Interlock ransomware leverages Cisco FMC insecure deserialization zero-day (CVE-2026-20131) for root access
Summary
A critical insecure deserialization vulnerability in Cisco Secure Firewall Management Center (FMC) Software, tracked as CVE-2026-20131 (CVSS 10.0), is being actively exploited by the Interlock ransomware group to gain unauthenticated remote root access on unpatched systems. The flaw enables unauthenticated remote attackers to bypass authentication and execute arbitrary Java code with root privileges via crafted HTTP requests to a specific endpoint. Exploitation has been observed as a zero-day since January 26, 2026, more than a month before public disclosure and patch availability. The attack chain includes post-exploitation tooling such as custom JavaScript/Java RATs, PowerShell reconnaissance scripts, Linux reverse proxy configuration tools, memory-resident web shells, and ConnectWise ScreenConnect for persistence. Compromised environments are being leveraged for ransomware operations and secondary monetization.
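As an added defender-side example (not code from the original report, from Cisco or from the Interlock toolkit), the check below inspects HTTP request bodies for the Java serialization stream header, raw or base64-encoded, and pulls out the outermost class name so that a proxy or log pipeline can flag serialized objects arriving at an endpoint that should never receive them. It is general to Java deserialization traffic rather than tied to the FMC endpoint, whose path the report does not name; the endpoint path and the sample requests are constructed placeholders.

```python
import base64
import struct
from typing import List, NamedTuple, Optional, Tuple

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005
JAVA_STREAM_HEADER = b"\xac\xed\x00\x05"
JAVA_STREAM_B64_PREFIX = b"rO0AB"  # base64 of the same four header bytes
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72


class Finding(NamedTuple):
    is_java_stream: bool
    encoding: Optional[str]    # "raw" or "base64"
    top_class: Optional[str]   # outermost class when the stream opens with TC_OBJECT/TC_CLASSDESC


def _top_class_name(stream: bytes) -> Optional[str]:
    """Read the class name of the first TC_OBJECT's TC_CLASSDESC (2-byte length, then the name)."""
    if len(stream) < 8 or stream[4] != TC_OBJECT or stream[5] != TC_CLASSDESC:
        return None
    (n,) = struct.unpack(">H", stream[6:8])
    name = stream[8:8 + n]
    if len(name) != n:
        return None  # truncated descriptor
    try:
        return name.decode("utf-8")
    except UnicodeDecodeError:
        return None


def inspect_body(body: bytes) -> Finding:
    """Flag a request body that carries a Java serialized object, raw or base64-encoded."""
    stream, encoding = body, "raw"
    if body.lstrip().startswith(JAVA_STREAM_B64_PREFIX):
        try:
            stream, encoding = base64.b64decode(body.strip(), validate=True), "base64"
        except ValueError:  # binascii.Error is a ValueError: not valid base64 after all
            return Finding(False, None, None)
    if not stream.startswith(JAVA_STREAM_HEADER):
        return Finding(False, None, None)
    return Finding(True, encoding, _top_class_name(stream))


def scan_requests(requests: List[Tuple[str, str, bytes]]) -> List[Tuple[str, str, Finding]]:
    """Return (method, path, finding) for every request whose body is a Java serialized stream."""
    return [(m, p, f) for m, p, b in requests if (f := inspect_body(b)).is_java_stream]


# Constructed sample: header, TC_OBJECT, TC_CLASSDESC, class name "java.util.HashMap",
# serialVersionUID, flags and field count, truncated after the class descriptor.
SAMPLE_STREAM = (JAVA_STREAM_HEADER + bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", 17)
                 + b"java.util.HashMap" + b"\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02")
SAMPLE_REQUESTS = [  # constructed; "/<endpoint-placeholder>" stands in for the unnamed FMC path
    ("POST", "/api/login", b'{"user":"admin"}'),
    ("POST", "/<endpoint-placeholder>", SAMPLE_STREAM),
    ("PUT", "/<endpoint-placeholder>", base64.b64encode(SAMPLE_STREAM)),
]

if __name__ == "__main__":
    for method, path, f in scan_requests(SAMPLE_REQUESTS):
        print(f"{method} {path}: Java serialized stream ({f.encoding}), top-level class {f.top_class}")
```

Treat any hit on an endpoint that is not documented to accept Java objects as an incident trigger, and tune `_top_class_name` output against the classes the application legitimately deserializes.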
Timeline
- 18.03.2026 18:00 · 1 article
  Interlock ransomware exploits Cisco FMC zero-day (CVE-2026-20131) for initial access and root compromise
  Unauthenticated, remote attackers began exploiting CVE-2026-20131 in Cisco Secure Firewall Management Center (FMC) Software on or around January 26, 2026, achieving root-level code execution via insecure deserialization of user-supplied Java byte streams. The attack begins with crafted HTTP requests to a specific FMC endpoint, followed by confirmation via HTTP PUT, then retrieval of ELF binaries from remote infrastructure. The payloads include reconnaissance scripts, custom RATs, Linux reverse proxy tools, web shells, and ScreenConnect for persistence.
  Source: Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access — thehackernews.com — 18.03.2026 18:00
Information Snippets
- CVE-2026-20131 is an insecure deserialization vulnerability in Cisco FMC Software with a CVSS score of 10.0, enabling unauthenticated, remote root code execution via crafted HTTP requests.
  First reported: 18.03.2026 18:00 · 1 source, 1 article
- Interlock ransomware has exploited this vulnerability as a zero-day since January 26, 2026, prior to public disclosure and patch release.
  First reported: 18.03.2026 18:00 · 1 source, 1 article
- Post-exploitation involves execution of arbitrary ELF binaries fetched from remote servers, including reconnaissance scripts targeting Windows and Linux environments.
  First reported: 18.03.2026 18:00 · 1 source, 1 article
- Identified tools include custom JavaScript/Java RATs with bidirectional file transfer, SOCKS5 proxy support, and self-update capabilities; PowerShell scripts for comprehensive Windows reconnaissance; Linux reverse proxy setup using HAProxy with fail2ban; memory-resident web shells; and ConnectWise ScreenConnect for persistence.
  First reported: 18.03.2026 18:00 · 1 source, 1 article
- Evidence suggests the threat actor operates primarily within the UTC+3 time zone and maintains operational security weaknesses that exposed their toolkit via a misconfigured server.
  First reported: 18.03.2026 18:00 · 1 source, 1 article
- Cisco disclosed the vulnerability publicly after vendor coordination with Amazon Threat Intelligence, which identified the campaign through its MadPot global sensor network.
  First reported: 18.03.2026 18:00 · 1 source, 1 article