Interlock Ransomware Uses Cisco FMC Zero-Day CVE-2026-20131 to Gain Root Access

Amazon Threat Intelligence is warning of an active Interlock ransomware campaign that exploits a recently disclosed critical flaw in the Cisco Secure Firewall Management Center (FMC) Software.
The vulnerability in question is CVE-2026-20131 (CVSS score: 10.0), a flaw in how the software handles a user-supplied Java byte stream, which could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device.
According to data obtained from the global sensor network of the tech giant’s MadPot honeypot, the security flaw has been exploited as a zero-day since January 26, 2026, more than a month before it was publicly disclosed by Cisco.
“This was not just another advantage of the vulnerability; Interlock had a zero-day in their hands, which gave them a week’s head start to compromise organizations before defenders even knew to look. After we discovered this, we shared our results with Cisco to help support their investigation and protect customers,” CJ Moses, chief information security officer (CISO) of Amazon Integrated Reporting Security, told Hacker News.
The discovery, Amazon said, was made possible by an operational security lapse on the threat actor’s part: the group exposed its operational toolset through a poorly configured server, revealing its multi-stage attack chain, remote access trojans, reconnaissance scripts, and evasion techniques.
The attack sequence consists of sending specially crafted HTTP requests to the affected software in order to execute malicious Java code, after which the compromised system issues an HTTP PUT request to an external server so the attacker can confirm the exploit succeeded. Once this step is complete, commands are sent to download an ELF binary from a remote server that also hosts other Interlock-linked artifacts.
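The two-stage pattern described above (an outbound HTTP PUT from the exploited appliance, followed by a fetch of an ELF binary) is something a defender can look for in egress proxy or flow logs. The following detector is an added example written for this article, not code from Amazon, Cisco, or the threat actor. The log format, the management appliance address, the external IPs, and the response-magic field are all constructed for the example; a real deployment would map its own proxy or NetFlow schema onto `parse_line`.

```python
"""Flag firewall-management appliances that send an outbound HTTP PUT to a
non-internal host and then download an ELF binary shortly afterwards.
Everything below (hosts, IPs, log lines) is constructed for this example."""
from datetime import datetime, timedelta
import ipaddress

# Constructed: addresses of management appliances that should never initiate
# outbound HTTP PUT requests to the Internet.
MANAGEMENT_HOSTS = {"10.0.5.10"}

# RFC 1918 space is treated as internal; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ELF_MAGIC = "7f454c46"          # first four bytes of every ELF file
WINDOW = timedelta(minutes=10)  # how long after the PUT we look for the download

# Constructed sample log: ts src dst method url first-4-bytes-of-response (hex)
SAMPLE_LOG = """\
2026-01-26T10:00:01Z 10.0.5.10 10.0.5.20 GET http://repo.internal/update 504b0304
2026-01-26T10:02:15Z 10.0.5.10 198.51.100.7 PUT http://198.51.100.7/cb/abc123 0
2026-01-26T10:02:40Z 10.0.5.10 198.51.100.7 GET http://198.51.100.7/files/x 7f454c46
2026-01-26T10:05:00Z 10.0.8.44 203.0.113.9 PUT http://203.0.113.9/upload 3c21444f
2026-01-26T10:06:00Z 10.0.5.10 10.0.5.30 PUT http://10.0.5.30/backup 0
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    ts, src, dst, method, url, magic = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "dst": dst, "method": method, "url": url, "magic": magic.lower()}


def find_callback_chains(log_text: str, mgmt_hosts=MANAGEMENT_HOSTS,
                         window: timedelta = WINDOW) -> list:
    """Return one finding per suspicious PUT; severity is 'high' when an ELF
    download from the same source follows within the window."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for i, ev in enumerate(events):
        # Stage 1: management host -> external host via HTTP PUT
        if (ev["src"] not in mgmt_hosts or ev["method"] != "PUT"
                or is_internal(ev["dst"])):
            continue
        # Stage 2: same source fetches an ELF payload shortly afterwards
        elf_fetch = next(
            (later for later in events[i + 1:]
             if later["src"] == ev["src"]
             and later["ts"] - ev["ts"] <= window
             and later["magic"] == ELF_MAGIC),
            None)
        findings.append({
            "src": ev["src"],
            "callback_dst": ev["dst"],
            "callback_time": ev["ts"].isoformat(),
            "elf_url": elf_fetch["url"] if elf_fetch else None,
            "severity": "high" if elf_fetch else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_callback_chains(SAMPLE_LOG):
        print(f)
```

Only the management appliance's PUT to an external address is flagged; the ordinary workstation upload and the appliance's PUT to an internal backup host are ignored, which keeps the rule narrow enough to be useful as a scheduled hunt query rather than a noisy alert.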
The list of identified tools is as follows –
- A PowerShell reconnaissance script used to enumerate the Windows environment, gathering information about the operating system and hardware, running services, installed software, storage configuration, Hyper-V virtual machine listings, user files across the Desktop, Documents, and Downloads folders, browser artifacts from Chrome, Edge, Firefox, Internet Explorer, and 360, and RDP authentication and network events on Windows systems.
- Custom remote access trojans written in JavaScript and Java for command and control, interactive shell access, arbitrary command execution, bidirectional file transfer, and SOCKS5 proxy capability. They also support self-update and self-removal, allowing the operator to update or remove artifacts without re-infecting the machine, which complicates forensic investigation.
- A Bash script to configure Linux servers as reverse HTTP proxies that hide the attacker’s real origin. The script installs fail2ban, an open-source Linux intrusion prevention tool, and builds and deploys an HAProxy instance that listens on port 80 and forwards all incoming HTTP traffic to a hard-coded IP address. In addition, an infrastructure cleanup script runs a log-wiping routine as a cron job every five minutes to empty the contents of *.log files and suppresses shell history by unsetting the HISTFILE variable.
- An in-memory web shell that inspects incoming requests for specially crafted parameters containing encrypted command payloads, which it decrypts and executes.
- A lightweight network beacon that dials into attacker-controlled infrastructure to confirm code execution or check network port reachability after initial exploitation.
- ConnectWise ScreenConnect for persistent remote access and as a fallback should other access paths be found and removed.
- Volatility Framework, an open-source memory forensics framework.
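The anti-forensics behaviour attributed to the Linux proxy tooling above, a high-frequency cron job that empties *.log files and shell configuration that unsets HISTFILE, leaves two simple artifacts a defender can audit for. The following host-audit helper is an added example written for this article, not the threat actor’s script or any vendor tool. The sample crontab and bashrc contents are constructed; on a real host you would feed it the output of `crontab -l` for each user, the files under /etc/cron.d, and the shell rc files of service accounts.

```python
"""Audit crontab and shell rc text for log-wiping jobs and history suppression.
Sample inputs are constructed for this example."""
import re

# Constructed crontab: one benign job and two log-wiping jobs every 5 minutes.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * for f in /var/log/*.log; do : > "$f"; done
*/5 * * * * find /var/log -name '*.log' -exec truncate -s 0 {} \\;
"""

# Constructed ~/.bashrc with history suppression.
SAMPLE_BASHRC = """\
export PATH=$PATH:/usr/local/bin
unset HISTFILE
export HISTSIZE=0
"""

# A job is a log wiper when it targets log files AND uses a truncating verb.
LOG_TARGET = re.compile(r"\.log\b|/var/log")
WIPE_VERB = re.compile(r"\btruncate\b|\brm\b|>|cat\s+/dev/null")
# Common ways of disabling bash history.
HIST_SUPPRESS = re.compile(
    r"unset\s+HISTFILE|HISTFILE=(?:/dev/null|\s*$|['\"]{2})"
    r"|HIST(?:FILE)?SIZE=0\b|set\s+\+o\s+history")
FREQUENT_MINUTES = 15  # wiping more often than this is treated as high severity


def cron_minute_interval(minute_field: str):
    """Return the interval in minutes for '*' or '*/N' minute fields, else None."""
    if minute_field == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    return int(m.group(1)) if m else None


def audit_crontab(text: str) -> list:
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)          # five schedule fields + command
        if len(parts) != 6:
            continue
        command = parts[5]
        if LOG_TARGET.search(command) and WIPE_VERB.search(command):
            interval = cron_minute_interval(parts[0])
            findings.append({
                "line": line,
                "interval_min": interval,
                "severity": "high" if interval and interval <= FREQUENT_MINUTES else "low",
            })
    return findings


def audit_shell_rc(text: str) -> list:
    """Return each rc line that disables or discards shell history."""
    return [{"line": l.strip()} for l in text.splitlines()
            if HIST_SUPPRESS.search(l.strip())]


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB) + audit_shell_rc(SAMPLE_BASHRC):
        print(f)
```

Log rotation tools also touch *.log files, so the severity here keys on frequency: a legitimate rotation runs daily or hourly, whereas a five-minute truncation loop has no administrative purpose and is worth an alert on its own.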

The attribution to Interlock rests on technical and functional overlaps, including an embedded ransom note and a TOR-based discussion portal. Evidence suggests that the threat actor may be operating within the UTC+3 time zone.
Given the active exploitation of the bug, users are advised to apply the patches as soon as possible, hunt for signs of compromise, review ScreenConnect deployments for unauthorized installations, and layer additional security controls around exposed management interfaces.
“The real issue here is not just about one vulnerability or one group of ransomware—it’s about the fundamental challenge of 0-day exploits in every security model,” Moses said. “When attackers exploit vulnerabilities before patches are available, even the most proactive patching systems can’t protect you in that critical window.”
“That’s why defense-in-depth is important—layered security controls provide protection when any single control fails or isn’t implemented. Rapid remediation remains fundamental to risk management, but defense-in-depth helps organizations protect themselves during the window between exploits and remediation.”
The disclosure comes as Google revealed that ransomware actors are changing their tactics in response to the drop in payment rates, targeting vulnerabilities in traditional VPNs and firewalls to gain initial access and relying less on external tools and more on Windows’ built-in capabilities.
Many threat groups, both the ransomware operators themselves and initial access brokers, have also been found to be using search engine optimization (SEO) poisoning techniques to distribute malware downloads for initial access. Other commonly seen techniques include the use of compromised credentials, backdoors, or legitimate remote desktop software to establish persistence, as well as reliance on built-in and pre-installed tools for information gathering, privilege escalation, and lateral movement.
“While we expect ransomware to remain one of the world’s most dominant threats, the decline in profitability may cause threat actors to look for other ways to make money,” Google said. “This could be seen as an increase in data theft activities, the use of sophisticated phishing tactics, or taking advantage of vulnerable areas for secondary monetization methods such as using vulnerable infrastructure to send phishing messages.”