Amazon Threat Intelligence has revealed that the Interlock ransomware group exploited CVE-2026-20131—a critical CVSS 10.0 vulnerability in Cisco Secure Firewall Management Center—as a zero-day since January 26, 2026, more than five weeks before Cisco publicly disclosed the flaw on March 4.
Why It Matters
This case demonstrates the dangerous window between zero-day exploitation and vendor disclosure. Organizations running Cisco FMC had no way to defend against an attack that threat actors had already been leveraging for over a month. The discovery underscores why defense-in-depth strategies are essential—when attackers exploit vulnerabilities before patches exist, even the most diligent patching programs cannot provide protection.
Attack Chain Details
According to Amazon’s MadPot global sensor network, the attack involves:
- Initial Access: Crafted HTTP requests to exploit insecure deserialization of Java byte streams, allowing unauthenticated remote code execution as root
- Confirmation: Compromised systems issue HTTP PUT requests to external servers to confirm successful exploitation
- Payload Delivery: ELF binaries fetched from attacker-controlled infrastructure
- Persistence: Custom JavaScript and Java RATs for C2, interactive shells, file transfer, and SOCKS5 proxy capability
Exposed Toolkit Reveals Sophistication
An operational security blunder by the threat actor exposed their full toolkit via a misconfigured server:
- PowerShell reconnaissance scripts for Windows environment enumeration (OS, hardware, services, browser artifacts, RDP events)
- Memory-resident web shells that decrypt and execute encrypted command payloads
- Infrastructure laundering scripts that configure Linux servers as HTTP reverse proxies with aggressive log erasure every five minutes
- ConnectWise ScreenConnect for persistent remote access
- Volatility Framework for memory forensics
Attribution
Links to Interlock stem from convergent technical indicators including embedded ransom notes and TOR negotiation portals. Evidence suggests the threat actor operates in the UTC+3 time zone.
Recommended Actions
- Apply Cisco FMC patches immediately
- Conduct security assessments to identify potential compromise
- Review ScreenConnect deployments for unauthorized installations
- Implement defense-in-depth strategies
- Monitor for indicators of the exposed attack toolkit
This vulnerability is confirmed under active exploitation. Organizations should prioritize patching and conduct incident response assessments.
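The beacon and payload-fetch behaviour in the attack chain above gives defenders something concrete to look for in egress logs: an FMC appliance should not be issuing HTTP PUT requests to arbitrary internet hosts, nor pulling ELF binaries from them. The script below is an added detection example (not code from Amazon, Cisco or the report); it assumes a simplified egress-proxy log format, placeholder FMC management IPs and a placeholder vendor allowlist, and runs over constructed sample lines.

```python
"""Heuristic egress detection for FMC appliances (constructed example).

Assumed log format, one request per line:
    <timestamp> <src_ip> <method> <url> <status> <content_type>
"""
import re
from urllib.parse import urlparse

FMC_HOSTS = {"10.0.0.5"}                          # placeholder: FMC management IPs
VENDOR_ALLOWLIST = {"cisco.com", "tools.cisco.com"}  # placeholder: expected egress domains
ELF_CONTENT_TYPES = {"application/x-executable", "application/x-elf"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

# Constructed sample log; 203.0.113.0/24 is a documentation range, not a real IoC.
SAMPLE_LOG = """\
2026-02-01T09:14:02Z 10.0.0.5 GET https://tools.cisco.com/updates/feed 200 application/json
2026-02-01T09:15:10Z 10.0.0.5 PUT http://203.0.113.44/ok 200 text/plain
2026-02-01T09:15:31Z 10.0.0.5 GET http://203.0.113.44/dl/agent 200 application/x-executable
2026-02-01T09:16:00Z 10.0.0.9 GET https://www.example.com/ 200 text/html
"""


def _is_external(host: str) -> bool:
    """True when the destination host is not in the vendor allowlist."""
    return not any(host == d or host.endswith("." + d) for d in VENDOR_ALLOWLIST)


def find_suspicious(log_text: str) -> list:
    """Return (timestamp, src, dest_host, reason) for each suspicious FMC request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, src, method, url, _status, ctype = m.groups()
        if src not in FMC_HOSTS:
            continue  # only FMC appliances are in scope for this heuristic
        host = urlparse(url).hostname or ""
        if not _is_external(host):
            continue  # vendor traffic is expected
        if method == "PUT":
            findings.append((ts, src, host, "outbound PUT to non-allowlisted host"))
        elif method == "GET" and ctype in ELF_CONTENT_TYPES:
            findings.append((ts, src, host, "executable fetched from non-allowlisted host"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding)
```

Content-Type is an unreliable signal for ELF payloads, so a production rule should also inspect the first four bytes of the response body (`\x7fELF`) at the proxy where that is possible.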
