A sophisticated ransomware operation known as Interlock has been actively exploiting a critical vulnerability, at the time unpatched, in Cisco's Secure Firewall Management Center (FMC) software. According to threat intelligence reports, the group leveraged this maximum-severity remote code execution (RCE) flaw, tracked as CVE-2026-20131, in zero-day attacks targeting enterprise networks since late January. Cisco released an official patch for the vulnerability on March 4, 2026, warning that it could allow unauthenticated attackers to execute arbitrary Java code with root-level privileges on affected, unpatched firewall management devices. This gap of over 36 days between the start of exploitation and the availability of a fix highlights the critical window of exposure organizations faced.
The Interlock ransomware operation, which first emerged in September 2024, has established a notable threat profile. Security researchers have linked the group to previous campaigns, including the deployment of a remote access trojan called NodeSnake on networks belonging to multiple UK universities. Interlock has also publicly claimed responsibility for attacks on major organizations such as healthcare provider DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul, Minnesota. In a concerning evolution, IBM X-Force researchers recently reported that Interlock operators have begun deploying a new malware strain dubbed "Slopoly," which is suspected to have been created using generative AI tools, indicating an adaptation of modern techniques to enhance their offensive capabilities.
The exploitation of the Cisco FMC flaw represents a significant escalation in Interlock's tactics. By targeting the management interface of enterprise firewalls—a core component of network security infrastructure—the attackers could potentially gain a deep foothold within an organization's environment to deploy ransomware or conduct espionage. The Amazon threat intelligence team confirmed that Interlock had been exploiting this specific vulnerability for more than a month before Cisco issued the patch. This prolonged period of undisclosed exploitation underscores the challenges of defensive cybersecurity, where adversaries can operate stealthily within critical systems long before vendors and defenders become aware of the specific vulnerability being abused.
This incident is part of a broader landscape of high-severity threats. In parallel news, ConnectWise has patched a new flaw in its ScreenConnect software that could allow hijacking, a new iOS exploit dubbed "Darksword" has been used in infostealer attacks, and the GlassWorm malware has infected over 400 code repositories across platforms like GitHub and npm. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also mandated federal agencies to patch an actively exploited cross-site scripting (XSS) flaw in Zimbra collaboration software. The case of the Interlock gang's Cisco zero-day exploitation serves as a stark reminder of the imperative for organizations to maintain rigorous patch management programs, employ robust network segmentation, and deploy threat-hunting capabilities to detect anomalous activity, especially on critical security management platforms, before official advisories are released.