
CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added CVE-2026-20131, a deserialization of untrusted data vulnerability affecting Cisco Secure Firewall Management Center (FMC) and Cisco Security Cloud Control (SCC), to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation.

Sensitivity: Immediate. Confidence: high. Analyzed: 2026-03-19.

Authors: CISA

Source: CISA

Key Takeaways

  • CISA has added CVE-2026-20131 to the Known Exploited Vulnerabilities (KEV) Catalog.
  • The vulnerability affects Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management.
  • The flaw is categorized as a Deserialization of Untrusted Data vulnerability.
  • There is confirmed evidence of active exploitation in the wild.

Affected Systems

  • Cisco Secure Firewall Management Center (FMC) Software
  • Cisco Security Cloud Control (SCC) Firewall Management

Vulnerabilities (CVEs)

  • CVE-2026-20131

Attack Chain

Threat actors exploit CVE-2026-20131 against Cisco Secure Firewall Management Center (FMC) Software or Cisco Security Cloud Control (SCC). The flaw is deserialization of untrusted data, a vulnerability class that commonly lets an attacker run arbitrary code or commands on the appliance that receives the malicious object; the CISA entry does not describe the specific request path or payload. Because FMC and SCC hold the configuration and credentials for the firewalls they manage, a compromised management appliance is a foothold from which the managed network environments can be reached.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the CISA alert.

Detection Engineering Assessment

  • EDR Visibility: Low. Cisco FMC and SCC are specialized management appliances that typically do not support the installation of third-party EDR agents.
  • Network Visibility: Medium. A network IDS may detect malicious serialized payloads directed at the management interfaces, but the management plane is served over TLS, so this only works where the traffic is decrypted or inspected before it reaches the sensor.
  • Detection Difficulty: Hard. Without a payload signature or EDR telemetry on the appliance, detecting deserialization exploitation depends on spotting anomalous post-exploitation behavior or on purpose-built network signatures.

Required Log Sources

  • Cisco FMC/SCC Application Logs
  • Web Server Access Logs
  • Network Traffic Logs

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Anomalous child processes or unexpected shell executions originating from the web service or management processes on Cisco FMC/SCC appliances. | Appliance syslog / process execution logs | Execution | Low
Unusual inbound network connections to the Cisco FMC/SCC management interfaces from unexpected or untrusted external IP addresses. | Firewall / NetFlow logs | Initial Access | Medium

Control Gaps

  • Lack of endpoint visibility on proprietary network management appliances.

Key Behavioral Indicators

  • Unexpected process spawning from Java or web server processes on the appliance.
  • Anomalous serialized data structures in HTTP requests targeting the management interface.
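The second hunting hypothesis (inbound connections from untrusted sources) and the second behavioral indicator (serialized data in HTTP requests to the management interface) can be turned into a single hunt over web server access logs. The following Python script is an added example written for this page; it is not CISA's or Cisco's code and is not tied to the unpublished details of CVE-2026-20131. It flags any request whose body excerpt carries the Java serialization stream header (bytes AC ED 00 05) in raw, URL-encoded, base64 (prefix "rO0AB") or hex form, and any request from a source address outside the trusted admin ranges. The log layout, the trusted subnets, the request paths and the log lines themselves are all constructed assumptions; map the parser onto your real FMC/SCC access-log format before use.

```python
"""
Hunt for Java-deserialization exploitation attempts against a management
interface using two indicators from the page above:
  1. a serialized Java object in the HTTP request body
  2. a source address outside the trusted administrative ranges
Everything below the parser is constructed sample data, not real telemetry.
"""
import base64
import ipaddress
import re
from urllib.parse import unquote_to_bytes

# Assumption: only these networks (admin VLAN, jump hosts) may reach the
# management interface. Replace with your own ranges.
TRUSTED_ADMIN_NETS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.168.50.0/24"),
]

JAVA_SER_MAGIC = b"\xac\xed\x00\x05"                        # Java serialization stream header
B64_TOKEN_RE = re.compile(r"rO0AB[A-Za-z0-9+/]{7,}={0,2}")  # base64 form starts with rO0AB
HEX_MAGIC_RE = re.compile(r"aced0005", re.IGNORECASE)       # hex form

# Assumed access-log layout (NOT the real FMC/SCC format):
# <src_ip> [<timestamp>] "<METHOD> <path>" <status> "<request body excerpt>"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) "(?P<body>.*)"$'
)


def looks_like_java_serialization(body: str) -> bool:
    """True if the body excerpt carries a Java serialized object in raw,
    URL-encoded, base64 or hex encoding."""
    if JAVA_SER_MAGIC in unquote_to_bytes(body):   # raw bytes or %AC%ED%00%05
        return True
    if HEX_MAGIC_RE.search(body):
        return True
    for tok in B64_TOKEN_RE.findall(body):
        try:
            decoded = base64.b64decode(tok + "=" * (-len(tok) % 4))
        except ValueError:                          # binascii.Error subclasses ValueError
            continue
        if decoded.startswith(JAVA_SER_MAGIC):
            return True
    return False


def src_is_trusted(src_ip: str) -> bool:
    """True only for addresses inside one of the trusted admin networks."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def hunt(lines):
    """Return (src, path, reasons) for every parseable line that trips an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; in production, count and review these
        reasons = []
        if looks_like_java_serialization(m["body"]):
            reasons.append("java-serialized-payload")
        if not src_is_trusted(m["src"]):
            reasons.append("untrusted-source")
        if reasons:
            findings.append((m["src"], m["path"], reasons))
    return findings


# Constructed sample payload: a serialized java.util.HashMap header, base64-encoded.
B64_PAYLOAD_SAMPLE = base64.b64encode(b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap").decode()

# Constructed sample log (assumed layout and paths); not real FMC/SCC output.
SAMPLE_LOG = [
    '10.10.0.15 [19/Mar/2026:08:01:12 +0000] "GET /login" 200 ""',
    '203.0.113.77 [19/Mar/2026:08:02:30 +0000] "POST /api/upload" 500 "data=%s"' % B64_PAYLOAD_SAMPLE,
    '10.10.0.15 [19/Mar/2026:08:03:05 +0000] "POST /api/upload" 200 "%AC%ED%00%05sr%00"',
    '198.51.100.9 [19/Mar/2026:08:04:40 +0000] "GET /login" 200 ""',
    '192.168.50.4 [19/Mar/2026:08:05:01 +0000] "POST /api/upload" 200 "payload=aced000573720011"',
]

if __name__ == "__main__":
    for src, path, reasons in hunt(SAMPLE_LOG):
        print(f"{src:15} {path:12} {', '.join(reasons)}")
```

On the constructed log this reports four of the five lines: the external host sending a base64 payload trips both indicators, the two trusted hosts sending URL-encoded and hex-encoded payloads trip only the payload indicator (an insider or a compromised jump host still shows up), and the external host that merely browses the login page trips only the source indicator, which is where the Medium false-positive rate of that hypothesis comes from. Legitimate FMC/SCC API clients do not normally submit Java-serialized objects in request bodies, so the payload indicator stays Low-FP; extend the trusted ranges rather than the magic-byte checks when tuning.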

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Apply the latest security patches provided by Cisco for FMC and SCC to remediate CVE-2026-20131.

Infrastructure Hardening

  • Restrict network access to Cisco FMC and SCC management interfaces to trusted, internal IP addresses and administrative jump hosts.
  • Ensure management interfaces are not exposed to the public internet.

User Protection

  • N/A

Security Awareness

  • Ensure vulnerability management teams prioritize the remediation of vulnerabilities added to the CISA KEV catalog, as mandated by BOD 22-01 for federal agencies and recommended for all organizations.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application