Cisco firewall zero-day was used to deploy Interlock ransomware before public disclosure
A critical Cisco Secure Firewall Management Center flaw was exploited as a zero-day by the Interlock ransomware group before Cisco disclosed and patched it. Amazon threat intelligence says it observed Interlock exploiting CVE-2026-20131 starting on January 26, 2026, 37 days before Cisco published its advisory on March 4.
The vulnerability affects Cisco Secure Firewall Management Center, or FMC, and can let an unauthenticated remote attacker execute arbitrary Java code as root on a vulnerable device. Cisco and NVD say the issue stems from insecure deserialization in the web-based management interface.
Amazon says the campaign came into focus after researchers found a misconfigured Interlock staging server that exposed a large part of the group’s toolkit. That server gave AWS visibility into the attackers’ exploit flow, their Linux and Windows payloads, remote access tools, and parts of their evasion chain. AWS also said its own infrastructure and customer workloads were not involved in the campaign.
What happened in the Interlock campaign
According to AWS, the initial exploit activity targeted a specific HTTP path in vulnerable FMC software and included Java code execution attempts plus embedded URLs. One URL delivered configuration data for the exploit, while another confirmed successful compromise by making the target upload a generated file through an HTTP PUT request.
To push the investigation forward, AWS researchers simulated a compromised host by returning the expected PUT request and file content. That prompted the attackers to move to the next stage and send commands to fetch and execute a malicious ELF binary from a remote server. AWS says that same infrastructure hosted a broader Interlock toolkit arranged into separate paths for individual victims.
AWS attributes the operation to Interlock based on the recovered ELF binary, the ransom note, and the TOR negotiation portal, all of which matched the group’s known branding and operating pattern. The company says Interlock continues to target sectors where disruption creates pressure to pay, including education, engineering, construction, manufacturing, healthcare, and government.
Why CVE-2026-20131 is so serious
Cisco rates CVE-2026-20131 as Critical, and NVD shows a CVSS 3.1 base score of 10.0. The vulnerability requires no authentication and no user interaction, so any FMC whose web management interface an attacker can reach is at risk; NVD notes that exposure drops sharply when that interface is not reachable from the public internet.
The flaw exists because FMC accepted untrusted serialized Java data in a way that attackers could abuse. Cisco’s advisory describes the root cause as insecure deserialization of a user-supplied Java byte stream, which can lead to code execution as root on the device.
The attack did not stop at the firewall
AWS says Interlock used the Cisco exploit to get its foothold, then deployed a wider toolkit for persistence, reconnaissance, and remote control. Recovered artifacts included a PowerShell script for Windows environment enumeration, a JavaScript remote access trojan, a Java backdoor, a Bash script that turned Linux servers into reverse proxies with HAProxy, and a memory-resident Java webshell.
That mix matters because it shows Interlock did not treat the firewall as the final target. AWS describes a multi-stage intrusion path built to expand access, map victim environments, and maintain redundant control channels before the ransomware phase.
Cisco FMC zero-day at a glance
| Item | Details |
|---|---|
| CVE | CVE-2026-20131 |
| Product | Cisco Secure Firewall Management Center |
| Impact | Unauthenticated remote code execution as root |
| Root cause | Insecure deserialization |
| Severity | Critical |
| CVSS 3.1 | 10.0 |
| Public disclosure | March 4, 2026 |
| Reported exploitation start | January 26, 2026 |
| Threat actor | Interlock ransomware |
The timing matters as much as the vulnerability itself. AWS says the ransomware group used the bug for more than a month before disclosure, which gave it a meaningful window to compromise organizations before defenders had a patch or a public CVE to hunt against.
What defenders should do now
- Patch Cisco Secure Firewall Management Center immediately using Cisco’s fixed release guidance.
- Remove or tightly restrict public access to the FMC management interface wherever possible.
- Hunt for behavior tied to Interlock rather than relying only on file hashes, since AWS says the group customized artifacts per victim.
- Review systems for unusual HTTP PUT activity, unexpected ELF downloads, memory-resident Java components, and post-compromise reconnaissance behavior.
- Check AWS’s published indicators of compromise and map them against firewall, server, and proxy logs.
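The hunting guidance above maps to three observable stages of the chain the article describes: a serialized Java payload arriving at the FMC web interface, the appliance itself making an outbound HTTP PUT to confirm compromise, and the appliance then fetching an ELF binary from the same external infrastructure. The script below is an added example, not code from AWS, Cisco or this article, that tags those stages in a proxy-style log and reports whether a management host shows the full chain in order. Everything in it is constructed: the log format, the host names, the addresses, the URL paths and the hex content prefixes; the real exploit path is not published on this page. Detection keys on the Java serialized stream header (`AC ED 00 05`, or `rO0AB` once base64-encoded) and the ELF header rather than on file hashes, since AWS says artifacts were customized per victim.

```python
"""Heuristic hunt for the three-step pattern the article attributes to the
Interlock campaign: a serialized-Java request to the FMC web interface,
an outbound HTTP PUT from the appliance confirming compromise, then a
fetch of an ELF payload from external infrastructure.

Added example, not code from AWS, Cisco or the article. Everything below
is constructed: the log format, host names, addresses, URL paths and the
hex content prefixes. The real exploit path is not published here.
"""
import ipaddress
from dataclasses import dataclass

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # header of a Java serialized stream
JAVA_SERIAL_B64 = b"rO0AB"                # the same header once base64-encoded
ELF_MAGIC = b"\x7fELF"

# Constructed environment: the FMC address and the address space we own.
MGMT_ADDRS = {"10.0.0.5"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed log: "ts src dst method host path content_hex", where content_hex
# is the first bytes of the request body (POST/PUT) or response body (GET).
SAMPLE_LOG = """\
2026-01-26T02:59:00Z 10.0.0.9 10.0.0.5 GET fmc.example.internal /ui/ 3c68746d6c
2026-01-26T03:14:09Z 203.0.113.7 10.0.0.5 POST fmc.example.internal /ui/api aced00057372
2026-01-26T03:14:10Z 203.0.113.7 10.0.0.5 POST fmc.example.internal /ui/api 724f30414258
2026-01-26T03:14:12Z 10.0.0.5 198.51.100.23 PUT cb.example.net /upload/host-5 7b22686f7374
2026-01-26T03:15:40Z 10.0.0.5 198.51.100.23 GET cb.example.net /dl/agent 7f454c460201
2026-01-26T03:20:00Z 10.0.0.5 10.0.0.20 PUT backup.internal /fmc/backup 504b0304
"""

CHAIN = ("serialized-java-to-mgmt", "mgmt-put-to-external", "mgmt-elf-fetch")


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    method: str
    host: str
    path: str
    content: bytes


def parse_log(text):
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, host, path, content_hex = line.split()
        content = b"" if content_hex == "-" else bytes.fromhex(content_hex)
        events.append(Event(ts, src, dst, method.upper(), host, path, content))
    return events


def is_internal(ip):
    """True if the address falls inside a network we administer."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def looks_like_java_stream(content):
    """True if the bytes start with a raw or base64-encoded Java stream header."""
    return content.startswith(JAVA_SERIAL_MAGIC) or content.startswith(JAVA_SERIAL_B64)


def hunt(events, mgmt_addrs=MGMT_ADDRS):
    """Tag individual events that match one stage of the chain."""
    findings = []
    for e in events:
        # Stage 1: a serialized Java object posted at the management interface.
        if e.dst in mgmt_addrs and e.method in ("POST", "PUT") and looks_like_java_stream(e.content):
            findings.append({"ts": e.ts, "mgmt": e.dst, "tag": CHAIN[0],
                             "detail": f"{e.src} -> {e.path}",
                             "external_src": not is_internal(e.src)})
        # Stage 2: the appliance itself PUTs a file to an address we do not own.
        if e.src in mgmt_addrs and e.method == "PUT" and not is_internal(e.dst):
            findings.append({"ts": e.ts, "mgmt": e.src, "tag": CHAIN[1],
                             "detail": f"PUT {e.host}{e.path}"})
        # Stage 3: the appliance downloads an ELF binary from outside.
        if (e.src in mgmt_addrs and e.method == "GET" and not is_internal(e.dst)
                and e.content.startswith(ELF_MAGIC)):
            findings.append({"ts": e.ts, "mgmt": e.src, "tag": CHAIN[2],
                             "detail": f"GET {e.host}{e.path}"})
    return findings


def full_chains(findings):
    """Map each management address to whether all three stages appeared in order."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["mgmt"], []).append((f["ts"], f["tag"]))
    result = {}
    for host, items in by_host.items():
        pos = 0
        for _, tag in sorted(items):
            if tag == CHAIN[pos]:
                pos += 1
                if pos == len(CHAIN):
                    break
        result[host] = pos == len(CHAIN)
    return result


if __name__ == "__main__":
    found = hunt(parse_log(SAMPLE_LOG))
    for f in found:
        print(f["ts"], f["mgmt"], f["tag"], f["detail"])
    print(full_chains(found))
```

Internal address space is checked against an explicit list rather than Python's `is_private`, which also treats the documentation ranges used in the sample as private; in a real deployment, replace `INTERNAL_NETS` with your own ranges and feed the script from proxy or firewall logs that record the first bytes of request and response bodies. A single stage firing is a lead to triage; the full ordered chain on one management host is a strong signal that warrants isolating the appliance and preserving its memory before rebuilding.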
FAQ
What is CVE-2026-20131?
It is a critical remote code execution flaw in Cisco Secure Firewall Management Center. An unauthenticated attacker can send a crafted serialized Java object to the web interface and execute code as root.
Was it exploited before Cisco disclosed it?
Yes. AWS says it observed Interlock exploiting the bug from January 26, 2026, before Cisco disclosed it on March 4, 2026.
Were AWS systems or customers affected?
AWS says it did not observe its infrastructure or customer workloads on AWS involved in this campaign.
Why is hash-based detection unreliable here?
AWS says Interlock organized tooling in victim-specific paths and customized downloaded artifacts, which weakens simple signature-based detection. Behavioral signals and attack-chain correlations are more useful here.