Interlock Ransomware Exploited Zero-Day in Cisco Firewall Before Patch
Ransomware group Interlock exploited a maximum-severity zero-day vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center more than a month before the vendor released a patch. The flaw, which allows unauthenticated remote attackers to execute arbitrary Java code as root, was actively exploited from January 26; Cisco issued fixes on March 4.
Amazon’s CJ Moses, CISO of Amazon Integrated Security, revealed the timeline, stating that the company’s MadPot honeypot network detected exploit traffic tied to Interlock’s infrastructure. A misconfigured server also exposed the group’s attack toolkit, providing defenders with critical intelligence.
Interlock’s Tactics and Toolkit
Interlock, a ransomware crew active since 2025, has targeted hospitals, medical facilities, and government entities, disrupting critical services (including chemotherapy sessions and pre-surgery appointments) and leaking sensitive data. Victims include Davita (kidney dialysis), Kettering Health, and the city of Saint Paul, Minnesota, where a 43 GB data breach forced a state of emergency.
The group’s post-exploitation toolkit includes:
- A PowerShell script harvesting system details (OS, hardware, services, software, storage, VM inventory, user files, RDP logs, and browser data).
- Custom remote access trojans (RATs) in JavaScript and Java, providing persistent access, command execution, file transfer, and SOCKS5 proxy capabilities.
- A Bash script configuring Linux servers as reverse proxies, wiping logs, and ensuring persistence.
- Memory-resident backdoors and lightweight network beacons to evade detection.
- Legitimate tools such as ConnectWise ScreenConnect, Volatility, and Certify, used to blend malicious activity in with authorized remote-access traffic.
Redundant Access and Extortion Tactics
Interlock deploys multiple backdoors, including dual-language implants (JavaScript and Java), so that access survives even if one implant is detected and removed. Its ransom notes threaten regulatory exposure, leveraging compliance violations alongside data encryption and leaks to pressure victims.
Cisco has updated its security advisory, urging customers to apply patches immediately. The incident underscores the growing sophistication of ransomware groups in exploiting zero-days before public disclosure.
Source: https://www.theregister.com/2026/03/18/amazon_cisco_firewall_0_day_ransomware/
Cisco cybersecurity rating report: https://www.rankiteo.com/company/cisco
Saint-Gobain cybersecurity rating report: https://www.rankiteo.com/company/saint-gobain
{
"id": "CISSAI1773859283",
"linkid": "cisco, saint-gobain",
"type": "Vulnerability",
"date": "1/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Kidney dialysis', 'name': 'Davita', 'type': 'Healthcare'},
                       {'industry': 'Hospital', 'name': 'Kettering Health', 'type': 'Healthcare'},
                       {'industry': 'Municipal', 'location': 'Saint Paul, Minnesota', 'name': 'City of Saint Paul, Minnesota', 'type': 'Government'}],
 'attack_vector': 'Zero-day vulnerability exploitation',
 'data_breach': {'data_encryption': 'Yes (ransomware encryption)',
                 'data_exfiltration': 'Yes (43 GB leaked in Saint Paul incident)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (PII, medical data)',
                 'type_of_data_compromised': 'Sensitive personal data, medical records, government data'},
 'date_detected': '2026-01-26',
 'date_publicly_disclosed': '2026-03-04',
 'description': 'Ransomware group Interlock exploited a maximum-severity zero-day vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center more than a month before the vendor released a patch. The flaw allowed unauthenticated remote attackers to execute arbitrary Java code as root. Amazon’s MadPot honeypot network detected exploit traffic tied to Interlock’s infrastructure, and a misconfigured server exposed the group’s attack toolkit.',
 'impact': {'brand_reputation_impact': 'High (data leaks, service disruptions)',
            'data_compromised': '43 GB (Saint Paul, Minnesota incident)',
            'identity_theft_risk': 'High (sensitive data leaked)',
            'legal_liabilities': 'Potential regulatory violations',
            'operational_impact': 'Disrupted chemotherapy sessions, pre-surgery appointments, and critical services',
            'systems_affected': 'Cisco Secure Firewall Management Center, hospital systems, government entities'},
 'initial_access_broker': {'backdoors_established': 'Multiple (JavaScript/Java RATs, Bash scripts, memory-resident backdoors)',
                           'entry_point': 'Zero-day vulnerability (CVE-2026-20131)',
                           'high_value_targets': 'Hospitals, medical facilities, government entities'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Zero-day vulnerabilities can be exploited before patches are available, highlighting the need for proactive threat detection and redundant security measures.',
 'motivation': 'Financial gain, data extortion, regulatory pressure',
 'post_incident_analysis': {'corrective_actions': 'Patch management, enhanced monitoring, redundant backdoors detection, and threat intelligence sharing',
                            'root_causes': 'Exploitation of unpatched zero-day vulnerability in Cisco Secure Firewall Management Center'},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransomware_strain': 'Interlock'},
 'recommendations': 'Apply Cisco patches immediately, monitor for unusual activity, implement network segmentation, and enhance incident response plans for ransomware attacks.',
 'references': [{'source': 'Amazon Integrated Security (CJ Moses)'},
                {'source': 'Cisco Security Advisory'}],
 'regulatory_compliance': {'regulations_violated': 'Potential (healthcare and government data protection regulations)'},
 'response': {'remediation_measures': 'Cisco released patches on March 4, 2026',
              'third_party_assistance': 'Amazon MadPot honeypot network'},
 'threat_actor': 'Interlock',
 'title': 'Interlock Ransomware Exploited Zero-Day in Cisco Firewall Before Patch',
 'type': 'Ransomware',
 'vulnerability_exploited': 'CVE-2026-20131 (Cisco Secure Firewall Management Center)'}