WAFPlanet
Security News

Interlock Ransomware Exploited Cisco Firewall Flaw for Weeks

AWS researchers reveal the Interlock ransomware group exploited a maximum-severity Cisco firewall flaw for over five weeks before Cisco disclosed the vulnerability.


The Interlock ransomware group exploited a maximum-severity flaw in Cisco's Secure Firewall Management Center for weeks before Cisco even disclosed the vulnerability. AWS researchers found honeypot evidence dating the exploitation back to January 26, over five weeks before Cisco's March 4 advisory.

How the Attack Worked

The vulnerability, tracked as CVE-2026-20131, allowed attackers to send malicious HTTP requests to the management center containing Java code and two embedded URLs. The first URL served configuration data for the exploit. The second acted as an out-of-band success signal: a successfully exploited device issued an HTTP PUT to it and uploaded a file generated on the target, telling the attacker which hosts were compromised.

AWS researchers watched their honeypot perform exactly that PUT request. Once the callback landed, the attacker's automation followed up with commands that retrieved and executed a malicious Linux executable on the honeypot. Inside the file: an Interlock ransomware note and a link to the group's darkweb negotiation panel.
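The exploit's own success callback is also the defender's best detection hook: a firewall-management host has almost no legitimate reason to initiate an HTTP PUT to an external address, let alone fetch an executable from the same place moments later. The following detector, added here as an example and not code from the article or from the AWS research, runs that two-step correlation over egress-proxy log lines. The log format, the management-host address (10.0.5.20), the internal network ranges, the correlation window and the sample log lines are all constructed assumptions for illustration.

```python
"""Correlate a management-host outbound HTTP PUT (exploit success callback)
with a follow-up download of a binary from an external host.

Added example; log format, addresses and thresholds are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed: internal addresses of management-plane hosts (e.g. the FMC).
MANAGEMENT_HOSTS = {"10.0.5.20"}

# Assumed: address space considered internal; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed: a binary fetch this soon after the callback is treated as related.
CORRELATION_WINDOW = timedelta(minutes=10)

# Content types a proxy typically records for a downloaded executable.
BINARY_CONTENT_TYPES = {"application/octet-stream", "application/x-executable",
                        "application/x-elf"}

# Constructed egress-proxy log: timestamp src method dst path content-type.
SAMPLE_LOG = """\
2026-01-26T03:14:07 10.0.5.20 GET 10.0.5.50 /api/health application/json
2026-01-26T03:15:21 10.0.5.20 PUT 198.51.100.23 /upload/3f9c.txt text/plain
2026-01-26T03:15:40 10.0.5.20 GET 198.51.100.23 /dl/agent application/octet-stream
2026-01-26T03:20:00 10.0.7.8 PUT 203.0.113.9 /backup/db.tgz application/gzip
2026-01-26T04:00:00 10.0.5.20 PUT 10.0.9.1 /syslog/archive text/plain
"""


@dataclass(frozen=True)
class EgressEvent:
    ts: datetime
    src: str
    method: str
    dst: str
    path: str
    content_type: str


def parse_line(line: str) -> EgressEvent:
    """Parse one line of the assumed whitespace-separated log format."""
    ts, src, method, dst, path, ctype = line.split()
    return EgressEvent(datetime.fromisoformat(ts), src, method.upper(),
                       dst, path, ctype.lower())


def is_external(dst: str) -> bool:
    """True when the destination lies outside INTERNAL_NETS.
    Hostnames cannot be range-checked and are treated as external."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def detect_callback_chain(lines) -> list[dict]:
    """Return one alert per management-host PUT to an external destination.

    Severity is 'high' when the same host fetches a binary from an external
    destination within CORRELATION_WINDOW of the PUT, else 'medium'."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e.ts)
    alerts = []
    for i, ev in enumerate(events):
        if not (ev.src in MANAGEMENT_HOSTS and ev.method == "PUT"
                and is_external(ev.dst)):
            continue
        alert = {"src": ev.src, "callback_ts": ev.ts.isoformat(),
                 "callback_dst": ev.dst, "payload_dst": None,
                 "payload_path": None, "severity": "medium"}
        for later in events[i + 1:]:
            if later.ts - ev.ts > CORRELATION_WINDOW:
                break
            if (later.src == ev.src and later.method == "GET"
                    and is_external(later.dst)
                    and later.content_type in BINARY_CONTENT_TYPES):
                alert.update(payload_dst=later.dst, payload_path=later.path,
                             severity="high")
                break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_callback_chain(SAMPLE_LOG.splitlines()):
        print(a)
```

The PUT from 10.0.7.8 is ignored because that host is not on the management list, and the PUT to 10.0.9.1 is ignored because the destination is internal; only the 10.0.5.20 PUT to 198.51.100.23 followed nineteen seconds later by an octet-stream download from the same address produces an alert, at severity high. A PUT with no follow-up download still alerts at medium, which is the state the honeypot was in before the attacker's automation fetched the payload.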

Interlock's Toolkit Exposed

The researchers also found a poorly secured Interlock server exposing the group's full toolkit. Unlike most ransomware operations, Interlock does not run an affiliate program: it develops and operates its own tooling across most of the kill chain.

Their toolkit included PowerShell scripts for Windows environment enumeration, Linux reverse proxy configuration scripts, custom remote access Trojans in both JavaScript and Java, and ConnectWise ScreenConnect as a backup remote access tool.

The group has focused on critical infrastructure in North America and Europe, with education as their most-targeted sector. A March 2025 attack on a South Carolina school district compromised records of 46,000 students, parents, and teachers.

WAFplanet Take

This is another reminder that network firewalls alone do not constitute a complete security posture. A WAF sitting in front of your applications would not have stopped this particular attack, which targeted management infrastructure rather than the applications behind it. Two points follow from that. First, a management center should not be reachable from the internet at all; a honeypot caught this because the management plane was exposed. Second, the exploit's success callback, an outbound HTTP PUT from the management host to an attacker-controlled address followed by a download of a Linux executable, is traffic a management host has no business generating, so egress filtering and alerting on management-plane hosts would have surfaced the compromise weeks before the advisory. The broader pattern is also clear: if you are running Cisco gear, patch cycles need to be measured in days, not weeks. Fortinet, which identified Interlock's tactics in a January analysis, has had its own share of exploitable flaws recently. The lesson is universal: no vendor gets a free pass on patching, and layered security with a proper WAF deployment remains essential for application-layer protection.