Active Exploitation of Cisco Secure Firewall Management Center (CVE‑2026‑20131) Triggers CISA KEV Catalog Update
What It Is – CISA has added CVE‑2026‑20131, a deserialization‑of‑untrusted‑data flaw in Cisco Secure Firewall Management Center (FMC) and Cisco Security Cloud Control (SCC), to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability allows an attacker to supply crafted data that can be processed by the management console, potentially leading to code execution or privilege escalation.
Exploitability – Evidence of active exploitation in the wild prompted the KEV listing; a public proof‑of‑concept has been observed. While a formal CVSS score has not yet been published, the active‑exploitation status and the privileged nature of the affected component place the risk at High.
Affected Products – Cisco Secure Firewall Management Center (FMC) software and Cisco Security Cloud Control (SCC) firewall‑management platforms.
TPRM Impact –
- Organizations that rely on Cisco FMC/SCC as a third‑party security service inherit the same exposure, extending risk to their own networks and customers.
- Compromise of the management plane can enable lateral movement into downstream environments, creating a supply‑chain attack vector.
Recommended Actions –
- Prioritize patching of Cisco FMC and SCC to the latest security release that addresses CVE‑2026‑20131.
- Verify that all firewalls managed by the affected consoles are running the patched version; inventory any unmanaged instances.
- Conduct a focused risk assessment on any third‑party services that depend on the compromised management consoles.
- Update vulnerability‑management policies to treat KEV‑listed items as “remediate‑by‑deadline” per CISA BOD 22‑01 guidance.
- Monitor Cisco and CISA advisories for any emerging exploitation techniques or additional mitigation guidance.
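A sketch of the "remediate-by-deadline" tracking described above, as an added example that is not from CISA or Cisco: it joins KEV entries to a console inventory and reports what is still open against the due date. The inventory layout, host names and the `dueDate` value are constructed assumptions; only the CVE ID and the 2026-03-19 listing date come from this page.

```python
import json
from datetime import date

# Constructed excerpt in the KEV catalog's JSON field layout. The dueDate is a
# placeholder, not the value CISA published for this entry.
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2026-20131", "vendorProject": "Cisco",
   "product": "Secure Firewall Management Center",
   "dateAdded": "2026-03-19", "dueDate": "2026-04-09"}
]}
"""

# Constructed inventory: one row per management console, with the CVEs a
# scanner still reports as open. "owner" separates in-house from vendor-run.
INVENTORY = [
    {"host": "fmc-dc1", "owner": "internal", "open_cves": ["CVE-2026-20131"]},
    {"host": "fmc-dc2", "owner": "internal", "open_cves": []},
    {"host": "mssp-fmc", "owner": "third-party", "open_cves": ["CVE-2026-20131"]},
]

def kev_findings(kev_json, inventory, today):
    """Return one finding per (asset, KEV CVE) still open, soonest deadline first."""
    kev = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    findings = []
    for asset in inventory:
        for cve in asset["open_cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not KEV-listed: the normal patch SLA applies
            due = date.fromisoformat(entry["dueDate"])
            days_left = (due - today).days
            findings.append({
                "host": asset["host"],
                "owner": asset["owner"],
                "cve": cve,
                "due": due.isoformat(),
                "days_left": days_left,
                "status": "OVERDUE" if days_left < 0 else "OPEN",
            })
    return sorted(findings, key=lambda f: (f["days_left"], f["host"]))

if __name__ == "__main__":
    for finding in kev_findings(KEV_JSON, INVENTORY, date.today()):
        print(finding)
```

Rows with `owner` set to `third-party` are the ones to raise with the vendor under the TPRM items above, since the deadline applies to them as well.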
Source: CISA Advisory – CISA Adds One Known Exploited Vulnerability to Catalog (2026‑03‑19)