Ransomware group exploited Cisco firewall vulnerability as a zero day, weeks before a patch appeared

One of the world’s most active ransomware groups, Interlock, started exploiting a critical-rated Cisco firewall vulnerability as a zero day weeks before it was patched in early March, Amazon has revealed.

The vulnerability in question is CVE-2026-20131, a remotely exploitable deserialization flaw in Cisco Secure Firewall Management Center (FMC) Software which was given a maximum 10 CVSS score.

When Cisco released a patch for it on March 4 as part of its semiannual firewall update, security teams would have known this needed to be applied urgently, alongside a fix for a second FMC vulnerability, CVE-2026-20079, with an identical severity rating.

However, Amazon’s discovery that Interlock started exploiting CVE-2026-20131 on January 26, around 38 days prior to the release of the patch, turns the issue from merely ‘urgent’ into something akin to a full-blown zero-day vulnerability patching emergency.

Attacker mistake

Amazon said it started searching for exploitation of CVE-2026-20131 after Cisco’s advisory, using the company’s MadPot global network, a honeypot system comprising thousands of sensors deployed throughout its AWS platform.

This quickly uncovered attacks dated weeks prior to the vulnerability being made public. “Observed activity involved HTTP requests to a specific path in the affected software,” said CJ Moses, CISO for Amazon Integrated Security, in a blog this week.

He added: “This wasn’t just another vulnerability exploit; Interlock had a zero-day in their hands, giving them a week’s head start to compromise organizations before defenders even knew to look.” He later clarified to CSO that the “week’s head start” he referred to was the gap between the date of the first exploit that Amazon’s later analysis had unearthed and Cisco’s discovery of the bug.

Amazon gained insight into the attacker’s infrastructure by using the honeypot to mimic a vulnerable firewall system. This resulted in an attack on the honeypot, which received a malicious binary from the attackers; it also revealed that the ransomware operation depended on a single server with a poorly secured staging area.

From this, researchers were able to analyze the group’s full attack chain, including Trojans, reconnaissance scripts, and evasion techniques.

Unlocking Interlock

According to Amazon, the tools and techniques connect the malware to Interlock, a ransomware actor that appeared in 2024, possibly as a ransomware-as-a-service (RaaS) offshoot of the notorious Rhysida group which was behind the hugely disruptive 2023 ransomware attack on The British Library.

“The ELF [Linux executable] binary and associated artifacts are attributable to the Interlock ransomware family based on convergent technical and operational indicators. The embedded ransom note and TOR negotiation portal are consistent with Interlock’s established branding and infrastructure,” said Amazon’s Moses.

In the past, Interlock had targeted sectors such as education, engineering, architecture, construction, manufacturing, and healthcare, as well as government and public sector entities, Moses said.

However, given that the group has been able to exploit a zero-day vulnerability in equipment as prevalent as Cisco firewalls for more than a month, any vulnerable organization might be at risk.

The ‘fundamental challenge’ of zero-day exploits

“The real story here isn’t just about one vulnerability or one ransomware group — it’s about the fundamental challenge zero-day exploits pose to every security model,” said Moses.

“When attackers exploit vulnerabilities before patches exist, even the most diligent patching programs can’t protect you in that critical window. This is precisely why defense in depth is essential.”

It’s still unclear how many victims Interlock might have compromised during the period it was able to exploit CVE-2026-20131 as a zero-day vulnerability, but they are likely to be numerous. The Amazon blog includes a list of IP addresses, malicious domains, and JA3 client fingerprint hashes that security teams can search for in logs as evidence of possible compromise.
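The log search described above, as an added example that is not from this article or from Amazon’s post: it scans connection records for indicator matches by destination or source IP, by domain (including subdomains), and by JA3 hash. The indicator values are placeholders (a documentation-range IP, a .invalid domain, a dummy JA3 hash) standing in for the real ones, and the JSON-per-line log format is an assumption.

```python
import json

# Placeholder indicators standing in for the real values in Amazon's post
# (constructed: documentation-range IP, .invalid domain, dummy JA3 hash).
IOC_IPS = {"203.0.113.10"}
IOC_DOMAINS = {"staging.example-c2.invalid"}
IOC_JA3 = {"ffffffffffffffffffffffffffffffff"}  # placeholder, not a real fingerprint

# Constructed sample log: one JSON record per connection (format is assumed).
SAMPLE_LOG = "\n".join([
    '{"ts":"2026-01-26T03:14:07Z","src_ip":"10.0.5.21","dst_ip":"203.0.113.10","sni":"","ja3":"1a2b3c"}',
    '{"ts":"2026-01-26T03:15:00Z","src_ip":"10.0.5.22","dst_ip":"198.51.100.7","sni":"update.vendor.example","ja3":"1a2b3c"}',
    '{"ts":"2026-01-27T11:02:44Z","src_ip":"10.0.5.21","dst_ip":"198.51.100.9","sni":"cdn.staging.example-c2.invalid","ja3":"ffffffffffffffffffffffffffffffff"}',
    'this line is corrupt and must not abort the scan',
    '{"ts":"2026-01-28T08:30:12Z","src_ip":"10.0.5.30","dst_ip":"198.51.100.12","sni":"mail.example","ja3":"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"}',
])


def parse_line(line):
    """Return the record as a dict, or None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None  # skip bad records instead of stopping the whole scan


def domain_matches(name, domains):
    """True if name equals an indicator domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def scan_log(text, ips=IOC_IPS, domains=IOC_DOMAINS, ja3s=IOC_JA3):
    """Return (line_number, indicator_type, value) for every record touching an IoC."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        rec = parse_line(raw)
        if rec is None:
            continue
        for field in ("src_ip", "dst_ip"):
            if rec.get(field) in ips:
                hits.append((n, "ip", rec[field]))
        sni = rec.get("sni") or ""
        if sni and domain_matches(sni, domains):
            hits.append((n, "domain", sni))
        ja3 = (rec.get("ja3") or "").lower()  # normalise case before comparing
        if ja3 in ja3s:
            hits.append((n, "ja3", ja3))
    return hits
```

Each hit carries the line number so an analyst can pull the full record for triage; a hit on a JA3 hash alone is weaker evidence than an IP or domain match, because fingerprints are shared across client software.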

The procedure for patching CVE-2026-20131, and the other 47 CVEs included in Cisco’s March 4 update, varies depending on the FMC software version installed. Cisco recommends using its software checker to determine the appropriate update.
