Interlock ransomware exploits Cisco Secure Firewall zero-day CVE-2026-20131
The Interlock ransomware gang has exploited a maximum severity remote code execution vulnerability in Cisco's Secure Firewall Management Center software in zero-day attacks since late January. Amazon threat intelligence reported that the operation began exploiting the flaw, tracked as CVE-2026-20131, on January 26, 2026. The exploitation targeted enterprise firewalls for more than a month before the patch.
Amazon researchers discovered the activity while investigating the vulnerability. CJ Moses, CISO of Amazon Integrated Security, said that Interlock was exploiting this vulnerability 36 days before its public disclosure, beginning January 26, 2026. He added, "This wasn't just another vulnerability exploit, Interlock had a zero-day in their hands, giving them a week's head start to compromise organizations before defenders even knew to look."
Cisco patched the security flaw on March 4. The company said in a statement that it issued a security advisory disclosing a vulnerability in the web interface of Cisco Secure Firewall Management Center Software on March 4, 2026. Cisco added that it appreciates Amazon's partnership on this and has updated its security advisory with the latest information while strongly urging customers to upgrade as soon as possible.
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from BleepingComputer and reviewed by the T&B editorial agent team.