{"id":15979,"date":"2026-03-19T18:26:15","date_gmt":"2026-03-19T18:26:15","guid":{"rendered":"https:\/\/newestek.com\/?p=15979"},"modified":"2026-03-19T18:26:15","modified_gmt":"2026-03-19T18:26:15","slug":"ransomware-group-exploited-cisco-firewall-vulnerability-as-a-zero-day-weeks-before-a-patch-appeared","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15979","title":{"rendered":"Ransomware group exploited Cisco firewall vulnerability as a zero day, weeks before a patch appeared"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>One of the world\u2019s most active ransomware groups, Interlock, started exploiting a critical-rated Cisco firewall vulnerability as a zero day weeks before it was patched in early March, Amazon has revealed.<\/p>\n<p>The vulnerability in question is <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-fmc-rce-NKhnULJh\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2026-20131<\/a>, a remotely exploitable deserialization flaw in Cisco Secure Firewall Management Center (FMC) Software, which was assigned the maximum CVSS score of 10.<\/p>\n<p>When Cisco released a patch for it <a href=\"https:\/\/www.csoonline.com\/article\/4141268\/cisco-issues-emergency-patches-for-critical-firewall-vulnerabilities.html\" target=\"_blank\">on March 4<\/a> as part of its semiannual firewall update, security teams would have known this needed to be applied urgently, alongside a fix for a second FMC vulnerability, <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-onprem-fmc-authbypass-5JPp45V2\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2026-20079<\/a>, 
with an identical severity rating.<\/p>\n<p>However, Amazon\u2019s discovery that Interlock started exploiting CVE-2026-20131 on January 26, around 38 days prior to the release of the patch, turns the issue from merely \u2018urgent\u2019 into something akin to a full-blown zero-day vulnerability patching emergency.<\/p>\n<h2 class=\"wp-block-heading\" id=\"attacker-mistake\">Attacker mistake<\/h2>\n<p>Amazon said it started searching for exploitation of CVE-2026-20131 after Cisco\u2019s advisory, using the company\u2019s MadPot global network, a honeypot system comprising thousands of sensors deployed throughout its AWS platform.<\/p>\n<p>This quickly uncovered attacks dated weeks prior to the vulnerability being made public. \u201cObserved activity involved HTTP requests to a specific path in the affected software,\u201d said CJ Moses, CISO for Amazon Integrated Security, in <a href=\"https:\/\/aws.amazon.com\/blogs\/security\/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls\/\" target=\"_blank\" rel=\"noreferrer noopener\">a blog this week<\/a>.<\/p>\n<p>He added: \u201cThis wasn\u2019t just another vulnerability exploit, Interlock had a zero-day in their hands, giving them a week\u2019s head start to compromise organizations before defenders even knew to look.\u201d He later clarified to <em>CSO<\/em> that the \u201cweek\u2019s head start\u201d he referred to was the gap between the date of the first exploit that Amazon\u2019s later analysis had unearthed and Cisco\u2019s discovery of the bug.<\/p>\n<p>Amazon gained insight into the attacker\u2019s infrastructure by using the honeypot to mimic a vulnerable firewall system. 
This resulted in an attack on the honeypot, which received a malicious binary from the attackers; it also revealed that the ransomware depended on a single server with a poorly secured staging area.<\/p>\n<p>From this, researchers were able to analyze the group\u2019s full attack chain, including Trojans, reconnaissance scripts, and evasion techniques.<\/p>\n<h2 class=\"wp-block-heading\" id=\"unlocking-interlock\">Unlocking Interlock<\/h2>\n<p>According to Amazon, the tools and techniques connect the malware to Interlock, a ransomware actor that appeared in 2024, possibly as a ransomware-as-a-service (RaaS) offshoot of the notorious Rhysida group, which was behind the hugely disruptive 2023 <a href=\"https:\/\/www.csoonline.com\/article\/657631\/british-library-suffers-major-tech-outage-in-cyber-incident.html\" target=\"_blank\">ransomware attack on The British Library<\/a>.<\/p>\n<p>\u201cThe ELF [Linux executable] binary and associated artifacts are attributable to the Interlock ransomware family based on convergent technical and operational indicators. 
The embedded ransom note and TOR negotiation portal are consistent with Interlock\u2019s established branding and infrastructure,\u201d said Amazon\u2019s Moses.<\/p>\n<p>In the past, Interlock had targeted sectors such as education, engineering, architecture, construction, manufacturing, and healthcare, as well as government and public sector entities, Moses said.<\/p>\n<p>However, given that the group has been able to exploit a zero-day vulnerability in equipment as prevalent as Cisco firewalls for more than a month, any vulnerable organization might be at risk.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-fundamental-challenge-of-zero-day-exploits\">The \u2018fundamental challenge\u2019 of zero-day exploits<\/h2>\n<p>\u201cThe real story here isn\u2019t just about one vulnerability or one ransomware group \u2014 it\u2019s about the fundamental challenge zero-day exploits pose to every security model,\u201d said Moses.<\/p>\n<p>\u201cWhen attackers exploit vulnerabilities before patches exist, even the most diligent patching programs can\u2019t protect you in that critical window. This is precisely why defense in depth is essential.\u201d<\/p>\n<p>It\u2019s still unclear how many victims Interlock might have compromised during the period it was able to exploit CVE-2026-20131 as a zero-day vulnerability, but they are likely to be numerous. The Amazon blog includes a list of IP addresses, malicious domains, and JA3 client fingerprint hashes that security teams can search for in logs as evidence of possible compromise.<\/p>\n<p>The procedure for patching CVE-2026-20131, and the other 47 CVEs included in Cisco\u2019s March 4 update, varies depending on the FMC software version installed. 
Cisco recommends using its <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/softwarechecker.x\" target=\"_blank\" rel=\"noreferrer noopener\">software checker<\/a> to determine the appropriate update.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>One of the world\u2019s most active ransomware groups, Interlock, started exploiting a critical-rated Cisco firewall vulnerability as a zero day weeks before it was patched in early March, Amazon has revealed. The vulnerability in question is CVE-2026-20131, a remotely exploitable deserialization flaw in Cisco Secure Firewall Management Center (FMC) Software which was given a maximum 10 CVSS score. When Cisco released a patch for it&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15979","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15979","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15979"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15979\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15979"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15979"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15979"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}