By Zeljka Zorz
Publication Date: 2026-03-20 13:21:00
A critical vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center (FMC) that Cisco disclosed and patched in early March 2026 has been exploited as a zero-day by the Interlock ransomware gang, Amazon CISO and VP of Security Engineering CJ Moses revealed.
“Our research [using Amazon’s MadPot system of honeypots] found that Interlock was exploiting this vulnerability 36 days before its public disclosure, beginning January 26, 2026,” he said on Wednesday.
CVE-2026-20131 exploited as zero-day for weeks
Cisco Secure Firewall Management Center is used by organizations to centrally manage Cisco Secure Firewall devices.
CVE-2026-20131 affects the FMC web-based management interface and stems from insecure deserialization of a user-supplied Java byte stream.
The vulnerability can be exploited by unauthenticated, remote attackers by sending a crafted serialized Java object to the management interface of a vulnerable device, and can lead to code execution and…
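A detection-side illustration of the bug class described above, added here and not taken from the article, Cisco or Amazon: it flags Java serialized streams in a request body by their stream header, raw or base64-encoded, and reads the top-level class name for triage. The sample bodies and the class name `com.example.Sample` are constructed; the actual exploit traffic and the FMC request format are not known from this page.

```python
import base64
import re
import struct

STREAM_HEADER = b"\xac\xed\x00\x05"  # STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72
# Base64 of the header always begins "rO0AB" (standard and URL-safe alphabets).
B64_RUN = re.compile(rb"rO0AB[A-Za-z0-9+/_-]*")

def top_level_class(stream: bytes):
    """Class name of the first object in a serialized stream, or None."""
    # Layout: header, TC_OBJECT, TC_CLASSDESC, u16 length, class name bytes.
    if len(stream) < 8 or stream[4] != TC_OBJECT or stream[5] != TC_CLASSDESC:
        return None
    (name_len,) = struct.unpack(">H", stream[6:8])
    name = stream[8:8 + name_len]
    if len(name) != name_len:
        return None  # truncated stream
    return name.decode("utf-8", errors="replace")

def find_java_serialized(body: bytes):
    """Return [(encoding, offset, class_name)] for each stream header in body."""
    findings = []
    start = body.find(STREAM_HEADER)
    while start != -1:
        findings.append(("raw", start, top_level_class(body[start:])))
        start = body.find(STREAM_HEADER, start + 1)
    for m in B64_RUN.finditer(body):
        token = m.group().replace(b"-", b"+").replace(b"_", b"/")
        token = token[:len(token) - len(token) % 4]  # drop a partial final group
        decoded = base64.b64decode(token)
        findings.append(("base64", m.start(), top_level_class(decoded)))
    return findings

# Constructed sample: header plus object and class descriptor for a made-up class.
SAMPLE_CLASS = b"com.example.Sample"
SAMPLE_STREAM = (STREAM_HEADER + bytes([TC_OBJECT, TC_CLASSDESC])
                 + struct.pack(">H", len(SAMPLE_CLASS)) + SAMPLE_CLASS + b"\x00" * 8)
SAMPLE_BODIES = {
    "raw": b"POST-body-prefix" + SAMPLE_STREAM,
    "base64": b"data=" + base64.b64encode(SAMPLE_STREAM),
    "benign": b'{"user": "alice", "action": "login"}',
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, find_java_serialized(body))
```

A hit is a triage signal rather than proof of exploitation: some applications send serialized Java objects legitimately, so findings need to be correlated with the endpoint and source.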