Interlock ransomware
Amazon threat intelligence has uncovered an active Interlock ransomware campaign that exploited a critical vulnerability in Cisco Secure Firewall Management Center (FMC) as a zero-day.
The flaw, tracked as CVE-2026-20131, carries a maximum CVSS score of 10. While Cisco publicly disclosed the bug on March 4, 2026, Amazon’s research found that Interlock had been exploiting it since January 26—giving the group a “weeks’ head start to compromise organizations before defenders even knew to look”.
The vulnerability is rooted in the “insecure deserialization of a user-supplied Java byte stream” within the FMC’s web-based management interface. By sending a crafted Java object, an unauthenticated remote attacker can “execute arbitrary Java code as root on an affected device”.
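As an added example (not code from the article or from Amazon’s report), the following Python triage routine shows one defensive check for the input class the advisory describes: it flags HTTP requests to a management interface whose body carries a Java serialization stream header, either raw or base64-encoded, and rates unauthenticated hits highest. The request records, paths and addresses are constructed for illustration.

```python
import base64

# Header every java.io.ObjectOutputStream writes: STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# The same header once base64-encoded (seen when the stream rides in a form field or cookie)
JAVA_STREAM_MAGIC_B64 = base64.b64encode(JAVA_STREAM_MAGIC)[:5]  # b"rO0AB"


def java_stream_indicators(body: bytes) -> list:
    """Return the encodings in which a Java serialization header appears in a request body."""
    hits = []
    if JAVA_STREAM_MAGIC in body:
        hits.append("raw")
    if JAVA_STREAM_MAGIC_B64 in body:
        hits.append("base64")
    return hits


def triage(requests: list) -> list:
    """Rate each request record. A serialized Java object arriving without an
    authenticated session is the pattern a pre-auth deserialization flaw abuses,
    so it gets the highest severity; an authenticated hit still deserves review."""
    alerts = []
    for r in requests:
        encodings = java_stream_indicators(r["body"])
        if not encodings:
            continue
        severity = "high" if not r["authenticated"] else "medium"
        alerts.append({"src": r["src"], "path": r["path"],
                       "encodings": encodings, "severity": severity})
    return alerts


# Constructed sample traffic: hypothetical paths, addresses from documentation ranges
SAMPLE_REQUESTS = [
    {"src": "192.0.2.10", "path": "/login", "authenticated": False,
     "body": b"username=admin"},
    {"src": "198.51.100.7", "path": "/api/upload", "authenticated": False,
     "body": JAVA_STREAM_MAGIC + b"sr\x00\x11java.util.HashMap"},
    {"src": "203.0.113.5", "path": "/api/settings", "authenticated": True,
     "body": b"payload=" + base64.b64encode(JAVA_STREAM_MAGIC + b"\x73\x72")},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_REQUESTS):
        print(alert)
```

A check like this belongs on a reverse proxy or IDS in front of the management interface, complementing rather than replacing the vendor patch.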
Amazon’s security teams gained an unprecedented look into this campaign after a “misconfigured infrastructure server—essentially, a poorly secured staging area used by the attackers—exposed Interlock’s complete operational toolkit”.
The group developed custom Remote Access Trojans (RATs) in both JavaScript and Java to maintain a persistent foothold.
As the Amazon analysts noted:
“Interlock built the same backdoor in two different programming languages, ensuring they maintain access even if defenders detect one version”.
Beyond their custom implants, the group utilized a “fileless” memory-resident webshell to evade traditional antivirus. This tool intercepts HTTP requests and executes malicious code entirely within the Java Virtual Machine (JVM) without writing a single file to the disk.
The exposed staging server revealed a suite of tools designed for rapid network takeover:
- Reconnaissance Scripts: A PowerShell tool that automates the collection of browser artifacts, RDP authentication events, and Hyper-V inventories.
- Infrastructure Laundering: A Bash script that builds “disposable traffic-laundering relay nodes” using HAProxy to hide the attacker’s true location.
- Aggressive Cleanup: A log erasure routine that “truncates all *.log files under /var/log” every five minutes to hinder forensic investigations.
- Legitimate Tool Abuse: The deployment of commercial tools like ConnectWise ScreenConnect alongside malware to “blend with authorized remote administration traffic”.
The campaign has been firmly attributed to Interlock based on their signature negotiation portal and ransom notes. Notably, the group uses “regulatory exposure to pressure victims,” threatening them with compliance fines in addition to data encryption.
Interlock’s primary targets continue to be sectors where downtime is devastating, with Education representing their largest share of activity, followed by healthcare and manufacturing.
Organizations running Cisco Secure Firewall Management Center are urged to “immediately apply Cisco’s security patches”. While the attack surface is reduced if the management interface is not public-facing, the severity of the root-level access makes this a top-priority fix.