Patch Critical Cisco Flaw by Sunday, CISA Orders

Summary
– CISA has ordered federal agencies to patch a critical vulnerability in Cisco’s firewall management software by March 22.
– The flaw allows an unauthenticated attacker to remotely execute code as root on affected devices via the web interface.
– Cisco and Amazon have confirmed the vulnerability is being actively exploited by the Interlock ransomware gang.
– The ransomware group used this as a zero-day for over a month before a patch was available and has targeted major organizations.
– While the deadline applies to federal agencies, all organizations are urged to apply the updates due to the active threat.
Federal agencies have been directed by the Cybersecurity and Infrastructure Security Agency to apply a critical security patch by this Sunday, March 22. The order addresses CVE-2026-20131, a maximum-severity flaw in Cisco Secure Firewall Management Center (FMC) software. Cisco initially warned administrators about the vulnerability on March 4, stressing that no temporary workarounds exist and urging immediate patching.
This centralized management platform controls essential security functions for Cisco appliances, including firewalls, intrusion prevention, and malware protection. The vulnerability resides in the web-based management interface. According to Cisco’s advisory, it could permit an unauthenticated, remote attacker to execute arbitrary Java code with root-level privileges on a compromised device. The root cause is insecure deserialization of a user-supplied Java byte stream, which attackers can trigger by sending a maliciously crafted serialized Java object to the interface.
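The advisory describes the vulnerability class in general terms: a Java web component hands an attacker-controlled byte stream to the standard deserialization machinery, which resolves and instantiates whatever class the stream names before application code can object. The following added example, which is not Cisco's code and has no connection to the FMC implementation, shows that class of defect next to the standard hardening: a JEP 290 `ObjectInputFilter` allowlist, applied where untrusted input is read. The `Greeting` and `Unexpected` classes, the serialized streams and the filter pattern are constructed for the illustration; `Unexpected` stands in for any type the service never intended to instantiate from client input.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added illustration of insecure Java deserialization and its mitigation.
// Not Cisco's code; all classes and data here are constructed for the example.
public class DeserializationFilterDemo {

    /** The only type the hypothetical service legitimately expects from a client. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /** Stands in for any class the server never meant to instantiate from input. */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final int value = 42;
    }

    /** Produces a serialized stream the way a client (or an attacker) would. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern: whatever class the stream names is resolved and instantiated. */
    static Object readUnfiltered(byte[] stream) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            return ois.readObject();
        }
    }

    /** Hardened pattern: a JEP 290 allowlist filter is consulted before any class is instantiated. */
    static Object readFiltered(byte[] stream) throws IOException, ClassNotFoundException {
        // Allow only Greeting and String; "!*" rejects every other class name.
        // maxdepth/maxbytes additionally bound object nesting and stream size.
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "maxdepth=4;maxbytes=4096;"
                + "DeserializationFilterDemo$Greeting;java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            ois.setObjectInputFilter(allowlist);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        byte[] unexpected = serialize(new Unexpected());

        // Unfiltered: both streams yield live objects; the second is the defect.
        System.out.println("unfiltered: " + readUnfiltered(expected).getClass().getSimpleName());
        System.out.println("unfiltered: " + readUnfiltered(unexpected).getClass().getSimpleName());

        // Filtered: the expected type is accepted; the unexpected one is rejected
        // by the filter before the class is resolved or any constructor logic runs.
        System.out.println("filtered:   " + readFiltered(expected).getClass().getSimpleName());
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo` on JDK 9 or later. The unfiltered reader instantiates both `Greeting` and `Unexpected`; the filtered reader returns the `Greeting` and throws `InvalidClassException` for the other stream. The design point is that the allowlist is enforced inside `ObjectInputStream`, so a rejected class is never loaded, which is why it is preferred over validating the object after `readObject()` returns. In practice the same filter can be installed process-wide through `ObjectInputFilter.Config.setSerialFilter` or the `jdk.serialFilter` system property, so a component that forgets to set its own filter still inherits the restriction.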
The urgency escalated significantly on March 18 when Cisco updated its bulletin to confirm active exploitation in the wild. Amazon threat intelligence researchers corroborated these attacks, identifying the Interlock ransomware gang as a primary threat actor. Their analysis indicates this group has been leveraging the flaw as a zero-day vulnerability since late January, over a month before Cisco released the patch.
The Interlock ransomware operation, active since late 2024, has already claimed several notable victims. These include healthcare provider DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul, Minnesota. Beyond exploiting this Cisco flaw, the group employs the ClickFix technique for initial access and deploys custom tools like remote access trojans alongside malware strains such as NodeSnake and Slopoly.
In response to the active ransomware campaigns, CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The agency’s binding directive gives Federal Civilian Executive Branch (FCEB) agencies a strict deadline to either apply the security updates or cease using the affected product entirely. While the Sunday deadline formally applies to entities under Binding Operational Directive 22-01, CISA strongly recommends that all private sector organizations, state and local governments, and other entities review their systems and take immediate action.
(Source: BleepingComputer)