Cisco FMC CVSS 10.0 zero-day CVE-2026-20131 was exploited by Interlock ransomware for 36 days
A critical unauthenticated remote code execution flaw, CVE-2026-20131, was confirmed in Cisco Secure Firewall Management Center (FMC). Amazon Threat Intelligence later found that the Interlock ransomware group had already been abusing it as a zero-day and published a detailed report on March 18, 2026.
Amazon’s MadPot sensor network detected the first exploitation activity on January 26, 36 days before Cisco publicly disclosed the issue on March 4.
Technical details of CVE-2026-20131
| Item | Details |
|---|---|
| CVSS score | 10.0 (Critical) |
| CVSS vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-502: Deserialization of Untrusted Data |
| Cisco Bug ID | CSCwt14636 |
| Affected product | Cisco Secure Firewall Management Center (FMC) Software |
The root cause is unsafe deserialization of user-supplied Java byte streams in the FMC web management interface. Because no authentication is required and the service is reachable over the network, the bug fits the classic CVSS 10.0 profile: remote, unauthenticated code execution as root.
Cisco FMC is the control plane for Cisco firewall products such as FTD (Firewall Threat Defense). Since it manages the devices that actually enforce traffic policy, a compromise of FMC can place all managed firewalls under attacker control.
Attack chain
Interlock’s real-world intrusion flow looked like this:
```mermaid
flowchart TD
A[Attacker] -->|crafted HTTP request| B[Cisco FMC<br/>web management interface]
B -->|unsafe deserialization of<br/>Java byte streams| C[root-level Java code execution]
C -->|HTTP PUT to external server| D[attacker confirms compromise]
D -->|fetch and run ELF binary| E[foothold established]
E --> F[PowerShell reconnaissance<br/>host and credential collection]
E --> G[custom RAT deployment<br/>JS or Java]
E --> H[HAProxy reverse proxy<br/>to obscure infrastructure]
E --> I[fileless web shell in memory]
E --> J[ConnectWise ScreenConnect<br/>abused as a legitimate tool]
F -->|aggregated and zipped on network share| K[lateral movement prep]
G -->|WebSocket + RC4 encrypted C2| L[persistent control]
J --> L
K --> M[Interlock ransomware deployment]
L --> M
```
The request body contains two URLs: one for serving configuration data and one that the victim system calls back to with an HTTP PUT request when compromise succeeds. Amazon Threat Intelligence pretended to be a successfully compromised host and used that callback path to retrieve and analyze the rest of the toolkit.
Post-compromise toolkit
PowerShell reconnaissance script
The first-stage script collects a wide range of system data:
- OS and hardware details, running services, installed software
- storage layout and Hyper-V virtual machine inventory
- browser artifacts from Chrome, Edge, Firefox, IE, and 360 Browser, including history, bookmarks, saved credentials, and extensions
- active network connections with process correlation, ARP tables, iSCSI sessions, and RDP authentication events
- collected results are grouped by hostname under `\\JK-DC2\Temp`, zipped, and then the source data is deleted
Custom RATs in JavaScript and Java
Two RATs were observed, and they are functionally equivalent.
The JavaScript version overrides browser console methods to suppress debug output. At startup it gathers system information through PowerShell and WMI, then sends it through an encrypted handshake. C2 communication uses a persistent WebSocket and RC4 encryption, with a 16-byte random key embedded in the packet header and rotated per message. It cycles through multiple hostnames and IPs in random order with exponential backoff, and it can self-update and self-delete to frustrate forensics.
The Java version is built on GlassFish ecosystem libraries, using Grizzly non-blocking I/O and Tyrus WebSocket, and offers the same capability set.
| Feature | Purpose |
|---|---|
| Interactive shell | arbitrary command execution |
| File transfer | bidirectional |
| SOCKS5 proxy | tunnel TCP traffic |
| Self-update | fetch code updates from C2 |
| Self-delete | hinder forensics |
HAProxy reverse proxy
To obscure infrastructure, the attackers routed traffic through HAProxy 3.1.2. It was built from source and persisted through systemd. A notable detail is a cron job that deletes all logs every five minutes by truncating /var/log/*.log and unsetting HISTFILE.
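The five-minute log wiper is a host artifact a responder can hunt for directly. The following detector, added here as an example and not taken from the Amazon or Cisco reports, scans crontab text for short-cycle entries that truncate or remove files under /var/log or tamper with HISTFILE. The crontab content is constructed; the pattern list and the ten-minute "short cycle" threshold are this example's own assumptions.

```python
"""Flag cron entries that wipe logs or shell history on a short cycle.

Added example, not code from the Amazon or Cisco reports. The crontab text
below is constructed; the suspicious entry mirrors the behaviour described on
this page (every-five-minutes truncation of /var/log/*.log and unsetting
HISTFILE). Patterns and thresholds are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample crontab: one benign entry, one matching the described wiper.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * truncate -s 0 /var/log/*.log; unset HISTFILE
"""

# Commands that empty or delete logs, or disable shell history.
LOG_WIPE_PATTERNS = [
    re.compile(r"\btruncate\b.*?/var/log"),
    re.compile(r">\s*/var/log/\S+"),        # redirection that empties a log file
    re.compile(r"\brm\b.*?/var/log"),
    re.compile(r"\bunset\s+HISTFILE\b"),
    re.compile(r"\bHISTFILE=\s*/dev/null"),
]


@dataclass
class CronFinding:
    line_no: int
    schedule: str
    command: str
    reasons: list = field(default_factory=list)


def interval_minutes(schedule):
    """Return N for schedules of the form '*/N * * * *', else None."""
    m = re.match(r"\*/(\d+)\s+\*\s+\*\s+\*\s+\*$", schedule)
    return int(m.group(1)) if m else None


def scan_crontab(text, max_interval=10):
    """Return one CronFinding per entry whose command matches a wipe pattern.

    Assumes user-crontab layout (five schedule fields, then the command);
    /etc/crontab's extra user column would need one more split field.
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        schedule, command = " ".join(parts[:5]), parts[5]
        reasons = [p.pattern for p in LOG_WIPE_PATTERNS if p.search(command)]
        if not reasons:
            continue
        step = interval_minutes(schedule)
        if step is not None and step <= max_interval:
            reasons.append(f"runs every {step} minutes")
        findings.append(CronFinding(n, schedule, command, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: [{f.schedule}] {f.command}")
        for r in f.reasons:
            print("   -", r)
```

Run it against the output of `crontab -l` for each local user and the contents of /etc/cron.d; because the wiper also clears shell history, the crontab itself may be the only surviving trace of it on the host.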
Memory-resident web shell
This fileless backdoor is implemented as a Java class and does not leave a dedicated payload file on disk. When the JVM loads it, a static initializer registers a ServletRequestListener in StandardContext, then looks for encrypted commands in specific request parameters.
It uses AES-128 with a key derived from the first 16 characters of the MD5 hash of the hard-coded seed string "geckoformboundary99fec155ea301140cbe26faf55ed2f40" (09b1a8422e8faed0). The decrypted code is dynamically loaded and executed as precompiled Java bytecode, which helps it evade file-based detection.
Port 45588 beacon
This is a lightweight network beacon used for compromise confirmation. It listens on port 45588, obfuscated as the Unicode character 넔, records the source IP, sends a greeting, and then disconnects.
Abuse of legitimate tools
| Tool | Abuse purpose |
|---|---|
| ConnectWise ScreenConnect | persistent remote desktop access |
| Volatility Framework | memory forensics abused to extract credentials and aid lateral movement |
| Certify | abuse of Active Directory Certificate Services misconfigurations for privilege escalation and persistence |
Attribution
Attribution to the Interlock ransomware group is supported by the ransom note wording, the TOR negotiation portal branding, and the format of the organization IDs embedded per victim. The activity is believed to operate in UTC+3 with about 75-80% confidence. Activity tends to start around 08:30, peak between 12:00 and 18:00, and go quiet from 00:30 to 08:30.
Education is the most common sector among previous victims, followed by engineering and construction, manufacturing and industrial, healthcare, and government.
The TOR ransom note portal is located at hxxp://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid[.]onion/chat.php.
Indicators of compromise
Source IPs
| IP | Activity period |
|---|---|
| 206.251.239[.]164 | January 2026 |
| 199.217.98[.]153 | March 2026 |
| 89.46.237[.]33 | March 2026 |
Staging server
37.27.244[.]222
Exploit-support domains
- cherryberry[.]click
- ms-server-default[.]com
- initialize-configs[.]com
- ms-global.first-update-server[.]com
- ms-sql-auth[.]com
C2 domains
- browser-updater[.]click / [.]live
- os-update-server[.]com / [.]org / [.]live / [.]top
TLS fingerprints (JA4)
- t13i1811h1_85036bcba153_b26ce05bbdd6
- t13i4311h1_c7886603b240_b26ce05bbdd6
File hashes (SHA-256)
| Hash | Tool |
|---|---|
d1caa376cb45b6a1eb3a45c5633c5ef75f7466b8601ed72c8022a8b3f6c1f3be | Certify |
6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f | screen locker |
(Post-compromise tools are frequently modified per target, so hashes are of limited reliability.)
Response
Cisco Secure FMC already has a patch available, released on March 4, 2026. Any environment exposing the FMC web management interface directly to the internet should patch immediately.
Also check the following:
- search logs for the IoCs above and confirm whether compromise occurred
- verify that ConnectWise ScreenConnect was not installed without authorization
- check for cron jobs that delete logs every five minutes
- verify that no abnormal dynamic registration of ServletRequestListener has occurred on JVMs
- check network logs for connection attempts to port 45588
Be aware that local logs on a compromised system may already have been deleted by the attacker, so centralized logging outside the target host is essential.
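The IoC sweep from the checklist, written out as an added example (not code from Amazon Threat Intelligence or Cisco). It refangs the `[.]`-defanged indicators published on this page, then classifies each log line by the indicators it hits: the source and staging IPs, the exploit-support and C2 domains (including subdomains), the two JA4 fingerprints, connections to port 45588, and an HTTP PUT leaving the FMC host for a non-RFC1918 address, which is the callback the attack chain describes. The `key=value` log layout, the `role=fmc` field, and the use of RFC1918 as the meaning of "external" are this example's assumptions; the log lines are constructed.

```python
"""Sweep text logs for the indicators listed on this page.

Added example; not code from Amazon Threat Intelligence or Cisco. The IoC
values are copied from the page (published defanged with '[.]' and refanged
here); the log lines are constructed and the whitespace-separated key=value
layout, including the role=fmc marker, is this example's own assumption.
"""
import re
from collections import defaultdict

# Indicators from the page, defanged as published.
SOURCE_IPS = ["206.251.239[.]164", "199.217.98[.]153", "89.46.237[.]33"]
STAGING_IPS = ["37.27.244[.]222"]
DOMAINS = [
    "cherryberry[.]click", "ms-server-default[.]com", "initialize-configs[.]com",
    "ms-global.first-update-server[.]com", "ms-sql-auth[.]com",
    "browser-updater[.]click", "browser-updater[.]live",
    "os-update-server[.]com", "os-update-server[.]org",
    "os-update-server[.]live", "os-update-server[.]top",
]
JA4_FINGERPRINTS = ["t13i1811h1_85036bcba153_b26ce05bbdd6",
                    "t13i4311h1_c7886603b240_b26ce05bbdd6"]
BEACON_PORT = 45588


def refang(indicator):
    """Turn '[.]' back into '.' so indicators compare against live log data."""
    return indicator.replace("[.]", ".")


IP_SET = {refang(i) for i in SOURCE_IPS + STAGING_IPS}
DOMAIN_SET = {refang(d) for d in DOMAINS}
JA4_SET = set(JA4_FINGERPRINTS)

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse 'k=v k2="v 2"' pairs into a dict (assumed log layout)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def is_private(ip):
    """RFC1918 check used here as the definition of an internal destination."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return False
    a, b = int(parts[0]), int(parts[1])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def domain_matches(host):
    """Exact or subdomain match against the published domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAIN_SET)


def classify(line):
    """Return the indicator categories a single log line hits."""
    f = parse_kv(line)
    hits = []
    if f.get("src") in IP_SET or f.get("dst") in IP_SET:
        hits.append("ioc_ip")
    if domain_matches(f.get("host", "")):
        hits.append("ioc_domain")
    if f.get("dport") == str(BEACON_PORT):
        hits.append("beacon_port_45588")
    if f.get("ja4") in JA4_SET:
        hits.append("ioc_ja4")
    # The compromise-confirmation callback: an HTTP PUT from the FMC host to
    # an address outside the private ranges.
    if f.get("method") == "PUT" and f.get("role") == "fmc" \
            and not is_private(f.get("dst", "")):
        hits.append("fmc_outbound_put")
    return hits


def sweep(lines):
    """Map each indicator category to the 1-based line numbers that hit it."""
    report = defaultdict(list)
    for n, line in enumerate(lines, 1):
        for h in classify(line):
            report[h].append(n)
    return dict(report)


# Constructed sample log lines: the first four should match, the last is benign.
SAMPLE_LOGS = [
    'ts=2026-01-26T10:15:02Z role=fmc src=206.251.239.164 dst=10.0.0.5 method=POST path=/',
    'ts=2026-01-26T10:15:09Z role=fmc src=10.0.0.5 dst=198.51.100.7 method=PUT path=/ok',
    'ts=2026-03-02T11:40:51Z role=host src=10.0.0.22 dst=37.27.244.222 dport=443 '
    'host=os-update-server.com ja4=t13i1811h1_85036bcba153_b26ce05bbdd6',
    'ts=2026-03-02T12:01:00Z role=host src=10.0.0.23 dst=10.0.0.5 dport=45588 proto=tcp',
    'ts=2026-03-02T12:05:00Z role=host src=10.0.0.24 dst=10.0.0.80 dport=443 host=intranet.example.local',
]

if __name__ == "__main__":
    for category, line_nos in sorted(sweep(SAMPLE_LOGS).items()):
        print(f"{category:22} lines {line_nos}")
```

Point `sweep()` at centrally collected proxy, firewall and TLS-inspection logs rather than at the FMC host itself; as noted above, the attacker's cron job may already have emptied the local logs. The domain matcher deliberately accepts subdomains, because the JavaScript RAT cycles through multiple hostnames under the same parent domains.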