
Cisco firewall zero-day exploited by Interlock, Amazon intel shows
Context and chronology
Amazon Security Labs found forensic evidence that CVE-2026-20131 — a critical unauthenticated remote code execution flaw in Cisco firewall management software — was exploited in the wild weeks before Cisco released fixes in early March. Amazon links a cluster of intrusions to the ransomware group Interlock and dates the primary activity to late January, leaving a multi-week window between first exploitation and patch availability that materially increases breach risk for exposed management consoles.
Broader visibility and complementary telemetry
Complementary disclosures from government and vendor teams expand and complicate the operational picture: CISA and allied partners issued coordinated advisories and hunt playbooks for compromised SD‑WAN and edge appliances, while other threat telemetry describes mass automated scans and large-scale validation campaigns that affected hundreds of perimeter appliances across dozens of countries. One vendor dataset reported on the order of several hundred compromised devices over a roughly five‑week span, underscoring that the incident combined targeted intrusions with later high‑velocity, automated exploitation at scale.
Technical vector and attacker tradecraft
Amazon’s analysis shows exposed management interfaces were the failing point: unauthenticated access to the web control plane enabled arbitrary Java execution and root‑level control on affected boxes. Observed tooling included bespoke remote‑access trojans, evasive loaders and scripted exploitation modules. Other researchers also observed credential‑validation pipelines, agentic automation and credential‑stuffing activity that amplified reach and enabled rapid follow‑on compromise once initial access paths were identified.
Attribution and conflicting signals
Attribution varies across reports: Amazon maps activity to Interlock, government bulletins reference clusters tracked under codes such as UAT‑8616, and separate vendor findings have used other cluster names. These differences likely reflect partial overlap of toolsets, shared commoditized workflows, and sequential waves of activity (initial targeted exploitation followed by broader automated scans) rather than mutually exclusive actors. Analysts should therefore assume attribution ambiguity while treating the operational artifacts as actionable for containment and hunting.
Immediate defender actions
Practical mitigations remain consistent across sources: remove management consoles from direct internet exposure, apply Cisco’s published updates, enforce MFA and least‑privilege access to admin planes, and ingest Amazon’s and other vendors’ IoCs into detection stacks. Rapid evidence preservation (images, extensive logs and configuration exports), expedited hunts across VPN concentrators and firewall management hosts, and memory forensics to detect bespoke RATs are recommended. Given CISA’s coordinated guidance and the KEV‑style pressure applied across other contemporaneous incidents, organizations should compress change windows for impacted appliances and coordinate with MSSPs or national incident response teams where appropriate.
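Two of the actions above (confirming that no management plane is reachable from a routable address, and running vendor IoCs over appliance logs) are easy to automate. The script below is an added example written for this page, not code from Amazon, Cisco or CISA. It assumes an appliance inventory exported as rows of hostname, management IP and whether the web admin interface is enabled, plus syslog-style access lines; the hostnames, log lines and indicator values are all constructed placeholders, and the IoC list should be replaced with the published feeds.

```python
"""Added example: management-plane exposure check and IoC hunt over log lines.

Assumptions (not from the original reporting): inventory rows carry the
management IP and whether web administration is enabled; logs are plain
text lines. All indicator values below are placeholders, not real IoCs.
"""
import ipaddress
import re

# Address ranges acceptable for an administrative interface. Anything
# outside this allowlist is treated as internet-routable and flagged.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                  # CGNAT / shared space
    "127.0.0.0/8", "fc00::/7", "fe80::/10",           # loopback, ULA, link-local
)]

# Constructed inventory with hypothetical hostnames. TEST-NET documentation
# addresses stand in for public ones; they fall outside the allowlist.
INVENTORY = [
    {"host": "fw-mgmt-01", "mgmt_ip": "10.20.0.5",     "web_mgmt": True},
    {"host": "fw-mgmt-02", "mgmt_ip": "198.51.100.14", "web_mgmt": True},
    {"host": "fw-mgmt-03", "mgmt_ip": "203.0.113.7",   "web_mgmt": False},
    {"host": "fw-mgmt-04", "mgmt_ip": "100.64.3.9",    "web_mgmt": True},
]


def is_internal(ip: str) -> bool:
    """True if the address sits inside one of the allowlisted internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def exposed_management(inventory) -> list[str]:
    """Hosts whose web management plane is enabled on a routable address."""
    return [row["host"] for row in inventory
            if row["web_mgmt"] and not is_internal(row["mgmt_ip"])]


# Placeholder indicators grouped by type. Replace with the vendor/CISA feed.
PLACEHOLDER_IOCS = {
    "ip": ["192.0.2.44"],
    "sha256": ["0" * 64],
}

# Constructed log lines in a generic key=value style (not real appliance output).
SAMPLE_LOGS = [
    "2026-02-01T03:14:07Z fw-mgmt-02 admin-web src=192.0.2.44 user=- status=200",
    "2026-02-01T03:14:09Z fw-mgmt-02 admin-web src=10.20.0.9 user=ops status=200",
    "2026-02-01T03:15:30Z fw-mgmt-02 file-write sha256=" + "0" * 64 + " size=4096",
    "2026-02-01T04:00:00Z fw-mgmt-01 admin-web src=10.20.0.9 user=ops status=200",
]


def hunt_ioc_hits(lines, iocs) -> list[tuple[int, str, str]]:
    """Return (line_number, ioc_type, value) for every line containing an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, values in iocs.items():
            for value in values:
                # Token boundaries so 10.20.0.9 cannot match inside 10.20.0.99.
                pattern = r"(?<![\w.])" + re.escape(value) + r"(?![\w.])"
                if re.search(pattern, line):
                    hits.append((n, kind, value))
    return hits


if __name__ == "__main__":
    for host in exposed_management(INVENTORY):
        print(f"EXPOSED: web management reachable on routable address: {host}")
    for n, kind, value in hunt_ioc_hits(SAMPLE_LOGS, PLACEHOLDER_IOCS):
        print(f"IOC HIT line {n}: {kind}={value}")
```

The exposure check deliberately uses an explicit allowlist rather than a "looks public" heuristic, so a management interface on a transit or DMZ range you did not list is flagged for review instead of silently passing; the hunt function is type-agnostic and only needs the indicator list swapped for the real feed.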