
Cisco Firewall Zero-Day Exploited by Interlock Ransomware Weeks Before Patch


When Cisco published its semi-annual firewall security advisory on March 4, most organizations did what they were supposed to do: assessed the patch, triaged their risk, and got to work. For some of them, the damage was already done.

Amazon’s threat intelligence team has confirmed that the Interlock ransomware gang was exploiting CVE-2026-20131, a critical flaw in Cisco Secure Firewall Management Center (FMC) software, starting January 26 — a full 36 days before Cisco disclosed or patched it. When Cisco released the advisory, the company initially stated the vulnerability hadn’t been exploited in the wild. They’ve since updated that position.

What the Vulnerability Does

CVE-2026-20131 affects the web-based management interface of Cisco FMC and stems from insecure deserialization of a user-supplied Java byte stream. Unauthenticated remote attackers can exploit it by sending a crafted serialized Java object to the management interface, leading to arbitrary code execution with root-level privileges. It carries a CVSS score of 10.0, the maximum possible severity rating. No authentication required, full system access gained. Cisco has confirmed there are no effective workarounds, making patching the only reliable mitigation.
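The bug class Cisco describes, shown as an added illustration in generic Java that is not FMC's code: the vulnerable handler instantiates whatever classes a client-supplied stream names, while the hardened one restricts deserialization to an allow-listed type with an ObjectInputFilter (Java 9+). The StatusRequest type and the sample streams are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationDemo {
    // Hypothetical request type a management interface might legitimately accept.
    static final class StatusRequest implements Serializable {
        final String deviceId;
        StatusRequest(String deviceId) { this.deviceId = deviceId; }
    }

    // VULNERABLE: bytes come straight from an unauthenticated request body; readObject()
    // instantiates whatever classes the stream names, so a gadget chain present on the
    // classpath runs with the server's privileges before the caller ever sees the result.
    static Object unsafeDeserialize(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // HARDENED: an ObjectInputFilter (JEP 290, Java 9+) is consulted for every class before
    // it is resolved; allow-listed types pass, "!*" rejects all others, limits cap depth/size.
    static Object safeDeserialize(byte[] body) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "maxdepth=3;maxbytes=4096;DeserializationDemo$StatusRequest;java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(filter);
            return in.readObject(); // throws InvalidClassException for a rejected class
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new StatusRequest("fw-01"));
        // A harmless class outside the allow list stands in for an attacker-chosen type (constructed).
        byte[] unexpected = serialize(new java.util.ArrayList<>(java.util.List.of("x")));
        System.out.println("unsafe accepted: " + unsafeDeserialize(unexpected).getClass().getName());
        System.out.println("safe accepted:   " + ((StatusRequest) safeDeserialize(expected)).deviceId);
        try { safeDeserialize(unexpected); }
        catch (InvalidClassException e) { System.out.println("safe rejected: " + e.getMessage()); }
    }
}
```

The filter fires before any constructor or readObject hook of the rejected class runs, which is why it counts as a mitigation for this bug class in code you control; for FMC itself, Cisco states the patch is the only fix.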

It’s worth noting that Cisco Security Cloud Control is also affected by the flaw, while Cisco ASA and Firepower Threat Defense (FTD) configurations are not.


Who Is Interlock?

Interlock is not a new name. The group first surfaced in September 2024 and has since built a track record of targeting organizations where operational downtime creates maximum financial pressure: healthcare, education, local government, and critical infrastructure across North America and Europe.

Their attack history includes the dialysis giant DaVita, Kettering Health in Ohio, the Texas Tech University Health Sciences Center, and the city of St. Paul, Minnesota, where the attack was severe enough that the state governor called in the National Guard to assist with recovery. The group operates a double extortion model, exfiltrating data before encrypting it, then threatening to publish it on their leak site (“Worldwide Secrets Blog”) unless a ransom is paid. Their ransom notes also cite data protection regulations directly, adding the threat of regulatory penalties on top of everything else.

Unlike most ransomware operations, Interlock doesn’t use affiliates. They develop and operate their own malware, which has made them harder to track and has allowed them to iterate quickly. IBM X-Force researchers recently reported that Interlock has deployed a new malware strain, dubbed Slopoly, that appears to have been built with generative AI tools.

How the Attack Worked

Amazon’s researchers uncovered the exploitation details through a combination of honeypot data and a stroke of luck: Interlock had left an infrastructure server misconfigured, exposing their full operational toolkit to outside observation. That staging server revealed a highly organized attack chain broken down by individual target, including custom malware, reconnaissance scripts, and evasion techniques.

The initial exploitation involved crafted HTTP requests sent to vulnerable FMC systems, containing embedded Java code execution attempts and URLs designed to confirm successful compromise. Once inside, the group deployed a PowerShell-based reconnaissance script to enumerate the Windows environment, mapping hardware, network connections, and virtual machine details before compressing and exfiltrating the data.

For persistence, Interlock deployed custom remote access trojans built in both JavaScript and Java, alongside a memory-resident web shell and a lightweight network beacon. They also made use of legitimate tools including ConnectWise ScreenConnect for redundant remote access and the Volatility Framework for parsing memory dumps in search of sensitive data. Amazon researchers noted that Interlock operators appeared to work primarily in the UTC+3 timezone, consistent with Moscow and parts of the Middle East.

The Bigger Problem With Zero-Days

CVE-2026-20131 is the third Cisco vulnerability confirmed as exploited as a zero-day since the start of 2026 alone. It’s part of a broader pattern: ransomware groups and initial access brokers are increasingly targeting perimeter devices, VPNs, and firewall management interfaces as their entry points of choice, precisely because these systems are trusted, highly privileged, and often assumed to be secure.

The challenge zero-days expose is a real one. Even organizations with mature patch management programs can’t patch a vulnerability they don’t know exists, which is exactly why patching alone can’t be the whole strategy. Defense in depth matters because it provides layers of protection when any single control hasn’t yet been deployed or has already been bypassed. If an attacker gains initial access through a perimeter device, what they can do next depends heavily on what they find inside.


What to Do Now

If your organization runs Cisco Secure Firewall Management Center, the immediate priority is applying the patches from Cisco’s March 4 advisory. Cisco’s software checker can help identify the correct update for your FMC version.

Beyond patching, Amazon’s research team has recommended reviewing ScreenConnect deployments for unauthorized installations, conducting security assessments for signs of prior compromise, and searching logs for the indicators of compromise they’ve published. Because Interlock customizes their tooling per target, traditional file hash-based detection is largely unreliable here. Behavioral detection, memory-resident anomalies, and network reconnaissance patterns are more useful signals.

The broader takeaway is that perimeter controls can be bypassed, and what attackers find on the other side determines how far they get. Removing permanent local admin rights from endpoints is one of the more effective ways to limit that exposure. If a compromised account doesn’t carry local admin privileges, the scope of what malware can execute, install, or move through is significantly constrained. Admin By Request’s EPM solution handles this through just-in-time privilege elevation, granting users elevated access only when needed and only for specific tasks, with a full audit trail throughout.

Patching remains the foundation, but it can’t protect you during the window between exploitation and disclosure. Layered controls inside the network are what fill that gap.

About the Author:


Pocholo Legaspi

Pocholo Legaspi is a seasoned content marketer and SEO specialist with over nine years of experience crafting digital content that drives engagement and growth. With a background in tech and a Master’s in Business Informatics, he brings a data-driven approach to content strategy and storytelling.
