Ransomware gang exploits Cisco flaw in zero-day attacks since January
Summary
The Interlock ransomware gang exploited a maximum-severity remote code execution vulnerability (CVE-2026-20131) in Cisco's Secure Firewall Management Center (FMC) as a zero-day for 36 days before it was patched. Amazon's threat intelligence team discovered that the gang had been using this flaw since late January 2026, gaining remote root access to unpatched enterprise firewall management systems.
Key Points
- Interlock ransomware exploited CVE-2026-20131 in Cisco Secure FMC starting January 26, 2026, more than a month before the March 4 patch release
- The vulnerability allows unauthenticated attackers to execute arbitrary Java code as root on unpatched Cisco firewall management systems
- Interlock has previously targeted major organizations including DaVita, Kettering Health, Texas Tech University System, and the city of Saint Paul
Takeaways
- Organizations using Cisco Secure FMC should immediately verify they have applied the March 4, 2026 patch to prevent exploitation
- Security teams should monitor for indicators of compromise on Cisco firewall infrastructure, particularly any unauthorized access or configuration changes since late January 2026
Topics: zero-day, ransomware, Cisco, RCE, vulnerability, enterprise security, firewall