A critical (CVSS not specified) insecure deserialization vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center (FMC) software allows unauthenticated remote attackers to execute arbitrary Java code as root via a crafted serialized object sent to the web management interface. Cisco has released software updates to address this vulnerability, and there are no available workarounds. Organizations should apply the provided patches immediately, prioritizing systems with management interfaces exposed to untrusted networks.
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root . Note: If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh This advisory is part of the March 2026 release of the Cisco Secure Firewall ASA, Secure FMC, and Secure FTD Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: March 2026 Semiannual Cisco Secure Firewall ASA, Secure FMC, and Secure FTD Software Security Advisory Bundled Publication . <br/>Security Impact Rating: Critical <br/>CVE: CVE-2026-20131