VulnHub

Real-time Cybersecurity News

Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access

The Hacker News
Actively Exploited
RansomwareCVEZero-dayCiscoVulnerabilityCriticalAmazon

Overview

Amazon Threat Intelligence has issued a warning regarding an active ransomware campaign known as Interlock, which is exploiting a significant vulnerability in Cisco's Secure Firewall Management Center (FMC) Software. This vulnerability, identified as CVE-2026-20131, has a maximum severity score of 10.0 and stems from an insecure deserialization of user-supplied Java byte streams. This flaw could allow attackers to gain root access without authentication, posing a serious risk to organizations using affected Cisco products. The exploitation of this vulnerability is concerning as it enables unauthorized access, potentially leading to data breaches and system compromises. Companies using Cisco FMC Software must take immediate action to protect their systems from this ongoing threat.

Key Takeaways

  • Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
  • Affected Systems: Cisco Secure Firewall Management Center (FMC) Software
  • Action Required: Organizations should immediately update their Cisco FMC Software to the latest version to mitigate this vulnerability.
  • Timeline: Newly disclosed

Original Article Summary

Amazon Threat Intelligence is warning of an active Interlock ransomware campaign that's exploiting a recently disclosed critical security flaw in Cisco Secure Firewall Management Center (FMC) Software. The vulnerability in question is CVE-2026-20131 (CVSS score: 10.0), a case of insecure deserialization of user-supplied Java byte stream, which could allow an unauthenticated, remote attacker to

Impact

Cisco Secure Firewall Management Center (FMC) Software

Exploitation Status

This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.

Timeline

Newly disclosed

Remediation

Organizations should immediately update their Cisco FMC Software to the latest version to mitigate this vulnerability. Additionally, they should review their security configurations and consider implementing network segmentation and access controls to limit exposure.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to Ransomware, CVE, Zero-day, and 4 more.

Read Original Article

Related Coverage

Cisco warns of unpatched AsyncOS zero-day exploited in attacks

BleepingComputer

Cisco has issued a warning regarding a serious zero-day vulnerability in its AsyncOS software that is currently being exploited in the wild. This flaw affects Cisco's Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances, leaving customers vulnerable to potential attacks. The zero-day has been classified with maximum severity, indicating the urgency for organizations using these products to take action. As of now, there are no patches available to address this vulnerability, which raises concerns about the security of email communications for affected users. Companies that rely on these Cisco products should closely monitor their systems and implement any available security measures to mitigate risks until a fix is released.

Dec 17, 2025

China-Linked Hackers Exploiting Zero-Day in Cisco Security Gear

SecurityWeek

A new vulnerability, tracked as CVE-2025-20393, has been discovered in Cisco's Secure Email Gateway and Secure Email and Web Manager appliances. This zero-day flaw is reportedly being exploited by hackers linked to China, posing a significant risk to organizations using these products. The vulnerability allows attackers to bypass security controls, potentially leading to unauthorized access and data breaches. Companies using these Cisco appliances should prioritize patching and monitoring their systems to mitigate the risks associated with this exploit. The discovery of this flaw is particularly concerning given the ongoing cyber threats targeting critical infrastructure and enterprise environments.

Dec 18, 2025

China-linked APT UAT-9686 is targeting Cisco Secure Email Gateway and Secure Email and Web Manager

Security Affairs

Cisco has disclosed a critical zero-day vulnerability, tracked as CVE-2025-20393, affecting its Secure Email Gateway and Secure Email/Web Manager products. This vulnerability is currently being exploited by a China-linked advanced persistent threat group known as UAT-9686. The attack campaign began on December 10 and targets specific systems, raising significant concerns for organizations relying on these Cisco products. Users and administrators should be particularly vigilant, as this active exploitation could lead to unauthorized access and data breaches. The urgency of addressing this vulnerability cannot be overstated, given its potential impact on email security and the sensitive information handled by these systems.

Dec 19, 2025

Week in review: Exploited zero-day in Cisco email security appliances, Kali Linux 2025.4 released

Help Net Security

Last week, a zero-day vulnerability was discovered in Cisco email security appliances, which has been actively exploited by attackers. This flaw affects multiple versions of Cisco's email security products, putting organizations that rely on these systems at risk of data breaches and unauthorized access. Cisco has acknowledged the issue and is urging users to implement security measures while they work on a patch. The exploitation of this vulnerability raises significant concerns for businesses using Cisco's email solutions, as it could lead to serious security incidents if not addressed promptly. Users should stay vigilant and monitor for any updates from Cisco regarding remediation steps.

Dec 21, 2025

Cisco switches hit by reboot loops due to DNS client bug

BleepingComputer

Several models of Cisco switches are experiencing reboot loops triggered by fatal errors in their DNS client. This issue has been reported by users and confirmed by BleepingComputer, indicating a significant problem that could disrupt network operations for affected organizations. The models impacted include various Cisco switches, which are widely used in enterprise environments. The reboot loops not only lead to downtime but could also complicate network management and security efforts. Ensuring stable and reliable network infrastructure is crucial for businesses, making this bug a serious concern for IT departments.

Jan 8, 2026

Cisco ISE, ISE-PIC flaw patched following PoC exploit release

SCM feed for Latest

Cisco has released updates to address a medium-severity vulnerability in its Identity Services Engine (ISE) and ISE Passive Identity Connector, identified as CVE-2026-20029. This flaw was brought to light following the publication of a proof-of-concept exploit, raising concerns about its potential exploitation. Organizations using these Cisco products are at risk, as the vulnerability could allow unauthorized access or manipulation of identity services. It’s crucial for affected users to apply the updates promptly to safeguard their networks and data from possible attacks. The quick response from Cisco highlights the ongoing need for vigilance in cybersecurity practices.

Jan 9, 2026