A critical zero-day remote code execution vulnerability, CVE-2026-20131, in Cisco's Secure Firewall Management Center has been exploited by the Interlock ransomware group since late January, 36 days before its public disclosure. This flaw, with a CVSS score of 10.0, allows unauthenticated remote attackers to execute arbitrary code as root by sending a crafted serialized object, leveraging insecure Java deserialization in the web interface. The Interlock group's early exploitation of this vulnerability highlights the importance of prompt patching and monitoring. The fact that the group was able to exploit this flaw before its disclosure [1] suggests a high level of sophistication and access to sensitive information. This matters to security practitioners because the exploitation status of CVE-2026-20131 will determine whether this is a patch-now or monitor situation, and they must take immediate action to protect their Cisco FMC installations.
Interlock group exploiting the CISCO FMC flaw CVE-2026-20131 36 days before disclosure
⚠️ Critical Alert
Why This Matters
CVE-2026-20131 is in active discussion involving Cisco — exploitation status determines whether this is patch-now or monitor.
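For the monitoring side of the crafted-serialized-object vector described above, here is an added example (not code from SecurityAffairs or Cisco) that flags HTTP request bodies carrying a Java serialization stream header, either raw or base64-encoded. It assumes request bodies are available from a decrypting proxy or packet capture; the function names, sample requests and placeholder paths are constructed for illustration, and this is the generic stream-marker check rather than a signature for this specific CVE.

```python
import base64
import binascii
import re

# Java serialization streams start with STREAM_MAGIC 0xACED and STREAM_VERSION 0x0005.
JAVA_MAGIC = bytes.fromhex("aced0005")
# Base64 of those bytes always begins "rO0AB"; require 8 chars so the head can be decoded.
B64_CANDIDATE = re.compile(rb"rO0AB[A-Za-z0-9+/_-]{3,}")

def find_serialized_java(body: bytes):
    """Return (encoding, offset) for each Java serialization header found in body."""
    hits = []
    pos = body.find(JAVA_MAGIC)
    while pos != -1:
        hits.append(("raw", pos))
        pos = body.find(JAVA_MAGIC, pos + 1)
    for m in B64_CANDIDATE.finditer(body):
        # Normalise URL-safe base64, then decode the first 8 chars (6 bytes) to confirm.
        head = m.group()[:8].replace(b"-", b"+").replace(b"_", b"/")
        try:
            decoded = base64.b64decode(head)
        except (binascii.Error, ValueError):
            continue
        if decoded.startswith(JAVA_MAGIC):
            hits.append(("base64", m.start()))
    return hits

def triage(requests):
    """Keep only requests whose body carries a serialized-object header."""
    flagged = []
    for src, path, body in requests:
        hits = find_serialized_java(body)
        if hits:
            flagged.append((src, path, hits))
    return flagged

# Constructed sample data: a truncated stream header (not a working object),
# documentation-range IPs and placeholder paths.
STUB = JAVA_MAGIC + b"sr\x00\x10constructed.Demo"
SAMPLE = [
    ("198.51.100.7", "/placeholder/a", STUB),
    ("198.51.100.7", "/placeholder/b", b"data=" + base64.b64encode(STUB)),
    ("192.0.2.10", "/placeholder/c", b'{"note":"rO0ABA-not-java"}'),
]

if __name__ == "__main__":
    for src, path, hits in triage(SAMPLE):
        print(src, path, hits)
```

A hit is a triage lead, not proof of exploitation: legitimate Java clients also send serialized objects, so weigh matches against the source address and whether the request was authenticated.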
References
- SecurityAffairs. (2026, March 19). Interlock group exploiting the CISCO FMC flaw CVE-2026-20131 36 days before disclosure. *SecurityAffairs*. https://securityaffairs.com/189636/malware/interlock-group-exploiting-the-cisco-fmc-flaw-cve-2026-20131-36-days-before-disclosure.html
Original Source
SecurityAffairs