Cisco FMC Got Owned for 36 Days Before Anyone Said Anything. We Found the Fake PoC in January.
- Patrick Duggan
- Apr 1
- 4 min read
Updated: Apr 25
On January 14, 2026, we found a fake Cisco Firepower Management Center proof-of-concept on GitHub. It wasn't a PoC. It was a webshell disguised as one — a Pattern 38 supply chain attack targeting security researchers who test vulnerabilities for a living. We published the findings. We reported the repo.
Twelve days later, on January 26, someone started exploiting the real Cisco FMC for real. Not a fake PoC. Not a webshell in a GitHub repo. A CVSS 10.0 unauthenticated remote code execution vulnerability in the web management interface of the product that manages your Cisco firewalls. CVE-2026-20131.
Cisco disclosed the vulnerability on March 4. That's 36 days of exploitation before anyone outside of Amazon's honeypot network knew it was happening.
The Vulnerability
CVE-2026-20131 is an insecure deserialization of user-supplied Java byte streams in the FMC web-based management interface. An unauthenticated, remote attacker sends a crafted HTTP request to a specific path. The FMC deserializes the payload. The attacker gets arbitrary Java code execution as root.
Root. On the device that manages your firewall rules, your IPS policies, your network visibility. The device that every SOC operator trusts implicitly.
CVSS 10.0. Maximum severity. No authentication required. Remote. Root.
The Timeline
January 14, 2026: We find a fake Cisco FMC PoC on GitHub — a webshell masquerading as a vulnerability test. Pattern 38 instance #4. We publish, we report.
January 26, 2026: Interlock ransomware operators begin exploiting CVE-2026-20131 in the wild. Amazon's MadPot global sensor network detects the activity. Nobody else does.
March 4, 2026: Cisco publicly discloses CVE-2026-20131 and releases patches. 36 days after exploitation began.
March 20, 2026: Amazon Web Services publishes the full attack chain analysis, confirming zero-day exploitation since January 26.
36 days. The security management console of the most widely deployed enterprise firewall in the world was being exploited for more than a month before the vendor acknowledged it existed.
The Attack Chain
The Interlock operators didn't stumble onto this. The attack chain is surgical:
1. Send crafted HTTP requests to the FMC web management interface
2. Exploit the Java deserialization flaw to execute code as root
3. Compromised FMC issues an HTTP PUT request to an external server — the "I'm in" beacon
4. Fetch an ELF binary from a remote server hosting additional Interlock tools
5. Pivot from the FMC into the network it manages — because the FMC has administrative access to every firewall in the environment
Step 5 is the kill shot. The FMC isn't just another server. It's the server that configures your network security. Owning the FMC means owning the firewall rules, the IPS signatures, the access policies. The attacker can disable protections, create backdoor rules, or simply watch everything the SOC sees — from the inside.
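Steps 3 and 4 of that chain are the ones a SOC can see from the FMC's own egress traffic. The script below is an added example (not from the post, not Cisco or Amazon tooling) that flags an outbound PUT and a binary fetch to a non-internal host from a known FMC management IP; the log format, the FMC host inventory and the sample lines are all constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample egress-proxy log (illustrative only, not from the post or any real network).
# Assumed field layout: <ts> <src_ip> <method> <url> <status> <bytes> <content_type>
SAMPLE_LOG = """\
2026-01-26T03:12:44Z 10.20.0.5 GET https://10.20.0.9/update/status 200 812 application/json
2026-01-26T03:13:01Z 10.20.0.5 PUT http://203.0.113.77/upload 200 41 text/plain
2026-01-26T03:13:09Z 10.20.0.5 GET http://203.0.113.77/tools/agent 200 1843200 application/octet-stream
2026-01-26T03:14:00Z 10.20.0.5 GET https://10.20.0.9/update/status 200 812 application/json
2026-01-26T03:15:30Z 10.20.0.44 PUT http://203.0.113.77/upload 200 41 text/plain
"""

FMC_HOSTS = {"10.20.0.5"}  # assumption: the SOC keeps an inventory of FMC management IPs

# RFC 1918, loopback and link-local: anything else is "external" for a management console.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(hostname: str) -> bool:
    """True for a public IP literal; a DNS name is also treated as external, because
    an FMC should not be resolving and talking to arbitrary names on the internet."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)

def parse(line: str) -> dict:
    ts, src, method, url, status, nbytes, ctype = line.split(maxsplit=6)
    return {"ts": ts, "src": src, "method": method, "url": url,
            "host": urlsplit(url).hostname or "", "ctype": ctype, "bytes": int(nbytes)}

def find_indicators(log_text: str, fmc_hosts=FMC_HOSTS) -> list:
    """Return (reason, timestamp, destination) tuples for the post-exploitation beacon
    (outbound PUT) and tool download (binary GET) when they originate from an FMC host."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        if e["src"] not in fmc_hosts or not is_external(e["host"]):
            continue
        if e["method"] == "PUT":
            findings.append(("fmc_outbound_put_beacon", e["ts"], e["host"]))
        elif e["method"] == "GET" and e["ctype"] == "application/octet-stream":
            findings.append(("fmc_binary_fetch", e["ts"], e["host"]))
    return findings

if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print(*f)
```

The same two rules map directly onto a SIEM query over proxy or NetFlow data; the point is that the source filter (FMC hosts only) is what keeps the alert volume near zero in a healthy environment.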
Interlock's Resume
Interlock isn't a newcomer. Their victim list reads like a healthcare and government directory:
DaVita — dialysis provider, 2,700+ centers, 200,000+ patients
Kettering Health — Ohio hospital network
Texas Tech University System — higher education
City of Saint Paul, Minnesota — our neighbor
Saint Paul. That's across the river. Interlock ransomware hit our own city using a Cisco zero-day that was burning for 36 days before anyone knew.
The Fake and the Real
In January, the fake PoC on GitHub was a trap for researchers. A webshell hidden in what looked like a Cisco FMC test script. Download it, run it on your lab, and you're compromised. We caught it because we hunt GitHub for exactly this pattern — malware masquerading as security tools.
In January, the real exploit was being used against production FMC deployments. No fake. No bait. Just a root shell on your firewall manager.
Both attacks target the same product. Both exploit the trust security professionals place in their tools. The fake PoC targets researchers who test vulnerabilities. The real zero-day targets enterprises who deploy the product. Different vectors, same thesis: Cisco FMC is an attack surface, not just a security tool.
Who Found It
Not Cisco. Amazon.
Amazon's MadPot honeypot network — a global sensor deployment that mimics vulnerable services to attract and analyze real attacks — detected the exploitation. Amazon's threat intelligence team traced it to Interlock, mapped the attack chain, and published the analysis.
The vendor whose product was burning didn't find it. A cloud provider's honeypot did. That's the state of vulnerability disclosure in 2026.
What This Means
This is the third post in three days about security tools becoming attack vectors.
Monday: CrowdStrike, Microsoft Intune, and Aqua Trivy — endpoint agents, MDM platforms, and CI/CD scanners weaponized against their users.
Tuesday: TeamPCP chaining supply chain attacks through Trivy, LiteLLM, and Telnyx — each compromise funding the next.
Wednesday: Cisco FMC — the firewall management console itself, exploited for 36 days, hitting hospitals and cities.
The pattern is clear. The tools that security teams trust most are the tools attackers target first. Not because those tools are poorly built, but because they have the deepest access. A kernel-level agent. An MDM with remote wipe authority. A firewall management console with root access to every network policy.
Trust and access. The two things attackers want most. The two things security products are designed to provide.
IOCs
Interlock infrastructure and CVE-2026-20131 exploitation indicators are indexed in our STIX feed. If you're a consumer, they're already in your next pull.
Check your FMC version. Patch to the latest. Audit who has network access to the management interface — it should not be reachable from the internet. Ever.
DugganUSA found the fake Cisco FMC PoC on GitHub in January (Pattern 38 instance #4). Amazon found the real exploitation in January. Cisco disclosed in March. Interlock hit Saint Paul in between.
We don't sell firewall management. We sell the intelligence that tells you when your firewall management is the problem.
The cheapest, fastest, most accurate threat feed on the internet.
275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor’s sales demo.