CVE-2026-20131

Cisco Secure Firewall Management Center (FMC) — Unauthenticated Remote Code Execution via Java Deserialization
CVSS 3.1: 10.0 / 10 (CRITICAL). Listed in the CISA Known Exploited Vulnerabilities catalog.

Overview

Actively Exploited as a Zero-Day by Interlock Ransomware. Amazon threat intelligence confirmed exploitation began January 26, 2026 — 36 days before public disclosure. CISA added this to the Known Exploited Vulnerabilities (KEV) Catalog on March 19, 2026 with an emergency remediation deadline of March 22, 2026 (only 3 days). Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2026-20131 is a critical unauthenticated remote code execution vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC). The flaw stems from insecure deserialization of user-supplied Java byte streams (CWE-502). An attacker can send a crafted serialized Java object to the management interface to achieve arbitrary code execution as root on the underlying Linux system — with no authentication required.

This is a maximum severity vulnerability: CVSS 10.0, network-accessible, no authentication, no user interaction, and the attacker gains root-level access with cross-scope impact (Scope: Changed). The Interlock ransomware group weaponized this as a zero-day to compromise enterprise firewall infrastructure and deploy a full operational toolkit including RATs, webshells, and ransomware payloads.

Zero-Day Exploitation: Interlock Ransomware Campaign

Amazon's threat intelligence team, using their MadPot global honeypot sensor network, identified Interlock ransomware exploiting this vulnerability 36 days before Cisco's public disclosure. A misconfigured Interlock infrastructure server exposed the group's complete operational toolkit, giving researchers rare visibility into a ransomware operation's full attack chain.

Attack Timeline

Date                    Event
----                    -----
January 26, 2026        First observed exploitation activity (Amazon MadPot sensors)
January – March 2026    Interlock actively compromising organizations via the zero-day
March 4, 2026           Cisco publicly discloses CVE-2026-20131 and releases patches
March 18, 2026          Amazon publishes detailed Interlock campaign analysis
March 19, 2026          CISA adds CVE-2026-20131 to the KEV catalog with a 3-day remediation deadline
March 22, 2026          CISA remediation deadline

Exploitation Technique

The attack involves sending HTTP requests to a specific path in the FMC web interface. Request bodies contain Java code execution attempts along with two embedded URLs:

  1. A URL to deliver configuration data supporting the exploit
  2. A URL designed to confirm successful exploitation by causing the vulnerable target to perform an HTTP PUT request and upload a generated file

Upon successful exploitation, Interlock fetches and executes a malicious ELF binary (Linux executable) from a remote staging server, beginning post-compromise operations.

Interlock's Operational Toolkit

The exposed infrastructure revealed a sophisticated multi-stage attack chain:

  • PowerShell Recon Script: Systematic Windows environment enumeration — OS/hardware details, services, installed software, Hyper-V inventory, browser artifacts (Chrome, Edge, Firefox, IE, 360 browser), network connections, RDP events. Stages results to network shares per hostname.
  • JavaScript RAT: Full remote access trojan with RC4-encrypted WebSocket C2, per-message random 16-byte keys, interactive shell, file transfer, SOCKS5 proxy. Self-update/self-delete for operational cleanup.
  • Java RAT: Functionally equivalent backup RAT built on GlassFish/Grizzly/Tyrus libraries. Ensures persistent access even if one implant is detected.
  • Memory-Resident Webshell: Fileless Java class that registers a ServletRequestListener on the FMC's StandardContext. Intercepts HTTP requests with AES-128 encrypted command payloads (key derived from MD5 of a hardcoded seed). Dynamically loads and executes Java bytecode in memory — no files on disk.
  • Infrastructure Laundering Script: Bash script that builds disposable HTTP reverse proxy nodes using HAProxy 3.1.2 compiled from source. Includes a log erasure cron job (every 5 minutes) and shell history suppression.
  • Connectivity Beacon: TCP server on port 45588 (encoded as a Unicode character to evade static analysis) that confirms successful code execution.
  • ConnectWise ScreenConnect: Legitimate remote desktop tool deployed alongside custom implants for redundant access.
  • Volatility: Memory forensics framework repurposed to extract credentials from RAM.
  • Certify: AD CS exploitation tool for certificate-based privilege escalation and persistence.

Threat Actor Profile: Interlock

Interlock ransomware primarily targets education (largest share), followed by engineering/architecture/construction, manufacturing, healthcare, and government entities — sectors where operational disruption creates maximum payment pressure. Ransom notes cite data protection regulations (GDPR, etc.) to compound pressure. Temporal analysis of operational artifacts indicates the actor most likely operates in UTC+3 (75–80% confidence), with peak activity between 12:00–18:00 and a probable sleep window of 00:30–08:30.

Vulnerability Description

The vulnerability resides in the web-based management interface of Cisco FMC. The interface accepts user-supplied data and passes it through a Java deserialization pathway without adequate validation or filtering. An attacker crafts a malicious serialized Java object (a "gadget chain") that, when deserialized by the server's JVM, triggers arbitrary code execution.

Why Java Deserialization Is Dangerous

  • Automatic code execution: Java's ObjectInputStream.readObject() can invoke arbitrary methods during deserialization if the classpath contains exploitable "gadget" classes (e.g., from Apache Commons Collections, Spring, etc.).
  • Root privileges: The FMC web service runs with elevated (root) privileges on the underlying Linux OS, so successful deserialization exploits grant immediate root access.
  • No authentication barrier: The vulnerable endpoint is accessible to unauthenticated remote users, meaning any network-reachable attacker can exploit it.
  • Cross-scope impact: FMC manages and configures Cisco Secure Firewalls. Compromising FMC gives an attacker control over the entire firewall fleet, enabling policy manipulation, traffic interception, and lateral movement into protected networks.

Critical infrastructure risk: Cisco FMC is a centralized management platform for enterprise firewall deployments. A single compromised FMC instance can allow an attacker to disable security policies, open firewall rules, intercept traffic, or pivot into every network segment the firewall fleet protects. This makes FMC an extraordinarily high-value target for ransomware operators.
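The first bullet above is the whole problem in one line: readObject() starts instantiating whatever class the stream names before application code gets a vote. The defensive counterpart, inside the JVM, is a deserialization filter (ObjectInputFilter, JEP 290) that rejects unexpected classes before any constructor or readObject hook runs. The Python below is an added example, not Cisco code and not a model of the FMC endpoint; it shows what such a filter sees by reading only the stream header (AC ED 00 05) and the outermost class descriptor of a request body and applying a hypothetical class allowlist. The sample bodies are constructed header fragments, not complete streams.

```python
"""Pre-filter check for raw Java serialization streams in HTTP request bodies.

Added example for this write-up: it is not Cisco code, does not model the FMC
endpoint, and the class allowlist is hypothetical. Inside a JVM the same policy
belongs in an ObjectInputFilter (JEP 290); this shows what such a filter sees.
"""
import struct
from typing import Optional

STREAM_MAGIC = 0xACED      # ObjectOutputStream header: AC ED 00 05
STREAM_VERSION = 0x0005
TC_OBJECT = 0x73           # 's': a new object follows
TC_ARRAY = 0x75            # 'u': a new array follows
TC_CLASSDESC = 0x72        # 'r': class descriptor, begins with a UTF class name

# Hypothetical allowlist for a service that only ever expects these types.
ALLOWED_CLASSES = {"java.lang.Integer", "java.lang.String"}


def is_java_stream(body: bytes) -> bool:
    """True when the body starts with the Java serialization header."""
    return len(body) >= 4 and struct.unpack(">HH", body[:4]) == (STREAM_MAGIC, STREAM_VERSION)


def first_class_name(body: bytes) -> Optional[str]:
    """Return the class named by the outermost object's descriptor, or None.

    Only the common shape TC_OBJECT|TC_ARRAY, TC_CLASSDESC, <u2 len><name> is
    decoded; anything else (back-references, proxies, truncation) yields None,
    which the caller treats as untrusted.
    """
    if not is_java_stream(body) or len(body) < 8:
        return None
    if body[4] not in (TC_OBJECT, TC_ARRAY) or body[5] != TC_CLASSDESC:
        return None
    (name_len,) = struct.unpack(">H", body[6:8])
    name = body[8:8 + name_len]
    if len(name) != name_len:          # truncated descriptor: do not trust it
        return None
    return name.decode("utf-8", errors="replace")


def inspect_body(body: bytes, allowed=frozenset(ALLOWED_CLASSES)) -> dict:
    """Classify a request body: pass non-serialized data through, reject any
    serialized stream whose outermost class is unknown or not allowlisted."""
    verdict = {"java_stream": is_java_stream(body), "class": None, "action": "pass"}
    if not verdict["java_stream"]:
        return verdict
    name = first_class_name(body)
    verdict["class"] = name
    if name is None or name not in allowed:
        verdict["action"] = "reject"
    return verdict


def make_stream_prefix(class_name: str) -> bytes:
    """Constructed test input: header plus the start of one class descriptor.
    Not a complete, loadable stream; just enough for the pre-filter to read."""
    encoded = class_name.encode("utf-8")
    header = struct.pack(">HHBBH", STREAM_MAGIC, STREAM_VERSION, TC_OBJECT, TC_CLASSDESC, len(encoded))
    return header + encoded


# Constructed samples
SAMPLE_JSON = b'{"status": "ok"}'
SAMPLE_ALLOWED = make_stream_prefix("java.lang.Integer")
SAMPLE_UNKNOWN = make_stream_prefix("com.example.NotOnTheAllowlist")

if __name__ == "__main__":
    for label, body in (("json", SAMPLE_JSON), ("allowed", SAMPLE_ALLOWED), ("unknown", SAMPLE_UNKNOWN)):
        print(label, inspect_body(body))
```

A filter of this kind is only a first line: it decides on the outermost class, so it must be paired with an in-JVM ObjectInputFilter that is consulted for every nested class, and the only durable fix for an endpoint that never needs native serialization is to stop accepting it at all.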

Affected Versions

Cisco Secure Firewall Management Center Software versions spanning nearly the entire product line are affected. The NVD lists specific point releases across multiple major version branches.

Affected Version Branches

  • 6.4.0.13 – 6.4.0.18
  • 7.0.0 – 7.0.8.1
  • 7.1.0 – 7.1.0.3
  • 7.2.0 – 7.2.10.2
  • 7.3.0 – 7.3.1.2
  • 7.4.0 – 7.4.5
  • 7.6.0 – 7.6.4
  • 7.7.0 – 7.7.11
  • 10.0.0

Also Affected

Cisco Security Cloud Control (SCC) Firewall Management

Attack surface note: Cisco states that if the FMC management interface does not have public internet access, the attack surface is reduced. However, as demonstrated by Interlock's campaign, many enterprise FMC deployments are reachable — either directly exposed or accessible through compromised network segments.

Indicators of Compromise (Selected)

From Amazon's threat intelligence report on the Interlock campaign:

Exploit Source IPs

206.251.239[.]164
199.217.98[.]153
89.46.237[.]33

C2 & Staging Infrastructure

144.172.94[.]59
199.217.99[.]121
188.245.41[.]78
144.172.110[.]106
95.217.22[.]175
37.27.244[.]222

Exploit Support Domains

cherryberry[.]click
ms-server-default[.]com
initialize-configs[.]com
ms-sql-auth[.]com
kolonialeru[.]com
sclair.it[.]com

C2 Domains

browser-updater[.]com
browser-updater[.]live
os-update-server[.]com
os-update-server[.]org
os-update-server[.]live
os-update-server[.]top

TLS Fingerprints

JA3: b885946e72ad51dca6c70abc2f773506
JA3: f80d3d09f61892c5846c854dd84ac403
JA4: t13i1811h1_85036bcba153_b26ce05bbdd6
JA4: t13i4311h1_c7886603b240_b26ce05bbdd6

Mitigation & Remediation

Immediate Actions

  • Apply Cisco's security patches immediately — this is a maximum-severity zero-day with confirmed ransomware exploitation.
  • Restrict management interface access — ensure FMC web interfaces are not exposed to the public internet. Use dedicated management networks with strict ACLs.
  • Review logs for IOCs — search for the exploit source IPs, domains, and TLS fingerprints listed above.
  • Hunt for post-compromise artifacts — look for unauthorized ScreenConnect installations, PowerShell scripts staging data to network shares, and unusual Java ServletRequestListener registrations.

Detection Opportunities

  • Monitor for PowerShell scripts staging data to network shares with hostname-based directory structures
  • Detect Java ServletRequestListener registrations in web application contexts
  • Identify HAProxy installations with aggressive log deletion cron jobs
  • Watch for TCP connections to unusual high-numbered ports (e.g., 45588)
  • Alert on HTTP PUT requests originating from FMC systems to external hosts
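The indicator lists above and the detection bullets just listed are easiest to act on as one sweep over whatever logs are at hand. The Python below is an added example, not tooling from Amazon, Cisco or CISA: it loads the IPs, domains and JA3/JA4 hashes exactly as printed in this write-up (defanged, then refanged at load), scans log lines for them, and also flags two behaviours the report describes that need no indicator at all, an outbound HTTP PUT from the FMC and a connection to TCP port 45588. The log lines and their field names are constructed for the demo; map them to your own web, DNS, TLS and firewall sources.

```python
"""Hunt log lines for the Interlock indicators listed in this write-up.

Added example, not Amazon's or Cisco's tooling. The log formats below are
constructed for the demo; map the fields to your own web, DNS, TLS and
firewall sources before use.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Indicators copied from the report, kept defanged in source and refanged at load.
EXPLOIT_SOURCE_IPS = ["206.251.239[.]164", "199.217.98[.]153", "89.46.237[.]33"]
C2_STAGING_IPS = ["144.172.94[.]59", "199.217.99[.]121", "188.245.41[.]78",
                  "144.172.110[.]106", "95.217.22[.]175", "37.27.244[.]222"]
DOMAINS = ["cherryberry[.]click", "ms-server-default[.]com", "initialize-configs[.]com",
           "ms-sql-auth[.]com", "kolonialeru[.]com", "sclair.it[.]com",
           "browser-updater[.]com", "browser-updater[.]live", "os-update-server[.]com",
           "os-update-server[.]org", "os-update-server[.]live", "os-update-server[.]top"]
JA3_HASHES = ["b885946e72ad51dca6c70abc2f773506", "f80d3d09f61892c5846c854dd84ac403"]
JA4_HASHES = ["t13i1811h1_85036bcba153_b26ce05bbdd6", "t13i4311h1_c7886603b240_b26ce05bbdd6"]
BEACON_PORT = 45588


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into its live form."""
    return ioc.replace("[.]", ".").lower()


# One lookup table: refanged indicator -> category
IOC_INDEX: Dict[str, str] = {}
for kind, values in (("exploit_source_ip", EXPLOIT_SOURCE_IPS), ("c2_staging_ip", C2_STAGING_IPS),
                     ("domain", DOMAINS), ("ja3", JA3_HASHES), ("ja4", JA4_HASHES)):
    for v in values:
        IOC_INDEX[refang(v)] = kind

TOKEN_RE = re.compile(r"[A-Za-z0-9._\-]+")   # IPs, hostnames and fingerprint hashes
DPORT_RE = re.compile(r"\bdport=(\d+)\b")     # destination port in the constructed format


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (category, value) hits for one log line."""
    hits = []
    for tok in TOKEN_RE.findall(line):
        kind = IOC_INDEX.get(tok.lower())
        if kind:
            hits.append((kind, tok))
    # Behavioural indicators from the report, independent of any IP or domain.
    if "dir=out" in line and "method=PUT" in line:
        hits.append(("outbound_put", "PUT"))       # FMC uploading to an external host
    m = DPORT_RE.search(line)
    if m and int(m.group(1)) == BEACON_PORT:
        hits.append(("beacon_port", m.group(1)))  # connectivity beacon port
    return hits


def hunt(lines: List[str]) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Scan every line; keep (line_number, hits) for lines with at least one hit."""
    return [(i, h) for i, line in enumerate(lines, 1) if (h := scan_line(line))]


def summarize(results) -> Counter:
    """Count hits per category across the scan results."""
    return Counter(kind for _, hits in results for kind, _ in hits)


# Constructed sample logs (formats invented for this demo)
SAMPLE_LOGS = [
    "2026-01-27T03:14:09Z fmc-01 httpd src=206.251.239.164 method=POST status=200",
    "2026-01-27T03:14:10Z fmc-01 proxy dir=out src=10.0.0.5 dst=144.172.94.59 method=PUT status=201",
    "2026-01-27T03:15:00Z dns-01 query=browser-updater.com client=10.0.0.5",
    "2026-01-27T03:15:02Z tls-sensor ja3=b885946e72ad51dca6c70abc2f773506 src=10.0.0.5 dst=37.27.244.222 dport=443",
    "2026-01-27T03:16:30Z fw-01 conn src=10.0.0.5 dst=95.217.22.175 dport=45588 proto=tcp",
    "2026-01-27T03:20:00Z dns-01 query=updates.example.com client=10.0.0.7",
]

if __name__ == "__main__":
    results = hunt(SAMPLE_LOGS)
    for n, hits in results:
        print(f"line {n}: {hits}")
    print(dict(summarize(results)))
```

Token matching on refanged values is deliberately exact rather than substring-based, so a benign host whose name merely contains an indicator (for example a subdomain) does not fire; extend IOC_INDEX from a feed rather than editing the lists by hand once the report's indicators are superseded.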

Long-Term Measures

  • Implement network segmentation to isolate management planes from production traffic
  • Deploy defense-in-depth controls — assume any single security device can be compromised
  • Maintain centralized, tamper-resistant logging separate from managed infrastructure
  • Regularly audit Active Directory Certificate Services configurations (the Certify tool targets AD CS misconfigurations)
  • Test incident response procedures specifically for security infrastructure compromise scenarios

Key Details

Property              Value
--------              -----
CVE ID                CVE-2026-20131
Vendor / Product      Cisco — Secure Firewall Management Center (FMC)
NVD Published         2026-03-04
NVD Last Modified     2026-03-25
CVSS 3.1 Score        10.0
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-502
CISA KEV Added        2026-03-19
CISA KEV Deadline     2026-03-22
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Changed
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2026-03-22. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
----          -----
2026-01-26    First observed exploitation activity (Amazon MadPot sensors detect Interlock)
2026-03-04    Cisco publicly discloses CVE-2026-20131 and releases patches
2026-03-18    Amazon publishes detailed Interlock campaign analysis (MadPot findings)
2026-03-19    Added to the CISA Known Exploited Vulnerabilities catalog (3-day emergency deadline)
2026-03-22    CISA BOD 22-01 remediation deadline