Critical Cisco FMC Zero‑Day (CVE‑2026‑20131) Exploited by Interlock Ransomware Group 36 Days Before Disclosure
What It Is – A remote‑code‑execution (RCE) flaw in Cisco Secure Firewall Management Center (FMC) and Cisco Security Cloud Control (SCC) allows an unauthenticated attacker to execute arbitrary Java code as root via insecure deserialization of attacker‑supplied Java objects. The vulnerability is tracked as CVE‑2026‑20131 and carries a CVSS score of 10.0, the maximum.
Exploitability – The Interlock ransomware group has been weaponising this zero‑day since 26 January 2026, i.e., 36 days before Cisco’s public advisory in early March 2026. Exploits have been observed in the wild, delivering the AI‑assisted Slopoly malware and ransomware payloads.
Affected Products –
- Cisco Secure Firewall Management Center (FMC) web interface
- Cisco Security Cloud Control (SCC) Firewall Management
TPRM (third‑party risk management) Impact – Organizations that rely on Cisco FMC for network security—especially managed‑service providers, healthcare systems, and universities—face a heightened supply‑chain risk. A successful exploit can give attackers unfettered control of the firewall management plane, enabling lateral movement, data exfiltration, and ransomware encryption across the enterprise network.
Recommended Actions –
- Deploy Cisco’s March 2026 patch for CVE‑2026‑20131 immediately.
- If patching is delayed, disable remote web management or restrict access to trusted IP ranges.
- Enforce multi‑factor authentication for all FMC admin accounts.
- Apply IDS/IPS signatures that detect the crafted Java serialized object used in the exploit.
- Monitor for known Slopoly IOCs and ransomware activity linked to Interlock.
- Conduct a rapid audit of FMC configurations across all third‑party environments and verify segmentation of management traffic.
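As an added illustration of the signature‑style detection the actions above call for (it is not code from the advisory, from Cisco, or from any IDS vendor), this Python snippet flags HTTP requests whose body or headers carry a Java serialization stream header, either raw or base64‑encoded; the request paths and sample payloads are constructed placeholders.

```python
import base64
import re
from typing import Optional

# Every Java serialization stream starts with STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# Base64 of that header always begins "rO0AB"; the decode below confirms the 4th byte.
B64_MAGIC_RE = re.compile(rb"rO0AB[A-Za-z0-9+/]{7,}")

def find_java_serialized(data: bytes) -> Optional[str]:
    """Return 'raw', 'base64', or None depending on how the stream header appears."""
    if JAVA_STREAM_MAGIC in data:
        return "raw"
    match = B64_MAGIC_RE.search(data)
    if match is None:
        return None
    token = match.group(0)
    token = token[: len(token) // 4 * 4]  # decode whole base64 quads only
    try:
        decoded = base64.b64decode(token)
    except ValueError:
        return None
    return "base64" if decoded.startswith(JAVA_STREAM_MAGIC) else None

def scan_request(req: dict) -> Optional[dict]:
    """Check a parsed HTTP request (path, headers, body) for a serialized Java object."""
    hits = []
    kind = find_java_serialized(req["body"])
    if kind:
        hits.append(("body", kind))
    for name, value in req["headers"].items():
        kind = find_java_serialized(value.encode("latin-1"))
        if kind:
            hits.append((f"header:{name}", kind))
    return {"path": req["path"], "hits": hits} if hits else None

# Constructed sample traffic; "/mgmt/api/..." paths are placeholders, not real FMC endpoints.
SAMPLE_REQUESTS = [
    {"path": "/mgmt/api/login", "headers": {"Content-Type": "application/json"},
     "body": b'{"user": "admin"}'},
    {"path": "/mgmt/api/objects", "headers": {"Content-Type": "application/octet-stream"},
     "body": JAVA_STREAM_MAGIC + b"sr\x00\x05Dummy"},  # TC_OBJECT, TC_CLASSDESC, "Dummy"
    {"path": "/mgmt/api/session", "body": b"", "headers": {"Cookie": "sid="
     + base64.b64encode(JAVA_STREAM_MAGIC + b"sr\x00\x05Dummy").decode()}},
]

def scan_all(requests=SAMPLE_REQUESTS) -> list:
    """Return one alert per request that carries a serialized Java object, in order."""
    return [alert for alert in map(scan_request, requests) if alert]
```

A header match alone is not proof of exploitation, since legitimate Java clients also send serialized objects; the value is in alerting on such payloads reaching an unauthenticated management endpoint from outside the trusted IP ranges.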