Cisco Firewall Zero-Day Weaponized by Interlock Ransomware Since January
Amazon threat intelligence teams have identified a sophisticated ransomware campaign by the Interlock group that exploited a maximum-severity zero-day vulnerability in Cisco Firepower Management Center (FMC) for 36 days before Cisco publicly disclosed and patched the flaw. Tracked as CVE-2026-20131 with a CVSS score of 10.0, the vulnerability allows unauthenticated remote attackers to bypass authentication and execute arbitrary Java code as root.
| Attribute | Value |
|---|---|
| CVE | CVE-2026-20131 |
| CVSS Score | 10.0 (Maximum Severity) |
| Type | Insecure Deserialization → Authentication Bypass → RCE as Root |
| Affected Product | Cisco Firepower Management Center (FMC) |
| Zero-Day Exploitation Start | January 26, 2026 |
| Vendor Disclosure | March 4, 2026 |
| Exploitation Window | 36+ days before patch |
| Threat Actor | Interlock Ransomware Group |
| Suspected Time Zone | UTC+3 |
How the Attack Works
The attack chain begins with crafted HTTP requests sent to a specific path in the FMC software, exploiting insecure deserialization of user-supplied Java byte streams. This allows the attacker to:
- Bypass authentication entirely — no credentials required
- Execute arbitrary Java code as root on the FMC appliance
- Issue an HTTP PUT request to an external server to confirm successful exploitation
- Fetch an ELF binary from a remote server hosting additional Interlock tools
Post-Exploitation and Ransomware Deployment
Once inside, Interlock operators deploy ScreenConnect for persistent remote access and leverage the compromised firewall management console to move laterally across the victim's network. The group has claimed responsibility for attacks on DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul, Minnesota.
| Impact Area | Description |
|---|---|
| Network Perimeter Breach | Firewall management consoles provide direct access to network infrastructure |
| Root-Level Access | Full control of the FMC appliance, including firewall rules and configurations |
| Lateral Movement | ScreenConnect deployments enable persistent access across the network |
| Ransomware Deployment | Full encryption and data exfiltration following initial compromise |
| Healthcare Targeting | DaVita and Kettering Health among confirmed victims |
Recommendations
For Cisco FMC Operators
- Apply Cisco's patch immediately — the vulnerability has been actively exploited since January
- Conduct a forensic review of FMC access logs from January 26 onward
- Review ScreenConnect deployments for unauthorized installations
- Audit firewall rule changes for unauthorized modifications
For Security Teams
- Implement defense-in-depth strategies — do not rely solely on perimeter firewalls
- Monitor for unusual outbound HTTP PUT requests from FMC appliances
- Restrict management interface access to trusted networks only
- Enable MFA on all firewall management consoles
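One way to act on the outbound HTTP PUT recommendation above, as an added example that is not from the article, Amazon or Cisco: it scans constructed, proxy-style egress log lines and reports any HTTP PUT an FMC appliance sends to a destination outside the RFC 1918 ranges. The FMC addresses, the log line format and the sample addresses are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Assumption: management addresses of the FMC appliances whose egress is being reviewed.
FMC_APPLIANCES = {"10.20.0.5", "10.20.0.6"}
# RFC 1918 ranges; any other destination is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed egress-proxy line format: "<ts> src=<ip> dst=<ip> method=<verb> url=<path> status=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) "
    r"url=(?P<url>\S+) status=(?P<status>\d+)$"
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into named fields; None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_external(ip: str) -> bool:
    """True when the address lies outside the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_fmc_outbound_puts(lines: List[str]) -> List[Dict[str, str]]:
    """Entries where an FMC appliance sent an HTTP PUT to an external host.
    Internal PUTs, non-FMC sources and malformed lines are ignored."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] not in FMC_APPLIANCES:
            continue
        if rec["method"].upper() == "PUT" and is_external(rec["dst"]):
            hits.append(rec)
    return hits

# Constructed sample lines, not real telemetry; 203.0.113.x and 198.51.100.x are
# documentation addresses standing in for attacker-controlled hosts.
SAMPLE_LOG = [
    "2026-02-03T10:14:07Z src=10.20.0.5 dst=10.20.0.40 method=PUT url=/api/backup status=200",
    "2026-02-03T10:15:22Z src=10.20.0.5 dst=203.0.113.10 method=GET url=/ status=200",
    "2026-02-03T10:15:59Z src=10.20.0.5 dst=203.0.113.10 method=PUT url=/x status=200",
    "2026-02-03T10:16:03Z src=10.20.0.77 dst=203.0.113.10 method=PUT url=/x status=200",
    "this line is malformed and is skipped",
    "2026-02-03T10:20:41Z src=10.20.0.6 dst=198.51.100.7 method=put url=/beacon status=204",
]
```

Calling `find_fmc_outbound_puts(SAMPLE_LOG)` returns the two PUTs from FMC appliances to external hosts; the internal backup PUT and the PUT from a non-FMC host are left out.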
Key Takeaways
- CVE-2026-20131 is a CVSS 10.0 insecure deserialization flaw in Cisco FMC allowing unauthenticated root-level RCE
- Interlock ransomware exploited it as a zero-day for 36 days before Cisco's March 4 disclosure
- Amazon threat intelligence first identified the campaign targeting enterprise firewalls
- Confirmed victims include healthcare organizations and government entities
- Post-exploitation involves ScreenConnect deployment for persistent access
- Organizations should patch immediately and audit FMC logs back to January 26, 2026
Sources
- Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access — The Hacker News
- Amazon Threat Intelligence Teams Identify Interlock Ransomware Campaign — AWS
- Interlock Ransomware Exploited Cisco FMC Flaw in Zero-Day Attacks Since January — BleepingComputer
- Cisco Firewall Vulnerability Exploited as Zero-Day in Interlock Ransomware Attacks — SecurityWeek
- Interlock Group Exploiting Cisco FMC Flaw 36 Days Before Disclosure — Security Affairs