
Interlock Ransomware Exploits Cisco Secure FMC Zero‑Day (CVE‑2026‑20131) Across Healthcare, Education, and Municipal Networks

The Interlock ransomware group leveraged an unauthenticated RCE flaw in Cisco Secure Firewall Management Center (CVE‑2026‑20131) for over a month, compromising hospitals, universities, and a city government before a patch was released. Third‑party risk managers must verify remediation and reassess firewall‑dependent supply chains.

🛡️ LiveThreat™ Intelligence · 📅 March 19, 2026 · 📰 bleepingcomputer.com

Severity: High
Type: Ransomware
Confidence: High
Affected: 3 sector(s)
Actions: 3 recommended
Source: bleepingcomputer.com

Interlock Ransomware Exploits Cisco Secure FMC Zero‑Day (CVE‑2026‑20131) to Target Health, Education, and Municipal Networks

What Happened — The Interlock ransomware gang leveraged an unauthenticated remote‑code‑execution flaw (CVE‑2026‑20131) in Cisco Secure Firewall Management Center (FMC) for over a month before the vendor issued a patch on 4 Mar 2026. The zero‑day enabled the group to install ransomware payloads such as Slopoly and NodeSnake on victims ranging from U.S. hospitals to universities and a city government.

Why It Matters for TPRM

  • A zero‑day in a core network security product can bypass traditional perimeter defenses, exposing downstream third‑party data.
  • Ransomware operators are now using generative‑AI‑crafted malware, raising the bar for detection and response.
  • Multiple high‑value sectors (healthcare, education, municipal) rely on Cisco FMC, so any supply‑chain exposure must be reassessed.

Who Is Affected — Healthcare providers, higher‑education institutions, municipal IT environments, and any organization that deploys Cisco Secure FMC.

Recommended Actions

  • Verify that all Cisco Secure FMC instances are patched to the March 4, 2026 release.
  • Conduct a rapid inventory of any third‑party services that depend on FMC for firewall management.
  • Review ransomware response playbooks and ensure backups are isolated from network‑connected storage.

Technical Notes — The vulnerability is a maximum‑severity RCE in the web interface, allowing unauthenticated attackers to execute arbitrary Java code as root. Exploitation was observed 36 days before public disclosure. Malware families observed include NodeSnake (remote‑access trojan) and Slopoly (AI‑generated ransomware). Source: BleepingComputer
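The first recommended action (verify every FMC instance is on the fixed release) is easy to get wrong when versions are compared as strings. The script below is an added example, not code from the brief, from BleepingComputer, or from Cisco. It parses the version string each FMC reports and compares it numerically against a fixed version, then derives the earliest date to start log review from the 36‑day figure above. Assumptions to note: the brief does not state the fixed version number, so FIXED_VERSION is a placeholder to replace from Cisco's advisory; the JSON shape is what the FMC REST API's `/api/fmc_platform/v1/info/serverversion` endpoint returns in my experience, so treat it as an assumption; the hostnames and versions are constructed; and the exposure‑window calculation assumes public disclosure coincided with the March 4 patch.

```python
"""Flag Cisco Secure FMC instances still below the fixed build.

Added example (not from the brief, BleepingComputer, or Cisco).
"""
import json
import re
from datetime import date, timedelta

# PLACEHOLDER: the brief does not give the fixed version. Replace with the
# value from Cisco's advisory for your release train before relying on this.
FIXED_VERSION = "7.9.9"

# Facts taken from the brief: patch released 4 Mar 2026; exploitation was
# observed 36 days before public disclosure.
PATCH_DATE = date(2026, 3, 4)
DAYS_EXPLOITED_BEFORE_DISCLOSURE = 36

# Constructed sample responses. The shape ({"items":[{"serverVersion": ...}]})
# is an assumption about the serverversion endpoint; hosts/versions are made up.
SAMPLE_RESPONSES = {
    "fmc-hospital-01.example": '{"items":[{"serverVersion":"7.9.9 (build 12)","type":"ServerVersion"}]}',
    "fmc-univ-02.example": '{"items":[{"serverVersion":"7.4.2 (build 25)","type":"ServerVersion"}]}',
    "fmc-city-03.example": '{"items":[{"serverVersion":"7.10.0 (build 3)","type":"ServerVersion"}]}',
}


def parse_version(text):
    """Turn '7.4.2 (build 25)' into the tuple (7, 4, 2); build suffix is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable FMC version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(reported, fixed=FIXED_VERSION):
    """Numeric comparison so 7.10.0 sorts above 7.9.9 (a string compare would not)."""
    a, b = parse_version(reported), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def reported_version(response_json):
    """Extract serverVersion from a serverversion API response body."""
    items = json.loads(response_json).get("items", [])
    if not items or "serverVersion" not in items[0]:
        raise ValueError("response carries no serverVersion item")
    return items[0]["serverVersion"]


def unpatched_hosts(responses, fixed=FIXED_VERSION):
    """Return the sorted hostnames whose FMC reports a version below `fixed`."""
    return sorted(
        host for host, body in responses.items()
        if not is_patched(reported_version(body), fixed)
    )


def exposure_window_start():
    """Earliest date to review FMC and firewall logs from, assuming disclosure
    and patch fell on the same day (an assumption, not stated by the brief)."""
    return PATCH_DATE - timedelta(days=DAYS_EXPLOITED_BEFORE_DISCLOSURE)


if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_RESPONSES):
        print(f"UNPATCHED: {host} reports {reported_version(SAMPLE_RESPONSES[host])}")
    print(f"Review logs back to at least {exposure_window_start().isoformat()}")
```

In practice the response bodies come from an authenticated GET against each FMC's REST API; the comparison and window logic stay the same. Feed the unpatched list to the second action (the third‑party dependency inventory) so vendors managing firewalls through an unpatched FMC are reassessed first.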

📰 Original Source
https://www.bleepingcomputer.com/news/security/interlock-ransomware-exploited-secure-fmc-flaw-in-zero-day-attacks-since-january/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
