CISA Adds Actively Exploited Cisco (CVE-2026-20131) and Ivanti (CVE-2026-1603) Vulnerabilities to KEV Catalog

Executive Summary

On February 12, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two critical vulnerabilities affecting enterprise network management products from Cisco and Ivanti to its Known Exploited Vulnerabilities (KEV) catalog. The addition signifies that both CVE-2026-20131 (Cisco Secure Firewall Management Center) and CVE-2026-1603 (Ivanti Endpoint Manager) are being actively exploited by threat actors. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are now mandated to patch these vulnerabilities by a set deadline. CISA strongly urges all organizations using these products to prioritize remediation to defend against active threats.

Vulnerability Details

• CVE-2026-20131 - Cisco Secure Firewall Management Center (FMC) Software: This is a critical deserialization of untrusted data vulnerability in the web-based management interface of the FMC software. An unauthenticated, remote attacker can exploit this flaw by sending a crafted HTTP request to an affected device. Successful exploitation allows the attacker to execute arbitrary Java code on the underlying operating system with root privileges, effectively granting them full control over the firewall management center.

• CVE-2026-1603 - Ivanti Endpoint Manager (EPM): This is an authentication bypass vulnerability. While fewer public details are available, authentication bypass flaws in management products like EPM are extremely dangerous. They typically allow an attacker to circumvent login mechanisms and gain administrative access to the platform, from which they can manage and potentially deploy malicious software to all connected endpoints.

Affected Systems

• Cisco Secure Firewall Management Center (FMC) Software: Specific vulnerable versions should be confirmed via Cisco's security advisory.
• Ivanti Endpoint Manager (EPM): Specific vulnerable versions should be confirmed via Ivanti's security advisory.

Exploitation Status

Both vulnerabilities have been added to the CISA KEV catalog, which serves as definitive confirmation of active, in-the-wild exploitation. Reports suggest that CVE-2026-20131 has been used as a zero-day in ransomware attacks. Attackers are leveraging these flaws for initial access into corporate networks, followed by lateral movement and payload deployment.

Impact Assessment

Compromise of these management platforms represents a critical security failure.

• Cisco FMC: An attacker with root access can alter firewall rules, intercept network traffic, pivot to other network segments, and disable security logging, rendering network defenses useless.
• Ivanti EPM: Control over an endpoint manager allows an attacker to deploy malware (including ransomware) across thousands of managed workstations and servers simultaneously, leading to a widespread and catastrophic incident.

The exploitation of these products provides a direct path for attackers to achieve broad network access and control.

Detection Methods

• Log Analysis: Monitor web server logs on Cisco FMC and Ivanti EPM appliances for unusual or malformed HTTP requests, especially to API endpoints or management interfaces. Look for requests from untrusted IP addresses.
• Network Traffic Analysis: Analyze traffic to and from the management interfaces of these products. Any connections originating from the public internet that are not from known administrator locations should be considered highly suspicious. This aligns with D3FEND's Network Traffic Analysis (D3-NTA).
• Endpoint Behavior: On the appliances themselves, monitor for the creation of new files, unexpected outbound network connections, or the execution of suspicious processes (e.g., shells, reverse shells), which would indicate a successful compromise.

Remediation Steps

1. Prioritize Patching: Apply the security updates provided by Cisco and Ivanti immediately. Due to active exploitation, this should be treated as an emergency change.
2. Restrict Access: If patching is not immediately possible, restrict access to the management interfaces of both products. They should not be exposed to the public internet. Access should be limited to a secure management VLAN and controlled via jump hosts and strict firewall rules. This is a key principle of D3FEND's Network Isolation (D3-NI).
3. Hunt for Compromise: After patching, assume compromise and hunt for signs of malicious activity as described in the Detection Methods section. Check for newly created user accounts or scheduled tasks on the appliances.