Mar 26, 2026 · 6 min read
Interlock Ransomware Exploited a Cisco Firewall Zero Day for 36 Days Before Anyone Knew
CVE-2026-20131 is a maximum severity Java deserialization flaw in Cisco Secure Firewall Management Center. The Interlock gang weaponized it weeks before Cisco shipped a patch, hitting hospitals, universities, and city governments.
A Perfect 10 on the Severity Scale
Cisco Secure Firewall Management Center (FMC) is the central dashboard that enterprises use to configure, monitor, and push policies to every Cisco firewall on the network. On March 4, 2026, Cisco disclosed CVE-2026-20131, a deserialization vulnerability in the FMC web management interface that carries the maximum possible CVSS score of 10.0.
The root cause is insecure handling of Java byte streams. An unauthenticated attacker can send a crafted serialized Java object to the management interface and execute arbitrary code as root, no credentials required. Because FMC manages firewall policy for entire networks, compromising it gives an attacker a direct path to reconfigure or disable every firewall under its control.
36 Days of Silent Exploitation
Amazon's threat intelligence team discovered that the Interlock ransomware gang had been exploiting this vulnerability since January 26, 2026, a full 36 days before Cisco publicly disclosed it. According to Amazon CISO CJ Moses, the gap between first exploitation and patch availability gave Interlock a significant head start.
The attack chain works in stages. First, the attacker sends crafted HTTP requests to a specific endpoint in the FMC web interface, triggering the deserialization flaw and achieving code execution. The compromised FMC then issues an HTTP PUT request to an external server to confirm successful exploitation. Finally, the attacker downloads an ELF binary from a remote server, establishing persistent access.
From there, Interlock deployed a toolkit that included a PowerShell script for Windows host enumeration, a JavaScript-based remote access trojan with self-update capability, a Java implant for command and control, and a memory-resident webshell. The group also used legitimate remote access tools like ConnectWise ScreenConnect to blend in with normal administrative traffic.
Who Got Hit
Interlock has been active since September 2024, but the FMC zero-day supercharged its operations. The group has claimed responsibility for attacks on DaVita, one of the largest kidney dialysis providers in the United States, Kettering Health, the Texas Tech University System, the city of Saint Paul in Minnesota, and multiple UK universities. Across these campaigns, Interlock's operations have affected an estimated 27 million people, primarily through the theft of healthcare and education records.
The healthcare sector is a particularly alarming target. Patient records contain Social Security numbers, insurance details, and medical histories, data that commands premium prices on criminal marketplaces and that victims cannot simply change like a password.
What Makes This Different
Several factors make CVE-2026-20131 stand out. First, it requires no authentication. Many firewall management vulnerabilities require at least a valid login, but this one can be triggered by anyone who can reach the FMC web interface. Second, the affected product is a management platform, not just a single device. Compromising FMC can cascade across every firewall it manages.
Third, Interlock is not a typical ransomware gang. The group has been linked to ClickFix social engineering campaigns and has recently incorporated AI-generated malware variants, including one dubbed Slopoly. This suggests a technically sophisticated operation that actively evolves its tactics.
CISA added CVE-2026-20131 to its Known Exploited Vulnerabilities catalog and ordered all federal civilian agencies to patch by March 22, 2026. For organizations outside the federal government, the urgency is the same. If your FMC management interface is reachable from the internet, assume it may have already been probed.
How to Protect Yourself
- Patch immediately. Cisco has released updates. Apply them now. Do not wait for a maintenance window.
- Restrict management access. The FMC web interface should never be exposed to the public internet. Use VPN or jump host access only.
- Check for indicators of compromise. Look for unexpected HTTP PUT requests from FMC to external IPs, unfamiliar ELF binaries, and ConnectWise ScreenConnect installations you did not authorize.
- Review firewall policies. If FMC was compromised, the attacker may have silently modified firewall rules to allow future access. Audit all policy changes since January 2026.
- Segment your management network. Firewall management planes should be on isolated networks with strict access controls, separate from production traffic.
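As an added example (not code from the article, Cisco, or Amazon), the following Python check applies the indicators-of-compromise item above to egress logs: it flags HTTP PUT requests from FMC management addresses to non-internal IPs (the confirmation beacon in the attack chain) and any follow-on download from the same external host, and checks a retrieved file for the ELF magic bytes. The log line format, the FMC address, the internal address ranges, and all sample entries are assumptions constructed for this example.

```python
import ipaddress
import re
from typing import Dict, List

# Assumed FMC management address(es) for this example; substitute your own.
FMC_HOSTS = {"10.10.5.20"}

# Assumed internal ranges; anything outside these counts as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample egress log lines (proxy-style key=value format, not real data).
SAMPLE_LOGS = """\
2026-02-02T03:14:07Z src=10.10.5.20 dst=10.10.5.40 method=GET url=/api/fmc_config/v1
2026-02-02T03:14:09Z src=10.10.5.20 dst=203.0.113.45 method=PUT url=/c/8f3a
2026-02-02T03:14:12Z src=10.10.5.20 dst=203.0.113.45 method=GET url=/dl/agent bytes=284672
2026-02-02T03:15:00Z src=10.10.7.8 dst=198.51.100.9 method=PUT url=/upload
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) url=(?P<url>\S+)")


def is_external(ip: str) -> bool:
    """True when the address falls outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspicious_fmc_egress(log_text: str, fmc_hosts=FMC_HOSTS) -> List[Dict[str, str]]:
    """Return entries where an FMC host PUTs to an external IP, plus any later
    request from FMC to that same external host (the payload download stage)."""
    hits: List[Dict[str, str]] = []
    beacon_targets = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] not in fmc_hosts or not is_external(m["dst"]):
            continue
        entry = m.groupdict()
        if entry["method"] == "PUT":
            entry["reason"] = "PUT from FMC to external IP"
            beacon_targets.add(entry["dst"])
            hits.append(entry)
        elif entry["dst"] in beacon_targets:
            entry["reason"] = "follow-on request to prior beacon target"
            hits.append(entry)
    return hits


def is_elf(data: bytes) -> bool:
    """Check the first four bytes of a retrieved file for the ELF magic number."""
    return data[:4] == b"\x7fELF"
```

Non-FMC sources and FMC traffic to internal hosts are ignored, so the check produces hits only for the beacon and the download that followed it.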
The Bigger Picture
The Cisco FMC exploit follows a pattern that has become disturbingly common: attackers target security infrastructure itself. In recent months, vulnerabilities in Citrix NetScaler, Cisco SD-WAN, and FortiGate firewalls have all been exploited in the wild. When the devices meant to protect your network become the entry point, traditional perimeter defenses fail entirely.
For any organization running Cisco FMC, the message is straightforward: patch today, lock down management access, and verify that no unauthorized changes have already been made. The 36-day window that Interlock had before disclosure means the damage may already be done.