Cisco disclosed CVE-2026-20131 in Firepower Management Center yesterday, a CVSS 10.0 authentication bypass that Interlock ransomware has been exploiting since late February.

Timeline

The gap between initial exploitation and public disclosure was 36 days. During that window, Interlock used the vulnerability to pivot from FMC appliances into internal networks, deploying ransomware across at least a dozen known victims.

What’s vulnerable

Any Cisco FMC instance exposed to a network an attacker can reach. The bug is in the authentication handler for the web management interface — no credentials required, no user interaction needed.

Why this matters for infrastructure teams

If you run FMC in your environment, the question isn’t whether to patch — it’s whether you were already compromised during the 36-day window. Cisco’s advisory includes IOCs, but the Interlock crew is known for cleaning up after themselves.

Network appliance vulnerabilities have been dominating the threat landscape in 2026. Cisco, Citrix, and F5 have all had actively exploited zero-days this quarter alone. The pattern is clear: the devices you trust to protect your perimeter are the ones being turned against you.

What to do

  1. Patch immediately — Cisco has released fixes for all supported FMC versions
  2. Hunt for IOCs from the advisory in your FMC logs going back to February 23
  3. Check for unexpected admin accounts or configuration changes on your FMC
  4. If you find anything, assume lateral movement and scope the response accordingly
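
A triage pass covering steps 2 and 3, as an added example that is not from Cisco's advisory or the original post. The CSV column names, action values, account names and the 203.0.113.77 address are constructed placeholders, and the year for February 23 is taken from the CVE identifier.

```python
import csv
import io
from datetime import datetime

# Start of the hunt window named in the steps above (year taken from the CVE id).
WINDOW_START = datetime(2026, 2, 23)

# Constructed sample export. Column names and action values are assumptions,
# not Cisco's audit-log schema; map them to the fields in your real export.
SAMPLE_CSV = """timestamp,user,src_ip,action,detail
2026-02-20T09:14:00,alice,10.0.5.20,policy_deploy,Deployed access policy
2026-02-25T02:41:00,admin,203.0.113.77,login,Web UI session opened
2026-02-25T02:43:00,admin,203.0.113.77,user_create,svc-backup
2026-03-02T11:05:00,alice,10.0.5.20,policy_deploy,Deployed access policy
2026-03-04T03:12:00,svc-backup,10.0.5.99,config_change,Modified syslog settings
"""

CHANGE_ACTIONS = {"user_create", "config_change", "policy_deploy"}


def triage(csv_text, known_admins, ioc_ips, since=WINDOW_START):
    """Return (timestamp, reason, row) findings for events inside the window."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.fromisoformat(row["timestamp"])
        if when < since:
            continue  # before the exposure window
        if row["src_ip"] in ioc_ips:
            findings.append((when, "source IP matches advisory IOC", row))
        if row["action"] == "user_create" and row["detail"] not in known_admins:
            findings.append((when, "account created outside allowlist", row))
        if row["action"] in CHANGE_ACTIONS and row["user"] not in known_admins:
            findings.append((when, "change made by unrecognised account", row))
    return sorted(findings, key=lambda f: f[0])  # stable: keeps per-row order


if __name__ == "__main__":
    # Placeholders: load the real IOC list from the vendor advisory and the
    # admin allowlist from your own records.
    hits = triage(SAMPLE_CSV, known_admins={"admin", "alice"},
                  ioc_ips={"203.0.113.77"})
    for when, reason, row in hits:
        print(when.isoformat(), reason, row["user"], row["src_ip"], row["action"])
```

An empty result does not clear the appliance, since the Interlock crew is known for cleaning up after themselves; run the same pass over any copy of the logs that was forwarded off the FMC.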