Cybersecurity Threat Advisory: Interlock targets Cisco Secure FMC in zero-day

Recent reporting from Amazon Threat Intelligence and multiple security researchers confirms that the Interlock ransomware group is actively exploiting a critical remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC) Software. Read this Cybersecurity Threat Advisory to learn how to protect your systems and your clients’ systems.

What is the threat?

Interlock operators are exploiting CVE‑2026‑20131 in Cisco FMC to gain full control over targeted management appliances. The vulnerability in the FMC web interface stems from insecure deserialization, enabling crafted requests to trigger remote code execution as root.

Once inside, attackers deploy additional tooling and backdoors, abuse FMC’s privileged position to manipulate firewall configurations, and ultimately stage and launch ransomware across victim networks. Public analysis shows activity dating back to late January 2026—well before Cisco’s advisory—confirming real‑world zero‑day exploitation.

Why is it noteworthy?

Cisco FMC is the central control plane for many Cisco Secure Firewall and Firepower environments—often protecting perimeters, data centers, OT networks, and critical infrastructure. Compromise gives attackers broad visibility and control over security enforcement points, making FMC an exceptionally high‑value target.

Because Interlock used CVE‑2026‑20131 as a zero‑day, some organizations may already have been compromised, with attackers potentially modifying firewall rules, disabling logging, or establishing persistence before defenders knew the issue existed. The vulnerability carries a maximum CVSS score due to its unauthenticated, remote, root‑level impact, and its active weaponization by ransomware operators significantly heightens risk.

What is the exposure or risk?

Organizations running affected versions of Cisco FMC—especially those exposed to the internet or reachable from untrusted networks—face immediate risk. Successful exploitation grants full control of the FMC host, including the ability to run arbitrary root‑level code, install malware, and alter security configurations.

From this foothold, attackers can use FMC to push malicious policies to managed firewalls, enabling lateral movement, disabling security controls, and supporting widespread ransomware deployment. Consequences may include large‑scale encryption of critical systems, exfiltration of sensitive configurations, operational disruption, and regulatory or reputational fallout.

What are the recommendations?

Barracuda strongly recommends taking the following actions to mitigate risk:

  • Identify and patch all vulnerable Cisco FMC instances immediately.
  • Remove internet exposure to the FMC interface; restrict access to trusted networks or VPN only.
  • Enable MFA and enforce least‑privilege for all admin accounts.
  • Review logs for suspicious activity and signs of exploitation.
  • Isolate and rebuild the FMC from a known‑good image if compromise is suspected.
  • Rotate credentials tied to FMC and audit firewall/VPN configurations.
  • Establish patching SLAs and monitor Cisco PSIRT and trusted threat‑intel sources.
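As an added example (not code from the advisory, Cisco, or Barracuda), the following audit supports the second recommendation: it checks each rule that allows access to the FMC web interface and flags any whose source is not fully contained in a trusted management or VPN network, so over-broad rules are caught as well as open ones. The rule format, hostnames, and networks are constructed for illustration.

```python
"""Flag access rules that expose an FMC web interface (HTTPS/443) to
sources outside trusted management or VPN networks.
Added example with a constructed rule format; not vendor code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRule:
    source: str      # CIDR allowed to connect
    dest_host: str   # appliance the rule applies to
    dest_port: int
    action: str      # "allow" or "deny"


# Constructed sample data, not taken from the advisory.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.20.0.0/16", "172.16.100.0/24")]  # mgmt VLAN, VPN pool
FMC_HOSTS = {"fmc-01.example.internal"}
FMC_PORT = 443

SAMPLE_RULES = [
    AccessRule("10.20.5.0/24", "fmc-01.example.internal", 443, "allow"),   # inside mgmt VLAN
    AccessRule("172.16.100.0/24", "fmc-01.example.internal", 443, "allow"),  # VPN pool
    AccessRule("0.0.0.0/0", "fmc-01.example.internal", 443, "allow"),      # internet-exposed
    AccessRule("203.0.113.0/24", "fmc-01.example.internal", 443, "allow"),  # untrusted external
    AccessRule("10.0.0.0/8", "fmc-01.example.internal", 443, "allow"),     # broader than trusted net
    AccessRule("0.0.0.0/0", "fmc-01.example.internal", 443, "deny"),       # deny rules are fine
    AccessRule("0.0.0.0/0", "web-01.example.internal", 443, "allow"),      # not an FMC host
]


def untrusted_exposure(rules, trusted=TRUSTED_NETS):
    """Return allow rules reaching the FMC web port whose source is not a
    subnet of some trusted network. A source wider than a trusted network
    (e.g. 10.0.0.0/8 vs 10.20.0.0/16) counts as exposure, not as trusted."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.dest_host not in FMC_HOSTS or r.dest_port != FMC_PORT:
            continue
        src = ipaddress.ip_network(r.source, strict=False)
        if not any(src.subnet_of(t) for t in trusted if t.version == src.version):
            findings.append(r)
    return findings


def report(rules):
    """Human-readable lines for a change ticket or SOC review."""
    return [f"EXPOSED: {r.source} -> {r.dest_host}:{r.dest_port}" for r in untrusted_exposure(rules)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RULES)))
```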

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.