
Cisco FMC Zero Day Exploited

A remote code execution vulnerability, CVE-2026-20131, in Cisco Secure Firewall Management Center (Secure FMC) has been confirmed as actively exploited in real-world attacks. Cisco disclosed the vulnerability on March 4, 2026 and provided patched versions. However, Amazon Threat Intelligence reports that the Interlock ransomware group had already been exploiting it since January 26, 2026.


The critical point is that exploitation began before public disclosure.



Cisco Secure FMC Vulnerability Overview

The issue originates in the Secure FMC web management interface, where externally supplied Java serialized data is not handled securely. According to Cisco and NVD, an attacker can send a crafted serialized object to achieve unauthenticated remote execution of arbitrary Java code, potentially escalating to root-level access. Because no credentials are required, any host that can reach the management interface is a potential source of the attack. The vulnerability carries a CVSS score of 10.0, reflecting its critical severity.


More important than the flaw itself is how it has already been used. Amazon Threat Intelligence identified real attack activity involving this vulnerability, tracking malicious requests, follow-up URLs, and delivery of additional ELF payloads. Their analysis indicates that Interlock ransomware operators incorporated this vulnerability into their attack chain.


This confirms that exploitation was already in progress before public disclosure. Secure FMC functions as a centralized control layer for firewall policies and infrastructure, so a compromised FMC does not remain an isolated foothold: it gives attackers visibility into the environment and a path to lateral movement across the firewalls and systems it manages.


Impact Scope

The primary affected environment is on-premises Cisco Secure FMC deployments. If the web management interface is exposed to the internet, that exposure should be removed immediately.

Limiting exposure reduces the attack surface, but operating a vulnerable version still represents a direct risk: the flaw is reachable by anyone who can reach the interface, including from inside the network.


Affected and fixed versions are summarized below. Affected ranges are inclusive. Note that the 6.4.x, 7.1.x and 7.3.x ranges are mapped to a fixed release in a later train rather than to a fix within their own train:

  Affected Versions         Fixed Versions
  6.4.0.13 to 6.4.0.18      7.0.9 or later
  7.0.0 to 7.0.8.1          7.0.9 or later
  7.1.0 to 7.1.0.3          7.2.11 or later
  7.2.0 to 7.2.10.2         7.2.11 or later
  7.3.0 to 7.3.1.2          7.4.6 or later
  7.4.0 to 7.4.5            7.4.6 or later
  7.6.0 to 7.6.4            7.6.5 or later
  7.7.0 to 7.7.11           7.7.12 or later
  10.0.0                    10.0.1 or later


Some advisories, including CISA KEV and CSA Singapore, also reference Cisco Security Cloud Control (SCC) Firewall Management as potentially impacted.

Organizations should verify whether they are operating on-premises Secure FMC and whether their environment is managed via SCC.
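As an added example (not code from this page's source or from Cisco), the following Python encodes the table above and classifies a running Secure FMC version against it. The point it makes is that version strings must be compared numerically, component by component: as plain strings, "10.0.0" sorts before "7.7.11" and "6.4.0.9" sorts after "6.4.0.13", so a naive string comparison would misclassify both. The check_version function and its status labels are this example's own; a version the table does not cover is reported as not_listed rather than guessed.

```python
import re

# Affected ranges (inclusive) and fixed releases as listed in the table above.
# The 6.4.x, 7.1.x and 7.3.x ranges map to a fixed release in a later train.
AFFECTED = [
    (("6.4.0.13", "6.4.0.18"), "7.0.9"),
    (("7.0.0", "7.0.8.1"), "7.0.9"),
    (("7.1.0", "7.1.0.3"), "7.2.11"),
    (("7.2.0", "7.2.10.2"), "7.2.11"),
    (("7.3.0", "7.3.1.2"), "7.4.6"),
    (("7.4.0", "7.4.5"), "7.4.6"),
    (("7.6.0", "7.6.4"), "7.6.5"),
    (("7.7.0", "7.7.11"), "7.7.12"),
    (("10.0.0", "10.0.0"), "10.0.1"),
]


def parse_version(v: str) -> tuple:
    """'7.0.8.1' -> (7, 0, 8, 1).

    Integer tuples compare component by component, which is what version
    ordering needs. Plain strings do not: '10.0.0' < '7.7.11' and
    '6.4.0.9' > '6.4.0.13' as strings, both of which are wrong.
    """
    if not re.fullmatch(r"\d+(?:\.\d+)*", v):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(part) for part in v.split("."))


def check_version(v: str) -> dict:
    """Classify a Secure FMC version against the table.

    status is one of (labels are this example's own, not Cisco's):
      affected   - inside a listed affected range; upgrade_to is the fixed release
      fixed      - at or above the fixed release of the same major.minor train
      not_listed - not covered by the table; confirm against Cisco's advisory
    """
    ver = parse_version(v)
    for (lo, hi), fixed in AFFECTED:
        if parse_version(lo) <= ver <= parse_version(hi):
            return {"version": v, "status": "affected", "upgrade_to": fixed}
    for _, fixed in AFFECTED:
        fixed_t = parse_version(fixed)
        if ver[:2] == fixed_t[:2] and ver >= fixed_t:
            return {"version": v, "status": "fixed", "upgrade_to": None}
    return {"version": v, "status": "not_listed", "upgrade_to": None}


def report(versions) -> list:
    """Run check_version over an inventory of version strings (one per FMC)."""
    return [check_version(v) for v in versions]


if __name__ == "__main__":
    # Constructed inventory for illustration, not real hosts.
    for result in report(["7.0.8.1", "7.0.9", "7.1.0.3", "10.0.0", "6.4.0.9"]):
        print(result)
```

Feed report() the version strings from your own inventory; anything that comes back as not_listed (for example a 6.4.0.x build below 6.4.0.13, or a 7.5.x build the page does not mention) should be checked against Cisco's advisory rather than assumed safe.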


Recommendations

The following areas should be reviewed in active environments:

  • Exposure of the web management interface to the internet

  • Use of vulnerable versions

  • Application of patched versions

  • Presence of abnormal traffic

  • Communication with infrastructure identified by Amazon


Exploitation activity has been observed since January 26, 2026, more than five weeks before the March 4 disclosure, so applying patches alone is not sufficient: a system patched on or after disclosure may already have been compromised.

Review whether there are traces of abnormal requests to the management interface, malicious file downloads, or upload activity linked to this vulnerability. Amazon Threat Intelligence has released related network indicators of compromise.


Network IOC


IP Addresses

  • 206[.]251[.]239[.]164

  • 199[.]217[.]98[.]153

  • 89[.]46[.]237[.]33

  • 144[.]172[.]94[.]59

  • 199[.]217[.]99[.]121

  • 188[.]245[.]41[.]78

  • 144[.]172[.]110[.]106

  • 95[.]217[.]22[.]175

  • 37[.]27[.]244[.]222


Domains

  • cherryberry[.]click

  • ms-server-default[.]com

  • initialize-configs[.]com

  • ms-global[.]first-update-server[.]com

  • ms-sql-auth[.]com

  • kolonialeru[.]com

  • sclaire[.]it[.]com

  • browser-updater[.]com

  • browser-updater[.]live

  • os-update-server[.]com

  • os-update-server[.]org

  • os-update-server[.]live

  • os-update-server[.]top
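As an added example (not the page's own or Amazon's tooling), the following Python refangs the indicators above and runs them over a few constructed log lines of the kinds a practitioner would check: the FMC web server access log, DNS query logs and outbound firewall logs. Domain matching is suffix-based, so a query for any subdomain of a listed domain matches, while the bare parent of the one listed subdomain (first-update-server.com) does not, because the page does not list it. The log line formats are invented for illustration; adapt the regexes to your own sources.

```python
import re
from ipaddress import ip_address
from typing import Optional

# Indicators exactly as published above (defanged with "[.]"); refanged at load time.
RAW_IPS = [
    "206[.]251[.]239[.]164", "199[.]217[.]98[.]153", "89[.]46[.]237[.]33",
    "144[.]172[.]94[.]59", "199[.]217[.]99[.]121", "188[.]245[.]41[.]78",
    "144[.]172[.]110[.]106", "95[.]217[.]22[.]175", "37[.]27[.]244[.]222",
]
RAW_DOMAINS = [
    "cherryberry[.]click", "ms-server-default[.]com", "initialize-configs[.]com",
    "ms-global[.]first-update-server[.]com", "ms-sql-auth[.]com", "kolonialeru[.]com",
    "sclaire[.]it[.]com", "browser-updater[.]com", "browser-updater[.]live",
    "os-update-server[.]com", "os-update-server[.]org", "os-update-server[.]live",
    "os-update-server[.]top",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('1[.]2[.]3[.]4') back into its real form."""
    return ioc.replace("[.]", ".").lower()


IOC_IPS = {refang(i) for i in RAW_IPS}
IOC_DOMAINS = {refang(d) for d in RAW_DOMAINS}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def domain_matches(host: str) -> Optional[str]:
    """Return the listed domain if host equals it or is a subdomain of it.

    The parent of a listed subdomain (first-update-server.com on its own) is
    not matched, because the page only lists ms-global.first-update-server.com.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_line(line: str) -> list:
    """Return (kind, indicator) pairs found in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        try:
            ip_address(ip)
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        matched = domain_matches(host)
        if matched:
            hits.append(("domain", matched))
    return hits


def scan_log(lines) -> list:
    """Scan an iterable of log lines; return (line_number, line, hits) for each match."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((number, line.rstrip("\n"), hits))
    return results


# Constructed sample lines (not real telemetry): an FMC HTTPS access log entry,
# DNS query log entries, and an outbound firewall log entry.
SAMPLE_LOG = [
    '2026-02-03T04:11:52Z fmc01 httpd 199.217.98.153 - "POST / HTTP/1.1" 200 512',
    "2026-02-03T04:12:07Z dns01 query from 10.20.30.41: ms-global.first-update-server.com A",
    "2026-02-03T04:12:09Z fw01 allow tcp 10.20.30.41:49822 -> 37.27.244.222:443",
    "2026-02-03T04:12:30Z dns01 query from 10.20.30.42: updates.vendor.example A",
    "2026-02-03T04:13:00Z dns01 query from 10.20.30.43: first-update-server.com A",
]

if __name__ == "__main__":
    for number, line, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {hits}\n  {line}")
```

Point scan_log() at your real FMC access logs, resolver logs and egress firewall logs for the window starting January 26, 2026. A hit on the management interface's own access log is the more serious finding, since it indicates the attacker reached the vulnerable endpoint directly; a hit in DNS or egress logs from the FMC host indicates follow-up payload or C2 traffic.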


Cisco has not provided a workaround for this vulnerability and recommends applying software updates. Key actions include upgrading to fixed versions and restricting external access to management interfaces.


Why This Matters

This case shows how quickly exposed infrastructure can shift from a risk to an active entry point.

The issue reflects a broader pattern where externally exposed management systems become high value targets, especially when tied to centralized control layers like FMC. This aligns directly with the need for External Attack Surface Management (EASM) and Continuous Threat Exposure Management (CTEM).

Security outcomes are increasingly defined by how quickly exposure is identified, validated, and contained before attackers can operationalize it.


