An active exploitation campaign by the Interlock ransomware group is targeting a significant zero-day vulnerability, CVE-2026-20131, found in the Cisco Secure Firewall Management Center (FMC) Software. This vulnerability allows unauthenticated remote attackers to execute arbitrary Java code with root privileges.
Discovery and Impact
Cisco publicly acknowledged this critical flaw on March 4, 2026. However, Amazon’s threat intelligence team discovered that the Interlock group had been exploiting this weakness 36 days prior to its disclosure. The campaign began on January 26, 2026, allowing the attackers ample time to infiltrate systems unnoticed by cybersecurity defenses.
Amazon provided Cisco with detailed findings to aid in their investigation. Notably, AWS infrastructure and customer environments were unaffected by this exploit. The exposure of a misconfigured Interlock server further advanced the investigation, revealing the group’s operational toolkit and methodologies.
Attack Methodology and Indicators
The initial intrusion used specially crafted HTTP requests aimed at vulnerable software paths, embedding Java code and URLs for exploitation. A successful breach was confirmed by HTTP PUT requests that uploaded a generated file, which then triggered further malicious actions. Researchers simulated compromised systems to observe the deployment of a malicious Linux ELF binary.
Technical indicators strongly associate these activities with the Interlock ransomware family, active since September 2024. Their tactics include a double extortion model, often highlighting regulatory risks in ransom notes to pressure victims. The group usually targets sectors like education, healthcare, manufacturing, and government.
Defensive Measures and Recommendations
Organizations utilizing Cisco Secure Firewall Management Center are urged to implement the latest security updates without delay. Interlock’s approach involves customized tools for each target, rendering traditional file hash detection ineffective. Instead, defenders should focus on behavioral analysis and detecting memory-resident anomalies.
The ransomware group employs sophisticated methods to maintain network access and evade detection, including custom remote access tools and fileless, memory-resident webshells. They also leverage legitimate software for malicious purposes. Vigilance in network monitoring and rapid patch application remains crucial to thwarting these advanced threats.
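As an added illustration of the behavioral, memory-resident check the recommendation above points to (this is example code written for this page, not tooling from the article, Amazon, or Cisco): a fileless ELF payload or webshell has no backing file on disk, which shows up on Linux as a `/proc/<pid>/exe` link that resolves to `/memfd:<name> (deleted)` or to a path ending in ` (deleted)`. The script below flags such processes. It assumes a Linux host where `/proc` is readable with sufficient privilege; the sample entries are constructed and do not come from the incident.

```python
import os
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Heuristics for an executable image with no backing file on disk:
#  - /proc/<pid>/exe -> "/memfd:<name> (deleted)"  (process launched from memfd_create)
#  - /proc/<pid>/exe -> "<path> (deleted)"          (file unlinked after exec, image lives only in memory)
# Either is worth investigating; neither is proof of compromise on its own
# (some package managers and self-updating daemons also unlink binaries while running).
MEMFD_PREFIX = "/memfd:"
DELETED_SUFFIX = " (deleted)"

Entry = Tuple[int, str, str]  # (pid, comm, exe link target)


@dataclass
class Finding:
    pid: int
    comm: str
    exe: str
    reason: str


def classify_exe(exe_target: str) -> Optional[str]:
    """Return why an exe link target looks memory-resident, or None if it looks normal."""
    if exe_target.startswith(MEMFD_PREFIX):
        return "executable is backed by anonymous memory (memfd), not a file on disk"
    if exe_target.endswith(DELETED_SUFFIX):
        return "executable was deleted after launch; image survives only in memory"
    return None


def scan_entries(entries: Iterable[Entry]) -> List[Finding]:
    """Apply classify_exe to (pid, comm, exe) tuples and collect the suspicious ones."""
    findings = []
    for pid, comm, exe in entries:
        reason = classify_exe(exe)
        if reason:
            findings.append(Finding(pid, comm, exe, reason))
    return findings


def read_proc() -> Iterable[Entry]:
    """Walk the live /proc filesystem (Linux only; other users' exe links need root)."""
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue  # kernel thread, process already exited, or insufficient privilege
        yield pid, comm, exe


# Constructed sample modelled on what os.readlink("/proc/<pid>/exe") returns.
# Names and paths are placeholders, not indicators from the Interlock campaign.
SAMPLE_ENTRIES: List[Entry] = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (1187, "java", "/usr/lib/jvm/java-17/bin/java"),
    (4021, "sshd", "/usr/sbin/sshd"),
    (5310, "update", "/memfd:stage (deleted)"),
    (5342, "svc", "/tmp/.cache/svc (deleted)"),
]


if __name__ == "__main__":
    # Pass --live to scan the running host instead of the constructed sample.
    entries = read_proc() if "--live" in sys.argv[1:] else SAMPLE_ENTRIES
    for hit in scan_entries(entries):
        print(f"pid={hit.pid} comm={hit.comm} exe={hit.exe!r}: {hit.reason}")
```

Run with `--live` on a Linux host to inspect real processes; run without arguments to see the two constructed hits. A practical deployment would record the flagged PID, dump its memory for analysis, and correlate the finding with the HTTP PUT activity described above rather than relying on the exe link alone.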
