A critical zero-day vulnerability in Cisco Secure Firewall Management Center (FMC) has been actively exploited by the Interlock ransomware group since January 2026 — more than a month before Cisco released a patch. CISA has added CVE-2026-20131 to its Known Exploited Vulnerabilities (KEV) catalog, confirming it is known to be used in ransomware campaigns.
If your organization runs Cisco FMC or Cisco Security Cloud Control (SCC) for firewall management, this is a patch-now situation. Here’s everything you need to know about the vulnerability, the attack chain, and how to protect your infrastructure.
What Is CVE-2026-20131?
CVE-2026-20131 is a deserialization of untrusted data vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management. According to CISA’s KEV catalog:
“Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management contain a deserialization of untrusted data vulnerability in the web-based management interface that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.”
Key details:
- CVSS Score: 10.0 (Critical — maximum severity)
- Attack Vector: Network (unauthenticated, remote)
- Impact: Full root access via arbitrary Java code execution
- Exploited in the wild: Yes — confirmed ransomware campaigns
- CISA KEV Added: March 19, 2026
- CISA Remediation Deadline: March 22, 2026 (already passed)
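To make the vulnerability class concrete, the following is an added Java example (not Cisco code, and not a reproduction of the FMC code path; the `DeserDemo`, `SessionToken` and `NotExpected` names and the request bodies are made up for the demo). It places the vulnerable pattern, `ObjectInputStream.readObject()` on bytes the client controls, beside the hardened form that attaches a JEP 290 allow-list filter so that any class other than the one expected is rejected before an instance is constructed:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/*
 * Added illustration of the vulnerability class (deserialization of untrusted
 * data) named in the CISA KEV entry. This is not Cisco FMC code and does not
 * reproduce the FMC code path: the class names, the "session token" object and
 * the request bodies below are all constructed for the demo.
 */
public class DeserDemo {

    /** The one type our hypothetical management UI legitimately expects. */
    public static final class SessionToken implements Serializable {
        private static final long serialVersionUID = 1L;
        public final int userId;
        public SessionToken(int userId) { this.userId = userId; }
    }

    /** Stand-in for any other serializable class reachable on the server classpath. */
    public static final class NotExpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** Vulnerable pattern: deserialize whatever bytes the client sent. Any
     *  serializable class on the classpath is instantiated if the stream names it. */
    public static Object vulnerableRead(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    /** Hardened pattern: a JEP 290 allow-list filter (Java 9+) accepts only the
     *  expected class and rejects everything else ("!*") before construction. */
    public static Object filteredRead(byte[] body) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "DeserDemo$SessionToken;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    /** Helper: produce the bytes a client would place in the request body. */
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new SessionToken(42)); // constructed: what a real client sends
        byte[] hostile = serialize(new NotExpected());   // constructed: attacker-chosen class

        System.out.println("vulnerable, benign:  " + vulnerableRead(benign).getClass().getSimpleName());
        System.out.println("vulnerable, hostile: " + vulnerableRead(hostile).getClass().getSimpleName());
        System.out.println("filtered,   benign:  " + filteredRead(benign).getClass().getSimpleName());
        try {
            filteredRead(hostile);
            System.out.println("filtered,   hostile: accepted (should not happen)");
        } catch (InvalidClassException e) {
            // The filter reports a REJECTED status; no NotExpected instance was ever created.
            System.out.println("filtered,   hostile: rejected -> " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserDemo.java && java DeserDemo`. The allow-list is defense in depth, not a substitute for the vendor patch: a process that still deserializes attacker-supplied Java object streams remains a high-value target, and the durable fix is to not expose native Java serialization to unauthenticated clients at all. The same allow-list can be applied JVM-wide without code changes through the `jdk.serialFilter` system property.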
The Attack Timeline
What makes CVE-2026-20131 particularly alarming is the extended zero-day exploitation window:
| Date | Event |
|---|---|
| ~January 26, 2026 | Interlock ransomware begins exploiting the vulnerability as a zero-day |
| March 4, 2026 | Cisco releases a patch (37 days of zero-day exploitation) |
| March 18, 2026 | Public disclosure (51 days after first exploitation) |
| March 19, 2026 | CISA adds to KEV catalog with 3-day remediation deadline |
Amazon Threat Intelligence discovered the exploitation through its MadPot sensor network, a global honeypot infrastructure that records attacker behavior. Reporting on the discovery attributes the visibility into the operation to an OPSEC blunder by the Interlock operators: misconfigured attacker infrastructure exposed their full multi-stage toolkit, allowing researchers to map the operation end to end.
Why This Vulnerability Is Especially Dangerous
Several factors make CVE-2026-20131 a worst-case scenario for network defenders:
1. No Authentication Required
Unlike many Cisco vulnerabilities that require valid credentials, this flaw is exploitable by any unauthenticated attacker who can reach the FMC web interface. If your FMC management interface is exposed to the internet, or reachable from a poorly segmented internal network, you are at risk. Until the patch is applied, restricting reachability of the FMC web interface to a dedicated management network is the standard compensating control; it reduces exposure but does not remove the vulnerability.
2. Root-Level Code Execution
The vulnerable deserialization runs as root, so the attacker's Java payload executes with the highest privilege level on the appliance. From there, they can:
- Modify firewall rules to create persistent backdoors
- Disable security policies across your entire firewall fleet
- Exfiltrate firewall configurations (which contain network topology, NAT rules, and VPN configurations)
- Pivot to connected Firepower Threat Defense (FTD) devices
- Deploy ransomware across the managed network
3. Ransomware-Confirmed
CISA explicitly notes this vulnerability is “Known to be used in ransomware campaigns” — one of the more severe classifications in the KEV catalog. Interlock is a ransomware operation known for targeting enterprise environments, making this a direct threat to business continuity.