Amazon Threat Intelligence is sounding the alarm regarding an active Interlock ransomware campaign that is exploiting a critical, recently disclosed security vulnerability within Cisco Secure Firewall Management Center (FMC) Software. This flaw, identified as CVE-2026-20131 with a CVSS score of 10.0, allows unauthenticated attackers to execute arbitrary Java code remotely, enabling them to bypass security measures and gain root-level access on affected devices. The threat actor has reportedly been leveraging this zero-day vulnerability since January 26, 2026, significantly ahead of its public disclosure by Cisco.
The exploitation of this critical vulnerability presents a significant threat to organizations relying on Cisco’s security infrastructure. The Interlock ransomware group’s ability to operate with a zero-day exploit provides them with a substantial advantage, allowing for initial compromises before security teams are even aware of the threat. This situation underscores the persistent challenges posed by sophisticated cyber threats and the importance of robust, layered security strategies.
Interlock Ransomware Exploits Critical Cisco Firewall Flaw
According to data gathered from Amazon’s MadPot global sensor network, the exploited security flaw, CVE-2026-20131, has been in active use as a zero-day since late January 2026. This predates Cisco’s public announcement of the vulnerability by over a month. CJ Moses, chief information security officer of Amazon Integrated Security, noted that this exploit gave the attackers a significant head start to compromise organizations. Amazon shared its findings with Cisco to aid in their investigation and customer protection efforts.
The discovery of the Interlock ransomware’s modus operandi was facilitated by an operational security lapse on the part of the threat actor. A misconfigured infrastructure server exposed their operational toolkit, providing crucial insights into their multi-stage attack chain, custom remote access trojans, reconnaissance scripts, and evasion techniques. This accidental disclosure enabled Amazon’s threat intelligence team to map out the attacker’s methods.
The Interlock Ransomware Attack Chain
The attack chain begins with the delivery of crafted HTTP requests to a specific path within the vulnerable Cisco software. This initial step aims to trigger the arbitrary Java code execution. Following successful exploitation, the compromised system communicates with an external server via an HTTP PUT request to confirm the exploitation. Subsequently, commands are issued to download an ELF binary from a remote server, which hosts other tools associated with the Interlock operation.
The identified tools employed by the Interlock ransomware campaign are designed for comprehensive system compromise and evasion. These include a PowerShell script for detailed Windows environment enumeration, gathering information on operating systems, hardware, services, installed software, storage configurations, and user file locations. It also collects browser artifacts and network connection data.
Additionally, the attackers utilize custom remote access trojans developed in JavaScript and Java. These provide command-and-control capabilities, interactive shell access, arbitrary command execution, bidirectional file transfer, and SOCKS5 proxy functionality. These trojans are designed with self-update and self-delete mechanisms to evade detection and hinder forensic investigations.
For Linux environments, a Bash script is employed to configure servers as HTTP reverse proxies, obscuring the attacker’s true origin. This script installs fail2ban and compiles an HAProxy instance that forwards inbound HTTP traffic to a hard-coded IP address. It also includes a log erasure routine to aggressively delete log files and suppress shell history.
A memory-resident web shell is used to inspect incoming requests for encrypted command payloads, which are then decrypted and executed. A lightweight network beacon serves to validate successful code execution or confirm network port reachability. The campaign also leverages ConnectWise ScreenConnect for persistent remote access and as a fallback mechanism if other intrusion points are discovered and removed. The Volatility Framework, an open-source memory forensics tool, is also part of the attacker’s arsenal.
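The chain described above (external request to the FMC, outbound HTTP PUT confirming exploitation, then retrieval of an ELF binary) can be hunted for in egress/ingress connection records. The following is an added detection example, not code from the article, Amazon or Cisco; the log format, the 10-minute window, the internal address ranges and the FMC request path are all assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records (not real telemetry). One event per line:
# time  direction  method  peer_ip  path  first_bytes_of_body_as_hex_or_dash
# The FMC request path is a placeholder; the article does not give it.
SAMPLE_LOG = """\
2026-01-27T03:10:01Z in  POST 203.0.113.5  /<fmc-path-placeholder> -
2026-01-27T03:10:04Z out PUT  198.51.100.9 /callback -
2026-01-27T03:10:12Z out GET  198.51.100.9 /tools/agent 7f454c46
2026-01-27T03:11:00Z in  GET  10.0.0.8     /login -
2026-01-27T03:12:00Z out GET  10.0.0.20    /update 504b0304
"""

LINE_RE = re.compile(r"^(\S+)\s+(in|out)\s+([A-Z]+)\s+(\S+)\s+(\S+)\s+(\S+)$")
ELF_MAGIC = b"\x7fELF"                  # magic bytes of every ELF binary
WINDOW = timedelta(minutes=10)          # assumed: the whole chain completes quickly
# Assumed internal address space; any peer outside it counts as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # skip malformed lines rather than crash
        ts, direction, method, peer, path, body = m.groups()
        events.append({"t": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "dir": direction, "method": method, "peer": peer,
                       "path": path,
                       "body": b"" if body == "-" else bytes.fromhex(body)})
    return sorted(events, key=lambda e: e["t"])

def find_chain(events):
    """Return (inbound, put, elf) triples matching the sequence: external
    inbound request -> outbound PUT to an external host -> ELF download."""
    hits = []
    for a in events:
        if not (a["dir"] == "in" and is_external(a["peer"])):
            continue
        deadline = a["t"] + WINDOW
        for p in events:
            if not (p["dir"] == "out" and p["method"] == "PUT"
                    and is_external(p["peer"]) and a["t"] <= p["t"] <= deadline):
                continue
            for d in events:
                if (d["dir"] == "out" and is_external(d["peer"])
                        and d["body"].startswith(ELF_MAGIC)
                        and p["t"] <= d["t"] <= deadline):
                    hits.append((a, p, d))
    return hits
```

Each hit names the inbound request that should be checked against the FMC advisory and the external hosts to block and investigate.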
The association with Interlock ransomware stems from convergent technical and operational indicators, such as the embedded ransom notes and TOR negotiation portals. Evidence suggests the threat actor operates primarily within the UTC+3 time zone.
Mitigation and Future Outlook
In response to the active exploitation of this critical flaw, users of Cisco Secure Firewall Management Center (FMC) Software are strongly advised to apply available patches immediately. Organizations should also conduct thorough security assessments to identify any potential compromises and meticulously review their ScreenConnect deployments for unauthorized installations. Implementing defense-in-depth strategies is crucial to bolster overall security posture.
“The real story here isn’t just about one vulnerability or one ransomware group—it’s about the fundamental challenge zero-day exploits pose to every security model,” Moses stated. He emphasized that when attackers exploit vulnerabilities before patches are available, even diligent patching programs cannot offer complete protection during that critical window.
Moses further elaborated that defense-in-depth, employing layered security controls, is essential as it provides protection when individual controls fail or are not yet deployed. While rapid patching remains fundamental for vulnerability management, defense in depth ensures organizations are not left defenseless during the gap between exploit and patch availability.
This disclosure coincides with reports from Google indicating a shift in ransomware tactics. Threat actors are adapting to declining payment rates by targeting vulnerabilities in common VPNs and firewalls for initial access, while relying less on external tools and more on built-in Windows capabilities. Multiple threat clusters are also observed employing malvertising and SEO tactics for malware distribution, alongside the use of compromised credentials and legitimate remote desktop software.
Google anticipates that ransomware will continue to be a dominant global threat, but reduced profits may lead some actors to explore alternative monetization strategies. This could include an increase in data theft extortion operations, more aggressive extortion tactics, or opportunistic use of compromised victim environments for secondary monetization, such as using victim infrastructure to send phishing messages.
The ongoing evolution of ransomware tactics and the persistent threat of zero-day exploits highlight the need for continuous vigilance and proactive security measures. Organizations must remain prepared for sophisticated attacks and adapt their defenses accordingly. The effectiveness of future defense strategies will depend on the ability to integrate rapid response to new threats with comprehensive, multi-layered security architectures.