Interlock Ransomware Targets Cisco Enterprise Firewalls
2026-03-20 13:00 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
The Interlock ransomware gang has been exploiting a critical vulnerability in Cisco's Secure Firewall Management Center (FMC) Software that can allow an unauthenticated remote attacker to execute arbitrary Java code as root on an affected device. The gang has been targeting organizations that run Cisco enterprise firewalls: it gains initial access by exploiting the vulnerability, runs a PowerShell script to enumerate the Windows environment and collect basic host data, which is staged in a per-victim directory on attacker-controlled infrastructure, and then deploys a custom remote-access Trojan. A misconfigured staging server on the gang's side gave Amazon's security teams visibility into this multi-stage attack chain, including its reconnaissance scripts and evasion techniques. This is why defense in depth matters: layered security controls still provide protection when any single control fails or has not yet been deployed. The real story here is not one vulnerability or one ransomware group; it is the fundamental challenge that zero-day exploits pose to every security model.
Technical Mitigations (AI-generated)
* Run a patching program that tracks known vulnerabilities and applies the corresponding fixes, including the Cisco firewall zero-day CVE-2026-20131, to minimize the window of exploitation. Per Cisco, FMC users should upgrade to a fixed release; Security Cloud Control (SCC) is a SaaS product that is upgraded without user action, and ASA and FTD Software are not affected.
* Keep software applications and operating systems on current, supported releases so they receive the latest security patches; where a fix for a critical vulnerability such as CVE-2026-20131 is not available for the version in use, move to a version that has one.
* Use a vulnerability scanning tool that identifies exposure to actively exploited vulnerabilities such as CVE-2026-20131 and alerts administrators promptly, so defenders can act before an attacker does.
* Conduct regular security audits and penetration tests to find and fix weaknesses in the organization's defenses, including those in Cisco firewalls and other software.
* Train employees in cybersecurity basics, such as avoiding suspicious links and attachments, using strong passwords, and keeping software up to date, to reduce the risk of falling victim to ransomware attacks like Interlock.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: CVE-2026-20131
Target Regions: EUROPE, NORTH_AMERICA
Sectors: defense, health, government, healthcare, education
Incident Timeline
September 2024
Interlock emerged; it has since repeatedly targeted critical infrastructure and businesses across North America and Europe.
Source: The FBI and other federal agencies said last year that Interlock emerged in September 2024 and has repeatedly targeted critical infrastructure and businesses across North America and Europe.
Entities: target_region EUROPE, NORTH_AMERICA; attribution FBI
2025-03-19
Interlock, the ransomware gang behind last year's damaging cyberattack on the city of St. Paul, exploited a vulnerability in a popular line of Cisco firewalls before the bug was publicly disclosed, continuing its pattern of attacks on critical infrastructure and businesses across Europe and North America.
Sources: The ransomware gang behind a damaging cyberattack last year on the city of St. Paul recently exploited a vulnerability in a popular line of Cisco firewalls before the bug was disclosed publicly. The FBI and other federal agencies said last year that Interlock emerged in September 2024 and has repeatedly targeted critical infrastructure and businesses across North America and Europe.
Entities: tactic Ransomware; target_region EUROPE, NORTH_AMERICA; attribution FBI
2025-03-20
Recorded Future's H1 2025 Malware and Vulnerability Trends report found that edge security and gateway devices, a category that includes Cisco enterprise firewalls, accounted for 17% of the vulnerabilities exploited by threat actors in the first half of last year.
Source: Recorded Future's H1 2025 Malware and Vulnerability Trends report found that edge security and gateway devices (such as firewalls and VPNs) accounted for 17% of vulnerabilities exploited by threat actors during the first half of last year.
Entities: organisation Recorded Future; tactic T1588.001 - Malware; general_metric 2025 H1, 17%
January 26
Interlock began using the vulnerability in attacks on January 26; following Cisco's disclosure, Amazon researchers determined that Interlock had exploited CVE-2026-20131 as far back as that date, making it a zero-day flaw.
Sources: According to Moses, Interlock began using the vulnerability in attacks on January 26. Following Cisco's disclosure, Amazon researchers determined that Interlock exploited CVE-2026-20131 as far back as Jan. 26, making it a zero-day flaw.
Entities: organisation Amazon, Interlock; vulnerability CVE-2026-20131
March 4
Cisco disclosed CVE-2026-20131, a critical vulnerability affecting Cisco Secure Firewall Management Center software, which the Interlock ransomware gang had already been exploiting.
Source: CJ Moses, CISO of Amazon Integrated Security, released a report on Wednesday outlining the Interlock ransomware gang’s exploitation of CVE-2026-20131 — a critical vulnerability disclosed on March 4 affecting Cisco Secure Firewall Management Center software.
Entities: tactic Ransomware; vulnerability CVE-2026-20131; organisation Amazon Integrated Security, Cisco Secure Firewall Management Center
March 18
CJ Moses, CISO of Amazon Integrated Security, published a blog post detailing how the Interlock ransomware gang is exploiting the vulnerability to target at-risk organizations.
Source: CJ Moses, chief information security officer (CISO) of Amazon Integrated Security, published a blog post on March 18 detailing how the Interlock ransomware gang is exploiting the vulnerability to target at risk organizations.
Entities: tactic Ransomware; organisation Amazon Integrated Security
2026-03-20
The Interlock ransomware gang exploited a zero-day vulnerability in Cisco's Secure Firewall Management Center (FMC) Software.
Sources (Dark Reading):
* Interlock ransomware gang exploited Cisco firewall zero-day weeks before disclosure: Amazon.
* Specifically, this campaign leverages CVE-2026-20131, a critical vulnerability (10 CVSS) in the Web-based management interface of Cisco's Secure Firewall Management Center (FMC) Software; if exploited, it can allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an impacted device.
* CVE-2026-20131 impacts all unpatched versions of Cisco Secure FMC Software and Cisco Security Cloud Control (SCC). The latter is a software-as-a-service (SaaS) product and is upgraded without user action, but FMC users should immediately upgrade to a fixed release.
* Cisco also said that its Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software are unaffected by the vulnerability.
* Amazon was able to discover information on exploitation of the bug and Interlock’s operations through a misconfigured infrastructure server that served as a staging area for the ransomware gang.
* A Look Under Interlock Ransomware's Hood: Once Interlock gains initial access — in this case through exploiting the firewall software bug — they use a series of tools such as a PowerShell script to enumerate the Windows environment and collect basic data before creating a directory on the attacker's end with collected data belonging to each compromised computer.
* The Interlock attacker then deploys a remote-access Trojan (RAT) to gain complete access to a compromised device, plus establishing command and control (C2).
* Moses added that alongside the malicious tools Amazon researchers discovered, they found Interlock using an array of legitimate security tools during attacks, including ConnectWise ScreenConnect, incident response tool Volatility, offensive security product Certify, and more.
* “The ransom note’s invocation of multiple data protection regulations reflects Interlock’s documented practice of citing regulatory exposure to pressure victims, essentially threatening organizations not just with data encryption, but with regulatory fines and compliance violations,” Moses wrote.
* The group’s attacks on the dialysis treatment company DaVita and one of the largest healthcare systems in Ohio caused outrage and exposed the sensitive health information of millions.
* Unfortunately, critical vulnerabilities targeting firewall vendors like Cisco, Ivanti, SonicWall, and Fortinet are a dime a dozen.
Entities: organisation Amazon, Interlock, DaVita, Cisco, Secure Firewall Management Center, Cisco Secure FMC, Cisco Security Cloud Control (SCC), Secure Firewall Adaptive Security Appliance, Secure Firewall Threat Defense, ConnectWise ScreenConnect, Volatility, Ivanti, SonicWall, Fortinet, FMC; infrastructure Windows; vulnerability CVE-2026-20131
Tactical Metrics
Affected Product (infrastructure):
* Windows: enumerated by Interlock's PowerShell script after initial access through the firewall software bug, with collected data for each compromised computer staged in a directory on the attacker's end.
* Ivanti: named, alongside Cisco, SonicWall, and Fortinet, as a firewall vendor for which critical vulnerabilities are a dime a dozen.
Intelligence Sources
* TheRecord, 2026-03-19
* Dark Reading, 2026-03-20
Last Updated: 2026-04-27T11:17
Comprehensive Tactical Telemetry
Highly Correlated Entities (occurrences | type | value):
* 27x | organisation (Identified Entity) | DaVita
* 8x | timeline (Temporal Reference) | 2025-03-19
* 6x | tactic (MITRE ATT&CK Technique) | T1592.002 - Software
* 5x | industry (Targeted Sector) | Government
* 3x | tactic (Cyber Operation Type) | Ransomware
* 2x | attribution (Attributing Entity) | the National Guard
* 2x | target region (Target Region) | EUROPE
* 2x | infrastructure (Affected Product) | Windows
Contextual Telemetry (5 metrics):
* vulnerability (Exploited CVE): CVE-2026-20131
* target region (Target Country): China
* source region (Origin Country): Iran, Islamic Republic of
* general metric: H1 2025
* general metric: 17%