Cisco FMC Flaw Exploited Before Patch (CVE-2026-20131)

▼ Summary
– A critical vulnerability (CVE-2026-20131) in Cisco’s Secure Firewall Management Center was exploited as a zero-day by the Interlock ransomware gang before its public disclosure.
– The flaw allows an unauthenticated remote attacker to execute arbitrary code as root by sending a crafted serialized Java object to the device’s web-based management interface.
– Amazon’s threat intelligence found the gang was exploiting the vulnerability 36 days prior to disclosure, using specific HTTP requests to deliver and confirm exploits.
– Researchers analyzing the attack uncovered Interlock’s toolkit, including scripts for reconnaissance, remote access trojans, and tools to anonymize traffic and erase traces.
– This incident highlights the challenge of zero-day exploits and underscores the necessity of defense-in-depth security strategies alongside rapid patching.
A critical vulnerability in Cisco’s Secure Firewall Management Center was actively exploited by ransomware operators for over a month before a patch was available. According to Amazon’s CISO, CJ Moses, the Interlock ransomware gang leveraged CVE-2026-20131 as a zero-day exploit starting January 26, 2026, a full 36 days before Cisco publicly disclosed and fixed the flaw in early March. This discovery was made using Amazon’s MadPot honeypot system, which detected the malicious activity.
The vulnerability resides in the FMC web-based management interface and is caused by insecure deserialization of user-supplied Java objects: the interface reconstructs objects from data it receives without verifying that the data is trustworthy. An unauthenticated, remote attacker can exploit this by sending a specially crafted serialized Java object to a vulnerable device, leading to arbitrary code execution and, because of the privileges the affected service runs with, root access on the appliance. Cisco had found the issue during internal security testing, but threat actors had independently discovered and weaponized it before the fix shipped.
Amazon’s threat intelligence observed HTTP requests to a specific path on the FMC software that carried Java deserialization payloads. These requests included embedded URLs: one fetched configuration data needed by the exploit, while another served as a success signal, causing the compromised device to issue an HTTP PUT request that uploaded a file to the attackers’ server. By emulating a successful compromise, AWS researchers induced the actors to push a malicious Linux executable from a server under their control. Analysis of that server showed it was a centralized hub for the gang’s tooling, organized per victim, used both to distribute malware and to receive exfiltrated data.
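The detection logic that Amazon’s observations suggest, written here as an added example (not code from the article, Amazon, or Cisco): it scans constructed reverse-proxy and egress log lines for request bodies that begin with a Java serialization stream header (raw, hex, or base64, since 0xACED0005 always base64-encodes to a string starting with "rO0AB"), extracts URLs embedded in such bodies, and raises an alert when the management host subsequently issues an outbound HTTP PUT to one of those hosts within a short window, the pattern the article describes as the exploit’s own success confirmation. The JSON-lines log format, the management interface address, the request path, and all IP addresses are assumed placeholders; the real exploited path is not named here.

```python
"""Detect Java-deserialization exploitation attempts against a management
interface and correlate them with the exploit's outbound PUT confirmation.
Example code with constructed logs; not the article's, Amazon's or Cisco's code."""
from __future__ import annotations

import base64
import json
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# A Java serialization stream starts with 0xACED0005; attackers may send it
# raw, hex-encoded, or base64-encoded (base64 of that header begins "rO0AB").
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
JAVA_STREAM_HEX = b"aced0005"
JAVA_STREAM_B64 = b"rO0AB"
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+", re.IGNORECASE)
MGMT_HOST = "10.0.0.5"  # assumed internal address of the management interface


def looks_like_java_stream(body: bytes) -> bool:
    """True if the body starts with a Java serialization header in any encoding."""
    head = body.lstrip()[:16]
    return (head.startswith(JAVA_STREAM_MAGIC)
            or head.lower().startswith(JAVA_STREAM_HEX)
            or head.startswith(JAVA_STREAM_B64))


def embedded_hosts(body: bytes) -> set[str]:
    """Hosts of URLs embedded in a request body: candidate attacker callbacks."""
    text = body.decode("latin-1")
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    return {h for h in hosts if h}


def scan_inbound(lines: list[str]) -> list[dict]:
    """Flag requests whose body carries a Java serialization stream and record
    the hosts of any URLs embedded in it for later egress correlation."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        body = base64.b64decode(rec.get("body_b64", ""))
        if not looks_like_java_stream(body):
            continue
        findings.append({"ts": rec["ts"], "src": rec["src"], "method": rec["method"],
                         "path": rec["path"], "hosts": embedded_hosts(body)})
    return findings


def correlate_egress(findings: list[dict], egress_lines: list[str],
                     window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Pair each finding with an outbound PUT from the management host to one of
    the embedded hosts inside the window (the exploit's success confirmation)."""
    egress = [json.loads(l) for l in egress_lines]
    alerts = []
    for f in findings:
        t0 = datetime.fromisoformat(f["ts"])
        for e in egress:
            t1 = datetime.fromisoformat(e["ts"])
            if (e["src"] == MGMT_HOST and e["method"] == "PUT"
                    and e["dst"] in f["hosts"] and t0 <= t1 <= t0 + window):
                alerts.append({"attacker": f["src"], "callback": e["dst"],
                               "exploit_ts": f["ts"], "confirm_ts": e["ts"]})
    return alerts


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


# Constructed sample logs: placeholder path and documentation-range addresses.
INBOUND_LOG = [
    json.dumps({"ts": "2026-01-26T03:14:05", "src": "203.0.113.9", "method": "POST",
                "path": "/placeholder/path", "body_b64": _b64(
                    JAVA_STREAM_MAGIC + b"\x73\x72\x00\x11java.util.HashMap"
                    + b" http://198.51.100.7/cfg.json http://198.51.100.7/put ")}),
    json.dumps({"ts": "2026-01-26T03:15:00", "src": "192.0.2.44", "method": "GET",
                "path": "/login", "body_b64": _b64(b"")}),
    json.dumps({"ts": "2026-01-26T03:16:30", "src": "192.0.2.45", "method": "POST",
                "path": "/api/search", "body_b64": _b64(b'{"q":"rO0AB not at start"}')}),
]
EGRESS_LOG = [
    json.dumps({"ts": "2026-01-26T03:14:09", "src": MGMT_HOST, "dst": "198.51.100.7",
                "method": "PUT", "path": "/put/result.bin"}),
    json.dumps({"ts": "2026-01-26T03:20:00", "src": MGMT_HOST, "dst": "10.0.0.20",
                "method": "GET", "path": "/updates"}),
]


def run() -> list[dict]:
    """Full pipeline over the constructed logs; returns the correlated alerts."""
    return correlate_egress(scan_inbound(INBOUND_LOG), EGRESS_LOG)


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

The header check alone is a useful hunt query on any proxy or WAF that captures bodies; the egress correlation is what separates a probe from a confirmed compromise, and it only works if the management host's outbound traffic is logged, which is one concrete reason to keep such interfaces off the public internet and behind an egress filter.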
The investigation uncovered a suite of tools linking the activity to the Interlock group. These included a PowerShell script for network reconnaissance on Windows hosts, a JavaScript remote access trojan with self-update capabilities, and a Java implant for establishing redundant command-and-control channels. The attackers also used a Bash script to turn compromised Linux servers into anonymizing relay points and employed a memory-resident webshell alongside a lightweight network beacon. To support their operations, the group leveraged legitimate tools: ConnectWise ScreenConnect for remote access, Volatility for memory analysis, and Certify for finding and abusing misconfigured Active Directory Certificate Services.
This incident underscores the severe risk posed by zero-day vulnerabilities that are exploited before a patch is released. Moses emphasized that while rapid patching is a cornerstone of security, it cannot protect organizations during the window between initial exploit and patch availability. This reality makes a defense-in-depth strategy with layered security controls critically important to provide resilience when any single control fails.
Cisco has updated its advisory to confirm active exploitation of CVE-2026-20131. The company notes that restricting public internet access to the FMC management interface significantly reduces the attack surface. The US Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal civilian agencies remediate the vulnerability by March 22, 2026. This is the third Cisco zero-day exploited since the beginning of the year, following incidents involving flaws in the Cisco Catalyst SD-WAN Controller and in several unified communications and email security products.
(Source: Help Net Security)