Interlock Ransomware Has Been Inside Your Cisco Firewall Since January

Interlock ransomware has been quietly exploiting a CVSS 10 zero-day in Cisco's Secure Firewall Management Center since January 26. That's nearly two months of active exploitation before most defenders had any idea the vulnerability existed.

AWS disclosed this yesterday. The detail that makes this unusual: AWS's security team got rare full visibility into Interlock's operational toolkit because the group left one of its own infrastructure servers misconfigured and exposed. AWS CISO CJ Moses described what they found inside.

The Vulnerability

CVE-2026-20131 is a remote code execution flaw in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software. CVSS score: 10 — the maximum. An unauthenticated remote attacker can execute arbitrary Java code as root on a vulnerable device. No credentials. No phishing. No foothold needed — your firewall management plane is the foothold.

Cisco has issued patches and confirmed attacks are still ongoing.

What Interlock's Toolkit Looks Like

Thanks to the misconfigured infrastructure server, AWS documented Interlock's full post-exploitation playbook:

Initial recon: A PowerShell script to map victim networks immediately after gaining access.

Persistence layer 1 — Custom RATs: Two remote access trojans, one written in JavaScript, one in Java. Not commodity tools. Custom-built.

Persistence layer 2 — Memory-resident webshell: A backdoor that intercepts HTTP requests entirely in memory, leaving no files on disk and evading most AV solutions.

Persistence layer 3 — ConnectWise ScreenConnect: Installed as a backup entry point. If they get discovered and their other access is burned, ScreenConnect keeps them in.

That's four separate persistence mechanisms from a single initial access vector. Defenders who find and close one of them may not know about the other three.

Who They're Targeting

Interlock has been documented going after US healthcare, IT services, and government organizations. These are exactly the verticals that run Cisco FMC at scale. A firewall management center is a high-value target — gain access there and you can see (and potentially modify) network policies across the entire environment.

What to Do Right Now

AWS laid out specific defensive actions. These aren't generic advice — they're based on what Interlock actually does once inside:

  1. Patch immediately. Apply Cisco's security update for CVE-2026-20131. This stops initial access.
  2. Hunt for existing compromise. The January start date means you may already be affected. Don't assume you're clean because you haven't seen ransomware yet — Interlock has been sitting quietly in victim environments for weeks before deploying.
  3. Audit ScreenConnect deployments. Flag any ConnectWise ScreenConnect instances you didn't explicitly authorize.
  4. Monitor for these specifics:
     - PowerShell scripts staging data to network shares using hostname-based directory structures
     - Java `ServletRequestListener` registrations in web application contexts
     - HAProxy installations with aggressive log deletion cron jobs (this is how they cover tracks)
     - Outbound TCP connections to high-numbered ports — AWS specifically called out port 45588
  5. Check your IoCs. AWS published a full indicator list in their write-up. Run it against your logs going back to late January.
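As an added illustration (not code from AWS, Cisco, or this article), here is a small Python hunt script that turns the four monitoring points above into regex rules and runs them over constructed sample log lines; the log field names, hostnames, paths and share names are assumptions about what a SIEM export might look like, not a real vendor format.

```python
import re
from typing import NamedTuple

class Hit(NamedTuple):
    rule: str
    line: str

# One regex per indicator from the guidance summarised above.
# Field names such as dport=, ScriptBlock: and "cron added:" are assumed
# log conventions for this example, not a real Cisco or AWS schema.
RULES = {
    # PowerShell staging to a share under a hostname-named directory
    "ps_hostname_share_staging": re.compile(
        r"Copy-Item.*-Destination\s+\\\\\S+\$env:COMPUTERNAME", re.IGNORECASE),
    # Java listener registration inside a web application context
    "servlet_request_listener": re.compile(r"\bServletRequestListener\b"),
    # cron entry that force-deletes HAProxy logs
    "haproxy_log_deletion_cron": re.compile(
        r"\bcron\b.*\brm\s+-\w*f\w*\s+\S*haproxy"),
    # outbound TCP to the port AWS called out
    "outbound_tcp_45588": re.compile(r"\bproto=tcp\b.*\bdport=45588\b"),
}

# Constructed sample lines: four true positives and one benign connection.
SAMPLE_LOGS = [
    "2026-02-03T04:12:09Z fw01 conn src=10.0.5.17 dst=203.0.113.44 proto=tcp dport=45588 action=allow",
    "2026-02-03T04:12:11Z fw01 conn src=10.0.5.18 dst=198.51.100.9 proto=tcp dport=443 action=allow",
    "2026-02-03T04:15:30Z fmc01 tomcat INFO registered class=com.example.Hook type=ServletRequestListener context=/",
    "2026-02-03T04:20:00Z fmc01 cron added: */5 * * * * root rm -f /var/log/haproxy*",
    "2026-02-03T04:25:44Z ws07 4104 ScriptBlock: Copy-Item C:\\Users\\*\\Documents -Destination \\\\fs01\\staging\\$env:COMPUTERNAME -Recurse",
]

def scan(lines):
    """Return a Hit for every (rule, line) pair that matches."""
    return [Hit(name, line) for line in lines
            for name, rx in RULES.items() if rx.search(line)]

def rule_counts(lines):
    """Per-rule hit counts, so a hunt can be triaged rule by rule."""
    counts = {name: 0 for name in RULES}
    for hit in scan(lines):
        counts[hit.rule] += 1
    return counts

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"[{hit.rule}] {hit.line}")
```

Feed it your own exported firewall, Tomcat, cron and PowerShell script-block logs instead of `SAMPLE_LOGS`, and widen the port rule if your environment's egress baseline allows it.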

The Zero-Day Window Problem

CJ Moses made a point worth sitting with: "When attackers exploit vulnerabilities before patches exist, even the most diligent patching programs can't protect you in that critical window."

That's the core issue here. Interlock had this zero-day for at least 53 days before public disclosure. Organizations with excellent patch management — 24-hour patch cycles, full coverage — were still exposed because the patch didn't exist.

This is why the specifics of Interlock's post-exploitation behavior matter more than just knowing the CVE. If you can't stop initial access, you need detection at every layer that follows it: memory-resident webshells, unexpected ScreenConnect installs, Java listeners in unusual contexts, log deletion patterns.

If you're running Cisco Secure Firewall Management Center, assume you need to investigate. Patch and hunt — in parallel.


*CybrPulse tracks security news across thousands of sources daily. This story was flagged as critical priority based on active exploitation, CVSS score, and threat actor activity.*
