Interlock Ransomware Used Cisco FMC Zero Day for Root Access

Amazon Threat Intelligence warns that Interlock ransomware actively exploited a critical Cisco Secure Firewall Management Center (FMC) flaw. The issue is tracked as CVE-2026-20131. Cisco assigned it a CVSS score of 10.0 and described it as insecure deserialization of a user-supplied Java byte stream that can allow unauthenticated code execution as root. Amazon said the exploit ran in the wild before the public disclosure.

Amazon’s MadPot sensor network first saw exploitation activity on January 26, 2026. Cisco publicly disclosed the vulnerability on March 4, 2026. “This wasn’t just another vulnerability exploit; Interlock had a zero day in their hands, giving them a week’s head start to compromise organizations before defenders even knew to look,” CJ Moses, chief information security officer of Amazon Integrated Security, said.

How the attack worked

Amazon investigators reconstructed the attack chain after discovering a misconfigured Interlock staging server. That server leaked the group’s operational toolkit and showed the full multi-stage chain, Amazon said. The initial step involved specially crafted HTTP requests to a path in FMC that attempted to run Java code. Successful exploitation caused the target to perform an HTTP PUT to the attacker’s server and then fetch an ELF binary for the follow-up stages.
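As an added defender-side example (not Amazon’s tooling and not any indicator Amazon published), the following Python script flags a host that makes an outbound HTTP PUT to an external server and then downloads an ELF executable from the same server within a short window, the post-exploitation sequence described above. The log field names, the sample records and the internal address ranges are constructed for this example and should be adapted to your own proxy or Zeek-style HTTP logs.

```python
# Added example: correlate "outbound PUT to external host" with "ELF download
# from the same host" per source IP. Field names (ts, src, dst, method, uri,
# resp_mime) are constructed, loosely modelled on Zeek http.log columns.
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records: 10.0.5.20 is benign, 10.0.5.21 matches the
# pattern within seconds, 10.0.5.22 matches only across a one-hour gap.
SAMPLE_LOG = [
    {"ts": "2026-01-26T03:14:01Z", "src": "10.0.5.20", "dst": "10.0.5.1", "method": "GET", "uri": "/health", "resp_mime": "text/html"},
    {"ts": "2026-01-26T03:15:10Z", "src": "10.0.5.21", "dst": "203.0.113.45", "method": "PUT", "uri": "/upload", "resp_mime": "text/plain"},
    {"ts": "2026-01-26T03:15:12Z", "src": "10.0.5.21", "dst": "203.0.113.45", "method": "GET", "uri": "/stage2", "resp_mime": "application/x-executable"},
    {"ts": "2026-01-26T03:40:00Z", "src": "10.0.5.22", "dst": "198.51.100.9", "method": "PUT", "uri": "/api", "resp_mime": "application/json"},
    {"ts": "2026-01-26T04:40:00Z", "src": "10.0.5.22", "dst": "198.51.100.9", "method": "GET", "uri": "/bin", "resp_mime": "application/x-executable"},
]

# MIME labels a sensor typically assigns to ELF content (assumption: adjust to your sensor).
ELF_MIME = {"application/x-executable", "application/x-elf", "application/x-sharedlib"}

# Constructed "internal" ranges; a management appliance should rarely PUT outside them.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_put_then_elf(records, window_seconds=300):
    """Return (src, dst, put_ts, get_ts) for each external PUT followed, within
    window_seconds, by an ELF download from the same destination by the same source."""
    hits, by_src = [], {}
    for r in sorted(records, key=lambda r: r["ts"]):  # ISO-8601 strings sort chronologically
        by_src.setdefault(r["src"], []).append(r)
    for src, rs in by_src.items():
        for i, r in enumerate(rs):
            if r["method"] != "PUT" or not _is_external(r["dst"]):
                continue
            put_ts = _parse_ts(r["ts"])
            for later in rs[i + 1:]:
                if _parse_ts(later["ts"]) - put_ts > timedelta(seconds=window_seconds):
                    break  # records are sorted, so nothing later can be in the window
                if later["method"] == "GET" and later["dst"] == r["dst"] and later["resp_mime"] in ELF_MIME:
                    hits.append((src, r["dst"], r["ts"], later["ts"]))
                    break
    return hits

if __name__ == "__main__":
    for hit in find_put_then_elf(SAMPLE_LOG):
        print("suspicious PUT-then-ELF-download: src=%s dst=%s put=%s get=%s" % hit)
```

Widening `window_seconds` trades false positives for coverage of slower staging; the default of five minutes is a starting point, not a tuned threshold.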

Amazon listed the core tools observed. These include:

  • A PowerShell reconnaissance script that harvests OS details, running services, installed software, VM inventory, file listings, browser artifacts, active connections, and RDP events.
  • Custom remote access trojans in JavaScript and Java that provide interactive shells, file transfer, SOCKS5 proxying, and self-update and self-delete features.
  • A Bash script that configures Linux boxes as HTTP reverse proxies with HAProxy and schedules aggressive log deletion to erase traces.
  • A memory-resident Java web shell that inspects incoming requests for encrypted payloads and runs them in memory to avoid detection on disk.
  • A lightweight network beacon used to verify successful code execution or network reachability.
  • ConnectWise ScreenConnect deployed for redundant persistent access.

Amazon said these artifacts tied the campaign to the Interlock ransomware family through convergent technical and operational indicators, including the embedded ransom note and TOR negotiation portal. The note and infrastructure matched Interlock’s known patterns, Amazon added.

What organizations should do now

Amazon urged immediate action. Apply Cisco’s security patches for FMC at once, the company said. Conduct security assessments and hunt for indicators of compromise. Review all ScreenConnect deployments for unauthorized installs. Amazon also recommended layered controls and continuous monitoring.

“The real story here isn’t just about one vulnerability or one ransomware group, it’s about the fundamental challenge zero day exploits pose to every security model,” Moses said. He added, “This is precisely why defense in depth is essential. Rapid patching remains foundational, but layered controls help organizations survive the window between exploit and patch.”

Google has also warned that ransomware actors are shifting tactics. “While we anticipate ransomware to remain one of the most dominant threats globally, the reduction in profits may cause some threat actors to seek other monetization methods,” Google said. That includes more focus on vulnerabilities in VPNs and firewalls, and on using built-in Windows capabilities instead of external tools.

Amazon Threat Intelligence said it continues to monitor Interlock activity and is sharing indicators and protections with Cisco and the security community. Organizations running Cisco FMC should assume risk until patches are applied and investigations are complete.
