Cisco Firewall 0-Day Exploited: Inter Vulnerability Wild

David kimber
March 18, 2026

A critical zero-day vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center (FMC) Software is currently under active exploitation by the Interlock ransomware group.

Cisco disclosed the flaw on March 4, 2026; it allows unauthenticated remote attackers to execute arbitrary Java code as root. Amazon threat intelligence researchers discovered Interlock exploiting this vulnerability 36 days before its public disclosure, starting January 26, 2026.

This head start allowed the ransomware group to aggressively compromise organizations while defenders remained unaware. Amazon shared these findings with Cisco to support its investigation. AWS infrastructure and customer workloads were not involved in this campaign.

The investigation advanced when a misconfigured infrastructure server exposed Interlock’s complete operational toolkit. Initial threat activity involved HTTP requests to a vulnerable software path, containing Java code execution attempts and embedded URLs.

These URLs delivered configuration data and confirmed successful exploitation by triggering an HTTP PUT request to upload a generated file. By simulating a compromised system, researchers prompted the attackers to deploy a malicious Linux ELF binary.

The exposed staging server revealed that the group organized artifacts into dedicated paths for individual targets, streamlining both the downloading of tools and the uploading of stolen operational data.

Cisco Firewall 0-day Vulnerability Exploited

Technical indicators confidently attribute this activity to the Interlock ransomware family, a financially motivated group that first emerged in September 2024.

The recovered ELF binary, embedded ransom note, and TOR negotiation portal align with established Interlock branding. Their ransom notes uniquely cite regulatory exposure to maximize pressure on victims, fitting their known double extortion model.

The Amazon threat intelligence team's analysis of activity timestamps suggests the actors operate in the UTC+3 timezone. Historically, Interlock targets sectors where operational disruption forces immediate payment, primarily education, engineering, construction, manufacturing, healthcare, and government entities.

Upon gaining access, Interlock deploys a sophisticated toolkit to escalate privileges and maintain persistence. A recovered PowerShell script conducts extensive Windows environment enumeration, collecting system details, browser artifacts, and network connections.

The script organizes results into dedicated directories for each host and compresses them into ZIP archives, signaling preparation for organization-wide encryption.

The group utilizes custom remote access trojans implemented in both JavaScript and Java. The JavaScript implant uses Windows Management Instrumentation for profiling and establishes persistent WebSocket connections with RC4-encrypted messages.

It provides interactive shell access, file transfers, and SOCKS5 proxy capabilities. The functionally identical Java backdoor, built on GlassFish libraries, ensures redundant access.

To obscure their tracks, attackers deploy a Bash script configuring Linux servers as HTTP reverse proxies. This script installs HAProxy to forward traffic and aggressively erases logs every five minutes.
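The log-erasure cadence is the detectable part of that proxy setup: a scheduled job that deletes or truncates files under /var/log every few minutes is not something a legitimately administered host does. The following is an added example written for this page, not the attackers' script or code from the article; the crontab lines are constructed, and the monitored path list, the destructive-command pattern and the five-minute threshold are assumptions.

```python
import re

# Assumed locations whose repeated deletion is suspicious.
LOG_PATHS = ("/var/log", "/var/lib/haproxy", "/root/.bash_history")
# Assumed pattern for commands that destroy or empty files.
DESTRUCTIVE = re.compile(r"\b(rm|shred|truncate|unlink)\b|>\s*/var/log")
# Flag schedules that fire this often or more often (assumption).
MAX_INTERVAL_MIN = 5

# Constructed crontab for the demonstration; only the first two lines are malicious.
SAMPLE_CRONTAB = """\
# constructed entries
*/5 * * * * rm -f /var/log/haproxy.log /var/log/auth.log
* * * * * truncate -s0 /var/log/syslog
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/local/bin/healthcheck.sh
0 * * * * find /var/log -name '*.gz' -mtime +30 -delete
"""


def cron_interval_minutes(schedule):
    """Return the run interval in minutes for simple '*' and '*/N' minute
    schedules, or None for anything less frequent or more complex."""
    fields = schedule.split()
    if len(fields) != 5:
        return None
    minute, hour = fields[0], fields[1]
    if hour != "*":
        return None          # runs at most once per hour
    if minute == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", minute)
    return int(m.group(1)) if m else None


def is_log_wiper(line):
    """True when a crontab line runs frequently, names a log path and uses a
    destructive command."""
    line = line.strip()
    if not line or line.startswith("#"):
        return False
    parts = line.split(None, 5)
    if len(parts) < 6:
        return False
    schedule, command = " ".join(parts[:5]), parts[5]
    interval = cron_interval_minutes(schedule)
    if interval is None or interval > MAX_INTERVAL_MIN:
        return False
    touches_logs = any(p in command for p in LOG_PATHS)
    return touches_logs and bool(DESTRUCTIVE.search(command))


def scan_crontab(text):
    """Return the crontab lines that look like periodic log wipers."""
    return [l.strip() for l in text.splitlines() if is_log_wiper(l)]


if __name__ == "__main__":
    for hit in scan_crontab(SAMPLE_CRONTAB):
        print("suspicious:", hit)
```

The hourly `find ... -delete` entry and the nightly logrotate run are not flagged because neither fires within the five-minute threshold; the check keys on frequency plus destruction, not on the mere presence of `rm` in a crontab. The same logic applies to systemd timers once their `OnUnitActiveSec` values are translated into an interval.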

Additionally, a fileless, memory-resident Java webshell intercepts HTTP requests carrying AES-128-encrypted commands, keyed from a hardcoded seed.

Interlock also abuses legitimate tools, including ConnectWise ScreenConnect, Volatility for memory forensics, and Certify for Active Directory exploitation, alongside its custom malware.

Organizations running Cisco Secure Firewall Management Center must apply the latest security patches immediately. Because the threat actor heavily customized downloaded artifacts for each individual target network, traditional file hashes are largely unreliable for signature-based detection.

Defenders should instead focus on identifying behavioral patterns, memory-resident anomalies, and the specific network reconnaissance tactics associated with Interlock’s multifaceted attack chain.
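The article gives two anchors for this kind of behavioural detection: the exploitation pattern described earlier (requests to the vulnerable FMC path carrying Java code and embedded URLs, followed by an HTTP PUT upload) and the advice here to hunt for behaviour rather than file hashes. The following is an added example written for this page, not code from Amazon, Cisco or the article; it assumes a simplified access-log format, uses a placeholder for the vulnerable path (the article does not name it), and treats the Java-execution indicators and the ten-minute correlation window as assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder: the article does not name the vulnerable FMC path.
VULNERABLE_PATH = "/PLACEHOLDER_FMC_PATH"
# Assumed, generic indicators of Java code execution in a request body.
JAVA_EXEC = re.compile(r"java\.lang\.Runtime|ProcessBuilder|ScriptEngineManager", re.I)
EMBEDDED_URL = re.compile(r"https?://[^\s\"']+")
# Assumed window between the code-execution request and the follow-up PUT.
PUT_WINDOW = timedelta(minutes=10)

# Constructed sample lines: "<timestamp> <client> <method> <path> <status> <body excerpt>"
SAMPLE_LOG = """\
2026-01-26T03:14:05Z 203.0.113.7 POST /PLACEHOLDER_FMC_PATH 200 java.lang.Runtime.getRuntime().exec http://198.51.100.9/cfg
2026-01-26T03:14:09Z 203.0.113.7 PUT /PLACEHOLDER_FMC_PATH/upload 201 -
2026-01-26T03:20:00Z 192.0.2.44 GET /login 200 -
2026-01-26T03:21:00Z 192.0.2.44 POST /api/search 200 name=foo
2026-01-26T04:00:00Z 198.51.100.200 POST /PLACEHOLDER_FMC_PATH 500 ProcessBuilder(
"""


def parse_line(line):
    """Split one simplified access-log line into its fields."""
    ts, client, method, path, status, body = line.split(maxsplit=5)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method.upper(),
        "path": path,
        "status": int(status),
        "body": body,
    }


def analyze(log_text):
    """Correlate per client: a Java-execution request against the vulnerable
    path raises an 'attempt'; a PUT from the same client within PUT_WINDOW
    upgrades it to 'confirmed'. Returns {client: alert}."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    attempts = defaultdict(list)
    alerts = {}
    for e in events:
        if e["path"].startswith(VULNERABLE_PATH) and JAVA_EXEC.search(e["body"]):
            attempts[e["client"]].append(e)
            alert = alerts.setdefault(
                e["client"],
                {"verdict": "attempt", "first_seen": e["ts"].isoformat(), "embedded_urls": []},
            )
            # Embedded URLs are worth extracting: they point at the staging infrastructure.
            alert["embedded_urls"].extend(EMBEDDED_URL.findall(e["body"]))
        elif e["method"] == "PUT" and any(
            e["ts"] - a["ts"] <= PUT_WINDOW for a in attempts.get(e["client"], [])
        ):
            alerts[e["client"]]["verdict"] = "confirmed"
    return alerts


if __name__ == "__main__":
    for client, alert in analyze(SAMPLE_LOG).items():
        print(client, alert)
```

The check deliberately ignores the response status: the 500 returned to the last client still yields an "attempt" alert, because a failed exploitation request is exactly the early warning that hash-based signatures would miss. Swapping the placeholder path for the real one and adapting `parse_line` to the appliance's actual log format are the only changes needed to run it over FMC access logs.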

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

All Rights Reserved by HackersRadar ©2026
