Cisco firewall exploit used in Interlock ransomware

Amazon's MadPot honeypot network recorded Interlock exploiting CVE‑2026‑20131 as early as January 26, 2026. (aws.amazon.com) Cloud Security Alliance analysis calculates Interlock used the FMC flaw for 37 days before Cisco issued a patch on March 4, 2026, and for 51 days prior to broader public disclosure on March 18, 2026. (labs.cloudsecurityalliance.org) Cisco’s advisory confirms the root cause as insecure Java deserialization that permits unauthenticated remote code execution as root and lists March 4, 2026 as the initial advisory publish date. (sec.cloudapps.cisco.com) Technical indicators tied to the Interlock activity include bespoke RATs, web shells, recon scripts, ScreenConnect and proxy tooling, which threat analysts say enable lateral movement and post‑exploit staging. (isec.news) Federal and industry bodies moved quickly: CISA’s Interlock advisories document the group’s VM‑encrypting ransomware behavior across Windows and Linux, and FINRA issued an alert to member firms using Cisco FMC to assess exposure. (cisa.gov) (finra.org) Proof‑of‑concept exploit code for CVE‑2026‑20131 is available in public GitHub repositories, widening the immediate attack surface for opportunistic actors. (github.com) Security firms note a compromised FMC can serve as a staging point for credential harvesting, configuration tampering and enterprise‑wide ransomware deployment, and Cisco states no practical workarounds are available beyond applying the vendor updates. (vulert.com) (sec.cloudapps.cisco.com)