
Exploitation of Cisco FMC Zero-Day CVE-2026-20131 Enables Interlock Ransomware Root Access

Amazon Threat Intelligence has issued an alert regarding an ongoing Interlock ransomware operation that is actively abusing a newly revealed, high-severity vulnerability in Cisco Secure Firewall Management Center (FMC) software.

The flaw, tracked as CVE-2026-20131 and assigned a CVSS score of 10.0, stems from insecure deserialization of user-controlled Java byte streams. Exploitation of this weakness allows a remote, unauthenticated attacker to bypass authentication controls and run arbitrary Java code with root-level privileges on vulnerable systems.

Telemetry collected from Amazon’s MadPot global sensor network indicates that threat actors have been exploiting this vulnerability as a zero-day since January 26, 2026, over a month before Cisco publicly acknowledged and disclosed the issue.

According to CJ Moses, Chief Information Security Officer of Amazon Integrated Security, Interlock’s use of the zero-day provided attackers with a significant operational advantage. “This was not a routine exploit,” Moses said in a statement shared with The Hacker News. “Interlock possessed a zero-day vulnerability, granting them early access to compromise organizations well before defenders were aware of the threat. Once we identified the activity, we immediately coordinated with Cisco to support their investigation and help safeguard customers.”

Amazon attributed the discovery to a lapse in operational security by the attackers themselves. A misconfigured infrastructure server inadvertently exposed components of the group’s cybercrime toolkit, allowing researchers to analyze Interlock’s multi-stage intrusion workflow, custom-built malware, reconnaissance tooling, and evasion tactics.

The observed attack sequence begins with specially crafted HTTP requests sent to a vulnerable FMC endpoint, triggering arbitrary Java code execution. Upon successful compromise, the affected system initiates an outbound HTTP PUT request to an attacker-controlled server as confirmation. Subsequent commands instruct the victim to download an ELF payload from a remote location hosting additional Interlock-associated utilities.

Amazon identified several tools used throughout the campaign, including:

  • A PowerShell-based reconnaissance script designed to methodically profile Windows environments. The script collects extensive system information such as operating system and hardware details, active services, installed applications, disk and storage layouts, Hyper‑V virtual machine inventories, user file listings from common directories, browser artifacts from Chrome, Edge, Firefox, Internet Explorer, and 360 Browser, active network sessions, and RDP authentication records extracted from Windows event logs.

  • Custom remote access trojans (RATs) written in JavaScript and Java, providing command-and-control functionality. These implants support interactive shell access, execution of arbitrary commands, bidirectional file transfers, and SOCKS5 proxying. They also feature self-update and self-removal capabilities, enabling operators to replace or erase artifacts without reinfection and complicating forensic analysis.

  • A Linux Bash script used to transform compromised servers into HTTP reverse proxies, masking the attackers’ true infrastructure. The script installs fail2ban and compiles and deploys an HAProxy service listening on port 80, forwarding all inbound traffic to a hard-coded IP address. To further obscure activity, it schedules a cron job that runs every five minutes to aggressively delete log files and suppress command history by unsetting the HISTFILE environment variable.

  • An in-memory web shell that inspects incoming HTTP requests for specially crafted parameters containing encrypted command payloads, which are decrypted and executed directly in memory.

  • A lightweight network beacon used to contact attacker-controlled servers, likely to verify successful exploitation or confirm network reachability following initial access.

  • ConnectWise ScreenConnect, leveraged to maintain persistent remote access and serve as a fallback channel in case other access points are discovered and remediated.

  • The Volatility Framework, an open-source memory forensics toolkit.

Attribution to Interlock is supported by a convergence of technical and operational evidence, including an embedded ransom note and a Tor-based negotiation portal. Analysis further suggests the threat actor primarily operates within the UTC+3 time zone.

Given the confirmed active exploitation, organizations are strongly encouraged to apply available patches immediately, perform thorough security reviews to detect signs of compromise, audit ScreenConnect installations for unauthorized deployments, and reinforce layered security controls.
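As a starting point for the security reviews recommended above, the following host-audit check flags the cron-based log wiping and HISTFILE suppression described for the reverse-proxy script. This is an added example and not code from Amazon's report or Cisco; the crontab lines, the five-minute threshold and the regular expressions are constructed for illustration.

```python
"""Heuristic crontab audit for frequent log deletion and shell-history suppression."""
import re
from dataclasses import dataclass

# Constructed sample crontab (not from the report): two benign jobs, two suspicious ones.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * unset HISTFILE; rm -rf /var/log/*.log /var/log/auth.log >/dev/null 2>&1
30 2 * * 0 /usr/local/bin/backup.sh
*/1 * * * * find /var/log -type f -delete
"""

# Destructive verbs that, combined with a /var/log path, indicate log wiping.
DESTRUCTIVE = re.compile(r"\b(rm\s+-\S*f|find\b[^;|&]*-delete|truncate\b|shred\b)", re.I)
# Shell-history suppression: unsetting HISTFILE or pointing it at /dev/null.
HISTFILE_UNSET = re.compile(r"\bunset\s+HISTFILE\b|\bHISTFILE=/dev/null\b")
# Five schedule fields followed by the command.
SCHEDULE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


@dataclass
class Finding:
    line_no: int
    reasons: list


def interval_minutes(minute_field, hour_field):
    """Minutes between runs for simple step schedules ("*/N" or "*"), else None."""
    step = re.fullmatch(r"\*/(\d+)", minute_field)
    if step and hour_field == "*":
        return int(step.group(1))
    if minute_field == "*" and hour_field == "*":
        return 1
    return None


def audit_crontab(text, max_interval=5):
    """Return a Finding per crontab line that wipes logs or suppresses history."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SCHEDULE.match(line)
        if not m:
            continue
        minute, hour, cmd = m.group(1), m.group(2), m.group(6)
        reasons = []
        if "/var/log" in cmd and DESTRUCTIVE.search(cmd):
            reasons.append("deletes log files")
            interval = interval_minutes(minute, hour)
            if interval is not None and interval <= max_interval:
                reasons.append(f"runs every {interval} min")
        if HISTFILE_UNSET.search(cmd):
            reasons.append("suppresses shell history")
        if reasons:
            findings.append(Finding(n, reasons))
    return findings
```

Run it against the output of `crontab -l` for each account and the files under `/etc/cron.d` rather than the sample; a hit warrants checking for an HAProxy listener on port 80 and for the outbound connections the report describes.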

Moses emphasized that the incident underscores a broader security challenge. “The key takeaway isn’t just a single vulnerability or a single ransomware group—it’s the inherent risk posed by zero-day exploits,” he said. “When attackers strike before patches exist, even organizations with strong patch management practices remain exposed during that critical gap.”

He added that this reality reinforces the necessity of defense-in-depth strategies. While rapid patching remains a cornerstone of vulnerability management, layered security measures help ensure organizations are not left defenseless during the window between exploitation and remediation.

This disclosure follows a separate report from Google indicating that ransomware operators are adjusting their playbooks in response to declining ransom payment rates. Increasingly, attackers are exploiting vulnerabilities in widely deployed VPNs and firewall products to gain initial access, while relying less on third-party tools and more on built-in Windows functionality.

Google also noted that multiple threat clusters, including both ransomware groups and initial access brokers, are using malvertising and search engine optimization (SEO) abuse to distribute malware during the early stages of intrusion. Other frequently observed techniques include the use of stolen credentials, backdoors, and legitimate remote desktop tools to establish persistence, as well as native system utilities for reconnaissance, privilege escalation, and lateral movement.

“Although ransomware remains one of the most significant global cyber threats, declining profitability may push some actors toward alternative monetization strategies,” Google stated. “This could include expanded data-theft extortion schemes, more aggressive coercive tactics, or opportunistic secondary monetization—such as abusing compromised infrastructure to launch phishing campaigns.”
