Amazon Threat Intelligence has issued a warning regarding an active Interlock ransomware campaign that is exploiting a recently disclosed critical security vulnerability in Cisco Secure Firewall Management Center (FMC) Software. The flaw, tracked as CVE-2026-20131 and carrying a maximum CVSS score of 10.0, is an insecure deserialization vulnerability in the handling of user-supplied Java byte streams. This allows an unauthenticated, remote attacker to bypass authentication entirely and execute arbitrary Java code with root-level privileges on a vulnerable device. According to data from Amazon's MadPot global sensor network, this vulnerability was exploited as a zero-day in the wild beginning January 26, 2026—over a month before Cisco's public disclosure.
The discovery of this active exploitation was significantly aided by an operational security failure from the threat actors themselves. A misconfigured infrastructure server exposed the cybercrime group's operational toolkit, providing Amazon researchers with detailed insights into their multi-stage attack chain. This toolkit included bespoke remote access trojans (RATs), reconnaissance scripts, and various evasion techniques. CJ Moses, Chief Information Security Officer (CISO) of Amazon Integrated Security, emphasized the severity of the situation, stating, "This wasn't just another vulnerability exploit; Interlock had a zero-day in their hands, giving them a week's head start to compromise organizations before defenders even knew to look." Upon this discovery, Amazon promptly shared its findings with Cisco to aid their investigation and help protect customers.
The technical attack chain begins with the threat actors sending crafted HTTP requests to a specific path within the vulnerable Cisco FMC software. The goal of this request is to trigger the insecure deserialization flaw and achieve arbitrary Java code execution. Following a successful compromise, the infected system initiates an HTTP PUT request to an external command-and-control (C2) server to confirm the exploitation. Subsequently, commands are issued to download an ELF binary from a remote server. This server also hosts additional tools definitively linked to the Interlock ransomware operation, with the links established through convergent technical and operational indicators.
This incident underscores several critical lessons for the cybersecurity community. First, it highlights the persistent threat of software supply chain and management console vulnerabilities, which provide high-value targets for ransomware groups. Second, it demonstrates how threat actor mistakes, like misconfigured servers, can provide invaluable intelligence to defenders. Finally, it reinforces the necessity of rapid threat intelligence sharing between private sector entities and vendors to mitigate attacks before widespread patches can be applied. Organizations using Cisco FMC are urged to apply the relevant security updates immediately if they have not already done so and to monitor their networks for any signs of the described compromise chain.
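The closing advice to monitor for the described compromise chain can be turned into a concrete check. The following is an added example, not code from Amazon's or Cisco's reports: it walks constructed egress-proxy records and flags an FMC management host that issues an outbound HTTP PUT to an external address and then downloads an ELF payload from an external server. The FMC address set, the log format and the assumption that the proxy records the first response bytes are all assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed: addresses of the FMC management appliances (placeholder, not from the advisory)
FMC_HOSTS = {"10.0.5.20"}
# Assumed internal ranges; anything outside is treated as external
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ELF_MAGIC = "7f454c46"  # first four bytes of every ELF file: 0x7F 'E' 'L' 'F'

# Constructed egress-proxy records: ts src method dst path status first_response_bytes_hex
SAMPLE_LOGS = """\
2026-01-26T10:00:01Z 10.0.5.20 GET 10.0.9.4 /updates/manifest.json 200 7b227665
2026-01-26T10:02:15Z 10.0.5.20 PUT 203.0.113.7 /api/v1/ping 200 6f6b0a00
2026-01-26T10:02:40Z 10.0.5.20 GET 203.0.113.7 /dl/svc 200 7f454c46
2026-01-26T10:03:00Z 10.0.8.3 PUT 198.51.100.9 /upload 200 7b226964
""".splitlines()


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def parse(line: str) -> dict:
    ts, src, method, dst, path, status, head = line.split()
    return {"ts": ts, "src": src, "method": method, "dst": dst,
            "path": path, "status": status, "head": head.lower()}


def find_chain(lines) -> list:
    """Return one alert per ELF download by an FMC host that was preceded by an
    outbound PUT from the same host to an external address (order matters)."""
    put_targets = defaultdict(list)  # src -> external hosts that received a PUT
    alerts = []
    for rec in map(parse, lines):
        if rec["src"] not in FMC_HOSTS or not is_external(rec["dst"]):
            continue
        if rec["method"] == "PUT":
            put_targets[rec["src"]].append(rec["dst"])
        elif rec["method"] == "GET" and rec["head"].startswith(ELF_MAGIC) and put_targets[rec["src"]]:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "c2": put_targets[rec["src"]][0],
                           "payload_host": rec["dst"], "path": rec["path"]})
    return alerts


if __name__ == "__main__":
    for alert in find_chain(SAMPLE_LOGS):
        print("possible FMC compromise chain:", alert)
```

An ELF fetch with no preceding external PUT from the same host is not flagged, which keeps routine package downloads out of the alert list.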