Cisco Firewall Zero-Day Exploited by Interlock Ransomware for Over a Month Before Patch

Cisco FMC Flaw (CVE-2026-20131) Actively Exploited as Zero-Day in Interlock Ransomware Attacks

Severity: CRITICAL
Published: March 21, 2026
Categories: Vulnerability, Ransomware, Threat Actor

Related Entities

  • Threat Actors: Interlock
  • Organizations: Amazon
  • CVE Identifiers: CVE-2026-20131 (CRITICAL)

Full Report

Executive Summary

A critical vulnerability in Cisco Secure Firewall Management Center (FMC) software, CVE-2026-20131, was exploited as a zero-day for over a month by the Interlock ransomware group. The vulnerability, an insecure deserialization flaw in the web-based management interface, allows for unauthenticated remote code execution with root privileges. While Cisco released a patch in early March 2026, research from Amazon's threat intelligence team, published on March 20, revealed that exploitation had been ongoing since late January 2026. In response to the active exploitation, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patch urgently.


Vulnerability Details

  • CVE ID: CVE-2026-20131
  • Severity: Critical (CVSS score not yet public, but impact is RCE with root privileges)
  • Vulnerability Type: Insecure Deserialization of a user-supplied Java byte stream.
  • Attack Vector: An unauthenticated, remote attacker can exploit this flaw by sending a specially crafted serialized Java object to the web-based management interface of a vulnerable FMC device.
  • Impact: Successful exploitation results in the execution of arbitrary Java code on the underlying operating system with root privileges, granting the attacker full control over the device.

Affected Systems

The vulnerability affects the web-based management interface of the Cisco Secure Firewall Management Center (FMC) software. The attack surface is limited to devices whose management interface is reachable by the attacker. Cisco strongly recommends that this interface never be exposed to the public internet.

Exploitation Status

This vulnerability was exploited as a zero-day. According to Amazon's MadPot honeypot network, the Interlock ransomware gang began exploiting CVE-2026-20131 on or before January 26, 2026. This was 36 days before Cisco publicly disclosed the vulnerability and released a patch. On March 19, 2026, CISA confirmed the active exploitation by adding the CVE to its KEV catalog, mandating federal civilian agencies to patch by March 22, 2026.

Impact Assessment

The exploitation of this vulnerability poses a significant risk to organizations.

  • Network Compromise: The FMC is a central point of control for an organization's firewalls. Compromising it gives an attacker a powerful foothold to manipulate firewall rules, bypass security controls, and pivot deeper into the network.
  • Ransomware Deployment: As demonstrated by the Interlock group, the vulnerability is a direct pathway to deploying ransomware across an organization's network, leading to data encryption, operational shutdown, and financial extortion.
  • Loss of Visibility and Control: An attacker with root on the FMC can disable logging, alter configurations, and effectively blind the security team while carrying out their objectives.

Cyber Observables for Detection

Hunting for exploitation of this vulnerability involves looking for suspicious inbound traffic to the FMC management interface.

  • url_pattern (specific path): The exploit targets a specific, undisclosed path on the FMC's web interface. Monitor web server logs for unusual POST requests containing serialized Java objects.
  • network_traffic_pattern (Java RMI/IIOP): Look for unexpected Java RMI or other deserialization-related traffic directed at the FMC management port (typically TCP/443).
  • process_name (java): On the FMC appliance, look for anomalous child processes spawned by the main Java management process.
  • log_source (Cisco FMC Web Server Logs): Analyze logs for HTTP requests with large, non-standard payloads, which could be serialized Java objects.

Detection Methods

  • Log Analysis: Scrutinize web access logs for the FMC management interface. Look for requests from unknown IP addresses, especially POST requests with unusual content types or large body sizes. Use D3FEND Network Traffic Analysis (D3-NTA) to spot anomalous connections.
  • Vulnerability Scanning: Use a vulnerability scanner with an up-to-date plugin for CVE-2026-20131 to identify vulnerable FMC instances in your environment.
  • Asset Inventory: Ensure you have a complete inventory of all Cisco FMC devices and verify that their management interfaces are not exposed to the internet. If they must be remotely accessible, restrict access to a trusted IP range via an upstream firewall.
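The log-analysis and traffic-pattern hunts above can be turned into a small triage script. The following is an added example written for this article, not code from Cisco, Amazon or the author. It assumes a reverse proxy or WAF in front of the FMC that records each request's source address, method, path, content type, body length and the first bytes of the body; the trusted management range (10.10.50.0/24), the 64 KiB body threshold, the placeholder path and every sample request are constructed values. The one fact it relies on is the Java serialization stream header (bytes AC ED 00 05, or "rO0AB" once base64-encoded), which every raw serialized Java object begins with.

```python
import base64
import ipaddress
from dataclasses import dataclass, field

# Java ObjectOutputStream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
# Any serialized Java object sent raw over HTTP starts with these four bytes.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# The same header base64-encoded (how it looks inside a form field or JSON value): b"rO0AB".
JAVA_SERIAL_MAGIC_B64 = base64.b64encode(JAVA_SERIAL_MAGIC)[:5]

# Content types an ordinary browser session with the FMC web UI sends (assumed baseline).
EXPECTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "application/json",
    "multipart/form-data",
}
LARGE_BODY_BYTES = 64 * 1024  # assumed threshold; tune to your own traffic baseline


@dataclass
class HttpRequest:
    """One inbound request to the management interface (assumed record layout)."""
    src_ip: str
    method: str
    path: str
    content_type: str
    content_length: int
    body_prefix: bytes = b""  # first bytes of the body, if the proxy/WAF captured them


@dataclass
class Finding:
    request: HttpRequest
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A serialized object in the body is the strongest signal; otherwise rank by rule count.
        if "java_serialized_object" in self.reasons:
            return "high"
        return "medium" if len(self.reasons) > 1 else "low"


def looks_like_java_object(body_prefix: bytes) -> bool:
    """True if the captured body starts with, or embeds, a Java serialization header."""
    return body_prefix.startswith(JAVA_SERIAL_MAGIC) or JAVA_SERIAL_MAGIC_B64 in body_prefix


def triage(requests, trusted_cidrs):
    """Return a Finding for every request that trips at least one hunting rule, in input order."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for req in requests:
        reasons = []
        src = ipaddress.ip_address(req.src_ip)
        if not any(src in net for net in trusted):
            reasons.append("untrusted_source")  # management plane reached from outside the allow-list
        if req.method == "POST":
            base_type = req.content_type.split(";")[0].strip().lower()
            if base_type not in EXPECTED_CONTENT_TYPES:
                reasons.append("unusual_content_type")
            if req.content_length > LARGE_BODY_BYTES:
                reasons.append("large_body")
            if looks_like_java_object(req.body_prefix):
                reasons.append("java_serialized_object")
        if reasons:
            findings.append(Finding(req, reasons))
    return findings


# Constructed sample traffic (not real captures): a benign admin login from the management
# VLAN, a raw serialized object from an external address, a base64-wrapped object from another
# external address, and an oversized but otherwise ordinary upload from inside the trusted range.
SAMPLE_REQUESTS = [
    HttpRequest("10.10.50.12", "POST", "/login", "application/x-www-form-urlencoded", 88,
                b"username=admin&password=REDACTED"),
    HttpRequest("203.0.113.77", "POST", "/PLACEHOLDER-path", "application/octet-stream", 9311,
                b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap"),
    HttpRequest("198.51.100.9", "POST", "/PLACEHOLDER-path", "application/json", 12055,
                b'{"data":"rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA"}'),
    HttpRequest("10.10.50.30", "POST", "/api/upload", "multipart/form-data; boundary=x",
                3 * 1024 * 1024, b"--x\r\nContent-Disposition: form-data"),
]
TRUSTED_MGMT_CIDRS = ["10.10.50.0/24"]  # assumed management VLAN


if __name__ == "__main__":
    for f in triage(SAMPLE_REQUESTS, TRUSTED_MGMT_CIDRS):
        print(f"[{f.severity}] {f.request.src_ip} {f.request.method} {f.request.path}: "
              + ", ".join(f.reasons))
```

Run stand-alone it reports the two external requests as high (both carry a serialization header, one raw and one base64-wrapped) and the internal upload as low (only the size rule fires); the login from the management VLAN produces no finding. Because the exploit path is undisclosed, the script deliberately does not key on a URL: the header check and the source-address check are what carry the detection, and both keep working if the attacker changes the path.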

Remediation Steps

  1. Patch Immediately: The primary remediation is to upgrade to a fixed version of the Cisco Secure Firewall Management Center software as detailed in the Cisco security advisory.
  2. Restrict Access: As a critical hardening measure, ensure the FMC management interface is not exposed to the internet. Access should be restricted to a secure, internal management network. This is a key principle of D3FEND Network Isolation (D3-NI).
  3. Hunt for Compromise: If you were running a vulnerable version with an exposed management interface, assume compromise. Initiate an incident response investigation, looking for signs of persistence, lateral movement, or data exfiltration originating from the FMC device.

Timeline of Events

  1. January 26, 2026: Interlock ransomware group begins exploiting CVE-2026-20131 as a zero-day.
  2. March 3, 2026 (approximate date): Cisco releases a patch for CVE-2026-20131 after discovering it internally.
  3. March 19, 2026: CISA adds CVE-2026-20131 to its Known Exploited Vulnerabilities (KEV) catalog.
  4. March 20, 2026: Amazon's threat intelligence team publishes research confirming the zero-day exploitation.
  5. March 21, 2026: This article is published.

MITRE ATT&CK Mitigations

  • Apply the security patches provided by Cisco to remediate the vulnerability.
  • Do not expose the FMC management interface to the internet. Restrict access to a secure, internal-only management network.
  • Use access control lists (ACLs) or firewall rules to strictly limit which IP addresses can connect to the FMC management interface.

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags: zero-day, insecure deserialization, ransomware, KEV, CISA, firewall, RCE