They Had 36 Days. Cisco Had Zero.
- Patrick Duggan
- Mar 20
- 3 min read
How Interlock Ransomware Owned Enterprise Firewalls Before Anyone Knew
January 26, 2026. A ransomware gang called Interlock starts exploiting a vulnerability in Cisco Secure Firewall Management Center. CVSS score: 10.0. The maximum. Unauthenticated. Remote. Root access.
Cisco doesn't know yet.
Their customers don't know yet.
For 36 days, every Cisco FMC instance facing the internet is a door with no lock.
What CVE-2026-20131 Actually Does
Insecure deserialization of user-supplied Java byte streams. In English: you send Cisco's firewall management console a crafted HTTP request, and it runs your code as root. No credentials needed. No user interaction. Just a URL and some malicious Java.
The attack chain, captured by Amazon's MadPot honeypot network:
1. Crafted HTTP request hits a specific FMC path
2. Arbitrary Java code executes as root
3. Compromised system phones home — HTTP PUT to an external server confirming the kill
4. ELF binary fetched from a remote server
5. Ransomware deployment begins
From first contact to root: one request.
Who Is Interlock?
First observed September 2024. No affiliates, no RaaS model — they work alone. That makes them harder to track and harder to disrupt.
Their target list reads like critical infrastructure bingo:
- DaVita (April 2025) — 1.5 TB exfiltrated, 200,000+ kidney dialysis patients affected
- City of St. Paul, Minnesota (July 2025) — municipal systems encrypted
- Healthcare and public health — their preferred sector, per FBI/CISA joint advisory AA25-203A
They use double extortion: encrypt your systems, threaten to leak your data. Pay in Bitcoin or get published on their TOR portal.
CISA and the FBI issued a joint #StopRansomware advisory in July 2025. Interlock upgraded their malware anyway. Made it more resistant to detection.
Now they have a perfect 10 zero-day on enterprise firewalls.
The Timeline That Should Make You Angry
| Date | What Happened |
| --- | --- |
| Jan 26, 2026 | Interlock begins exploiting CVE-2026-20131 in the wild |
| Feb — early Mar | 36 days of undetected exploitation |
| Mar 4, 2026 | Cisco publicly discloses and patches the vulnerability |
| Mar 20, 2026 | Amazon publishes IOCs. The world finds out how bad it was. |
Thirty-six days. Five weeks. For a CVSS 10.0 vulnerability in the product that's supposed to manage your firewall security.
The irony writes itself: the tool you use to secure your firewalls was the way in.
The Minnesota Connection
This one's personal. Interlock claimed the City of St. Paul attack in August 2025. St. Paul is 10 miles from our office.
When a ransomware gang that already hit your neighbor gets a zero-day on enterprise firewall management — you don't wait for the advisory. You block now.
What To Do Right Now
1. Patch immediately. Cisco released fixes on March 4. If you haven't patched in 16 days, assume compromise.
2. Hunt for signs of compromise. Look for:
   - Unexpected HTTP PUT requests from FMC instances to external servers
   - ELF binary downloads on FMC hosts
   - Java deserialization artifacts in FMC logs
   - ConnectWise ScreenConnect installations you didn't authorize (Interlock's preferred remote access tool)
3. Check our STIX feed. CVE-2026-20131 and associated Interlock IOCs are already in the DugganUSA threat intelligence feed. If you're consuming our STIX/TAXII endpoint, you're already protected. If you're not — register here.
4. Block the infrastructure. Interlock operates in the UTC+3 timezone. Their C2 infrastructure shifts, but the behavioral pattern doesn't. Our feed tracks it.
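As an added example (not code from the original post, and not DugganUSA's feed logic), here is a small Python hunt over constructed egress-proxy log lines that flags the first two indicators listed above: HTTP PUTs from FMC hosts to external addresses, and responses to FMC hosts whose body begins with the ELF magic bytes. The log line format, the FMC host list and the use of RFC 1918 ranges as "internal" are assumptions; adapt them to your own proxy schema and address plan.

```python
import ipaddress
import re

# Constructed sample of egress-proxy log lines (assumed format):
# <timestamp> <src_ip> <method> <url> <status> <first 4 response bytes as hex>
SAMPLE_LOG = """\
2026-03-05T10:01:12Z 10.20.0.5 GET https://tools.cisco.com/su/ 200 3c21444f
2026-03-05T10:02:40Z 10.20.0.5 PUT http://203.0.113.7/r/host-ok 200 4f4b0a00
2026-03-05T10:03:01Z 10.20.0.5 GET http://203.0.113.7/x/payload.bin 200 7f454c46
2026-03-05T10:04:15Z 10.20.0.9 PUT http://10.20.0.50/backup/blob 201 00000000
2026-03-05T10:05:22Z 10.20.0.77 GET https://example.com/ 200 3c68746d
"""

# Addresses of your FMC instances (constructed here; source from your CMDB).
FMC_HOSTS = {"10.20.0.5"}

# "Internal" means RFC 1918 for this example; extend with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) ([0-9a-f]{8})$")
ELF_MAGIC = "7f454c46"  # bytes \x7fELF at the start of every ELF binary


def is_external(host):
    """True unless the host is an IP inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname rather than an IP: treat as external when hunting
    return not any(ip in net for net in INTERNAL_NETS)


def url_host(url):
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1) if m else url


def hunt(lines, fmc_hosts=FMC_HOSTS):
    """Return (timestamp, src_ip, rule) for each line matching a hunt rule."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash mid-hunt
        ts, src, method, url, _status, magic = m.groups()
        if src not in fmc_hosts:
            continue  # only FMC-originated traffic is in scope
        if method == "PUT" and is_external(url_host(url)):
            hits.append((ts, src, "fmc_put_to_external"))
        if magic.lower() == ELF_MAGIC:
            hits.append((ts, src, "fmc_elf_download"))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(*hit)
```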
The Bigger Picture
This is the third major "security tool turned attack vector" story this year. First it was the CrowdStrike impersonation by Handala. Then the n8n RCE (CVE-2025-68613) hitting automation platforms. Now Cisco FMC.
The pattern: attackers aren't going around your security stack anymore. They're going through it.
Your firewall manager. Your EDR. Your automation platform. The tools you trust most are the tools they target first.
We wrote about this pattern when Handala masqueraded as CrowdStrike. We wrote about it when Iran hit Stryker through their device management. The vector changes. The lesson doesn't.
The things you trust most are the things most worth compromising.
DugganUSA tracks 1,021,431 indicators of compromise across 42 indexes. Our STIX feed serves 10.9 million indicators to security teams in 24 countries. [Get the feed.](https://analytics.dugganusa.com/stix/pricing)
Category: Threat Intelligence