A critical vulnerability (CVE-2026-20131) in Cisco's Secure Firewall Management Center (FMC) software was exploited as a zero-day by the Interlock cybercrime group since at least January 26, according to Amazon's threat intelligence team. The vulnerability affects the web-based management interface of FMC and allows remote, unauthenticated attackers to execute arbitrary Java code with root privileges: anyone who can reach the interface over the network can potentially exploit it without credentials. Cisco has acknowledged that restricting internet exposure of the FMC management interface mitigates some of the risk. Successful exploitation could give an attacker full control over firewall configurations and administrative functions, with severe operational disruption as a consequence. Engineers and sysadmins must prioritize patching affected systems.
- Cisco Secure Firewall Management Center (FMC)
- Apply the latest security patches provided by Cisco for FMC. For example, upgrade to version FMC 6.8.1 or higher.
- Restrict internet access to the FMC management interface using network segmentation and firewall rules, so that only trusted IP addresses can reach the web-based management interface.
- Perform a thorough security audit of every system that was potentially exposed through this vulnerability, looking for signs of compromise.
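The two mitigation checks above (only trusted addresses may reach the management interface, and exposed systems get audited) can be scripted. The following is an added example, not code from Cisco or from the original write-up; it assumes the FMC web UI listens on TCP/443, models firewall rules as simple allow/deny entries, and uses constructed sample rules and access-log lines with documentation-range IPs.

```python
"""Audit helpers: flag firewall rules and log entries that expose the FMC web UI
to sources outside the trusted management ranges."""
import ipaddress
import re
from dataclasses import dataclass

MGMT_PORT = 443  # assumption: FMC web management interface over HTTPS


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    source: str   # source network in CIDR notation
    port: int     # destination TCP port


def exposed_sources(rules, trusted_cidrs):
    """Return sources of allow-rules to MGMT_PORT not fully inside a trusted range."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for r in rules:
        if r.action != "allow" or r.port != MGMT_PORT:
            continue
        src = ipaddress.ip_network(r.source)
        # subnet_of() raises on mixed IPv4/IPv6, so compare same-version ranges only
        if not any(src.subnet_of(t) for t in trusted if t.version == src.version):
            findings.append(r.source)
    return findings


# Constructed log format: "<timestamp> src=<ip> dst_port=<port>"
LOG_RE = re.compile(r"src=(\S+)\s+dst_port=(\d+)")


def untrusted_mgmt_hits(log_lines, trusted_cidrs):
    """Return source IPs that reached MGMT_PORT from outside every trusted range."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or int(m.group(2)) != MGMT_PORT:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in t for t in trusted):   # "in" is False across versions
            hits.append(str(ip))
    return hits


# Constructed sample data (not from the advisory): admin jump subnet plus a
# catch-all rule that exposes the web UI to the whole internet.
TRUSTED = ["10.0.50.0/24", "192.168.100.0/24"]
SAMPLE_RULES = [Rule("allow", "10.0.50.0/24", 443),
                Rule("allow", "0.0.0.0/0", 443),
                Rule("allow", "0.0.0.0/0", 22)]
SAMPLE_LOG = ["2026-01-26T03:14:07Z src=10.0.50.12 dst_port=443",
              "2026-01-26T03:14:09Z src=203.0.113.45 dst_port=443",
              "2026-01-26T03:15:01Z src=203.0.113.45 dst_port=22"]
```

Running `exposed_sources(SAMPLE_RULES, TRUSTED)` reports the `0.0.0.0/0` rule on the management port, and `untrusted_mgmt_hits(SAMPLE_LOG, TRUSTED)` returns the single outside address that reached the web UI; the SSH entries are out of scope and ignored.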
Common homelab stacks that run Cisco FMC software are directly affected if they expose the management interface. Configuration files such as 'fmc-config.xml' and network settings in '/etc/network/interfaces' could be affected and should be included in the audit.