Interlock Ransomware Exploited Cisco FMC Zero-Day for 36 Days Before Patch: Root Access on Enterprise Firewalls

Cisco's Firepower Management Center (FMC) contains a CVSS 10.0 deserialization vulnerability that Interlock ransomware was exploiting as a zero-day for 36 days before Cisco disclosed or patched it. CVE-2026-20131 allows unauthenticated remote attackers to execute arbitrary Java code as root on any internet-exposed FMC appliance. Cisco patched the flaw on 4 March 2026, but unpatched appliances remain under active ransomware targeting.

Tags: #cisco #firepower #fmc #zero-day #deserialization #rce #ransomware #interlock #cisa-kev #cve-2026-20131 #firewall-management

The Vulnerability

CVE-2026-20131 is a critical insecure deserialization vulnerability in Cisco Secure Firewall Management Center (FMC), the centralised management platform used to configure, monitor, and manage Cisco Firepower network security appliances across enterprise environments. The vulnerability carries a CVSS score of 10.0.

An unauthenticated, remote attacker can exploit the flaw by sending a specially crafted serialised Java object to the FMC management interface. The appliance deserialises the untrusted object without validation, resulting in arbitrary Java code execution as the root user. No credentials, no user interaction, and no special network position are required beyond network access to the management interface.
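To make the mechanism concrete, here is an added example in Java. It is not Cisco's code and is not derived from the FMC implementation; the `PolicyUpdate` message type, the class names and the "management port" framing are assumptions for the illustration. A service reads a serialised object from a client. The unfiltered reader loads whatever class name the stream carries and runs that class's `readObject` hook before the application ever gets to check the type, which is exactly the window a gadget chain needs. The hardened reader installs a JEP 290 `ObjectInputFilter` allow-list (in the JDK since Java 9 and backported to 8u121) that rejects every class except the one expected, and the rejection happens before any of the rejected class's code runs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationDemo {

    // The one message type this hypothetical service expects from clients.
    static final class PolicyUpdate implements Serializable {
        private static final long serialVersionUID = 1L;
        final String ruleName;
        PolicyUpdate(String ruleName) { this.ruleName = ruleName; }
    }

    // Stand-in for an attacker-chosen class. The property that matters is that
    // readObject() runs during deserialization, under the service's identity,
    // before the caller can inspect or type-check the result.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean readObjectRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true;   // a real gadget chain does its damage at this point
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // VULNERABLE: no filter, so any class on the classpath named in the stream is
    // instantiated and its readObject hooks run. A later instanceof check is too late.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // HARDENED: allow-list filter. The filter is consulted for every class resolved
    // from the stream; anything not listed is rejected with InvalidClassException
    // before the class is instantiated. java.lang.String is allowed for the field.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowOnlyPolicyUpdate = ObjectInputFilter.Config.createFilter(
                PolicyUpdate.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowOnlyPolicyUpdate);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new PolicyUpdate("allow-dns"));
        byte[] hostile = serialize(new Unexpected());

        // Unfiltered: the hostile object's readObject() executes.
        readUnfiltered(hostile);
        System.out.println("unfiltered: hostile readObject ran = " + Unexpected.readObjectRan);

        Unexpected.readObjectRan = false;
        // Filtered: the expected message is still accepted...
        PolicyUpdate ok = (PolicyUpdate) readFiltered(benign);
        System.out.println("filtered: accepted rule " + ok.ruleName);
        // ...and the hostile one is refused before its code can run.
        try {
            readFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage()
                    + "), hostile readObject ran = " + Unexpected.readObjectRan);
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo`. Two practitioner caveats: a filter only helps if it is an allow-list (a deny-list of known gadget classes is what attackers routinely bypass), and for a third-party appliance whose code you cannot change, the same allow-list can be imposed process-wide with the `jdk.serialFilter` system property or the JVM-wide `ObjectInputFilter.Config.setSerialFilter` call, though a vendor patch is still the real fix.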

Cisco patched CVE-2026-20131 on 4 March 2026 as part of security advisory Cisco SA-FMC-2026-0001.

Zero-Day Exploitation: 36 Days Before the Patch

Security researchers confirmed that Interlock ransomware began exploiting CVE-2026-20131 as an unpatched zero-day on 26 January 2026, more than five weeks before Cisco disclosed the vulnerability or released a fix. This pre-disclosure exploitation window means:

  • Organisations following normal patch management had nothing to apply during Interlock’s initial campaign, because no advisory and no fix existed yet
  • Any Cisco FMC appliance whose management interface was reachable from an attacker-controlled network was exposed to the campaign throughout February and into early March
  • The 36-day head start let Interlock run initial-access operations across a wide set of targets before defenders knew there was anything to respond to

Amazon threat intelligence teams documented Interlock’s campaign, which used initial FMC compromise to gain root access to the management appliance, pivot to the Firepower sensors managed by the FMC, and from there access network segments protected by those sensors.

Why Compromising Cisco FMC Is Particularly Severe

The Firepower Management Center is not merely a server: it is the control plane for your network security enforcement. An attacker who controls the FMC can:

  • Read all existing firewall policies: gaining a complete map of your network segmentation, allowed services, and security control gaps
  • Modify firewall rules: remove blocking rules, add permit rules, or insert policy changes that open pathways through your perimeter
  • Access all managed Firepower sensors: the FMC has management-plane access to every sensor it manages, which may include DMZ firewalls, internal segmentation firewalls, and cloud security appliances
  • Extract VPN configuration and keys: FMC manages site-to-site and remote access VPN configurations including pre-shared keys and certificate information
  • Evade detection: by modifying logging and IDS/IPS policies, an attacker with FMC access can reduce their visibility to network monitoring systems

Ransomware groups specifically target management platforms because compromise of the management plane allows them to disable security controls before executing their destructive phase.

Recommended Actions

  1. Apply the Cisco FMC patch immediately: upgrade to a release that addresses CVE-2026-20131 per Cisco advisory SA-FMC-2026-0001. Patching does not evict an attacker who is already on the appliance, so if the management interface was reachable while unpatched at any point since 26 January 2026, treat the FMC as potentially compromised rather than simply fixed
  2. Restrict FMC management interface network access: the management interface should be reachable only from a dedicated management network with no direct internet exposure. This is the most impactful long-term control for protecting management-plane infrastructure
  3. Audit FMC access logs from 26 January 2026 onwards for unexpected logins, policy changes, or new administrative accounts. If your FMC was internet-accessible and unpatched, conduct a thorough forensic review
  4. Review firewall policy integrity: compare current Firepower policy configurations against your last known-good backup to identify any unauthorised rule changes
  5. Check VPN configurations: verify that no unauthorised certificates or pre-shared keys have been added or modified in VPN configurations managed through the FMC
  6. Engage incident response if: you identify unexplained policy changes, new administrative accounts, unusual outbound traffic from FMC, or cannot account for the FMC’s activity during February and early March
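As an added example, and not a Cisco tool or the FMC's real export or log format, here are steps 3 to 5 above reduced to code in Java 16+ on constructed sample data. `diffPolicy` compares a rule export against the known-good backup keyed by rule name and reports added, removed and modified rules; `flagEvents` keeps audit events dated on or after 26 January 2026 that come from an account outside your known administrator set or that record account creation, policy deployment or VPN changes. The pipe-separated rule and log formats, the field names, the keyword matches and every sample entry are constructed for this illustration; swap the two `parse` methods for whatever your FMC actually exports and the rest stands.

```java
import java.time.LocalDate;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class FmcCompromiseTriage {

    // One access-control rule from a configuration export. The pipe-separated
    // form (name|action|source|destination) is constructed for this example.
    record Rule(String name, String action, String source, String destination) {
        static Rule parse(String line) {
            String[] f = line.split("\\|", -1);
            if (f.length != 4) throw new IllegalArgumentException("bad rule line: " + line);
            return new Rule(f[0].trim(), f[1].trim(), f[2].trim(), f[3].trim());
        }
    }

    record PolicyDiff(List<Rule> added, List<Rule> removed, List<Rule> changed) {
        boolean isClean() { return added.isEmpty() && removed.isEmpty() && changed.isEmpty(); }
    }

    // Index rules by name, preserving export order; a duplicate name means the
    // export is not something we can reason about, so fail loudly.
    static Map<String, Rule> byName(List<String> lines) {
        Map<String, Rule> m = new LinkedHashMap<>();
        for (String line : lines) {
            Rule r = Rule.parse(line);
            if (m.put(r.name(), r) != null) throw new IllegalArgumentException("duplicate rule: " + r.name());
        }
        return m;
    }

    // Step 4: compare the current export against the last known-good backup.
    static PolicyDiff diffPolicy(List<String> backup, List<String> current) {
        Map<String, Rule> before = byName(backup);
        Map<String, Rule> after = byName(current);
        List<Rule> added = new ArrayList<>(), removed = new ArrayList<>(), changed = new ArrayList<>();
        for (Rule r : after.values()) {
            Rule old = before.get(r.name());
            if (old == null) added.add(r);            // rule not in backup
            else if (!old.equals(r)) changed.add(r);  // same name, different action or scope
        }
        for (Rule r : before.values()) {
            if (!after.containsKey(r.name())) removed.add(r);   // rule deleted since backup
        }
        return new PolicyDiff(added, removed, changed);
    }

    // Steps 3 and 5: audit events. Constructed format: date|user|event text.
    record AuditEvent(LocalDate date, String user, String event) {
        static AuditEvent parse(String line) {
            String[] f = line.split("\\|", 3);   // limit 3 so '|' inside the event text survives
            if (f.length != 3) throw new IllegalArgumentException("bad audit line: " + line);
            return new AuditEvent(LocalDate.parse(f[0].trim()), f[1].trim(), f[2].trim());
        }
    }

    // First observed exploitation date reported above; everything from here on is in scope.
    static final LocalDate EXPLOITATION_START = LocalDate.of(2026, 1, 26);

    // Keep in-window events that are from an account outside the known administrator set,
    // or that record the actions an intruder needs: new accounts, policy pushes, VPN edits.
    static List<AuditEvent> flagEvents(List<String> auditLines, Set<String> knownAdmins) {
        List<AuditEvent> flagged = new ArrayList<>();
        for (String line : auditLines) {
            AuditEvent e = AuditEvent.parse(line);
            if (e.date().isBefore(EXPLOITATION_START)) continue;
            String text = e.event().toLowerCase();
            boolean unknownUser = !knownAdmins.contains(e.user());
            boolean sensitive = text.contains("user created") || text.contains("policy deployed")
                    || text.contains("vpn");
            if (unknownUser || sensitive) flagged.add(e);
        }
        return flagged;
    }

    public static void main(String[] args) {
        // Constructed sample data: a backup taken before the window and today's export.
        List<String> backup = List.of(
                "block-inbound-rdp|BLOCK|any|dmz-servers:3389",
                "allow-dns|ALLOW|internal|dns-servers:53",
                "deny-all|BLOCK|any|any");
        List<String> current = List.of(
                "allow-dns|ALLOW|any|any",           // changed: scope widened to any/any
                "mgmt-temp|ALLOW|any|internal:22",   // added: new permit into the internal segment
                "deny-all|BLOCK|any|any");           // block-inbound-rdp is gone
        PolicyDiff d = diffPolicy(backup, current);
        System.out.println("policy clean = " + d.isClean());
        System.out.println("added   = " + d.added());
        System.out.println("removed = " + d.removed());
        System.out.println("changed = " + d.changed());

        // Constructed audit trail: one pre-window login, then an account creation and a
        // policy push by the new account inside the window.
        List<String> audit = List.of(
                "2026-01-20|admin|login success",
                "2026-01-30|admin|user created: svc-backup (Administrator)",
                "2026-02-02|svc-backup|policy deployed: Corp-Access-Policy",
                "2026-02-10|admin|login success");
        for (AuditEvent e : flagEvents(audit, Set.of("admin"))) System.out.println("FLAG " + e);
    }
}
```

Run with `javac FmcCompromiseTriage.java && java FmcCompromiseTriage`. Two findings from the policy diff (a removed block rule and a new any-source permit) plus an in-window account creation followed by a policy deployment from that new account are exactly the combination step 6 says should trigger incident response; the point of scripting the comparison is that a human reading a large rule base tends to notice added rules and miss deleted ones, and the deleted block rule is the one that opens the path.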