Critical Remote Code Execution in Cisco Secure Firewall Management Center (CVE‑2026‑20131) Exploited by Interlock Ransomware
What It Is – A critical unauthenticated remote code execution (RCE) flaw in the web‑based management interface of Cisco Secure Firewall Management Center (FMC) and Cisco Security Cloud Control (SCC). The vulnerability (CVE‑2026‑20131) stems from insecure Java deserialization, allowing an attacker to execute arbitrary Java code as root on the appliance.
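The flaw class named above, insecure Java deserialization, comes down to an `ObjectInputStream` that reconstructs whatever object graph an unauthenticated client sends it. The following is an added illustration, not code from Cisco, from the advisory, or from the FMC/SCC code base: a minimal service-side read with no filter, beside the same read guarded by a JDK 9+ `ObjectInputFilter` allow-list (JEP 290). The `SessionToken` type and the filter pattern are assumptions made up for the demo; it shows the defensive pattern only.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Hypothetical type the service legitimately expects from clients (assumption for the demo).
final class SessionToken implements Serializable {
    private static final long serialVersionUID = 1L;
    final String user;
    SessionToken(String user) { this.user = user; }
}

public class DeserializationFilterDemo {

    // Vulnerable pattern: deserialize whatever the client sent, no class restriction.
    // Any serializable class reachable on the server classpath is instantiated here.
    static Object unsafeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Hardened pattern (JDK 9+): an allow-list filter that names the expected classes,
    // rejects everything else ("!*"), and caps graph depth and stream size.
    static Object filteredRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "SessionToken;java.lang.String;!*;maxdepth=3;maxbytes=4096");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(filter);
            return in.readObject(); // throws InvalidClassException on a rejected class
        }
    }

    // Helper to produce the byte stream a client would send (constructed sample input).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new SessionToken("alice"));
        // A benign but unexpected class stands in for any unexpected input.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unsafe, expected class:   " + unsafeRead(expected).getClass().getName());
        System.out.println("unsafe, unexpected class: " + unsafeRead(unexpected).getClass().getName());
        System.out.println("filtered, expected class: " + filteredRead(expected).getClass().getName());
        try {
            filteredRead(unexpected);
            System.out.println("filtered, unexpected class: ACCEPTED (filter misconfigured)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected class: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The unfiltered read happily returns a `HashMap` it was never meant to receive; the filtered read refuses it before any constructor or `readObject` logic of the unexpected class runs. In a real deployment the same filter is usually installed process-wide with the `jdk.serialFilter` system property rather than per stream, and the allow-list should be reviewed whenever the wire protocol changes.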
Exploitability – Actively exploited in the wild since January 2026 by the Interlock ransomware group. Amazon researchers observed exploitation 36 days before public disclosure. CVSS v3.1 base score 10.0 (Critical).
Affected Products – Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management appliances (various hardware and virtual editions).
TPRM Impact –
- Any third party that relies on Cisco FMC/SCC for perimeter security inherits the same exposure, creating a supply‑chain risk.
- Compromise of the management plane can lead to lateral movement into downstream networks, jeopardizing data confidentiality and service availability for customers.
Recommended Actions –
- Verify that the Cisco security advisory (March 2026) has been applied; patch all FMC and SCC instances to the latest firmware.
- Conduct an immediate inventory of all Cisco firewall management assets across your vendor ecosystem.
- Block inbound traffic to the FMC/SCC web interface from untrusted networks until patches are confirmed.
- Check the remediation deadline for this CVE in CISA’s Known Exploited Vulnerabilities (KEV) catalog (BOD 22‑01) and document remediation status for audit purposes.
- Monitor for Indicators of Compromise (IoCs) associated with the Interlock ransomware group (e.g., C2 domains, the “Slopoly” malware family).
Source: Security Affairs