Interlock Cisco Secure Firewall Management Center zero-day exploitation wave
Exploitation Wave
Summary
A zero-day exploitation wave tied to Interlock has been hitting Cisco Secure Firewall Management Center (FMC), putting enterprise firewalls at risk before patching. Cisco's CVE-2026-20131 fix on March 4 addressed a flaw that could let unauthenticated attackers run arbitrary Java code as root on unpatched devices. Amazon said the abuse began on January 26, 2026, giving attackers a head start before public disclosure.
Cases
Related Happenings
Cisco Catalyst SD-WAN authentication bypass flaw actively exploited (CVE-2026-20182)
Vulnerability
First: 14.05.2026 23:09
Last: 14.05.2026 23:09
Sources 1
About this happening:
**CVE-2026-20182** is an actively exploited **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager**, creating a path to **administr...
Latest development: 14.05.2026 23:25
Cisco released a patch for CVE-2026-20182, giving organizations using Cisco Catalyst SD-WAN Controllers a way to block the authentication bypass before UAT-8616 can continue using it for administrative access, SSH key insertion, NETCONF changes, and root escalation.
CISA KEV listing and FCEB firewall directive for CVE-2026-0300
Public Sector Action
First: 07.05.2026 13:57
Last: 07.05.2026 13:57
Sources 1
About this happening:
**CISA** added **CVE-2026-0300** to the **KEV Catalog** and ordered **FCEB agencies** to secure vulnerable firewalls by **May 9, 2026**. The federal directive makes the exploited...
Cisco security patch release for CVE-2026-20188
Security Patch Release
First: 06.05.2026 21:06
Last: 06.05.2026 21:06
Sources 1
About this happening:
**Cisco** released security updates for **CVE-2026-20188**, a high-severity **DoS vulnerability** in **Crosswork Network Controller (CNC)** and **Network Services Orchestrator (NS...
Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)
Vulnerability
First: 24.04.2026 20:06
Last: 24.04.2026 20:06
Sources 1
About this happening:
**Cisco ASA/FTD** vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** are still under **active exploitation** and can be chained for **unauthenticated remote control** of af...
Cisco Catalyst SD-WAN Manager information disclosure vulnerability (CVE-2026-20133)
Vulnerability
First: 21.04.2026 15:30
Last: 21.04.2026 15:30
Sources 1
About this happening:
CISA moved **CVE-2026-20133** in **Cisco Catalyst SD-WAN Manager** into its **KEV Catalog**, signaling **active exploitation** against **unpatched devices** and forcing **FCEB age...
Timeline
18.03.2026 18:53 2 articles · 2mo ago
Interlock exploits Cisco Secure Firewall Management Center zero-day
Exploitation Observed
Interlock ransomware gang exploited CVE-2026-20131 in Cisco Secure Firewall Management Center (FMC) as a zero-day beginning January 26, 2026, targeting enterprise firewalls and enabling unauthenticated remote Java code execution as root on unpatched devices through a crafted serialized Java object sent to the web-based management interface.
Sources:
- Ransomware gang exploits Cisco flaw in zero-day attacks since January — www.bleepingcomputer.com — 18.03.2026 18:53
- CISA orders feds to patch max-severity Cisco flaw by Sunday — www.bleepingcomputer.com — 20.03.2026 17:09
18.03.2026 18:53 2 articles · 2mo ago
Cisco patches CVE-2026-20131 in Secure Firewall Management Center
Mitigation Patch Update
Cisco patched CVE-2026-20131 in Cisco Secure Firewall Management Center (FMC) on March 4, 2026, warning that the insecure deserialization flaw in a user-supplied Java byte stream could let unauthenticated attackers execute arbitrary Java code as root on unpatched devices.
Sources:
- Ransomware gang exploits Cisco flaw in zero-day attacks since January — www.bleepingcomputer.com — 18.03.2026 18:53
- CISA Orders US Government to Patch Maximum Severity Cisco Flaw — www.infosecurity-magazine.com — 23.03.2026 12:30
18.03.2026 18:53 1 article · 2mo ago
Amazon reports Interlock exploitation of Cisco CVE-2026-20131
Initial Disclosure
Amazon threat intelligence reported that Interlock had been exploiting CVE-2026-20131 in attacks against enterprise firewalls before public disclosure and shared the findings with Cisco, while Cisco still had not flagged the flaw as actively exploited.
Sources:
- Ransomware gang exploits Cisco flaw in zero-day attacks since January — www.bleepingcomputer.com — 18.03.2026 18:53