A critical vulnerability identified as CVE-2026-20131 within the Cisco Secure Firewall Management Center (FMC) was exploited by the Interlock ransomware group weeks before a patch was publicly released. This alarming revelation was made by CJ Moses, Chief Information Security Officer at Amazon, during a recent announcement.
According to Moses, research conducted using Amazon's MadPot honeypot system uncovered that Interlock began exploiting this vulnerability as a zero-day on January 26, 2026, which was 36 days prior to the vulnerability's public disclosure and subsequent patch in early March.
CVE-2026-20131: Details of the Vulnerability
The Cisco FMC is a crucial tool for organizations to manage their Cisco Secure Firewall devices. The vulnerability in question affects the web-based management interface of the FMC and arises from insecure deserialization of a user-supplied Java byte stream.
This flaw allows unauthenticated and remote attackers to exploit the management interface by sending a specially crafted serialized Java object, potentially leading to code execution and privilege escalation to root level.
Cisco was made aware of CVE-2026-20131 after it was discovered during internal security testing by a member of its Advanced Security Initiatives Group. However, it appears that the Interlock group identified and exploited this vulnerability before Cisco could respond.
Amazon's threat intelligence indicated that activity associated with CVE-2026-20131 was detected starting January 26, 2026, well ahead of the public disclosure. The observed activity included HTTP requests targeting specific paths within the affected software.
These requests contained attempts at Java code execution, along with two embedded URLs: one aimed at delivering configuration data to support the exploit, and another intended to verify successful exploitation by prompting a vulnerable target to execute an HTTP PUT request to upload a generated file.
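As an added example (not from the article, AWS or Cisco), the Python below triages constructed log lines for the two observable behaviours described above: an inbound request to the management interface whose body carries a Java serialization header, and an outbound HTTP PUT from the FMC host. The FMC address, the administrative network, the key="value" log format and the request path are all assumptions.

```python
import base64
import ipaddress
import re

# A Java serialization stream starts with the magic bytes AC ED 00 05;
# "rO0AB" is the base64 encoding of that same header.
JAVA_SER = re.compile(r"(?i:aced0005)|rO0AB")

# Constructed values (not from the article): the FMC appliance address and
# the networks from which its administration is expected.
FMC_HOST = "10.10.5.20"
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed WAF/proxy log lines, key="value" with a body excerpt. The
# request path is a placeholder; the article does not name the real one.
_SER_BODY = base64.b64encode(b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap").decode()
SAMPLE_LOG = [
    f'src="198.51.100.23" dst="{FMC_HOST}" method="POST" path="/PLACEHOLDER_PATH" body="{_SER_BODY}"',
    f'src="10.10.7.4" dst="{FMC_HOST}" method="GET" path="/login" body=""',
    f'src="{FMC_HOST}" dst="203.0.113.9" method="PUT" path="/upload/result.txt" body="ok"',
]

def parse(line):
    """Turn one key="value" log line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def from_admin_net(src):
    return any(ipaddress.ip_address(src) in net for net in ADMIN_NETS)

def looks_like_java_object(body):
    return JAVA_SER.search(body) is not None

def triage(lines):
    """Return one finding string per suspicious event in the log lines."""
    findings = []
    for line in lines:
        ev = parse(line)
        src, dst, path = ev.get("src", ""), ev.get("dst", ""), ev.get("path", "")
        if dst == FMC_HOST:  # inbound request to the management interface
            if looks_like_java_object(ev.get("body", "")):
                findings.append(f"java-serialized-payload src={src} path={path}")
            if not from_admin_net(src):
                findings.append(f"mgmt-access-from-unexpected-network src={src}")
        elif src == FMC_HOST and ev.get("method") == "PUT":
            # The article describes an outbound PUT used to confirm exploitation.
            findings.append(f"fmc-outbound-put dst={dst} path={path}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```

The management-interface check also flags administrative access from outside the expected network, which is the exposure the mitigation section below asks defenders to reduce.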
Insights into Interlock’s Exploitation Tools
Researchers from AWS successfully simulated the exploitation of the vulnerability, tricking attackers into downloading a malicious Linux executable file from a remote server. An analysis of this server revealed it served as a central hub for the attackers' tools, organized by victim, and was utilized to dispatch malware to infected systems and collect data from them.
The evidence collected included various malware types, artifacts, and a ransom note that confirmed Interlock's involvement. The researchers found:
- A PowerShell script designed to enumerate and collect information about Windows hosts within the targeted network.
- A JavaScript remote access trojan capable of collecting information about infected hosts, equipped with self-update and self-delete features.
- A Java implant that establishes redundant command-and-control communication.
- A Bash script that transforms a compromised Linux server into a temporary relay server, anonymizing attacks, forwarding malicious traffic, and continually erasing traces to complicate tracking of attacker activities.
- A memory-resident webshell/backdoor.
- A lightweight network beacon that confirms successful code execution or network port reachability following the initial exploitation.
In addition to their custom tools, Interlock also employs legitimate software such as ConnectWise ScreenConnect for redundant remote access, Volatility for parsing memory dumps to locate sensitive data, and Certify for identifying vulnerable certificate templates and enrollment permissions.
Mitigation Strategies and Recommendations
AWS has provided indicators of compromise for enterprise defenders to check in their logs and has outlined immediate actions and long-term strategies for organizations to adopt.
Moses emphasized that the issue extends beyond a single vulnerability or one ransomware group; it highlights the ongoing challenge posed by zero-day exploits to all security frameworks. When vulnerabilities are exploited before patches are available, even the most rigorous patching protocols cannot guarantee protection during those critical periods.
“This underscores the necessity of a defense-in-depth strategy—layered security controls can offer protection when any single control fails or has yet to be implemented. While rapid patching is essential in vulnerability management, a multi-layered defense approach helps organizations remain resilient in the gap between exploit and patch,” Moses stated.
Cisco has since updated its advisory to indicate awareness of active exploitation of CVE-2026-20131, with the US Cybersecurity and Infrastructure Security Agency requiring US federal civilian agencies to address this vulnerability by March 22, 2026.
To mitigate risk, Cisco noted that restricting public internet access to the FMC management interface can significantly reduce the attack surface associated with this vulnerability.
CVE-2026-20131 marks the third Cisco vulnerability identified as exploited as a zero-day in 2026, following CVE-2026-20127 in the Cisco Catalyst SD-WAN Controller and CVE-2026-20045 in the company’s unified communications solutions.
Source: Help Net Security News