NEWS: CVSS 10.0, root without authentication and a six-week head start for ransomware operators. Amazon accidentally found Interlock's entire toolkit

pinkman

The firewall management system was hit, and the attackers got a head start of more than a month.

The Cisco administrative panel through which companies operate their firewalls turned out to be a convenient entry point for ransomware. Amazon Threat Intelligence reported that the Interlock group has been exploiting the critical vulnerability CVE-2026-20131 in Cisco Secure Firewall Management Center since at least January 26, 2026, while Cisco disclosed the problem only on March 4. Defenders got a troubling example of a real zero-day: the attackers were already working against their targets while no fix and no public warning yet existed.

CVE-2026-20131 received the maximum CVSS (Common Vulnerability Scoring System) score, 10.0. The vulnerability sits in the FMC (Firewall Management Center) and stems from insecure deserialization of user-supplied Java object streams. Cisco and NVD (National Vulnerability Database) describe the scenario as follows: an unauthenticated remote attacker can send a specially crafted serialized object, execute arbitrary Java code on the device and obtain root privileges. If the management interface is not exposed to the Internet, the attack surface shrinks, but the problem does not go away.

Amazon came across the campaign through its MadPot honeypot network and then got a rare stroke of luck for the investigation: one of Interlock's servers turned out to be misconfigured and exposed almost the group's entire working toolset. The researchers saw a multi-stage attack chain, reconnaissance scripts, malicious ELF (Executable and Linkable Format) Linux executables, remote-access trojans written in JavaScript and Java, and a memory-resident web shell that writes no files to disk. Such a bundle points not to an opportunistic criminal attack but to a well-established operation with backup access channels and preparation for long-term persistence inside the network.

Interlock tried not only to penetrate infrastructure but also to confuse the investigation. According to Amazon, the attackers stood up intermediate Linux nodes running HAProxy to hide the source of their traffic and truncated logs every five minutes. Amazon names education, engineering and construction companies, industry, healthcare and the public sector as the main targets. On March 19, 2026, CISA (the US Cybersecurity and Infrastructure Security Agency) added CVE-2026-20131 to its KEV (Known Exploited Vulnerabilities) catalog, a step that usually means one thing: patching can no longer be put off for several more days.