Ransomware, Vulnerability Management, Patch/Configuration Management

Interlock ransomware targeting of max severity Cisco FMC zero-day precedes disclosure

Attacks exploiting the maximum-severity insecure deserialization zero-day vulnerability in Cisco Secure Firewall Management Center software, tracked as CVE-2026-20131, have been launched by the Interlock ransomware gang since Jan. 26, more than a month before the flaw's public disclosure, The Hacker News reports.

Interlock weaponized CVE-2026-20131 by sending crafted HTTP requests that executed arbitrary Java code; the resulting commands retrieved an ELF binary bundling various tools, including a PowerShell reconnaissance script for Windows environment enumeration, custom JavaScript- and Java-based remote access trojans, and a Bash script that turned Linux servers into HTTP reverse proxies, according to Amazon Threat Intelligence researchers, who discovered the exploitation through an unsecured Interlock infrastructure server.

Also fetched by the commands were a memory-resident web shell and a lightweight network beacon, as well as ConnectWise ScreenConnect and the Volatility Framework. Cisco has already urged immediate patching. The development underscores the importance of defense-in-depth tactics, said Amazon Integrated Security Chief Information Security Officer CJ Moses.

"Rapid patching remains foundational in vulnerability management, but defense-in-depth helps organizations not to be defenseless during the window between exploit and patch," Moses added.
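The bug class behind this advisory, insecure Java deserialization, follows a well-known pattern: bytes from an untrusted request are handed to `ObjectInputStream.readObject()`, so any `Serializable` class on the classpath can be instantiated. The following is an added illustration written for this article, not Cisco's code and not a description of how FMC processes requests; the `SessionToken` class, the filter string, and the sample inputs are all constructed for the example. It shows the vulnerable pattern beside the JDK's built-in mitigation, a JEP 290 `ObjectInputFilter` allowlist, which is the kind of compensating control that shrinks the exploit-to-patch window Moses describes.

```java
import java.io.*;
import java.util.*;

// Added example (not Cisco's code): the generic Java pattern behind
// "insecure deserialization" findings, and the defensive fix.
public final class DeserializationHardening {

    // A plain data class an endpoint might legitimately accept (constructed for this example).
    public static final class SessionToken implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String user;
        public final long issuedAt;
        public SessionToken(String user, long issuedAt) { this.user = user; this.issuedAt = issuedAt; }
    }

    // VULNERABLE pattern: request bytes go straight into ObjectInputStream.
    // Any Serializable class on the classpath may be instantiated, which is
    // what turns this class of bug into remote code execution.
    static Object unsafeDeserialize(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // HARDENED pattern: a JEP 290 filter that rejects every class except an
    // explicit allowlist, and caps graph depth, array length and total bytes
    // to blunt resource-exhaustion payloads. "!*" at the end rejects all
    // classes not matched by an earlier pattern.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;maxbytes=65536;"
            + DeserializationHardening.class.getName() + "$SessionToken;"
            + "java.lang.String;!*");

    static SessionToken safeDeserialize(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(ALLOWLIST);
            Object o = in.readObject();  // throws InvalidClassException when the filter rejects
            if (!(o instanceof SessionToken)) {
                throw new InvalidClassException("unexpected type: " + o.getClass().getName());
            }
            return (SessionToken) o;
        }
    }

    // Helper used only to build constructed sample inputs for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate token, and an object of a type the
        // endpoint never needs (a HashMap stands in for anything unexpected).
        byte[] good = serialize(new SessionToken("alice", 1700000000L));
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("hardened, accepted user: " + safeDeserialize(good).user);
        try {
            safeDeserialize(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("hardened, rejected: " + e.getMessage());
        }
        // The unsafe path accepts the unexpected type without complaint.
        System.out.println("unsafe accepts: " + unsafeDeserialize(unexpected).getClass().getName());
    }
}
```

The filter can also be installed process-wide with the `jdk.serialFilter` system property or `ObjectInputFilter.Config.setSerialFilter`, which matters for third-party code paths an application does not control directly; the per-stream form above is the one to use when the set of expected types is known at the call site.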
