Interlock’s 45-Day Zero-Day: CVE-2026-20131

Key Takeaways

• CVE-2026-20131 is a CVSS 10.0 unauthenticated remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC), caused by insecure Java deserialization. It requires no authentication and no user interaction to exploit, and there is no workaround — patching is the only mitigation [1].
• Interlock ransomware operators began exploiting CVE-2026-20131 on January 26, 2026, a full 36 days before Cisco’s public disclosure and patch release on March 4, 2026 [2][3]. This scenario meets the defining criteria of zero-day exploitation: defenders had no patch, no CVE identifier, and no official guidance during the entire pre-disclosure period.
• A companion CVSS 10.0 vulnerability, CVE-2026-20079, was disclosed simultaneously on March 4, 2026, providing a second unauthenticated path to root on the same management plane. Together, these vulnerabilities provide redundant unauthenticated root access to one of the highest-value network control points in enterprise environments [4].
• The 2025 industry-wide average time-to-exploit for disclosed vulnerabilities has compressed to 44 days — down from 296 days in 2023 and 745 days in 2020, a 94 percent reduction over five years [5]. The CVE-2026-20131 case, with its negative exploitation window, represents an extreme but increasingly plausible outcome of this trend.
• Organizations running on-premises Cisco Secure FMC must apply the March 4, 2026 patch immediately. CISA added CVE-2026-20131 to its Known Exploited Vulnerabilities catalog on March 19, 2026, with a federal remediation deadline of March 22, 2026 [6].

Background

Interlock Ransomware: A Closed, Targeted Operation

Interlock ransomware emerged in late September 2024 as a distinctly structured threat. Unlike the dominant ransomware-as-a-service (RaaS) model — in which a core developer group licenses malware to independent affiliates — Interlock operates as a closed organization that develops and deploys its own tooling from initial access through encryption and extortion. This closed architecture likely reduces the information leakage that has historically allowed law enforcement and threat researchers to infiltrate RaaS affiliate networks, potentially making Interlock operationally harder to track [7].

The group’s targeting profile spans healthcare, education, engineering and construction, manufacturing, government, and components of the defense industrial base supply chain. Interlock employs a double-extortion model: sensitive data is exfiltrated before encryption, and victims are threatened with publication on a dedicated leak site if ransom demands are not met [7][8]. Confirmed major incidents include an attack on DaVita, a large U.S. dialysis provider, in which Interlock claimed to have exfiltrated between 1.5 and 20-plus terabytes of data; DaVita’s subsequent breach reporting identified approximately 2.7 million potentially affected individuals [9]. The group also struck the City of St. Paul, Minnesota in July 2025 [10].

Interlock’s initial access techniques have included drive-by downloads from compromised legitimate websites, ClickFix social engineering (malicious fake CAPTCHA prompts that execute PowerShell), and payloads disguised as browser, security software, or VPN client updates. Once inside a network, the group uses a broad toolkit: Cobalt Strike and SystemBC for command-and-control, Lumma and Berserk stealers for credential theft, and Azure Storage Explorer with AzCopy for data exfiltration to Azure blob storage [11].

CVE-2026-20131 and CVE-2026-20079: Twin CVSS 10.0 Vulnerabilities in Cisco FMC

Cisco Secure Firewall Management Center is the centralized management plane for Cisco’s Firepower next-generation firewalls. It provides policy configuration, event analysis, and administrative control across managed firewall nodes. This architectural position — visibility and control over an organization’s perimeter defenses — makes it an extremely high-value target. Compromising FMC is functionally equivalent to compromising the organization’s firewall posture: an attacker with root on FMC can read traffic policies, inject rule modifications, extract credentials, and facilitate unrestricted lateral movement through the defended network.

CVE-2026-20131 is a critical vulnerability in the web-based management interface of Cisco Secure FMC. It arises from insecure deserialization of user-supplied Java byte streams (CWE-502): a remote, unauthenticated attacker can send a crafted serialized Java object via HTTP to the management interface and trigger arbitrary code execution as root. No authentication is required, no user interaction is needed, and the vulnerability scores a CVSS 3.1 base score of 10.0 with a vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. Cisco confirmed there is no workaround; patching is mandatory [1].

CVE-2026-20079, disclosed simultaneously on March 4, 2026, is an authentication bypass affecting the same product. This vulnerability arises from an improperly created system process that runs at boot, allowing an unauthenticated attacker to execute scripts as root on the device. It also carries a CVSS 3.1 score of 10.0. While exploitation of CVE-2026-20079 in the wild had not been confirmed in available reporting at the time of this writing, proof-of-concept code appeared on GitHub shortly after disclosure [4]. The co-existence of two independent CVSS 10.0 vulnerabilities in the same product means that patching one without the other leaves full compromise capability in attacker hands.

Affected versions of Cisco Secure FMC span a wide range: 6.4.0.13 through 6.4.0.18, 7.0.0 through 7.0.8.1, 7.1.0 through 7.1.0.3, 7.2.0 through 7.2.10.2, 7.3.0 through 7.3.1.2, 7.4.0 through 7.4.5, 7.6.0 through 7.6.4, and 7.7.0 through 7.7.11 [1]. The breadth of this version range means that organizations running any unpatched FMC release are at risk regardless of when they last updated.

Security Analysis

The Exploitation Timeline: 36 Days of Uncontested Access

Amazon’s MadPot threat intelligence platform first detected active exploitation of CVE-2026-20131 on January 26, 2026 [2]. Cisco disclosed the vulnerability and released patches 36 days later, on March 4, 2026 [1]. During that entire interval, no CVE identifier existed, no official advisory was available, and no patch could be applied. Organizations whose FMC instances were internet-accessible — or reachable from compromised internal hosts — had no patch-based means of remediation. In this scenario, defenders’ response options were structurally constrained not by organizational slowness but by the absence of a vendor-supplied fix — the most consequential form of zero-day exploitation.

The attack chain Interlock deployed against CVE-2026-20131 is detailed and multi-stage. Attackers delivered crafted serialized Java objects to the FMC web management interface, triggering an HTTP PUT request to an external server that confirmed successful compromise. A subsequent ELF binary containing the full attack toolkit was deployed. PowerShell reconnaissance scripts enumerated the Windows environment. Custom JavaScript and Java-based remote access trojans established persistent command-and-control channels. Bash scripts converted Linux servers into HTTP reverse proxies. Memory-resident webshells enabled encrypted command execution. Tools including Volatility Framework and Certify were used to extract credentials and escalate privileges across the managed environment. Finally, logs were wiped to impede forensic analysis [2][3].

An operationally significant discovery arose from Interlock’s infrastructure management: Amazon researchers identified misconfigured servers within Interlock’s own infrastructure that exposed the group’s complete toolkit, organized by target. This enabled detailed forensic reconstruction of the campaign and allowed researchers to infer an operational timezone consistent with UTC+3 — though timezone inference from activity patterns should be treated as an analytical conclusion rather than confirmed attribution [2].

The Structural Problem: Patch Latency vs. Exploitation Velocity

The CVE-2026-20131 incident is an acute illustration of a structural problem that has been deteriorating steadily across the vulnerability management ecosystem. Flashpoint’s 2025 research on time-to-exploit (TTE) for disclosed vulnerabilities found that the average time between public disclosure and confirmed exploitation compressed from 745 days in 2020 to 44 days in 2025 — a 94 percent reduction over five years [5]. The direction of this trend is unambiguous: attackers are exploiting disclosed vulnerabilities faster than enterprise patch cycles can respond.

The complementary patching data compounds this problem. Industry research indicates that the average enterprise requires approximately 60 days to patch a critical vulnerability after public disclosure, with 77 percent of organizations needing more than one week to complete a patch deployment [12][13]. This creates a structural exposure window even for N-day vulnerabilities: if the average exploitation onset is 44 days post-disclosure and the average patch completion is 60 days post-disclosure, organizations running typical patch cycles face an average exposure window of approximately 16 days on any given critical vulnerability — and often longer, given the 77 percent of organizations requiring more than one week to complete deployment.

The following table summarizes the timeline of the CVE-2026-20131 incident against these industry benchmarks.

For the zero-day phase alone (January 26 to March 4, 2026), affected organizations had no vendor-supplied fix available. The compound effect of the two simultaneous CVSS 10.0 vulnerabilities means that even organizations that had implemented network segmentation or access controls for FMC may have faced exposure if those controls were not applied consistently across both vulnerability classes.

Why FMC Is a High-Consequence Target

The FMC compromise pattern suggests that sophisticated ransomware operators prioritize management planes in part because compromising them amplifies downstream impact. An FMC installation with root-level attacker access is not merely a compromised server — it is a compromised view of, and control plane over, the organization’s firewall infrastructure. Attackers can read traffic policies to identify gaps, modify rules to permit additional access paths, harvest credentials for managed devices, and use the management network connectivity that FMC inherently requires to move laterally to network segments that would otherwise be isolated [2][3].

This pattern is consistent with a broader observed trend in sophisticated ransomware and advanced persistent threat campaigns: as documented in recent threat intelligence reporting, attackers have increasingly targeted identity providers, cloud management APIs, and network orchestration layers rather than individual endpoints [2]. The convergence toward management and control planes reflects a strategic logic — compromising the systems that govern infrastructure yields access to everything those systems govern, without requiring exploitation of each component individually.

Recommendations

Immediate Actions

Organizations running on-premises Cisco Secure FMC should treat patching as an emergency response, not a routine change management activity. Cisco’s March 4, 2026 advisory addresses both CVE-2026-20131 and CVE-2026-20079; both must be applied. Because exploitation of CVE-2026-20131 predates the patch by 36 days, organizations should assume that unpatched FMC instances that were reachable from external networks or from compromised internal hosts during the January 26 to March 4 window may already be compromised. Patching alone does not remediate an active compromise; incident response procedures should be initiated in parallel with patch deployment.

Network telemetry review should focus on the indicators associated with Interlock’s post-exploitation toolkit: anomalous HTTP PUT requests to external hosts originating from FMC, unexpected ELF binary execution on Linux-based FMC nodes, new or modified PowerShell execution on Windows hosts in the management network, unusual credential use associated with Volatility Framework or Certify tooling, and outbound data transfers to Azure blob storage endpoints via AzCopy.

Short-Term Mitigations

For organizations that cannot immediately patch, reducing the attack surface of the FMC management interface is the highest-priority intermediate step. The FMC management web interface should not be accessible from the public internet under any operational scenario; if it is, that exposure should be remediated immediately via network access controls or firewall policy regardless of whether the patch has been applied. Inbound access to the FMC interface should be restricted to administrative jump hosts that are themselves subject to multi-factor authentication and privileged access workstation controls.

Monitoring should be enhanced across all FMC-adjacent network paths. HTTP-based deserialization attacks produce observable network artifacts — specifically, the delivery of large, structured binary payloads to application ports followed by unusual callback traffic patterns. Security teams with network detection and response (NDR) capabilities should tune for these patterns, and those without dedicated NDR tooling should review firewall and proxy logs for the relevant indicators.

Organizations should also audit whether CVE-2026-20079 has received independent attention in their remediation workflow. Because both vulnerabilities were disclosed simultaneously, there is a risk that patch tracking systems have collapsed them into a single item. They are separate vulnerabilities requiring the same patch but deserving separate verification of remediation.

Strategic Considerations

The CVE-2026-20131 incident provides a concrete basis for revisiting the assumptions embedded in standard enterprise patch management programs. Traditional patch SLAs — typically 30 days for critical vulnerabilities and 90 days for high-severity vulnerabilities [12][13] — were developed during a period when the average time from public disclosure to confirmed exploitation was measured in months. With the 2025 average compressed to 44 days [5] and zero-day exploitation occurring at pre-disclosure rates in cases like this one, those SLAs no longer provide meaningful protection for the most severe vulnerability classes.

Security programs should consider tiered response policies that distinguish between N-day vulnerabilities and zero-days or newly disclosed critical vulnerabilities in actively targeted products. For the latter category, a 48-to-72-hour emergency patching posture — with compensating controls deployed in parallel — is more appropriate than the standard monthly patching cycle. This requires pre-authorized change windows for emergency security patches and clear escalation paths that bypass normal change advisory board timelines.

Architecturally, organizations should evaluate the degree to which management planes — including FMC, hypervisor management consoles, cloud management APIs, and identity provider administration interfaces — are segregated from production networks and protected by controls independent of the managed infrastructure itself. A management plane that relies on the security controls it manages for its own protection creates a circular dependency: if FMC’s only network access control is a firewall rule enforced by the firewalls FMC manages, a root-level FMC compromise may allow the attacker to remove that rule. When the managed perimeter is compromised, a circularly dependent management plane is immediately at risk. Addressing this requires independent protective controls for the management layer itself.

CSA Resource Alignment

This incident and the vulnerability class it represents connect directly to several areas of CSA guidance. The MAESTRO framework for agentic AI threat modeling addresses the management plane compromise pattern in its analysis of Layer 6 (integration ecosystems) threats, where compromise of orchestration or management tooling cascades through dependent systems in ways that individual component security controls cannot prevent [16]. The FMC scenario — a single compromised management node propagating attacker access across a managed firewall estate — is structurally analogous to the agent orchestrator compromise scenarios MAESTRO addresses.

The CSA Cloud Controls Matrix (CCM) and AICM (AI Controls Matrix) both address vulnerability management lifecycle requirements under the Threat and Vulnerability Management (TVM) domain. The CVE-2026-20131 case illustrates a gap that TVM controls must account for: the period between first exploitation and public disclosure, during which standard vulnerability management processes cannot function because no CVE identifier or patch exists. Compensating controls for this gap — management plane network isolation, behavioral detection, and emergency response procedures — should be mapped to TVM control objectives.

CSA’s Zero Trust guidance is directly relevant to the architectural remediation this incident motivates. A zero trust network architecture applied to the management plane — requiring continuous verification of identity and device posture for all FMC administrative access, regardless of network location — is designed to structurally limit lateral movement from a compromised management plane. The absence of lateral movement controls between the FMC management network and production networks amplifies the impact of every management plane vulnerability; zero trust segmentation addresses this structurally rather than reactively.

CSA’s earlier work on the CAVEaT cloud adversarial vector taxonomy [14] and on vulnerability data quality [15] provides additional framing for the systemic issues this incident illustrates: the problem is not merely that one vendor had a critical bug, but that the interaction of exploitation velocity, patch latency, and management plane architecture creates conditions under which even well-resourced organizations have no patch-based response available during the zero-day window.

References

[1] Cisco Systems, “Cisco Secure Firewall Management Center Software Remote Code Execution Vulnerability (CVE-2026-20131),” Cisco Security Advisory, March 4, 2026. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-CjpPqoem

[2] Amazon Web Services, “Amazon Threat Intelligence Teams Identify Interlock Ransomware Campaign Targeting Enterprise Firewalls,” AWS Security Blog, March 2026. https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/

[3] Security Affairs, “Interlock Group Exploiting CVE-2026-20131 36 Days Before Disclosure,” Security Affairs, March 18, 2026. https://securityaffairs.com/189636/malware/interlock-group-exploiting-the-cisco-fmc-flaw-cve-2026-20131-36-days-before-disclosure.html

[4] Arctic Wolf, “CVE-2026-20079 and CVE-2026-20131: Twin Critical Vulnerabilities in Cisco FMC,” Arctic Wolf Blog, March 2026. https://arcticwolf.com/resources/blog/cve-2026-20079-cve-2026-20131/

[5] Flashpoint, “N-Day Vulnerability Trends: The Shrinking Window of Exposure,” Flashpoint Research, 2025. https://flashpoint.io/blog/n-day-vulnerability-trends-turn-key-exploitation/

[6] CISA, “Known Exploited Vulnerabilities Catalog: CVE-2026-20131,” March 19, 2026. https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[7] Arctic Wolf, “Threat Actor Profile: Interlock Ransomware,” Arctic Wolf Blog, August 15, 2025. https://arcticwolf.com/resources/blog/threat-actor-profile-interlock-ransomware/

[8] CISA, “StopRansomware: Interlock (AA25-203A),” CISA Cybersecurity Advisory, 2025. https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a

[9] HIPAA Journal, “DaVita Ransomware Attack: Interlock Claims 2.7 Million Affected,” HIPAA Journal, 2025. https://www.hipaajournal.com/davita-ransomware-attack/

[10] HIPAA Journal, “Feds Issue Interlock Ransomware Warning,” HIPAA Journal, 2025. https://www.hipaajournal.com/interlock-ransomware-alert-2025/

[11] Resecurity, “How Interlock Ransomware Affects the Defense Industrial Base Supply Chain,” Resecurity Blog, 2025. https://www.resecurity.com/blog/article/how-interlock-ransomware-affects-the-defense-industrial-base-supply-chain

[12] Gitnux, “Patch Management Statistics 2026,” Gitnux, 2026. https://gitnux.org/patch-management-statistics/

[13] Expert Insights, “Patch Management Statistics and Trends 2025,” Expert Insights, 2025. https://expertinsights.com/it-management/patch-management-statistics-and-trends-2025

[14] CSA, “Cloud Adversarial Vectors, Exploits, and Threats (CAVEaT),” CSA Research Report, 2023. https://cloudsecurityalliance.org/research/working-groups/top-threats/

[15] CSA, “Top Concerns with Vulnerability Data,” CSA Research Report, 2024. https://cloudsecurityalliance.org/research/

[16] CSA, “MAESTRO: A Multi-Layer Framework for AI Threat Modeling in Agentic Systems,” CSA AI Safety Initiative, 2025. https://cloudsecurityalliance.org/research/working-groups/ai-safety-initiative/