Share
## https://sploitus.com/exploit?id=A1211FBA-41FE-531B-BF6D-D19E0264920B
# CVE-2026-20131 โ€” Cisco Secure FMC Remote Code Execution (Java Deserialization)

> **Severity:** Critical (CVSS 3.1: **10.0**)
> **CWE:** CWE-502 โ€” Deserialization of Untrusted Data
> **Affected:** Cisco Secure Firewall Management Center (FMC) Software
> **Advisory:** [cisco-sa-fmc-rce-NKhnULJh](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh)
> **Bug ID:** CSCwt14636

---

## Overview

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software allows an **unauthenticated, remote attacker** to execute arbitrary Java code as **root** on the affected device.

The vulnerability stems from insecure deserialization of a user-supplied Java byte stream. An attacker can send a crafted serialized Java object to the FMC web interface, triggering arbitrary code execution with root privileges โ€” no authentication required.

> **Note:** Cisco Security Cloud Control (SCC) Firewall Management (SaaS) is also affected and has been patched automatically by Cisco.

---

## Root Cause

The FMC web interface accepts and deserializes Java objects from unauthenticated HTTP requests without validating the object type or content. Java deserialization is inherently dangerous when applied to untrusted input โ€” the JVM executes code embedded in the object graph during `readObject()`, before any application-level validation can run.

**Attack flow:**
```
Attacker โ†’ crafted serialized Java object (HTTP POST) โ†’ FMC readObject() โ†’ gadget chain fires โ†’ root RCE
```

Java serialization magic bytes that identify the start of a serialized stream:
```
AC ED 00 05
```

---

## Affected Products

| Product | Status |
|---|---|
| Cisco Secure Firewall Management Center (FMC) Software | **Vulnerable** โ€” patch available |
| Cisco Security Cloud Control (SCC) Firewall Management | **Vulnerable** โ€” patched automatically by Cisco |
| Cisco Secure Firewall ASA Software | Not affected |
| Cisco Secure Firewall Threat Defense (FTD) Software | Not affected |

Use the [Cisco Software Checker](https://sec.cloudapps.cisco.com/security/center/softwarechecker.x) for specific affected version numbers.

---

## Files

| File | Description |
|---|---|
| `check.py` | Safe detection probe โ€” no gadget chain |
| `poc.py` | PoC exploit via ysoserial โ€” **lab/CTF environments only** |

---

## Detection Script

`check_cve_2026_20131.py` probes known FMC endpoints by sending Java serialization magic bytes and inspecting the HTTP response. A 500 or unexpected 200 on a serialization endpoint suggests the server is processing (deserializing) the input rather than rejecting it.

**No exploit payload or gadget chain is used.**

```bash
pip install requests
python3 check.py https://
```

| Result | Meaning |
|---|---|
| `POTENTIALLY VULNERABLE` | Endpoint processed serialized bytes |
| `No obvious exposure detected` | Likely patched or endpoints unreachable |

---

## PoC Exploit (Lab / CTF)

`poc.py` builds a deserialization payload using [ysoserial](https://github.com/frohoff/ysoserial) and delivers it to the target FMC endpoint.

> **For authorized lab and CTF environments only.**

See `poc.py` for full usage, requirements, and setup instructions.

---

## Remediation

Cisco has released fixed software. **There are no workarounds.**

Apply the patch from the official advisory:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh

**Interim hardening (while patching):**
- Restrict FMC management interface to trusted IP ranges only
- Block all public internet access to the FMC web interface
- Add WAF/IDS rules to detect `AC ED 00 05` magic bytes in HTTP POST bodies

---

## Timeline

| Date | Event |
|---|---|
| 2026-03-04 | Cisco advisory published โ€” v1.0 Final |
| 2026-03-04 | Part of March 2026 Cisco Secure Firewall Bundled Advisory release |

---

## Source

Discovered during internal security testing by **Keane O'Kelley**, Cisco Advanced Security Initiatives Group (ASIG).

---

## References

- [Cisco Advisory cisco-sa-fmc-rce-NKhnULJh](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh)
- [Cisco Software Checker](https://sec.cloudapps.cisco.com/security/center/softwarechecker.x)
- [ysoserial](https://github.com/frohoff/ysoserial)
- [NVD CVE-2026-20131](https://nvd.nist.gov/vuln/detail/CVE-2026-20131)

---

## Credits

- **Keane O'Kelley** (Cisco ASIG) โ€” original discoverer
- **[Sushilsin](https://github.com/Sushilsin/CVE-2026-20131)** โ€” prior detection research (detection script approach)

---

## Disclaimer

This repository is published for **educational and authorized security research purposes only**. Only use against systems you own or have **explicit written permission** to test. Unauthorized use may violate the Computer Fraud and Abuse Act (CFAA) and equivalent laws in your jurisdiction.