On March 4, 2026, Cisco disclosed CVE-2026-20131 - a critical insecure deserialization vulnerability (CVSS 10.0) in Cisco Secure Firewall Management Center (FMC) and Cisco Security Cloud Control (SCC) Firewall Management.
The flaw allows an unauthenticated, remote attacker to execute arbitrary Java code as root by sending a crafted serialized Java object to the web-based management interface.
The Interlock ransomware group had been actively exploiting the vulnerability since January 26, 2026 - 36 days before public disclosure.
Amazon's MadPot threat intelligence network identified the campaign after discovering a misconfigured Interlock infrastructure server that exposed the group's complete post-exploitation toolkit.
CISA added the CVE to its Known Exploited Vulnerabilities catalog on March 19, explicitly marking it as "known to be used in ransomware campaigns," and ordered federal agencies to patch by March 22. There are no workarounds.
Patching or discontinuing use of the product is the only remediation.
KEY FACTS
- What: Insecure deserialization (CWE-502) in the Cisco FMC/SCC web management interface - unauthenticated RCE as root.
- CVE: CVE-2026-20131 (CVSS 10.0 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
- Affected: Cisco FMC versions 6.4.0.13 through 10.0.0 (69+ versions). Cisco Security Cloud Control also affected. FMC 6.x has no fix (end of life).
- Fix: FMC 7.0.6.3+, 7.2.5.1+, 7.4.2.1+, 7.6.5, 7.7.12, 10.0.1. No workarounds available.
- Zero-Day Window: 36 days (January 26 - March 4, 2026).
- Actor: Interlock ransomware (Hive0163). 100+ victims since September 2024. Suspected Rhysida spinoff (low confidence - Cisco Talos).
- Discovery: Amazon MadPot honeypot + Interlock OPSEC failure (misconfigured infrastructure server).
- CISA: Added to KEV catalog March 19, 2026. Federal patch deadline March 22. Marked as used in ransomware campaigns.
- Companion: CVE-2026-20079 (FMC authentication bypass, CVSS 10.0) patched simultaneously - a second unauthenticated root path in the same product.
WHAT HAPPENED
On March 4, 2026, Cisco published its semiannual firewall security update, addressing 48 CVEs across Firewall Management Center, Adaptive Security Appliance, and Threat Defense software.
Two of those 48 received the maximum CVSS score of 10.0: CVE-2026-20131 (insecure deserialization leading to RCE as root) and CVE-2026-20079 (authentication bypass due to an improperly configured system process at boot time, also leading to root-level script execution).
Both affect the same product - Cisco Secure Firewall Management Center - and both are exploitable by unauthenticated remote attackers via the web-based management interface.
CVE-2026-20131 also affects Cisco Security Cloud Control (SCC), the cloud-based firewall policy management platform.
At the time of disclosure, Cisco's PSIRT reported no known active exploitation. That assessment changed on March 18, when Cisco updated its advisory to confirm reports of active exploitation in the wild.
The following day, CISA added CVE-2026-20131 to its Known Exploited Vulnerabilities catalog and gave federal civilian agencies three days to patch - a deadline of March 22.
The exploitation, however, had begun long before disclosure.
Amazon's threat intelligence team, operating the MadPot global honeypot sensor network, identified Interlock ransomware activity targeting FMC installations beginning January 26, 2026. For 36 days, Interlock possessed a working zero-day exploit against the centralized management platform controlling Cisco's enterprise firewall deployments.
Organizations running internet-facing FMC appliances during this window were vulnerable with no available mitigation and no knowledge that the vulnerability existed.
The breakthrough in understanding the campaign came from an Interlock operational security failure. Amazon researchers discovered a misconfigured infrastructure server that served as Interlock's staging area.
The server contained the group's complete toolkit - organized by victim - including custom malware, reconnaissance scripts, remote access trojans, evasion tools, ransom notes, and Tor negotiation portal artifacts.
This single OPSEC failure gave defenders unprecedented visibility into Interlock's multi-stage attack chain.
Within two days of public disclosure, Zscaler ThreatLabz detected additional exploitation attempts using publicly available GitHub proof-of-concept code, targeting Technology and Software sector organizations in the United States.
This means exploitation expanded beyond Interlock after the CVE was published.
THREAT ACTOR
Interlock is a financially motivated ransomware operation first observed in September 2024. The group is tracked by IBM X-Force as Hive0163 and by CISA/FBI under joint advisory AA25-203A (published July 22, 2025).
Unlike most prominent ransomware groups, Interlock does not operate as a Ransomware-as-a-Service (RaaS) platform - no affiliate recruitment advertisements have been observed. The group conducts all operations independently using private infrastructure.
The victim distribution skews heavily toward the United States (67 of 100 victims), with the remainder spread across Europe, Canada, and Australia. Top targeted sectors: Education (24 victims), Manufacturing (14), Healthcare (10), Public Sector (9), and Construction (6).
ransomware.live data shows an average 61.5-day delay between compromise and public leak site disclosure.
Interlock's highest-profile attacks include DaVita (kidney dialysis provider; 1.5TB stolen; 2,689,826 patients affected per HHS filing; $13.5M incident cost; April 2025), Kettering Health (14 medical centers disrupted; thousands of procedures canceled; chemotherapy sessions disrupted; 941GB leaked; 200+ lawsuits filed; May 2025), the City of St. Paul, Minnesota (43GB stolen; state of emergency declared; July 2025), and Texas Tech University Health Sciences Center (1.4 million patients; 2.6TB claimed stolen; September-October 2024).
Security researchers have identified code overlaps between Interlock and Rhysida ransomware variants, particularly in hardcoded exclusion lists for Windows encryptors. Microsoft has flagged connections between both groups and Vice Society (tracked as Vanilla Tempest).
The relationship suggests Interlock may be a splinter group or direct evolution of Rhysida operations, though this has not been definitively established.
Interlock's initial access methods have evolved through three phases. In Phase 1 (September-December 2024), the group used traffic distribution systems on compromised legitimate websites to deliver fake browser update prompts.
In Phase 2 (early 2025), they expanded to impersonating security software - fake FortiClient, Cisco AnyConnect, GlobalProtect, and Ivanti Secure Access installers.
In Phase 3 (January 2025 onward), they adopted the ClickFix social engineering technique, tricking victims into copying and pasting malicious PowerShell commands via fake "prove you're human" prompts.
The exploitation of CVE-2026-20131 represents a significant escalation: a zero-day in enterprise network security infrastructure, bypassing the need for social engineering entirely.
In January 2026, FortiGuard Labs documented Interlock deploying "Hotta Killer" - a BYOVD (Bring Your Own Vulnerable Driver) tool exploiting CVE-2025-61155, a zero-day in the GameDriverX64.sys anti-cheat driver from Hotta Studio's "Tower of Fantasy" game.
The tool specifically targets Fortinet EDR/AV processes to disable endpoint protection before encryption. This represents yet another defense-evasion capability in an increasingly sophisticated toolkit.
In March 2026, IBM X-Force disclosed that Interlock had deployed "Slopoly" - a PowerShell-based malware strain assessed with high confidence as AI-generated (based on extensive code comments, structured logging, clearly named variables, and error handling patterns characteristic of LLM output).
Slopoly functioned as a C2 client that maintained persistent access to a compromised server for over a week. This represents one of the earliest documented cases of AI-generated malware deployed in a real-world ransomware campaign.
Temporal analysis of timestamps from the misconfigured infrastructure server and embedded artifact metadata indicates Interlock operators likely work in the UTC+3 timezone (75-80% confidence).
Activity patterns show first activity around 08:30, peak between 12:00-18:00, and a sleep window from 00:30-08:30. UTC+3 covers Moscow, Istanbul, Riyadh, Baghdad, and Nairobi.
WHAT WAS EXPLOITED
Cisco Secure Firewall Management Center (FMC) is the centralized management plane for Cisco's enterprise firewall deployments.
It performs three critical functions: (1) defines and pushes security policies across distributed firewall appliances, (2) manages firmware updates across physical and virtual Cisco security appliances, and (3) aggregates security telemetry and threat data from the entire firewall infrastructure into a single interface.
FMC is where configuration authority, operational visibility, and administrative access converge.
Compromising FMC gives an attacker root access to this control point.
The consequences: modify or disable firewall rules across the entire managed estate; create covert access rules permitting attacker traffic; disable IPS/IDS inspection and logging; access traffic inspection data including potentially unencrypted internal communications; harvest credentials stored on or transiting through the management plane; pivot into any network segment managed by the compromised FMC; and blind defenders by disabling security monitoring at the source.
The vulnerability exists in FMC's handling of user-supplied Java byte streams via the web-based management interface. An attacker sends a crafted serialized Java object to a specific API endpoint.
The FMC processes the object without proper validation, triggering insecure deserialization that executes arbitrary Java code with root privileges. No authentication is required. No user interaction is needed.
The scope is changed (CVSS S:C), meaning the compromised component impacts resources beyond its own security scope - the entire firewall infrastructure managed by the FMC instance.
CVE-2026-20131 affects 69+ software versions spanning FMC 6.4.0.13 through 10.0.0. All FMC 6.x versions are affected with no fix available (end of life).
Fixed releases by branch: 7.0.6.3 (7.0.x), 7.2.5.1 (7.2.x), 7.4.2.1 (7.4.x), 7.6.5 (7.6.x), 7.7.12 (7.7.x), and 10.0.1 (10.0.x).
Internet-facing exposure: approximately 300 FMC instances visible on Censys, 600-700 on FOFA. Cisco Security Cloud Control (SCC) Firewall Management - the cloud-based equivalent - is also affected by CVE-2026-20131 (note: the companion CVE-2026-20079 does not affect cloud-delivered FMC).
There are no workarounds. The only remediation is upgrading to a fixed release or discontinuing use.
ATTACK CHAIN
1. Initial Exploitation: Crafted HTTP request containing a malicious serialized Java object sent to a vulnerable FMC web management API endpoint. No authentication required.
2. Confirmation Callback: Compromised FMC issues an HTTP PUT request to an attacker-controlled external server, confirming successful exploitation.
3. Payload Delivery: Follow-up commands fetch an ELF binary from a remote server hosting Interlock's toolchain. The binary and associated artifacts are attributable to Interlock based on convergent technical and operational indicators.
4. Reconnaissance: PowerShell script systematically enumerates the compromised environment - OS details, running services, installed software, storage configuration, Hyper-V VM inventories, browser data (Chrome, Edge, Firefox, IE, 360 browser), RDP authentication logs, network connections, and user file listings.
Output organized into per-host directories on a centralized network share, compressed into ZIP archives for exfiltration.
5. Persistence (Multi-Layered): JavaScript RAT conceals itself by overriding browser console methods, communicates via WebSocket C2, and provides an interactive shell, file transfer, a SOCKS5 proxy, and self-update/delete capability.
Java RAT built on GlassFish libraries provides a redundant C2 path. Memory-resident webshell intercepts HTTP requests for encrypted command payloads, decrypts and executes entirely in memory with no disk artifacts.
ConnectWise ScreenConnect deployed for persistent remote desktop access.
6. Credential Harvesting: Volatility framework used for memory forensics to extract credentials from memory dumps. Certify tool used to identify and exploit vulnerable Active Directory Certificate Services templates.
7. Evasion Infrastructure: Bash script configures compromised Linux servers as HTTP reverse proxies using HAProxy on port 80. Deploys fail2ban for intrusion prevention. Cron job wipes logs every 5 minutes, erasing forensic evidence.
8. Lateral Movement: From FMC, attackers move into managed firewall infrastructure and internal networks. Multiple redundant remote access mechanisms ensure persistence survives individual backdoor removal.
9. Ransomware Deployment: After sufficient network penetration, data staging, and exfiltration, Interlock deploys encryption. The group maintains encryptors for both Windows and Linux, including VM encryption capability.
TECHNICAL FAILURE CHAIN
1. Internet-Exposed Management Plane. FMC web management interfaces were accessible from the public internet. Cisco's own advisory notes the attack surface is "reduced" when FMC lacks public internet access.
This single control would have prevented unauthenticated external exploitation entirely.
2. Insecure Deserialization (CWE-502). FMC processed user-supplied Java byte streams without validating them before deserialization.
This is a well-understood vulnerability class - OWASP has listed insecure deserialization as a top-10 risk since 2017. The absence of input validation on a management interface accepting Java serialized objects represents a fundamental secure coding failure.
3. No Workarounds Available. Unlike many critical vulnerabilities where network-level mitigations, configuration changes, or feature disablement can reduce risk, Cisco confirmed zero workarounds for CVE-2026-20131. Organizations that could not immediately patch had no compensating control except taking FMC offline entirely.
4. 36-Day Zero-Day Window. The gap between first observed exploitation (January 26) and public disclosure (March 4) meant organizations were blind to the threat for over five weeks.
Detection depends on monitoring the management system itself, which few organizations instrument at the depth required to detect insecure deserialization exploitation.
5. Companion Vulnerability Amplification. CVE-2026-20079 (authentication bypass, CVSS 10.0) was patched in the same update.
Defenders who patched only to a branch point sufficient for one CVE but not the other may have believed the emergency was resolved while leaving a second unauthenticated root path open.
REGULATORY EXPOSURE
Any organization compromised via CVE-2026-20131 faces regulatory exposure based on the data accessible through the managed firewall infrastructure:
- CISA BOD 22-01 - Federal Civilian Executive Branch agencies are legally mandated to remediate KEV-listed vulnerabilities by the due date. Non-compliance with the March 22 deadline creates direct federal regulatory exposure.
- HIPAA (US) - Healthcare organizations managing PHI behind Cisco FMC firewalls face potential violation of the Security Rule (45 CFR 164.312) for failure to implement technical safeguards. 60-day breach notification required. Fines up to $2.1M per violation category per year. Interlock has a documented pattern of targeting healthcare (DaVita, Kettering Health).
- SEC 8-K Disclosure Rules - Public companies must disclose material cybersecurity incidents within 4 business days. A CVSS 10.0 zero-day compromising the firewall management plane is likely material.
- CCPA/CPRA (California) - Organizations processing California resident data behind compromised FMC infrastructure face potential $7,500 per violation for intentional violations. The management-plane compromise provides access to all traffic transiting managed firewalls.
- FTC Act Section 5 - Failure to patch a CVSS 10.0 vulnerability with active exploitation confirmed by CISA constitutes potential unfair or deceptive trade practices under FTC's enforcement precedent for unreasonable security practices.
- GDPR Article 32 (EU) - Internet-exposed management interfaces processing unvalidated serialized objects fail the "appropriate technical and organisational measures" standard. Article 33 requires 72-hour notification to the supervisory authority. Fines up to 4% of annual global turnover or EUR 20M.
- UK GDPR / DPA 2018 - ICO enforcement mirrors GDPR. Fines up to GBP 17.5M or 4% of turnover.
- Saudi PDPL - Organizations in the Kingdom running Cisco FMC face potential fines up to SAR 5M (~$1.3M). NCA Essential Cybersecurity Controls mandate management-plane isolation for critical infrastructure.
- UAE PDPL (Federal Decree-Law No. 45/2021) - Administrative fines up to AED 5M (standard maximum); enhanced penalties may apply. TDRA regulations apply to telecom operators running Cisco firewall infrastructure.
ZERO|TOLERANCE Advisory
1. Isolate Management Planes From the Internet - FMC should never be directly accessible from the public internet. Management interfaces should be restricted to dedicated out-of-band management networks accessible only from hardened jump servers.
This single control would have prevented unauthenticated external exploitation entirely.
2. Emergency Patch Prioritization for CVSS 10.0 Management-Plane Vulnerabilities - The March 4 disclosure demanded same-day triage and emergency patching, not standard patch cycle processing.
CVSS 10.0 with no authentication required, no user interaction, changed scope, and targeting the management plane of security infrastructure cannot be queued behind routine updates.
3. Deploy Application-Layer Filtering for Management Interfaces - Web application firewalls or virtual patching in front of FMC management interfaces could detect and block malicious serialized Java objects.
Zscaler documented detection signatures (ZPA AppProtection 6000322 and 6000042) that identify Java deserialization and YSoSerial tool payloads.
4. Monitor for Unauthorized Remote Access Tool Deployments - Interlock deployed ConnectWise ScreenConnect version 25.2.4.9229 via four MSI installers delivering identical 14-file payloads to Program Files/ScreenConnect Client, communicating on port 8041. Organizations should maintain allowlists for approved remote access tools and alert on unauthorized installations, particularly ScreenConnect instances not provisioned by IT.
5. Behavioral Monitoring of FMC API Activity - Detect unusual patterns: crafted requests to specific API paths, outbound HTTP PUT callbacks to external servers (the exploitation confirmation step), and ELF binary downloads.
Standard FMC logging may not capture these events at the application layer - additional instrumentation is required.
6. Assume Compromise and Hunt - Any organization that ran an internet-facing FMC instance between January 26 and March 4, 2026 should assume potential compromise and conduct a forensic investigation.
Check for: unauthorized ScreenConnect installations, PowerShell reconnaissance scripts, JavaScript/Java RAT artifacts, memory-resident webshells, and anomalous outbound connections from the FMC appliance.
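Detection logic for items 3, 4 and 5 above, as an added example that is not code from the advisory or from any vendor it names: it scans log lines for the four indicators described (a serialized Java object arriving at the management interface, an outbound HTTP PUT from the appliance to an external host, an ELF download, and traffic to the ScreenConnect port 8041). The log format, the 10.0.0.5 appliance address, the sample lines and the /mgmt/PLACEHOLDER_ENDPOINT path are assumptions; the advisory does not name the vulnerable API path.

```python
import ipaddress
import re

# Defender-side magic values: a Java serialization stream starts with 0xACED0005
# ("rO0AB" once base64-encoded); ELF binaries start with 0x7F 'E' 'L' 'F'.
JAVA_SER_HEX, JAVA_SER_B64, ELF_HEX = "aced0005", "rO0AB", "7f454c46"
SCREENCONNECT_PORT = 8041  # port the ScreenConnect clients used (from the advisory)

# Simplified internal ranges; anything else (or a bare hostname) is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed log format (an assumption, not FMC's real log schema):
#   <IN|OUT> <src> <dst>:<port> <method> <path> <hex or base64 prefix of body, or ->
# IN lines carry the request body prefix; OUT lines carry the response body prefix.
LINE_RE = re.compile(r"^(?P<dir>IN|OUT)\s+(?P<src>\S+)\s+(?P<dst>\S+):(?P<port>\d+)\s+"
                     r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<body>\S+)$")


def is_external(host):
    """True when host is not in a known internal range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # hostname rather than IP: alert on it
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(lines):
    """Run the four detections over log lines; returns (line_no, rule, detail) tuples."""
    alerts = []
    for n, raw in enumerate(lines, 1):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed line: skip, do not abort the run
        d = m.groupdict()
        body, port, outbound = d["body"], int(d["port"]), d["dir"] == "OUT"
        # 1. Serialized Java object arriving at the management interface.
        if not outbound and (body.lower().startswith(JAVA_SER_HEX) or body.startswith(JAVA_SER_B64)):
            alerts.append((n, "java-serialized-object", f"{d['method']} {d['path']} from {d['src']}"))
        # 2. The appliance itself issuing HTTP PUT to an external host (exploit confirmation callback).
        if outbound and d["method"] == "PUT" and is_external(d["dst"]):
            alerts.append((n, "outbound-put-callback", f"PUT to {d['dst']}:{port}"))
        # 3. An ELF binary fetched by the appliance (payload delivery).
        if outbound and body.lower().startswith(ELF_HEX):
            alerts.append((n, "elf-download", f"{d['path']} from {d['dst']}"))
        # 4. Traffic to the ScreenConnect client port.
        if outbound and port == SCREENCONNECT_PORT:
            alerts.append((n, "screenconnect-port", f"{d['dst']}:{port}"))
    return alerts


# Constructed sample: 10.0.0.5 is the FMC appliance, /mgmt/PLACEHOLDER_ENDPOINT stands in
# for the unnamed API path, and the public addresses are documentation ranges.
SAMPLE_LOG = """\
IN  203.0.113.7 10.0.0.5:443 POST /mgmt/PLACEHOLDER_ENDPOINT aced00057372
IN  10.0.0.9    10.0.0.5:443 GET  /ui/login 3c68746d6c
OUT 10.0.0.5    198.51.100.20:80 PUT /confirm -
OUT 10.0.0.5    198.51.100.20:80 GET /stage/loader 7f454c4602
OUT 10.0.0.5    198.51.100.44:8041 POST / -
OUT 10.0.0.5    10.0.0.50:443 PUT /internal/api -
IN  203.0.113.8 10.0.0.5:443 POST /mgmt/PLACEHOLDER_ENDPOINT rO0ABXNyABE
"""

if __name__ == "__main__":
    for line_no, rule, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {rule} ({detail})")
```

The internal PUT on line 6 and the ordinary login on line 2 raise nothing, which is the point of keying rule 2 on the destination rather than on the method alone.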
INTELLIGENCE GAPS
The following gaps exist in the public record for this incident:
1. The total number of organizations compromised via CVE-2026-20131 during the 36-day zero-day window has not been disclosed by Cisco, Amazon, or CISA. Passive OSINT identifies 300-700 internet-facing FMC instances (Censys/FOFA), providing a ceiling for potential exposure, but the actual compromise count remains unknown.
2. Interlock's relationship to Rhysida ransomware is assessed with low confidence (Cisco Talos) based on code overlaps in encryptor exclusion lists. The nature of the connection - shared developers, code licensing, or independent evolution - remains unclear.
Microsoft's parallel connection to Vice Society (Vanilla Tempest) adds complexity without clarity.
3. The Slopoly AI-generated malware identified by IBM X-Force was assessed as AI-generated with "high confidence" based on code characteristics, but this assessment has not been confirmed through attribution to a specific AI model or development workflow.
4. The temporal analysis placing Interlock operators in the UTC+3 timezone (75-80% confidence) is based on artifact timestamps from a single misconfigured server and could reflect operational security deception rather than true geographic location.
5. Whether the companion vulnerability CVE-2026-20079 (authentication bypass, CVSS 10.0) was also exploited in the wild prior to disclosure has not been confirmed - Cisco's advisory confirmed exploitation only for CVE-2026-20131. Note: CVE-2026-20079 only affects on-premises FMC, not cloud-delivered FMC.
6. The deployment scope of Interlock's "Hotta Killer" BYOVD tool (CVE-2025-61155, GameDriverX64.sys) beyond FortiGuard Labs' single documented case is unknown. Whether this defense-evasion technique was used in the FMC campaign specifically has not been established.
SOURCES
Cisco PSIRT (cisco-sa-fmc-rce-NKhnULJh), NVD (CVE-2026-20131), CISA KEV Catalog, CISA/FBI Advisory AA25-203A, AWS Security Blog, The Hacker News, Help Net Security, The Register, The Record, CSO Online, Security Affairs, BleepingComputer, Zscaler ThreatLabz, Qualys ThreatPROTECT, IBM X-Force, Sekoia, Arctic Wolf, Penligent, Purple Ops, FortiGuard Labs, VulnCheck, ransomware.live, Censys, FOFA