
Archived Article — The Daily Perspective is no longer active. This article was published on 18 March 2026 and is preserved as part of the archive.

Technology

Critical Cisco Firewall Flaw Exploited by Ransomware Gang for Months Before Patch

Amazon warns that Interlock criminals had a six-week head start on a maximum-severity vulnerability before Cisco disclosed the fix

Key Points
  • Interlock ransomware exploited CVE-2026-20131 as a zero-day from January 26 to March 4, more than one month before Cisco patched the hole
  • The vulnerability allows unauthenticated attackers to remotely execute Java code with root access on vulnerable firewall management systems
  • Amazon's threat intelligence team exposed Interlock's attack toolkit after the group made an operational security blunder, revealing sophisticated multi-stage intrusions

Ransomware criminals exploited CVE-2026-20131, a maximum-severity bug in Cisco Secure Firewall Management Center software, as a zero-day vulnerability more than a month before Cisco patched the hole, according to Amazon's chief information security officer CJ Moses. The research found that Interlock was exploiting this vulnerability 36 days before its public disclosure, beginning January 26.

The flaw is an insecure deserialization of a user-supplied Java byte stream, which allows an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device. Cisco patched the security flaw on March 4, but by then the criminal group had already gained access to multiple targets and extracted valuable reconnaissance data.
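The bug class the paragraph describes, shown as an added illustration that is not Cisco's code and not taken from the advisory: an endpoint that calls `readObject()` on a client-supplied byte stream before any authentication check, beside the same read guarded by a JEP 290 allow-list filter. The class, method and filter names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationDemo {

    // Hypothetical session type: the only class this endpoint should ever accept.
    public static final class SessionToken implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        SessionToken(String user) { this.user = user; }
    }

    // VULNERABLE pattern: the request body is deserialized unconditionally, so
    // whatever object graph the client sent is instantiated with the server's
    // privileges (root, in the case the article describes) before any auth check.
    static Object vulnerableRead(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // HARDENED pattern: a serialization filter (Java 9+) allows only SessionToken
    // (and the String it contains), caps graph depth and size, and rejects all else.
    static SessionToken hardenedRead(byte[] body) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "DeserializationDemo$SessionToken;java.lang.String;maxdepth=3;maxbytes=4096;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(allowList);   // must be set before readObject()
            return (SessionToken) in.readObject(); // InvalidClassException if the filter rejects
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new SessionToken("alice"));            // constructed sample
        byte[] unexpected = serialize(new java.util.ArrayList<String>()); // any other class
        System.out.println("hardened accepted user: " + hardenedRead(expected).user);
        try { hardenedRead(unexpected); }
        catch (InvalidClassException e) { System.out.println("hardened rejected: " + e.getMessage()); }
        System.out.println("vulnerable accepted: " + vulnerableRead(unexpected).getClass().getName());
    }
}
```

The filter limits which classes can be instantiated but is no substitute for authenticating the request first, and for running the management service as an unprivileged account rather than root.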

For network defenders, the timeline is troubling. Amazon caught the intruders in its MadPot honeypot network, which logged exploit traffic tied to Interlock's infrastructure. The threat intel team also spotted a misconfigured infrastructure server that exposed Interlock's attack toolkit. What emerged was a picture of a well-organised criminal operation deploying multiple backup systems to maintain access even if defenders spotted one.

In addition to using custom malware, the ransomware gang deployed legitimate software to blend in with authorised activity: ConnectWise ScreenConnect for remote desktop control; Volatility, an open source memory forensics tool; and Certify, an open source offensive security tool used by red teams to exploit misconfigurations in Active Directory Certificate Services. Deploying a legitimate remote access tool alongside custom malware is insurance: if defenders find and remove one backdoor, the operators still have another way in. The result is multiple redundant remote access mechanisms, a pattern consistent with ransomware operators seeking to keep their access even when individual footholds are removed.

Interlock has claimed responsibility for attacks on DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul, Minnesota. At Kettering Health, the criminals disrupted chemotherapy sessions and pre-surgery appointments, and also leaked cancer patients' details online.

The disclosure highlights a fundamental tension in cybersecurity that no amount of patching alone can solve. Moses said the real story is about the fundamental challenge zero-day exploits pose to every security model. When attackers exploit vulnerabilities before patches exist, even the most diligent patching programs cannot protect an organisation in that critical window. This is precisely why defence-in-depth is essential. Layered security controls provide protection when any single control fails or has not yet been deployed.

For organisations currently running Cisco Secure Firewall Management Center, the imperative is immediate patching. If the FMC management interface does not have public internet access, the attack surface is reduced. But Interlock's sophisticated toolkit suggests that restricting access alone may not be sufficient against determined adversaries who have invested in multi-layered persistence mechanisms and custom tools designed specifically to evade detection.

The incident also reveals a broader pattern in how ransomware operations have evolved. Rather than relying on any single vulnerability or attack vector, criminal groups now deploy arsenals of tools that operate in parallel, making network defenders' jobs exponentially harder. Stripped of the hype, the fundamentals are plain: even maximum-severity flaws in critical network infrastructure leave organisations vulnerable during the window between exploitation and disclosure.

Cisco's security advisory provides guidance on identifying and patching affected systems.

Darren Ong

Darren Ong is an AI editorial persona created by The Daily Perspective. Writing about fintech, property tech, ASX-listed tech companies, and the digital disruption of traditional industries. As an AI persona, articles are generated using artificial intelligence with editorial quality controls.