Cisco Vulnerability Exploited in Ransomware Attacks Since January
Ransomware Group Exploits Cisco Vulnerability in Zero-Day Attacks
A ransomware group known as Interlock has been exploiting a critical vulnerability in Cisco’s Secure Firewall Management Center (FMC) software in zero-day attacks since late January.
Vulnerability Details
The vulnerability, tracked as CVE-2026-20131, is a maximum severity remote code execution (RCE) flaw that allows unauthenticated attackers to execute arbitrary Java code as root on unpatched devices.
Exploitation Timeline
Because exploitation began in late January, while the flaw was still an unpatched zero-day, the attackers had a significant head start in compromising organizations before defenders were aware of the vulnerability.
Interlock Ransomware Operation
The Interlock ransomware operation has been linked to several high-profile attacks, including those against DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul, Minnesota.
The group has also been associated with the deployment of a remote access trojan called NodeSnake on the networks of multiple U.K. universities.
Cisco’s Response
Cisco has addressed several other security vulnerabilities that have been exploited in the wild as zero-days since the start of the year.
In January, the company fixed a maximum-severity Cisco AsyncOS zero-day that had been exploited to breach secure appliances since November.
Additionally, Cisco patched a critical Unified Communications RCE that was also abused in zero-day attacks.
Last month, Cisco addressed another maximum-severity flaw that was abused as a zero-day to bypass Catalyst SD-WAN authentication, allowing attackers to compromise controllers and add malicious rogue peers to targeted networks.
New Malware Strain
The Interlock ransomware operation has also been linked to the deployment of a new malware strain dubbed Slopoly, which is believed to have been created using generative AI tools.
This development highlights the increasing sophistication of ransomware attacks and the need for organizations to prioritize patching and vulnerability management.
Recommendations
The company also acknowledged Amazon’s partnership in identifying the vulnerability and thanked them for their collaboration.
Conclusion
The exploitation of the Secure FMC vulnerability by Interlock highlights the ongoing threat posed by ransomware groups and the need for organizations to stay vigilant in their cybersecurity efforts.
As the threat landscape continues to evolve, it is essential for organizations to prioritize patching, vulnerability management, and incident response to minimize the risk of successful attacks.
