Interlock’s Early Access: Exploiting Cisco FMC vulnerabilities ahead of official disclosure

Mar 22, 2026 | Threat Intelligence Research

Critical Vulnerability in Cisco Secure Firewall Exploited by Interlock Group

Recent observations indicate that the Interlock group has been actively exploiting the critical vulnerability CVE-2026-20131 in Cisco Secure Firewall Management Center (FMC) since January 26, 2026. The flaw stems from insecure Java deserialization in the FMC web interface and allows an unauthenticated remote attacker to execute arbitrary code with root privileges on the appliance.

Interlock’s attack methodology consists of multi-stage intrusions encompassing initial access, reconnaissance, payload deployment, and persistence. The group combines custom tools with legitimate administrative utilities, which complicates detection. Notably, it deploys fileless web shells that execute malicious code directly in memory and leave little or no trace on disk. Exploitation begins with crafted HTTP requests to the FMC web interface, followed by outbound communication from the compromised appliance to attacker-controlled infrastructure, which is then used to download additional payloads.

The group’s operational tactics follow a structured workflow: reconnaissance to gather network and system intelligence, establishment of long-term persistence, and evasion techniques to minimize visibility. Its use of proxy-based infrastructure and anti-forensic measures (including log tampering) effectively obscures its activity. By combining these techniques, Interlock is able to retain access even after its primary malware components have been removed.

Defensive Context
Organizations using Cisco Secure Firewall should be particularly vigilant. Exploitation of CVE-2026-20131 poses a serious risk to environments whose FMC web interface is reachable from the internet. Security teams in such organizations need to evaluate their exposure to this vulnerability, starting with whether the management interface is reachable from untrusted networks at all.

Why This Matters
The risk is pronounced for enterprises relying on affected Cisco FMC versions, as successful exploitation leads to complete system compromise. Entities handling sensitive data or critical applications are at heightened risk, especially those that maintain public-facing interfaces for firewall management.

Defender Considerations
The source report does not describe specific detection methods, but monitoring for suspicious HTTP requests to the FMC web interface, in particular request bodies or parameters carrying serialized Java objects, and for unexpected outbound connections initiated by the FMC host itself, provides practical avenues for detection. Additionally, auditing for unauthorized installations of remote access tools such as ConnectWise ScreenConnect may reveal signs of compromise.

Indicators of Compromise (IOCs)

  • Exploitation attempts against CVE-2026-20131
  • Suspicious HTTP requests targeting FMC endpoints
  • Serialized Java payloads in inbound requests
  • Unexpected outbound connections to unknown infrastructure
  • Evidence of log deletion or tampering activities
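The following script is an added example, not code from the original report or from Cisco, showing how the indicators above (serialized Java payloads in inbound requests, followed by unexpected outbound connections from the FMC host) can be turned into detection logic. It assumes that a reverse proxy or packet capture in front of the FMC records request bodies, that outbound flows from the FMC appliance are available as flow records, and that the defender knows the FMC management IP and the destinations it legitimately contacts (managed firewalls, DNS, update servers). The FMC IP, allowlist, request records and flow records are all constructed sample data; the report names no specific endpoint, so the request path is left as "/".

```python
"""Detection heuristics for the Interlock / CVE-2026-20131 indicators.

Added example; not from the original report. Sample data below is constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

# Every java.io.ObjectOutputStream stream starts with STREAM_MAGIC (0xACED) and
# STREAM_VERSION (5).  Attackers ship it raw, base64-encoded, URL-encoded or as a
# hex string, so all four forms are checked.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
JAVA_SERIAL_B64 = b"rO0AB"                 # base64 of the 4-byte header; prefix is stable
JAVA_SERIAL_HEX = re.compile(rb"(?i)aced0005")


def java_serialization_forms(payload: bytes) -> set[str]:
    """Return the encodings under which a Java serialization header appears in payload."""
    forms = set()
    if JAVA_SERIAL_MAGIC in payload:
        forms.add("raw")
    if JAVA_SERIAL_B64 in payload:
        forms.add("base64")
    if JAVA_SERIAL_HEX.search(payload):
        forms.add("hex")
    decoded = unquote_to_bytes(payload)    # undo %XX escapes (no-op if no '%' present)
    if decoded != payload and (JAVA_SERIAL_MAGIC in decoded or JAVA_SERIAL_B64 in decoded):
        forms.add("url-encoded")
    return forms


@dataclass(frozen=True)
class HttpRequest:
    ts: int          # epoch seconds
    src_ip: str
    method: str
    path: str        # path plus query string
    body: bytes


@dataclass(frozen=True)
class Flow:
    ts: int
    src_ip: str
    dst_ip: str
    dst_port: int


def suspicious_requests(requests):
    """Inbound requests whose body or query string carries a serialized Java object."""
    hits = []
    for r in requests:
        forms = java_serialization_forms(r.body) | java_serialization_forms(r.path.encode())
        if forms:
            hits.append((r, sorted(forms)))
    return hits


def unexpected_outbound(flows, fmc_ip, allowlist):
    """Connections initiated by the FMC host to destinations outside the known-good set."""
    return [f for f in flows if f.src_ip == fmc_ip and f.dst_ip not in allowlist]


def correlate(requests, flows, fmc_ip, allowlist, window=300):
    """Pair each suspicious request with unexpected outbound flows that follow it
    within `window` seconds: the exploit-then-callback pattern the report describes."""
    pairs = []
    for req, forms in suspicious_requests(requests):
        for f in unexpected_outbound(flows, fmc_ip, allowlist):
            if 0 <= f.ts - req.ts <= window:
                pairs.append((req.src_ip, forms, f.dst_ip, f.dst_port))
    return pairs


# ---- constructed sample data (assumptions, not from the report) ----
FMC_IP = "10.0.0.5"
ALLOWLIST = {"10.0.0.10", "10.0.0.11", "10.0.0.53"}   # managed firewalls and DNS

SAMPLE_REQUESTS = [
    HttpRequest(1000, "10.0.0.77", "GET", "/", b""),                                   # benign
    HttpRequest(1010, "203.0.113.9", "POST", "/", b"payload=%AC%ED%00%05sr%00%11java.util.HashMap"),
    HttpRequest(1020, "198.51.100.4", "POST", "/", b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap"),
    HttpRequest(2000, "198.51.100.4", "POST", "/", b"data=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA"),
    HttpRequest(2010, "10.0.0.78", "POST", "/", b"username=admin&password=hunter2"),   # benign
]

SAMPLE_FLOWS = [
    Flow(1005, FMC_IP, "10.0.0.10", 8305),        # FMC to a managed firewall, allowlisted
    Flow(1040, FMC_IP, "203.0.113.9", 443),       # callback 30 s after the URL-encoded payload
    Flow(1041, "10.0.0.77", "203.0.113.9", 443),  # not from the FMC host, ignored
    Flow(5000, FMC_IP, "192.0.2.200", 8080),      # unexpected, but outside every window
]

if __name__ == "__main__":
    for src, forms, dst, port in correlate(SAMPLE_REQUESTS, SAMPLE_FLOWS, FMC_IP, ALLOWLIST):
        print(f"ALERT: serialized Java ({','.join(forms)}) from {src}, FMC then connected to {dst}:{port}")
```

A serialization header in an inbound request is a strong triage signal on its own; the correlation step mainly helps rank which hits deserve immediate attention. Because Interlock also tampers with logs on the appliance, this logic should run on proxy, capture or flow data collected off-box, not on the FMC's own logs. Restricting the FMC web interface to trusted management networks remains the primary control regardless of patch status.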

Overall, the Interlock group’s actions highlight the critical need for organizations using Cisco FMC to remain proactive against this and potentially other emerging threats.

