Interlock Ransomware Has Been Exploiting a CVSS 10.0 Cisco Firewall Zero-Day Since January
If you're running Cisco Secure Firewall Management Center, stop reading this and go patch. Then come back.
CVE-2026-20131 is a perfect-score vulnerability — CVSS 10.0 — in Cisco's Firewall Management Center (FMC). Unauthenticated. Remote. Code execution as root. No credentials required, no interaction from the target, just a maliciously crafted serialized Java object sent to the web-based management interface and the attacker owns the box.
Cisco disclosed it publicly on February 19. Interlock was already using it on January 26.
That's a 36-day operational window before anyone outside the attack chain knew this existed.
What Interlock Got Into
The Interlock ransomware group isn't new, but they've been leveling up. This campaign demonstrates something more sophisticated than the typical ransomware playbook.
AWS researchers stumbled onto the group's full toolkit when an Interlock staging server was left misconfigured and exposed. That's an unusual gift for defenders — a rare window into a threat actor's complete operational methodology while an active campaign is running.
What they found inside:
Two custom RATs. One written in JavaScript using WebSocket communications with rotating RC4 encryption keys. A second in Java, deployed as a GlassFish-based backdoor for redundancy. These aren't commodity tools — Interlock built these to be persistent and resilient.
Memory-resident webshell. The webshell operates entirely in memory, decrypting command payloads at runtime. It intercepts HTTP requests without touching disk. Standard file-based endpoint detection sees nothing.
ConnectWise ScreenConnect. Legitimate remote access software deployed as a secondary persistence mechanism. If the custom tools get burned, ScreenConnect keeps the door open. It blends into enterprise environments because many organizations legitimately use it — exactly why attackers like it.
PowerShell reconnaissance. Post-exploitation starts with systematic Windows environment enumeration: hardware inventory, VM configurations, network connections. All compressed and exfiltrated before encryption begins.
Temporal analysis of attacker artifacts puts Interlock operators in the UTC+3 timezone. Confirmed targets include education, manufacturing, healthcare, and critical infrastructure sectors.
The Trust Inversion Problem
There's something particularly nasty about a firewall being the attack vector.
The whole purpose of FMC is to manage network security policy across your Cisco firewall estate. It sits at the control plane. Compromise it and you don't just get a foothold — you get visibility and control over the security architecture itself. Everything behind it is potentially exposed, and you may not realize it until Interlock has already exfiltrated everything worth ransoming.
Cisco ASA and FTD software are unaffected. But Cisco Security Cloud Control (SCC) is also confirmed vulnerable alongside FMC. Check your deployment.
The 36-day pre-disclosure window matters beyond this specific campaign. It means Interlock — and groups like them — are actively developing or acquiring zero-day capability for critical infrastructure products. This isn't opportunistic exploitation of a newly patched bug. This is an investment in operational advantage.
Interlock's Extortion Model
One tactical note worth flagging: Interlock has added a compliance threat to their ransom pressure. In addition to encryption and data publication, they're explicitly threatening victims with regulatory consequences — GDPR fines, HIPAA exposure, whatever fits the target's sector.
For organizations in healthcare or government already operating under tight regulatory scrutiny, that's a second clock ticking alongside the ransom demand. It's a calculated move that increases the likelihood of payment without any additional technical work.
What You Need to Do Right Now
1. Patch. There are no viable workarounds for CVE-2026-20131. The only mitigation is Cisco's official patch. Apply it immediately. Federal agencies are already operating under BOD 22-01 requirements; the private sector should treat the urgency the same way.
2. Hunt for existing compromise. If your FMC was internet-exposed or reachable from untrusted networks before patching, assume you may already be compromised. The 36-day window means some organizations were vulnerable before they knew the bug existed.
AWS published indicators of compromise. Hunt for:
- TCP connections to unusual high-numbered ports (e.g., 45588)
- HAProxy installations with aggressive log deletion cron jobs
- Java ServletRequestListener registrations you didn't put there
- ScreenConnect deployments that weren't authorized by your team
3. Review FMC exposure. Management interfaces for security infrastructure shouldn't be internet-facing. If your FMC is reachable from outside your organization, that's a remediation item independent of this CVE.
4. Check for ScreenConnect. If Interlock got in before you patched, they likely installed ScreenConnect as a persistence mechanism. Audit authorized remote access tools and revoke anything that wasn't explicitly deployed by your team.
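One way to sweep a host for the step-2 indicators above, as an added example that is neither AWS's published tooling nor Cisco's: it parses captured `ss -tan`, crontab and web.xml text, so it runs offline on saved evidence. The port is the one named above; the peer addresses, cron entry and listener class names are constructed samples.

```python
# Added example (not AWS/Cisco tooling): hunt the indicators above in captured
# `ss -tan`, crontab and web.xml text, so it runs offline on saved evidence.
import re

SUSPECT_PORTS = {45588}  # port called out in the published IoCs
CRON_WIPE_RE = re.compile(r"\b(rm|truncate|shred)\b[^#]*haproxy", re.I)
LISTENER_RE = re.compile(r"<listener-class>\s*([\w.$]+)\s*</listener-class>")

def suspicious_connections(ss_lines, suspect_ports=SUSPECT_PORTS):
    """(peer_host, port) for ESTAB sockets whose peer port is in the set."""
    hits = []
    for line in ss_lines:
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "ESTAB":
            host, _, port = parts[4].rpartition(":")  # peer address:port
            if port.isdigit() and int(port) in suspect_ports:
                hits.append((host, int(port)))
    return hits

def log_wiping_cron(cron_lines):
    """(entry, fires_every_few_minutes) for cron lines that delete HAProxy logs."""
    hits = []
    for line in (l.strip() for l in cron_lines):
        if line and not line.startswith("#") and CRON_WIPE_RE.search(line):
            minute = line.split()[0]  # '*' or '*/N' is the aggressive schedule
            hits.append((line, minute == "*" or minute.startswith("*/")))
    return hits

def unexpected_listeners(web_xml, allowlist):
    """<listener-class> entries in web.xml absent from the reviewer's allowlist."""
    return [c for c in LISTENER_RE.findall(web_xml) if c not in allowlist]

# Constructed sample captures: hosts, cron entry and class names are made up.
SAMPLE_SS = [
    "ESTAB  0      0      10.0.0.5:443        10.0.0.9:51322",
    "ESTAB  0      0      10.0.0.5:38844      203.0.113.7:45588",
]
SAMPLE_CRON = [
    "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf",
    "*/2 * * * * rm -f /var/log/haproxy*.log",
]
SAMPLE_WEB_XML = """<web-app>
<listener><listener-class>com.example.fmc.Startup</listener-class></listener>
<listener><listener-class>org.x.hidden.Hook</listener-class></listener></web-app>"""
def run_hunt():
    return {
        "connections": suspicious_connections(SAMPLE_SS),
        "cron": log_wiping_cron(SAMPLE_CRON),
        "listeners": unexpected_listeners(SAMPLE_WEB_XML, {"com.example.fmc.Startup"}),
    }
```

Every hit is a lead to verify against change records, not a verdict; a ScreenConnect process listed in `ps -ef` output can be checked the same way.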
CVE-2026-20131 is the kind of vulnerability that gets used for years after disclosure because patching security appliances is organizationally painful and often deprioritized. Interlock is already in the field with it. Patch now, hunt for compromise, and treat your security infrastructure's management plane as the high-value target it actually is.
*CybrPulse tracks vulnerability exploitation activity across thousands of security feeds daily. This post reflects data ingested March 19, 2026.*