
Interlock ransomware weaponizes Cisco FMC zero-day in pre-patch campaign
Interlock has exploited a maximum-severity remote code execution zero-day in Cisco Secure Firewall Management Center (CVE-2026-20131) since January 26, 2026, gaining unauthenticated root access on unpatched devices. Cisco issued a patch on March 4, and Amazon’s threat intelligence says the attacks ran for about 36 days before disclosure. The group has a history of high-profile attacks (including the NodeSnake attacks on UK universities), and researchers note a new malware strain, Slopoly, associated with the operation.