Interlock ransomware gang exploits Cisco firewall zero-day in targeted attacks

The Interlock ransomware group has been actively exploiting a critical vulnerability in Cisco Secure Firewall Management Center (FMC), according to new findings from Amazon threat intelligence researchers.

Interlock, which first emerged in September 2024, has previously been linked to campaigns involving the NodeSnake malware and attacks against academic institutions in the United Kingdom. The gang is focused on industries where operational disruption is most likely to force victims into paying. The education sector accounts for the largest portion of the activity, followed by engineering, architecture, and construction firms, as well as manufacturing and industrial organizations, healthcare providers, and government and public sector institutions.

The flaw, tracked as CVE-2026-20131, is a remote code execution (RCE) vulnerability that allows unauthenticated, remote attackers to execute arbitrary Java code with root privileges on affected devices. Cisco released a patch for the issue on March 4. At the time, Cisco said there was no evidence that the flaw had been exploited by threat actors.

Now, Amazon researchers say that Interlock had been abusing the flaw as a zero-day issue in real-world attacks as early as January 26. The attacks reportedly targeted enterprise firewall systems.

“Observed activity involved HTTP requests to a specific path in the affected software,” the report says. “Request bodies contained Java code execution attempts and two embedded URLs: one used to deliver configuration data supporting the exploit, and another designed to confirm successful exploitation by causing a vulnerable target to perform an HTTP PUT request and upload a generated file. Multiple variations of these URLs were observed across different exploit attempts.”
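The pattern Amazon describes gives defenders two things to look for: an inbound request to the FMC web interface whose body carries Java code and two embedded URLs, and, if the exploit succeeds, an outbound HTTP PUT from the appliance to attacker infrastructure. The following triage script is an added example, not code from Amazon, Cisco or Interlock; it runs over constructed JSON-lines access and egress logs, and the log schema, field names, the Java-execution indicator strings, the placeholder path and the IP addresses are all assumptions. The report does not name the vulnerable path, so it is not hard-coded; narrow the search with the `mgmt_paths` argument if you know the endpoints in your deployment.

```python
"""Heuristic triage for the CVE-2026-20131 exploitation pattern described
by Amazon: inbound requests with Java code plus two embedded URLs in the
body, then an outbound HTTP PUT from the FMC appliance.

Added illustration, not vendor or researcher tooling. Log format, field
names, indicator regexes, paths and addresses below are assumptions.
"""
import json
import re
from ipaddress import ip_address, ip_network

# Any http(s) URL embedded in a request body (staging URL, callback URL).
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Assumed indicators of a Java code-execution attempt; tune to your data.
JAVA_EXEC_RE = re.compile(
    r"(java\.lang\.Runtime|getRuntime\(\)|ProcessBuilder|javax\.script|"
    r"java\.lang\.reflect|Class\.forName)")
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(host):
    """True for RFC 1918 addresses; hostnames are treated as external."""
    try:
        return any(ip_address(host) in n for n in INTERNAL_NETS)
    except ValueError:
        return False


def triage_inbound(access_lines, mgmt_paths=None):
    """Flag requests whose body has Java-execution indicators and at least
    two embedded URLs. mgmt_paths optionally restricts to path prefixes."""
    hits = []
    for line in access_lines:
        rec = json.loads(line)
        if mgmt_paths and not any(rec["path"].startswith(p) for p in mgmt_paths):
            continue
        body = rec.get("body", "")
        urls = URL_RE.findall(body)
        if JAVA_EXEC_RE.search(body) and len(urls) >= 2:
            hits.append({"ts": rec["ts"], "src": rec["src"],
                         "path": rec["path"], "urls": urls})
    return hits


def triage_egress(egress_lines, appliance_ips):
    """Flag HTTP PUT from the appliance to a non-internal host: the
    exploitation-confirmation upload the report describes."""
    hits = []
    for line in egress_lines:
        rec = json.loads(line)
        if (rec["src"] in appliance_ips and rec["method"] == "PUT"
                and not is_internal(rec["dst_host"])):
            hits.append({"ts": rec["ts"], "dst": rec["dst_host"],
                         "uri": rec["uri"]})
    return hits


# Constructed sample logs (documentation address ranges; "/assumed/endpoint"
# is a placeholder, the real path is not named in the public report).
ACCESS_LOG = [
    '{"ts":"2026-01-26T03:14:07Z","src":"203.0.113.7","method":"POST",'
    '"path":"/assumed/endpoint","body":"java.lang.Runtime.getRuntime().exec(cmd)'
    ' http://198.51.100.20/cfg http://198.51.100.20/put"}',
    '{"ts":"2026-01-26T03:15:00Z","src":"10.20.0.44","method":"POST",'
    '"path":"/login","body":"username=admin&password=redacted"}',
    '{"ts":"2026-01-26T03:16:30Z","src":"10.20.0.44","method":"POST",'
    '"path":"/assumed/endpoint","body":"note=see http://10.20.0.9/wiki"}',
]
EGRESS_LOG = [
    '{"ts":"2026-01-26T03:14:09Z","src":"10.20.0.5","method":"PUT",'
    '"dst_host":"198.51.100.20","uri":"/put/4f2a"}',
    '{"ts":"2026-01-26T03:20:00Z","src":"10.20.0.5","method":"GET",'
    '"dst_host":"10.20.0.9","uri":"/updates"}',
    '{"ts":"2026-01-26T03:21:00Z","src":"10.20.0.5","method":"PUT",'
    '"dst_host":"10.20.0.50","uri":"/backup/fmc.tgz"}',
]
FMC_IPS = {"10.20.0.5"}


def run_demo():
    """Run both checks over the constructed logs and return the findings."""
    return triage_inbound(ACCESS_LOG), triage_egress(EGRESS_LOG, FMC_IPS)


if __name__ == "__main__":
    inbound, egress = run_demo()
    print("inbound hits:", json.dumps(inbound, indent=1))
    print("egress hits:", json.dumps(egress, indent=1))
```

The egress check is the more reliable of the two, since an FMC appliance has little reason to PUT files to arbitrary external hosts regardless of which request path an exploit uses; pair it with the inbound check to recover the source address and the staging and callback URLs for blocking. Given that exploitation predates the patch by more than five weeks, running these checks over historical logs back to late January is worthwhile even on patched systems.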

Amazon said it had shared its findings with Cisco to help in its investigation and customer protection efforts, though Cisco has not yet officially flagged the flaw as actively exploited.