A critical CVSS 10 Cisco firewall vulnerability is being exploited in the wild by a ransomware gang – attacks started over a month before a March 4 patch.

AWS’s threat intelligence team gained access to a “misconfigured” server that contained the "operational toolkit" of the ransomware group, Interlock.

They found that the group had started exploiting the critical vulnerability in Cisco Secure Firewall Management Center (FMC) Software as a zero day in January – 36 days before Cisco disclosed the bug, CVE-2026-20131.

Cisco patched the critical CVSS 10 Cisco FMC vulnerability on March 4.

It updated its advisory today (March 18) to confirm what it described as “attempted exploitation.” AWS was more explicit: “Our research found that Interlock was exploiting this vulnerability [from] January 26, 2026…”

The Cisco FMC vulnerability lets any unauthenticated, remote attacker execute arbitrary Java code as root on affected devices, the vendor said. It blamed “insecure deserialization of a user-supplied Java byte stream.”

At the time The Stack published, the bug had not been added to CISA’s KEV – but it would represent the 13th Cisco vulnerability exploited in the wild since the start of 2025 and the 87th bug in the agency’s “known exploited” catalogue.

(A leading financial services sector CISO described network appliance security as a “travesty” this week, telling The Stack that of all the critical incidents their team responded to last year, over half were in systems “meant to protect us”. They have spun up their own dedicated bug-hunting team focused on such appliances in a bid to get ahead of such vulns.) 

CVE-2026-20131 affects Cisco Secure FMC Software and Cisco Security Cloud Control (SCC) Firewall Management, regardless of configuration.

AWS said its threat intelligence team found a poorly secured infrastructure server belonging to the ransomware group that was used for distributing “Interlock’s entire operational toolkit” – gleaning some critical intelligence.

Among the tools AWS’s threat intel team found was a “PowerShell script designed for systematic Windows environment enumeration…”

This pulls details on “storage configuration, Hyper-V virtual machine inventory, user file listings across Desktop, Documents, and Downloads directories, browser artifacts from Chrome, Edge, Firefox, Internet Explorer, and 360 browser (including history, bookmarks, stored credentials, and extensions), active network connections… ARP tables, iSCSI session data, and RDP authentication events from Windows event logs,” AWS said.

Interlock was also using ConnectWise ScreenConnect, a commercial remote desktop tool; Volatility, an open-source memory forensics framework; and Certify, an open source offensive security tool designed to exploit misconfigurations in Active Directory Certificate Services (AD CS).

The ransomware group also had a log erasure routine running as a cron job every five minutes, AWS said: “The routine truncates all *.log files under /var/log and suppresses shell history by unsetting the HISTFILE variable. 

“This aggressive evidence destruction, wiping logs every five minutes, combined with the purpose-built HTTP forwarding proxy, indicates the script establishes disposable traffic-laundering relay nodes. These nodes obscure exploit traffic origin, relay [C2] communications, or proxy data exfiltration, making it nearly impossible to trace attacks back to their source,” AWS said.
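The cron-based log wiper AWS describes leaves a recognisable footprint in a host's crontab. The following is an added example, not AWS's or Cisco's code: it audits crontab entries (plus the bodies of any scripts they call, supplied as a dict) for jobs that truncate logs under /var/log or unset HISTFILE, and marks as high-confidence those that do both on a five-minute or shorter interval. The crontab lines and the script path are constructed for the example.

```python
import re

# Constructed sample crontab (not from the page or AWS's report): one benign
# logrotate job and two jobs that behave like the wiper described above.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/local/bin/relay-clean.sh
*/5 * * * * for f in /var/log/*.log; do : > "$f"; done; unset HISTFILE
"""
# Constructed body of the script the second job calls (hypothetical path).
SAMPLE_SCRIPTS = {
    "/usr/local/bin/relay-clean.sh":
        "#!/bin/sh\nfind /var/log -name '*.log' -exec truncate -s 0 {} \\;\nunset HISTFILE\n",
}

CRON_LINE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(.+)$")
# /var/log followed by a truncation idiom: 'truncate -s 0', a '*.log' glob, or '> "$f"'.
LOG_WIPE = re.compile(r"/var/log\S*.*?(truncate\s+-s\s*0|\*\.log|>\s*\"?\$\w+)", re.S)
HIST_OFF = re.compile(r"\bunset\s+HISTFILE\b|\bHISTFILE=(/dev/null|''|\"\")")

def interval_minutes(schedule):
    """Return the minute interval for '*/N' or '*' minute fields, else None."""
    minute = schedule.split()[0]
    if minute == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", minute)
    return int(m.group(1)) if m else None

def audit_crontab(text, scripts=None):
    """Flag cron jobs that wipe /var/log logs or disable shell history.

    `scripts` maps script paths to contents, so a job that merely calls a
    script is judged on what the script does, not only on the cron command."""
    scripts = scripts or {}
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = CRON_LINE.match(line.strip())
        if not m or line.lstrip().startswith("#"):
            continue
        schedule, command = m.groups()
        body = command + "\n" + "".join(
            content for path, content in scripts.items() if path in command)
        reasons = []
        if LOG_WIPE.search(body):
            reasons.append("truncates logs under /var/log")
        if HIST_OFF.search(body):
            reasons.append("disables shell history (HISTFILE)")
        if reasons:
            every = interval_minutes(schedule)
            findings.append({"line": n, "every_min": every, "reasons": reasons,
                             "high": every is not None and every <= 5 and len(reasons) == 2})
    return findings
```

Run against `crontab -l` output and the contents of `/etc/cron.d/*` on a suspect host; a legitimate logrotate job is not flagged because it neither truncates /var/log entries in place nor touches HISTFILE.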

  • AWS has IOCs here.
  • Cisco has a tool to determine potential exposure here.