Breaking: Cisco FMC CVSS 10.0 Zero-Day Exploited by Ransomware Group — 20 March 2026
Cisco FMC Zero-Day: CVSS 10.0, Exploited as Ransomware Backdoor for Six Weeks Before Patch
A maximum-severity vulnerability in Cisco Secure Firewall Management Center (FMC) was exploited as a zero-day by the Interlock ransomware group for nearly six weeks before a patch became available — and CISA added it to the Known Exploited Vulnerabilities catalog yesterday with a federal remediation deadline of 22 March 2026.
The flaw, CVE-2026-20131 (CVSS 10.0), is an insecure deserialization vulnerability in the web-based management interface of Cisco FMC Software and Cisco Security Cloud Control (SCC) Firewall Management. It allows an unauthenticated, remote attacker to execute arbitrary Java code as root. The attack surface is the management plane — a component that carries full visibility of firewall policy, network topology, and access controls across an estate.
Exploitation Timeline
Amazon Threat Intelligence, using the company's MadPot global sensor network, identified the first confirmed exploitation on 26 January 2026 — 38 days before Cisco published the patch on 4 March as part of its semiannual FMC update. During that window, Interlock had what the Amazon CISO described as "a zero-day in their hands, giving them a week's head start to compromise organisations before defenders even knew to look."
The attack chain begins with crafted HTTP requests to a specific path in FMC's interface. Successful exploitation triggers an outbound HTTP PUT callback to Interlock-controlled infrastructure — confirming code execution — followed by retrieval of a Linux ELF binary and additional tooling. Amazon's investigation was aided by an operational security error on Interlock's part: a misconfigured staging server exposed their full toolkit, including custom remote access trojans, PowerShell reconnaissance scripts (targeting browser credentials, Hyper-V inventories, service lists, and user directories), and evasion scripts.
Compounding Risk: SharePoint Also in Active Exploitation
CISA simultaneously added CVE-2026-20963 (CVSS 9.8) to KEV — a deserialization RCE flaw in Microsoft SharePoint Server 2016, 2019, and Subscription Edition, patched in January 2026. Active exploitation is confirmed; the threat actor is unattributed at this time. Federal agencies have until 9 April to remediate. That FMC and SharePoint were both added to KEV under active exploitation within the same 48-hour window is notable: both are enterprise infrastructure chokepoints, and both can be leveraged for lateral movement and credential harvesting before ransom deployment.
Affected Versions
Cisco FMC Software and Cisco Security Cloud Control (SCC) Firewall Management are affected. Cisco issued patches on 4 March 2026 via its semiannual firewall advisory. If your organisation has not applied that update — or if the patch window was deferred — assume exposure. The KEV due date of 22 March for federal agencies reflects genuine urgency, not boilerplate.
Action
Check patch status for all Cisco FMC instances immediately. If patching cannot complete before 22 March, restrict management-plane access to known-good source IPs at the network perimeter as an interim control — this attack is unauthenticated, so removing internet-accessible management interfaces eliminates the primary vector. Review FMC logs from 26 January (the date of the first confirmed exploitation) forward for the exploitation indicator pattern: anomalous HTTP requests to the FMC management interface followed by outbound connections from the FMC host to unfamiliar IPs.
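The two controls above (a source-IP allowlist for the management plane, and a log review for inbound management requests followed by an outbound callback) can be checked with a small correlation script. The following is an added example written for this article; it is not code from Cisco, Amazon, or the original post. The log formats, field layout, host addresses, allowlist ranges, and timestamps are all constructed assumptions for illustration; real FMC and perimeter-firewall logs will need their own parsers, and the specific request path used in the attack is not reproduced here.

```python
"""
Added example (not from the article, Cisco, or Amazon): correlate two
constructed log sources for the indicator pattern described in the text --
an HTTP request to the FMC management interface from a source outside the
known-good allowlist, followed shortly by an outbound HTTP PUT from the FMC
host to a destination that is not a known internal range.
"""
from datetime import datetime, timedelta
import ipaddress

# Constructed sample of FMC web-interface access log lines.
# Assumed layout: ISO-8601 timestamp, client IP, method, path, HTTP status.
INBOUND_LOG = """\
2026-02-10T09:00:01Z 10.20.0.15 GET /ui/login 200
2026-02-10T09:14:22Z 203.0.113.45 POST /ui/ASSUMED_ENDPOINT 200
2026-02-10T09:15:05Z 10.20.0.15 GET /ui/policies 200
2026-02-10T11:30:00Z 198.51.100.7 POST /ui/ASSUMED_ENDPOINT 500
"""

# Constructed sample of perimeter-firewall outbound connection records.
# Assumed layout: ISO-8601 timestamp, source IP, destination IP, HTTP method.
OUTBOUND_LOG = """\
2026-02-10T09:14:25Z 10.20.0.5 192.0.2.200 PUT
2026-02-10T09:40:00Z 10.20.0.5 10.20.0.9 GET
2026-02-10T11:31:10Z 10.20.0.5 192.0.2.201 PUT
"""

FMC_HOST = ipaddress.ip_address("10.20.0.5")                 # assumed FMC address
MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]      # assumed admin network
KNOWN_DESTINATIONS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed internal ranges
WINDOW = timedelta(minutes=5)  # assumed gap between request and callback


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_inbound(text):
    """Parse management-interface access lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, status = line.split()
        events.append({"ts": parse_ts(ts), "src": ipaddress.ip_address(ip),
                       "method": method, "path": path, "status": int(status)})
    return events


def parse_outbound(text):
    """Parse outbound connection records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method = line.split()
        events.append({"ts": parse_ts(ts), "src": ipaddress.ip_address(src),
                       "dst": ipaddress.ip_address(dst), "method": method})
    return events


def in_any(ip, networks):
    return any(ip in net for net in networks)


def mgmt_source_allowed(ip_text, allowlist=MGMT_ALLOWLIST):
    """Interim control: is this source permitted to reach the management plane?"""
    return in_any(ipaddress.ip_address(ip_text), allowlist)


def correlate(inbound, outbound, fmc_host, allowlist, known_dst, window):
    """Pair each non-allowlisted management request with any outbound PUT from
    the FMC host to an unfamiliar destination inside the time window."""
    hits = []
    for req in inbound:
        if in_any(req["src"], allowlist):
            continue  # expected admin traffic
        for conn in outbound:
            if conn["src"] != fmc_host or conn["method"] != "PUT":
                continue
            if in_any(conn["dst"], known_dst):
                continue  # internal destination, not a callback
            delta = (conn["ts"] - req["ts"]).total_seconds()
            if 0 <= delta <= window.total_seconds():
                hits.append((req, conn))
    return hits


def find_suspicious_pairs():
    """Run the correlation over the constructed sample logs."""
    return correlate(parse_inbound(INBOUND_LOG), parse_outbound(OUTBOUND_LOG),
                     FMC_HOST, MGMT_ALLOWLIST, KNOWN_DESTINATIONS, WINDOW)


if __name__ == "__main__":
    for req, conn in find_suspicious_pairs():
        print(f"{req['ts']} request from {req['src']} to {req['path']} -> "
              f"{conn['ts']} outbound PUT to {conn['dst']}")
```

The time window is the tunable part: the article describes the callback as immediately following the crafted request, so a few minutes is a reasonable starting point, but widen it if the FMC host's clock and the firewall's clock are not synchronised. Inbound requests from outside the allowlist that have no matching callback are still worth listing separately, since they show whether the management interface was reachable from unexpected sources at all.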
For SharePoint: apply January 2026 cumulative updates to all on-premises deployments. SharePoint Online is not affected.
Both vulnerabilities are confirmed ransomware-linked. Neither should be treated as a routine Patch Tuesday item.