Interlock Ransomware Exploited Cisco Firewall Zero-Day for 36 Days Before Anyone Knew

The Interlock ransomware group spent five weeks silently exploiting a maximum-severity flaw in Cisco's Secure Firewall Management Center before the vulnerability was publicly known — a window that let attackers gain root-level access to enterprise network infrastructure with no credentials required.

On March 4, 2026, Cisco published a security advisory for CVE-2026-20131, a critical remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC) Software. The advisory carried a CVSS score of 10.0 — the highest possible rating — and disclosed that no workarounds exist. By that date, the Interlock ransomware operation had already been exploiting this vulnerability as a zero-day for more than a month. Amazon's threat intelligence team, using data from its MadPot global sensor network, traced active exploitation back to January 26, 2026, a full 36 days before Cisco's public disclosure. The patch arrived. The damage was already underway.

What CVE-2026-20131 Is and Why It Scores a Perfect 10

CVE-2026-20131 lives in the web-based management interface of Cisco Secure Firewall Management Center Software. The root cause is insecure deserialization of a user-supplied Java byte stream — classified under CWE-502. What makes this particularly dangerous is not just the nature of the flaw but where it sits. FMC is the centralized control plane for Cisco's firewall ecosystem, responsible for managing Firepower Threat Defense (FTD) devices, applying security policies, processing intrusion detection data, and providing network-wide visibility. Cisco itself describes FMC as the nerve center of unified firewall and threat management. Compromising it means compromising every device under its control.

Exploitation requires no credentials and no user interaction. An attacker with network access to the management interface sends a specially crafted serialized Java object in an HTTP request. The application processes it without validating the class types being deserialized, allowing an attacker-controlled object graph to execute arbitrary commands on the underlying system. The result is remote code execution with root privileges. According to Cisco's advisory, the CVSS vector for this vulnerability includes a scope of "Changed" — meaning successful exploitation on the FMC itself can cascade outward to compromise Firewall Threat Defense devices managed by that FMC. The blast radius extends far beyond the initial foothold.

Cisco released the patch on March 4, 2026, alongside a companion vulnerability, CVE-2026-20079, which carries the same CVSS 10.0 rating and involves an authentication bypass via a misconfigured system process created at boot time. Both vulnerabilities affect all on-premises FMC software releases, including versions 6.4.0, 7.0.x through 7.7.x, and 10.0.0. Cloud-Delivered FMC is not affected. There are no configuration workarounds for either flaw — patching is the only remediation path.

Affected Versions

All on-premises Cisco Secure FMC Software releases are affected, including 6.4.0, 7.0.x, 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.6.x, 7.7.x, and 10.0.0. Cloud-Delivered FMC (cdFMC) is not affected. No workarounds exist. Upgrade to a fixed release immediately. Use the Cisco Security Advisory and the Cisco Software Checker to identify the correct fixed release for your deployment.

How Interlock Got There First: The 36-Day Head Start

Amazon's threat intelligence team disclosed the timeline on March 18, 2026, the same day this article was published. Using telemetry from MadPot — Amazon's global network of honeypot sensors — researchers identified exploitation attempts against the CVE-2026-20131 endpoint beginning January 26, 2026. The team linked the activity to Interlock through converging technical and operational indicators, including the embedded ransom note format and the TOR-based negotiation portal the group uses across its campaigns. Evidence also points to the threat actor operating within the UTC+3 time zone, with peak activity observed between 12:00 and 18:00 UTC+3 and a probable inactivity window from roughly 00:30 to 08:30.

A critical element of Amazon's investigation came from an unexpected gift: a misconfigured infrastructure server on the attacker's own staging environment was left openly accessible. This exposed Interlock's complete operational toolkit — custom remote access trojans, reconnaissance scripts, evasion utilities, and the ELF binary payload delivered to compromised hosts — providing researchers with visibility into the group's full attack chain rather than only the initial exploit traffic. According to Amazon's published analysis, the same server paths used to distribute tools to compromised hosts were also used to receive operational artifacts uploaded from those hosts, creating a bidirectional staging point that, once exposed, gave defenders a clear map of how the group operates post-exploitation.

"This wasn't just another vulnerability exploit — Interlock had a zero-day in their hands, giving them a week's head start to compromise organizations before defenders even knew to look." — CJ Moses, CISO of Amazon Integrated Security (AWS Security Blog, March 18, 2026)

The implication is direct: organizations running unpatched FMC instances with management interfaces reachable from the internet were exposed for five weeks with no patch available and no public knowledge of the threat. Even a security team that patches within hours of a vendor advisory — a standard considered excellent practice — would have been caught in this window. This is precisely the scenario that zero-day exploitation creates: the defender's entire detection and response model assumes a known threat surface, and a pre-disclosure exploit removes that assumption entirely.

Amazon shared its findings with Cisco to support the vendor's investigation prior to the March 4 patch release, a detail that underscores the cooperative disclosure process that preceded the public advisory. A Cisco spokesperson confirmed to The Register that the company updated its security advisory to reflect the exploitation data Amazon provided. The Dutch National Cyber Security Center, for its part, warned shortly after the patch release that it expected public proof-of-concept code and large-scale exploitation attempts in the near term — a warning that proved accurate given the active campaign already underway.

"The real story here isn't just about one vulnerability or one ransomware group — it's about the fundamental challenge zero-day exploits pose to every security model. When attackers exploit vulnerabilities before patches exist, even the most diligent patching programs can't protect you in that critical window." — CJ Moses, CISO of Amazon Integrated Security (AWS Security Blog, March 18, 2026)

[Figure: CVE-2026-20131 — Interlock Attack Chain. Stage 1: Java object sent via HTTP; Stage 2: insecure deserialization; Stage 3: root RCE on FMC; Stage 4: lateral movement and exfiltration; Stage 5: ransomware deployment.]
Caption: Interlock's CVE-2026-20131 kill chain, from an unauthenticated HTTP request to root access to ransomware deployment across managed FTD devices.

Who Is Interlock? A Ransomware Group That Has Been Leveling Up

Interlock first appeared in September 2024 and has spent the intervening 18 months systematically expanding its capabilities, victim count, and operational reach. The group operates outside the typical Ransomware-as-a-Service model — it does not advertise affiliates or sell access to its tooling. Instead, according to FortiGuard Labs researchers, it appears to be a smaller closed group of operators who develop and run their own malware through most of the kill chain. That self-contained structure makes it harder to track through the usual affiliate and broker networks, and it means the group maintains tight control over its tooling and operational security.

By mid-2025, the FBI, CISA, HHS, and MS-ISAC issued a joint advisory on Interlock activity — a significant escalation in official attention. The advisory noted the group had hit targets across North America and Europe spanning healthcare, technology, education, and government sectors. Confirmed victims have included DaVita, where Interlock claimed to have stolen 1.5 terabytes of data and the breach was subsequently confirmed to have affected 2.7 million patients; Kettering Health, where the group exfiltrated 941 GB of data — including financial records and patient information — before publishing it after ransom negotiations failed, disrupting chemotherapy sessions and pre-surgery appointments; the Texas Tech University System; and the city of Saint Paul, Minnesota. Interlock's data leak site, known as "Worldwide Secrets Blog," is used to pressure non-paying victims by publishing stolen data. The ransom note also explicitly threatens victims with regulatory exposure, warning that non-payment may result in notification to data protection authorities — adding compliance fines as a third lever of pressure alongside encryption and publication.

Historically, Interlock gained initial access through drive-by downloads from compromised legitimate websites — local news sites, small business pages, community forums — injecting fake browser update prompts for Chrome or Microsoft Edge. When a visitor clicked the fake update, they downloaded and executed a PowerShell-based payload. Starting in early 2025, the group layered in the ClickFix technique, which presents victims with a fake CAPTCHA or error page instructing them to open the Windows Run dialog and paste a command. The victim runs the malicious script themselves, which bypasses many endpoint detection tools that flag executables rather than user-initiated command execution. Later, the group added FileFix, which abuses the Windows File Explorer address bar to achieve the same result.

The group's post-exploitation toolkit has grown substantially. Researchers at Forescout and FortiGuard have documented the use of Cobalt Strike, AnyDesk, PuTTY, LummaStealer, BerserkStealer, and a custom remote access trojan tracked variously as NodeSnakeRAT, Interlock RAT, WINDYTWIST.SEA, and Interlock Backdoor. For data exfiltration, Interlock relies heavily on AzCopy and Azure Storage Explorer to move stolen data into Azure Blob Storage — a cloud-native exfiltration technique that blends into enterprise traffic and complicates detection. The group's average dwell time before deploying ransomware has been observed at 15 to 24 days, providing enough time for thorough reconnaissance, lateral movement, and data staging.

In a notable early-2026 development, IBM X-Force researchers reported that Hive0163 — the cluster IBM uses to track the operators behind Interlock — had deployed a new malware strain called Slopoly during a ransomware engagement. Slopoly is a PowerShell-based C2 backdoor assessed to have been developed with assistance from a large language model; IBM researchers cited extensive inline commentary, structured logging, and clearly named variables as indicators of LLM-assisted authorship, all of which are rare in human-authored malware. The discovery marks the first publicly documented use of likely AI-generated malware by a financially motivated ransomware group in an active intrusion. The group has also developed a custom process-termination utility called "Hotta Killer," which exploits CVE-2025-61155 — a zero-day in a gaming anti-cheat driver (GameDriverX64.sys, developed by Hotta Studio for the game Tower of Fantasy) — to disable endpoint detection and response solutions during active intrusions. This Bring Your Own Vulnerable Driver technique was documented by FortiGuard Labs in January 2026 and has been observed being used specifically to target Fortinet security software.

The Exploit Mechanics: Java Deserialization and Gadget Chains

To understand why CVE-2026-20131 is genuinely dangerous rather than theoretically dangerous, it helps to understand what Java deserialization attacks involve in practice. Java serialization is a mechanism for converting an object into a byte stream so it can be transmitted or stored. Deserialization is the reverse — reconstructing the object from that stream. The problem is that Java executes code during this reconstruction process, before any application-level validation can occur.

In the context of Cisco FMC, the web management interface accepts serialized Java objects from unauthenticated remote sources. The application does not implement look-ahead validation or a whitelist of permitted classes before deserializing incoming data. An attacker exploits this by crafting a "gadget chain" — a sequence of existing Java classes in the application's classpath that, when deserialized in a specific order, produce arbitrary command execution as a side effect. Libraries such as Apache Commons Collections and Spring have historically provided rich gadget chains for exactly this type of attack. The Java Virtual Machine follows the attacker's instructions during object reconstruction, effectively executing a payload that bypasses all application-level logic.

Cisco's advisory confirms the attack vector involves sending a crafted HTTP request containing a serialized Java object to the FMC management interface. No valid credentials are needed. No user needs to click anything. If the management interface is reachable — whether from the internet or an internal network segment — the exploit works. Security researchers at Purple Ops have noted that AI-assisted analysis can accelerate the development of working gadget chains by analyzing code differences between patched and unpatched versions, narrowing the exploit development window significantly.

# Detection: look for the Java serialization stream header in HTTP request bodies sent to the FMC management interface
# Java serialized objects begin with the hex bytes AC ED 00 05 (STREAM_MAGIC followed by STREAM_VERSION 5)
# Flag any HTTP POST whose body contains this pattern and is directed at the FMC management port
# Caveat: FMC management traffic is HTTPS, so this body match only fires on decrypted traffic (TLS inspection or a decrypting proxy in front of FMC)
# [FMC_MGMT_IP] is a placeholder for your FMC address(es); substitute the address variable your sensor defines

# Network IDS rule concept (Snort 2 / Suricata syntax):
alert tcp any any -> [FMC_MGMT_IP] [443,8443] (msg:"Possible Java Deserialization Attack on Cisco FMC"; flow:to_server,established; content:"|AC ED 00 05|"; http_client_body; classtype:attempted-admin; sid:20260001; rev:1;)
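As an added example (not code from the article, Cisco or Amazon), the Python script below applies the same magic-byte check to raw HTTP requests and goes beyond the IDS rule by also catching base64-encoded (optionally URL-encoded) and gzip-compressed bodies; the host, path and sample requests are constructed placeholders, and like the IDS rule it only works on decrypted traffic.

```python
import base64
import gzip
import re
from urllib.parse import unquote_to_bytes

# Java ObjectOutputStream header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5)
JAVA_MAGIC = b"\xac\xed\x00\x05"
# base64 of those four bytes always begins "rO0AB" (the familiar ysoserial-style prefix)
JAVA_MAGIC_B64 = b"rO0AB"


def split_request(raw: bytes):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return lines[0], headers, body


def decode_body(headers: dict, body: bytes) -> bytes:
    """Undo gzip Content-Encoding so the stream header is visible to the check."""
    if headers.get("content-encoding", b"").lower() == b"gzip":
        try:
            return gzip.decompress(body)
        except (OSError, EOFError):
            return body  # corrupt gzip: fall back to scanning the raw bytes
    return body


def find_java_stream(body: bytes):
    """Return how a Java serialization stream was found in the body, or None."""
    if body.startswith(JAVA_MAGIC):
        return "raw"
    if JAVA_MAGIC in body:
        return "raw-embedded"  # e.g. one part of a multipart upload
    # base64 variant, possibly URL-encoded inside a form parameter
    for token in re.findall(rb"[A-Za-z0-9+/]{8,}", unquote_to_bytes(body)):
        if token.startswith(JAVA_MAGIC_B64):
            try:
                if base64.b64decode(token[:8]).startswith(JAVA_MAGIC):
                    return "base64"
            except ValueError:  # binascii.Error is a ValueError subclass
                pass
    return None


def scan_request(raw: bytes):
    """Classify one raw HTTP request; only POST bodies are inspected."""
    request_line, headers, body = split_request(raw)
    if not request_line.upper().startswith(b"POST "):
        return None
    return find_java_stream(decode_body(headers, body))


# Constructed sample traffic (not real captures); host and path are placeholders.
def _req(body: bytes, extra_headers: bytes = b"") -> bytes:
    return (b"POST /placeholder/endpoint HTTP/1.1\r\nHost: fmc.example.internal\r\n"
            + extra_headers + b"Content-Length: " + str(len(body)).encode()
            + b"\r\n\r\n" + body)


SAMPLES = {
    "benign_json": _req(b'{"user":"admin","page":1}'),
    "raw_stream": _req(JAVA_MAGIC + b"sr\x00\x11java.util.HashMap"),
    "b64_form": _req(b"token=" + base64.b64encode(JAVA_MAGIC + b"sr")),
    "gzip_stream": _req(gzip.compress(JAVA_MAGIC + b"sr"), b"Content-Encoding: gzip\r\n"),
}


def scan_all(samples=SAMPLES):
    """Run the check over every sample and return {name: verdict or None}."""
    return {name: scan_request(raw) for name, raw in samples.items()}
```

Feed the function request bodies taken from a TLS-terminating proxy or full-packet capture in front of FMC; any non-None verdict on the management interface warrants immediate triage.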

What the Post-Exploitation Looks Like

Once root access is established on the FMC, the attacker controls the management plane for every firewall device registered to that instance. Cisco's advisory notes that the CVSS scope is "Changed," meaning exploitation on the FMC can be used to compromise the FTD devices it manages. From a practical standpoint, this means an attacker can push malicious policy changes, open firewall rules, disable threat detection on managed devices, or use FMC as a pivot point into other segments of the network.

Amazon's disclosure also flagged that Interlock operators were reviewing ConnectWise ScreenConnect deployments following initial access. Deploying a legitimate commercial remote desktop tool alongside custom implants provides Interlock with a redundant foothold: if defenders find and remove one backdoor, the ScreenConnect installation still grants re-entry. Its legitimate network footprint helps it blend with authorized remote administration traffic, complicating detection. After lateral movement and network reconnaissance, the group exfiltrates data to Azure Blob Storage using AzCopy — a cloud-native technique that blends into enterprise traffic — before deploying its ransomware payload. The final encryptor, which Interlock has built for both Windows and Linux environments, uses AES-GCM per-file session keys protected by RSA, appends .!NT3RLOCK or .int3R1Ock extensions to encrypted files, uses the Windows Restart Manager API to release file locks before encryption, and deletes itself post-execution to complicate forensic analysis. The Windows variant is a 64-bit PE file delivered via the JunkFiction loader, capable of running as a scheduled task at SYSTEM level.

The ransom note delivered by Interlock does not include an initial demand or payment instructions. Victims receive a unique identifier code and are directed to a TOR-based negotiation portal to begin a chat session. The note goes beyond the standard double-extortion threat of encryption plus publication — it explicitly invokes data protection regulations, warning victims that non-payment may trigger notifications to regulatory authorities and result in compliance fines. This three-pronged pressure model (encryption, data publication, and regulatory exposure) reflects Interlock's documented practice across multiple campaigns and was confirmed in the ransom note recovered from the AWS investigation. For organizations that do not pay, data is published to the "Worldwide Secrets Blog" leak site.

Amazon's response guidance, issued alongside the disclosure, calls for organizations to apply patches immediately, conduct security assessments to identify potential compromise, audit ScreenConnect and other remote management tool deployments for unauthorized installations, and implement defense-in-depth controls that function independently of any single patching cycle. The guidance reflects the core problem the campaign illustrates: when exploitation precedes disclosure, the defender's standard playbook has no answer for the gap.

The full technical picture of Interlock's post-exploitation capability is more sophisticated than a standard ransomware intrusion. Amazon's analysis of the exposed staging server revealed a JavaScript implant that suppresses browser debugging output and communicates over persistent WebSocket connections using RC4-encrypted messages with per-message 16-byte random keys — a design that produces different ciphertext for each message even when the plaintext is identical, complicating traffic analysis. A functionally equivalent Java implant provides the same capabilities, meaning Interlock maintains C2 access through two separately implemented backdoors simultaneously. A third component, a Bash-based infrastructure laundering script, configures Linux servers as HAProxy-based HTTP reverse proxies with log erasure routines running every five minutes, erasing all files under /var/log on a schedule — aggressively destroying forensic evidence in near real-time. The group also deployed Certify, an open-source tool for identifying misconfigurations in Active Directory Certificate Services, supporting both privilege escalation and persistent authentication via fraudulent certificates.

"This is precisely why defense-in-depth is essential — layered security controls provide protection when any single control fails or hasn't yet been deployed. Rapid patching remains foundational in vulnerability management, but defense in depth helps organizations not to be defenseless during the window between exploit and patch." — CJ Moses, CISO of Amazon Integrated Security (AWS Security Blog, March 18, 2026)

Key Takeaways

  1. Patch CVE-2026-20131 immediately: There are no workarounds. The only remediation is upgrading to a fixed release of Cisco Secure FMC. Use the Cisco Software Checker to identify the correct version for your deployment. Every day of delay on an internet-facing management interface is an accepted risk of the highest category.
  2. Isolate FMC management interfaces: Cisco's advisory explicitly states that restricting the management interface from public internet access reduces the attack surface. FMC management should be accessible only from a trusted, out-of-band management network. This is a foundational control that limits exposure to both known and pre-disclosure exploitation.
  3. Audit remote access tools: Amazon's guidance specifically calls out ScreenConnect deployments. Following a compromise via CVE-2026-20131, Interlock operators use legitimate remote management tools to establish persistence. Audit what is installed, who installed it, and whether it was authorized.
  4. Implement network-level detection for serialization attacks: Monitor HTTP traffic to FMC management interfaces for requests containing Java serialization magic bytes (AC ED 00 05). This is a low-noise signal that should never appear in legitimate management traffic and can serve as an early warning even before CVE-specific signatures are deployed.
  5. Assume the pre-patch window is a real threat model: The 36-day gap between Interlock's first exploitation and Cisco's patch release is not an anomaly — it is a pattern. Zero-day exploitation of perimeter and management infrastructure by financially motivated actors is documented across multiple 2025 and 2026 campaigns. Defense-in-depth controls, network segmentation, and behavioral monitoring need to function independently of any knowledge that a specific CVE exists.
  6. Understand that Interlock applies three simultaneous levers of pressure: The group encrypts, publishes stolen data, and explicitly threatens regulatory notification in its ransom note — warning victims that non-payment may result in data protection authority disclosures and compliance fines. Organizations in regulated industries (healthcare, finance, education) face compounded risk. Incident response planning and legal counsel should be engaged before negotiations begin, not after.

The CVE-2026-20131 campaign closes a loop that has been tightening since at least the Citrix Bleed wave of late 2023: ransomware operators and sophisticated threat actors are converging on the same target class — firewalls, VPN gateways, and management platforms that sit at the network edge and process traffic before any other security control has a chance to see it. Exploiting these systems is not just about gaining access to a single host. It is about sitting upstream of the organization's entire defensive stack. The Interlock group's willingness to weaponize a CVSS 10.0 flaw 36 days before it was public is evidence that this calculus is working.

Sources

  • CJ Moses, Amazon threat intelligence teams identify Interlock ransomware campaign targeting enterprise firewalls, AWS Security Blog, March 18, 2026 — aws.amazon.com
  • Cisco Systems, Cisco Secure Firewall Management Center Software Remote Code Execution Vulnerability (cisco-sa-fmc-rce-NKhnULJh), March 4, 2026 — sec.cloudapps.cisco.com
  • FortiGuard Labs (Robson et al.), Interlock Ransomware: New Techniques, Same Old Tricks, January 29, 2026 — fortinet.com
  • IBM X-Force (Golo Mühr), A Slopoly start to AI-enhanced ransomware attacks, March 2026 — ibm.com
  • Arctic Wolf, CVE-2026-20079 & CVE-2026-20131, March 2026 — arcticwolf.com
  • The Hacker News, Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access, March 18, 2026 — thehackernews.com
  • The Register, Ransomware crims abused Cisco 0-day weeks before disclosure, March 18, 2026 — theregister.com
  • MITRE, CWE-502: Deserialization of Untrusted Data — cwe.mitre.org