Ransomware crims abused Cisco 0-day weeks before disclosure • The Register
https://www.theregister.com/2026/03/18/amazon_cisco_firewall_0_day_ransomware/
Publish Date: 2026-03-18 13:40:00
Source Domain: www.theregister.com
Ransomware criminals exploited CVE-2026-20131, a maximum-severity bug in Cisco Secure Firewall Management Center software, as a zero-day vulnerability more than a month before Cisco patched the hole, according to Amazon security boss CJ Moses.
The critical security flaw allows an unauthenticated, remote attacker to execute arbitrary Java code as root on vulnerable devices. Cisco released software updates that fix the vulnerability on March 4 – but the attackers had a head start.
“Our research found that Interlock was exploiting this vulnerability 36 days before its public disclosure, beginning January 26,” Moses, the chief information security officer of Amazon Integrated Security, said on Wednesday.
A Cisco spokesperson told The Register that it will update its security advisory to reflect the exploitation.
“We appreciate Amazon’s partnership on this, and we have updated our security advisory with the latest information,” the spokesperson said. “We strongly urge customers to upgrade as soon as possible and reference our security advisory for more details and guidance.”
Ransomware crims are among those abusing this critical flaw, according to the US Cybersecurity and Infrastructure Agency. Late Wednesday, CISA added CVE-2026-20131 to its Known Exploited Vulnerability catalog, said it’s known to be used in ransomware infections, and gave federal agencies three days to patch.
Interlock is a ransomware crew that emerged in 2025, and has since infected hospitals and medical facilities – including kidney dialysis firm Davita and Kettering Health, where the criminals not only disrupted chemotherapy sessions and pre-surgery appointments, but also leaked cancer patients’ details online.
This criminal group also claimed to have stolen 43 GB of files from the city of Saint Paul over the summer, forcing the…