Cisco Firewall Vulnerability Exploited as Zero-Day in Interlock Ransomware Attacks
Cisco's Secure Firewall Management Center (FMC) vulnerability CVE-2026-20131 has been actively exploited as a zero-day since late January by the Interlock ransomware group, despite being patched on March 4. Amazon's threat intelligence team discovered the exploitation through a misconfigured Interlock server and identified the attackers likely operate from Russia's UTC+3 timezone, targeting education, engineering, healthcare, and government sectors.
Summary
Cisco's Secure Firewall Management Center (FMC) vulnerability CVE-2026-20131 has been actively exploited as a zero-day since late January by the Interlock ransomware group, despite being patched on March 4. Amazon's threat intelligence team discovered the exploitation through a misconfigured Interlock server and identified the attackers likely operate from Russia's UTC+3 timezone, targeting education, engineering, healthcare, and government sectors.
Full text
A vulnerability patched earlier this month by Cisco in its firewalls has been exploited as a zero-day since at least late January, according to Amazon’s threat intelligence team. The vulnerability is tracked as CVE-2026-20131 and it affects the Secure Firewall Management Center (FMC) software. The availability of patches was announced on March 4, when Cisco patched dozens of other vulnerabilities in its FMC, ASA, and Secure FTD products. CVE-2026-20131 impacts the web-based management interface of FMC software and it can be exploited by a remote, unauthenticated attacker to execute arbitrary Java code with root privileges. Cisco noted at the time of disclosure that not exposing the FMC management interface to the internet reduces the vulnerability’s attack surface. [ Read: Only 4 Corporate Giants Still Silent on Oracle EBS Hack ] An investigation by Amazon researchers found evidence that the Interlock cybercrime group, known for several high-profile ransomware attacks, had exploited the vulnerability as a zero-day since at least January 26. Advertisement. Scroll to continue reading. Cisco updated its advisory for CVE-2026-20131 on Wednesday to inform customers about in-the-wild exploitation. The Amazon researchers came across a misconfigured infrastructure server used by the Interlock group, which enabled them to collect information on the threat actor’s attack chain, custom RATs, reconnaissance scripts, and evasion techniques. “Interlock has historically targeted specific sectors where operational disruption creates maximum pressure for payment,” Amazon noted. “Education represents the largest share of their activity, followed by engineering, architecture, and construction firms, manufacturing and industrial organizations, healthcare providers, and government and public sector entities.” An analysis of timestamps from threat activity, server artifacts, and embedded metadata indicates that the threat actor most likely operates in the UTC+3 time zone. The observed pattern shows initial daily activity around 08:30, peak operations between 12:00 and 18:00, and a consistent low-activity window from approximately 00:30 to 08:30. While Amazon has not named the country from where the cybercriminals appear to be operating, this temporal analysis suggests the hackers are likely based in Russia, with secondary possibilities in Belarus or select Middle Eastern countries. Amazon has shared indicators of compromise (IoCs) to help defenders detect and block Interlock ransomware attacks. Related: Cisco Patches High-Severity IOS XR Vulnerabilities Related: Recent Cisco Catalyst SD-WAN Vulnerability Now Widely Exploited Related: Cisco Warns of More Catalyst SD-WAN Flaws Exploited in the Wild Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Iranian Hackers Likely Used Malware-Stolen Credentials in Stryker BreachResearcher Discovers 4th WhatsApp View Once Bypass; Meta Won’t PatchUK Companies House Exposed Details of Millions of Firms Google, Meta, Microsoft Among Signatories of Pact to Combat ScamsOracle EBS Hack: Only 4 Corporate Giants Still Silent on Potential ImpactHacking Attempt Reported at Poland’s Nuclear Research CenterLoblaw Data Breach Impacts Customer InformationStarbucks Data Breach Impacts Employees Latest News The Collapse of Predictive Security in the Age of Machine-Speed AttacksAutonomous Offensive Security Firm XBOW Raises $120M at $1B+ ValuationCloud Security Startup Native Exits Stealth With $42 Million in Funding‘DarkSword’ iOS Exploit Kit Used by State-Sponsored Hackers, Spyware VendorsVirtual Summit Today: Supply Chain & Third-Party Risk SummitEU Sanctions Chinese, Iranian Firms Supporting Hacking OperationsShadow AI Risk: How SaaS Apps Are Quietly Enabling Massive BreachesManifold Raises $8 Million for AI Detection and Response Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveNudge Security has appointed Patrick Dillon as Chief Revenue Officer.Arctic Wolf has named Will May as its Chief Revenue Officer.Palo Alto Networks has named Danielle Gonzalez as its new Chief People Officer.More People On The MoveExpert Insights The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How to Eliminate the Technical Debt of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Flipboard Reddit Whatsapp Whatsapp Email
Indicators of Compromise
- cve — CVE-2026-20131
- malware — Interlock