Breaking: Cisco FMC CVSS 10.0 Zero-Day Exploited by Interlock Ransomware Since January — 19 March 2026
CISA added CVE-2026-20131 to its Known Exploited Vulnerabilities catalogue today, 19 March 2026, with a federal remediation deadline of 22 March — a three-day window that reflects the severity of what is now confirmed to be active ransomware exploitation. The vulnerability is a Java deserialization flaw in Cisco Secure Firewall Management Center (FMC) and Cisco Security Cloud Control (SCC). It carries a CVSS score of 10.0. An unauthenticated, remote attacker can send a crafted serialised object to the FMC web management interface and execute arbitrary code as root. No credentials required.
CISA's own notes flag this as known to be used in ransomware campaigns. They are not wrong.
Interlock Exploited This as a Zero-Day for 36 Days Before Disclosure
Amazon threat intelligence, working through its MadPot global honeypot network, identified that the Interlock ransomware group had been actively exploiting CVE-2026-20131 since 26 January 2026 — more than five weeks before Cisco publicly disclosed the vulnerability in early March. Amazon shared its findings with Cisco to support the investigation.
Interlock, active since September 2024, is not a minor player. Prior confirmed victims include DaVita (kidney dialysis), Kettering Health, and Texas Tech University. The group is assessed to operate in the UTC+3 timezone. Their toolkit, exposed through a misconfigured infrastructure server, reveals a mature and deliberate operation.
What the Toolkit Looks Like
The Amazon analysis documented the full Interlock attack chain as it operates against FMC targets. Initial exploitation sends crafted HTTP requests to trigger Java code execution. A beacon call-home confirms successful compromise. An ELF binary is then fetched from a remote server, followed by deployment of the group's complete toolkit.
That toolkit includes custom remote access trojans written in JavaScript and Java with interactive shell access, bidirectional file transfer, and SOCKS5 proxy capability; a PowerShell reconnaissance script that enumerates hardware, services, installed software, virtual machine inventory, browser artifacts from Chrome, Edge, Firefox, IE and 360 browser, and RDP authentication events; a Bash script that deploys HAProxy as a reverse proxy and runs a cron job every five minutes to delete all log files and suppress shell history; a memory-resident web shell with encrypted command payloads; ConnectWise ScreenConnect for persistent remote access; and the Volatility memory forensics framework. This is not opportunistic. This is operational infrastructure designed for long-term persistence and forensic evasion.
Scope and Exposure
Cisco FMC is the centralised management console for Cisco Adaptive Security Appliances and Firepower devices. Organisations running Cisco's firewall estate — which is a substantial portion of enterprise and critical infrastructure networks — will have FMC deployed. In many environments, FMC is accessible from internal management networks or, in misconfigured deployments, from broader network segments. The flaw does not require authentication to exploit. Any reachable FMC instance is a target.
Action for CISOs
Patch immediately. Cisco issued fixes in early March — apply them now. The CISA KEV deadline of 22 March applies to federal agencies by regulation; treat it as your own deadline regardless of sector.
Assume you may already be compromised if you were running an unpatched FMC instance after 26 January. Look for ScreenConnect installations that were not authorised by your team. Review management network logs for unexpected outbound HTTP PUT requests and connections to unfamiliar external infrastructure. Check for HAProxy processes and suppressed shell histories on Linux systems in or adjacent to your firewall management zone.
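The hunting checks above, as an added example that is not from the article or from Amazon's analysis: a small Python triage routine that applies the described indicators (a high-frequency cron job wiping logs and shell history, suppressed history in shell profiles, HAProxy and ScreenConnect processes, outbound HTTP PUT from management hosts) to constructed sample artefacts from a hypothetical management host. Host names, addresses, paths and log format are constructed placeholders.

```python
import re

# Constructed sample artefacts from a hypothetical FMC management host
# (not real Interlock data): a crontab, a shell profile fragment, a process
# listing and a few proxy log lines in an assumed "time host method url status" format.
CRONTAB = """\
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * rm -rf /var/log/*; history -c; unset HISTFILE
"""
PROFILE = "export PATH=$PATH:/usr/local/bin\nexport HISTSIZE=0\nunset HISTFILE\n"
PROCESSES = ["sshd", "java", "haproxy -f /tmp/.cfg", "ScreenConnect.ClientService"]
PROXY_LOG = """\
2026-02-03T10:14:01Z fmc-mgmt-01 PUT https://203.0.113.7/upload 200
2026-02-03T10:15:22Z fmc-mgmt-01 GET https://updates.example.com/ 200
"""

def cron_log_wipe(crontab):
    """Cron entries on a minute-interval schedule (*/N) that delete logs or
    clear shell history: the five-minute wiper pattern described in the article."""
    wipe = re.compile(r"rm\s+-rf\s+/var/log|history\s+-c|unset\s+HISTFILE")
    return [ln for ln in crontab.splitlines() if ln.startswith("*/") and wipe.search(ln)]

def history_suppressed(profile):
    """True if a shell profile disables or discards command history."""
    return bool(re.search(r"HISTSIZE=0|unset\s+HISTFILE|HISTFILE=/dev/null", profile))

def suspicious_processes(processes, allowed=()):
    """HAProxy or ScreenConnect processes not on the approved list."""
    names = ("haproxy", "screenconnect")
    return [p for p in processes if any(n in p.lower() for n in names) and p not in allowed]

def outbound_put(proxy_log, mgmt_hosts):
    """Outbound HTTP PUT requests originating from firewall management hosts."""
    hits = []
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[1] in mgmt_hosts and parts[2] == "PUT":
            hits.append(line)
    return hits

def triage(crontab=CRONTAB, profile=PROFILE, processes=PROCESSES,
           proxy_log=PROXY_LOG, mgmt_hosts=("fmc-mgmt-01",), allowed=()):
    """Run every check and return the findings keyed by indicator."""
    return {
        "cron_log_wipe": cron_log_wipe(crontab),
        "history_suppressed": history_suppressed(profile),
        "processes": suspicious_processes(processes, allowed),
        "outbound_put": outbound_put(proxy_log, mgmt_hosts),
    }

if __name__ == "__main__":
    for indicator, finding in triage().items():
        print(indicator, finding)
```

Feed it real crontabs, profiles, `ps` output and proxy logs collected from hosts in the firewall management zone; an approved-software list goes in `allowed` so sanctioned ScreenConnect or HAProxy deployments are not flagged.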
The zero-day gap here — 36 days of active exploitation before any patch existed — is the real lesson. When ransomware operators have a CVSS 10.0 zero-day in a network perimeter control, your patching programme cannot protect you. Defence-in-depth matters: restrict management interface access to dedicated jump hosts, segment firewall management networks aggressively, and monitor for anomalous outbound traffic from management systems. None of that eliminates the risk, but it raises the cost of exploitation to the point where many attackers move on.