Cisco Zero-Day Exploited in Ransomware Attacks Since January

▼ Summary
– The Interlock ransomware gang exploited a critical, unpatched vulnerability (CVE-2026-20131) in Cisco’s Secure Firewall Management Center for over a month in zero-day attacks starting January 26, 2026.
– Cisco patched this flaw on March 4, 2026, warning it could allow unauthenticated attackers to remotely execute code as root on affected devices.
– Interlock, a ransomware operation active since late 2024, has previously targeted U.K. universities and claimed attacks on major organizations like DaVita and the city of Saint Paul.
– Researchers report Interlock has used a new AI-generated malware strain called Slopoly and previously deployed remote access trojans like NodeSnake.
– This incident is part of a pattern where Cisco has addressed multiple other maximum-severity zero-day vulnerabilities exploited in the wild since the start of the year.
A critical vulnerability in Cisco's Secure Firewall Management Center (FMC) software was exploited as a zero-day well before a fix existed. The Interlock ransomware group had been using the flaw in attacks since late January, while Cisco did not release a patch until early March. That window of more than a month gave the attackers a substantial head start: any FMC instance reachable by them during that period could have been compromised with no patch available to defenders.
Security researchers from Amazon identified the malicious activity, noting that the exploitation began on January 26th. The vulnerability, tracked as CVE-2026-20131, is a maximum-severity remote code execution flaw. It enables unauthenticated attackers to run arbitrary Java code with root-level privileges on affected, unpatched firewall management devices. This level of access provides a powerful foothold within a network.
The Interlock operation, which first appeared in September 2024, has been linked to several high-profile incidents. Its campaigns have targeted multiple U.K. universities, deploying a remote access trojan known as NodeSnake. The group has also publicly claimed attacks on major organizations including healthcare provider DaVita, Kettering Health, the Texas Tech University System, and the city government of Saint Paul, Minnesota. More recently, IBM X-Force analysts reported that Interlock has begun using a new malware strain called Slopoly, which appears to have been created with the assistance of generative AI tools.
Cisco addressed the vulnerability with an urgent security advisory on March 4th, strongly urging all customers to apply the available updates immediately. The company acknowledged the collaboration with Amazon’s threat intelligence team and updated its advisory with the latest findings. A Cisco representative emphasized the critical nature of the patch, stating that upgrading affected systems is the paramount defensive action.
This incident is part of a concerning trend for the networking giant. Since the beginning of the year, Cisco has been forced to patch multiple other zero-day vulnerabilities that were being actively exploited in the wild. These include a critical flaw in Cisco AsyncOS software used to breach secure email appliances and a separate remote code execution vulnerability in Unified Communications products. Just last month, the company addressed another maximum-severity issue that allowed attackers to bypass authentication on Catalyst SD-WAN controllers and inject malicious components into networks.
The prolonged exploitation period of the Secure FMC flaw underscores a persistent challenge in cybersecurity: the gap between when a vulnerability is discovered by threat actors and when a fix becomes available to defenders. Organizations running this Cisco software should verify their patch status without delay, but patching alone is not sufficient here. Because exploitation began more than a month before the advisory, an FMC deployment that was exposed during that window may already have been compromised, and applying the update does not remove an attacker who gained root on the device earlier. Such organizations should also review the device for unexpected accounts, processes, or configuration changes, and monitor network traffic for anomalous activity that may indicate a prior intrusion.
(Source: BleepingComputer)
