Security teams and network managers have a new reason to urgently review their firewalls: the ransomware group known as Interlock has been exploiting a remote code execution (RCE) vulnerability in Cisco Secure Firewall Management Center (FMC) software since before a public fix was available.
According to telemetry published by Amazon's threat intelligence team, active exploitation of this vulnerability began in late January 2026, well before Cisco released a fix. Amazon's findings indicate that the attackers had a working exploit at least since January 26, which gave them a head start in compromising systems before defenders knew what to look for. The Amazon report, with further context and technical details, is available on its security blog: Amazon Threat Intelligence.

Cisco released the patch on March 4, 2026, accompanied by an advisory describing the vulnerability, tracked as CVE-2026-20131. The company warned that, on unpatched devices, an unauthenticated attacker could execute arbitrary Java code with root privileges through the FMC web interface. Cisco's own advisory, with recommendations and update downloads, is available at its security center: Cisco Security Advisory. For standard technical data and CVE tracking, the NVD offers a public entry: NVD · CVE-2026-20131.
Interlock is not a minor actor: it emerged publicly in September 2024 and has been linked to earlier campaigns that included the distribution of remote-access Trojans such as NodeSnake and attacks on UK universities. The group has been credited with high-profile incidents against healthcare and education organizations. In addition, IBM X-Force researchers have noted the emergence of a new malicious payload associated with the group, dubbed Slopoly, which may incorporate tooling built with generative AI to expand its attack capabilities.
The combination of a zero-day exploit and a target as sensitive as the firewall management console poses a high risk. The FMC is precisely the point from which network security policy is controlled; achieving remote execution with root privileges lets an attacker disable rules, deploy malicious routes, or move laterally with relative freedom. It is the kind of access that turns a single gap into a much larger incident in a very short time.
Recent research also shows that Cisco has had to respond to a number of flaws in production environments over the course of the year, which highlights the pressure on both vendors and internal security teams. In this scenario, the window between discovery and exploitation can be very short, and adversaries benefit from every day a patch goes unapplied in critical environments.
For infrastructure teams that run Cisco FMC, the immediate recommendation is clear: apply the official updates provided by Cisco and follow the guidance in the security advisory. Beyond the patch, review who can reach the management console, restrict its exposure to the Internet, apply network segmentation to isolate the FMC, and analyze logs for suspicious activity from before the patch. Where immediate patching is not possible, reducing exposure and monitoring for signs of compromise can make a difference.
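Two of the recommendations above (restrict the console's exposure, and go back through the logs for the period between the first observed exploitation and the patch) can be turned into a concrete hunt. The script below is an added example, not code from the article, Amazon or Cisco. It assumes the FMC's web server writes a standard Apache "combined" access log (the page does not describe FMC's log format), that the operator's management subnets are known (the `10.10.0.0/24` allowlist and the request paths in the sample lines are hypothetical), and that the pre-patch window runs from January 26 to March 4, 2026 as reported; adjust the end of the window to the date you actually applied the update.

```python
"""Hunt FMC web-interface access logs for requests from outside the management
network, and list every non-management source that could reach the console at all.

Added example, not from the article or Cisco. Assumptions (not stated on the page):
- Apache "combined" access-log lines; FMC's real format may differ.
- MANAGEMENT_NETS is the operator's allowlist of admin subnets (hypothetical value).
- The pre-patch window is 2026-01-26 (first exploitation seen by Amazon) to
  2026-03-04 (Cisco patch); replace the end date with your own patch date.
"""
import ipaddress
import re
from datetime import datetime, timezone

MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # hypothetical admin subnet
WINDOW_START = datetime(2026, 1, 26, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 4, 23, 59, 59, tzinfo=timezone.utc)

# ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def parse_line(line):
    """Return a dict for a well-formed combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ipaddress.ip_address(m.group("ip"))  # reject non-IP client fields
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_management(ip):
    """True if the client address falls inside an allowlisted admin subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def hunt(lines):
    """Requests from non-management sources inside the pre-patch window.
    Status codes are deliberately not filtered: a 401/403 from the Internet still
    proves the console was reachable, and a zero-day exploit path need not log a 200."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and WINDOW_START <= rec["ts"] <= WINDOW_END and not is_management(rec["ip"]):
            hits.append(rec)
    return hits


def exposure_sources(lines):
    """Every non-management client that ever reached the console, regardless of date.
    A non-empty result means the 'restrict exposure' recommendation is not yet met."""
    sources = set()
    for line in lines:
        rec = parse_line(line)
        if rec and not is_management(rec["ip"]):
            sources.add(rec["ip"])
    return sources


# Constructed sample lines (documentation-range addresses, illustrative paths).
SAMPLE_LOG = [
    '10.10.0.5 - - [27/Jan/2026:09:00:01 +0000] "GET /login HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.42 - - [28/Jan/2026:02:14:07 +0000] "POST /login HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.42 - - [28/Jan/2026:02:14:09 +0000] "GET /api/status HTTP/1.1" 403 180 "-" "python-requests/2.31"',
    '198.51.100.7 - - [25/Jan/2026:22:10:00 +0000] "GET /login HTTP/1.1" 401 220 "-" "curl/8.4.0"',
    '198.51.100.7 - - [10/Mar/2026:11:00:00 +0000] "GET /login HTTP/1.1" 200 4321 "-" "curl/8.4.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for rec in hunt(SAMPLE_LOG):
        print(f"pre-patch non-management access: {rec['ip']} {rec['ts'].isoformat()} "
              f"{rec['method']} {rec['path']} {rec['status']}")
    print("non-management sources that reached the console:", sorted(exposure_sources(SAMPLE_LOG)))
```

On the sample data the hunt flags only the two `203.0.113.42` requests on January 28; the `198.51.100.7` hits fall outside the window but still appear in the exposure list, which is the more important finding: any non-management address that can reach the FMC web interface is a gap to close regardless of whether it was exploited.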

There is another strategic lesson: attackers are moving fast and, in some cases, using capabilities expanded by automated or AI-based tools to create and adapt malware. This increases the need for defense in depth, centralized telemetry, and incident response exercises that consider the possibility of initial compromise through management systems.
Finally, the security community and vendors must keep communication flowing. Amazon's detection of prior exploitation and its sharing of that information with Cisco to speed up the response is an example of collaboration that helps reduce impact. Coordination between researchers, vendors, and operators is as crucial as ever.
If you manage a Cisco Secure FMC, check Cisco's advisory and mitigation guidance as soon as possible, and consider auditing your environment for signs of abnormal activity in the period before the patch was published. The official resources cited in this article are a good starting point for rapid action: Cisco's security advisory, Amazon's campaign report (Amazon Threat Intelligence), and the public CVE record (NVD · CVE-2026-20131).