Cisco Firewall Zero-Day Exploited by Interlock Ransomware Gang
Summary
A critical zero-day vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center allows unauthenticated remote code execution as root. It has been actively exploited by the Interlock ransomware group since late January 2026.
Threat Analysis
CVE-2026-20131 is a maximum severity remote code execution vulnerability in Cisco's Secure Firewall Management Center (FMC) software that has been actively exploited as a zero-day since late January 2026, 36 days before public disclosure. The flaw affects the web-based management interface and allows remote, unauthenticated attackers to execute arbitrary Java code with root privileges. Amazon's threat intelligence team discovered evidence linking the Interlock ransomware group to this exploitation in high-profile attacks targeting education, engineering, manufacturing, healthcare, and government sectors. The threat actors are likely based in Russia or nearby regions. Organizations using Cisco FMC should immediately apply available patches and review their systems for indicators of compromise. This vulnerability demonstrates the critical importance of rapid patch deployment and network segmentation to limit exposure of management interfaces.