Vulnerabilities · CRITICAL

CISCO FMC Vulnerability - Interlock Group Exploits Flaw Early

Security Affairs

Basically, hackers used a flaw in Cisco's software to take control of systems before the flaw was publicly known.

Quick Summary

The Interlock ransomware group exploited a critical Cisco FMC flaw before its disclosure. Affected organizations face severe risks, including unauthorized access and data theft. Immediate patching is essential to mitigate potential damage.

The Flaw

The Interlock ransomware group has been exploiting a critical zero-day vulnerability in Cisco Secure Firewall Management Center (FMC), tracked as CVE-2026-20131 and rated CVSS 10.0. The flaw is an insecure Java deserialization bug in the FMC web management interface: an attacker who can reach that interface sends a crafted serialized Java object, the server deserializes it, and the attacker's Java code runs as root. No authentication is required, so any remote attacker with network access to the interface can take over the device.

Cisco disclosed this vulnerability in early March 2026, but the Interlock group began their attacks on January 26, 2026, exploiting the flaw for 36 days before it was publicly known. During that head start there was no patch, no signature, and no indicator to look for, which gave the group ample opportunity to compromise organizations without detection.

What's at Risk

Organizations using Cisco FMC and Cisco Security Cloud Control (SCC) Firewall Management are at significant risk due to this vulnerability. The flaw allows attackers to gain root access, which can lead to severe consequences, including data theft, system disruption, and further exploitation of network resources. The Interlock group has targeted multiple sectors, including education, healthcare, and government, where disruption can lead to high ransom payments.

The activity was discovered through Amazon's honeypots, which revealed the extent of the attacks and the tools used by the Interlock group. Their operations include sophisticated multi-stage attacks and custom backdoors, making it crucial for affected organizations to act swiftly.

Patch Status

Cisco addressed the CVE-2026-20131 vulnerability in March 2026. Organizations are urged to apply the patches immediately to mitigate the risks associated with this critical flaw. The Indicators of Compromise (IoCs) shared by Amazon provide valuable insights into detecting potential compromises and should be reviewed thoroughly by security teams.

Failure to patch could leave organizations vulnerable to ongoing attacks, as the Interlock group continues to leverage this exploit to infiltrate networks and execute malicious activities.

Immediate Actions

Organizations using Cisco FMC should take immediate action to protect themselves from potential exploitation. Here are some recommended steps:

  • Apply the latest patches provided by Cisco to secure your systems.
  • Review the shared IoCs from Amazon to identify any signs of compromise.
  • Monitor network traffic for unusual activity, especially HTTP requests to the Cisco FMC web management interface from unexpected sources, and confirm that interface is not reachable from the internet.
  • Educate your staff about the risks associated with ransomware and the importance of cybersecurity hygiene.
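The crafted-object delivery described under The Flaw and the monitoring step above share one concrete observable: every Java serialization stream starts with the fixed header bytes 0xAC 0xED 0x00 0x05, which is "rO0AB" when base64-encoded. The following Python is an added example, not code from the Security Affairs article, Amazon, or Cisco. It scans HTTP request bodies for that header, whether sent raw, base64-encoded, or percent-encoded inside a form field, and reports the source address and path. The request records and endpoint paths in it are constructed and hypothetical; this page does not give FMC's real endpoints, so point it at request bodies pulled from your own FMC access logs or packet captures.

```python
"""Hunt HTTP request bodies for Java serialization streams.

Added example, not code from the Security Affairs article, Amazon, or Cisco.
The request records below are constructed and their paths are hypothetical;
they are not Cisco FMC's real endpoints.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import quote, unquote

# Every Java serialization stream starts with STREAM_MAGIC (0xACED) followed
# by STREAM_VERSION (0x0005); see java.io.ObjectStreamConstants.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"

# Base64 of those four bytes always begins "rO0AB" (the sixth character
# depends on the fifth byte of the stream), so match the stable prefix and
# then decode to confirm the magic rather than trusting the text alone.
B64_TOKEN = re.compile(r"rO0AB[A-Za-z0-9+/]*={0,2}")


@dataclass(frozen=True)
class HttpRequest:
    src_ip: str
    method: str
    path: str
    body: bytes


def _token_is_java_stream(token: str) -> bool:
    """Decode a base64 candidate and check it really starts with the magic."""
    stripped = token.rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        return base64.b64decode(padded).startswith(JAVA_SER_MAGIC)
    except (binascii.Error, ValueError):
        return False


def classify_body(body: bytes) -> Optional[str]:
    """Return 'raw' or 'base64' if the body carries a Java serialization
    stream, else None. Percent-encoding is undone first so a base64 payload
    inside a form field is still seen."""
    if JAVA_SER_MAGIC in body:
        return "raw"
    text = unquote(body.decode("latin-1"))
    if any(_token_is_java_stream(m.group(0)) for m in B64_TOKEN.finditer(text)):
        return "base64"
    return None


def scan_requests(requests: List[HttpRequest]) -> List[Tuple[str, str, str]]:
    """Return (src_ip, path, encoding) for every request carrying a stream."""
    findings = []
    for req in requests:
        encoding = classify_body(req.body)
        if encoding:
            findings.append((req.src_ip, req.path, encoding))
    return findings


# Constructed sample: the header followed by a few bytes of a fake object.
FAKE_STREAM = JAVA_SER_MAGIC + b"\x73\x72\x00\x0bhypothetical"
B64_STREAM = base64.b64encode(FAKE_STREAM).decode("ascii")

# Constructed requests; the paths are hypothetical, not FMC's real URLs.
SAMPLE_REQUESTS = [
    HttpRequest("203.0.113.7", "POST", "/login", b"username=admin&password=hunter2"),
    HttpRequest("198.51.100.9", "POST", "/hypothetical/endpoint", FAKE_STREAM),
    HttpRequest("198.51.100.9", "POST", "/hypothetical/endpoint",
                b"data=" + B64_STREAM.encode("ascii")),
    HttpRequest("192.0.2.44", "POST", "/hypothetical/endpoint",
                ("data=" + quote(B64_STREAM, safe="")).encode("ascii")),
    # Starts with the prefix but decodes to 0xACED0004, so it is not a stream.
    HttpRequest("192.0.2.10", "POST", "/hypothetical/endpoint", b"token=rO0ABCDEFG"),
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print("java-serialization-stream src=%s path=%s encoding=%s" % finding)
```

FMC is itself a Java application, so a hit is a lead to investigate against Amazon's IoCs, not proof of compromise on its own; what matters is the source address, the path, and whether the request arrived before the March patch was applied. The decode-and-verify step exists because the five-character prefix alone produces false positives on ordinary base64 data, as the last sample request shows.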

By taking these proactive measures, organizations can significantly reduce their risk of falling victim to the Interlock ransomware group and similar threats in the future.

🔒 Pro insight: The early exploitation of CVE-2026-20131 highlights the need for organizations to enhance their vulnerability management processes and threat detection capabilities.

Original article from

Security Affairs · Pierluigi Paganini


Related Pings

HIGH · Vulnerabilities

Microsoft SharePoint Vulnerability - Active Exploitation Alert

CISA has confirmed active exploitation of a critical SharePoint vulnerability, CVE-2026-20963. Affected organizations must patch their systems immediately to prevent unauthorized access and data breaches. Don't wait for an attack to happen; act now to secure your SharePoint servers.

Help Net Security

HIGH · Vulnerabilities

Vulnerabilities - CISA Urges Securing Microsoft Intune After Breach

CISA warns organizations to secure Microsoft Intune systems after a cyberattack wiped Stryker's devices. This breach highlights critical vulnerabilities. Companies must act now to protect their networks.

BleepingComputer

HIGH · Vulnerabilities

Microsoft SharePoint Vulnerability - Critical Flaw Exploited

A critical vulnerability in Microsoft SharePoint is now being exploited, posing serious risks to federal agencies and beyond. CISA urges immediate patching to prevent attacks. Don't wait—secure your systems now!

BleepingComputer

HIGH · Vulnerabilities

SharePoint Vulnerability - CISA Warns of Active Exploitation

CISA warns of attacks exploiting a critical SharePoint vulnerability, CVE-2026-20963. Organizations must act quickly to patch their systems to avoid exploitation. Stay vigilant and secure your data!

SecurityWeek

HIGH · Vulnerabilities

Cisco Firewall Zero-Day - Interlock Ransomware Exploitation Alert

A critical zero-day vulnerability in Cisco firewalls has been exploited by the Interlock ransomware group since January. Organizations must act quickly to apply patches and secure their systems. This ongoing threat underscores the importance of proactive cybersecurity measures.

Infosecurity Magazine

HIGH · Vulnerabilities

Vulnerabilities in IoT - Hacked Robot Vacuum Incident

A user tried to control his robot vacuum and ended up taking over 7,000 worldwide. This incident reveals serious security flaws in IoT devices. Users must be vigilant to protect their devices.

Schneier on Security