VYPR
kev · Published Mar 23, 2026 · Updated May 18, 2026 · 1 source

CISA Orders Federal Agencies to Patch Critical Cisco Secure FMC RCE Flaw Exploited by Interlock Ransomware

CISA has mandated that all U.S. federal civilian agencies patch CVE-2026-20131, a maximum-severity remote code execution vulnerability in Cisco Secure Firewall Management Center that the Interlock ransomware group has been exploiting as a zero-day since January.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal civilian agencies to urgently patch a critical remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC). The flaw, tracked as CVE-2026-20131, carries a maximum CVSS score of 10 and has been actively exploited by the Interlock ransomware group since late January, according to a detailed analysis published by AWS.

The vulnerability resides in the web-based management interface of Cisco Secure Firewall Management Center (FMC), the centralized management console for Cisco's network security products. Cisco explained that the bug stems from insecure deserialization of user-supplied serialized Java byte streams. An unauthenticated, remote attacker can exploit it by sending a crafted serialized Java object to the web interface, achieving arbitrary code execution as root on the affected device.
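To make this class of bug concrete, the following is an added illustration, not Cisco's code and not the FMC component involved; the `ConfigRequest` type, the stand-in `UnexpectedPayload` class and the filter pattern are assumed for the example. It shows the generic Java pattern behind such flaws: an unfiltered `ObjectInputStream.readObject()` resolves and instantiates whatever class the incoming stream names, whereas an `ObjectInputFilter` (JEP 290, Java 9 and later) rejects any class other than the one expected before it is resolved, and additionally caps stream size and object-graph depth.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Illustrative only: a minimal management-style request type, unrelated to any
 * real Cisco FMC class. It is the only type the hardened reader accepts.
 */
public class DeserializationDemo {

    static final class ConfigRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String action;
        ConfigRequest(String action) { this.action = action; }
    }

    /** Constructed stand-in for "any other serializable class on the classpath". */
    static final class UnexpectedPayload implements Serializable {
        private static final long serialVersionUID = 1L;
        final String data = "not a ConfigRequest";
    }

    /** Serialize any object to bytes, exactly as a client of the interface would. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * Vulnerable pattern: readObject() resolves and instantiates whatever class the
     * stream names; a cast in the caller would fail only after the whole object
     * graph, and every class's deserialization logic, has already run.
     */
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /**
     * Hardened pattern: an allow-list filter (Java 9+, JEP 290). Only the expected
     * request class (and String, for its field) is permitted; "!*" rejects everything
     * else before the class is resolved. maxbytes/maxdepth bound the stream as well.
     */
    static ConfigRequest readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=5;maxbytes=4096;"
                + "DeserializationDemo$ConfigRequest;java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return (ConfigRequest) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new ConfigRequest("show-version"));
        byte[] bad = serialize(new UnexpectedPayload()); // constructed sample, not a real payload

        // Unfiltered: both streams are fully deserialized, whatever class they name.
        System.out.println("unfiltered good -> " + readUnfiltered(good).getClass().getSimpleName());
        System.out.println("unfiltered bad  -> " + readUnfiltered(bad).getClass().getSimpleName());

        // Filtered: the expected type passes; anything else is rejected before instantiation.
        System.out.println("filtered good   -> " + readFiltered(good).action);
        try {
            readFiltered(bad);
        } catch (InvalidClassException e) {
            System.out.println("filtered bad    -> rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo`. The rejection surfaces as an `InvalidClassException` whose message names the filter status, which is also a useful thing to log and alert on: a management interface that starts throwing filter rejections is receiving serialized objects it was never designed to accept. The same filter can be applied process-wide with the `jdk.serialFilter` system property rather than per stream.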

Cisco released a patch for CVE-2026-20131 on March 4, after the Interlock ransomware group had already been exploiting it as a zero-day since January 26. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on March 19, giving federal agencies just three days to apply the patch or discontinue use of the product. The unusually short timeline reflects the severity of the threat, and the KEV entry carries a warning that the CVE is known to be used in ransomware campaigns.

AWS published a comprehensive write-up of the Interlock campaign, detailing the group's post-exploitation activities. After gaining initial access via the FMC bug, the attackers deployed a PowerShell script for Windows environment enumeration and two custom remote access trojans (RATs), written in JavaScript and Java, for persistent control. They also installed a memory-resident backdoor that intercepts HTTP requests without writing anything to disk, in order to evade antivirus detection.

The attackers further fortified their foothold by installing the legitimate remote desktop tool ConnectWise ScreenConnect as a backup entry point. They used the open-source memory forensics framework Volatility to parse memory dumps and steal credentials stored in RAM, enabling lateral movement and deeper compromise. Additionally, they deployed the security tool Certify to identify and exploit misconfigurations in Active Directory Certificate Services (AD CS), allowing them to request authentication-capable certificates for user impersonation, privilege escalation, and persistent access.

Although the CISA mandate applies only to federal civilian agencies, the private sector is strongly encouraged to follow the same guidance as a best practice. AWS's write-up includes a long list of potential defensive actions, ranging from immediate patching and compromise identification to detection opportunities and longer-term defense-in-depth measures. Organizations using Cisco Secure FMC should prioritize applying the March 4 patch and review their environments for signs of compromise.

This incident underscores the growing trend of ransomware groups targeting network infrastructure appliances as initial access vectors. The Interlock group's sophisticated exploitation chain, combining a critical zero-day with custom malware and off-the-shelf tools, highlights the need for robust patch management, network segmentation, and continuous monitoring of administrative interfaces.

Synthesized by Vypr AI