
Zero-Day Before the Patch: How Interlock Ransomware Exploited Cisco FMC for 36 Days Undetected

CVE-2026-20131 CVSS 10.0. Patched 4 March 2026. Exploited since 26 January.

On 4 March 2026, Cisco released a semiannual security update covering 48 vulnerabilities across its Secure Firewall Management Center (FMC), Adaptive Security Appliance (ASA), and Secure Firewall Threat Defense (FTD) product lines. Among them was CVE-2026-20131 — a CVSS 10.0 critical vulnerability in the FMC web-based management interface, caused by insecure deserialization of user-supplied Java byte streams. An unauthenticated, remote attacker can exploit it by sending a crafted serialized Java object to the management interface and achieve arbitrary code execution with root privileges. On the CVSS scale, 10.0 is the maximum possible score. It does not get worse than this.

On 19 March, Amazon CISO CJ Moses published a detailed threat intelligence report based on findings from Amazon's MadPot global honeypot network. The report confirmed what the security community feared: Interlock ransomware had been actively exploiting CVE-2026-20131 since 26 January 2026 — 36 days before Cisco's patch was released and 53 days before CISA added it to the Known Exploited Vulnerabilities catalogue. Every organisation that ran an internet-exposed Cisco FMC management interface between 26 January and 4 March was therefore open to an attack for which no patch existed at the time.

Understanding the Vulnerability

Cisco Secure Firewall Management Center is a centralised management platform used by organisations to configure, monitor, and manage Cisco Secure Firewall devices across their network infrastructure. In large enterprises — banks, insurance companies, hospitals, industrial operators — FMC is the control plane for the entire perimeter security architecture. Compromising FMC does not just give an attacker a foothold: it gives them visibility and potential control over the firewall policies governing the entire network.

CVE-2026-20131 stems from the way the FMC web management interface deserializes Java objects. The attack does not require any credentials. An attacker sends a crafted HTTP request to a specific path in the affected software. The request body carries the serialized payload that attempts code execution on the appliance, together with two URLs: one from which exploit configuration data is fetched, and a second that the compromised device is instructed to call back to confirm successful exploitation. That callback is what allowed Amazon's MadPot honeypot infrastructure to detect and track the campaign.
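The two traits described above, a serialized Java object arriving at the management interface and an outbound call the appliance should never make, are both observable without knowing the exploit itself. The following is an added example, not code from the article, Cisco or Amazon: it inspects constructed reverse-proxy records (an assumption; the host names, the documentation-range IP addresses and the request path placeholder are all made up, and the path from Cisco's advisory is deliberately not reproduced). It relies on one general fact about Java: every stream written by `ObjectOutputStream` begins with the bytes `AC ED 00 05`, which base64-encode to a string starting with `rO0AB`.

```python
import re
from dataclasses import dataclass

# Every Java object stream written by ObjectOutputStream starts with
# STREAM_MAGIC (0xACED) followed by STREAM_VERSION (0x0005).
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# The base64 encoding of those four bytes always begins with "rO0AB",
# which is how the header shows up inside form fields or JSON strings.
JAVA_SER_MAGIC_B64 = b"rO0AB"
# URLs embedded in a request body; '&' is excluded so form fields split cleanly.
URL_RE = re.compile(rb"https?://[^\s\"'<>&]+")


@dataclass
class Record:
    """One captured HTTP exchange (constructed; hostnames and paths are not real)."""
    direction: str   # "in" = client -> FMC, "out" = FMC -> somewhere else
    src: str
    dst: str
    method: str
    path: str
    body: bytes = b""


@dataclass
class Finding:
    record: Record
    reason: str
    detail: str


def is_java_serialized(body: bytes) -> bool:
    """True if a raw or base64-encoded Java object stream appears anywhere in the body."""
    return JAVA_SER_MAGIC in body or JAVA_SER_MAGIC_B64 in body


def extract_urls(body: bytes) -> list[str]:
    """Return the http(s) URLs embedded in a request body, in order."""
    return [m.decode("ascii", "replace") for m in URL_RE.findall(body)]


def inspect(records: list[Record], fmc_hosts: set[str], allowed_outbound: set[str]) -> list[Finding]:
    """Apply two rules: a serialized object inbound to the FMC, and outbound
    HTTP from the FMC to any destination outside the site's allowlist."""
    findings: list[Finding] = []
    for r in records:
        if r.direction == "in" and r.dst in fmc_hosts and is_java_serialized(r.body):
            urls = extract_urls(r.body)
            findings.append(Finding(r, "java-serialized-payload",
                                    f"{r.method} {r.path} from {r.src}; {len(urls)} embedded URL(s): {urls}"))
        elif r.direction == "out" and r.src in fmc_hosts and r.dst not in allowed_outbound:
            findings.append(Finding(r, "unexpected-outbound-callback",
                                    f"{r.method} {r.dst}{r.path}"))
    return findings


# Constructed sample capture. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges; "/PLACEHOLDER-ENDPOINT" stands in for the path named in Cisco's advisory.
FMC_HOSTS = {"fmc.example.net"}
ALLOWED_OUTBOUND = {"updates.example.net"}   # assumed per-site allowlist
SAMPLE_RECORDS = [
    Record("in", "10.0.5.20", "fmc.example.net", "GET", "/login"),
    Record("in", "10.0.5.20", "fmc.example.net", "POST", "/constructed/policy",
           b'{"name": "dmz-policy"}'),
    Record("in", "203.0.113.9", "fmc.example.net", "POST", "/PLACEHOLDER-ENDPOINT",
           b"obj=rO0ABCONSTRUCTED&config=http://198.51.100.7/cfg&notify=http://198.51.100.7/done"),
    Record("in", "203.0.113.9", "fmc.example.net", "POST", "/PLACEHOLDER-ENDPOINT",
           JAVA_SER_MAGIC + b"CONSTRUCTED"),
    Record("out", "fmc.example.net", "updates.example.net", "GET", "/manifest"),
    Record("out", "fmc.example.net", "198.51.100.7", "GET", "/done"),
]

if __name__ == "__main__":
    for f in inspect(SAMPLE_RECORDS, FMC_HOSTS, ALLOWED_OUTBOUND):
        print(f"[{f.reason}] {f.detail}")
```

The body rule only catches an unobfuscated payload; a compressed or otherwise encoded object stream will not match, so treat it as a hunting aid rather than a signature. The outbound rule needs no body capture at all and is the stronger signal: a management appliance has a short, known list of legitimate destinations, so any other HTTP connection it initiates deserves a look, and for this campaign the review should reach back to 26 January.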

The Interlock Group: Targets, Tactics, and the Swiss Exposure

Interlock is a ransomware operation that emerged in September 2024. Security researchers have linked it to the Rhysida group — the same organisation responsible for the 2023 ransomware attack on the British Library. Interlock has historically targeted sectors where operational disruption creates maximum pressure for ransom payment: education, healthcare, manufacturing, engineering, construction, and government. Its confirmed victims include DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul, Minnesota. These are precisely the sectors — healthcare, manufacturing, public administration — where Swiss organisations have the highest ransomware exposure according to NCSC data.

◆ Key Takeaway

CVE-2026-20131 is the third Cisco vulnerability confirmed exploited as a zero-day in 2026 alone. If your organisation runs Cisco infrastructure and has not applied the 4 March FMC update, you should treat any unpatched FMC as potentially compromised — not merely vulnerable.

What Amazon Intelligence Revealed About Interlock Infrastructure

The most operationally significant aspect of Amazon's disclosure is what the MadPot team found when they gained access to Interlock's operational server. The server was poorly secured and functioned as a central hub, organised by victim. Among Interlock's tool set was a PowerShell script designed for systematic Windows environment enumeration. It collected storage configuration data, Hyper-V virtual machine inventories, user file listings across the Desktop, Documents, and Downloads directories, browser artifacts from Chrome, Edge, Firefox, Internet Explorer, and the 360 browser, active network connections, ARP tables, iSCSI session data, and RDP authentication events from Windows event logs.

Immediate Actions for Swiss Security Teams

  • Patch immediately if you have not already done so. Cisco's 4 March update addresses CVE-2026-20131 and 47 other vulnerabilities. Use the Cisco Software Checker to identify the correct fixed release for your environment.
  • Treat unpatched FMC instances as potentially compromised. Any organisation running an internet-accessible FMC between 26 January and 4 March should assume possible compromise and conduct a forensic review, not simply apply the patch and move on.
  • Verify your FMC management interface is not internet-accessible. Cisco explicitly noted that limiting the FMC management interface's internet exposure reduces the attack surface for this vulnerability.
  • Review ScreenConnect deployments. Amazon's advisory specifically recommends reviewing ScreenConnect remote access tool deployments for unauthorised installations — Interlock has previously used ScreenConnect as a persistence mechanism.
  • Assess your defence-in-depth posture. When attackers exploit a zero-day, patch management cannot protect you during the exploitation window. Network segmentation, endpoint detection and response, and anomaly-based monitoring are the controls that matter here.
  • Engage your cyber insurer and legal counsel if you suspect exposure. Swiss ISA mandatory reporting obligations for critical infrastructure operators apply if a breach is confirmed.

The Strategic Implication: Zero-Day Exploitation Has Become a Ransomware Standard

CVE-2026-20131 is the third Cisco zero-day confirmed exploited in 2026. Groups like Interlock are no longer solely dependent on phishing and commodity exploits. They are acquiring or developing zero-day capabilities against high-value targets: network security infrastructure that, when compromised, provides immediate access to an organisation's entire network architecture. For Swiss CISOs and security architects, the implication is direct: a patching programme, however mature, is not a complete defence against adversaries operating at this capability level. The defence must be layered, anomaly-aware, and resilient to the assumption that perimeter controls may be silently compromised.