CVE-2026-20131: How Interlock Turned a Cisco Firewall Into Root for 36 Days

Interlock ransomware exploited a maximum-severity deserialization flaw in Cisco Secure FMC as a zero-day for 36 days before a patch existed — owning the management plane of enterprise firewall estates. Here's the kill chain, the IOCs, and how to hunt it.

EagleEye Security Team


A single unauthenticated HTTP request gave Interlock ransomware root on the box that controls your firewalls. No credentials, no user interaction, no second stage to bypass auth. CVE-2026-20131 is a CVSS 10.0 deserialization flaw in the Cisco Secure Firewall Management Center (FMC) web interface — and Interlock was already exploiting it on January 26, 2026, 36 days before Cisco had a patch or an advisory.

That window matters because FMC is not an endpoint. It is the management plane: firewall policy, NAT rules, VPN configuration, and every connected Firepower Threat Defense device. Compromise it and the attacker doesn't just have a foothold — they have your perimeter's rulebook.

When the box that enforces your network policy is the box that gets owned, "defense in depth" collapses to a single point of failure.

The Vulnerability: Insecure Deserialization, the Classic Root Cause

CVE-2026-20131 is a CWE-502 insecure deserialization flaw in the FMC web-based management interface. The interface accepts a serialized Java object from an untrusted source and deserializes it without sufficient validation. A crafted byte stream triggers a gadget chain — a sequence of existing Java library methods chained to execute arbitrary OS commands. In FMC's case, the deserializing process runs as root.

There are no mitigating prerequisites. The CVSS vector spells out why this scores a perfect 10.0:

| Metric | Value | What it means |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over the wire |
| Attack Complexity (AC) | Low | No special conditions or timing required |
| Privileges Required (PR) | None | No authentication needed |
| User Interaction (UI) | None | No victim action required |
| Scope (S) | Changed | Impact crosses a security boundary |
| Confidentiality (C) | High | Full information disclosure |
| Integrity (I) | High | Full system modification |
| Availability (A) | High | Full system disruption |

Full vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Affected Versions

Per NVD and Cisco's March 4, 2026 advisory, the following Cisco Secure FMC Software releases are vulnerable:

  • 7.4.x — 7.4.0, 7.4.1, 7.4.1.1
  • 7.3.x — 7.3.0, 7.3.1, 7.3.1.1, 7.3.1.2
  • 7.2.x — 7.2.0 through 7.2.5.2
  • 7.1.x — 7.1.0 through 7.1.0.3
  • 7.0.x — 7.0.5, 7.0.6, 7.0.6.1 and earlier

Who Is Interlock

Interlock surfaced in September 2024 running a double-extortion model — encrypting victim data while exfiltrating it to a Tor-hosted leak portal. Notably, Interlock does not run a Ransomware-as-a-Service program, which makes it a tighter operation with more consistent TTPs than the typical affiliate-driven crew.

Confirmed victims before the FMC campaign include DaVita, Kettering Health, the Texas Tech University System, the City of Saint Paul, and multiple UK universities. The targeting pattern is deliberate: healthcare, education, government, manufacturing, engineering, architecture, and construction — sectors that run large Cisco firewall estates, hold high-value PII/PHI/IP, and face regulatory pressure that raises their willingness to pay. Operational-timezone analysis places the group in UTC+3 (75–80% confidence), with peak activity 12:00–18:00 UTC+3, consistent with an Eastern European or Middle Eastern base.

The 36-Day Zero-Day Window

Amazon's threat intelligence team, using their MadPot honeypot infrastructure, confirmed the January 26 start and noted Interlock had roughly a week to hit initial targets before the broader defender community had any signal at all.

| Date | Event |
|---|---|
| Jan 26, 2026 | Interlock begins zero-day exploitation of CVE-2026-20131 |
| Feb–Mar 2026 | Silent exploitation continues; no public patch or advisory |
| Mar 4, 2026 | Cisco discloses CVE-2026-20131 and ships fixed software |
| Mar 19, 2026 | CISA adds the CVE to the KEV Catalog |
| Mar 22, 2026 | CISA-mandated remediation deadline for federal civilian agencies |
| Mar 25, 2026 | NVD last-modified date reflecting updated exploitation confirmation |

Recorded Future's March 2026 CVE Landscape flagged CVE-2026-20131 among 31 high-impact vulnerabilities that month, and named Interlock's campaign the highest-severity active exploitation of the period.

The Kill Chain

Stage 1 — Initial Access via CVE-2026-20131

  1. Reconnaissance — identify internet-exposed FMC instances, typically on port 443 or 8305.
  2. Exploit delivery — an HTTP POST to a vulnerable FMC endpoint carrying a crafted serialized Java object.
  3. Gadget-chain execution — the FMC Java runtime deserializes the object and runs OS commands as root.
  4. Payload staging — two embedded URLs in the payload deliver configuration data and confirm success via HTTP PUT.
  5. Persistence staging — a malicious ELF binary is fetched and executed from attacker infrastructure.

Confirmed exploit source IPs: 206.251.239.164 (January 2026), 199.217.98.153 and 89.46.237.33 (March 2026).

Stage 2 — Post-Exploitation Toolkit

  • JavaScript RAT — obfuscated implant using RC4 with per-message 16-byte random keys over WebSocket; shell, file transfer, and SOCKS5 proxy.
  • Java RAT — functionally equivalent, built on GlassFish/Grizzly/Tyrus libraries; both implants self-update and self-delete.
  • Memory-resident Java webshell — fileless, AES-128 encrypted (key derived from the MD5 of geckoformboundary99fec155ea301140cbe26faf55ed2f40); never touches disk.
  • Infrastructure — a TCP beacon on port 45588 and a HAProxy relay script that turns compromised Linux hosts into C2 relays, deleting logs every five minutes.
  • Legitimate tool abuse — ConnectWise ScreenConnect as backup persistence, the Certify AD CS exploitation tool, and Volatility repurposed for memory/credential analysis.

Stage 3 — Lateral Movement and Recon

Post-access, Interlock runs PowerShell enumeration of Windows hosts: OS and hardware, services and installed software, browser artifacts (Chrome/Edge/Firefox credential stores and cookies), active connections and ARP tables, RDP event logs, process lists, and registry contents. Data is staged to hostname-based network shares (e.g. \\JK-DC2\Temp), ZIP-compressed, and exfiltrated. The Lumma and Berserk infostealers add browser-credential harvesting.

Stage 4 — Double Extortion

Encryption plus threatened publication on the Tor leak portal, with ransom notes leaning on regulatory-violation threats. The ransom-communication portal and screen-locker binary hash are in the IOC appendix below.

MITRE ATT&CK Mapping

| Tactic | Technique | Observed behavior |
|---|---|---|
| Initial Access | T1190 Exploit Public-Facing Application | Java deserialization against FMC web interface |
| Execution | T1059.001 PowerShell | Recon scripts post-compromise |
| Execution | T1059.007 JavaScript | RC4-encrypted WebSocket RAT |
| Persistence | T1505.003 Web Shell | Fileless AES-128 Java webshell |
| Persistence | T1053 Scheduled Task/Job | Task creation on Windows hosts |
| Persistence | T1078 Valid Accounts | Reuse of harvested credentials |
| Defense Evasion | T1027 Obfuscated Files or Information | RC4/AES implants, obfuscated JS |
| Defense Evasion | T1070 Indicator Removal | HAProxy relay deletes logs every 5 min |
| Defense Evasion | T1036 Masquerading | ScreenConnect as a legitimate tool |
| Credential Access | T1555 Credentials from Password Stores | Lumma/Berserk browser stealers |
| Discovery | T1082 / T1518 / T1049 / T1057 / T1033 / T1087 / T1012 / T1040 | Host, software, connection, process, user, account, registry, ARP enumeration |
| Lateral Movement | T1021.001 RDP | Movement with harvested credentials |
| Lateral Movement | T1021.002 SMB/Admin Shares | Staging to \\hostname\Temp |
| Collection | T1005 / T1010 | Local data and application-window discovery |
| C2 | T1573.001 Encrypted Channel | RC4 and AES-128 C2 |
| C2 | T1090.001 Internal Proxy | HAProxy relay on Linux hosts |
| Exfiltration | T1020 / T1041 | Automated ZIP staging, exfil over C2 |
| Impact | T1486 Data Encrypted for Impact | File encryption |
| Impact | T1490 Inhibit System Recovery | Shadow copy deletion |

Defense and Detection

Patch It Like an Emergency

Cisco shipped fixed software on March 4, 2026. With confirmed exploitation since January 26 and a KEV listing, treat this as emergency remediation regardless of maintenance windows, and upgrade to the latest fixed release — not the minimum fixed version. Use your vulnerability-management and asset-inventory tooling to find every unpatched FMC instance and rank it critical.

Get FMC Off the Internet

The FMC management interface should never face the public internet. Cisco's advisory is explicit: restrict the web interface to trusted management networks. If you find an exposed instance:

  • Place it behind a VPN or jump host immediately.
  • Restrict source IPs via ACLs to known management workstations.
  • Enforce MFA for all FMC administrative access.
  • Audit your perimeter, load balancer / ADC, and reverse-proxy logs for any external traffic to FMC management ports (443, 8305).

Detect the Exploit at the Web/Network Layer

Frame these as rules in your WAF and perimeter logs — the field names will differ by vendor, but the behavior is universal:

  • Alert on requests to FMC management paths carrying serialized Java object indicators in the request body: the ac ed 00 05 ("aced0005") header that opens every Java serialization stream, the sr byte pair (TC_OBJECT followed by TC_CLASSDESC) that opens each serialized object, or java.* class references.
  • Flag the anomalous exploit User-Agent — Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0 — when it originates from non-browser infrastructure.
  • Block the known exploit source IPs (206.251.239.164, 199.217.98.153, 89.46.237.33).
  • Watch inbound POST/PUT requests with Content-Type: application/octet-stream or application/x-java-serialized-object to management paths.
  • Push WAF rules that block serialized Java object patterns at the HTTP layer as defense-in-depth, even after patching.
  • Alert on repeated 5xx errors from a single source against management paths — deserialization exploits often generate error-producing probes before they land.
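As an added example (not code from this post or from any WAF vendor), a small Python scorer that applies the web-layer indicators above to request records: the ac ed 00 05 stream header, the TC_OBJECT/TC_CLASSDESC "sr" pair, java.* class names, the serialized content types, the exploit User-Agent and the three source IPs. The request records, field names and weights are constructed here; the post does not name the vulnerable FMC path, so none is modelled.

```python
from dataclasses import dataclass

# Indicators quoted in this post's detection section and IOC appendix.
EXPLOIT_SOURCE_IPS = {"206.251.239.164", "199.217.98.153", "89.46.237.33"}
EXPLOIT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) "
              "Gecko/20100101 Firefox/136.0")
SERIAL_CONTENT_TYPES = {"application/octet-stream",
                        "application/x-java-serialized-object"}
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC + STREAM_VERSION

@dataclass
class Request:              # constructed record shape; real WAF fields will differ
    src_ip: str
    method: str
    content_type: str
    user_agent: str
    body: bytes

def serialized_java_indicators(body: bytes) -> list:
    """Return the Java-serialization markers present in a request body."""
    hits = []
    if body.startswith(JAVA_STREAM_MAGIC):
        hits.append("aced0005-magic")
    # TC_OBJECT (0x73 's') + TC_CLASSDESC (0x72 'r') + a 2-byte UTF length opens
    # the first object in a stream: this is the "sr" marker the post refers to.
    if b"sr\x00" in body:
        hits.append("sr-classdesc")
    if b"java." in body:
        hits.append("java.*-classref")
    return hits

def score_request(req: Request) -> tuple:
    """Weighted score plus reasons for one request; 0 means nothing matched."""
    checks = [
        (req.src_ip in EXPLOIT_SOURCE_IPS, 5, "known-exploit-source-ip"),
        (req.user_agent == EXPLOIT_UA, 2, "exploit-user-agent"),
        (req.method in ("POST", "PUT") and req.content_type in SERIAL_CONTENT_TYPES,
         2, "serialized-content-type"),
    ] + [(True, 3, hit) for hit in serialized_java_indicators(req.body)]
    score = sum(weight for matched, weight, _ in checks if matched)
    return score, [name for matched, _, name in checks if matched]

# Constructed sample traffic (not real captures): one exploit-like POST from a
# listed source IP carrying a serialized java.util.HashMap, and one benign JSON POST.
SAMPLE_REQUESTS = [
    Request("206.251.239.164", "POST", "application/octet-stream", EXPLOIT_UA,
            JAVA_STREAM_MAGIC + b"sr\x00\x11java.util.HashMap\x05\x07\xda\xc1"),
    Request("10.0.5.20", "POST", "application/json",
            "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0", b'{"user": "admin"}'),
]
```

Any request scoring 3 or more carries at least one body-level serialization marker or a known source IP and is worth a closer look; the weights are a starting point, not a calibrated model.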

Detect the Post-Exploitation at the Endpoint

These belong in your EDR/XDR platform and host telemetry:

# Linux — suspicious child of an FMC web service
parent IN (httpd, java, tomcat-worker) AND child IN (curl, wget, bash)
  AND new_file_path IN (/tmp/, /dev/shm/, <world-writable>)
  AND time_since_fmc_activity < 60s
  → likely ELF staging after exploitation

# Linux — egress from an FMC server process to known C2
src_process = fmc_web_service
dst_ip IN (144.172.94.59, 199.217.99.121, 188.245.41.78,
           144.172.110.106, 95.217.22.175, 37.27.244.222)
  OR dst_port = 45588
  → C2 beacon / data egress
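The two pseudocode rules above, implemented as an added example (not the post's own detection content) over constructed process-creation and connection records. The record shapes, the 60 s window check and the sample events are assumptions; the process names, staging directories, C2 IPs and beacon port come from the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Values taken from this post's detection rules and IOC appendix.
FMC_SERVICE_PROCESSES = {"httpd", "java", "tomcat-worker"}
DOWNLOADER_CHILDREN = {"curl", "wget", "bash"}
STAGING_DIRS = ("/tmp/", "/dev/shm/")   # world-writable staging locations
C2_IPS = {"144.172.94.59", "199.217.99.121", "188.245.41.78",
          "144.172.110.106", "95.217.22.175", "37.27.244.222"}
C2_BEACON_PORT = 45588
STAGING_WINDOW = timedelta(seconds=60)

@dataclass
class ProcEvent:            # one process-creation record (assumed shape)
    ts: datetime
    parent: str
    child: str
    new_file: str = ""      # path the child wrote, if any

@dataclass
class NetEvent:             # one outbound-connection record (assumed shape)
    ts: datetime
    process: str
    dst_ip: str
    dst_port: int

def elf_staging_alerts(events: list, fmc_activity: list) -> list:
    """Rule 1: an FMC web process spawns a downloader that writes into a
    world-writable directory within 60 s of FMC web activity."""
    alerts = []
    for ev in events:
        if ev.parent not in FMC_SERVICE_PROCESSES or ev.child not in DOWNLOADER_CHILDREN:
            continue
        if not ev.new_file.startswith(STAGING_DIRS):
            continue
        # time_since_fmc_activity < 60s: some FMC request shortly before the spawn
        if any(timedelta(0) <= ev.ts - t < STAGING_WINDOW for t in fmc_activity):
            alerts.append(f"{ev.ts.isoformat()} {ev.parent}->{ev.child} staged {ev.new_file}")
    return alerts

def c2_egress_alerts(events: list) -> list:
    """Rule 2: FMC server process AND (known C2 IP OR the 45588 beacon port)."""
    return [f"{ev.ts.isoformat()} {ev.process} -> {ev.dst_ip}:{ev.dst_port}"
            for ev in events
            if ev.process in FMC_SERVICE_PROCESSES
            and (ev.dst_ip in C2_IPS or ev.dst_port == C2_BEACON_PORT)]

# Constructed sample telemetry (not a real capture): T0 is an assumed FMC web hit; the
# first process event fires, the second is outside the window; both net events fire.
T0 = datetime(2026, 1, 26, 3, 14, 0)
FMC_ACTIVITY = [T0]
PROC_EVENTS = [ProcEvent(T0 + timedelta(seconds=12), "java", "curl", "/tmp/.cache-update"),
               ProcEvent(T0 + timedelta(minutes=30), "java", "bash", "/tmp/backup.sh")]
NET_EVENTS = [NetEvent(T0 + timedelta(seconds=20), "java", "37.27.244.222", 443),
              NetEvent(T0 + timedelta(seconds=40), "java", "203.0.113.9", 45588)]
```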

Additional behaviors to alert on:

  • DNS queries for the C2 domains in the appendix (cherryberry.click, ms-server-default.com, os-update-server.*, etc.).
  • TLS fingerprints matching the JA3/JA4 values below.
  • File writes — ZIP archives in \\hostname\Temp or C:\Windows\Temp (staging), plus the Certify and screen-locker hashes.
  • Ransomware behavior and Volume Shadow Copy deletion — run these detections in prevent mode, not detect-only.
  • Anomalous RDP authentications and lateral movement following recon spikes.
  • Scheduled task creation by non-standard parent processes.
  • Unexpected ConnectWise ScreenConnect installs — treat any undocumented new install as backdoor deployment.

Why This Keeps Happening

CVE-2026-20131 is part of an accelerating pattern: ransomware crews acquiring and weaponizing zero-days against security infrastructure itself — firewalls, VPN concentrators, management consoles. It echoes CVE-2023-20269 (Cisco ASA/FTD, exploited by Akira and LockBit), CVE-2024-3400 (PAN-OS), and CVE-2025-0282 (Ivanti Connect Secure).

Security infrastructure is a high-value target for three structural reasons: compromise grants network-wide visibility and movement; responsible-disclosure timelines create exploitable windows between discovery and patch; and defenders rarely have EDR/XDR coverage on network appliances the way they do on endpoints.

Your endpoints are watched. Your firewall manager probably isn't. Attackers know which gap is wider.

Interlock's leap from a 2024 commodity operator to a zero-day-capable actor — with custom RATs, fileless webshells, log-deletion tradecraft, and fallback persistence — is the story here. IBM X-Force's attribution of Slopoly, an AI-generated malware strain, to Interlock suggests AI-assisted development is now in their pipeline. And CWE-502 itself remains a chronic enterprise wound a decade after Frohoff and Lawrence's 2015 disclosure: Java serialization is woven into legacy apps, safe fixes take real engineering, and toolkits like ysoserial keep the exploitation bar low.

Action Checklist

Immediate (0–72 hours)

  1. Patch every Cisco Secure FMC instance to a fixed release; treat as emergency maintenance.
  2. Audit exposure — confirm no FMC management interface (443, 8305) is externally reachable.
  3. Hunt IOCs — sweep Linux/Windows/macOS hosts for the C2 IPs/domains, the Certify and screen-locker hashes, and the JA3/JA4 fingerprints.
  4. Update WAF rules — push Java deserialization blocks and exploit source-IP blocks.

Short-term (1–4 weeks)

  1. Retrospective log review — examine perimeter/WAF logs for Jan 26 – Mar 22, 2026 for historical compromise warranting IR.
  2. Segmentation review — FMC reachable only from dedicated management VLANs behind MFA-protected jump hosts.
  3. Rotate credentials — if FMC was exposed during the zero-day window, rotate everything reachable from it: managed firewall creds, LDAP/AD service accounts, API keys.
  4. Harden endpoint policy — ransomware-behavior and shadow-copy-deletion detections in prevention mode.
  5. Monitor task/service creation by non-standard parents.

Strategic (1–3 months)

  1. Reduce security-infra attack surface — audit every internet-exposed management interface (SIEM, EDR consoles, firewall management, VPN portals); enforce VPN/zero-trust gateway plus MFA plus IP allowlisting.
  2. Java deserialization controls — audit whether serialization is required; apply ObjectInputFilter or move to JSON/protobuf.
  3. Threat-intel integration — ingest Interlock C2 indicators into WAF blocklists and EDR feeds.
  4. IR runbooks for management-plane compromise — the response differs from endpoint ransomware because the adversary may control firewall policy itself.

IOC Appendix

IP Addresses

| Indicator | Role | First seen |
|---|---|---|
| 206.251.239.164 | Exploit source | January 2026 |
| 199.217.98.153 | Exploit source | March 2026 |
| 89.46.237.33 | Exploit source | March 2026 |
| 144.172.94.59 | C2 / backend | 2026 |
| 199.217.99.121 | C2 fallback | 2026 |
| 188.245.41.78 | C2 fallback | 2026 |
| 144.172.110.106 | Backend C2 | 2026 |
| 95.217.22.175 | Backend C2 | 2026 |
| 37.27.244.222 | Staging host | 2026 |

Domains

| Indicator | Role |
|---|---|
| cherryberry.click | Exploit / staging |
| ms-server-default.com | Exploit / staging |
| initialize-configs.com | Exploit / staging |
| ms-global.first-update-server.com | Exploit / staging |
| ms-sql-auth.com | Exploit / staging |
| kolonialeru.com | Exploit / staging |
| sclair.it.com | Exploit / staging |
| browser-updater.com / browser-updater.live | C2 |
| os-update-server.com / .org / .live / .top | C2 |

File Hashes (SHA-256)

| Hash | Artifact |
|---|---|
| d1caa376cb45b6a1eb3a45c5633c5ef75f7466b8601ed72c8022a8b3f6c1f3be | Certify (AD CS exploitation) |
| 6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f | Screen locker binary |

TLS Fingerprints

| Type | Value |
|---|---|
| JA3 | b885946e72ad51dca6c70abc2f773506 |
| JA3 | f80d3d09f61892c5846c854dd84ac403 |
| JA4 | t13i1811h1_85036bcba153_b26ce05bbdd6 |
| JA4 | t13i4311h1_c7886603b240_b26ce05bbdd6 |

Network and Other Indicators

  • TCP port 45588 — Interlock C2 beacon listener.
  • User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0 (exploit and implant traffic).
  • AES-128 key seed: geckoformboundary99fec155ea301140cbe26faf55ed2f40 (Java webshell).
  • Tor portal: ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/chat.php (ransom communication).

The Takeaway

The lesson of CVE-2026-20131 isn't "patch your firewalls" — though you should, today. It's that the device enforcing your network policy is now a primary ransomware target, and it almost certainly has thinner telemetry than the laptops it protects. Close that gap before the next zero-day finds it.

If you're not sure whether your management-plane infrastructure is exposed — or whether you have detection coverage for behavior like the kill chain above — that's exactly the kind of question our team helps answer. For a faster line, reach us at support@eagleeye-sec.com.

References

  1. NVD — CVE-2026-20131
  2. AWS Security Blog — Interlock campaign targeting enterprise firewalls
  3. BleepingComputer — Interlock exploited Secure FMC flaw since January
  4. Help Net Security — Cisco FMC flaw exploited weeks before patch
  5. The Hacker News — Interlock exploits Cisco FMC zero-day for root
  6. Recorded Future — March 2026 CVE Landscape
  7. The Record — Interlock exploited Cisco firewall zero-day before disclosure
  8. Security Affairs — Interlock exploiting CVE-2026-20131 36 days before disclosure
  9. CISA — #StopRansomware: Interlock (AA25-203A)
  10. Hive Pro — Interlock exploits critical Cisco Secure FMC flaw
  11. Horizon3.ai — CVE-2026-20131 Cisco FMC RCE
  12. FortiGuard Labs — Interlock Ransomware: New Techniques, Same Old Tricks
  13. Dark Reading — Interlock Targets Cisco Enterprise Firewalls
  14. SC World — Interlock targeting of max-severity Cisco FMC zero-day