CVSS 10.0 Cybersecurity March 27, 2026

Cisco FMC CVE-2026-20131: Interlock Ransomware Achieves Root via CVSS 10.0 Java Deserialization

Interlock ransomware group has been silently exploiting an unauthenticated RCE flaw in Cisco Firepower Management Center since January 26 — only disclosed today. CVSS 10.0. Patch now.

Dillip Chowdary

Founder & AI Researcher • March 27, 2026 • 8 min read

Critical — Active Exploitation Confirmed

  • CVE: CVE-2026-20131 • CVSS: 10.0 (Critical)
  • Affected: Cisco Firepower Management Center (FMC) 7.2 – 7.4
  • Exploit type: Unauthenticated RCE as root via insecure Java deserialization
  • Exploited by: Interlock ransomware group — active since January 26, 2026
  • Disclosed: March 27, 2026 (60-day gap between exploitation start and disclosure)

What Is Cisco FMC and Why Does This Hurt So Much?

Cisco Firepower Management Center is the centralized management console for Cisco's enterprise firewall and IDS/IPS ecosystem. Organizations use it to manage access control policies, intrusion rules, and network visibility for thousands of Firepower appliances. Compromise of the FMC is a master-key scenario — an attacker with root on FMC can silently modify firewall rules, disable intrusion detection, and exfiltrate network telemetry across the entire managed environment.

The vulnerability exists in FMC's management web interface, which is intended to be accessible only from trusted management networks — but in practice, many deployments expose it to broader internal segments or, critically, to the internet. The Interlock group specifically targeted internet-facing FMC instances.

The Vulnerability: Java Deserialization at the Management Layer

CVE-2026-20131 is a Java insecure deserialization vulnerability in FMC's management API endpoint. Java deserialization flaws occur when an application deserializes untrusted data without validating its type or integrity — allowing an attacker to supply a crafted serialized object that triggers arbitrary code execution upon deserialization, before any authentication logic runs.

The attack path is straightforward: an unauthenticated HTTP POST carrying a malicious Java serialized payload, sent to the FMC management endpoint, yields OS command execution as root. No credentials, no bypass, one request. One consequence worth noting for defenders: a native Java serialization stream always begins with the magic bytes AC ED 00 05, so a payload of this kind is recognisable at the HTTP layer even when the application behind it does not inspect it.

Why Java Deserialization Is So Dangerous

Java deserialization attacks exploit the ObjectInputStream.readObject() path. Gadget chains in common Java libraries (Apache Commons Collections, Spring Framework, and others) let an attacker chain method calls that execute system commands during deserialization itself. The class has been well understood since 2015, when the Commons Collections gadget chains were published and affected products started receiving CVEs (CVE-2015-7450, the IBM WebSphere instance, is the best known), yet it keeps appearing in enterprise software that still accepts native Java serialization from the network. The standard fix is to stop accepting serialized objects from untrusted sources, or at minimum to install a strict allowlist ObjectInputFilter (JEP 290, available since Java 9 and backported to 8u121) so that only the expected classes can be resolved.

Cisco's FMC uses a Java-based management stack — making it susceptible to the same class of deserialization gadget attacks that have compromised WebLogic, JBoss, and Jenkins installations over the past decade.
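One practical use of the stream-header fact is an inline check on request bodies reaching a deserialization endpoint. The Python scanner below is an added example written for this article, not Cisco code and not anything from the advisory: it recognises the Java serialization magic, walks the TC_CLASSDESC markers to recover the class names a stream carries, and flags names that head well-known public gadget chains. The gadget list and the three sample bodies are constructed for the demo (the sample streams are shaped like serialization streams for the scanner's benefit only and are not working payloads); a production control would allowlist the classes the endpoint expects rather than denylist known gadgets.

```python
import re
import struct

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72

# Constructed denylist of class names that head well-known public gadget chains.
# A production control should allowlist expected classes instead (cf. JEP 290 filters).
GADGET_CLASS_HINTS = frozenset({
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections4.functors.InvokerTransformer",
    "org.apache.commons.beanutils.BeanComparator",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
})

# Fully-qualified Java class name; also used to reject random 0x72 ('r') bytes inside strings.
JAVA_CLASS_NAME = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")
VALID_CLASSDESC_FLAGS = 0x1F  # SC_WRITE_METHOD|SC_SERIALIZABLE|SC_EXTERNALIZABLE|SC_BLOCK_DATA|SC_ENUM


def extract_class_names(blob: bytes) -> list[str]:
    """Heuristically walk a serialization stream and return the names in its class descriptors.

    A TC_CLASSDESC is: 0x72, 2-byte big-endian UTF length, the class name, an 8-byte
    serialVersionUID, 1 flags byte, then the field count. The name shape and the flags
    byte are checked so that an 'r' inside an ordinary string is not taken for a descriptor.
    """
    names: list[str] = []
    i = 0
    while (i := blob.find(bytes([TC_CLASSDESC]), i)) != -1:
        if i + 3 > len(blob):
            break
        (length,) = struct.unpack(">H", blob[i + 1:i + 3])
        name = blob[i + 3:i + 3 + length]
        flags_at = i + 3 + length + 8
        if (0 < length <= 512 and len(name) == length and JAVA_CLASS_NAME.match(name)
                and flags_at < len(blob) and (blob[flags_at] & ~VALID_CLASSDESC_FLAGS) == 0):
            names.append(name.decode("ascii"))
            i = flags_at + 1
        else:
            i += 1
    return names


def assess_request_body(body: bytes) -> dict:
    """Classify a request body for a deserialization endpoint: pass / review / block."""
    is_stream = body.startswith(JAVA_STREAM_MAGIC)
    classes = extract_class_names(body) if is_stream else []
    hits = [c for c in classes if c in GADGET_CLASS_HINTS]
    verdict = "block" if hits else ("review" if is_stream else "pass")
    return {"java_stream": is_stream, "classes": classes, "gadget_hits": hits, "verdict": verdict}


def _classdesc(name: bytes, flags: int = 0x02) -> bytes:
    """Build a minimal TC_CLASSDESC (constructed: zero serialVersionUID, no fields)."""
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name
            + b"\x00" * 8 + bytes([flags]) + b"\x00\x00")


# Constructed sample bodies: shaped like serialization streams for the scanner's benefit only;
# they are not complete objects and not working gadget payloads.
SAMPLE_BENIGN = JAVA_STREAM_MAGIC + bytes([TC_OBJECT]) + _classdesc(b"java.util.HashMap")
SAMPLE_GADGET = (SAMPLE_BENIGN + bytes([TC_OBJECT])
                 + _classdesc(b"org.apache.commons.collections.functors.InvokerTransformer"))
SAMPLE_JSON = b'{"rule": "permit-any", "reorder": true}'

if __name__ == "__main__":
    for label, body in (("benign", SAMPLE_BENIGN), ("gadget", SAMPLE_GADGET), ("json", SAMPLE_JSON)):
        print(label, assess_request_body(body))
```

Anything that is a Java stream but carries no known gadget still lands in "review": an unauthenticated management endpoint has no business receiving serialized objects at all, so the stream header alone is worth an alert even when the class list looks innocent.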

Interlock's Attack Chain

The Interlock ransomware group — active since September 2024 — has evolved from targeting Windows and FreeBSD servers to pursuing high-value network infrastructure. Their exploitation of CVE-2026-20131 follows a precise kill chain:

  • Stage 1 — Initial Access: Automated internet scanning identifies exposed FMC management interfaces (default port 443, path fingerprinting via SSL certificate CN). Malicious deserialization payload delivered via single POST request.
  • Stage 2 — Root Persistence: Webshell dropped under FMC's web root; SSH key injected into /root/.ssh/authorized_keys. Persistence survives FMC UI restarts.
  • Stage 3 — Policy Manipulation: Firewall access control rules silently modified to permit lateral movement traffic. Intrusion prevention signatures selectively disabled for attacker-controlled IP ranges.
  • Stage 4 — Credential Harvesting: FMC database queried for managed device credentials, VPN configs, and LDAP/AD integration settings — providing a high-value credential dump for further pivoting.
  • Stage 5 — Ransomware Deployment: Interlock encryptor deployed to downstream managed Firepower appliances and connected network segments via the now-open policy rules.

The 60-day gap between Interlock's first exploitation (January 26) and today's public disclosure allowed the group to compromise an estimated several dozen enterprise networks before defenders had any vendor-confirmed indicator. Cisco's disclosure today coincides with the release of fixed software.

Remediation: What to Do Right Now

Cisco has released patches addressing CVE-2026-20131 in FMC software versions 7.2.9, 7.3.5, and 7.4.2. There is no workaround — patching is the only remediation. For organizations that cannot patch immediately, the following mitigations reduce (but do not eliminate) exposure:

Immediate Action Checklist

  • Patch FMC to 7.2.9 / 7.3.5 / 7.4.2 — download from Cisco Software Center, schedule maintenance window today.
  • Restrict FMC management access — ensure the management interface is only reachable from your dedicated management VLAN/jump host, not from general internal networks or internet.
  • Audit SSH authorized_keys on FMC — check /root/.ssh/authorized_keys and /home/admin/.ssh/authorized_keys for unexpected entries.
  • Review FMC logs — check the web server access logs for POST requests to the management API from unexpected sources, and the FMC audit log for unexpected policy changes or new admin accounts, going back to January 26.
  • Validate access control policies — compare current firewall rules against your last known-good baseline to detect silent rule modifications.
  • Rotate FMC admin credentials and API tokens — assume credentials stored in FMC are compromised if your instance was exposed.
```text
# Check the running FMC version (FMC CLI)
show version

# Verify patch level after upgrade
show software

# Audit SSH keys: drop to the expert shell first ('expert'); /root needs sudo
cat /root/.ssh/authorized_keys
cat /home/admin/.ssh/authorized_keys

# Check for unexpected admin accounts
show user
```
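Eyeballing authorized_keys on a handful of appliances works once; across a fleet you want the check scripted and compared against what should be there. The Python below is an added example for this checklist, not a Cisco tool: it parses authorized_keys entries (options, key type, blob, comment), computes the same SHA256 fingerprint that ssh-keygen -lf prints, and reports any key that is not in an out-of-band allowlist or lacks a from= source restriction. The sample file, the key blobs and the allowlist are constructed for the demo (the blobs are wire-format shaped but contain no real key material).

```python
import base64
import hashlib
import struct
from dataclasses import dataclass

# Key types OpenSSH accepts in authorized_keys; used to locate the key-type token after any options.
KEY_TYPES = frozenset({
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
})


@dataclass
class AuthorizedKey:
    line_no: int
    options: str
    key_type: str
    fingerprint: str
    comment: str


def fingerprint(blob_b64: str) -> str:
    """Same value `ssh-keygen -lf` prints: SHA256 of the wire-format blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[AuthorizedKey]:
    """Parse authorized_keys lines into (options, type, fingerprint, comment).

    Options precede the key type (e.g. from="10.20.0.5",command="/bin/true"). Splitting on
    whitespace covers the common case; a command= option containing spaces would need a
    quote-aware tokenizer.
    """
    keys = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        type_idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if type_idx is None or type_idx + 1 >= len(fields):
            keys.append(AuthorizedKey(line_no, "", "unparseable", "", line))
            continue
        options = " ".join(fields[:type_idx])
        comment = " ".join(fields[type_idx + 2:])
        keys.append(AuthorizedKey(line_no, options, fields[type_idx],
                                  fingerprint(fields[type_idx + 1]), comment))
    return keys


def audit_authorized_keys(text: str, allowed_fingerprints: set[str]) -> list[dict]:
    """One finding per key that is not allowlisted or lacks a from= source restriction."""
    findings = []
    for key in parse_authorized_keys(text):
        reasons = []
        if key.fingerprint not in allowed_fingerprints:
            reasons.append("fingerprint not in allowlist")
        if "from=" not in key.options:
            reasons.append("no from= source restriction")
        if reasons:
            findings.append({"line": key.line_no, "type": key.key_type, "comment": key.comment,
                             "fingerprint": key.fingerprint, "reasons": reasons})
    return findings


def _ed25519_blob(label: bytes) -> str:
    """Constructed ssh-ed25519 public key blob in OpenSSH wire format; not real key material."""
    fake_pub = hashlib.sha256(label).digest()          # any 32 bytes stand in for the public key
    wire = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + fake_pub
    return base64.b64encode(wire).decode()


GOOD_BLOB = _ed25519_blob(b"jumphost")   # constructed
ROGUE_BLOB = _ed25519_blob(b"attacker")  # constructed

# Constructed sample of /root/.ssh/authorized_keys after an injection like the one in Stage 2.
SAMPLE_AUTHORIZED_KEYS = f"""# managed by config management
from="10.20.0.5" ssh-ed25519 {GOOD_BLOB} admin@jumphost
ssh-ed25519 {ROGUE_BLOB} root@kali
"""

# The allowlist normally lives out of band (e.g. in the config-management repo);
# for the demo it is derived from the one key that is supposed to be there.
ALLOWED_FINGERPRINTS = {fingerprint(GOOD_BLOB)}

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS):
        print(finding)
```

Keep the allowlist somewhere the appliance cannot write to; an attacker with root on the box can edit a local allowlist as easily as the key file itself.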

Related: Cisco SD-WAN CVE-2026-20127 (CVSS 10.0) Also in CISA KEV

Cisco disclosed a second CVSS 10.0 flaw today — CVE-2026-20127 in Cisco SD-WAN vManage and SD-WAN Manager. This vulnerability allows unauthenticated remote attackers to gain administrator-level access via an authentication bypass in the web management interface. It has been exploited in the wild since at least 2023 and was added to CISA's Known Exploited Vulnerabilities catalog today, triggering a mandatory federal patch deadline.

  • Affected: Cisco SD-WAN vManage 20.6–20.12, SD-WAN Manager 20.13–20.15
  • Impact: Unauthenticated admin access — full control of SD-WAN fabric, routing policy manipulation, credential exposure
  • Patch: SD-WAN Manager 20.12.5, 20.15.2 — apply immediately alongside FMC patches
  • CISA mandate: Federal agencies required to patch within 3 weeks per KEV binding operational directive

Key Takeaways for Security Engineers

  • Network management planes are high-value targets. FMC, vManage, and similar orchestration consoles should never be internet-accessible. Place them behind a dedicated OOB management network with MFA-gated jump access.
  • Java deserialization is still a live threat class in 2026. Any Java application accepting serialized objects from external sources without strict type validation is potentially vulnerable. Audit your Java-based management software.
  • 60-day exploitation-before-disclosure gaps are increasingly common. Assume your perimeter management tools are targeted. Implement integrity monitoring on critical system paths (authorized_keys, cron, sudoers) as a detection control.
  • Policy-baseline diffing is underutilized. Regular automated comparison of firewall rule sets against a signed baseline would have detected Interlock's silent policy modifications within hours, not after ransomware detonation.
  • Patch Tuesday cadence is insufficient for CVSS 10.0 vulnerabilities. CVE-2026-20131 warrants the emergency change path: an expedited approval today rather than the next scheduled change advisory board.
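The policy-baseline diffing point above is simple enough to implement in an afternoon. The Python below is an added example for this article, not an FMC feature and not Cisco code: it stores a baseline rule set together with an HMAC over its canonical encoding, refuses to compare against a baseline whose MAC does not verify, diffs the current export against it, and flags exactly the Stage 3 pattern (a BLOCK flipped to ALLOW, IPS inspection switched off, a new permit rule). The rule schema, the demo key and both rule sets are constructed for the example; real input would come from your FMC policy export, and the key would live in a secret store the FMC cannot reach.

```python
import hashlib
import hmac
import json

# Constructed demo key; in practice this comes from a KMS/secret store that FMC cannot reach.
BASELINE_KEY = b"constructed-demo-key-rotate-me"

# Constructed simplified view of an access-control policy: one dict per rule.
BASELINE_RULES = [
    {"name": "mgmt-to-fmc", "src": "10.20.0.0/24", "dst": "10.10.0.5/32", "port": "443", "action": "ALLOW", "ips": True},
    {"name": "block-rfc1918-egress", "src": "10.0.0.0/8", "dst": "any", "port": "any", "action": "BLOCK", "ips": False},
    {"name": "user-web", "src": "10.30.0.0/16", "dst": "any", "port": "443", "action": "ALLOW", "ips": True},
]

# Constructed "current" export: one rule flipped to ALLOW, IPS off on another, plus a new permit rule.
CURRENT_RULES = [
    BASELINE_RULES[0],
    {**BASELINE_RULES[1], "action": "ALLOW"},
    {**BASELINE_RULES[2], "ips": False},
    {"name": "tmp-any", "src": "203.0.113.0/24", "dst": "any", "port": "any", "action": "ALLOW", "ips": False},
]


def canonical(rules: list[dict]) -> bytes:
    """Deterministic encoding so the MAC does not depend on rule order or key order."""
    return json.dumps(sorted(rules, key=lambda r: r["name"]), sort_keys=True,
                      separators=(",", ":")).encode()


def sign_baseline(rules: list[dict], key: bytes) -> dict:
    """Store the rules with an HMAC-SHA256 over their canonical form."""
    return {"rules": rules, "mac": hmac.new(key, canonical(rules), hashlib.sha256).hexdigest()}


def verify_baseline(signed: dict, key: bytes) -> bool:
    expected = hmac.new(key, canonical(signed["rules"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["mac"])


def diff_rules(baseline: list[dict], current: list[dict]) -> dict:
    """Added / removed rule names, and per-rule (old, new) deltas for rules present in both."""
    b = {r["name"]: r for r in baseline}
    c = {r["name"]: r for r in current}
    changed = {}
    for name in sorted(b.keys() & c.keys()):
        delta = {k: (b[name].get(k), c[name].get(k))
                 for k in sorted(b[name].keys() | c[name].keys())
                 if b[name].get(k) != c[name].get(k)}
        if delta:
            changed[name] = delta
    return {"added": sorted(c.keys() - b.keys()), "removed": sorted(b.keys() - c.keys()),
            "changed": changed}


def risky_changes(diff: dict, current: list[dict]) -> list[str]:
    """Flag changes that widen the allow surface or turn inspection off."""
    c = {r["name"]: r for r in current}
    flags = [f"{n}: new {c[n]['action']} rule" for n in diff["added"] if c[n]["action"] == "ALLOW"]
    for name, delta in diff["changed"].items():
        if delta.get("action") == ("BLOCK", "ALLOW"):
            flags.append(f"{name}: BLOCK -> ALLOW")
        if delta.get("ips") == (True, False):
            flags.append(f"{name}: IPS inspection disabled")
    return flags


def check_policy(signed_baseline: dict, current: list[dict], key: bytes) -> tuple[dict, list[str]]:
    """Verify the baseline first; a baseline that fails its MAC must not be used as a reference."""
    if not verify_baseline(signed_baseline, key):
        raise ValueError("baseline MAC invalid: the baseline itself may have been tampered with")
    diff = diff_rules(signed_baseline["rules"], current)
    return diff, risky_changes(diff, current)


if __name__ == "__main__":
    signed = sign_baseline(BASELINE_RULES, BASELINE_KEY)
    diff, flags = check_policy(signed, CURRENT_RULES, BASELINE_KEY)
    print(json.dumps(diff, indent=2))
    for flag in flags:
        print("RISK:", flag)
```

Run it from a scheduled job on a host other than the FMC, pulling a fresh policy export each time; re-sign the baseline only through the same change process that approves rule edits, so a silent modification has nowhere to hide.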

Full technical analysis and IOCs: The Hacker News →

Official Cisco Security Advisory →
