Interlock group exploiting the CISCO FMC flaw CVE-2026-20131 36 days before disclosure
The Interlock ransomware gang exploited the Cisco FMC zero-day CVE-2026-20131 in attacks that began 36 days before the flaw was disclosed. The vulnerability lets unauthenticated remote attackers execute arbitrary code through Java deserialization. Researchers discovered the activity through honeypots and investigated it together with Cisco.

2026-3-19 09:22:32 Author: securityaffairs.com


The Interlock ransomware group has exploited a Cisco FMC zero-day RCE vulnerability in attacks since late January.

The Interlock ransomware group has been exploiting a critical zero-day RCE vulnerability, tracked as CVE-2026-20131 (CVSS score of 10.0), in Cisco Secure Firewall Management Center (FMC) since late January.

The vulnerability is a remote code execution flaw that resides in Cisco Secure FMC’s web interface and allows unauthenticated remote attackers to exploit insecure Java deserialization and execute arbitrary code as root by sending a crafted serialized object.

“A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device,” reads the advisory. “This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.”

CVE-2026-20131 also impacts Cisco Security Cloud Control (SCC) Firewall Management. The networking giant addressed the flaw in early March 2026.

The Interlock ransomware group has been active since September 2024 and has targeted multiple organizations, including DaVita, Kettering Health, and Texas Tech University. Recently, researchers observed a new AI-assisted malware strain called Slopoly used in its operations.

Amazon researchers observed the Interlock group exploiting the CVE-2026-20131 flaw 36 days before disclosure, starting on January 26, 2026. This gave attackers time to compromise targets before detection. The activity was uncovered via honeypots and shared with Cisco to aid in the investigation and protect customers.

“After Cisco’s disclosure, Amazon threat intelligence began research into this vulnerability using Amazon MadPot’s global sensor network—a system of honeypot servers that attract and monitor cybercriminal activity. While looking for any current or past exploits of this vulnerability, our research found that Interlock was exploiting this vulnerability 36 days before its public disclosure, beginning January 26, 2026,” reads the report published by Amazon. “This wasn’t just another vulnerability exploit, Interlock had a zero-day in their hands, giving them a week’s head start to compromise organizations before defenders even knew to look. Upon making this discovery, we shared our findings with Cisco to help support their investigation and protect customers.”

A misconfigured server exposed Interlock’s full toolkit, revealing its multi-stage attacks, custom backdoors, reconnaissance tools, and evasion methods. AWS pointed out that its systems were not affected. The findings provide detailed indicators to help detect compromises, and organizations using Cisco FMC are urged to apply patches and review the shared indicators immediately.

“Amazon threat intelligence identified threat activity potentially related to CVE-2026-20131 beginning January 26, 2026, predating the public disclosure,” continues the report. “Observed activity involved HTTP requests to a specific path in the affected software. Request bodies contained Java code execution attempts and two embedded URLs: one used to deliver configuration data supporting the exploit, and another designed to confirm successful exploitation by causing a vulnerable target to perform an HTTP PUT request and upload a generated file. Multiple variations of these URLs were observed across different exploit attempts.”
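The two observable halves of the pattern described above, a crafted serialized Java object arriving at the management interface and an outbound HTTP PUT from the appliance to a URL it has no business contacting, can both be checked from web and egress logs. The following detector is an added example written for this article, not code from Amazon, Cisco, or Interlock. The log record layout, the endpoint path, the allow-list of legitimate outbound hosts and every sample event are constructed for illustration; the page does not give the affected request path, so the detector keys on the payload and on the direction of traffic rather than on any path.

```python
"""Detection sketch for the exploitation pattern described in the article.

Added example, not the vendor's or the researchers' code. Record layout,
paths, hosts and all sample events are constructed.
"""
import base64
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# Any base64 encoding of a stream starting with those bytes begins "rO0AB".
JAVA_SER_B64_PREFIX = "rO0AB"

# Assumption: hosts the management appliance is legitimately allowed to reach.
ALLOWED_OUTBOUND_HOSTS = {"updates.vendor.invalid", "ntp.corp.invalid"}


@dataclass
class HttpEvent:
    direction: str   # "inbound" (to the management interface) or "outbound"
    src: str         # client address (inbound) or appliance name (outbound)
    method: str
    url: str
    body: bytes


def looks_like_java_serialized(body: bytes) -> bool:
    """True if the body carries a raw or base64-encoded Java serialization stream."""
    stripped = body.lstrip()
    if stripped.startswith(JAVA_SER_MAGIC):
        return True
    text = stripped.decode("ascii", errors="ignore")
    start = text.find(JAVA_SER_B64_PREFIX)
    if start < 0:
        return False
    # Decode the first four base64 characters and confirm they are 0xACED00,
    # so a coincidental "rO0AB" inside unrelated text is not enough on its own.
    return base64.b64decode(text[start:start + 4]) == b"\xac\xed\x00"


def classify(event: HttpEvent) -> List[str]:
    """Return alert tags for one event; an empty list means nothing suspicious."""
    alerts = []
    if (event.direction == "inbound" and event.method in {"POST", "PUT"}
            and looks_like_java_serialized(event.body)):
        alerts.append("java-deserialization-payload")
    if event.direction == "outbound" and event.method == "PUT":
        host = urlparse(event.url).hostname or ""
        if host not in ALLOWED_OUTBOUND_HOSTS:
            # An appliance uploading a file to an unknown host matches the
            # "confirm exploitation via HTTP PUT" step described in the report.
            alerts.append("unexpected-outbound-put")
    return alerts


def scan(events: List[HttpEvent]) -> List[Tuple[str, str, List[str]]]:
    """Run classify() over a batch of events and keep only the ones that alert."""
    return [(e.src, e.url, tags) for e in events if (tags := classify(e))]


# Constructed sample traffic; addresses are documentation ranges, not real IoCs.
SAMPLE_EVENTS = [
    HttpEvent("inbound", "203.0.113.10", "POST", "/example-mgmt/endpoint",
              b"\xac\xed\x00\x05sr\x00\x0ejava.util.HashMap"),
    HttpEvent("inbound", "203.0.113.11", "POST", "/example-mgmt/endpoint",
              b"payload=rO0ABXNyAA5qYXZhLnV0aWwuSGFzaE1hcA"),
    HttpEvent("inbound", "198.51.100.5", "POST", "/login",
              b"username=admin&password=redacted"),
    HttpEvent("outbound", "fmc.corp.invalid", "PUT",
              "http://203.0.113.77/out/host1.txt", b"hostname=fmc\n"),
    HttpEvent("outbound", "fmc.corp.invalid", "GET",
              "https://updates.vendor.invalid/feed", b""),
]

if __name__ == "__main__":
    for src, url, tags in scan(SAMPLE_EVENTS):
        print(f"{src:18} {url:45} {', '.join(tags)}")
```

Against the constructed batch the scan flags the two inbound requests carrying a serialization stream (one raw, one base64 inside a form field) and the outbound PUT to an unlisted host, and stays quiet on the ordinary login and update traffic. In practice the outbound check is the more durable of the two, since it does not depend on how the payload is encoded.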

Researchers mimicked a compromised system to trigger Interlock’s next step, leading to the download of a malicious Linux binary. Analysis showed a single server hosted the group’s full toolkit, organizing files by target and using the same paths to both deploy tools and collect stolen data.

The recovered ELF malware is attributed to the Interlock ransomware group based on consistent ransom notes, TOR negotiation portals, and unique victim IDs used for tracking. The group is known for targeting sectors where disruption drives payment, including education, healthcare, industry, and government. Timeline analysis suggests operators likely work in a UTC+3 timezone.
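The timezone remark above comes from a standard timeline heuristic: take the UTC timestamps of operator-driven events, and find the UTC offset that places the most of them inside a normal working day. The following is an added example of that heuristic, not Amazon's method or data; the working window and every timestamp are constructed so that the best-fitting offset is UTC+3, matching the article's conclusion.

```python
"""Infer an operator's likely working-hours UTC offset from event timestamps.

Added example of the timeline heuristic, not the researchers' code. The
working window and the sample timestamps are constructed.
"""
from collections import Counter
from datetime import datetime, timezone
from typing import Iterable, Tuple

# Assumed local working window, [09:00, 18:00).
WORK_START, WORK_END = 9, 18


def infer_utc_offset(timestamps: Iterable[datetime]) -> Tuple[int, float]:
    """Return (offset_hours, fraction_in_window) for the UTC offset whose local
    clock puts the largest share of events inside the working window.
    Ties resolve to the smallest offset; an empty input raises ValueError."""
    hours = Counter(ts.astimezone(timezone.utc).hour for ts in timestamps)
    total = sum(hours.values())
    if total == 0:
        raise ValueError("no timestamps supplied")
    best_offset, best_count = None, -1
    for offset in range(-12, 15):            # UTC-12 .. UTC+14
        in_window = sum(n for h, n in hours.items()
                        if WORK_START <= (h + offset) % 24 < WORK_END)
        if in_window > best_count:
            best_offset, best_count = offset, in_window
    return best_offset, best_count / total


# Constructed activity: three events in each UTC hour 06:00..14:00 (a 09:00-17:00
# day at UTC+3), plus three off-hours events to make the data less tidy.
SAMPLE_TIMESTAMPS = [
    datetime(2026, 1, 26 + day, hour, minute, tzinfo=timezone.utc)
    for hour in range(6, 15)
    for day, minute in ((0, 5), (1, 30), (2, 50))
] + [
    datetime(2026, 1, 27, 22, 10, tzinfo=timezone.utc),
    datetime(2026, 1, 28, 22, 45, tzinfo=timezone.utc),
    datetime(2026, 1, 29, 2, 15, tzinfo=timezone.utc),
]

if __name__ == "__main__":
    offset, share = infer_utc_offset(SAMPLE_TIMESTAMPS)
    print(f"best fit: UTC{offset:+d} with {share:.0%} of events in working hours")
```

The result is only as good as the event selection feeding it: automated beaconing or scheduled tasks will flatten the histogram, so the input should be limited to actions that require a human at a keyboard, such as interactive shell commands or tool uploads.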

After initial access, Interlock deploys PowerShell scripts to systematically map compromised networks, collecting system, user, and browser data across multiple machines. They then use custom remote access trojans (in JavaScript and Java) to maintain persistent control, execute commands, transfer files, and exfiltrate data via encrypted communications.

To hide their activity, attackers set up proxy-based relay infrastructure that masks the origin of attacks and regularly wipes logs to erase evidence. They also use fileless webshells that run entirely in memory, decrypting and executing malicious code without touching disk—making detection by traditional security tools far more difficult.

Researchers found a simple Java tool acting as a “phone home” beacon, confirming access by logging connections on a hidden port. Interlock also abused legitimate tools like ConnectWise ScreenConnect for stealthy remote access, ensuring persistence if malware is removed. Additional tools such as Volatility and Certify were used to extract credentials, move laterally, escalate privileges, and maintain long-term control of compromised systems.

Amazon provided indicators of compromise (IoCs) for these attacks and defensive recommendations.


Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2026-20131)

Source: https://securityaffairs.com/189636/malware/interlock-group-exploiting-the-cisco-fmc-flaw-cve-2026-20131-36-days-before-disclosure.html