Interlock Ransomware Exploiting Maximum-Severity Cisco Firewall Zero-Day
The Interlock ransomware gang has been actively exploiting a maximum-severity remote code execution (RCE) vulnerability in Cisco Secure Firewall Management Center (FMC) software since late January 2026 — operating as a zero-day for weeks before the flaw was publicly disclosed. The attacks were reported on March 18, 2026 by BleepingComputer and The Hacker News, with the underlying threat intelligence credited to Amazon Threat Intelligence.
The vulnerability, tracked as CVE-2026-20131 with a CVSS score of 10.0, is caused by insecure deserialization in Cisco's FMC web interface. Because the vulnerable endpoint requires no authentication, remote attackers can send a maliciously crafted serialized object over the network and achieve unauthenticated root-level code execution on the FMC appliance — the system responsible for centrally managing Cisco firewalls, intrusion prevention systems, and network security policies across an organization.
Incident Details
| Attribute | Value |
|---|---|
| Threat Actor | Interlock |
| CVE | CVE-2026-20131 |
| CVSS Score | 10.0 (Critical) |
| Vulnerability Type | Insecure Deserialization |
| Target Software | Cisco Secure Firewall Management Center (FMC) |
| Attack Type | Unauthenticated Remote Code Execution |
| Privilege Level Achieved | Root |
| Operation Model | Double extortion (exfiltrate + encrypt + leak) |
| Exploitation Started | Late January 2026 (zero-day) |
| Publicly Disclosed | March 2026 |
| Patch Availability | Available — update immediately |
The Vulnerability: CVE-2026-20131
CVE-2026-20131 is a critical flaw in the web-based management interface of Cisco Secure Firewall Management Center. The vulnerability stems from improper handling of serialized Java objects submitted by unauthenticated users.
How the Exploit Works
1. Attacker identifies a Cisco FMC instance reachable over the network
2. Attacker crafts a malicious serialized Java object payload
3. Attacker sends the payload to the vulnerable FMC endpoint, with no credentials or authentication token required
4. The FMC deserializes the object without validation
5. Deserialization triggers arbitrary code execution as root
6. Attacker has full, unauthenticated root access to the FMC appliance
Why This Is Catastrophic
Cisco Secure Firewall Management Center is not a typical application server. It is the central management plane for an organization's network security infrastructure. Compromising the FMC gives an attacker:
| Access Gained | Impact |
|---|---|
| Full FMC administrative control | Modify or disable all managed firewall policies |
| Access to all connected firewall credentials | Lateral movement to firewalls, IPS devices, and managed endpoints |
| Complete firewall policy visibility | Map the organization's internal network topology |
| Policy modification capability | Create firewall rules to permit attacker traffic; disable security controls |
| Managed device access | Potential pivot to every Cisco security device managed by the FMC |
An attacker with root on the FMC can effectively blind an organization's network security team while freely moving through the environment.
Interlock Ransomware: Threat Actor Profile
Interlock is a ransomware-as-a-service (RaaS) operation that emerged in late 2024. The group operates a double-extortion model — exfiltrating sensitive data before encrypting systems, then threatening victims with public exposure on their Tor-based leak site if ransom demands are not met.
| Attribute | Value |
|---|---|
| Operation Model | Double extortion (RaaS) |
| Targeted Sectors | Healthcare, Finance, Manufacturing, Critical Infrastructure, Government |
| Target Geography | North America, Europe |
| Known TTPs | Phishing, VPN exploitation, credential abuse, living-off-the-land techniques (LOLBins) |
| Data Leak Site | Active on Tor network |
| Notable History | Previously exploited other zero-days in network appliances |
Interlock's decision to weaponize a zero-day in Cisco FMC — high-value, high-privilege infrastructure — represents a significant escalation in capability and intent. Organizations using Cisco FMC are now a primary target of a sophisticated, financially motivated threat actor.
Timeline of Exploitation
| Date | Event |
|---|---|
| Late January 2026 | Interlock begins zero-day exploitation of CVE-2026-20131 |
| January–March 2026 | Exploitation continues silently; victims unaware |
| March 2026 | Cisco issues patch and advisory |
| March 18, 2026 | BleepingComputer and The Hacker News report active exploitation |
The two-month zero-day exploitation window means organizations that have not patched may already be compromised. Incident response — not just patching — is warranted.
Impact Assessment
| Impact Area | Description |
|---|---|
| Network Security Posture | FMC compromise enables modification or disabling of all managed firewall policies |
| Data Exfiltration | Double-extortion model means data is stolen before encryption |
| Operational Disruption | Ransomware encryption of systems following reconnaissance |
| Regulatory Exposure | Healthcare and financial sector victims face breach notification obligations |
| Incident Scope | Any organization using Cisco FMC should assume potential compromise since January 2026 |
Detection Guidance
Indicators of Compromise
Network-level:
- Unexpected outbound connections from the FMC appliance
- HTTP requests to FMC endpoints carrying serialized Java objects (`Content-Type: application/x-java-serialized-object`, or a request body that begins with the Java serialization stream header `AC ED 00 05`, which appears as the prefix `rO0AB` when base64-encoded)
- Unusual authentication events on the FMC management interface
Host-level (FMC appliance):
- Unexpected processes running as root that are not part of normal FMC operation
- New user accounts created on the FMC
- Changes to firewall policy configurations not correlated with authorized change requests
- Suspicious cron jobs or persistence mechanisms
Ransomware deployment indicators:
- Unusual file encryption activity across managed hosts
- Communications to known Interlock Tor infrastructure
- Data staging activity prior to encryption (large compressed archives, abnormal network exfiltration)
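The network-level indicators above reduce to a small set of byte-pattern checks on inbound HTTP requests. The following is an added example, not Cisco's code or a published signature: it parses raw HTTP requests, flags those that declare the `application/x-java-serialized-object` MIME type or that carry the Java serialization stream header (`AC ED 00 05`, or its base64 form `rO0AB`, or its hex form `aced0005`) in the body, and returns the reasons. The request samples, host name and URL paths are constructed for illustration; the page does not name the vulnerable FMC endpoint, so the check deliberately does not key on a path.

```python
"""Flag inbound HTTP requests that carry a Java serialized object.

Added example for the IoCs discussed on this page; not Cisco's code and not a
vendor signature. Sample requests, host name and paths below are constructed.
The checks rest on two documented facts: the MIME type
application/x-java-serialized-object, and the Java serialization stream
header 0xAC 0xED 0x00 0x05 (base64 prefix "rO0AB", hex "aced0005").
"""
from typing import Dict, List, Tuple

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
JAVA_STREAM_MAGIC_B64 = b"rO0AB"      # base64 of the four magic bytes
JAVA_STREAM_MAGIC_HEX = b"aced0005"   # hex of the four magic bytes
JAVA_MIME = b"application/x-java-serialized-object"


def parse_request(raw: bytes) -> Tuple[str, Dict[str, bytes], bytes]:
    """Split a raw HTTP/1.1 request into (request line, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers: Dict[str, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip()
    return request_line, headers, body


def java_deser_indicators(raw: bytes) -> List[str]:
    """Return the list of reasons this request looks like a Java object payload."""
    _, headers, body = parse_request(raw)
    reasons: List[str] = []
    if JAVA_MIME in headers.get("content-type", b"").lower():
        reasons.append("Content-Type declares a Java serialized object")
    if body.startswith(JAVA_STREAM_MAGIC):
        reasons.append("body begins with Java serialization magic AC ED 00 05")
    # Encoded carriers: a base64 string inside JSON or a form field survives
    # URL-encoding for its first characters, so the prefix still matches.
    if JAVA_STREAM_MAGIC_B64 in body:
        reasons.append("body contains base64-encoded Java stream header (rO0AB)")
    if JAVA_STREAM_MAGIC_HEX in body.lower():
        reasons.append("body contains hex-encoded Java stream header (aced0005)")
    return reasons


def scan(requests: List[bytes]) -> List[Dict[str, object]]:
    """Run the indicators over a batch of requests; keep only those that fired."""
    findings = []
    for raw in requests:
        reasons = java_deser_indicators(raw)
        if reasons:
            findings.append({"request": parse_request(raw)[0], "reasons": reasons})
    return findings


# Constructed sample traffic (host and paths are placeholders, not FMC routes).
SAMPLE_REQUESTS: List[bytes] = [
    # 0: ordinary form login, should not fire
    b"POST /login HTTP/1.1\r\nHost: fmc.example.internal\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"username=admin&password=hunter2",
    # 1: raw serialized object with the tell-tale MIME type
    b"POST /api/endpoint HTTP/1.1\r\nHost: fmc.example.internal\r\n"
    b"Content-Type: application/x-java-serialized-object\r\n\r\n"
    + JAVA_STREAM_MAGIC + b"sr\x00\x11java.util.HashMap",
    # 2: base64 carrier inside a JSON field
    b"POST /api/upload HTTP/1.1\r\nHost: fmc.example.internal\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"blob": "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDR"}',
    # 3: hex carrier inside a form field
    b"POST /api/import HTTP/1.1\r\nHost: fmc.example.internal\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"data=ACED00057372001",
    # 4: plain GET with no body
    b"GET /ui/login HTTP/1.1\r\nHost: fmc.example.internal\r\n\r\n",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit["request"], "->", "; ".join(hit["reasons"]))
```

The same byte patterns translate directly into an IDS rule (for example a Suricata `content:"|ac ed 00 05|";` match on HTTP request bodies). In production, scope the rule to the FMC's address and the management port to keep the base64 and hex prefixes from firing on unrelated traffic, and treat any hit on an FMC as an incident trigger rather than a tuning note.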
Recommended Detection Rules
RULE: Alert on any process spawned as root by the FMC web application
RULE: Alert on unexpected FMC configuration changes not in the change management system
RULE: Alert on inbound serialized Java object payloads to FMC endpoints
RULE: Alert on new administrative accounts created on FMC outside the provisioning workflow
Immediate Response Actions
Priority 1: Patch Immediately
Apply the Cisco patch for CVE-2026-20131 immediately. This is a CVSS 10.0 actively exploited vulnerability — delay is not acceptable.
- Obtain the patch from Cisco's security advisory page
- Schedule an emergency change window if needed — this cannot wait for normal patching cycles
- Apply to all FMC instances across the environment
Priority 2: Assume Compromise — Initiate Incident Response
Because exploitation has been ongoing since January 2026, organizations should not simply patch and move on. Initiate incident response procedures:
- Preserve FMC logs before patching — logs may be wiped by attackers or during patching
- Audit all FMC admin accounts — identify any unauthorized accounts
- Review firewall policy changes — look for rules added or modified since January 2026 that were not authorized
- Check for persistence mechanisms — review cron jobs, startup scripts, and installed packages on the FMC
- Threat hunt across managed devices — look for lateral movement to firewalls and connected infrastructure
Priority 3: Network Isolation
```bash
# While patching is in progress, restrict the FMC web interface (TCP 443)
# to the management VLAN and block all other access.
# Example only: adjust interface, ports and CIDR for your environment, and
# prefer enforcing the same restriction upstream of the appliance as well.
# Insert the DROP first: each -I prepends to the chain, so the ACCEPT inserted
# afterwards sits above the DROP and is evaluated first.
iptables -I INPUT -p tcp --dport 443 -j DROP
iptables -I INPUT -p tcp --dport 443 -s <MGMT_VLAN_CIDR> -j ACCEPT
```
Key Takeaways
- CVE-2026-20131 is CVSS 10.0 and has been actively exploited since January 2026 — this is a maximum-severity, actively exploited zero-day requiring immediate patching
- Interlock ransomware chose Cisco FMC as a target because compromising it gives near-total control over an organization's network security posture
- Two months of silent exploitation means organizations should treat this as a potential compromise event, not just a patching exercise
- Double extortion means even if ransomware is not deployed, stolen data may still be weaponized
- Organizations using Cisco FMC that have not patched should initiate incident response procedures in parallel with applying the patch
- This attack underscores the risk of exposing network management plane interfaces — FMC should never be reachable from untrusted networks