Cisco FMC zero‑day abused
A zero‑day in Cisco Secure Firewall Management Center (CVE‑2026‑20131) was actively exploited for weeks to deploy Interlock ransomware. The flaw lets an unauthenticated remote attacker execute Java code as root, and the campaign hit cloud‑connected enterprises during a long disclosure window. Amazon’s CISO confirmed active abuse, underscoring that network management platforms are high‑value targets for ransomware operations. (cybersecuritynews.com)
Amazon’s MadPot global sensor network recorded exploit activity starting on January 26, 2026 — a full 36 days before Cisco’s March 4, 2026 advisory — indicating the operations predated public disclosure by over a month. (aws.amazon.com)

Cisco’s advisory was first published March 4 and updated March 18, assigns a CVSS base score of 10.0, attributes the root cause to insecure deserialization (CWE‑502), and explicitly states there are no workarounds to fully mitigate the issue. (sec.cloudapps.cisco.com)

Amazon investigators found a misconfigured attacker staging server that exposed Interlock’s operational toolkit, giving visibility into bespoke JavaScript/Java remote access trojans and PowerShell reconnaissance scripts used during intrusions. (aws.amazon.com) Telemetry from the investigation shows attackers sent crafted HTTP requests containing Java payloads, used embedded URLs to deliver configuration, validated compromise via HTTP PUT uploads, and then fetched ELF binaries and Linux reverse‑proxy scripts to continue post‑exploitation. (aws.amazon.com)

The campaign combined custom implants with legitimate or open‑source tools — notably ConnectWise ScreenConnect for remote access, the Volatility memory‑forensics framework, and Certify for AD CS exploitation — to maintain persistence and perform detailed host enumeration. (cybersecuritynews.com)

Amazon shared the intelligence with Cisco during the investigation and reported that no AWS infrastructure or customer workloads were observed to be involved in the campaign during their analysis. (aws.amazon.com) Cisco’s advisory lists fixed software releases for Secure FMC and clarifies that Cisco Security Cloud (SCC) Firewall Management (SaaS) is upgraded by Cisco, while urging immediate upgrades to the indicated fixed releases to remediate exposed instances. (sec.cloudapps.cisco.com)
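The request sequence Amazon’s telemetry describes (crafted requests carrying Java payloads, HTTP PUT uploads to confirm compromise, then outbound fetches of ELF binaries) can be turned into a defender‑side correlation check. The script below is an added example, not code from Cisco, Amazon, or the write‑up. It assumes the Java payloads are standard Java serialization streams (the advisory cites CWE‑502 but the page does not state the encoding), that the management host’s web log exposes request bodies as base64 and its egress log exposes the first bytes of downloaded content as hex, and every IP, URL, path and timestamp in the sample records is a constructed placeholder rather than a Cisco FMC endpoint or a published indicator.

```python
"""
Added detection example (not Cisco's, Amazon's, or code from the page).
It scores the request sequence the write-up describes against constructed
log records: inbound requests to a firewall-management host whose bodies
begin with the Java serialization header, HTTP PUT uploads from the same
source, and follow-on outbound downloads of ELF binaries by that host.
All paths, IPs, hostnames and timestamps are placeholders, not Cisco FMC
endpoints or published indicators.
"""
import base64
import json
from collections import defaultdict
from datetime import datetime, timedelta

JAVA_STREAM_MAGIC = bytes.fromhex("aced0005")  # header of a Java serialization stream
ELF_MAGIC = b"\x7fELF"                          # header of a Linux ELF executable


def looks_like_java_serialization(body: bytes) -> bool:
    """True if the body starts with the Java stream header, raw or base64-encoded.

    Assumption: the "Java payloads" in the write-up are standard serialized
    objects (the advisory cites CWE-502); the page does not state the encoding.
    """
    if body.startswith(JAVA_STREAM_MAGIC):
        return True
    head = body.strip()[:8]  # base64 of 0xACED0005 begins with "rO0AB"
    if head.startswith(b"rO0AB"):
        try:
            padded = head + b"=" * (-len(head) % 4)
            return base64.b64decode(padded).startswith(JAVA_STREAM_MAGIC)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
    return False


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def analyze(inbound, egress, window=timedelta(hours=2)):
    """Correlate per-source inbound findings with the host's outbound ELF fetches
    inside `window` after the first suspicious request from that source.
    Returns one alert dict per source address that triggered anything."""
    hits_by_src = defaultdict(set)
    first_seen = {}
    for r in inbound:
        body = base64.b64decode(r["body_b64"]) if r.get("body_b64") else b""
        hits = set()
        if looks_like_java_serialization(body):
            hits.add("java_serialized_body")
        if r["method"] == "PUT":
            hits.add("http_put_upload")
        if hits:
            ts = parse_ts(r["ts"])
            hits_by_src[r["src"]] |= hits
            first_seen[r["src"]] = min(first_seen.get(r["src"], ts), ts)
    alerts = []
    for src, hits in hits_by_src.items():
        start = first_seen[src]
        elf_urls = [e["url"] for e in egress
                    if bytes.fromhex(e["magic"]) == ELF_MAGIC
                    and start <= parse_ts(e["ts"]) <= start + window]
        if elf_urls:
            hits.add("outbound_elf_fetch")
        # Assumed severity rule: deserialization payload plus a binary download is "high".
        severity = "high" if {"java_serialized_body", "outbound_elf_fetch"} <= hits else "medium"
        alerts.append({"src": src, "indicators": sorted(hits),
                       "elf_urls": elf_urls, "severity": severity})
    return sorted(alerts, key=lambda a: a["src"])


def b64_text(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed inbound web-log records; the date mirrors the Jan 26 start Amazon reported.
SAMPLE_INBOUND = [
    {"ts": "2026-01-26T03:10:05Z", "src": "203.0.113.7", "method": "POST",
     "path": "/placeholder/endpoint", "status": 200,
     "body_b64": b64_text(JAVA_STREAM_MAGIC + b"constructed-placeholder")},
    {"ts": "2026-01-26T03:11:40Z", "src": "203.0.113.7", "method": "PUT",
     "path": "/placeholder/upload", "status": 201,
     "body_b64": b64_text(b"probe-marker")},
    {"ts": "2026-01-26T09:00:00Z", "src": "198.51.100.20", "method": "GET",
     "path": "/login", "status": 200},
    {"ts": "2026-01-26T09:05:00Z", "src": "198.51.100.20", "method": "POST",
     "path": "/login", "status": 302,
     "body_b64": b64_text(b"user=operator&token=REDACTED")},
]
# Constructed egress records for the management host itself; "magic" holds the
# first bytes of the downloaded content as hex.
SAMPLE_EGRESS = [
    {"ts": "2026-01-26T03:14:02Z", "url": "http://staging.example.invalid/agent",
     "magic": ELF_MAGIC.hex()},
    {"ts": "2026-01-26T12:00:00Z", "url": "https://updates.example.invalid/feed",
     "magic": "3c3f786d"},  # "<?xm": an XML feed, not a binary
]

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_INBOUND, SAMPLE_EGRESS), indent=2))
```

Run directly, it prints one high‑severity alert for the source that sent a serialized Java body, followed with a PUT, and was followed within two hours by the host pulling an ELF file; the benign login traffic from the second address produces nothing. The two‑hour window and the severity rule are assumptions to tune, and because the advisory states there is no workaround, a hit here is a trigger to isolate and upgrade the appliance to a fixed release rather than something to filter at the request level.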