
AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January

AWS reveals that the Interlock ransomware group has been exploiting a critical Cisco firewall zero-day (CVE-2026-20131) since January. The CVSS 10 flaw allows unauthenticated remote code execution as root.


AWS has revealed that the Interlock ransomware group has been exploiting a critical zero-day vulnerability in Cisco Secure Firewall Management Center since January. AWS CISO CJ Moses disclosed that the group leveraged CVE-2026-20131, a remote code execution flaw with a maximum CVSS score of 10, allowing unauthenticated attackers to run arbitrary Java code as root.

Full Visibility Into the Attack Chain

A misconfigured infrastructure server on Interlock's side gave AWS security researchers rare, full visibility into the group's operational toolkit. The attack chain is fully built out: after initial access through the zero-day, the group deploys PowerShell-based reconnaissance, two custom remote access trojans written in JavaScript and Java, and a memory-resident webshell that intercepts HTTP requests entirely in memory to evade antivirus detection.

ConnectWise ScreenConnect is installed as a backup entry point in case defenders discover and close the primary access.

What Organizations Should Do

AWS recommends applying Cisco's patches immediately, reviewing logs for indicators of compromise, checking for unauthorized ScreenConnect installations, and monitoring for PowerShell scripts staging data to network shares. Cisco confirms attacks are still ongoing.
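As an added example (not from the article, AWS or Cisco), a small Python hunt over constructed log lines for two of the checks above: PowerShell script blocks that stage data to a network share, and newly installed ScreenConnect services that are not on an allow-list. The `timestamp | source | message` layout and the use of PowerShell event 4104 and System event 7045 as sources are assumptions made for this example.

```python
import re

# Constructed sample log lines (not from the article or any real incident),
# in a simplified "timestamp | source | message" layout assumed for this example.
SAMPLE_LOGS = [
    "2026-02-03T01:12:09Z | PowerShell/4104 | Get-ChildItem C:\\Users -Recurse | Select-Object Name",
    "2026-02-03T01:14:41Z | PowerShell/4104 | Compress-Archive -Path C:\\Finance\\* -DestinationPath \\\\fileserv01\\public\\backup.zip",
    "2026-02-03T01:15:02Z | PowerShell/4104 | Copy-Item C:\\HR\\payroll.xlsx -Destination \\\\10.0.5.20\\share$\\staging\\",
    "2026-02-03T01:20:17Z | System/7045 | A service was installed in the system. Service Name: ScreenConnect Client (a1b2c3d4e5f6)",
    "2026-02-03T01:21:00Z | System/7045 | A service was installed in the system. Service Name: Print Spooler Helper",
]

# Cmdlets that copy or bundle files; a UNC destination is what marks staging to a share.
STAGING_CMDLETS = re.compile(r"\b(Copy-Item|Move-Item|Compress-Archive|robocopy|xcopy)\b", re.I)
UNC_PATH = re.compile(r"\\\\[\w.$-]+\\[\w.$-]+")  # \\host\share


def parse_line(line):
    """Split one log line into its three fields; the message may itself contain '|'."""
    ts, source, msg = (part.strip() for part in line.split("|", 2))
    return {"ts": ts, "source": source, "msg": msg}


def find_share_staging(lines):
    """Return (timestamp, UNC target) for script blocks that write to a network share."""
    hits = []
    for rec in map(parse_line, lines):
        if rec["source"].startswith("PowerShell/") and STAGING_CMDLETS.search(rec["msg"]):
            m = UNC_PATH.search(rec["msg"])
            if m:
                hits.append((rec["ts"], m.group(0)))
    return hits


def find_screenconnect_installs(lines, approved=()):
    """Return (timestamp, service name) for ScreenConnect installs not on the allow-list."""
    hits = []
    for rec in map(parse_line, lines):
        if rec["source"] == "System/7045" and "screenconnect" in rec["msg"].lower():
            name = rec["msg"].split("Service Name:", 1)[1].strip()
            if name not in approved:
                hits.append((rec["ts"], name))
    return hits


if __name__ == "__main__":
    for hit in find_share_staging(SAMPLE_LOGS):
        print("staging to share:", hit)
    for hit in find_screenconnect_installs(SAMPLE_LOGS):
        print("unapproved ScreenConnect service:", hit)
```

Any real deployment would feed these functions from the SIEM or event-log export rather than the embedded sample, and keep the allow-list of sanctioned remote access tools under change control.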

The bigger picture matters here: when attackers exploit vulnerabilities before patches exist, patching alone is not enough. Defense in depth, layered security controls, and continuous threat monitoring are essential to survive the gap between exploit and patch.

WAFplanet Take

This is a textbook case of why perimeter security cannot be your only line of defense. A WAF sitting in front of your applications helps, but when the firewall management console itself is compromised, attackers are already inside your network. The Interlock group's toolkit is mature: custom RATs, memory-only webshells, and backup access through legitimate remote access tools. Organizations running Cisco FMC should treat this as a hair-on-fire priority. Patch now, hunt for compromise, and make sure your security stack does not have a single point of failure.