
Cisco Firewall Zero-Day Exploited by Interlock Ransomware

Cisco's Firewall Management Center vulnerability CVE-2026-20131 has been actively exploited by Russian-linked Interlock ransomware operators since January 2026.

Evan Mael
19 March 2026, 09:57

Last updated 20 March 2026, 22:00

Severity: Critical 9.8/10
CVE ID: CVE-2026-20131
Exploit: Active Exploit
Patch status: Available
Vendor: Cisco
Affected: Firewall Management Center (FM...
Category: Vulnerabilities


Cisco FMC Zero-Day Powers Interlock Ransomware Campaign

A critical vulnerability in Cisco's Firewall Management Center (FMC) software has been actively exploited as a zero-day attack vector by the Interlock ransomware group since late January 2026. The flaw, tracked as CVE-2026-20131, allows remote attackers to execute arbitrary code on vulnerable FMC systems without authentication. Amazon's security research team discovered evidence of the exploitation during their investigation into recent ransomware incidents affecting multiple organizations.

The vulnerability affects the web-based management interface of Cisco FMC, which organizations use to centrally manage their Cisco Firepower Next-Generation Firewall deployments. Attackers exploited a path traversal weakness combined with improper input validation to upload malicious files and gain initial access to target networks. The Interlock ransomware operators then leveraged this foothold to move laterally through compromised environments and deploy their encryption payloads.

Cisco disclosed the vulnerability on March 18, 2026, after coordinating with Amazon's threat intelligence team and confirming active exploitation in the wild. The networking giant assigned a CVSS score of 9.8 to the flaw, reflecting its critical severity and the ease of exploitation. Security researchers noted that the vulnerability requires no user interaction and can be exploited remotely over the network, making it particularly attractive to ransomware operators seeking initial access vectors.

The Cybersecurity and Infrastructure Security Agency (CISA) moved quickly to add CVE-2026-20131 to its Known Exploited Vulnerabilities catalog on March 19, 2026, mandating that federal agencies patch affected systems within 21 days. This rapid inclusion underscores the severity of the threat and the confirmed exploitation by ransomware groups targeting critical infrastructure organizations.


Cisco FMC Deployments Under Active Attack

The vulnerability impacts all versions of Cisco Firewall Management Center software prior to version 7.4.2, affecting thousands of organizations worldwide that rely on Cisco's security management platform. Enterprise networks running FMC versions 6.6.0 through 7.4.1 are particularly vulnerable, as these releases contain the exploitable code path that Interlock ransomware operators have been targeting. Organizations using FMC in on-premises deployments face the highest risk, as the vulnerability can be exploited directly through internet-facing management interfaces.

Amazon's threat intelligence analysis revealed that the Interlock ransomware group specifically targeted organizations in the manufacturing, healthcare, and financial services sectors during their exploitation campaign. The attackers appeared to focus on mid-to-large enterprises with complex network infrastructures that rely heavily on centralized firewall management. Security researchers estimate that over 15,000 FMC instances globally may be vulnerable to this attack vector, based on internet scanning data and Cisco's installed base statistics.

The exploitation campaign particularly affected organizations that exposed their FMC management interfaces to the internet for remote administration purposes. Many companies adopted this configuration during the pandemic to enable remote security management, inadvertently creating attack surfaces that ransomware operators could exploit. The vulnerability also impacts FMC deployments in cloud environments, where organizations often configure management access through public IP addresses or VPN concentrators.

Immediate Patching and Mitigation Required

Cisco released emergency patches for CVE-2026-20131 on March 18, 2026, urging customers to update their FMC software immediately. The fix is available in FMC version 7.4.2 and later releases, which address the path traversal vulnerability and implement additional input validation controls. Organizations should prioritize patching internet-facing FMC instances first, as these systems face the highest risk of exploitation by ransomware operators.

For organizations unable to patch immediately, Cisco recommends implementing network-level access controls to restrict FMC management interface access to trusted IP addresses only. Administrators should configure firewall rules to block external access to TCP ports 443 and 8305, which the FMC web interface uses for HTTPS connections. Additionally, organizations should enable multi-factor authentication for all FMC administrative accounts and review access logs for suspicious authentication attempts or file upload activities.

The official Cisco security advisory provides detailed remediation guidance, including specific configuration commands for implementing access restrictions. Security teams should also deploy network monitoring tools to detect lateral movement patterns consistent with Interlock ransomware tactics, such as unusual SMB traffic, credential dumping activities, and attempts to access domain controllers. Organizations that suspect compromise should immediately isolate affected FMC systems and engage incident response teams to assess the scope of potential ransomware deployment.
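The advice above to review management-interface access logs for suspicious authentication attempts, file uploads and path-traversal activity can be turned into a small triage routine. The following is an added example, not Cisco's tooling or the author's own code. The log lines are constructed for illustration in a generic combined-style web log format; real FMC logs are laid out differently, so the LINE pattern and the trusted-network list are assumptions to adapt before use.

```python
"""Triage of management-interface access logs for the activity described above.

Added example (not Cisco's or the article author's code). Sample log lines are
constructed in a generic combined-style format; the real FMC log layout differs,
so adapt LINE and TRUSTED_NETS to your environment.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Assumed trusted administrative networks; replace with your own ranges.
TRUSTED_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Generic combined-style access log line (assumed format, not FMC's own).
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Number of 401/403 responses from one address before it is reported.
FAILED_LOGIN_THRESHOLD = 3

# Constructed sample: one trusted admin session and one untrusted address
# (TEST-NET-3) failing to log in, then writing via an encoded ../ path.
SAMPLE_LOG = """\
10.20.3.14 - admin [19/Mar/2026:08:01:12 +0000] "GET /mgmt/login HTTP/1.1" 200 1532
203.0.113.77 - - [19/Mar/2026:08:02:40 +0000] "POST /mgmt/login HTTP/1.1" 401 0
203.0.113.77 - - [19/Mar/2026:08:02:41 +0000] "POST /mgmt/login HTTP/1.1" 401 0
203.0.113.77 - - [19/Mar/2026:08:02:43 +0000] "POST /mgmt/login HTTP/1.1" 401 0
203.0.113.77 - - [19/Mar/2026:08:05:09 +0000] "POST /mgmt/upload/..%2f..%2ftmp/x HTTP/1.1" 200 12
10.20.3.14 - admin [19/Mar/2026:08:10:00 +0000] "GET /mgmt/policies HTTP/1.1" 200 9021
"""


def is_trusted(ip_text):
    """True when the client address falls inside an allowed admin network."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in TRUSTED_NETS)


def has_traversal(path):
    """Detect ../ sequences, raw or URL-encoded (decoded twice for double encoding)."""
    decoded = unquote(unquote(path))
    return "../" in decoded or "..\\" in decoded


def triage(lines):
    """Return {client_ip: {finding: count}} for every client seen in the log."""
    report = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparsable line; a production version should count these
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        stats = report[ip]  # creates an (empty) entry for well-behaved clients too
        if not is_trusted(ip):
            stats["untrusted-source"] += 1
            if method in ("POST", "PUT", "DELETE"):
                stats["write-from-untrusted"] += 1
        if has_traversal(path):
            stats["path-traversal"] += 1
        if status in (401, 403):
            stats["auth-failure"] += 1
    return {ip: dict(c) for ip, c in report.items()}


def alerts(report):
    """Reduce the per-client report to sorted (ip, alert) tuples worth acting on."""
    out = []
    for ip, c in report.items():
        if c.get("path-traversal"):
            out.append((ip, "path-traversal"))
        if c.get("write-from-untrusted"):
            out.append((ip, "write-from-untrusted"))
        if c.get("auth-failure", 0) >= FAILED_LOGIN_THRESHOLD:
            out.append((ip, "repeated-auth-failures"))
    return sorted(out)


if __name__ == "__main__":
    for ip, kind in alerts(triage(SAMPLE_LOG.splitlines())):
        print(f"{ip}: {kind}")
```

Any write request from outside the trusted ranges is reported regardless of its response code, because an internet-exposed management interface should not be receiving such requests at all once the recommended access restrictions are in place; the traversal and failed-login checks are independent of source address so that they still fire for traffic from an address that has been allowlisted by mistake.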

Frequently Asked Questions

How do I check if my Cisco FMC is vulnerable to CVE-2026-20131?
Log into your FMC web interface and navigate to System > Configuration > Device Management to check your software version. Any FMC running version 6.6.0 through 7.4.1 is vulnerable and should be patched immediately to version 7.4.2 or later.

What is the Interlock ransomware group targeting with this exploit?
Interlock ransomware operators are specifically targeting manufacturing, healthcare, and financial services organizations with internet-facing FMC management interfaces. They exploit the vulnerability to gain initial network access before deploying ransomware payloads.

Can I protect my FMC without patching immediately?
Yes, restrict FMC management interface access to trusted IP addresses only by blocking external access to TCP ports 443 and 8305. Enable multi-factor authentication for all administrative accounts and monitor access logs for suspicious activity until you can apply the patch.
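The version check described in the first FAQ answer and in the patching section (6.6.0 through 7.4.1 affected, fixed in 7.4.2 and later) is easy to get wrong when done by string comparison, so here is an added example that does it numerically across an inventory. This is not Cisco's tooling or the author's code; the inventory and its version strings are constructed, and the assumption that the UI shows a dotted version such as "7.4.1" (optionally followed by a build suffix) is mine.

```python
"""Classify FMC instances by version against the affected range stated above.

Added example, not Cisco's tooling. The affected range (6.6.0 <= v < 7.4.2)
comes from the article; the inventory below is constructed.
"""
import re

FIRST_AFFECTED = (6, 6, 0)   # earliest affected release named in the article
FIXED = (7, 4, 2)            # first fixed release named in the article


def parse_version(text):
    """Extract the dotted numeric version from strings like '7.4.1 (build 43)'."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def normalize(version, width=3):
    """Right-pad short versions so that 7.4 compares as 7.4.0, not below it."""
    return tuple(version) + (0,) * max(0, width - len(version))


def is_vulnerable(version_text):
    """True when the version lies inside the affected range stated in the article."""
    return FIRST_AFFECTED <= normalize(parse_version(version_text)) < FIXED


def triage(inventory):
    """Split {hostname: version_text} into (needs_patch, ok) sorted name lists."""
    needs_patch, ok = [], []
    for host, version_text in inventory.items():
        (needs_patch if is_vulnerable(version_text) else ok).append(host)
    return sorted(needs_patch), sorted(ok)


# Constructed inventory for demonstration.
SAMPLE_INVENTORY = {
    "fmc-dc1": "7.4.1 (build 43)",
    "fmc-dc2": "7.4.2",
    "fmc-lab": "6.6.0",
    "fmc-old": "6.4.0",
    "fmc-branch": "7.2.5.1",
    "fmc-new": "7.6.0",
}

if __name__ == "__main__":
    needs_patch, ok = triage(SAMPLE_INVENTORY)
    print("needs patch:", ", ".join(needs_patch))
    print("ok:", ", ".join(ok))
```

Tuple comparison gives the right ordering for four-part versions such as 7.2.5.1 (above 7.2.5, below 7.2.6) without any string tricks; the only trap is a two-part version like "7.4", which the padding in normalize handles. Internet-facing instances in the needs_patch list should be scheduled first, as the patching section advises.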
About the Author

Evan Mael

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
