Critical Zero‑Day Exploit (CVE‑2026‑20131) in Cisco Secure Firewall Management Center (FMC) Leveraged by Interlock Ransomware
What It Is – A newly disclosed Cisco Secure Firewall Management Center (FMC) vulnerability (CVE‑2026‑20131) allows unauthenticated remote code execution via insecure Java deserialization. The flaw carries the maximum CVSS v3.1 base score of 10.0.
Exploitability – Active exploitation has been confirmed by Amazon Threat Intelligence. The Interlock ransomware group is using a publicly available exploit chain to gain root access on FMC appliances and then deploy ransomware payloads. No public PoC beyond the ransomware campaign has been released.
Affected Products – Cisco Secure Firewall Management Center (FMC) 7.x and later (on‑prem and virtual appliances).
TPRM Impact – Organizations that rely on Cisco FMC—direct customers, managed‑service providers, and any downstream partners that inherit firewall policies—face a supply‑chain risk. A successful compromise can lead to network‑control hijacking, ransomware encryption of management data, and lateral movement into connected environments.
Recommended Actions –
- Deploy Cisco’s emergency patch for CVE‑2026‑20131 immediately.
- If patching cannot be done within 48 h, apply the vendor‑provided mitigation: disable Java deserialization endpoints and restrict FMC management access to trusted IP ranges.
- Intensify endpoint and network monitoring for anomalous FMC traffic and ransomware indicators.
- Review and test ransomware incident‑response playbooks, ensuring backups of FMC configuration are isolated and immutable.
- Communicate the risk to any third‑party MSPs or MSSPs that manage your firewalls.
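The flaw class named under What It Is and the mitigation under Recommended Actions (disable Java deserialization endpoints) both come down to the same coding pattern. The following is an added example and is not Cisco's code, nor is it taken from the advisory or from The Hacker News article; every class and method name in it is hypothetical. A constructed message type, PolicyUpdate, stands in for whatever object a management endpoint legitimately exchanges. It is read once with an unfiltered ObjectInputStream (the vulnerable pattern, in which the incoming bytes decide which serializable classes on the classpath get instantiated) and once behind a JEP 290 ObjectInputFilter allow‑list that rejects every class not explicitly named.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class DeserializationDemo {

    // Hypothetical message type the management endpoint legitimately exchanges
    // (constructed for this example; not an FMC type).
    public static final class PolicyUpdate implements Serializable {
        private static final long serialVersionUID = 1L;
        final String policyName;
        final int revision;

        PolicyUpdate(String policyName, int revision) {
            this.policyName = policyName;
            this.revision = revision;
        }
    }

    // Standard Java serialization; stands in for bytes arriving from the network.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // VULNERABLE PATTERN: no filter, so the stream decides which classes are instantiated.
    // Any serializable class on the classpath (and its readObject logic) is reachable
    // from untrusted bytes; this is the defect class the advisory describes.
    static Object readUnfiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return ois.readObject();
        }
    }

    // HARDENED PATTERN: JEP 290 allow-list (Java 9+). Patterns are evaluated in order;
    // the trailing "!*" rejects every class not named before it, and maxdepth bounds
    // how deep a nested object graph may go.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "DeserializationDemo$PolicyUpdate;java.lang.String;maxdepth=4;!*");

    static PolicyUpdate readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            // The cast alone is NOT a defence: by the time it runs the object is already constructed.
            return (PolicyUpdate) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new PolicyUpdate("edge-fw-policy", 7));
        HashMap<String, String> notAPolicy = new HashMap<>();
        notAPolicy.put("k", "v");
        byte[] unexpected = serialize(notAPolicy);

        PolicyUpdate p = readFiltered(expected);
        System.out.println("filtered, expected type accepted: " + p.policyName + " rev " + p.revision);

        Object o = readUnfiltered(unexpected);
        System.out.println("unfiltered, unexpected type instantiated: " + o.getClass().getName());

        try {
            readFiltered(unexpected);
            System.out.println("filtered: unexpected type accepted (should not happen)");
        } catch (InvalidClassException e) {
            // The filter fires before the object exists, so no constructor or readObject runs.
            System.out.println("filtered, unexpected type rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo` on Java 9 or later. Where an endpoint cannot simply be disabled, a filter of this shape (or the equivalent `jdk.serialFilter` system property) is the minimum a defender can apply; the point to check in any review of a deserialization endpoint is whether the set of accepted classes is closed, which is what the terminal `!*` pattern provides.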
Source: The Hacker News – Interlock ransomware exploits Cisco FMC zero‑day