WAFPlanet
Security News

CISA Orders US Government to Patch Maximum Severity Cisco Flaw

CISA gives federal agencies three days to patch CVE-2026-20131, a CVSS 10 remote code execution flaw in Cisco Secure Firewall Management Center that the Interlock ransomware group has been exploiting since January.

CISA has ordered all federal civilian agencies to patch CVE-2026-20131, a maximum severity (CVSS 10) remote code execution flaw in Cisco Secure Firewall Management Center. The deadline is three days. That is unusually aggressive, even for CISA: most additions to its Known Exploited Vulnerabilities catalog come with a remediation window of roughly three weeks.

What the vulnerability does

The bug sits in the web-based management interface of Cisco Secure Firewall Management Center (FMC), the centralized control plane for Cisco firewalls, intrusion prevention, URL filtering, and advanced malware protection. The interface deserializes user-supplied Java byte streams without validating them, so an unauthenticated remote attacker who can reach it can submit a crafted object stream and execute arbitrary Java code as root. No credentials are needed, which is what pushes the score to the maximum.
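To make the bug class concrete, the following is an added illustration, not Cisco's code, and it says nothing about how FMC itself is implemented. It shows the generic unsafe pattern (calling ObjectInputStream.readObject() on a request body) beside a hardened version that uses a JEP 290 deserialization filter (Java 9 and later). The StatusRequest message type, the class name DeserializationDemo, and the sample inputs built in main are all hypothetical and constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Illustrative example only (not Cisco FMC code): the generic unsafe-deserialization
// pattern and one hardening with a JEP 290 deserialization filter (Java 9+).
public class DeserializationDemo {

    // Hypothetical message type a management endpoint legitimately expects.
    public static class StatusRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String deviceId;
        public StatusRequest(String deviceId) { this.deviceId = deviceId; }
    }

    // VULNERABLE: readObject() instantiates whatever class the attacker's byte
    // stream names and runs its readObject/readResolve hooks before the cast
    // below is ever evaluated. Gadget chains built from classes already on the
    // classpath turn that into code execution as the server's user.
    public static StatusRequest parseUnsafe(byte[] body)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return (StatusRequest) in.readObject();
        }
    }

    // HARDENED: an allowlist filter admits only the one class we expect and
    // rejects everything else ("!*") before any constructor or hook runs; the
    // depth and size limits also block resource-exhaustion streams.
    public static StatusRequest parseHardened(byte[] body)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "maxdepth=4;maxbytes=4096;" + StatusRequest.class.getName() + ";!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(allowlist);
            return (StatusRequest) in.readObject();  // InvalidClassException if rejected
        }
    }

    // Helper used only to build the constructed sample inputs below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a legitimate request passes the hardened parser.
        byte[] good = serialize(new StatusRequest("fw-edge-01"));
        System.out.println("hardened accepted: " + parseHardened(good).deviceId);

        // Constructed stand-in for an attacker-chosen class. ArrayList is harmless,
        // but the unsafe parser fully deserializes it (running any hooks the class
        // defines) and only then fails at the cast.
        byte[] foreign = serialize(new ArrayList<>(List.of("not", "a", "StatusRequest")));
        try {
            parseUnsafe(foreign);
        } catch (ClassCastException e) {
            System.out.println("unsafe: object was built, only the cast failed");
        }
        try {
            parseHardened(foreign);
        } catch (InvalidClassException e) {
            System.out.println("hardened: rejected before construction: " + e.getMessage());
        }
    }
}
```

The filter is a mitigation, not a cure: if the allowlisted class itself has an exploitable readObject(), or a gadget can be built from allowlisted types, the bug is back. The stronger fix for an unauthenticated endpoint is to stop accepting native Java serialization from the network at all and use a data-only format such as JSON with an explicit schema.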

Cisco patched it on March 4, but by then the Interlock ransomware group had already been exploiting it as a zero-day since late January.

How Interlock used it

AWS published a detailed write-up of the Interlock campaign last week. After gaining initial access through the bug, the group deployed custom JavaScript and Java remote access trojans, a memory-resident backdoor that intercepted HTTP requests entirely in memory to evade antivirus detection, and ConnectWise ScreenConnect as a backup entry point. For credential theft and privilege escalation it used the Volatility memory forensics framework to pull credentials out of RAM and Certify to abuse Active Directory Certificate Services misconfigurations.

The attack chain is thorough: initial access, persistence, lateral movement, credential theft, and backup access paths are all covered.

WAFplanet take

A CVSS 10 with active ransomware exploitation and a three-day patch deadline from CISA. That combination does not happen often. If you run Cisco FMC, this is a drop-everything situation.

The broader lesson: management interfaces remain one of the most dangerous attack surfaces in network security. A web application firewall like Cloudflare, Imperva, or AWS WAF protects the applications you put behind it, but the management plane of your security stack needs its own protection. Restrict management interface access to trusted networks (a dedicated management network or VPN, never the public internet), enforce multi-factor authentication, and patch immediately when critical vulnerabilities drop. One caveat worth stating plainly: MFA would not have stopped this bug, because exploitation requires no authentication at all. Against an unauthenticated RCE, only network restriction and patching help, so check today whether your FMC web interface is reachable from anywhere it should not be.

For organizations running open-appsec or ModSecurity with custom rules, this is also a reminder to audit your own management endpoints. The tools that protect your stack become the entry point if they are left exposed.