The US Cybersecurity and Infrastructure Security Agency (CISA) has told all federal civilian agencies to patch a critical remote code execution (RCE) vulnerability in a Cisco firewall product, as ransomware actors circle.
CVE-2026-20131 affects the web-based management interface of Cisco Secure Firewall Management Center (FMC). With a maximum CVSS score of 10, it could “allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device,” according to the vendor.
It was patched by Cisco on March 4 after reports the Interlock ransomware group had been exploiting it as a zero day for several months.
CISA added the CVE to its known exploited vulnerabilities (KEV) catalog on Thursday 19 March, giving agencies just three days to patch it or “discontinue use of the product if mitigations are unavailable.”
That’s an unusually short timeline for CISA, reflective of the urgency of the situation. The entry also has a warning note attached stating that the CVE is “known to be used in ransomware campaigns.”
Read more on Cisco zero days: Global Cyber Agencies Urge Immediate Patching of Cisco SD-WAN Zero Day.
Cisco Secure Firewall Management Center (FMC) is described by the vendor as providing an “administrative nerve center” for Cisco network security products. It delivers centralized management of firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection, Cisco said.
This vulnerability is “due to insecure deserialization of a user-supplied Java byte stream,” according to the CVE Program.
“An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device,” it explained. “A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.”
How Attackers Are Using the CVE
AWS published a detailed write up of the Interlock campaign last week, warning that it had been exploiting CVE-2026-20131 in attacks since January 26.
After gaining initial access via the bug, the attackers used a variety of post-exploitation tools and techniques for persistence. These included a PowerShell script for Windows environment enumeration, and two custom remote access trojans (RATs), written in JavaScript and Java, for persistent control.
Also spotted by AWS was a “persistent memory-resident backdoor” that intercepted HTTP requests entirely in memory to evade AV detection.
The group also covered its bases by installing legitimate remote desktop tool ConnectWise ScreenConnect as a backup entry point in case they were discovered.
Additionally, they used open source memory forensics framework Volatility for parsing memory dumps in order to access credentials stored in RAM for lateral movement and deeper compromise.
They deployed security tool Certify to identify and exploit misconfigurations in Active Directory Certificate Services (AD CS). It enables threat actors to request “authentication-capable certificates” which can be used to impersonate users, escalate privileges or maintain persistent access, AWS said.
The write up included a long list of potential defensive actions, ranging from immediate tasks to patch and identify potential compromise, to detection opportunities, and longer term defense-in-depth measures.
Although the CISA mandate only applies to federal agencies, the private sector is encouraged to follow the same guidance as best practice.
