The Interlock ransomware gang has been exploiting a maximum severity remote code execution (RCE) vulnerability in Cisco's Secure Firewall Management Center (FMC) software in zero-day attacks since late January.
The Interlock ransomware operation surfaced in September 2024 and has been linked to ClickFix social-engineering campaigns and to malware attacks in which its operators deployed a remote access trojan called NodeSnake on the networks of multiple U.K. universities.
Interlock has also claimed responsibility for attacks on DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul, Minnesota. More recently, IBM X-Force researchers reported that Interlock operators have deployed a new malware strain dubbed Slopoly, likely created using generative AI tools.
Cisco patched the security flaw (CVE-2026-20131) on March 4, warning that it could allow unauthenticated attackers to remotely execute arbitrary Java code as root on unpatched devices.
The Amazon threat intelligence team reported on Wednesday that the Interlock ransomware operation had been exploiting the Secure FMC flaw in attacks targeting enterprise firewalls for more than a month before it was patched.
"While looking for any current or past exploits of this vulnerability, our research found that Interlock was exploiting this vulnerability 36 days before its public disclosure, beginning January 26, 2026," said CJ Moses, CISO of Amazon Integrated Security.
"This wasn't just another vulnerability exploit; Interlock had a zero-day in their hands, giving them a week's head start to compromise organizations before defenders even knew to look."
"On March 4, 2026, Cisco issued a security advisory disclosing a vulnerability in the web interface of Cisco Secure Firewall Management Center Software," Cisco told BleepingComputer on Wednesday in an email statement after publishing. "We appreciate Amazon's partnership on this, and we have updated our security advisory with the latest information. We strongly urge customers to upgrade as soon as possible and reference our security advisory for more details and guidance."
Since the start of the year, Cisco has addressed several other security vulnerabilities that have been exploited in the wild as zero-days. For instance, in January, it fixed a maximum-severity Cisco AsyncOS zero-day that had been exploited to breach secure email appliances since November and patched a critical Unified Communications RCE that was also abused in zero-day attacks.
Last month, Cisco addressed another maximum-severity flaw that was abused as a zero-day to bypass Catalyst SD-WAN authentication, allowing attackers to compromise controllers and add rogue peers to targeted networks.