Interlock Ransomware Exploited Critical Cisco Firewall Zero-Day for 36 Days Before Patch

Interlock Ransomware Gang Actively Exploited Critical Cisco Zero-Day (CVE-2026-20131) for Over a Month

Severity: CRITICAL
Published: March 19, 2026
Updated: March 20, 2026
5m read
Categories: Vulnerability, Ransomware, Threat Actor

Related Entities (initial)

  • Threat Actors: Interlock
  • Organizations: Cisco, Amazon Threat Intelligence, CISA
  • Products & Tech: Cisco Secure Firewall Management Center (FMC), ConnectWise ScreenConnect, Volatility Framework
  • Other: Amazon
  • CVE Identifiers: CVE-2026-20131 (CRITICAL, CVSS 10.0)

Full Report (when first published)

Executive Summary

Amazon Threat Intelligence has revealed that the Interlock ransomware group began exploiting a maximum-severity zero-day vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center (FMC) software on January 26, 2026. This exploitation occurred a full 36 days before Cisco disclosed and patched the flaw on March 4, 2026. The vulnerability is a critical insecure deserialization issue with a CVSS score of 10.0, allowing a remote, unauthenticated attacker to achieve root-level remote code execution (RCE). In response to confirmed active exploitation, CISA added CVE-2026-20131 to its Known Exploited Vulnerabilities (KEV) catalog on March 19, 2026. This incident highlights the significant head start threat actors can gain by discovering and weaponizing zero-day flaws before vendors are aware of them.


Vulnerability Details

CVE-2026-20131 is an insecure deserialization vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) and Cisco Security Cloud Control (SCC) Firewall Management.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • CVSS Score: 10.0 (Critical)

The flaw allows a remote, unauthenticated attacker to execute arbitrary Java code with root privileges on the affected device by sending a specially crafted serialized Java object to the management interface. Gaining root access on a central firewall management console effectively gives an attacker control over a significant portion of an organization's network security infrastructure.

Exploitation Status

The Interlock ransomware group, active since September 2024, was identified as the primary actor exploiting this zero-day. Amazon's researchers uncovered the activity after discovering a misconfigured server belonging to the gang. This provided a rare look into the group's TTPs and their exploitation timeline, which began on January 26, 2026. Cisco acknowledged the active exploitation in an updated advisory on March 18, 2026, and CISA added the flaw to its KEV catalog the following day, mandating that federal agencies patch it promptly.

Technical Analysis

The attack chain observed by Amazon researchers involved several stages:

  1. Initial Access: The attackers exploited CVE-2026-20131 by sending a crafted HTTP request to the vulnerable Cisco FMC management interface. This is a classic example of T1190 - Exploit Public-Facing Application.
  2. Execution & Persistence: Upon successful exploitation, the attackers deployed a variety of custom payloads to establish control and maintain access.
    • An ELF binary containing custom JavaScript and Java-based Remote Access Trojans (RATs) was deployed for persistent access and command and control (T1203 - Exploitation for Client Execution).
    • A PowerShell script was used for reconnaissance on compromised systems (T1059.001 - PowerShell).
    • A Bash script was used to turn Linux servers into reverse proxies, likely for C2 traffic obfuscation or pivoting (T1059.004 - Unix Shell).
  3. Defense Evasion & Lateral Movement: The group was also observed using legitimate remote access software, ConnectWise ScreenConnect (T1219 - Remote Access Software), to blend in with normal administrative traffic and facilitate movement within the network. The use of the Volatility Framework suggests advanced memory forensics capabilities for credential harvesting or analyzing compromised systems.

Impact Assessment

The exploitation of a CVSS 10.0 vulnerability on a network security appliance like the Cisco FMC represents a worst-case scenario. Successful exploitation grants attackers:

  • Complete Control: Root-level access to the firewall management console.
  • Network Manipulation: The ability to alter firewall rules, disable security policies, and redirect traffic.
  • Pivoting Point: A highly trusted position within the network from which to launch further attacks, move laterally, and deploy ransomware across the enterprise.
  • Stealth: The ability to disable logging or create firewall rules that hide their C2 traffic.

The Interlock group is known for targeting sectors like education, manufacturing, and healthcare, where operational downtime is highly impactful. Compromising the central security appliance allows them to maximize this disruption.

Detection & Response

  1. Patch Verification: The highest priority is to ensure all Cisco FMC and SCC instances are updated to a patched version.
  2. Network Log Analysis (D3FEND: Network Traffic Analysis): Review web server and network logs for the FMC management interface for any suspicious or anomalous HTTP requests, especially those originating from untrusted external IP addresses. Look for requests containing serialized Java objects.
  3. Endpoint and Server Monitoring: Hunt for the presence of the post-exploitation tools and scripts mentioned:
    • Monitor for unexpected PowerShell or Bash script execution on servers.
    • Look for unauthorized installations or executions of ConnectWise ScreenConnect.
    • Scan for the presence of the custom ELF/Java RATs if signatures become available.
  4. Compromise Assessment: If running a vulnerable version, a full compromise assessment is recommended to search for signs of attacker persistence, even if no obvious malicious activity is visible.
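One way to carry out the log review in step 2 above, as an added example that is not from the article, Cisco or Amazon: a Python scan over a constructed JSON-lines export of requests to the management interface (assumed fields src_ip, method, path and a base64-encoded body, as a WAF or reverse proxy might export them) that flags bodies carrying the Java serialization stream marker in raw (AC ED 00 05) or base64 (rO0AB) form and notes whether the source lies outside an assumed management network. Paths, addresses and the allowlist are placeholders.

```python
import base64
import ipaddress
import json

# Markers of a Java serialization stream: raw magic AC ED 00 05 and its base64 form.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
JAVA_SER_B64 = b"rO0AB"

# Hypothetical management-network allowlist (assumption; adjust to your environment).
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]


def from_trusted_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def contains_java_object(body: bytes) -> bool:
    """True if the body carries a raw or base64-wrapped Java serialization stream."""
    # base64 "rO0AB" is how AC ED 00 05 appears inside form fields, JSON or headers.
    return JAVA_SER_MAGIC in body or JAVA_SER_B64 in body


def scan_log(lines):
    """Flag logged requests to the management interface that carry a serialized Java object."""
    findings = []
    for raw in lines:
        rec = json.loads(raw)
        body = base64.b64decode(rec.get("body_b64", ""))
        if rec.get("method") not in ("POST", "PUT") or not contains_java_object(body):
            continue
        findings.append({"src_ip": rec["src_ip"], "path": rec["path"],
                         "untrusted_source": not from_trusted_net(rec["src_ip"])})
    return findings


def _entry(src_ip, method, path, body: bytes) -> str:
    return json.dumps({"src_ip": src_ip, "method": method, "path": path,
                       "body_b64": base64.b64encode(body).decode()})


# Constructed sample export (JSON lines); paths and addresses are placeholders, not real FMC endpoints.
SAMPLE_LOG = [
    _entry("10.10.0.5", "GET", "/mgmt/login", b""),
    _entry("10.10.0.5", "POST", "/mgmt/login", b'{"user":"admin"}'),
    _entry("203.0.113.45", "POST", "/mgmt/session", JAVA_SER_MAGIC + b"sr\x00\x11java.util.HashMap"),
    _entry("198.51.100.9", "POST", "/mgmt/session",
           b"payload=" + base64.b64encode(JAVA_SER_MAGIC + b"sr\x00\x11java.util.HashMap")),
    _entry("10.10.0.7", "PUT", "/mgmt/session", JAVA_SER_MAGIC + b"sr\x00\x0ejava.util.Date"),
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Hits from inside the management network still deserve a look, since the FMC interface has no legitimate reason to receive serialized objects from a browser; the untrusted_source flag only prioritises them.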

Remediation Steps

  1. Patch Immediately: Upgrade Cisco Secure Firewall Management Center (FMC) and Cisco Security Cloud Control (SCC) Firewall Management to the versions recommended in the Cisco security advisory.
  2. Restrict Access (D3FEND: Network Isolation): As a compensating control, ensure the management interfaces of network security appliances are not exposed to the public internet. Access should be restricted to a secure, isolated management network and limited to authorized personnel only.
  3. Network Segmentation: Implement network segmentation to limit the blast radius if a critical device like a firewall manager is compromised. This can prevent attackers from easily moving from the management plane to critical data centers or user segments.

Timeline of Events

  1. September 1, 2024: The Interlock ransomware group becomes active.
  2. January 26, 2026: Interlock group begins exploiting the Cisco zero-day vulnerability CVE-2026-20131.
  3. March 4, 2026: Cisco releases a security patch for CVE-2026-20131.
  4. March 18, 2026: Cisco updates its advisory to acknowledge active exploitation of the vulnerability.
  5. March 19, 2026: CISA adds CVE-2026-20131 to its Known Exploited Vulnerabilities (KEV) catalog.
  6. March 19, 2026: This article was published.

Article Updates

March 20, 2026

New details on CVE-2026-20131 exploitation by Interlock: Amazon's MadPot discovery, Cisco's initial unawareness, CISA's March 22 patch deadline, and specific detection observables.

MITRE ATT&CK Mitigations

  • Immediately apply the security patches provided by Cisco to remediate the vulnerability.
  • Restrict network access to the Cisco FMC management interface, ensuring it is not exposed to the internet and is only accessible from a secure, internal management network.
  • Use an IPS/IDS to monitor for and potentially block exploit attempts against the known vulnerability.

Sources & References (when first published)

  • Ransomware gang exploits Cisco flaw in zero-day attacks since January - BleepingComputer (bleepingcomputer.com), March 18, 2026
  • InfoSec News Nuggets 03/19/2026 - AboutDFIR (aboutdfir.com), March 19, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Zero-Day, Ransomware, Cisco, Firewall, KEV, Insecure Deserialization, RCE
