
A maximum-severity RCE flaw in Cisco’s Secure Firewall Management Center was silently weaponized by the Interlock ransomware group for over a month before anyone knew it existed — a textbook pre-disclosure zero-day that now sits in CISA’s KEV catalog and demands immediate action.
The Vulnerability: CVE-2026-20131
CISA has added CVE-2026-20131 (CVSS 10.0) — a critical flaw in Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management — to its Known Exploited Vulnerabilities catalog.
The vulnerability exists in the web-based management interface of Cisco FMC. It is rooted in insecure deserialization of a user-supplied Java byte stream, allowing an unauthenticated remote attacker to send a crafted serialized Java object that triggers arbitrary code execution and privilege escalation to root.
This is as bad as it gets technically: pre-auth, no interaction required, full root on a network security management platform. The attack surface here isn’t an endpoint or a workload — it’s the control plane that oversees your entire firewall estate.
Cisco patched CVE-2026-20131 on March 4, as part of its semiannual firewall update.
The Zero-Day Timeline: 36 Days of Silent Exploitation
This is where the story gets significantly more concerning than a typical n-day ransomware exploit.
Amazon Threat Intelligence, using its MadPot global honeypot sensor network, found that Interlock was exploiting CVE-2026-20131 beginning January 26, 2026 — 36 days before Cisco’s public disclosure on March 4.
Observed exploitation activity involved crafted HTTP requests to a specific path in the vulnerable FMC software. Request bodies contained Java code execution attempts and two embedded URLs: one delivering configuration data supporting the exploit, and another designed to confirm successful exploitation by causing the target to perform an HTTP PUT request and upload a generated file.
To confirm the kill chain, Amazon’s researchers took an unconventional but effective approach — they mimicked a compromised system to trigger Interlock’s next-stage payload. This led to the download of a malicious Linux ELF binary. Analysis revealed that a single server hosted the group’s full toolkit, organizing files by target and using the same paths to both deploy tools and collect stolen data.
The implication: while security teams were relying on Cisco patch advisories and vendor timelines to manage risk, Interlock was already inside organizations that were fully patched, because no patch yet existed.
Attack Chain: From RCE to Ransomware Deployment
Post-exploitation tooling reveals a mature, multi-stage operator — not a spray-and-pray crew.
Once CVE-2026-20131 is exploited, Interlock deploys a PowerShell-based reconnaissance script that systematically collects system and network information — installed software, running services, browser data, and active connections — organizing it into per-host directories on a centralized share and compressing it into ZIP archives for exfiltration. This structured approach is consistent with preparation for large-scale ransomware deployment across multiple systems.
Interlock uses multiple RATs to maintain persistent access. One JavaScript-based variant suppresses debugging output, gathers system details, and establishes encrypted C2 communication via WebSockets using RC4 encryption with unique keys per transmission.
Interlock also leveraged Certify, an open-source offensive tool designed to exploit misconfigurations in Active Directory Certificate Services (AD CS). For ransomware operators, Certify provides a pathway to identify vulnerable certificate templates that can be used to impersonate users, escalate privileges, or maintain persistent access. Because AD CS abuse needs an authenticated domain foothold, it supports privilege escalation after initial access and long-term persistence rather than the initial compromise itself.
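The template misconfiguration pattern that Certify's `find /vulnerable` reports (commonly called ESC1) reduces to a handful of attribute checks. The following is an added Python example, not Certify's code and not anything from the Amazon advisory: the template records are constructed stand-ins for what an LDAP query of the Certificate Templates container in the Configuration naming context returns, with the Enroll ACEs already resolved to principal names, and the template and group names are assumptions.

```python
"""ESC1-style certificate template check. Added example, not Certify's code.
The templates below are constructed; no real forest was queried."""

# Flag bits from the [MS-CRTD] template attribute definitions.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # in msPKI-Enrollment-Flag: manager approval

# EKUs that make an issued certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Enroll rights held by these groups make a template reachable from any domain foothold.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def esc1_findings(t):
    """Return the conditions that together make template `t` ESC1-abusable
    (a low-privileged user requests a certificate naming an arbitrary account
    and the CA issues it unattended), or [] as soon as one condition fails."""
    if not t["published"]:
        return []  # offered by no CA, so nobody can enroll in it
    if not t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return []  # subject is built from AD, requester cannot choose the SAN
    if t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        return []  # CA manager approval gates issuance
    if t["msPKI-RA-Signature"] > 0:
        return []  # an enrollment agent signature is required
    ekus = set(t["pKIExtendedKeyUsage"])
    if ekus and not ekus & AUTH_EKUS:
        return []  # e.g. server-auth only: cannot be used to log on as a user
    enrollers = set(t["enroll_principals"]) & LOW_PRIV_PRINCIPALS
    if not enrollers:
        return []  # Enroll is held only by privileged principals
    return [
        "enrollee supplies subject (requester chooses the SAN)",
        "no manager approval",
        "no authorized signatures required",
        "EKU allows authentication" if ekus else "empty EKU (any purpose)",
        "enrollable by " + ", ".join(sorted(enrollers)),
    ]


def audit(templates):
    """Map template name -> findings for every ESC1-shaped template."""
    return {t["name"]: f for t in templates if (f := esc1_findings(t))}


def template(name, name_flag, enroll_flag, ra_sig, ekus, enrollers, published=True):
    """Build a constructed template record with the attributes the check reads."""
    return {"name": name, "published": published,
            "msPKI-Certificate-Name-Flag": name_flag, "msPKI-Enrollment-Flag": enroll_flag,
            "msPKI-RA-Signature": ra_sig, "pKIExtendedKeyUsage": ekus,
            "enroll_principals": enrollers}


# Constructed sample (names and ACLs are assumptions, not from any real domain).
SAMPLE_TEMPLATES = [
    # classic ESC1: any domain user picks the subject, client-auth EKU, auto-issued
    template("VPN-User-Legacy", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], ["Domain Users"]),
    # same shape but server-auth EKU only, so the certificate cannot log a user on
    template("WebServer", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.1"], ["Domain Computers"]),
    # subject built from AD rather than supplied by the requester
    template("User", 0x0, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], ["Domain Users"]),
    # requester supplies subject, but CA manager approval is required
    template("Admin-SmartCard", 0x1, 0x2, 0, ["1.3.6.1.4.1.311.20.2.2"], ["Domain Users"]),
    # ESC1-shaped, but only a privileged group holds Enroll
    template("PKI-Agents", 0x1, 0x0, 0, [], ["Domain Admins"]),
    # ESC1-shaped but published on no CA
    template("Old-Test", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], ["Authenticated Users"], published=False),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TEMPLATES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Only `VPN-User-Legacy` trips every check; each of the other templates is saved by exactly one control, which is the point of running such an audit before an attacker with a foothold runs Certify against the same templates.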
Ransom notes deployed by Interlock notably referenced multiple data protection regulations — a deliberate pressure tactic threatening victims with not just encryption but potential regulatory penalties. Each victim was assigned a unique organization identifier, consistent with a structured tracking model.
Who is Interlock?
The Interlock ransomware operation surfaced in September 2024 and has been linked to ClickFix campaigns and malware attacks deploying a remote access trojan called NodeSnake on networks of multiple UK universities. The group has also claimed responsibility for attacks on DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul, Minnesota.
Some researchers assess Interlock as a possible RaaS offshoot of the Rhysida group, which was behind the highly disruptive 2023 ransomware attack on The British Library.
More recently, IBM X-Force researchers reported that Interlock operators have deployed a new malware strain dubbed Slopoly, likely created using generative AI tools.
Temporal analysis of Interlock’s activity patterns suggests the operators likely function in a UTC+3 time zone, with activity typically beginning around 08:30, peaking between 12:00 and 18:00, and declining overnight.
Indicators of Compromise
Amazon’s advisory includes IP addresses, malicious domains, and JA3 client fingerprint hashes for threat hunting. Given Interlock’s use of content variation techniques (modifying scripts and binaries per target), file hashes are not reliable indicators — security teams should focus on behavioral and network-based IOCs from the Amazon advisory.
Recommended Actions
For any organization running Cisco Secure FMC or Cisco SCC Firewall Management:
- Apply Cisco’s March 4, 2026 patch immediately. Use Cisco’s Software Checker to identify the correct update path for your FMC version.
- Assume breach posture for unpatched systems active since January 26. Treat any FMC environment that was internet-accessible or reachable without strict segmentation from late January onward as potentially compromised. Initiate forensic review.
- Hunt using Amazon MadPot IOCs. Review HTTP logs for requests to the vulnerable FMC endpoint, outbound HTTP PUT requests from the FMC host to destinations you do not recognise, and the JA3 fingerprints, IP addresses and domains listed in the advisory.
- Audit AD CS immediately. Run Certify or BloodHound-based AD CS enumeration to identify exploitable certificate templates before attackers do.
- Harden management plane access. FMC should never be internet-exposed. Enforce segmentation, MFA, and jump-host-only access to all security management infrastructure.
- Inventory ScreenConnect and remote access tooling. Interlock is known to install unauthorized ScreenConnect instances for persistent access — audit your RMM deployment aggressively.
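The two network behaviours described in the exploitation timeline above (a crafted request carrying a serialized Java object to the FMC web interface, then the FMC host itself performing an HTTP PUT to an attacker address) are hunted for in the following added Python example, together with a JA3 match. This is not code from the Amazon advisory: the log records, hosts, URL paths and the JA3 value in the IOC set are constructed placeholders, and the advisory's actual request path is not reproduced here, which is why the inbound check keys on the Java serialization header rather than on the path.

```python
"""Hunt for exploitation behaviour around CVE-2026-20131 in proxy and TLS logs.
Added example, not the advisory's code. All records, addresses, paths and the
IOC JA3 value are constructed placeholders: substitute the advisory's real IOCs,
your own FMC addresses and your egress allowlist."""
import base64
import json
from urllib.parse import urlsplit

# Every Java serialized stream starts with STREAM_MAGIC + STREAM_VERSION.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# Base64 of that header; the sixth character depends on the next byte, so match five.
JAVA_SERIAL_B64 = base64.b64encode(JAVA_SERIAL_MAGIC)[:5]  # b"rO0AB"

FMC_HOSTS = {"10.20.0.5"}                                   # assumed FMC management IPs
EGRESS_ALLOW = {"tools.cisco.com", "updates.corp.example"}  # assumed legitimate egress
IOC_JA3 = {"00000000000000000000000000000000"}              # placeholder, use advisory values


def is_java_serialized(body):
    """True if a request body (str or bytes) starts with a Java serialization
    header, raw or base64-encoded, after optional leading whitespace."""
    if isinstance(body, str):
        body = body.encode("latin-1", "ignore")
    body = body.lstrip()
    return body.startswith(JAVA_SERIAL_MAGIC) or body.startswith(JAVA_SERIAL_B64)


def hunt(proxy_lines, ssl_lines):
    """proxy_lines: JSON-lines records with src, dst, method, url and the body as
    captured by a WAF or reverse proxy. ssl_lines: simplified Zeek-style TSV
    'ts orig_h resp_h server_name ja3'. Returns (kind, src, detail) alerts."""
    alerts = []
    for line in proxy_lines:
        r = json.loads(line)
        host = urlsplit(r["url"]).hostname
        # 1. inbound: a request to the FMC web interface carrying a serialized object
        if r["dst"] in FMC_HOSTS and r["method"] in ("POST", "PUT") and is_java_serialized(r["body"]):
            alerts.append(("java-deserialization-attempt", r["src"], urlsplit(r["url"]).path))
        # 2. outbound: the FMC host uploading via PUT to a destination outside the allowlist
        if r["src"] in FMC_HOSTS and r["method"] == "PUT" and host not in EGRESS_ALLOW:
            alerts.append(("fmc-outbound-put", r["src"], host))
    for line in ssl_lines:
        ts, orig_h, resp_h, sni, ja3 = line.split("\t")
        # 3. a TLS client fingerprint from the advisory, from any host on the network
        if ja3 in IOC_JA3:
            alerts.append(("ja3-ioc-match", orig_h, resp_h))
    return alerts


# Constructed sample logs (the base64 body is a truncated stand-in, not a real payload).
PROXY_LINES = [
    json.dumps({"src": "203.0.113.77", "dst": "10.20.0.5", "method": "POST",
                "url": "https://10.20.0.5/placeholder-path", "body": "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA=="}),
    json.dumps({"src": "10.20.0.40", "dst": "10.20.0.5", "method": "POST",
                "url": "https://10.20.0.5/placeholder-path", "body": "username=admin&password=REDACTED"}),
    json.dumps({"src": "10.20.0.5", "dst": "198.51.100.23", "method": "PUT",
                "url": "http://198.51.100.23/placeholder/upload", "body": "<binary omitted>"}),
    json.dumps({"src": "10.20.0.5", "dst": "192.0.2.10", "method": "GET",
                "url": "https://tools.cisco.com/placeholder", "body": ""}),
]
SSL_LINES = [
    "1769400000.1\t10.20.0.5\t198.51.100.23\t-\t00000000000000000000000000000000",
    "1769400001.2\t10.20.0.40\t192.0.2.20\twww.example.com\tffffffffffffffffffffffffffffffff",
]

if __name__ == "__main__":
    for alert in hunt(PROXY_LINES, SSL_LINES):
        print(*alert)
```

The outbound PUT check is the more durable of the three: the inbound payload and the JA3 fingerprint can change between victims, but a firewall management platform initiating an HTTP PUT to an address you never approved is anomalous regardless of what the payload looked like.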