Interlock Ransomware Targets Cisco Enterprise Firewalls

The ransomware gang, known for double-extortion attacks, had access to a critical Cisco firewall vulnerability weeks before it was publicly disclosed.

Alexander Culafi, Senior News Writer, Dark Reading
March 20, 2026

Threat actors had access to a critical zero-day several weeks before it was patched and publicly disclosed.

An Interlock ransomware campaign is targeting Cisco firewalls, according to an advisory recently shared by Amazon Web Services (AWS).

Specifically, this campaign leverages CVE-2026-20131, a critical vulnerability (CVSS 10) in the Web-based management interface of Cisco's Secure Firewall Management Center (FMC) Software; if exploited, it can allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an impacted device.

Cisco disclosed the vulnerability on March 4, and said in an advisory at the time that it was caused by "insecure deserialization of a user-supplied Java byte stream." The attacker would send a crafted serialized Java object to a vulnerable device's Web-based management interface.

CVE-2026-20131 impacts all unpatched versions of Cisco Secure FMC Software and Cisco Security Cloud Control (SCC). The latter is a software-as-a-service (SaaS) product and is upgraded without user action, but FMC users should immediately upgrade to a fixed release. Cisco also said that its Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software are unaffected by the vulnerability. Customers can use the Cisco Software Checker to assess their exposure level.
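Cisco's advisory attributes the flaw to insecure deserialization of a user-supplied Java byte stream. The following example is added to this page to show that root-cause pattern in miniature; it is not code from Cisco, Amazon or Dark Reading and says nothing about how FMC is actually implemented. It puts an endpoint that calls readObject() on bytes it received beside the same endpoint guarded by a JEP 290 deserialization filter (Java 9 and later). The classes ConfigRequest and Unexpected, the filter pattern and the sample payloads are all constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationFilterDemo {

    // Constructed message type: the only class this hypothetical endpoint should accept.
    public static final class ConfigRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        ConfigRequest(String name) { this.name = name; }
    }

    // Constructed stand-in for any class the endpoint never expects to see in a request.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final int value = 42;
    }

    // Helper used only to build the sample byte streams for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: readObject() on a user-supplied byte stream with no filter,
    // so the stream, not the application, decides which classes get instantiated.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: an allowlist filter. Only ConfigRequest and java.lang.String are
    // accepted, "!*" rejects every other class, and the limit patterns bound graph depth
    // and object count. The check runs before any object of a rejected class is created.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        String pattern = "maxdepth=3;maxrefs=50;"
                + ConfigRequest.class.getName() + ";java.lang.String;!*";
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new ConfigRequest("rule-update"));
        byte[] unexpected = serialize(new Unexpected());

        // Both readers accept the intended type.
        System.out.println("unfiltered, expected class:   "
                + readUnfiltered(expected).getClass().getSimpleName());
        System.out.println("filtered,   expected class:   "
                + readFiltered(expected).getClass().getSimpleName());

        // The unfiltered reader instantiates whatever class the stream names.
        System.out.println("unfiltered, unexpected class: "
                + readUnfiltered(unexpected).getClass().getSimpleName());

        // The filtered reader rejects it with InvalidClassException ("filter status: REJECTED").
        try {
            readFiltered(unexpected);
            System.out.println("filtered,   unexpected class: accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered,   unexpected class: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with javac and java on JDK 9 or newer. The per-stream filter is the precise control; the same pattern syntax can also be applied process-wide through the jdk.serialFilter system property, which is the kind of layered control the defense-in-depth point later in the article argues for when a patch is not yet available.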
CJ Moses, chief information security officer (CISO) of Amazon Integrated Security, published a blog post on March 18 detailing how the Interlock ransomware gang is exploiting the vulnerability to target at-risk organizations. Interlock is a financially motivated ransomware actor known for double-extortion attacks (encryption plus data theft).

Following Cisco's disclosure, Amazon researchers determined that Interlock exploited CVE-2026-20131 as far back as Jan. 26, making it a zero-day flaw. Through its research, which included the use of honeypots, Amazon discovered a misconfigured infrastructure server that "exposed Interlock's complete operational toolkit."

"This rare mistake provided Amazon's security teams with visibility into the ransomware group's multi-stage attack chain, custom remote-access Trojans (backdoor programs that give attackers control of compromised systems), reconnaissance scripts (automated tools for mapping victim networks), and evasion techniques," Moses wrote.

A Look Under Interlock Ransomware's Hood

Once Interlock gains initial access — in this case through exploiting the firewall software bug — the attackers use a series of tools, such as a PowerShell script, to enumerate the Windows environment and collect basic data before creating a directory on the attacker's end with the collected data belonging to each compromised computer.

The Interlock attacker then deploys a remote-access Trojan (RAT) to gain complete access to a compromised device and to establish command and control (C2). Amazon detected an effort from Interlock to include JavaScript and Java-based backdoors, which Moses noted would ensure "they maintain access even if defenders detect one version."
Other discovered tools included a disposable relay network (in this case a Bash script) so the attacker could hide their true location, a memory-resident backdoor that avoids antivirus detection, connectivity verification tooling, and deployment of legitimate remote-access tools to ensure Interlock would still have a way in if the other backdoors were found.

Fancy attacker tooling is nothing new, but Moses noted that the real danger in this case is this tooling combined with possession of a critical zero-day.

"The real story here isn't just about one vulnerability or one ransomware group — it's about the fundamental challenge zero-day exploits pose to every security model. When attackers exploit vulnerabilities before patches exist, even the most diligent patching programs can't protect you in that critical window," he wrote. "This is precisely why defense in depth is essential — layered security controls provide protection when any single control fails or hasn't yet been deployed."

Amazon's blog post includes indicators of compromise as well as additional detection recommendations.

Why Are Firewalls Like This?

Unfortunately, critical vulnerabilities in firewall products from vendors like Cisco, Ivanti, SonicWall, and Fortinet are a dime a dozen. Recorded Future's H1 2025 Malware and Vulnerability Trends report found that edge security and gateway devices (such as firewalls and VPNs) accounted for 17% of vulnerabilities exploited by threat actors during the first half of last year.

As for why, Vincenzo Iozzo, CEO and cofounder at identity vendor SlashID, tells Dark Reading that firewalls are appealing in part because they are Internet-facing and, therefore, generally easily accessible. They also tend to run proprietary software historically "riddled with vulnerabilities" and lacking detection capabilities.
Firewalls also "tend to be useful as a pivot point for attackers that want to move laterally into a victim's network."

Similarly, Jeff Liford, associate director at cyber disaster recovery firm Fenix24, explains that the firewall industry has experienced "substantial security pressure over the past year," and most major vendors have had to patch multiple critical flaws during this period.

"In our incident response work throughout 2025, we saw firewall compromise act as the initial entry point in a significant number of ransomware cases," he says. "These devices are often mission-critical. However, they are sometimes under-maintained, making them attractive targets."

Cisco did not respond to Dark Reading's request for comment.