Ransomware gang exploits Cisco flaw in zero-day attacks since January

The Interlock ransomware gang has been exploiting a maximum severity remote code execution (RCE) vulnerability in Cisco's Secure Firewall Management Center (FMC) software in zero-day attacks since late January.

Fixed Intel Team

Aggregated from BleepingComputer

This article was automatically aggregated from an external source. Content may be summarized.


Cisco patched the security flaw (CVE-2026-20131) on March 4, warning that it could allow unauthenticated attackers to remotely execute arbitrary Java code as root on unpatched devices.

"This vulnerability is due to insecure deserialization of a user-supplied Java byte stream," Cisco explained in an advisory published two weeks ago. "An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root."
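As an added illustration of the bug class Cisco describes (this is not Cisco's or FMC's code; the StatusRequest type and the filter pattern are assumptions), here is the unrestricted readObject() pattern beside the JEP 290 allowlist filter that rejects any class other than the one the endpoint expects:

```java
import java.io.*;
import java.util.HashMap;

public class DeserializationFilterDemo {

    // Hypothetical message type the management interface legitimately expects.
    static final class StatusRequest implements Serializable {
        final int deviceId;
        StatusRequest(int deviceId) { this.deviceId = deviceId; }
    }

    // Vulnerable pattern: readObject() on a caller-supplied byte stream with no class
    // restriction, so any serializable class on the classpath can be instantiated.
    static Object unsafeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened: a JEP 290 allowlist filter (Java 9+) admits only the expected class and
    // bounds stream depth and size; the trailing "!*" rejects everything not listed.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=3;maxbytes=4096;" + StatusRequest.class.getName() + ";!*");

    static Object safeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST); // must be set before the first readObject()
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the expected request, and an unrelated class (an empty
        // HashMap) standing in for anything else a stream might try to instantiate.
        byte[] expected = serialize(new StatusRequest(7));
        byte[] unexpected = serialize(new HashMap<String, String>());
        System.out.println("unsafe path instantiates: " + unsafeDeserialize(unexpected).getClass());
        System.out.println("filtered path accepts:    " + safeDeserialize(expected).getClass());
        try {
            safeDeserialize(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered path rejects HashMap: " + e.getMessage());
        }
    }
}
```

The same allowlist can be applied process-wide with the `jdk.serialFilter` system property, which is the usual first mitigation when an endpoint that deserializes untrusted input cannot be removed.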

While the company's advisory still says it has no evidence that the security vulnerability is being exploited in the wild, the Amazon threat intelligence team reported on Wednesday that the Interlock ransomware operation had been exploiting it in attacks targeting enterprise firewalls for more than a month before it was patched.

Amazon said it also shared its findings with Cisco "to help support their investigation and protect customers," but Cisco has yet to flag CVE-2026-20131 as actively exploited.

"While looking for any current or past exploits of this vulnerability, our research found that Interlock was exploiting this vulnerability 36 days before its public disclosure, beginning January 26, 2026," said CJ Moses, CISO of Amazon Integrated Security. "This wasn't just another vulnerability exploit; Interlock had a zero-day in their hands, giving them a week's head start to compromise organizations before defenders even knew to look."

A Cisco spokesperson was not immediately available for comment when BleepingComputer reached out earlier today.

Since the start of the year, Cisco has addressed several other security vulnerabilities that have been exploited in the wild as zero-days. For instance, in January, it fixed a maximum-severity Cisco AsyncOS zero-day that had been exploited to breach secure email appliances since November and patched a critical Unified Communications RCE that was also abused in zero-day attacks.

Last month, Cisco addressed another maximum-severity flaw that was abused as a zero-day to bypass Catalyst SD-WAN authentication, allowing attackers to compromise controllers and add malicious rogue peers to targeted networks.

The Interlock ransomware operation surfaced in September 2024 and has been linked to ClickFix and to malware attacks in which its operators deployed a remote access trojan called NodeSnake on the networks of multiple U.K. universities.

Interlock has also claimed responsibility for attacks on DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul, Minnesota. More recently, IBM X-Force researchers reported that Interlock operators have deployed a new malware strain dubbed Slopoly, likely created using generative AI tools.


Originally published by BleepingComputer
