Commissioned, Curated and Published by Russ. Researched and written with AI.


CVE-2026-20131 is a CVSS 10.0 vulnerability in Cisco Secure Firewall Management Center. It allows an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. Cisco published its advisory on March 4, 2026. The Interlock ransomware gang had been exploiting it since January 26 – 36 days earlier.

That gap is the story. When attackers hold a zero-day in widely deployed network security infrastructure, defenders have no patch to apply, no advisory to act on, and no way to know they’re already compromised.

What the Vulnerability Is

The root cause is insecure deserialization of a user-supplied Java byte stream. An attacker sends a crafted HTTP request to a specific path in the FMC software, and the deserialization process executes attacker-controlled Java code with root privileges. No authentication required. No workarounds available – Cisco’s advisory is explicit on both counts.
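To make the bug class concrete, here is an added example (not Cisco FMC code, and not Amazon's research code) showing the vulnerable pattern beside the hardened one. The class names, the allowlist contents and the sample payloads are assumptions constructed for the demonstration: `deserializeUnfiltered` is the shape of the flaw (any serializable class the stream names gets instantiated), while `deserializeFiltered` applies a JEP 290 `ObjectInputFilter` allowlist so that only the types the endpoint actually expects can be built from untrusted bytes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;

// Added example of a generic Java deserialization endpoint; not Cisco FMC code.
public class DeserializationDemo {

    // Vulnerable pattern: readObject() on an untrusted stream instantiates whatever
    // serializable class the stream names, so any gadget class on the classpath is reachable.
    static Object deserializeUnfiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Hardened pattern: a JEP 290 allowlist (assumed contents). Only the named classes may be
    // instantiated, "!*" rejects everything else, and the limits cap size and nesting.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.String;maxdepth=8;maxrefs=256;maxbytes=8192;!*");

    static Object deserializeFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    // Produces a serialized stream, standing in for a request body.
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign payload of a type the endpoint is meant to accept.
        ArrayList<String> expected = new ArrayList<>();
        expected.add("config-v1");
        byte[] expectedBody = serialize(expected);

        // A class outside the allowlist stands in for the root of a gadget chain.
        byte[] unexpectedBody = serialize(new HashMap<String, String>());

        System.out.println("filtered, allowed class:  " + deserializeFiltered(expectedBody));
        System.out.println("unfiltered, any class:    " + deserializeUnfiltered(unexpectedBody));
        try {
            deserializeFiltered(unexpectedBody);
        } catch (InvalidClassException e) {
            // The filter rejects the class before any of its code runs.
            System.out.println("filtered, rejected class: " + e.getMessage());
        }
    }
}
```

The design point is that the filter is evaluated for every class descriptor before the class is resolved, so a rejected type never reaches its `readObject` or any gadget logic. Running the same `HashMap` stream through both paths shows the difference: the unfiltered call returns an object, the filtered call throws `InvalidClassException`. A filter of this kind is an application-level fix that a vendor builds into the product; it is not a configuration a customer can apply to FMC, which is why Cisco lists no workaround.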

The FMC is the centralised management plane for Cisco’s network security stack: firewalls, intrusion prevention, application control, URL filtering, malware protection. Compromise here means visibility into and potential control over the entire defensive perimeter it administers.

How Amazon Found It

Amazon Threat Intelligence identified the campaign using MadPot, its global honeypot system running thousands of sensors across AWS. Amazon ran a retrospective search after Cisco’s March 4 advisory and found exploit attempts dating back to January 26. According to Amazon CISO CJ Moses, as reported by PrismNews, “observed activity involved HTTP requests to a specific path in the affected software,” with request bodies containing Java code execution attempts and two embedded URLs – one to deliver configuration data, one to confirm successful exploitation via an HTTP PUT callback.

Amazon went further: they simulated a compromised FMC to probe the attacker’s infrastructure. The honeypot received a malicious binary and revealed that Interlock’s ransomware depended on a single server with a poorly secured staging area. From this, researchers recovered the group’s full attack chain.

The Attack Chain

Initial access via CVE-2026-20131 was followed by a methodical compromise sequence. Interlock deployed PowerShell scripts to map compromised networks and collect system, user, and browser data. They established persistence using custom remote access trojans written in both JavaScript and Java, capable of command execution, file transfer, and data exfiltration over encrypted channels. To cover their tracks, attackers built proxy-based relay infrastructure to mask attack origins and wiped logs regularly.

The ransom note added a regulatory threat alongside the standard data encryption and leak pressure – explicitly warning victims of potential fines and compliance violations. It’s a tactic designed to amplify urgency in regulated industries.

Interlock has been active since late 2024, with confirmed victims including DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul, Minnesota. The group disrupted chemotherapy sessions and pre-surgery appointments at Kettering Health, and reportedly stole 43 GB of files from Saint Paul – enough to trigger a state of emergency.

The Broader Pattern

CVE-2026-20131 is the third Cisco vulnerability exploited as a zero-day since January 2026. The other two are CVE-2026-20127 in Cisco Catalyst SD-WAN Controller and CVE-2026-20045 in Cisco’s unified communications solutions.

CISA added CVE-2026-20131 to its Known Exploited Vulnerabilities catalog, flagging it as “known to be used in ransomware campaigns.” The federal patch deadline was March 22. Cisco’s March 4 update covered 48 CVEs in total; the patching procedure for FMC varies by software version.

What to Do

If you’re running Cisco Secure Firewall Management Center, you should already be patched. If you’re not, apply the March 4 update immediately. There are no compensating controls – no workaround, no config change, no rule that mitigates an unauthenticated root RCE at the deserialization layer.

If you patched after late January, it’s worth running a retrospective review. The attack chain involved log wiping, but proxy logs, network telemetry, and EDR data from managed endpoints may still show the reconnaissance phase that typically followed initial access.
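One concrete thing to hunt for comes from Amazon's description of the exploit: successful exploitation was confirmed to the attacker through an HTTP PUT callback from the compromised device. A management appliance rarely has a reason to PUT to arbitrary external hosts, so a retrospective pass over proxy logs for outbound PUT requests from the FMC management address to non-RFC 1918 destinations is a cheap first filter. The following is an added example written for this post, not a tool from Amazon, Cisco or CISA; the log layout (`timestamp src dst method url status`), the management IP and every sample line are constructed assumptions, and the destination addresses are RFC 5737 documentation ranges.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example of a retrospective proxy-log hunt; not an Amazon or Cisco tool.
public class OutboundPutHunt {

    // Assumed management address of the FMC appliance (constructed for the example).
    static final String FMC_MGMT_IP = "10.20.0.5";

    // Constructed sample lines in an assumed "timestamp src dst method url status" layout.
    static final String[] SAMPLE_PROXY_LOG = {
        "2026-01-27T03:14:08Z 10.20.0.5 198.51.100.10 GET http://198.51.100.10/updates/manifest 200",
        "2026-01-27T03:14:09Z 10.20.0.5 203.0.113.77 PUT http://203.0.113.77/c/done 200",
        "2026-01-27T09:02:41Z 10.20.0.5 10.20.0.9 PUT http://10.20.0.9/backup/export 200",
        "2026-01-27T09:05:12Z 10.20.0.31 203.0.113.77 PUT http://203.0.113.77/upload 201",
        "malformed line that the parser must skip",
    };

    static final Pattern LINE = Pattern.compile(
        "^(\\S+)\\s+(\\d{1,3}(?:\\.\\d{1,3}){3})\\s+(\\d{1,3}(?:\\.\\d{1,3}){3})\\s+([A-Z]+)\\s+(\\S+)\\s+(\\d{3})$");

    // RFC 1918 and loopback count as internal; anything else is treated as external.
    static boolean isInternal(String ip) {
        String[] o = ip.split("\\.");
        int a = Integer.parseInt(o[0]);
        int b = Integer.parseInt(o[1]);
        return a == 10 || a == 127 || (a == 172 && b >= 16 && b <= 31) || (a == 192 && b == 168);
    }

    // Flags HTTP PUT requests from the management host to an external destination.
    static List<String> findOutboundPuts(String[] lines, String mgmtIp) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) {
                continue; // unparseable line: skipped, never silently treated as benign traffic
            }
            String src = m.group(2), dst = m.group(3), method = m.group(4);
            if (src.equals(mgmtIp) && method.equals("PUT") && !isInternal(dst)) {
                hits.add(m.group(1) + " " + src + " -> " + dst + " " + m.group(5)
                        + " status=" + m.group(6));
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        List<String> hits = findOutboundPuts(SAMPLE_PROXY_LOG, FMC_MGMT_IP);
        System.out.println(hits.size() + " outbound PUT(s) from " + FMC_MGMT_IP + " to external hosts");
        for (String h : hits) {
            System.out.println("  " + h);
        }
    }
}
```

On the constructed sample, only the second line is reported: the GET is ignored, the PUT to an internal backup host is ignored, and the PUT from a different source address is ignored. Treat a hit as a lead, not a verdict: baseline the appliance's legitimate outbound PUTs (cloud integrations, licensing, update uploads) before calling anything anomalous, and pair this with EDR data from managed endpoints, since the attacker's own log wiping on the FMC does not reach the proxy or the endpoints it talks to.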

The pre-patch exploitation window is not unique to this CVE. It’s increasingly a baseline assumption with targeted ransomware groups. The perimeter device managing your security stack is a high-value target precisely because compromising it is quiet, persistent, and hard to detect from inside the environment it controls.