John Z Black
Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
A lot of patch programs run on autopilot. Sort by CVSS, assign by owner, slot into a maintenance window, close the ticket. It works fine until it doesn’t.
The Cisco FMC intrusions are a clear example of when it doesn’t.
Interlock-linked operators have reportedly been exploiting CVE-2026-20131 in Cisco Firepower Management Center since January. That’s not a hypothetical. That’s an active attack path into management-plane infrastructure, the kind of system that gives attackers policy visibility and lateral movement options once they’re in.
When CISA adds something to the Known Exploited Vulnerabilities catalog, it’s not background noise. It’s a signal that sorting by CVSS score already failed.
A more useful patch order: active exploits on management and internet-facing systems first, exposed business-critical systems second, high-severity but unconfirmed third, routine hygiene last. And when you close that ticket, verify you actually got there before attackers did.
Get the full breakdown on patch triage and what to check before you close the FMC ticket