Full Report
Interlock's post-exploit toolkit exposed

Ransomware criminals exploited CVE-2026-20131, a maximum-severity bug in Cisco Secure Firewall Management Center software, as a zero-day vulnerability more than a month before Cisco patched the hole, according to Amazon security boss CJ Moses. …
Analysis Summary
# Vulnerability: Cisco Secure Firewall Management Center Remote Code Execution
## CVE Details
- **CVE ID:** CVE-2026-20131
- **CVSS Score:** 10.0 (Critical)
- **CWE:** Not specified in the report. The behaviour described (unauthenticated execution of arbitrary Java code) is consistent with weaknesses such as Improper Input Validation or Unsafe Deserialization, but the source does not name a CWE.
## Affected Systems
- **Products:** Cisco Secure Firewall Management Center (FMC) software
- **Versions:** All versions prior to the March 4, 2026 update.
- **Configurations:** Default configurations accessible via the network.
## Vulnerability Description
CVE-2026-20131 is a maximum-severity flaw that allows an unauthenticated, remote attacker to execute arbitrary Java code on the target device. Because the affected process runs with elevated permissions, the attacker can achieve **root-level access** to the underlying operating system. The source does not describe the root cause; based on the behaviour reported, the flaw likely lies in how the FMC software handles specific network requests or serialized Java objects, enabling command execution without valid credentials.
## Exploitation
- **Status:** Exploited in the wild (Zero-day). Exploitation by the "Interlock" ransomware group began on January 26, 2026—36 days before a patch was available.
- **Complexity:** Low (Unauthenticated)
- **Attack Vector:** Network
## Impact
- **Confidentiality:** Total (Root access allows full data exfiltration and credential harvesting)
- **Integrity:** Total (Attackers can modify system logs, configurations, and install persistent implants)
- **Availability:** Total (Ransomware actors use this access to encrypt systems and disrupt services)
## Remediation
### Patches
- Cisco released software updates to address this vulnerability on **March 4, 2026**. Customers are urged to upgrade to the latest fixed release of Cisco Secure Firewall Management Center immediately.
### Workarounds
- No specific workarounds were provided in the report. Standard best practices include restricting access to the FMC management interface to trusted internal networks or via VPN.
## Detection
### Indicators of Compromise
- **Attacker Infrastructure:** Traffic originating from or moving to known Interlock ransomware command-and-control (C2) servers.
- **Malicious Files:**
  - PowerShell scripts designed for system profiling and ZIP-based data staging.
  - Custom RATs (C++ and Java variants) using WebSockets for C2 communication.
  - Memory-resident Java backdoors (intercepting HTTP requests without writing to disk).
  - Bash scripts that configure Linux servers as HTTP reverse proxies and wipe logs every 5 minutes.
- **Tooling:** Presence of `ConnectWise ScreenConnect`, `Volatility`, or `Certify` (unauthorized use of legitimate tools).
### Detection Methods and Tools
- **Honeypots:** Monitoring for exploit attempts targeting the FMC management ports.
- **Log Analysis:** Checking for evidence of log-wiping scripts or unauthorized RDP authentication events.
- **Network Defense:** Monitoring for persistent WebSocket connections to external, unrecognized IP addresses.
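The report notes that Interlock's Bash scripts wipe logs every 5 minutes, which on a Linux host usually means a scheduled job. The following is an added example (not code from the article, Amazon, or Cisco) of the kind of check a defender can run over exported crontab entries to surface high-frequency jobs that delete or truncate files under `/var/log`, or that run from temporary or hidden directories. The crontab lines and all regular expressions are constructed for the demonstration and are not indicators taken from the report.

```python
import re

# Constructed sample crontab for demonstration; not taken from the article.
SAMPLE_CRONTAB = """\
0 2 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/.x/clean.sh > /dev/null 2>&1
*/5 * * * * truncate -s 0 /var/log/auth.log /var/log/syslog
15 3 * * 0 /usr/local/bin/backup.sh
* * * * * rm -f /var/log/messages
# comment lines are ignored
"""

# Heuristics (constructed): where logs live, what "wiping" looks like,
# and where legitimate scheduled jobs rarely live.
LOG_PATH = re.compile(r"/var/(log|adm)/")
WIPE_VERB = re.compile(r"\b(rm|truncate|shred|unlink)\b|:\s*>|>\s*/var/log")
SUSPICIOUS_DIR = re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/|/\.[A-Za-z0-9_]+/")


def minute_interval(minute_field):
    """Smallest repeat interval in minutes implied by a cron minute field.

    Returns None when the entry does not repeat within a single hour
    (for example a fixed minute such as "0" or "15").
    """
    if minute_field == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    if m:
        return int(m.group(1))
    return None


def find_log_wipers(crontab_text, max_interval=5):
    """Return findings for cron entries that run at least every
    `max_interval` minutes and either wipe log files or run from a
    temporary/hidden directory."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # minute hour dom month dow command
        if len(fields) < 6:
            continue
        minute, command = fields[0], fields[5]
        interval = minute_interval(minute)
        if interval is None or interval > max_interval:
            continue
        reasons = []
        if LOG_PATH.search(command) and WIPE_VERB.search(command):
            reasons.append("frequent destructive operation on log path")
        if SUSPICIOUS_DIR.search(command):
            reasons.append("frequent job run from temp or hidden directory")
        if reasons:
            findings.append({
                "line": lineno,
                "interval_min": interval,
                "command": command,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_log_wipers(SAMPLE_CRONTAB):
        print(f"line {f['line']}: every {f['interval_min']} min: {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

In practice the input would be the concatenation of `/etc/crontab`, `/etc/cron.d/*`, and `crontab -l` output for each user; the same idea applies to systemd timers, where the check is on `OnUnitActiveSec`/`OnCalendar` and the associated `ExecStart`. Treating the 5-minute cadence as a threshold rather than an exact match avoids missing a variant that runs every minute.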
## References
- **Vendor Advisory:** hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh
- **Amazon Threat Intelligence Blog:** hxxps[://]aws[.]amazon[.]com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/
- **Article Source:** hxxps[://]www[.]theregister[.]com/2026/03/18/cisco_firewall_zero_day_amazon/