CVE-2026-20131: Cisco Firewall Zero-Day Exploited by Interlock Ransomware
Summary
A critical (CVSS 10.0) vulnerability in Cisco Secure Firewall Management Center is being exploited as a zero-day, allowing unauthenticated remote code execution as root.
Threat Analysis
Since late January 2026, the Interlock ransomware group has been actively exploiting CVE-2026-20131, a maximum-severity (CVSS 10.0) remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC) software. The flaw is a deserialization bug reachable through the web-based management interface: an unauthenticated, remote attacker can use it to execute arbitrary Java code with root privileges on the FMC host. The zero-day attacks have primarily targeted the education, engineering, architecture, construction, manufacturing, industrial, healthcare, and government sectors. Temporal analysis suggests the attackers are likely based in Russia. Organizations using Cisco FMC must immediately apply the emergency patches released in early March and then conduct thorough security assessments to detect potential compromise, since patching closes the entry point but does not remove an attacker who gained access before the fix was applied. This represents one of the most severe network security vulnerabilities disclosed this year.