Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access

Amazon Threat Intelligence is warning of an active Interlock ransomware campaign exploiting a recently disclosed critical vulnerability in Cisco Secure Firewall Management Center (FMC) Software. The flaw, CVE-2026-20131 (CVSS score: 10.0), is an insecure deserialization of a user-supplied Java byte stream that allows an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device.

According to data gleaned from the tech giant’s MadPot global sensor network, the flaw was exploited as a zero-day from January 26, 2026, more than a month before Cisco publicly disclosed it. “This wasn’t just another vulnerability exploit; Interlock had a zero-day in their hands, giving them a week’s head start to compromise organizations before defenders even knew to look,” said CJ Moses, chief information security officer (CISO) of Amazon Integrated Security.

The discovery, Amazon said, was made possible by an operational security blunder on the threat actor’s part: a misconfigured infrastructure server exposed the group’s operational toolkit, offering insight into its multi-stage attack chain, bespoke remote access trojans, reconnaissance scripts, and evasion techniques. The attack chain begins with crafted HTTP requests to a specific path in the affected software that trigger execution of arbitrary Java code; the compromised system then issues an HTTP PUT request to an external server to confirm successful exploitation. Once that callback has been received, commands are sent to fetch an ELF binary from a remote server that also hosts other tools linked to Interlock.
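The article does not publish the exploited path, but the two outbound steps it does describe (a confirmation PUT to an external host, then a fetch of an ELF payload) are visible in egress logs regardless of which path was hit. The following Python script is an added example, not Amazon’s detection logic or anything from the published report: it hunts for that sequence in egress proxy or firewall logs from the FMC management interface. The JSON log shape, the allowlist of legitimate destinations, the host names, and the use of a binary content type as the heuristic for the ELF download are all assumptions; the sample records are constructed.

```python
"""Hunt for the post-exploitation sequence described above in FMC egress logs.

Added example (not Amazon's or Cisco's tooling). Assumptions, all hypothetical:
the egress proxy/firewall emits one JSON record per outbound HTTP request from
the FMC management interface, the allowlist reflects the FMC's legitimate
destinations, and a GET whose response carries a binary content type is used
as the heuristic for the ELF fetch. Sample records are constructed.
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hosts the FMC is expected to reach (hypothetical; fill from your own records).
ALLOWED_HOSTS = {"updates.example-vendor.test", "ntp.corp.test"}

# Response content types that typically carry a native binary (heuristic).
BINARY_TYPES = {"application/octet-stream", "application/x-executable", "application/x-elf"}

# How long after the confirmation PUT a payload fetch is still correlated.
WINDOW = timedelta(hours=24)


@dataclass
class Event:
    ts: datetime
    src: str
    method: str
    host: str
    path: str
    resp_type: str
    resp_bytes: int


def parse_line(line: str) -> Event | None:
    """Parse one JSON log record; return None for malformed input."""
    try:
        rec = json.loads(line)
        return Event(
            ts=datetime.fromisoformat(rec["ts"]),
            src=rec["src"],
            method=str(rec["method"]).upper(),
            host=rec["host"],
            path=rec.get("path", "/"),
            resp_type=str(rec.get("resp_type", "")).lower(),
            resp_bytes=int(rec.get("resp_bytes", 0)),
        )
    except (ValueError, KeyError, TypeError):
        return None


def is_external(host: str) -> bool:
    """True for anything outside the allowlist and outside private/reserved IP space."""
    if host in ALLOWED_HOSTS:
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True  # a DNS name not on the allowlist is treated as external


def find_exploit_sequences(lines, fmc_hosts):
    """Return one alert per external PUT issued by an FMC host.

    Severity is "high" when the same host then pulls a binary-looking response
    from an external server within WINDOW (the full chain described in the
    article), otherwise "medium" (confirmation callback alone).
    """
    events = [e for e in map(parse_line, lines) if e is not None and e.src in fmc_hosts]
    events.sort(key=lambda e: e.ts)
    alerts = []
    for i, put in enumerate(events):
        if put.method != "PUT" or not is_external(put.host):
            continue
        alert = {"src": put.src, "put_host": put.host, "put_ts": put.ts.isoformat(),
                 "severity": "medium", "fetch_host": None, "fetch_path": None}
        for fetch in events[i + 1:]:
            if fetch.src != put.src:
                continue
            if fetch.ts - put.ts > WINDOW:
                break  # events are time-ordered, nothing later can match
            if (fetch.method == "GET" and is_external(fetch.host)
                    and fetch.resp_type in BINARY_TYPES and fetch.resp_bytes > 0):
                alert.update(severity="high", fetch_host=fetch.host, fetch_path=fetch.path)
                break
        alerts.append(alert)
    return alerts


# Constructed sample: one FMC completes the whole chain, a second only emits
# the confirmation PUT, a non-FMC server is ignored, and a malformed line is
# skipped.
SAMPLE_LOG = """\
{"ts": "2026-01-27T02:14:09", "src": "10.0.5.10", "method": "GET", "host": "updates.example-vendor.test", "path": "/sru/latest", "resp_type": "application/json", "resp_bytes": 812}
{"ts": "2026-01-27T02:15:31", "src": "10.0.5.10", "method": "PUT", "host": "confirm.example-attacker.test", "path": "/", "resp_type": "text/plain", "resp_bytes": 2}
{"ts": "2026-01-27T02:16:02", "src": "10.0.5.10", "method": "GET", "host": "dl.example-attacker.test", "path": "/agent", "resp_type": "application/octet-stream", "resp_bytes": 1843200}
{"ts": "2026-01-27T02:20:00", "src": "10.0.7.22", "method": "PUT", "host": "confirm.example-attacker.test", "path": "/", "resp_type": "text/plain", "resp_bytes": 2}
{"ts": "2026-01-27T02:21:00", "src": "10.0.9.40", "method": "PUT", "host": "confirm.example-attacker.test", "path": "/", "resp_type": "text/plain", "resp_bytes": 2}
not a json line
"""

FMC_HOSTS = {"10.0.5.10", "10.0.7.22"}

if __name__ == "__main__":
    for a in find_exploit_sequences(SAMPLE_LOG.splitlines(), FMC_HOSTS):
        print(a)
```

Two practical notes. First, a management appliance should have almost no legitimate egress, so a tight allowlist both blocks the confirmation PUT outright and turns any remaining hit into a high-signal event; the "medium" alert for a lone PUT exists precisely because the fetch can land outside the correlation window or through a different channel. Second, this hunts the behaviour that follows exploitation; the FMC's own web server logs should still be checked against the vendor-published indicators for the request itself once those are available.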

The identified tools include a PowerShell reconnaissance script and custom remote access trojans written in JavaScript and Java that provide command-and-control, interactive shell access, and bidirectional file transfer. A Bash script configures Linux servers as HTTP reverse proxies to obscure the attacker’s true origin; it also aggressively deletes and purges log file contents and suppresses shell history. Other tools found include a memory-resident web shell, a lightweight network beacon, ConnectWise ScreenConnect for persistent remote access, and the Volatility Framework. The attribution to Interlock rests on “convergent” technical and operational indicators, including the embedded ransom note and the Tor negotiation portal. Evidence suggests the threat actor operates in the UTC+3 time zone.

In light of active exploitation, users are advised to apply patches as soon as possible, conduct security assessments to identify potential compromise, review ScreenConnect deployments for unauthorized installations, and implement defense-in-depth strategies. “The real story here isn’t just about one vulnerability or one ransomware group—it’s about the fundamental challenge zero-day exploits pose to every security model,” Moses said, adding that “rapid patching remains foundational in vulnerability management, but defense in depth helps organizations not to be defenseless during the window between exploit and patch.”

The disclosure comes as Google revealed that ransomware actors are changing tactics in response to declining payment rates: targeting vulnerabilities in common VPNs and firewalls for initial access, and relying less on external tooling and more on built-in Windows capabilities.

This post is licensed under CC BY 4.0 by the author.