WAFPlanet
Security News

CISA orders feds to patch max-severity Cisco flaw by Sunday

CISA has ordered federal agencies to patch CVE-2026-20131, a maximum-severity flaw in Cisco Secure Firewall Management Center (FMC), after confirming active exploitation by the Interlock ransomware gang. The deadline was Sunday, March 22.

What happened

Cisco disclosed the vulnerability on March 4. It sits in the web-based management interface of FMC and allows an unauthenticated, remote attacker to execute arbitrary Java code as root. The root cause is insecure deserialization of user-supplied Java byte streams. No workaround exists. You patch or you stop using it.

On March 18, Cisco updated its advisory to confirm exploitation in the wild. Amazon threat intelligence researchers identified the Interlock ransomware group as the actor behind the campaign, noting they had been exploiting it as a zero-day since late January, more than a month before the patch dropped.

Why it matters for WAF teams

This is not a WAF bypass or application-layer attack. It is a direct hit on network security infrastructure. Cisco FMC is the centralized management plane for Cisco firewalls, intrusion prevention, application control, and URL filtering. Compromising FMC means an attacker can reconfigure or disable all downstream security policies.

For organizations running Cloudflare, Akamai, or AWS WAF as their edge WAF alongside Cisco firewalls on the perimeter, the risk is lateral movement. An attacker who owns FMC can punch holes in the internal firewall, leaving the WAF as the last line of defense for anything internet-facing. Teams relying on F5 Advanced WAF or Imperva in similar hybrid setups should audit their segmentation assumptions.

The Interlock angle

Interlock has been busy since late 2024. Their victim list includes DaVita, Kettering Health, Texas Tech University System, and the city of Saint Paul. They combine this kind of infrastructure exploitation with ClickFix social engineering and custom malware including NodeSnake and Slopoly. This is a multi-stage operation, not a spray-and-pray campaign.

WAFPlanet take

When your firewall management plane is the entry point, your entire security stack is compromised from the inside out. This is exactly why defense in depth is not just a buzzword. If your WAF policy, your IPS rules, and your firewall config are all managed through one tool that just got rooted, you have nothing left.

The timeline is brutal. Interlock had over a month of zero-day access before Cisco even published a patch. That is not a criticism of Cisco specifically. It is a reality check on how fast threat actors move versus how fast vendors ship fixes. If you are running Cisco FMC: patch now, review logs back to January, and assume breach until proven otherwise.