Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access
Amazon Threat Intelligence disclosed an active Interlock ransomware campaign exploiting CVE-2026-20131, a critical zero-day in Cisco Secure Firewall Management Center (FMC) that allows unauthenticated remote code execution as root. The threat actor has been exploiting the flaw since January 26, 2026—over a month before public disclosure—using a sophisticated multi-stage attack chain involving custom RATs, reconnaissance scripts, and evasion techniques revealed through an operational security mistake.
Summary
Amazon Threat Intelligence disclosed an active Interlock ransomware campaign exploiting CVE-2026-20131, a critical zero-day in Cisco Secure Firewall Management Center (FMC) that allows unauthenticated remote code execution as root. The threat actor has been exploiting the flaw since January 26, 2026—over a month before public disclosure—using a sophisticated multi-stage attack chain involving custom RATs, reconnaissance scripts, and evasion techniques revealed through an operational security mistake.
Full text
Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access Ravie LakshmananMar 18, 2026Network Security / Ransomware Amazon Threat Intelligence is warning of an active Interlock ransomware campaign that's exploiting a recently disclosed critical security flaw in Cisco Secure Firewall Management Center (FMC) Software. The vulnerability in question is CVE-2026-20131 (CVSS score: 10.0), a case of insecure deserialization of user-supplied Java byte stream, which could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device. According to data gleaned from the tech giant's MadPot global sensor network, the security flaw is said to have been exploited as a zero-day since January 26, 2026, more than a month before it was publicly disclosed by Cisco. "This wasn't just another vulnerability exploit; Interlock had a zero-day in their hands, giving them a week's head start to compromise organizations before defenders even knew to look. Upon making this discovery, we shared our findings with Cisco to help support their investigation and protect customers," CJ Moses, chief information security officer (CISO) of Amazon Integrated Security, said in a report shared with The Hacker News. The discovery, Amazon said, was made possible, thanks to an operational security blunder on the part of the threat actor that exposed their cybercrime group's operational toolkit via a misconfigured infrastructure server, offering insights into its multi-stage attack chain, bespoke remote access trojans, reconnaissance scripts, and evasion techniques. The attack chain involves sending crafted HTTP requests to a specific path in the affected software with an aim to execute arbitrary Java code, after which the compromised system issues an HTTP PUT request to an external server to confirm successful exploitation. Once this step is complete, the commands are sent to fetch an ELF binary from a remote server, which hosts other tools linked to Interlock. The list of identified tools is as follows - A PowerShell reconnaissance script used for systematic Windows environment enumeration, gathering details about operating system and hardware, running services, installed software, storage configuration, Hyper-V virtual machine inventory, user file listings across Desktop, Documents, and Downloads directories, browser artifacts from Chrome, Edge, Firefox, Internet Explorer, and 360 browser, active network connections, and RDP authentication events from Windows event logs. Custom remote access trojans written in JavaScript and Java for command-and-control, interactive shell access, arbitrary command execution, bidirectional file transfer, and SOCKS5 proxy capability. It also supports self-update and self-delete mechanisms to replace or remove the artifact without having to reinfect the machine and challenge forensic investigation. A Bash script for configuring Linux servers as HTTP reverse proxies to obscure the attacker's true origins. The script delivers fail2ban, an open-source Linux intrusion prevention tool, and compiles and spawns an HAProxy instance that listens on port 80 and forwards all inbound HTTP traffic to a hard-coded target IP address. Furthermore, the infrastructure laundering script runs a log erasure routine as a cron job every five minutes to aggressively delete and purge the contents of *.log files and suppress shell history by unsetting the HISTFILE variable. A memory-resident web shell for inspecting incoming requests for specially crafted parameters containing encrypted command payloads, which are then decrypted and executed. A lightweight network beacon for phoning attacker-controlled infrastructure likely to validate successful code execution or confirm network port reachability following initial exploitation. ConnectWise ScreenConnect for persistent remote access and for serving as an alternative pathway should other footholds be detected and removed. Volatility Framework, an open-source memory forensics framework The links to Interlock stem from "convergent" technical and operational indicators, including the embedded ransom note and TOR negotiation portal. Evidence shows that the threat actor is likely operational during the UTC+3 time zone. In light of active exploitation of the flaw, users are advised to apply patches as soon as possible, conduct security assessments to identify potential compromise, review ScreenConnect deployments for unauthorized installations, and implement defense-in-depth strategies. "The real story here isn't just about one vulnerability or one ransomware group—it's about the fundamental challenge zero-day exploits pose to every security model," Moses said. "When attackers exploit vulnerabilities before patches exist, even the most diligent patching programs can't protect you in that critical window." "This is precisely why defense-in-depth is essential—layered security controls provide protection when any single control fails or hasn't yet been deployed. Rapid patching remains foundational in vulnerability management, but defense in depth helps organizations not to be defenseless during the window between exploit and patch." The disclosure comes as Google revealed that ransomware actors are changing their tactics in response to declining payment rates, targeting vulnerabilities in common VPNs and firewalls for initial access and leaning less on external tooling and more on built-in Windows capabilities. Multiple threat clusters, both ransomware operators themselves and initial access brokers, have also been found to employ malvertising and/or search engine optimization (SEO) tactics to distribute malware payloads for initial access. Other commonly observed techniques include the use of compromised credentials, backdoors, or legitimate remote desktop software to establish a foothold, as well as relying on built-in and already installed tools for reconnaissance, privilege escalation, and lateral movement. "While we anticipate ransomware to remain one of the most dominant threats globally, the reduction in profits may cause some threat actors to seek other monetization methods," Google said. "This could manifest as increased data theft extortion operations, the use of more aggressive extortion tactics, or opportunistically using access to victim environments for secondary monetization mechanisms such as using compromised infrastructure to send phishing messages." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE Tweet Share Share Share SHARE cisco, Cloud security, cybersecurity, Malware, network security, ransomware, Threat Intelligence, Vulnerability, zero-day Trending News ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Popular Resources Self-Hosted
Indicators of Compromise
- cve — CVE-2026-20131
- malware — Interlock
- malware — ConnectWise ScreenConnect