
Interlock ransomware leverages Cisco FMC insecure deserialization zero-day (CVE-2026-20131) for root access

3 unique sources, 3 articles

Summary


A critical insecure deserialization vulnerability in Cisco Secure Firewall Management Center (FMC) Software, tracked as CVE-2026-20131 (CVSS 10.0), is being actively exploited by the Interlock ransomware group to gain unauthenticated remote root access on unpatched systems. The flaw enables unauthenticated remote attackers to bypass authentication and execute arbitrary Java code with root privileges via crafted HTTP requests to a specific endpoint. Exploitation has been observed as a zero-day since January 26, 2026, more than a month before public disclosure and patch availability. Cisco issued its first advisory for CVE-2026-20131 on March 4, 2026, and Amazon Threat Intelligence confirmed active exploitation by Interlock starting in late January. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal agencies to patch by March 22, 2026, under BOD 22-01. Post-exploitation tooling includes custom JavaScript/Java RATs, PowerShell reconnaissance scripts, Linux reverse proxy configuration tools, memory-resident web shells, and ConnectWise ScreenConnect for persistence. Compromised environments are leveraged for ransomware operations and secondary monetization. AWS’s detailed analysis reveals additional post-exploitation components such as a memory-resident backdoor intercepting HTTP requests, Volatility for RAM credential parsing, and Certify for Active Directory Certificate Services misconfiguration exploitation.

Timeline

  1. 18.03.2026 18:00 · 3 articles

    Interlock ransomware exploits Cisco FMC zero-day (CVE-2026-20131) for initial access and root compromise

    Unauthenticated, remote attackers began exploiting CVE-2026-20131 in Cisco Secure Firewall Management Center (FMC) Software on or around January 26, 2026, achieving root-level code execution via insecure deserialization of user-supplied Java byte streams. The attack begins with crafted HTTP requests to a specific FMC endpoint, followed by confirmation via HTTP PUT, then retrieval of ELF binaries from remote infrastructure. The payloads include reconnaissance scripts, custom RATs, Linux reverse proxy tools, web shells, and ScreenConnect for persistence. Cisco published its first security bulletin for CVE-2026-20131 on March 4, 2026. Amazon Threat Intelligence confirmed active exploitation by the Interlock ransomware group starting in late January 2026, and CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by March 22, 2026. Updated March 23, 2026: AWS's detailed analysis reveals additional post-exploitation components, including a memory-resident HTTP-intercepting backdoor, Volatility for parsing credentials from RAM to enable lateral movement, and Certify for exploiting Active Directory Certificate Services misconfigurations for privilege escalation and persistence.


Similar Happenings

Langflow unauthenticated RCE vulnerability (CVE-2026-33017) exploited within 20 hours of disclosure

Within 20 hours of the public disclosure of an unauthenticated remote code execution vulnerability in Langflow (CVE-2026-33017), threat actors began exploiting exposed instances to execute arbitrary Python code, harvest credentials, and potentially compromise connected databases and software supply chains. The vulnerability, assigned a CVSS score of 9.3, requires no authentication and can be triggered via a single HTTP POST request to the /api/v1/build_public_tmp/{flow_id}/flow endpoint, where attacker-controlled data is passed to an unsandboxed exec() call. The flaw affects all versions of Langflow prior to and including 1.8.1, with a fix available in development version 1.9.0.dev8. It was discovered by security researcher Aviral Srivastava and reported on February 26, 2026. Sysdig observed the first exploitation attempts within 20 hours of the March 17, 2026 advisory, despite the absence of a public proof-of-concept. Attackers rapidly progressed from automated scanning to staged payload delivery and credential harvesting, including extraction of environment variables, configuration files, and database contents. The incident underscores the accelerating timeline of vulnerability weaponization, where attackers now routinely exploit flaws within hours of disclosure, far outpacing typical patching timelines for defenders.

Critical Authentication Bypass in Cisco Catalyst SD-WAN Exploited Since 2023

A critical authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN has been actively exploited in zero-day attacks since at least 2023. The flaw allows remote attackers to compromise controllers and add malicious rogue peers to targeted networks. The vulnerability stems from an improperly functioning peering authentication mechanism, enabling attackers to log in as high-privileged users and manipulate network configurations. Cisco has released specific software updates to address the issue, and CISA has issued an emergency directive requiring federal agencies to patch affected systems by February 27, 2026. Attackers have been found to leverage the built-in update mechanism to stage a software version downgrade and escalate to the root user by exploiting CVE-2022-20775, and have taken steps to clear evidence of the intrusion by purging logs and command history. Additionally, Cisco has flagged two more Catalyst SD-WAN Manager security flaws (CVE-2026-20128 and CVE-2026-20122) as actively exploited in the wild, urging administrators to upgrade vulnerable devices. CVE-2026-20128 is an information disclosure issue affecting the Data Collection Agent (DCA) feature, allowing an authenticated, local attacker to gain DCA user privileges. CVE-2026-20122 is an arbitrary file overwrite bug affecting the API, allowing a remote, authenticated attacker to overwrite arbitrary files and gain elevated privileges. Cisco Talos has linked the attacks exploiting CVE-2026-20127 to UAT-8616, a highly sophisticated threat actor active since at least 2023. Cisco has also released updates to address two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software: CVE-2026-20079 and CVE-2026-20131.

Critical Pre-Auth RCE Vulnerability in BeyondTrust Remote Support and PRA

BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw could allow unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates if not subscribed to automatic updates. The vulnerability was discovered on January 31, 2026, with approximately 11,000 exposed instances identified, including around 8,500 on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability. Attackers have begun actively exploiting CVE-2026-1731 in the wild, abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. A proof-of-concept exploit targeting the /get_portal_info endpoint was published on GitHub. Threat actors have been observed exploiting CVE-2026-1731 to conduct network reconnaissance, deploy web shells, establish command-and-control (C2) channels, install backdoors and remote management tools, perform lateral movement, and exfiltrate data. The attacks have targeted financial services, legal services, high technology, higher education, wholesale and retail, and healthcare sectors across the U.S., France, Germany, Australia, and Canada. The vulnerability enables attackers to inject and execute arbitrary shell commands via the affected 'thin-scc-wrapper' script through the WebSocket interface. Attackers have deployed multiple web shells, including a PHP backdoor and a bash dropper, to maintain persistent access. Malware such as VShell and Spark RAT has been deployed as part of the exploitation. Out-of-band application security testing (OAST) techniques have been used to validate successful code execution and fingerprint compromised systems. Sensitive data, including configuration files, internal system databases, and a full PostgreSQL dump, has been exfiltrated to an external server. CVE-2026-1731 and CVE-2024-12356 share a common issue with input validation within distinct execution pathways. CVE-2026-1731 could attract sophisticated threat actors, similar to CVE-2024-12356, which was exploited by China-nexus threat actors such as Silk Typhoon. CISA has confirmed that CVE-2026-1731 has been exploited in ransomware campaigns. CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog on February 13 and gave federal agencies three days to apply the patch or stop using the product. Proof-of-concept (PoC) exploits for CVE-2026-1731 became available shortly after the initial disclosure, and exploitation was detected on January 31, making it a zero-day vulnerability for at least a week. CISA has activated the 'Known To Be Used in Ransomware Campaigns?' indicator in the KEV catalog for CVE-2026-1731. Customers of the cloud-based application (SaaS) had the patch applied automatically on February 2. Self-hosted instance customers need to either enable automatic updates or manually install the patch. For Remote Support, the recommended version is 25.3.2. For Privileged Remote Access, the recommended version is 25.1.1 or newer. Customers still using RS v21.3 and PRA v22.1 are recommended to upgrade to a newer version before applying the patch.

CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog

CISA added the stored cross-site scripting (XSS) vulnerability CVE-2025-66376 in Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog on March 18, 2026. The flaw, patched in early November 2025, allows unauthenticated attackers to execute arbitrary JavaScript via malicious HTML emails, enabling session hijacking and data theft in compromised Zimbra environments. CISA ordered U.S. federal agencies to patch the flaw by April 1, 2026 under BOD 22-01 and encouraged all organizations to apply mitigations promptly. Russian state-sponsored threat group APT28 (Fancy Bear, Strontium), linked to Russia's military intelligence service (GRU), is actively exploiting CVE-2025-66376 in attacks targeting Ukrainian government entities, including the Ukrainian State Hydrology Agency, as part of a phishing campaign codenamed Operation GhostMail. The attack chain relies on malicious HTML email bodies with obfuscated JavaScript payloads that execute silently in vulnerable Zimbra webmail sessions to harvest credentials, session tokens, 2FA codes, saved passwords, and mailbox contents dating back 90 days, with data exfiltrated over DNS and HTTPS. This exploitation follows prior Russian campaigns against Zimbra infrastructure, including operations by Winter Vivern (since February 2023) and APT29 (Cozy Bear, Midnight Blizzard) in October 2024.

Increased Scanning for PAN-OS GlobalProtect Vulnerability

The Interlock ransomware gang has exploited a zero-day RCE vulnerability (CVE-2026-20131) in Cisco’s Secure Firewall Management Center (FMC) software since January 26, 2026, two months before Cisco’s March 4, 2026 patch. The flaw, enabling unauthenticated root-level code execution via the web interface, was actively exploited against enterprise firewalls until at least mid-March 2026. AWS CISO CJ Moses confirmed the timeline and provided rare operational visibility into Interlock’s post-exploitation activities, including PowerShell-based network enumeration, deployment of custom JavaScript and Java RATs, and a memory-resident webshell for evasion. The group also installed ConnectWise ScreenConnect as a backup access method. Cisco’s March 4 patch addressed the insecure Java deserialization flaw in the management interface. Interlock’s activities align with their broader campaigns targeting critical infrastructure, including prior links to ClickFix and NodeSnake malware against U.K. universities since 2024.