What Happened
The Interlock ransomware gang exploited a critical Cisco Secure Firewall Management Center (FMC) vulnerability for 52 days before Cisco publicly disclosed it on March 4, 2026. Amazon Threat Intelligence discovered that attackers had been actively exploiting CVE-2026-20131—a maximum-severity remote code execution flaw with a CVSS score of 10.0—as a zero-day since January 26, 2026, according to The Register.
This wasn't an opportunistic attack on random systems. Interlock deliberately targeted network security infrastructure—the very tools organizations deploy to protect themselves. The gang, which emerged in September 2024 and is linked to the ClickFix and NodeSnake malware families, gained a significant head start by exploiting the vulnerability before patches existed.
Technical Details
CVE-2026-20131 stems from insecure deserialization of user-supplied Java byte streams in the FMC's web-based management interface. An unauthenticated attacker can send crafted HTTP requests containing serialized Java objects to a specific endpoint, bypassing authentication entirely and executing arbitrary code with root privileges, according to the Cisco Security Advisory.
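Because the flaw is triggered by a serialized Java object arriving in an HTTP request, one practical detection is to look for the fixed header every Java serialization stream starts with. The following is an added example written for this write-up, not code from Cisco, Amazon or the article: it scans constructed request-log lines for that header in the three encodings it commonly takes (raw base64, hex, URL-encoded). The log format, the `/placeholder/endpoint` path and every sample line are constructed; the article does not name the affected FMC endpoint, so no real path is assumed.

```python
"""Flag HTTP request log entries that carry a Java serialization stream.

Added example, not code from Cisco, Amazon or the article. Log format,
endpoint path and sample lines are constructed for illustration.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Every Java serialization stream begins with STREAM_MAGIC 0xACED followed by
# STREAM_VERSION 0x0005.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# base64 of those four bytes begins "rO0AB"; hex is "aced0005";
# URL-encoded it is "%AC%ED%00%05".
B64_PREFIX = "rO0AB"
HEX_PREFIX = "aced0005"
URLENC_MAGIC = re.compile(r"%ac%ed%00%05", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    client: str
    path: str
    reasons: list[str]


def serialization_indicators(line: str) -> list[str]:
    """Return the serialization markers found in one constructed log line.

    Constructed line format: "<timestamp> <client> <method> <path> body=<body>".
    """
    reasons = []
    if B64_PREFIX in line:
        reasons.append("base64 Java serialization magic (rO0AB)")
    if URLENC_MAGIC.search(line):
        reasons.append("URL-encoded Java serialization magic (%AC%ED%00%05)")
    body = line.partition("body=")[2].strip()
    if body.lower().startswith(HEX_PREFIX):
        reasons.append("hex Java serialization magic (aced0005)")
    return reasons


def scan_log(lines: list[str]) -> list[Finding]:
    """Run the indicator check over every line and keep the hits."""
    findings = []
    for n, line in enumerate(lines, start=1):
        reasons = serialization_indicators(line)
        if not reasons:
            continue
        fields = line.split(maxsplit=4)
        if len(fields) < 4:
            continue  # malformed line: skip rather than guess at client/path
        findings.append(Finding(n, fields[1], fields[3], reasons))
    return findings


def hits_per_client(findings: list[Finding]) -> dict[str, int]:
    """Count hits per source address, a quick way to spot one scanner/attacker."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.client] = counts.get(f.client, 0) + 1
    return counts


# Constructed sample log. The first body is base64 of the magic bytes plus
# filler text; it is not a real payload. The fourth body is base64 JSON.
_B64_BODY = base64.b64encode(JAVA_SER_MAGIC + b"constructed-filler").decode()
SAMPLE_LOG = [
    "2026-02-10T03:14:22Z 203.0.113.7 POST /placeholder/endpoint body=" + _B64_BODY,
    "2026-02-10T03:15:01Z 198.51.100.20 GET /ui/login body=",
    "2026-02-10T03:16:40Z 203.0.113.7 GET /placeholder/endpoint?obj=%AC%ED%00%05ff body=",
    "2026-02-10T03:17:05Z 198.51.100.20 POST /api/session body=eyJ1c2VyIjoiYWRtaW4ifQ==",
    "2026-02-10T03:18:30Z 192.0.2.44 POST /placeholder/endpoint body=" + HEX_PREFIX + "00" * 8,
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.client} -> {f.path}: {'; '.join(f.reasons)}")
    print(hits_per_client(hits))
```

Run against real FMC web-server logs the same markers apply, but note that access logs normally omit request bodies; the body check is only useful where a reverse proxy or WAF records bodies or the query string carries the object. A hit on the magic header is a strong signal because legitimate browser traffic to a management UI has no reason to post serialized Java objects.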
The attack chain discovered by Amazon Threat Intelligence reveals sophisticated post-exploitation capabilities:
- Custom JavaScript RAT: Uses WebSocket for command-and-control communication, enabling shell access, command execution, file transfer, and SOCKS5 proxying
- Java RAT: Built on GlassFish infrastructure with similar capabilities
- Linux HAProxy reverse proxies: Deployed via bash scripts that install fail2ban, configure HAProxy on port 80, and set up cron jobs for log erasure
- Memory-resident web shell: Executes encrypted commands without leaving disk artifacts
- ConnectWise ScreenConnect: Used for persistent remote access
The vulnerability affects FMC versions 7.4.0–7.4.5, 7.6.0–7.6.4, 7.7.0–7.7.11, and 10.0.0. Critically, the CVSS scope is marked as "Changed," meaning exploitation impacts not just the FMC itself but also managed Firepower Threat Defense (FTD) devices—extending the blast radius significantly.
Impact Assessment
Organizations with externally exposed FMC management interfaces face the highest risk. This includes enterprises managing distributed firewall deployments, data centers, and cloud environments where the FMC web interface is accessible from the internet.
The 52-day exploitation window gave attackers nearly two months of unfettered access before defenders even knew a patch was needed. During this time, Interlock could establish persistence, move laterally, and exfiltrate data—all while appearing as legitimate administrative traffic.
The attack demonstrates a troubling trend: threat actors targeting security infrastructure itself. Compromising a firewall management platform provides attackers with a trusted position inside the network, visibility into security policies, and potential control over traffic filtering rules.
What You Should Do
Immediate Actions:
- Patch immediately: Upgrade to fixed FMC releases as specified in the Cisco advisory. There are no workarounds.
- Conduct a compromise assessment: If you're running an affected version, assume potential compromise. Look for indicators including unusual outbound connections, unauthorized ScreenConnect installations, and unexpected HAProxy configurations.
- Review access controls: FMC management interfaces should never be internet-accessible. Restrict access to trusted management networks via VPN or jump hosts.
- Audit ScreenConnect deployments: Check for unauthorized installations of ConnectWise ScreenConnect, which Interlock used for persistence.
- Enable comprehensive logging: Ensure FMC logs are captured, retained, and monitored for anomalous activity.
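The compromise-assessment step above asks for specific artifacts, and the post-exploitation list earlier in the article says what they look like (cron jobs that erase logs, HAProxy on port 80, ScreenConnect for persistence, unexpected outbound connections). The following is an added example for this write-up, not Cisco's, Amazon's or the article's own tooling: it runs those four checks over constructed, simplified stand-ins for crontab, haproxy.cfg, ps and ss output. The trusted network range, the ScreenConnect process path and all sample data are assumptions made for the example, and the connection parser handles IPv4 only.

```python
"""Triage host artifacts for the post-exploitation indicators the article lists.

Added example, not Cisco's, Amazon's or the article's own tooling. The
artifact formats, the trusted network and the sample data are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass
class HostArtifacts:
    cron_entries: list[str]   # one crontab line each
    haproxy_cfg: str          # contents of haproxy.cfg, empty if absent
    processes: list[str]      # "PID USER COMMAND"
    connections: list[str]    # "STATE LOCAL REMOTE PROCESS" (IPv4 only here)


LOG_PATH = re.compile(r"/var/log\S*")
WIPE_VERBS = ("rm ", "truncate", "shred", "unlink", ">")
BIND_LINE = re.compile(r"^\s*bind\s+(\S+)", re.MULTILINE)
# Assumed management range; any ESTABLISHED connection outside it is flagged.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def cron_log_wipers(entries: list[str]) -> list[str]:
    """Cron entries that touch /var/log with a delete/truncate verb."""
    return [e for e in entries
            if LOG_PATH.search(e) and any(v in e for v in WIPE_VERBS)]


def haproxy_bind_ports(cfg: str) -> list[int]:
    """Ports HAProxy is configured to listen on, from its bind lines."""
    ports = []
    for addr in BIND_LINE.findall(cfg):
        port = addr.rsplit(":", 1)[-1]
        if port.isdigit():
            ports.append(int(port))
    return ports


def screenconnect_processes(processes: list[str]) -> list[str]:
    """Process entries whose command line mentions ScreenConnect."""
    return [p for p in processes if "screenconnect" in p.lower()]


def untrusted_outbound(connections: list[str]) -> list[str]:
    """Established connections whose remote address is outside TRUSTED_NETS."""
    flagged = []
    for c in connections:
        parts = c.split()
        if len(parts) < 3 or parts[0] != "ESTAB":
            continue
        remote_ip = parts[2].rsplit(":", 1)[0]
        try:
            ip = ipaddress.ip_address(remote_ip)
        except ValueError:
            continue  # not an IPv4 literal; leave for manual review
        if not any(ip in net for net in TRUSTED_NETS):
            flagged.append(c)
    return flagged


def assess_host(a: HostArtifacts) -> list[str]:
    """Collect human-readable findings from all four checks."""
    findings = []
    for e in cron_log_wipers(a.cron_entries):
        findings.append(f"cron job erases logs: {e}")
    if 80 in haproxy_bind_ports(a.haproxy_cfg):
        findings.append("HAProxy bound on port 80 (matches the reported reverse-proxy setup)")
    for p in screenconnect_processes(a.processes):
        findings.append(f"ScreenConnect process present: {p}")
    for c in untrusted_outbound(a.connections):
        findings.append(f"outbound connection outside trusted range: {c}")
    return findings


# Constructed sample artifacts: one benign and one suspicious entry per source.
SAMPLE = HostArtifacts(
    cron_entries=[
        "0 * * * * /usr/sbin/logrotate /etc/logrotate.conf",
        "*/10 * * * * rm -f /var/log/httpd/access_log",
    ],
    haproxy_cfg="frontend http_in\n    bind *:80\n    default_backend relay\n",
    processes=[
        "1 root /sbin/init",
        "4123 root /opt/constructed/ScreenConnect.ClientService",
    ],
    connections=[
        "ESTAB 10.0.0.5:443 10.0.0.9:51234 httpsd",
        "ESTAB 10.0.0.5:44122 203.0.113.7:443 node",
    ],
)

if __name__ == "__main__":
    for line in assess_host(SAMPLE):
        print(line)
```

Each check is deliberately broad: a cron job that truncates a log, a proxy listening on a port the appliance has no reason to serve, or a remote-access agent nobody approved all warrant a human look even when they turn out to be benign. Treat the output as a starting list for the assessment, not a verdict.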
Lessons Learned
This incident highlights several uncomfortable truths about enterprise security:
Security tools are attack surfaces too. Organizations often focus on patching endpoints and servers while neglecting the security infrastructure itself. Firewall management platforms, SIEM consoles, and endpoint protection dashboards all represent high-value targets.
Zero-days create asymmetric advantages. For 52 days, defenders had no knowledge that a patch was needed. This underscores the importance of defense-in-depth—network segmentation, behavioral monitoring, and least-privilege access can limit damage even when patches don't exist yet.
Time-to-patch matters, but so does detection. While organizations scrambled to apply patches after March 4, the real question is: would you have detected suspicious activity on your FMC during those 52 days? Memory-resident web shells and legitimate remote access tools make detection challenging but not impossible.
Threat intelligence sharing remains critical. Amazon's discovery and disclosure of this campaign enabled Cisco to update its advisory and the broader community to respond. Without this intelligence sharing, exploitation could have continued undetected even longer.
Resources
- Cisco Security Advisory: Cisco Secure Firewall Management Center Software Remote Code Execution Vulnerability
- The Hacker News: Interlock Ransomware Exploits Cisco FMC Zero-Day
- BleepingComputer: Interlock Ransomware Exploited Secure FMC Flaw in Zero-Day Attacks
- Arctic Wolf: CVE-2026-20079 & CVE-2026-20131 Analysis