What Happened
Interlock, an active ransomware operation targeting enterprise organisations, began exploiting an unpatched zero-day vulnerability in Cisco's Firepower Management Center (FMC) on 26 January 2026. Cisco disclosed and patched the vulnerability, CVE-2026-20131, on 4 March, 36 days later. During that window, organisations running FMC with network-accessible management interfaces were targeted with no remediation available.
The vulnerability allows unauthenticated attackers to send a malicious request to the FMC management interface and gain root-level code execution, the highest privilege level on the system. Cisco FMC is the central management platform for Cisco Secure Firewall (Firepower) appliances, used by thousands of enterprise and government networks to manage perimeter security.
Business Impact
The FMC controls your firewall enforcement layer. An attacker with root access to FMC can read, modify, and delete your organisation's complete firewall rule set, segmentation policy, and VPN configuration. In practical terms:
- An attacker can remove firewall rules that block lateral movement, pivot access, or data exfiltration, silently and at the management layer, before executing their primary attack
- All site-to-site and remote-access VPN configuration is accessible (pre-shared keys, certificates, and tunnel definitions), enabling the attacker to impersonate authorised remote connections
- Every network segment protected by Firepower sensors is visible and manageable from a compromised FMC; a single appliance compromise potentially provides access to the entire network security architecture
Interlock has been observed using this initial access to disable security controls before deploying ransomware, maximising encryption impact by eliminating the controls that might detect or block the deployment phase.
Regulatory Implications
Under NIS2 (EU), ISO 27001, and NIST CSF frameworks, organisations have obligations to apply security patches promptly. Zero-day exploitation before a patch is available is not a patch-management failure, but failing to restrict management interface access to private networks is a control gap that amplified exposure. Competent authorities may scrutinise network architecture controls when reviewing incidents arising from exploited management-plane access.
Board-Ready Summary
- Ransomware operators had a month-long window to gain silent root access to enterprise firewall management platforms. Cisco has now patched the vulnerability, but organisations that ran FMC with accessible management interfaces during February should assume potential compromise.
- Compromising the firewall management plane is qualitatively different from compromising a server. The attacker gains the ability to silently disable your network security controls before executing their ransomware campaign.
- Immediate action is required: patch, audit logs for the February window, verify firewall policy integrity, and rotate VPN credentials.
Recommended Actions
- Patch Cisco FMC immediately per advisory SA-FMC-2026-0001 if not already completed
- Isolate the FMC management interface on a dedicated management network with no internet exposure; this is the single most impactful architectural control
- Conduct a forensic audit of FMC activity from 26 January to 4 March: review all policy changes, new user accounts, and unusual API activity
- Verify firewall policy integrity by comparing current configurations against documented change records
- Rotate all VPN credentials (pre-shared keys and certificates) managed through the FMC as a precautionary measure
- Brief your CISO and security operations team on this incident; if FMC was exposed and unpatched during February, treat it as a presumed compromise pending investigation
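The forensic audit and policy-integrity steps above (review the exposure window for policy changes, new accounts and unusual activity, then compare the current rule set against documented change records) can be driven from exported data. The script below is an added example written for this briefing; it is not Cisco tooling and does not use the FMC API. It assumes the FMC audit trail has been exported to JSON Lines with "timestamp", "user", "action" and "target" fields (the real export format differs, so map its fields into this shape first), that policy snapshots are lists of rule dicts with a stable "id", and that approved changes are tracked as a set of rule names. All action names, rule names, accounts and log lines are constructed for the example.

```python
"""
Exposure-window audit helper for a firewall management platform.

Added example, not Cisco's tooling.  Labelled assumptions:
  - FMC audit records exported as JSON Lines with "timestamp" (ISO 8601),
    "user", "action", "target"; the real export must be mapped to this shape
  - policy snapshots are lists of rule dicts with a stable "id" field
  - documented change records are a set of rule names with an approved ticket
"""
from __future__ import annotations

import json
from datetime import datetime, timezone

# Window from the advisory: first observed exploitation to patch release.
WINDOW_START = datetime(2026, 1, 26, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 4, 23, 59, 59, tzinfo=timezone.utc)

# Audit actions worth review inside the window (constructed action names).
REVIEW_ACTIONS = {
    "user.create", "user.role.change", "api.token.create",
    "policy.rule.delete", "policy.rule.modify", "policy.deploy",
    "vpn.psk.read", "vpn.cert.export",
}

# Constructed sample audit export; not real FMC log lines.
SAMPLE_AUDIT_LOG = """\
{"timestamp": "2026-01-20T09:12:00Z", "user": "netops", "action": "policy.deploy", "target": "ACP-Prod"}
{"timestamp": "2026-02-03T02:41:17Z", "user": "admin", "action": "user.create", "target": "svc_backup"}
{"timestamp": "2026-02-03T02:44:05Z", "user": "svc_backup", "action": "policy.rule.delete", "target": "Block-Lateral-SMB"}
{"timestamp": "2026-02-03T02:45:30Z", "user": "svc_backup", "action": "policy.deploy", "target": "ACP-Prod"}
{"timestamp": "2026-03-10T11:00:00Z", "user": "netops", "action": "policy.rule.modify", "target": "Allow-DNS"}
"""

# Constructed policy snapshots: the documented baseline and what FMC holds now.
BASELINE_RULES = [
    {"id": "r1", "name": "Block-Lateral-SMB", "action": "BLOCK", "dst_port": 445},
    {"id": "r2", "name": "Allow-DNS", "action": "ALLOW", "dst_port": 53},
    {"id": "r3", "name": "Deny-All", "action": "BLOCK", "dst_port": "any"},
]
CURRENT_RULES = [
    {"id": "r2", "name": "Allow-DNS", "action": "ALLOW", "dst_port": 53, "log": True},
    {"id": "r3", "name": "Deny-All", "action": "BLOCK", "dst_port": "any"},
    {"id": "r4", "name": "Allow-RDP-Any", "action": "ALLOW", "dst_port": 3389},
]
# Rule names with an approved change record (constructed; ticket ids omitted).
DOCUMENTED_CHANGES = {"Allow-DNS"}


def load_audit(text: str) -> list[dict]:
    """Parse JSON Lines into records, adding an aware datetime under "ts"."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def events_to_review(records: list[dict], start=WINDOW_START, end=WINDOW_END) -> list[dict]:
    """Audit events inside the exposure window whose action is on the review list."""
    return [r for r in records if start <= r["ts"] <= end and r["action"] in REVIEW_ACTIONS]


def diff_rules(baseline: list[dict], current: list[dict]) -> dict[str, list[str]]:
    """Compare two rule snapshots by rule id; return names of removed, added and changed rules."""
    base = {r["id"]: r for r in baseline}
    cur = {r["id"]: r for r in current}
    removed = sorted(base[i]["name"] for i in base.keys() - cur.keys())
    added = sorted(cur[i]["name"] for i in cur.keys() - base.keys())
    changed = sorted(cur[i]["name"] for i in base.keys() & cur.keys() if base[i] != cur[i])
    return {"removed": removed, "added": added, "changed": changed}


def undocumented_changes(diff: dict[str, list[str]], documented: set[str]) -> list[str]:
    """Rules that differ from the baseline but have no matching change record."""
    touched = diff["removed"] + diff["added"] + diff["changed"]
    return sorted(name for name in touched if name not in documented)


def build_report(audit_text: str, baseline: list[dict], current: list[dict], documented: set[str]) -> dict:
    """Combine window events, new accounts and policy drift into one review package."""
    events = events_to_review(load_audit(audit_text))
    diff = diff_rules(baseline, current)
    return {
        "window_events": [(e["timestamp"], e["user"], e["action"], e["target"]) for e in events],
        "new_accounts": sorted({e["target"] for e in events if e["action"] == "user.create"}),
        "rule_diff": diff,
        "undocumented": undocumented_changes(diff, documented),
    }


if __name__ == "__main__":
    report = build_report(SAMPLE_AUDIT_LOG, BASELINE_RULES, CURRENT_RULES, DOCUMENTED_CHANGES)
    print(json.dumps(report, indent=2, default=str))
```

On the constructed input the report flags the account created inside the window, the rule deletion and deployment performed by that account, and two policy changes with no change record (a removed block rule and an added permissive rule), while the documented DNS rule change is not raised. A real review would feed it the FMC audit export and the last known-good policy export, and treat every undocumented item as a finding until explained.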