What happened
The Interlock ransomware group exploited a critical zero-day vulnerability in Cisco Secure Firewall Management Center (FMC) software in attacks beginning January 26, 2026, more than a month before the flaw was publicly disclosed and patched. The vulnerability, tracked as CVE-2026-20131, is a maximum-severity remote code execution issue that allows unauthenticated attackers to execute arbitrary Java code as root on affected systems. Researchers from Amazon Threat Intelligence discovered the early exploitation through honeypot data, revealing that attackers used crafted HTTP requests to trigger code execution, followed by downloading additional payloads from attacker-controlled infrastructure. Cisco released a patch on March 4, 2026, but by that time attackers had already used the flaw to compromise enterprise firewall management systems in real-world attacks.
Who is affected
Organizations running unpatched versions of Cisco Secure Firewall Management Center are affected, particularly enterprise environments where the FMC web management interface is reachable from the internet or from networks an attacker can already access.
Why CISOs should care
The incident highlights how ransomware groups are exploiting critical vulnerabilities in network security infrastructure itself. FMC is the system that defines and pushes policy to the firewalls it manages, so root on the management server gives an attacker privileged access to the controls that govern and monitor the enterprise network, not just to one host.
3 practical actions
- Apply Cisco security patches immediately. Update affected FMC systems to the fixed release that remediates CVE-2026-20131, and treat any system that was exposed before patching as potentially compromised rather than assuming the patch closed the door.
- Restrict access to firewall management interfaces. Reach FMC only from trusted management networks (jump hosts, VPN, or an out-of-band network); it should never be directly reachable from the internet.
- Monitor for exploitation indicators. Review FMC web-server logs for HTTP requests from sources outside your management networks, requests from scripted clients, and bursts of requests, and check for unexpected outbound connections from the FMC host that could be payload downloads.
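As an added example of the log review the last two actions describe (this code is not from the original article, Cisco, or Amazon Threat Intelligence), the script below triages HTTP access-log lines from a management interface against a site-specific allowlist. Everything site-specific is an assumption: the log format is Apache/NGINX "combined" (verify against your FMC's actual web-server logs), the networks in TRUSTED_MGMT_NETS are placeholders, the burst threshold is a tuning knob, and the sample lines are constructed, not captured from a real attack.

```python
"""Triage HTTP access-log lines from a firewall management interface.

Added example (not from the original article, Cisco, or Amazon Threat
Intelligence). Assumptions: the log uses the Apache/NGINX "combined"
format, TRUSTED_MGMT_NETS lists your real management networks, and the
thresholds are starting points to tune, not published indicators.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Combined log format (assumption: check that your FMC's logs match it).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical trusted management networks; replace with your own.
TRUSTED_MGMT_NETS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]
BURST_THRESHOLD = 3             # requests from one source ...
BURST_WINDOW = timedelta(seconds=60)  # ... inside this window


@dataclass(frozen=True)
class Finding:
    src: str
    reason: str
    line: str


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_trusted(src: str, nets=TRUSTED_MGMT_NETS) -> bool:
    """True if the source address falls inside an allowlisted management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def triage(lines, nets=TRUSTED_MGMT_NETS):
    """Flag lines worth an analyst's attention; returns a list of Finding."""
    findings = []
    recent = defaultdict(list)   # src -> request times inside the burst window
    burst_reported = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(Finding("?", "unparseable line (format mismatch or tampering)", line))
            continue
        src = rec["src"]
        # 1. Management interface reached from outside the trusted networks.
        if not is_trusted(src, nets):
            findings.append(Finding(src, "request from outside trusted management networks", line))
        # 2. State-changing request sent by a non-browser client (heuristic).
        if rec["method"] in ("POST", "PUT", "PATCH") and not rec["ua"].startswith("Mozilla/"):
            findings.append(Finding(src, f"{rec['method']} from scripted client {rec['ua']!r}", line))
        # 3. Burst of requests from one source (automated probing or exploitation).
        window = [t for t in recent[src] if rec["time"] - t <= BURST_WINDOW] + [rec["time"]]
        recent[src] = window
        if len(window) >= BURST_THRESHOLD and src not in burst_reported:
            burst_reported.add(src)
            findings.append(Finding(src, f"{len(window)} requests within {BURST_WINDOW.seconds}s", line))
    return findings


# Constructed sample lines (not real FMC logs; paths are placeholders).
SAMPLE_LINES = [
    '10.20.0.5 - - [26/Jan/2026:03:14:15 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [26/Jan/2026:03:20:01 +0000] "POST /placeholder HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '203.0.113.7 - - [26/Jan/2026:03:20:02 +0000] "POST /placeholder HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [26/Jan/2026:03:20:03 +0000] "GET /placeholder2 HTTP/1.1" 200 44 "-" "curl/8.4.0"',
    "this line is not an access-log entry",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.src:15} {f.reason}")
```

Run it against your own exported logs by replacing SAMPLE_LINES with the file contents. The allowlist check is the one that matters most: a management interface that only ever sees trusted sources should produce zero findings from rule 1, and any hit there is worth a ticket regardless of what the request looked like. The scripted-client and burst rules are heuristics to surface candidates for a closer look, not proof of exploitation.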
