Amazon Threat Intelligence Uncovers Interlock Ransomware Exploiting Cisco Zero-Day
**Amazon** Threat Intelligence has issued a warning about an active **Interlock** ransomware campaign targeting a critical vulnerability in **Cisco** Secure Firewall Management Center (FMC) Software. The flaw, exploited as a zero-day, allowed attackers to compromise systems before a patch was available, highlighting the importance of defense-in-depth strategies.

### Zero-Day Exploitation of Cisco Vulnerability
**Amazon** Threat Intelligence is sounding the alarm on an active **Interlock** ransomware campaign exploiting **CVE-2026-20131**, a critical security flaw (CVSS score: 10.0) in **Cisco** Secure Firewall Management Center (FMC) Software. This vulnerability involves insecure deserialization of user-supplied Java byte streams, potentially allowing an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on affected devices.
According to data from **Amazon's** MadPot global sensor network, the flaw was exploited as a zero-day starting January 26, 2026, over a month before **Cisco's** public disclosure.
"This wasn't just another vulnerability exploit; **Interlock** had a zero-day in their hands, giving them a week's head start to compromise organizations before defenders even knew to look. Upon making this discovery, we shared our findings with **Cisco** to help support their investigation and protect customers," said **CJ Moses**, chief information security officer (CISO) of **Amazon** Integrated Security.
### Operational Security Blunder Exposes Interlock's Toolkit
**Amazon's** discovery was aided by an operational security mistake by the threat actors. A misconfigured infrastructure server exposed the group's operational toolkit, giving insight into its multi-stage attack chain, custom remote access trojans, reconnaissance scripts, and evasion techniques.
### Attack Chain and Identified Tools
The attack chain begins with crafted HTTP requests to the FMC that execute arbitrary Java code. The compromised system then issues an HTTP PUT request to an external server to confirm successful exploitation, after which commands are sent to fetch an ELF binary that hosts other **Interlock**-related tools.
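The callback sequence above (an outbound PUT from the management host to an external server, followed by a binary download from the same place) is something a defender can look for in egress-proxy or firewall logs. The following is an added example written for this page, not code from Amazon, Cisco or the article: it parses a constructed proxy-log format, treats any destination outside an assumed internal address space and allow-list as external, and flags the two signals in order. The FMC address `10.0.5.20`, the allow-listed names, the sample log lines and the 100 KB download threshold are all assumptions made for the example.

```python
"""
Added example, not code from Amazon, Cisco or the source article.
Flags the post-exploitation callback pattern described in the article:
a management host issues an HTTP PUT to an external server, then fetches
a sizeable binary. Log format, hosts, addresses and thresholds are assumed.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed egress-proxy log format (constructed for this example):
#   "<timestamp> <src_ip> <method> <url> <status> <bytes_returned>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)
URL_HOST_RE = re.compile(r"^https?://([^/:]+)")

# Assumed: management-plane hosts (FMC) and the only destinations they should reach.
FMC_HOSTS = {"10.0.5.20"}
ALLOWED_EGRESS = {"updates.vendor.example", "repo.corp.example"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
BINARY_SIZE_THRESHOLD = 100_000  # bytes; assumed, tune to the environment


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    h = URL_HOST_RE.match(rec["url"])
    rec["host"] = h.group(1) if h else ""
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_external(host):
    """True unless the host is allow-listed or an IP inside the internal ranges."""
    if host in ALLOWED_EGRESS:
        return False
    try:
        addr = ip_address(host)
    except ValueError:
        return True  # a DNS name not on the allow-list
    return not any(addr in net for net in INTERNAL_NETS)


def detect(lines):
    """Return a list of (src, host, reason) alerts, in log order.

    Signal 1: PUT from an FMC host to an external server (the confirmation callback).
    Signal 2: a later GET by the same host that pulls a binary-sized body from an
              external server (the ELF fetch), only after signal 1 fired for that host.
    """
    alerts = []
    put_seen = defaultdict(set)  # src -> external hosts it has PUT to
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] not in FMC_HOSTS or not is_external(rec["host"]):
            continue
        src, host, method = rec["src"], rec["host"], rec["method"]
        if method == "PUT":
            put_seen[src].add(host)
            alerts.append((src, host, "outbound PUT from management host to external server"))
        elif method == "GET" and put_seen[src] and rec["bytes"] >= BINARY_SIZE_THRESHOLD:
            alerts.append((src, host, "binary-sized download after external PUT callback"))
    return alerts


# Constructed sample log: one benign vendor fetch, the two-step callback, and an
# unrelated host doing a PUT that must not alert because it is not an FMC.
SAMPLE_LOG = """\
2026-01-26T03:14:07Z 10.0.5.20 GET https://updates.vendor.example/manifest 200 812
2026-01-26T03:15:31Z 10.0.5.20 PUT http://203.0.113.45/confirm 200 0
2026-01-26T03:16:02Z 10.0.5.20 GET http://203.0.113.45/update.bin 200 2349056
2026-01-26T03:20:44Z 10.0.7.9 PUT https://files.corp.example/report 201 4096
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample log it raises two alerts for `10.0.5.20` and none for the ordinary workstation. The second signal is deliberately gated on the first so that routine large downloads by a management host do not alert on their own; if your FMC has no legitimate reason to reach anything beyond the allow-list, the first signal alone is sufficient and the size threshold can be dropped.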
The identified tools include:
* A PowerShell reconnaissance script for comprehensive Windows environment enumeration.
* Custom remote access trojans written in JavaScript and Java, offering command-and-control, interactive shell access, command execution, file transfer, and SOCKS5 proxy capability. They also feature self-update and self-delete mechanisms.
* A Bash script that configures Linux servers as HTTP reverse proxies, deploying **fail2ban** and **HAProxy** to obscure the attacker's origins. It also includes a log erasure routine.
* A memory-resident web shell that inspects incoming requests for encrypted command payloads.
* A lightweight network beacon for validating code execution or network port reachability.
* **ConnectWise ScreenConnect** for persistent remote access.
* **Volatility Framework**, an open-source memory forensics framework.

Links to **Interlock** are based on technical and operational indicators, including the ransom note and TOR negotiation portal. The threat actor most likely operates in the UTC+3 time zone.
### Recommendations
Given the active exploitation, users are urged to apply patches immediately, conduct security assessments, review **ScreenConnect** deployments, and implement defense-in-depth strategies.
"The real story here isn't just about one vulnerability or one ransomware group: it's about the fundamental challenge zero-day exploits pose to every security model," **Moses** stated. "When attackers exploit vulnerabilities before patches exist, even the most diligent patching programs can't protect you in that critical window."
He emphasized, "This is precisely why defense-in-depth is essential: layered security controls provide protection when any single control fails or hasn't yet been deployed. Rapid patching remains foundational in vulnerability management, but defense in depth helps organizations not to be defenseless during the window between exploit and patch."
### Evolving Ransomware Tactics
The disclosure coincides with **Google's** findings that ransomware actors are adapting their tactics due to declining payment rates. This includes targeting vulnerabilities in common VPNs and firewalls and relying more on built-in Windows capabilities.
Multiple threat clusters are also using malvertising and SEO tactics to distribute malware. Other common techniques include compromised credentials, backdoors, and legitimate remote desktop software for initial access, along with the use of built-in tools for reconnaissance, privilege escalation, and lateral movement.
**Google** anticipates that ransomware will remain a dominant threat, but reduced profits may lead actors to explore other monetization methods, such as increased data theft extortion or using compromised infrastructure for phishing.
### Cisco Updates Advisory
**Cisco** has updated its advisory for **CVE-2026-20131** to confirm active exploitation and strongly recommends upgrading to a fixed software release.