Interlock Ransomware Exploited Cisco FMC Flaw 36 Days Before Disclosure
Interlock ransomware operators weaponized Cisco Secure Firewall Management Center CVE-2026-20131 as a zero-day since January 26, gaining root access to enterprise networks.
The Interlock ransomware operation exploited a critical Cisco vulnerability for more than a month before it was publicly disclosed, giving attackers a significant head start against defenders who had no idea the flaw existed.
Amazon's MadPot global sensor network first detected exploitation of CVE-2026-20131 on January 26, 2026. Cisco didn't publish the advisory until March 4, meaning Interlock operators had 36 days of unrestricted access to vulnerable Secure Firewall Management Center (FMC) deployments before organizations even knew to patch.
What Makes This Vulnerability So Dangerous
CVE-2026-20131 carries a maximum CVSS score of 10.0. The flaw stems from insecure deserialization of user-supplied Java byte streams, allowing an unauthenticated remote attacker to bypass authentication entirely and execute arbitrary code with root privileges.
No credentials required. No user interaction needed. Just a crafted HTTP request to a specific endpoint, and attackers own the box.
The attack chain works like this: Interlock sends malicious HTTP requests to the FMC software. When the server attempts to process the serialized Java data, it triggers code execution. The compromised system then issues an HTTP PUT request to an external server, confirming successful exploitation. From there, the attackers fetch additional tools, including JavaScript- and Java-based RATs and PowerShell reconnaissance scripts, and eventually deploy ransomware.
Interlock's Growing Arsenal
According to Amazon's threat intelligence team, an operational security mistake exposed the full toolkit Interlock deploys post-exploitation:
- PowerShell scripts for Windows environment reconnaissance, harvesting OS details, running services, user files, and browser artifacts
- JavaScript and Java RATs providing interactive shells, bidirectional file transfer, and SOCKS5 proxy capabilities
- Bash scripts configuring Linux HTTP reverse proxies with fail2ban and HAProxy
- Memory-resident web shells that decrypt and execute encrypted command payloads
- ConnectWise ScreenConnect for persistent remote access
- The Volatility memory forensics framework
The breadth of tooling suggests a mature operation with dedicated development resources. Evidence points to operators working in the UTC+3 timezone.
Who Is Interlock?
Interlock emerged in September 2024 and has steadily built a reputation for targeting high-value organizations. The group previously deployed a remote access trojan called NodeSnake against multiple U.K. universities and has been linked to ClickFix social engineering campaigns that trick users into running malicious commands.
Recent victims include DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul, Minnesota. Their operations show clear connections to AI-assisted malware development we reported earlier this month.
Cisco's Firewall Problems Compound
This marks another entry in Cisco's difficult 2026 for firewall security. Earlier this year, we covered critical SD-WAN vulnerabilities being actively exploited, and Cisco has faced ongoing scrutiny over its network appliance security posture.
CVE-2026-20131 affects Cisco Secure Firewall Management Center software specifically. The related CVE-2026-20079, also carrying a CVSS 10.0 score, compounds the risk for organizations running these deployments.
Immediate Actions Required
Security teams should treat this as a critical incident requiring immediate response:
- Patch now - Apply Cisco's security update immediately for all FMC installations
- Hunt for compromise - Review logs from January 26 onward for suspicious HTTP requests to FMC endpoints
- Audit ScreenConnect - Check for unauthorized ConnectWise installations that may indicate post-exploitation activity
- Segment aggressively - If patching requires a maintenance window, isolate FMC systems from broader network access
Organizations running on-premises Cisco Secure Firewall Management Center should assume they were targeted during the 36-day exposure window and conduct forensic investigation accordingly.
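As an added example (not from the article or from Amazon's report), here is a small Python hunt over constructed HTTP log lines that applies the attack chain described above to the log review step: it flags inbound request bodies that begin with the Java serialization header, and an FMC host issuing a PUT to an external address on or after January 26. The log layout, the internal address ranges and the endpoint path are assumptions.

```python
import base64
import ipaddress
import re
from datetime import date
# Every Java object stream starts with 0xACED0005; a body starting this way is serialized Java.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# First observed exploitation date reported by Amazon MadPot (from the article).
EXPOSURE_START = date(2026, 1, 26)
# Assumed internal address space: the FMC lives here and should not PUT to the outside.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed (constructed) log layout, one request per line:
#   <ISO timestamp> <src ip> -> <dst ip> <METHOD> <path> body=<base64 of body prefix>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ (?P<src>\S+) -> (?P<dst>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) body=(?P<body>\S*)$"
)

def body_bytes(b64):
    # Decode the logged body prefix, tolerating stripped padding; junk decodes to b"".
    try:
        return base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    except ValueError:
        return b""
def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify(line):
    """Label one log line with a finding, or return None if benign or outside the window."""
    m = LOG_RE.match(line)
    if not m or date.fromisoformat(m["ts"]) < EXPOSURE_START:
        return None
    if body_bytes(m["body"]).startswith(JAVA_SERIAL_MAGIC):
        return "serialized-java-in-request"   # inbound deserialization attempt
    if m["method"] == "PUT" and is_internal(m["src"]) and not is_internal(m["dst"]):
        return "outbound-put-to-external"     # the post-exploitation check-in
    return None

def hunt(lines):
    return [(l.split(" ", 1)[0], f) for l in lines if (f := classify(l))]

# Constructed sample log; /fmc-endpoint stands in for the endpoint the article does not name.
SAMPLE_LOG = [
    "2026-01-10T09:00:00Z 198.51.100.7 -> 10.0.0.5 POST /fmc-endpoint body=rO0ABXNyAA==",
    "2026-02-02T03:14:07Z 198.51.100.7 -> 10.0.0.5 POST /fmc-endpoint body=rO0ABXNyAA==",
    "2026-02-02T03:14:09Z 10.0.0.5 -> 203.0.113.9 PUT /c body=b2s=",
    "2026-02-02T03:20:00Z 10.0.0.8 -> 10.0.0.5 GET /login body=",
]
```

The first sample line is deliberately dated before the exposure window and is ignored; in a real hunt, widen the window if your retention or the vendor timeline changes.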
Why This Matters
Zero-day exploitation of security appliances represents the worst-case scenario for defenders. The devices meant to protect networks become the entry point. When ransomware gangs weaponize these flaws before vendors can issue patches, the traditional patch management approach fails entirely.
The shift toward targeting enterprise security infrastructure - firewalls, VPN appliances, management consoles - continues to accelerate. As we've seen with Fortinet and other vendors, these devices sit at network boundaries with privileged access, making them high-value targets for initial access brokers and ransomware operators alike.
For threat intelligence on suspicious IP indicators, security teams can use tools like PortSix to enrich their investigations.