Canadian Cyber Security Journal

Interlock Ransomware Exploiting Cisco FMC Zero-Day CVE-2026-20131 — What Canadian Security Teams Need to Know

What Happened

The Interlock ransomware group is actively exploiting CVE-2026-20131, a CVSS 10.0 insecure deserialization vulnerability in Cisco Firewall Management Center (FMC) Software, giving attackers unauthenticated root access to affected devices.

Amazon’s MadPot global threat sensor network detected exploitation of CVE-2026-20131 as early as January 26, 2026 — over a month before Cisco disclosed the vulnerability publicly. Attackers send crafted HTTP requests to specific CGI paths in the FMC application, triggering arbitrary Java code execution. Once the exploit succeeds, the compromised device issues an HTTP PUT request to an attacker-controlled server to confirm the breach, then downloads additional Interlock tooling.

CISA added CVE-2026-20131 to its Known Exploited Vulnerabilities catalog on March 19 and set a federal remediation deadline of March 22. Interlock has historically targeted education, engineering, manufacturing, healthcare, and government entities.

Why This Matters for Canadian Organizations

Cisco FMC is a standard component in enterprise network security architectures across Canada. Federal departments, crown corporations, provincial governments, and healthcare networks running FMC without the latest patches face an active ransomware group operating with root-level firewall access.

A successful FMC compromise gives attackers deep network visibility, the ability to modify firewall policies, and a platform for lateral movement across the entire environment. Interlock’s targeting profile — healthcare, government, manufacturing — maps directly onto critical sectors in Canada.

The Canadian Centre for Cyber Security (CCCS) has not yet issued a specific advisory for CVE-2026-20131, but the CISA KEV listing and confirmed active exploitation warrant immediate action without waiting for domestic guidance.

What to Do

Patch Cisco FMC to the latest available version without delay. If immediate patching is not possible, restrict management interface access to trusted IP ranges only. Review FMC audit logs for unusual HTTP requests to CGI paths from unexpected source addresses. Monitor outbound connections from FMC appliances for unexpected external communication — a confirmed indicator of compromise in this campaign.
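The two log-review steps above, turned into a small detection sweep. This is an added example, not code from the article or from Cisco: it assumes access-log lines in a common web-server shape (FMC's own export format is not given here, so the regex is a placeholder to adapt), assumes the trusted management range and the expected outbound destinations shown, and runs over constructed sample records.

```python
import ipaddress
import re

# Assumption (constructed): management ranges allowed to reach the FMC web UI.
TRUSTED_MGMT = [ipaddress.ip_network("10.10.0.0/24")]
# Assumption (constructed): destinations an FMC appliance is expected to talk to.
EXPECTED_OUTBOUND = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines in a common web access-log shape. FMC's own log format is
# not given on this page, so the regex is an assumption to adapt to the real export.
ACCESS_LOG = """\
10.10.0.5 - - [20/Mar/2026:09:01:12 -0400] "GET /login.cgi HTTP/1.1" 200 1532
203.0.113.44 - - [20/Mar/2026:09:03:41 -0400] "POST /cgi-bin/example.cgi HTTP/1.1" 200 0
10.10.0.7 - - [20/Mar/2026:09:05:00 -0400] "GET /ui/dashboard HTTP/1.1" 200 8812
198.51.100.9 - - [20/Mar/2026:09:06:22 -0400] "GET /static/app.js HTTP/1.1" 200 421
"""
# Constructed outbound records (src dst method/protocol), e.g. from a proxy or flow export.
OUTBOUND_LOG = """\
10.10.0.50 10.20.1.4 HTTPS
10.10.0.50 203.0.113.99 PUT
10.10.0.50 10.20.1.8 HTTPS
"""
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def in_any(ip, nets):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def flag_cgi_requests(log):
    """CGI-path requests whose source is outside the trusted management ranges."""
    hits = []
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than abort the sweep
        src, method, path, status = m.groups()
        if ("/cgi-bin/" in path or path.lower().endswith(".cgi")) and not in_any(src, TRUSTED_MGMT):
            hits.append({"src": src, "method": method, "path": path, "status": status})
    return hits

def flag_outbound(log):
    """Outbound connections from the appliance to destinations outside the expected set."""
    hits = []
    for line in log.splitlines():
        src, dst, proto = line.split()
        if not in_any(dst, EXPECTED_OUTBOUND):
            hits.append({"src": src, "dst": dst, "proto": proto})
    return hits
```

Any hit from either function is a lead to triage, not proof of compromise; the trusted-range check is what separates routine administrator use of CGI endpoints from requests arriving from addresses that should never reach the management interface.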

Source: The Hacker News
