Interlock Ransomware Exploits Critical Cisco FMC Zero-Day CVE-2026-20131 for Root Access

Amazon Threat Intelligence has warned of an active campaign by the Interlock ransomware group that is exploiting a recently disclosed critical vulnerability in Cisco Secure Firewall Management Center (FMC) Software. The flaw, tracked as CVE-2026-20131, carries the maximum CVSS score of 10.0. It stems from insecure deserialization of user-supplied Java byte streams, which lets an unauthenticated remote attacker bypass authentication and execute arbitrary Java code as root on an affected device.

Exploitation Timeline and Discovery

Data from Amazon’s global sensor network, MadPot, indicates the flaw was exploited as a zero-day from January 26, 2026, more than a month before Cisco’s public disclosure. CJ Moses, Chief Information Security Officer (CISO) of Amazon Integrated Security, said the Interlock group had a significant advantage, gaining a week’s head start to compromise organizations before defenders were even aware of the threat. On discovering the activity, Amazon shared its findings with Cisco to support the investigation and protect affected customers.

The campaign came to light through an operational security mistake by the attackers: a misconfigured infrastructure server exposed their toolkit. That exposed server gave researchers insight into the multi-stage attack chain, including bespoke remote access trojans, reconnaissance scripts, and evasion techniques.

Technical Details of the Attack Chain

Interlock’s attack chain begins with specially crafted HTTP requests to specific paths in the vulnerable software, triggering the deserialization flaw and executing arbitrary Java code. After successful exploitation, the compromised system issues an HTTP PUT request to an external server to confirm that the attack succeeded. Commands are then issued to fetch an ELF binary from a remote server, which carries additional Interlock tooling.

The identified tools utilized in this campaign include:

  • PowerShell Reconnaissance Script: This script systematically enumerates the Windows environment, collecting details such as operating system and hardware specifications, running services, installed software, and user file listings across various directories.

  • Custom Remote Access Trojans: Developed in JavaScript and Java, these trojans facilitate command-and-control operations, interactive shell access, arbitrary command execution, bidirectional file transfer, and SOCKS5 proxy capabilities. They also feature self-update and self-delete mechanisms to evade detection.

  • Bash Script for Linux Servers: This script configures Linux servers as HTTP reverse proxies, obscuring the attacker’s origins. It deploys fail2ban, an open-source Linux intrusion prevention tool, and spawns an HAProxy instance to forward inbound HTTP traffic to a predetermined target IP address. Additionally, it includes a log erasure routine that purges log files every five minutes.

  • Memory-Resident Web Shell: This tool inspects incoming requests for specially crafted parameters containing encrypted command payloads, which are decrypted and executed.

  • Lightweight Network Beacon: This component communicates with attacker-controlled infrastructure to validate successful code execution or confirm network port reachability post-exploitation.

  • ConnectWise ScreenConnect: Used for persistent remote access, this tool serves as an alternative pathway should other footholds be compromised.

  • Volatility Framework: An open-source memory forensics framework, used here to parse memory dumps and extract sensitive data such as credentials.

  • Certify: An open-source offensive security tool designed to exploit misconfigurations in Active Directory Certificate Services (AD CS) and identify vulnerable certificate templates.
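
The callback and web-shell behaviours described above point to two things a defender can hunt for in logs that already exist: an HTTP PUT from the management appliance to an external host shortly after exploitation, and request parameters carrying opaque, high-entropy blobs where the application normally receives short structured values. The script below is an added example, not code from Amazon, Cisco or the original report. Its log layouts, IP addresses, hostnames, allowlist and thresholds are constructed assumptions, so the parsing has to be adapted to the proxy and web-server formats actually in use.

```python
"""Two hunting heuristics for behaviour described in the Interlock/FMC report.

Everything here is constructed for illustration: the log layouts, IP addresses,
hostnames, allowlist and thresholds are assumptions, not Cisco FMC log formats
or indicators published by Amazon or Cisco.
"""
import math
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qsl, urlsplit

# --- 1. Post-exploitation callback: HTTP PUT from the appliance to an external host

# Constructed egress-proxy records: "<timestamp> <src_ip> <method> <url> <status>"
EGRESS_LOG = """\
2026-01-26T03:14:07Z 10.0.5.20 GET https://updates.example-vendor.invalid/manifest 200
2026-01-26T03:15:52Z 10.0.5.20 PUT http://203.0.113.77:8080/c/7f3a 200
2026-01-26T03:16:01Z 10.0.5.20 GET http://203.0.113.77:8080/bin/x 200
2026-01-26T03:20:00Z 10.0.9.12 PUT https://backup.internal.invalid/blob/1 201
"""
MGMT_APPLIANCES = {"10.0.5.20"}                        # assumed FMC address
EGRESS_ALLOWLIST = {"updates.example-vendor.invalid"}  # assumed sanctioned egress
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(host: str) -> bool:
    """True unless the host is allowlisted or an RFC 1918 / loopback IP literal."""
    if host in EGRESS_ALLOWLIST:
        return False
    try:
        addr = ip_address(host)
    except ValueError:
        return True  # a hostname that is not allowlisted: treat as external
    # Explicit RFC 1918 check: ipaddress.is_private would also treat the
    # documentation range 203.0.113.0/24 used in the sample as non-external.
    return not any(addr in net for net in INTERNAL_NETS)


def flag_mgmt_put_callbacks(log: str) -> list[dict]:
    """Management appliances rarely PUT to the internet; each PUT from one to a
    non-allowlisted external host is returned as a finding."""
    findings = []
    for line in log.splitlines():
        ts, src, method, url, _status = line.split()
        host = urlsplit(url).hostname
        if src in MGMT_APPLIANCES and method == "PUT" and host and is_external(host):
            findings.append({"ts": ts, "src": src, "dst": host, "url": url})
    return findings


# --- 2. Web-shell traffic: an opaque, high-entropy blob in a request parameter

# Constructed web-server access records: "<timestamp> <client_ip> <method> <target> <status>"
ACCESS_LOG = """\
2026-01-27T11:02:10Z 198.51.100.9 GET /ui/login?next=%2Fdashboard 200
2026-01-27T11:02:44Z 198.51.100.9 POST /ui/status?id=42&lang=en 200
2026-01-27T11:03:15Z 198.51.100.9 POST /ui/status?id=42&sess=q7Zt3Kc-Xp9Ld0Rf2Gn8Wy5Jb1Vh6Ms4Ae_TuBiCoDkEwFxHzIjNmOrPvQgSlUaY 200
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 or ciphertext sits near 6, prose near 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def flag_encrypted_parameters(log: str, min_len: int = 32,
                              min_entropy: float = 4.5) -> list[dict]:
    """Return parameters whose values are long and high-entropy, i.e. look like
    ciphertext or an encoded payload rather than the short structured values the
    application normally accepts. Thresholds are assumptions; tune per application."""
    findings = []
    for line in log.splitlines():
        ts, client, method, target, _status = line.split()
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                findings.append({"ts": ts, "client": client, "method": method,
                                 "path": parts.path, "param": name,
                                 "entropy": round(shannon_entropy(value), 2)})
    return findings


if __name__ == "__main__":
    for f in flag_mgmt_put_callbacks(EGRESS_LOG):
        print("callback:", f)
    for f in flag_encrypted_parameters(ACCESS_LOG):
        print("web shell candidate:", f)
```

Run directly, it prints one callback finding (the PUT to 203.0.113.77) and one web-shell candidate (the `sess` parameter on `/ui/status`). Two caveats: a web shell that takes its payload in a POST body or a header leaves nothing in a query-string log, so the second heuristic only sees what the server records; and entropy thresholds will also flag legitimate signed or encrypted tokens, so scope the check to paths that should never carry such values.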

Operational Indicators and Recommendations

Attribution to Interlock rests on convergent technical and operational indicators, including the ransom note and the Tor negotiation portal. Evidence suggests the threat actor operates in the UTC+3 time zone.

Given the ongoing exploitation, organizations are urged to apply Cisco’s fixes immediately, assess exposed FMC deployments for signs of compromise, and review ScreenConnect installations for any that were not authorized. Defense-in-depth controls are also recommended to limit the impact of a successful exploit.

Moses emphasized that the core issue extends beyond a single vulnerability or ransomware group; it highlights the significant challenges posed by zero-day exploits to all security models. When attackers exploit vulnerabilities before patches are available, even the most diligent patching programs cannot provide adequate protection during that critical window.

Evolving Threat Landscape

This disclosure aligns with recent findings from Google, which revealed that ransomware actors are adapting their tactics in response to declining payment rates. They are increasingly targeting vulnerabilities in common VPNs and firewalls for initial access, relying less on external tools and more on built-in Windows capabilities.

Multiple threat clusters, including ransomware operators and initial access brokers, have been observed employing malvertising and search engine optimization (SEO) tactics to distribute malware payloads. Common techniques include the use of compromised credentials, backdoors, or legitimate remote desktop software to establish footholds, as well as leveraging built-in tools for reconnaissance, privilege escalation, and lateral movement.

Google noted that while ransomware is expected to remain a dominant threat globally, the reduction in profits may prompt some threat actors to explore alternative monetization methods. This could lead to increased data theft extortion operations and the use of more aggressive extortion tactics.

Update from Cisco

Cisco has updated its advisory for CVE-2026-20131, confirming reports of active exploitation. The company strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability.

This article is based on publicly available thehackernews.com reporting.
