By Dark Reading
Publication Date: 2026-03-20 13:00:00
Threat actors had access to a critical zero-day several weeks before it was patched and publicly disclosed.
An Interlock ransomware campaign is targeting Cisco firewalls, according to an advisory recently shared by Amazon Web Services (AWS). Specifically, this campaign leverages CVE-2026-20131, a critical vulnerability (CVSS score of 10) in the Web-based management interface of Cisco’s Secure Firewall Management Center (FMC) Software; if exploited, it can allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an impacted device.
Cisco disclosed the vulnerability on March 4, and said in an advisory at the time that it was caused by “insecure deserialization of a user-supplied Java byte stream.” The attacker would send a crafted serialized Java object to a vulnerable device’s Web-based management interface.
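For defenders, the delivery described above can be hunted for generically: every Java serialization stream begins with the bytes AC ED 00 05, which become the prefix rO0AB when base64-encoded. The following is an added example, not code from the article, AWS or Cisco; it assumes HTTP request bodies are already available from a proxy or WAF log, the sample bodies are constructed, and a hit indicates a serialized Java stream in a request, not exploitation of CVE-2026-20131 specifically.

```python
import base64
import binascii
import gzip
import zlib
from typing import Optional

JAVA_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC (0xACED) + STREAM_VERSION (0x0005)
B64_PREFIX = b"rO0AB"              # how those four bytes start a base64 string
GZIP_MAGIC = b"\x1f\x8b"
MAX_INFLATE = 1 << 20              # cap decompressed size to avoid zip bombs


def find_java_stream(body: bytes, depth: int = 0) -> Optional[str]:
    """Describe where a Java serialization header appears in a request body."""
    if depth > 3:                  # bound unwrapping of nested encodings
        return None
    idx = body.find(JAVA_MAGIC)
    if idx != -1:
        return f"raw stream header at offset {idx}"
    if body.startswith(GZIP_MAGIC):
        try:
            inner = zlib.decompressobj(wbits=31).decompress(body, MAX_INFLATE)
        except zlib.error:
            return None
        hit = find_java_stream(inner, depth + 1)
        return f"gzip -> {hit}" if hit else None
    idx = body.find(B64_PREFIX)
    if idx != -1:
        # Decode the first 8 characters (6 bytes) to confirm the full header;
        # map URL-safe base64 characters back to the standard alphabet first.
        chunk = body[idx:idx + 8].replace(b"-", b"+").replace(b"_", b"/")
        try:
            if base64.b64decode(chunk, validate=True).startswith(JAVA_MAGIC):
                return f"base64 stream header at offset {idx}"
        except binascii.Error:
            pass
    return None


# Constructed sample bodies (not captured traffic): header plus filler text.
_STREAM = JAVA_MAGIC + b"constructed filler, not a real object " * 2
SAMPLES = {
    "raw": _STREAM,
    "base64-in-form": b"state=" + base64.b64encode(_STREAM),
    "gzip": gzip.compress(_STREAM, mtime=0),
    "json": b'{"user": "admin", "page": 2}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:15} {find_java_stream(body) or 'no Java stream header'}")
```

Some applications legitimately exchange serialized Java objects, so hits are best baselined per endpoint and reviewed where they reach a management interface from unexpected sources.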
CVE-2026-20131 impacts all unpatched versions of Cisco Secure FMC Software and Cisco Security Cloud Control (SCC). The latter is a software-as-a-service (SaaS)…