The Interlock ransomware gang exploited CVE-2026-20131, a maximum-severity remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC), as a zero-day beginning January 26, 2026. The flaw allows an unauthenticated remote attacker to execute arbitrary Java code as root on unpatched devices. Cisco released a patch and advisory on March 4, after Amazon threat intelligence found that Interlock had already been exploiting the vulnerability for 36 days. Interlock, which has been linked to ClickFix, has also deployed NodeSnake and a new, likely AI-assisted strain called Slopoly, and has claimed attacks on DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul. #Interlock #CiscoSecureFMC
Keypoints
- Interlock exploited CVE-2026-20131, a maximum-severity RCE in Cisco Secure FMC, as a zero-day starting January 26, 2026.
- Cisco issued a patch and advisory on March 4 and urged customers to upgrade immediately.
- Amazon’s threat intelligence reported Interlock had a 36-day head start exploiting the vulnerability before public disclosure.
- Interlock has been linked to ClickFix and has deployed NodeSnake and a likely AI-assisted new strain called Slopoly.
- Interlock has claimed responsibility for attacks on organizations including DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul.