CISA Orders Federal Agencies to Patch Critical Cisco Firewall Flaw Exploited by Interlock Ransomware
The **Cybersecurity and Infrastructure Security Agency (CISA)** has issued an urgent directive for federal agencies to patch a maximum-severity vulnerability in **Cisco Secure Firewall Management Center (FMC)**, **CVE-2026-20131**, following reports of active exploitation by the **Interlock** ransomware group. This flaw, which allows for remote code execution as root, poses a significant risk to network security.

### Urgent Patch Required for Cisco FMC
**CISA** has mandated that federal agencies patch **CVE-2026-20131** in **Cisco Secure Firewall Management Center (FMC)** by Sunday, March 22. The directive follows a security bulletin that **Cisco** released on March 4, urging administrators to apply the security updates immediately. No workarounds are available for this vulnerability.
The **Cisco Secure Firewall Management Center (FMC)** serves as a centralized management system for crucial **Cisco** network security appliances, including firewalls, application control, intrusion prevention systems, URL filtering, and malware protection.
### Root Cause and Impact
According to **Cisco**'s advisory, "A vulnerability in the web-based management interface of **Cisco Secure Firewall Management Center (FMC)** Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device."
The vulnerability stems from insecure deserialization of a user-supplied Java byte stream. An attacker can exploit this by sending a specially crafted serialized Java object to the web-based management interface of a vulnerable device.
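
For defenders reviewing captured traffic to a management interface, the following added example (not from the original article, Cisco or CISA) flags HTTP request bodies that carry a Java serialization stream header, either raw or base64-encoded. It is a generic indicator of serialized Java objects, not a signature for this specific flaw; the record layout (`src`, `content_type`, `body`) and the sample requests are constructed assumptions.

```python
from __future__ import annotations
import base64
import binascii

# Java Object Serialization Stream header: STREAM_MAGIC 0xACED + STREAM_VERSION 0x0005.
JAVA_MAGIC = b"\xac\xed\x00\x05"
# Those four bytes at the start of a base64 string always encode to this prefix.
B64_PREFIX = b"rO0AB"
SERIALIZED_CT = "application/x-java-serialized-object"

def find_java_stream(body: bytes) -> str | None:
    """Return 'raw' or 'base64' if body carries a Java stream header, else None."""
    if JAVA_MAGIC in body:  # may also match unrelated binary uploads; treat as a lead
        return "raw"
    idx = body.find(B64_PREFIX)
    if idx != -1:
        # Confirm by decoding the first 8 base64 characters instead of trusting the prefix.
        chunk = body[idx:idx + 8]
        try:
            if base64.b64decode(chunk + b"=" * (-len(chunk) % 4)).startswith(JAVA_MAGIC):
                return "base64"
        except binascii.Error:
            pass
    return None

def triage(requests: list[dict]) -> list[tuple[str, str]]:
    """Return (source, reason) for every request that looks like it carries a Java object."""
    hits = []
    for req in requests:
        ctype = req.get("content_type", "").split(";")[0].strip().lower()
        if ctype == SERIALIZED_CT:
            hits.append((req["src"], "content-type"))
            continue
        kind = find_java_stream(req.get("body", b""))
        if kind:
            hits.append((req["src"], kind))
    return hits

# Constructed sample requests (documentation IP ranges, made-up bodies).
SAMPLE = [
    {"src": "192.0.2.10", "content_type": "application/json", "body": b'{"user":"admin"}'},
    {"src": "198.51.100.7", "content_type": "application/octet-stream",
     "body": JAVA_MAGIC + b"sr\x00\x11java.util.HashMap"},
    {"src": "203.0.113.5", "content_type": "application/x-www-form-urlencoded",
     "body": b"state=" + base64.b64encode(JAVA_MAGIC + b"sr\x00\x04Demo")},
    {"src": "192.0.2.44", "content_type": "application/x-java-serialized-object; charset=binary",
     "body": b""},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```
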
### Active Exploitation by Interlock Ransomware
On March 18, **Cisco** updated its bulletin to warn of active exploitation of **CVE-2026-20131**. Researchers at **Amazon** confirmed that threat actors are actively leveraging the vulnerability in attacks. Specifically, the **Interlock** ransomware gang has been exploiting it as a zero-day vulnerability since late January.
**Amazon**'s findings indicate that the **Interlock** ransomware group exploited **CVE-2026-20131** for over a month before **Cisco** released the patch.
**Interlock** ransomware has been linked to several high-profile attacks since its emergence in late 2024, targeting organizations such as **DaVita**, **Kettering Health**, the **Texas Tech University System**, and the city of **Saint Paul**, Minnesota.
The threat actor is known to employ the ClickFix technique for initial access, alongside custom remote access trojans and malware strains like NodeSnake and Slopoly.
### CISA's Response and Recommendations
**CISA** has added **CVE-2026-20131** to its Known Exploited Vulnerabilities (KEV) catalog, highlighting its use in ransomware campaigns.
Given the severity of **CVE-2026-20131** and its active exploitation since late January 2026, **CISA** has given Federal Civilian Executive Branch (FCEB) agencies until this Sunday to apply the security updates or discontinue using the affected product.
While **CISA**'s directive primarily targets entities subject to Binding Operational Directive (BOD) 22-01, private firms, state/local governments, and all non-FCEB organizations are strongly advised to consider the risk and take appropriate action.