Executive Summary
The Interlock ransomware group has been observed exploiting CVE-2026-20131 (CVSS 10.0), a critical vulnerability in Cisco Secure Firewall Management Center (FMC), since January 26, 2026, before its public disclosure. The vulnerability, caused by insecure Java deserialization in the FMC web interface, allows unauthenticated remote attackers to execute arbitrary code with root privileges.
Following successful exploitation, Interlock conducts multi-stage intrusions involving reconnaissance, payload deployment, and persistence mechanisms. The group employs a mix of custom tooling and legitimate administrative utilities to maintain access and evade detection, highlighting the risks posed by zero-day exploitation and the limitations of traditional patch-based defenses.
Background on Interlock Ransomware Group
Interlock is an emerging ransomware group that targets enterprise environments, with a particular focus on internet-facing infrastructure and security appliances. The group follows a structured, multi-stage attack approach that includes gaining initial access, conducting reconnaissance, maintaining persistence, and establishing communication with attacker-controlled servers.
To remain undetected, Interlock leverages a combination of custom malware and legitimate administrative tools, along with evasion techniques such as log deletion, proxy-based infrastructure, and fileless execution. The group has been observed using fileless web shells that operate entirely in memory, allowing malicious code to be decrypted and executed without being written to disk. Additionally, Interlock abuses legitimate remote administration tools such as ConnectWise ScreenConnect to maintain stealthy and persistent access, even if primary malware components are removed.
Vulnerability Details
- CVE-ID: CVE-2026-20131
- CVSS Score: 10.0 (Critical)
- EPSS Score: 0.57%
- Vulnerability: Insecure Java deserialization leading to remote code execution
- Affected Product: Cisco Secure Firewall Management Center (FMC) Software versions 6.4.0.13 through 6.4.0.18, 7.0.0 through 7.0.8.1, 7.1.0 through 7.1.0.3, 7.2.0 through 7.2.10.2, 7.3.0 through 7.3.1.2, 7.4.0 through 7.4.5, 7.6.0 through 7.6.4, 7.7.0 through 7.7.11, and 10.0.0
- Patched version: Cisco Secure Firewall Management Center (FMC) Software versions 7.0.9, 7.2.11, 7.4.6, 7.6.5, 7.7.12 and 10.0.1
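The affected and fixed version lists above are easy to misread when comparing four-part version strings by hand. The following added example (not code from the advisory or from Cisco) turns them into a checker for an FMC inventory; the hostnames and versions in the sample inventory are constructed placeholders, and where the advisory lists no fixed release for a train the checker assumes the host must move to a train that has one.

```python
"""Map an FMC software version to the affected ranges and fixed releases the
advisory lists for CVE-2026-20131. Added example, not code from the advisory."""

# (first affected, last affected, fixed release) per release train, as listed above.
# None = the advisory names no fixed release on that train (assumed: move to a
# train that has one rather than waiting for a point release).
AFFECTED = [
    ("6.4.0.13", "6.4.0.18", None),
    ("7.0.0", "7.0.8.1", "7.0.9"),
    ("7.1.0", "7.1.0.3", None),
    ("7.2.0", "7.2.10.2", "7.2.11"),
    ("7.3.0", "7.3.1.2", None),
    ("7.4.0", "7.4.5", "7.4.6"),
    ("7.6.0", "7.6.4", "7.6.5"),
    ("7.7.0", "7.7.11", "7.7.12"),
    ("10.0.0", "10.0.0", "10.0.1"),
]


def parse_version(v: str) -> tuple:
    """'7.2.10.2' -> (7, 2, 10, 2); tuples compare numerically, so 7.2.10 > 7.2.9."""
    return tuple(int(p) for p in v.strip().split("."))


def assess(version: str) -> dict:
    """Say whether a version is inside a listed affected range and where to move it.
    The verdict is only as precise as the ranges the advisory prints."""
    v = parse_version(version)
    for first, last, fixed in AFFECTED:
        if parse_version(first) <= v <= parse_version(last):
            return {"version": version, "affected": True, "fixed_release": fixed}
    return {"version": version, "affected": False, "fixed_release": None}


def prioritize(inventory: dict) -> list:
    """Hosts still on an affected build, worst first: trains with no fix listed lead."""
    hits = [(host, assess(ver)) for host, ver in inventory.items()]
    hits = [(h, a) for h, a in hits if a["affected"]]
    return sorted(hits, key=lambda ha: (ha[1]["fixed_release"] is not None, ha[0]))


# Constructed inventory; hostnames and versions are placeholders.
SAMPLE_INVENTORY = {"fmc-a": "7.2.10.2", "fmc-b": "7.4.6", "fmc-c": "7.1.0.3", "fmc-d": "10.0.0"}
```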
Attack Methodology
Interlock initiates its attack chain by exploiting the CVE-2026-20131 vulnerability to gain unauthenticated access to Cisco FMC instances. The exploitation involves sending crafted HTTP requests containing malicious serialized Java objects to trigger remote code execution.
Upon successful compromise, the targeted system issues outbound communication to attacker-controlled infrastructure, confirming exploitation. Subsequent stages involve downloading additional payloads, including ELF binaries, which facilitate further intrusion activities.
Post-exploitation actions include network reconnaissance, system enumeration, and deployment of persistence mechanisms. The group leverages proxy-based infrastructure, memory-resident web shells, and log evasion techniques to reduce visibility and maintain long-term access within compromised environments.
Threat Capabilities
Based on observed activity, Interlock has demonstrated the following capabilities:
- Exploitation of critical vulnerabilities, including zero-day usage such as CVE-2026-20131.
- Execution of multi-stage attack workflows encompassing initial access, reconnaissance, payload delivery, and persistence.
- Use of custom-developed malware alongside legitimate remote administration tools to enable stealthy operations and evade detection.
- Implementation of anti-forensic techniques, including log manipulation and infrastructure obfuscation via reverse proxies.
Visual Flow
- Initial Access: exploitation of CVE-2026-20131 via crafted HTTP request
- Execution & Validation: remote code execution and callback confirmation
- Payload Delivery: download and execution of ELF binaries
- Persistence: deployment of RATs and web shells
- Reconnaissance: system and network enumeration
- Command and Control (C2): communication over HTTP/HTTPS
- Defense Evasion: log deletion and proxy-based obfuscation
- Potential Exfiltration: staging and transfer of collected data
Indicators of Compromise (IOCs)
Potential indicators associated with this activity include:
- Suspicious HTTP requests targeting FMC web interface endpoints
- Presence of serialized Java payloads in inbound requests
- Unexpected outbound connections to external or untrusted infrastructure
- Deployment of remote access tools such as ScreenConnect
- Evidence of log tampering or abnormal log deletion activity
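The first two indicators above (suspicious requests to the FMC web interface and serialized Java payloads in inbound requests) can be checked mechanically: every Java serialization stream starts with the four-byte header 0xAC 0xED 0x00 0x05, which survives in recognisable form when the payload is URL-encoded, Base64-encoded ("rO0AB...") or hex-encoded. The following added example (not code from the advisory) scans captured request bodies for that header and the matching Content-Type; the sample requests, paths and payload bytes are constructed placeholders, not real FMC routes or observed traffic.

```python
"""Flag inbound HTTP requests to the FMC web interface that carry a Java
serialized object (the CVE-2026-20131 trigger), whether raw, URL-encoded,
Base64 or hex encoded. Added example; not code from the original advisory."""
import base64
import re
from urllib.parse import unquote_to_bytes

JAVA_SER_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC 0xACED + STREAM_VERSION 5
B64_MAGIC = re.compile(rb"rO0AB[A-Za-z0-9+/]+={0,2}")  # Base64 of that header
HEX_MAGIC = re.compile(rb"(?i)aced0005[0-9a-f]{4,}")   # hex of that header

def find_java_serialized(body: bytes) -> list:
    """Return the encodings under which a Java serialization header appears."""
    found = []
    if JAVA_SER_MAGIC in body:
        found.append("raw")
    elif JAVA_SER_MAGIC in unquote_to_bytes(body):  # e.g. %AC%ED%00%05 in form data
        found.append("url-encoded")
    for m in B64_MAGIC.finditer(body):
        # "rO0AB" alone is not proof: decode the first 8 chars and check the bytes.
        chunk = m.group(0)[:8].ljust(8, b"=")
        if base64.b64decode(chunk).startswith(JAVA_SER_MAGIC):
            found.append("base64")
            break
    if HEX_MAGIC.search(body):
        found.append("hex")
    return found

def scan_request(req: dict) -> list:
    """Return the reasons a request should be escalated (empty = nothing seen)."""
    reasons = []
    ctype = req.get("ctype", "").lower()
    if "x-java-serialized-object" in ctype:
        reasons.append("Content-Type advertises a Java serialized object")
    for enc in find_java_serialized(req.get("body", b"")):
        reasons.append(f"Java serialization header in body ({enc})")
    return reasons

_DUMMY = JAVA_SER_MAGIC + b"sr\x00\x07Example"  # constructed dummy stream, not a real object
SAMPLE_REQUESTS = [  # constructed; paths are placeholders, not real FMC routes
    {"path": "/ui/login", "ctype": "", "body": b"user=alice"},
    {"path": "/api/x", "ctype": "application/x-java-serialized-object", "body": _DUMMY},
    {"path": "/api/x", "ctype": "application/x-www-form-urlencoded", "body": b"obj=" + base64.b64encode(_DUMMY)},
    {"path": "/api/x", "ctype": "application/x-www-form-urlencoded", "body": b"obj=%AC%ED%00%05sr%00%07Example"},
]

def flagged(requests=SAMPLE_REQUESTS) -> list:
    """(index, reasons) for every request that should be escalated."""
    return [(i, scan_request(r)) for i, r in enumerate(requests) if scan_request(r)]
```

Feed it the decoded bodies from a web-proxy or packet capture in front of the FMC; a hit on an internet-facing instance still on an affected version is worth a forensic review, not just a block rule.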
Tactics include:
- TA0001 – Initial Access: Exploitation of public-facing application
- TA0002 – Execution: Execution of malicious payloads via RCE
- TA0003 – Persistence: Use of backdoors and remote access tools
- TA0005 – Defense Evasion: Log deletion and proxy-based obfuscation
- TA0006 – Discovery: System and network reconnaissance
Mitigation and Recommendations
Organizations are advised to take the following actions:
- Apply security updates provided by Cisco to remediate CVE-2026-20131
- Conduct forensic analysis to identify potential signs of compromise
- Monitor network traffic for anomalous outbound connections
- Audit remote access tools for unauthorized installations
- Implement defense-in-depth strategies to reduce exposure during zero-day windows
Instantly Fix Risks with Saner Patch Management
Saner patch management is continuous, automated, and integrated patch management software that quickly fixes risks exploited in the wild. It supports the major operating systems (Windows, Linux, and macOS) as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
