Cisco FMC flaw was exploited by Interlock weeks before patch (CVE-2026-20131)

By primereports, March 20, 2026

A critical vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center (FMC) that Cisco disclosed and patched in early March 2026 has been exploited as a zero-day by the Interlock ransomware gang, Amazon CISO and VP of Security Engineering CJ Moses revealed.

“Our research [using Amazon’s MadPot system of honeypots] found that Interlock was exploiting this vulnerability 36 days before its public disclosure, beginning January 26, 2026,” he said on Wednesday.

CVE-2026-20131 exploited as zero-day for weeks

Cisco Secure Firewall Management Center is used by organizations to centrally manage Cisco Secure Firewall devices.

CVE-2026-20131 affects the FMC web-based management interface and stems from insecure deserialization of a user-supplied Java byte stream.

The vulnerability can be exploited by unauthenticated, remote attackers by sending a crafted serialized Java object to the management interface of a vulnerable device, and can lead to code execution and privilege escalation (to root).

Cisco was made aware of CVE-2026-20131 after a member of its Advanced Security Initiatives Group found it during internal security testing. Unfortunately, it seems that Interlock found it before that.

“Amazon threat intelligence identified threat activity potentially related to CVE-2026-20131 beginning January 26, 2026, predating the public disclosure. Observed activity involved HTTP requests to a specific path in the affected software,” Moses shared.

“Request bodies contained Java code execution attempts and two embedded URLs: one used to deliver configuration data supporting the exploit, and another designed to confirm successful exploitation by causing a vulnerable target to perform an HTTP PUT request and upload a generated file.”
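The exploitation pattern described above has two observable halves: an unauthenticated request to the management interface carrying a serialized Java object (a Java serialization stream always starts with the magic bytes `AC ED 00 05`, or with `rO0AB` once Base64-encoded) together with embedded URLs, and then the appliance itself making an outbound HTTP PUT to upload a file. The following detection helpers, added here as an illustration and not code from Amazon, Cisco or the article, check both halves over constructed sample records. The article does not publish the request path the attackers used, so the path filter is a labelled placeholder; all IP addresses, hostnames and request bodies are constructed.

```python
"""Detection helpers for the two halves of the exploitation pattern described
in the article: (1) requests to the FMC web management interface whose bodies
carry a serialized Java object and embedded URLs, and (2) the appliance making
an outbound HTTP PUT to an external host as proof of exploitation.

All requests, hosts and URLs below are constructed for illustration.
"""
import base64
import binascii
import ipaddress
import re
from dataclasses import dataclass

# Java serialization stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# The same four bytes Base64-encoded always begin with this prefix.
JAVA_STREAM_MAGIC_B64 = b"rO0AB"

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

# Placeholder: the article does not name the request path Amazon observed, so
# every path on the management interface is inspected here.
MANAGEMENT_PATH_PREFIX = "/"  # hypothetical, tighten to the real FMC path

# RFC 1918 ranges treated as internal; everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class HttpRequest:
    src_ip: str
    method: str
    path: str
    body: bytes
    authenticated: bool = False


@dataclass
class EgressEvent:
    src_host: str
    method: str
    dest_url: str


def contains_java_stream(body: bytes) -> bool:
    """True if the body carries a Java serialization stream, raw or Base64."""
    if JAVA_STREAM_MAGIC in body:
        return True
    for run in B64_RUN_RE.findall(body):
        if run.startswith(JAVA_STREAM_MAGIC_B64):
            return True
        # A stream embedded after a prefix shifts the Base64 alignment, so
        # decode the whole run and look for the magic bytes inside it.
        try:
            if JAVA_STREAM_MAGIC in base64.b64decode(run, validate=True):
                return True
        except (binascii.Error, ValueError):
            continue
    return False


def embedded_urls(body: bytes) -> list:
    """URLs embedded in a request body (the article describes two per request)."""
    return [m.decode("ascii", "replace") for m in URL_RE.findall(body)]


def analyze_request(req: HttpRequest) -> list:
    """Findings for one request to the management interface."""
    findings = []
    if not req.path.startswith(MANAGEMENT_PATH_PREFIX) or req.method not in ("POST", "PUT"):
        return findings
    if contains_java_stream(req.body):
        findings.append("java-serialized-object-in-body")
        if not req.authenticated:
            findings.append("unauthenticated-request")
        urls = embedded_urls(req.body)
        if urls:
            findings.append(f"embedded-urls:{len(urls)}")
    return findings


def _is_internal(host: str) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.endswith(".corp.example")  # constructed internal DNS suffix
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_egress(events: list, management_hosts: set) -> list:
    """A management appliance has no business PUTting files to external hosts;
    such an event matches the exploitation-confirmation callback described."""
    flagged = []
    for ev in events:
        if ev.src_host not in management_hosts or ev.method != "PUT":
            continue
        host = re.sub(r"^https?://", "", ev.dest_url).split("/")[0].split(":")[0]
        if not _is_internal(host):
            flagged.append(ev)
    return flagged


def run_demo() -> dict:
    """Run both checks over constructed sample data and return the results."""
    requests = [
        # Constructed: raw stream with two embedded URLs, no session.
        HttpRequest("198.51.100.7", "POST", "/", JAVA_STREAM_MAGIC + b"\x00" * 8
                    + b"http://203.0.113.10/config.xml\x00http://203.0.113.10/put/"),
        # Constructed: Base64-encoded stream inside a form field, authenticated.
        HttpRequest("10.0.0.5", "POST", "/", b"payload="
                    + base64.b64encode(JAVA_STREAM_MAGIC + b"\x00" * 12), authenticated=True),
        HttpRequest("10.0.0.9", "GET", "/login", b""),
        HttpRequest("10.0.0.9", "POST", "/", b'{"action":"list_devices","page":1}', True),
    ]
    egress = [
        EgressEvent("fmc-01", "PUT", "http://203.0.113.10/put/fmc-01.txt"),
        EgressEvent("fmc-01", "GET", "https://updates.corp.example/feed"),
        EgressEvent("fmc-01", "PUT", "https://backup.corp.example/fmc"),
        EgressEvent("ws-22", "PUT", "http://203.0.113.10/x"),
    ]
    return {
        "request_findings": [analyze_request(r) for r in requests],
        "flagged_egress": suspicious_egress(egress, {"fmc-01"}),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The second check is the cheaper of the two to deploy: the management interface should already be behind an allowlist, and any PUT from it to an address outside that allowlist is worth an alert regardless of what the request body looked like.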

Interlock’s tools revealed

AWS researchers simulated a successful exploitation, tricking the attackers into downloading a malicious Linux executable file from a remote server. By analyzing this server, they found it was a central hub for the attackers’ tools, organized by victim, and used both to send malware to infected systems and receive data back from them.

The malware, other stored artifacts, and the ransom note pointed to Interlock involvement.

The researchers found:

  • A PowerShell script the group uses for enumerating and collecting information about Windows hosts present on the targeted network
  • A JavaScript remote access trojan that collects information about infected hosts (and has self-update and self-delete capabilities)
  • A Java implant that sets up redundant command-and-control communication
  • A Bash script that turns a hacked Linux server into a temporary relay server that anonymizes attacks, forwards malicious traffic, and constantly erases traces to make tracking attacker activity difficult
  • A memory-resident webshell/backdoor
  • A lightweight network beacon that confirms successful code execution or network port reachability following initial exploitation

Interlock also uses legitimate tools like ConnectWise ScreenConnect (for redundant remote access), Volatility (for parsing memory dumps in search of sensitive data), and Certify (for identifying vulnerable certificate templates and enrollment permissions).

Mitigation and remediation

AWS has shared indicators of compromise enterprise defenders can check for in their logs and has advised on immediate actions and long-term measures they should take.

“The real story here isn’t just about one vulnerability or one ransomware group—it’s about the fundamental challenge zero-day exploits pose to every security model. When attackers exploit vulnerabilities before patches exist, even the most diligent patching programs can’t protect you in that critical window,” Moses pointed out.

“This is precisely why defense in depth is essential—layered security controls provide protection when any single control fails or hasn’t yet been deployed. Rapid patching remains foundational in vulnerability management, but defense in depth helps organizations not to be defenseless during the window between exploit and patch.”

Cisco has updated its advisory to say it is aware of active exploitation of CVE-2026-20131, and the US Cybersecurity and Infrastructure Security Agency has ordered US federal civilian agencies to address CVE-2026-20131 by March 22, 2026.

“If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced,” Cisco noted in its advisory.

CVE-2026-20131 is the third Cisco vulnerability flagged as exploited as a zero-day since the start of this year: attackers also leveraged CVE-2026-20127 (in Cisco Catalyst SD-WAN Controller), CVE-2026-20045 (in the company’s unified communications solutions), and CVE-2025-20393 (in Email Security Gateway and Secure Email and Web Manager devices).
