A Perfect 10 That Nobody Noticed for a Month

Cisco's Firewall Management Center had a CVSS 10.0 zero-day being exploited in the wild for weeks before anyone said anything publicly. This is not a new story, just a familiar one.

There is a particular kind of dread that security people develop over years in this industry. It is not the dramatic, cinematic dread of watching a breach unfold in real time. It is the quieter, more corrosive dread of reading a vendor advisory and doing the math on how long the gap was between 'attacker knew' and 'you knew.' Last week that number was over a month.

Cisco disclosed CVE-2026-20131, a critical flaw in the Firewall Management Center (FMC) software. CVSS score of 10.0, the top of the scale, which in vector terms means network-reachable, no privileges, no user interaction, low attack complexity and full loss of confidentiality, integrity and availability: the industry's way of saying 'unauthenticated remote code execution as root, no prerequisites, have a nice day.' Amazon's threat intelligence team found evidence of active exploitation going back to late January. The Interlock ransomware group was already using it. The patch dropped in March.

I have been doing this long enough to remember when a CVSS 10 was genuinely rare. Now it feels like every quarter has at least one. The score has become almost meaningless as a signal for urgency: when there is always something critical, critical becomes background noise. Security teams are buried under patch prioritization fatigue, and attackers know this. They are counting on it.

What bothers me here is not the vulnerability itself. Zero-days happen. What bothers me is the month-long window. Cisco's FMC is the management plane for enterprise firewall infrastructure. If you compromise the management plane, you effectively own the network policy. You can add rules, remove rules, redirect traffic, create visibility gaps. For a ransomware group, that is not just a foothold, it is a blueprint.

I spent time at Cisco. I know how much effort goes into building these products and how seriously the security teams take their work. But the disclosure timeline is a genuine problem across the industry, not just Cisco. Vendors get notification of active exploitation and the calculus becomes: do we push an emergency patch now, which signals to every threat actor that this thing is being used, or do we quietly work on a fix and hope attribution does not go public before we are ready? Neither option is clean. Organizations sit exposed either way.

The honest answer to 'what should defenders do' is depressing: patch faster than your attackers can move, which assumes you find out about the vulnerability before they do, which in this case you did not. So the advice becomes 'have compensating controls, segment your management plane, monitor for anomalous FMC access,' which is all correct and also sounds like telling someone to wear a seatbelt after the car has already gone through the guardrail.
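The compensating controls above (segment the management plane, watch for anomalous FMC access) are easy to say and rarely spelled out. The following is an added example, not code from the original post and not anything Cisco ships: a small detector that takes management-plane audit events and flags the things the earlier paragraph warns about, namely access from outside a management allowlist, a login success that follows a run of failures, and a policy deployment by an account that is not supposed to push policy. Everything specific in it is an assumption chosen for illustration: the management subnets, the allowed deploy accounts, the failure threshold, and above all the log line layout, which is a constructed syslog-like format and not the real FMC audit-log format. The logic generalizes to any firewall or network-device management plane that emits "who, from where, did what" events.

```python
"""
Added example (not from the original post, not Cisco code): allowlist-based
detection over management-plane audit events.

Hypothetical assumptions, chosen for illustration only:
  * MGMT_NETS     - the only subnets that may reach the management UI/API
  * DEPLOY_ACCOUNTS - the only accounts expected to push policy
  * FAILURE_THRESHOLD - consecutive login failures that make a later success suspicious
  * SAMPLE_LOG    - constructed syslog-like lines, NOT the real FMC audit format
"""
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical management-plane allowlist (RFC 1918 ranges picked for the example).
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24"),
             ipaddress.ip_network("10.10.1.0/24")]

# Hypothetical accounts allowed to perform policy deployments.
DEPLOY_ACCOUNTS = {"fw-automation", "netops-admin"}

# A login success after this many consecutive failures from the same (user, src) is flagged.
FAILURE_THRESHOLD = 2

# Constructed sample events. 203.0.113.0/24 is a documentation range, used here as
# an "outside the management plane" source.
SAMPLE_LOG = """\
2026-03-02T08:01:12Z fmc01 audit: user=netops-admin src=10.10.0.15 action=login result=success
2026-03-02T08:02:40Z fmc01 audit: user=netops-admin src=10.10.0.15 action=policy_deploy result=success target=edge-fw-1
2026-03-02T08:05:03Z fmc01 audit: user=admin src=203.0.113.77 action=login result=failure
2026-03-02T08:05:09Z fmc01 audit: user=admin src=203.0.113.77 action=login result=failure
2026-03-02T08:05:16Z fmc01 audit: user=admin src=203.0.113.77 action=login result=success
2026-03-02T08:06:01Z fmc01 audit: user=admin src=203.0.113.77 action=rule_change result=success target=edge-fw-1
2026-03-02T08:06:30Z fmc01 audit: user=admin src=203.0.113.77 action=policy_deploy result=success target=edge-fw-1
2026-03-02T09:00:00Z fmc01 audit: user=fw-automation src=10.10.1.8 action=policy_deploy result=success target=dc-fw-2
"""

# Parser for the constructed format above; 'target' is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) audit: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)(?: target=(?P<target>\S+))?$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    src: str
    action: str
    reason: str


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_mgmt_source(src):
    """True only if src is a valid IP inside one of the management subnets."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is treated as untrusted, not ignored
    return any(addr in net for net in MGMT_NETS)


def analyze(log_text):
    """Run the three detections over every parseable event, in log order."""
    findings = []
    failures = defaultdict(int)  # (user, src) -> consecutive login failures
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # not in the constructed format; a real pipeline would count these
        key = (ev["user"], ev["src"])
        if not is_mgmt_source(ev["src"]):
            findings.append(Finding(ev["ts"], ev["user"], ev["src"], ev["action"],
                                    "outside_mgmt_net"))
        if ev["action"] == "login":
            if ev["result"] == "failure":
                failures[key] += 1
            else:
                if failures[key] >= FAILURE_THRESHOLD:
                    findings.append(Finding(ev["ts"], ev["user"], ev["src"], ev["action"],
                                            "success_after_failures"))
                failures[key] = 0  # a success resets the run either way
        if (ev["action"] == "policy_deploy" and ev["result"] == "success"
                and ev["user"] not in DEPLOY_ACCOUNTS):
            findings.append(Finding(ev["ts"], ev["user"], ev["src"], ev["action"],
                                    "unexpected_deploy_account"))
    return findings


def summarize(findings):
    """Count findings by reason, handy for a dashboard or a test."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.reason}: user={f.user} src={f.src} action={f.action}")
```

Two design notes. First, the allowlist check runs on every event, not just logins, so a session that was somehow established from outside the management subnets keeps generating findings as it changes rules; that matters precisely in the scenario above, where the attacker never logs in through a password at all and the first thing you see is a rule change. Second, an unparseable source address is treated as untrusted rather than skipped, because "the log field is empty or odd" is exactly what you see when something is tampering with the management plane.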

What I actually think needs to happen is a more honest conversation about coordinated vulnerability disclosure timelines and the obligations vendors have to their customers when active exploitation is known. A month is too long. Two weeks is probably the right ceiling before customers deserve to know that someone is actively using a hole in the perimeter they paid for.

Patching is not a security strategy. It is the minimum viable response to a disclosure process that has not kept pace with how fast attackers operate. The gap between 'exploited in the wild' and 'you find out' is where real damage gets done, and right now that gap is measured in weeks.

https://nvd.nist.gov/vuln/detail/cve-2026-20131