Overview
- The flaw in Cisco Secure Firewall Management Center and Security Cloud Control allows unauthenticated remote code execution as root via insecure Java deserialization, earning a CVSS 10.0 rating.
- Cisco released fixes on March 4 and updated its advisory to confirm in-the-wild exploitation, urging customers to upgrade immediately.
- Amazon’s MadPot honeypots logged exploit traffic and revealed a misconfigured Interlock server that exposed the Interlock group’s toolkit and indicators of compromise, which are now available to defenders.
- Exposed tools include PowerShell reconnaissance scripts, custom JavaScript and Java remote-access trojans, a memory-resident web shell, HAProxy-based proxying with aggressive log wiping, and ConnectWise ScreenConnect for persistence.
- CISA added the bug to its Known Exploited Vulnerabilities catalog with a March 22 remediation deadline for federal agencies, and Cisco advises keeping the FMC management interface off the public internet to reduce risk.
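The root cause named above is insecure Java deserialization, the class of bug in which an attacker-controlled byte stream is handed to `ObjectInputStream.readObject()` and arbitrary classes get instantiated. The standard hardening for this class of flaw is a deserialization filter that allowlists the exact types the application expects. The following is an added, general-purpose illustration of that mitigation written for this summary; it is not Cisco’s code and says nothing about how the FMC flaw itself is structured. The allowlisted class names, the depth and reference limits, and the sample payloads are all assumptions constructed for the example.

```java
import java.io.*;
import java.util.Set;

public class SafeDeserialization {
    // Assumed allowlist: the only types this hypothetical application expects on the wire.
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.String", "java.lang.Integer", "java.lang.Number", "java.util.HashMap"
    );

    // Wraps an ObjectInputStream with a filter that rejects any class not on the allowlist
    // and caps nesting depth and reference count to blunt resource-exhaustion payloads.
    // Requires Java 9+ (java.io.ObjectInputFilter).
    static ObjectInputStream filteredStream(InputStream in) throws IOException {
        ObjectInputStream ois = new ObjectInputStream(in);
        ObjectInputFilter filter = info -> {
            if (info.depth() > 10 || info.references() > 1000) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> clazz = info.serialClass();
            if (clazz == null) {
                // No class to judge (e.g. an array-length or size check): leave to other checks.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            // For arrays, judge the element type rather than the array type.
            while (clazz.isArray()) {
                clazz = clazz.getComponentType();
            }
            if (clazz.isPrimitive()) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            return ALLOWED.contains(clazz.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
        };
        ois.setObjectInputFilter(filter);
        return ois;
    }

    // Helper to produce serialized bytes for the demonstration below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected payload type: the filter lets it through.
        Object ok = filteredStream(new ByteArrayInputStream(serialize("hello"))).readObject();
        System.out.println("accepted: " + ok);

        // Unexpected type (a plain java.util.Date, constructed here as a stand-in for anything
        // not on the allowlist): readObject() aborts with InvalidClassException before the
        // object is materialized.
        try {
            filteredStream(new ByteArrayInputStream(serialize(new java.util.Date()))).readObject();
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two design points matter for defenders reviewing their own Java services. First, the filter is an allowlist, not a blocklist: denylisting known gadget classes has repeatedly been bypassed, whereas enumerating the handful of types a given endpoint legitimately accepts is tractable and fails closed. Second, the same filter can be installed process-wide via the `jdk.serialFilter` system property or `ObjectInputFilter.Config.setSerialFilter`, which is the right choice when the code path that calls `readObject()` is buried in a third-party library you cannot modify. Neither step substitutes for applying the vendor fix on the affected appliances or for keeping the management interface off the public internet, as the advisory recommends.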