Features 07.04.2026

AI Autopsy: Interlock zero-day campaign exposes firewall management as Tier-0 risk

What happens when threat actors hijack critical security controls?

Carly Page explores how CISOs can mitigate the risk of zero-day attacks that quietly target network control planes

Sixty-second snapshot:

  • A recent ransomware campaign from the Interlock group centred on a zero-day vulnerability in Cisco Firewall Management Center, giving attackers access to the layer that controls network rules and visibility
  • Activity appears to stretch back to late January, with Interlock sitting inside some environments for weeks before anyone realised
  • Rather than going after endpoints, the threat actors targeted exposed management interfaces, giving them a much wider view of the network and more freedom to move around
  • For CISOs, the takeaway is to focus more on detection and response – limiting what happens post-intrusion
  • Keep management systems separate from production environments where possible, and be strict about who can access them and how
  • Question the default “always-on” setup, especially for systems that don’t need to be reachable all the time
  • Focus detection on activity like credential scraping, unusual PowerShell use, or remote tools appearing where they shouldn’t
  • Basic controls still matter, such as tighter outbound rules, shorter-lived credentials, and regular testing to see if those controls actually hold up
  • Work on the assumption that access may have happened earlier than you think, and hunt back through logs accordingly

When attackers get into your firewall, they’re not just getting past the perimeter – they’re taking control of how it works. A recent campaign from ransomware group Interlock, built around a zero-day vulnerability in enterprise firewall management systems, shows how quickly that shift can turn a defensive control into an attacker’s strongest asset.

Targeting the control plane

The campaign, tracked by Amazon Web Services, centres on the exploitation of a previously unknown vulnerability (CVE-2026-20131) affecting the Cisco Firewall Management Center (FMC). Rather than targeting endpoints or user devices, attackers went after the systems responsible for defining network policy, segmentation, and visibility – effectively the control plane of the network itself.

According to Amazon’s analysis, activity dates back to late January, with attackers maintaining access for weeks before the vulnerability was publicly identified. That early foothold gave them time to move quietly, harvest credentials, and stage further activity inside affected environments.

Denis Calderone, CTO at Suzu Labs, says the timeline alone should raise eyebrows.

“Big kudos to Amazon’s threat intelligence team on this one,” he tells Assured Intelligence. “They didn’t wait for a breach report. They traced this back to January 26 using their sensor network, more than a month before Cisco even knew about it. That’s the model for proactive threat hunting, and the industry as a whole needs more of this.”

The method of entry also matters. The attack targeted exposed management interfaces. In many environments, these are reachable from the internet or insufficiently isolated from production networks.

“This is a textbook example of why firewall management systems are tier-0 targets” Sergiu Zaharia

“The inherited trust angle is what should keep people up at night,” Calderone says. “FMC is the platform that defines your firewall policies, your logging, your visibility. Compromise that, and you don’t just get into the network, you get to decide what the network’s security rules are.”

That level of control turns a foothold into something much more powerful. Once inside the management layer, attackers can move laterally with fewer constraints, avoid detection, and shape how security tools behave.

Interlock has a track record that adds further weight to the risk. Calderone points to previous incidents involving healthcare organisations and critical service providers in which disruption had real-world consequences.

“The zero-day is bad, but an exposed management interface is what makes it exploitable at scale by anyone with a connection,” he says.

One intrusion, broad access

The Interlock campaign points to something that security teams are increasingly seeing. Attackers aren’t just trying to slip past controls anymore; they’re going after the systems that run them. Sergiu Zaharia, CISO at Pentest-Tools, says firewall management platforms should now be treated as top-tier infrastructure.

“From an offensive security perspective, this campaign is a textbook example of why firewall management systems are tier-0 targets,” he tells Assured Intelligence, noting that compromise at this level provides control over segmentation, policy and visibility.

One successful intrusion can translate into wide-reaching access and far quieter persistence than traditional entry points, he adds. That shift has direct implications for how organisations prioritise risk. Systems that were once considered administrative or back-office are now central to how attackers gain and maintain access.

The pre-patch problem

A key challenge in the Interlock campaign, and in zero-day attacks more broadly, is the gap between exploitation and patch availability.

“The inherited trust angle is what should keep people up at night” Denis Calderone

“You can’t patch a zero-day you don’t know about,” Zaharia says, arguing that organisations must plan for this window rather than assume it can be avoided. That means building compensating controls that make post-exploitation activity harder, noisier and easier to detect.

Organisations must therefore treat the management plane as something they don’t fully trust. Zaharia recommends keeping it separate from production networks, limiting admin access to a handful of hardened paths, and watching it as closely as identity systems.

“If FMC can reach ‘everything’, then compromise becomes an environment-wide incident by default,” Zaharia argues.

From exploits to behaviour

One of the more practical lessons from the campaign is where to focus detection efforts. Rather than trying to spot the exploit itself, which is often difficult or impossible with zero-day campaigns, Zaharia suggests focusing on what attackers do after they get in.

“The reported tradecraft is noisy in predictable ways once you look for it,” he says, pointing to credential harvesting, use of network shares, PowerShell-based collection, and unauthorised remote access tooling as examples.

Organisations might not catch the exploit itself, but what happens next is often easier to see. Once security teams know what “normal” looks like on these systems, anything out of the ordinary tends to stand out quickly.
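
As an added illustration of the baseline-then-flag approach described above (example code written for this article, not from any of the vendors or experts quoted; the log lines, hostnames, users and process names are all constructed):

```python
import re

# Constructed sample logs, not from the campaign. Each line is:
# "timestamp host user process cmdline".
BASELINE_LOG = """\
2026-01-10T08:00:00 fmc-mgmt-01 svc_backup /usr/bin/rsync rsync -a /var/sf/backup /mnt/backup
2026-01-10T09:00:00 jump-01 fwadmin C:\\Windows\\System32\\mstsc.exe mstsc /v:fmc-mgmt-01
2026-01-11T08:00:00 fmc-mgmt-01 svc_backup /usr/bin/rsync rsync -a /var/sf/backup /mnt/backup
"""
OBSERVED_LOG = """\
2026-01-20T08:00:00 fmc-mgmt-01 svc_backup /usr/bin/rsync rsync -a /var/sf/backup /mnt/backup
2026-02-02T03:15:00 jump-01 fwadmin C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe powershell -nop -w hidden -enc SQBFAFgA
2026-02-02T03:16:00 jump-01 fwadmin C:\\Windows\\System32\\net.exe net use \\\\fileserver\\finance
2026-02-02T03:20:00 jump-01 fwadmin C:\\Users\\Public\\rmm-agent.exe rmm-agent.exe --unattended
2026-02-02T08:00:00 fmc-mgmt-01 svc_backup /usr/bin/rsync rsync -a /var/sf/backup /mnt/backup
"""

# Post-intrusion behaviours the article names, expressed as command-line patterns.
RULES = {
    "unusual PowerShell use": re.compile(
        r"(?:^|\s)-(?:enc|encodedcommand|w hidden|windowstyle hidden)(?:\s|$)", re.I),
    "network share access": re.compile(
        r"(?:^|\s)net(?:\.exe)?\s+(?:use|view)(?:\s|$)", re.I),
}

def parse(text):
    """Split each line into its five fields; the cmdline keeps its internal spaces."""
    records = []
    for line in text.splitlines():
        ts, host, user, process, cmdline = line.split(maxsplit=4)
        records.append({"ts": ts, "host": host, "user": user,
                        "process": re.split(r"[\\/]", process)[-1].lower(),
                        "cmdline": cmdline})
    return records

def build_baseline(records):
    """'Normal' is the set of (host, process) pairs seen during a known-clean window."""
    return {(r["host"], r["process"]) for r in records}

def hunt(records, baseline, since):
    """Findings for records at or after `since`; ISO timestamps compare as strings,
    so `since` can be pushed back to hunt earlier than the disclosure date."""
    findings = []
    for r in records:
        if r["ts"] < since:
            continue
        reasons = [name for name, rx in RULES.items() if rx.search(r["cmdline"])]
        if (r["host"], r["process"]) not in baseline:
            reasons.append("process never seen on this host during baseline")
        findings.extend((r["ts"], r["host"], r["process"], why) for why in reasons)
    return findings
```

Run with `hunt(parse(OBSERVED_LOG), build_baseline(parse(BASELINE_LOG)), "2026-01-01")`: the routine backup job on the management host produces nothing, while the hidden encoded PowerShell, the share mapping and the unfamiliar remote agent on the jump host are each flagged.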

Treat control planes as critical infrastructure

Another lesson from the campaign is architectural. Many organisations still treat firewall and device management platforms as background systems, rather than core infrastructure. That distinction becomes more serious in environments where IT connects to operational technology.

Phil Tonkin, field CTO at Dragos, says the campaign highlights a long-standing issue in how organisations approach segmentation.

“CISOs must shift their focus from detection and prevention towards decisive containment” Shane Read

“The Interlock campaign is a clear reminder that the devices organisations rely on for segmentation are themselves attack surfaces,” he tells Assured Intelligence. “Many industrial organisations treat the enterprise firewall as the primary line of defence, and this can have serious consequences for key operational technology that keeps the country running.”

Where segmentation is weak, compromise of a single control point can remove the barrier between corporate systems and operational environments.

“Dragos architecture reviews consistently find that 81% of organisations have poor segmentation between their enterprise and operational networks,” Tonkin explains.

When IT compromise becomes operational risk

The Interlock campaign also stands out for its targeting. Industrial and manufacturing organisations have become increasingly attractive targets for ransomware groups, as disruption carries real-world consequences. Tonkin says that trend is accelerating.

“Ransomware groups targeting industrial entities rose 49% over the past year,” he says. “These are environments where disruption has physical consequences.”

That raises the stakes for detection. If attackers have already been inside for weeks, perimeter controls alone are no longer enough. “Patching remains essential, but when the attacker had access five weeks before disclosure, patching alone is not a strategy,” Tonkin adds.

Designing for containment, not just prevention

If the first lesson from Interlock is that compromise is possible, the second is that a single defensive layer is no longer enough. Shane Read, CISO at Goldilock Secure, says the campaign underlines the limits of relying solely on software-based controls.

“The devices organisations rely on for segmentation are themselves attack surfaces” Phil Tonkin

“The Interlock campaign is a clear reminder that software-based defences alone are no longer enough, especially when dealing with zero-day exploits,” he says.

“The key lesson for CISOs is to shift their focus from detection and prevention towards decisive containment. Because the question is no longer whether an attacker can get in, but how quickly you can stop them moving laterally once they do.”

For organisations with operational environments, that challenge is even more acute.

“The lesson for CISOs is straightforward,” says Read. “If your OT security strategy depends on a single boundary device, you do not have an OT security strategy. You have a single point of failure.”

Building resilience into the control layer

Taken together, the lessons of the Interlock campaign show how much risk now sits in the systems designed to control and protect everything else. These platforms are no longer just operational tools – they shape how networks behave, what gets logged, and how access is enforced.

That makes them attractive targets, particularly in zero-day scenarios where attackers can operate undetected for extended periods. The question for CISOs is no longer whether these systems will be targeted, but how well they are isolated, monitored, and contained when something goes wrong.
