CISA has ordered federal agencies to patch CVE-2026-20131 in Cisco Secure Firewall Management Center (FMC) by Sunday, March 22, after Cisco released a security bulletin and warned that no workaround exists. Vendor and Amazon threat intelligence confirmed active exploitation since late January by the Interlock ransomware group, which abuses insecure Java deserialization to achieve unauthenticated remote code execution as root, prompting CISA to add the flaw to its KEV catalog.
Keypoints
- CVE-2026-20131 allows unauthenticated remote attackers to execute arbitrary Java code as root via insecure deserialization in the FMC web management interface.
- Cisco published a bulletin on March 4 urging immediate updates and later warned of active exploitation with no available workarounds.
- Amazon researchers confirmed Interlock exploited the vulnerability as a zero-day since late January and observed its use in live attacks.
- CISA added the flaw to its Known Exploited Vulnerabilities catalog and required FCEB agencies to patch or stop using the product by March 22 under BOD 22-01.
- Interlock has used ClickFix for initial access and deployed custom RATs and malware like NodeSnake and Slopoly, impacting victims such as DaVita, Kettering Health, Texas Tech University System, and the city of Saint Paul.