Critical Zero‑Day in Cisco Secure Firewall Management Center (CVE‑2026‑20131) Exploited by Interlock Ransomware
What It Is – A critical insecure-deserialization flaw (CVE-2026-20131) in the web-based management interface of Cisco Secure Firewall Management Center (FMC) lets an unauthenticated, remote attacker who can reach that interface submit crafted serialized data and execute arbitrary code as root on the FMC appliance.
Exploitability – The flaw was used as a zero-day by the Interlock ransomware gang for 36 days before Cisco's public disclosure and patch, and exploitation in the wild is confirmed. The CVSS v3.1 base score is estimated at 9.8 (Critical), the score that corresponds to an unauthenticated, network-reachable compromise with full impact on confidentiality, integrity and availability.
Affected Products – Cisco Secure Firewall Management Center (FMC), all releases prior to the March 2026 security update; the fixed release differs per release train, so confirm the exact version against Cisco's advisory rather than assuming a single cut-off.
TPRM Impact – A third-party risk management (TPRM) concern: FMC holds administrative control over every firewall it manages, so a compromised FMC lets an attacker alter firewall policy, move laterally, exfiltrate data and stage ransomware across the network. Organizations whose FMC is operated by an MSP or vendor inherit that exposure, and their own downstream customers and vendors inherit it in turn.
Recommended Actions –
- Apply Cisco's March 2026 fix for CVE-2026-20131 immediately; where patching must wait, restrict who can reach the management interface in the meantime.
- Keep the FMC web interface off the internet: allow access only from a dedicated management network or jump host, and enforce that boundary with network segmentation rather than relying on the appliance's own access controls.
- Enable multi-factor authentication and least privilege for FMC admin accounts. Note that these do not block this flaw, which needs no credentials; they limit what an attacker can do with credentials harvested after a compromise.
- Review FMC web-server logs for anomalous HTTP requests to the vulnerable endpoint named in Cisco's advisory, for unexpected PUT uploads, and for requests from source addresses outside the management network.
- Treat any FMC reachable during the exposure window as potentially compromised: run a rapid forensic review of the FMC itself and of every system that communicated with it, including the firewalls whose policy it pushes.
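The log review step above, as an added example that is not from the Help Net Security article or from Cisco: a small triage script that reads web-server access-log lines and flags the three things the list asks for, requests from outside the management network, PUT uploads, and requests carrying a Java serialized object in the URL. The log layout (Apache Combined Log Format), the management CIDR 10.20.0.0/24, the paths and the sample lines are all constructed assumptions; the serialized-object check is a generic Java-deserialization heuristic (the 0xACED0005 stream magic and its base64 form rO0AB), not a signature for this CVE, whose endpoint the summary does not name.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed management network: the only sources that should ever reach the FMC web UI.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Generic Java-serialization indicators seen in URLs and query strings: the stream
# magic 0xACED0005 in hex, URL-encoded, or base64 ("rO0AB", which is case-sensitive).
# A heuristic, not a signature for CVE-2026-20131, whose endpoint the summary omits.
SERIALIZED_JAVA = re.compile(r"rO0AB|(?i:aced0005|%AC%ED%00%05)")

# Assumed log layout: Apache Combined Log Format. Adjust for the real appliance logs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: a normal admin session, an upload from outside the
# management network, a URL carrying a base64 serialized object, an in-network PUT
# that still merits a look, and one line the parser cannot read.
SAMPLE_LOG = """\
10.20.0.15 - admin [03/Mar/2026:10:01:12 +0000] "GET /ui/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.20.0.15 - admin [03/Mar/2026:10:02:40 +0000] "POST /ui/policy/deploy HTTP/1.1" 200 844 "-" "Mozilla/5.0"
198.51.100.77 - - [03/Mar/2026:10:05:03 +0000] "PUT /api/upload HTTP/1.1" 200 112 "-" "python-requests/2.31"
203.0.113.9 - - [03/Mar/2026:10:09:51 +0000] "GET /ui/view?obj=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA HTTP/1.1" 500 0 "-" "python-requests/2.31"
10.20.0.31 - - [03/Mar/2026:11:14:07 +0000] "PUT /api/upload HTTP/1.1" 201 0 "-" "curl/8.4.0"
kernel: eth0 link up
"""


@dataclass
class Finding:
    ip: str
    method: str
    path: str
    status: int
    reasons: list = field(default_factory=list)


def in_management_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def triage_line(line: str):
    """Return a Finding for a suspicious line, None for a benign one.
    Raises ValueError when the line does not match LINE_RE."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(line)
    reasons = []
    if not in_management_net(m["ip"]):
        reasons.append("source outside management network")
    if m["method"] == "PUT":
        reasons.append("PUT upload to the management interface")
    if SERIALIZED_JAVA.search(m["path"]):
        reasons.append("possible Java serialized object in request")
    if not reasons:
        return None
    return Finding(m["ip"], m["method"], m["path"], int(m["status"]), reasons)


def triage(log_text: str):
    """Scan a whole log. Returns (findings, unparsed_lines); unparsed lines are
    kept rather than dropped, because a gap in the record is itself worth noting."""
    findings, unparsed = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            finding = triage_line(line)
        except ValueError:
            unparsed.append(line)
            continue
        if finding is not None:
            findings.append(finding)
    return findings, unparsed


if __name__ == "__main__":
    found, bad = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.ip:>15} {f.method:<4} {f.status} {f.path}  <- {'; '.join(f.reasons)}")
    print(f"{len(bad)} unparsed line(s)")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents and MANAGEMENT_NETS with your own ranges. The in-network PUT is reported deliberately: during a zero-day window a request that looks legitimate by source address can still be the attacker, so the script surfaces it and leaves the decision to the analyst instead of suppressing it.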
Source: Help Net Security