Interlock Ransomware Exploited Cisco FMC Zero-Day for Weeks Before Anyone Knew

Amazon Threat Intelligence has issued an urgent warning: the Interlock ransomware group has been actively exploiting CVE-2026-20131, a maximum-severity zero-day in Cisco Secure Firewall Management Center, since at least January 26, 2026 — more than five weeks before Cisco publicly disclosed or patched the flaw. Organizations running unpatched FMC software should treat this as an active emergency.

On March 4, 2026, Cisco released fixes for 48 vulnerabilities across its security product line, two of which — CVE-2026-20079 and CVE-2026-20131 — carry a CVSS score of 10.0, the highest possible rating. Both affect the web-based management interface of Cisco Secure Firewall Management Center (FMC), a platform Cisco itself describes as the "administrative nerve center" for firewall management, application control, intrusion prevention, URL filtering, and malware protection. Compromising it doesn't just hand an attacker one system. It hands them the keys to an organization's entire network perimeter.

What makes this disclosure uniquely alarming is the gap between exploitation and patch. According to data gathered from Amazon Web Services' MadPot global sensor network, Interlock had already been exploiting CVE-2026-20131 as a zero-day for over five weeks when Cisco finally issued its advisory. That window represents dozens of potential victims who had no patch, no public advisory, and no way to know the vulnerability even existed.

What CVE-2026-20131 Is and Why It Scores a Perfect 10

CVE-2026-20131 is a remote code execution vulnerability rooted in insecure deserialization. In plain terms: the FMC web interface accepts Java serialized objects from the network without first validating who is sending them or what they contain. An unauthenticated attacker — someone with no credentials, no prior foothold — can send a specially crafted serialized Java object directly to the management interface and trigger arbitrary code execution with root-level privileges.

The technical mechanism involves what researchers call a "gadget chain." Because the FMC application uses common Java libraries — such as Apache Commons Collections or Spring — an attacker can manipulate pre-existing classes already loaded in the application's Java Virtual Machine (JVM). By crafting an object graph that exploits how the JVM reconstructs serialized objects, the attacker causes the application to execute arbitrary operating system commands during the deserialization process itself, entirely bypassing application logic. No authentication prompt is ever reached.

"An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root." — Cisco Security Advisory

The CVSS vector tells the full story of the risk surface. The attack vector is Network (AV:N), meaning it is exploitable remotely. Attack Complexity is Low (AC:L), requiring no special conditions such as race conditions or unusual configurations. Privileges Required is None (PR:N), and User Interaction is None (UI:N). The Scope is Changed (S:C) — meaning a successful exploit on the FMC extends the blast radius to every managed Cisco Firewall Threat Defense (FTD) device under its control. Confidentiality, Integrity, and Availability impacts are all rated High. The result is a perfect 10.0.

There are no workarounds. Cisco has confirmed that standard mitigations — disabling specific services, changing configurations — are ineffective because the vulnerability lives in the core startup and management logic of the FMC. The only remediation is upgrading to a fixed software release. The advisory does note that if the FMC management interface lacks public internet exposure, the attack surface is reduced — but not eliminated, since many enterprise FMC deployments are accessible from broad internal network segments that an attacker with any foothold could reach.

CVE-2026-20131 also affects Cisco Security Cloud Control (SCC) Firewall Management. Cisco states it has already upgraded that cloud-hosted service as part of routine maintenance, so no action is required for SCC customers. On-premises FMC deployments are the primary concern.

Active Exploitation

Patch immediately. Use Cisco's Software Checker to confirm whether your FMC version is affected and identify the correct fixed release. If patching is not immediately possible, isolate the FMC management interface from untrusted networks using firewall rules or ACLs, and audit all FMC user accounts for unauthorized additions or modifications.

How Interlock Weaponized the Zero-Day: The Full Attack Chain

Amazon Threat Intelligence's disclosure, informed by telemetry from the MadPot global sensor network, describes a precise and deliberate attack sequence. Interlock's exploitation of CVE-2026-20131 follows a multi-stage process that begins with a single crafted HTTP request and ends with ransomware encryption across compromised infrastructure.

[Figure: Interlock CVE-2026-20131 Attack Chain. Stage 1: crafted HTTP request to FMC. Stage 2: RCE as root via Java deserialization. Stage 3: ELF binary fetched and run. Stage 4: lateral movement and data exfiltration. Stage 5: ransomware and double extortion.]
Interlock's CVE-2026-20131 kill chain — unauthenticated HTTP request to full network compromise and encryption

The initial exploitation step involves sending a specially crafted HTTP request to a specific path within the FMC web interface. This triggers the insecure deserialization flaw and causes arbitrary Java code to execute as root. The compromised system then issues an HTTP PUT request to an external server — a callback that confirms successful exploitation to the attacker's infrastructure. Once that beacon is received, the attacker sends commands to download an ELF binary from a remote server. That binary is linked to additional Interlock tooling and serves as the staging vehicle for everything that follows.

From there, Interlock's established post-exploitation playbook takes over. The group uses tools including Cobalt Strike, AnyDesk, and PuTTY for lateral movement and persistence. Credential harvesting relies on custom stealers alongside commodity tools such as Lumma Stealer and Berserk Stealer. For data exfiltration — the engine of the group's double extortion leverage — Interlock routes stolen data through AzCopy to Azure blob storage, a technique that exploits the trustworthiness of Microsoft infrastructure to evade network-level detection.

Ransomware payloads are typically disguised as conhost.exe, a name chosen to blend with legitimate Windows processes. The encryption routine combines AES and RSA algorithms and appends either .interlock or .1nt3rlock extensions to encrypted files. The encryptor is then deleted post-execution to complicate forensic recovery.

Amazon Threat Intelligence's researchers linked this campaign to Interlock through what they describe as convergent technical and operational indicators — specifically the embedded ransom note format and the TOR-based negotiation portal. The evidence also suggests the threat actor operates within the UTC+3 time zone, a data point consistent with findings from other Interlock investigations.

"This wasn't just another vulnerability exploit; Interlock had a zero-day in their hands, giving them a week's head start to compromise organizations before defenders even knew to look. The real story here isn't just about one vulnerability or one ransomware group — it's about the fundamental challenge zero-day exploits pose to every security model." — Amazon Threat Intelligence researcher (via The Hacker News)

The ransom notes generated by Interlock do not include an initial ransom demand or payment instructions. Instead, victims receive a unique code and are directed to contact the group through the TOR portal to begin negotiation. This design creates a pressure dynamic: the victim must initiate contact, placing them immediately in a reactive position while the clock runs on data publication threats.

Who Is Interlock? A Group Built to Evolve

Interlock first emerged in September 2024 and has operated at the intersection of targeted intrusion and financially motivated ransomware ever since. It is not a Ransomware-as-a-Service (RaaS) operation. FortiGuard Labs researchers noted in January 2026 that Interlock appears to be a smaller, dedicated group of operators who develop and maintain their own malware across the full attack lifecycle — an unusual level of vertical integration that gives them tighter operational security and faster iteration cycles.

The group has claimed over 60 victims since its founding, with more than 50 of those coming in 2025 alone, according to analysis by Forescout. A joint advisory issued in July 2025 by the FBI, CISA, the Department of Health and Human Services, and the Multi-State Information Sharing and Analysis Center identified Interlock as a significant threat to healthcare organizations in particular — with roughly a third of their confirmed 2025 incidents targeting healthcare providers directly.

What makes Interlock difficult to defend against is its consistent willingness to adopt new initial access techniques. The group began with drive-by downloads from compromised websites, using traffic distribution systems to serve fake browser update prompts. By January 2025, researchers at Sekoia observed them pivoting to ClickFix attacks — a technique that uses fraudulent CAPTCHA pages or browser error messages to trick users into manually pasting and executing malicious PowerShell commands through the Windows Run dialog. By early 2025, Interlock had added FileFix, an adaptation that routes the same malicious commands through the Windows File Explorer address bar.

Their post-exploitation toolkit has kept pace. In January 2026, FortiGuard Labs documented a novel process-killing utility Interlock developed called "Hotta Killer," which exploits a zero-day vulnerability in a gaming anti-cheat driver — a Bring Your Own Vulnerable Driver (BYOVD) technique — to disable endpoint detection and response tools during active intrusions. The ability to develop custom driver-level kill tools while simultaneously weaponizing network device zero-days places Interlock in a category of threat actors that security teams cannot afford to treat as opportunistic.

"When attackers exploit vulnerabilities before patches exist, even the most diligent patching programs can't protect you in that critical window. This is precisely why defense-in-depth is essential — layered security controls provide protection when any single control fails or hasn't yet been deployed." — Amazon Threat Intelligence researcher (via The Hacker News)

Security researchers have observed technical overlaps between Interlock and the Rhysida ransomware group, including similarities in data exfiltration infrastructure and encryption approaches. Some analysts have drawn potential connections to Vice Society, a threat group previously flagged by Microsoft for targeting U.S. entities. Neither link has been confirmed as a formal affiliation, but the overlaps suggest at minimum shared tooling, shared personnel, or active knowledge-sharing between groups.

Interlock's average dwell time — the period between initial access and ransomware deployment — runs 15 to 24 days across observed incidents, according to Forescout. This extended reconnaissance window is deliberate. The group uses the time to map the environment thoroughly, harvest privileged credentials, stage exfiltration, and position ransomware payloads for simultaneous detonation. The January 2026 FortiGuard intrusion analysis documented one case where the attacker maintained quiet access for months before activating, demonstrating a patience unusual even among sophisticated ransomware actors.

What This Means for Defenders: Key Takeaways

  1. Patch CVE-2026-20131 immediately: There are no workarounds. Use Cisco's Software Checker to identify your affected version and the corresponding fixed release. Organizations with FMC deployments should treat this as a P1 remediation regardless of their standard patch cadence.
  2. Audit FMC access and review ScreenConnect deployments: Amazon Threat Intelligence specifically recommends reviewing ScreenConnect and similar remote management tool deployments for unauthorized installations, which Interlock has historically used to maintain persistent access after initial compromise.
  3. Restrict FMC management interface exposure: Cisco notes that limiting public internet access to the FMC management interface reduces — though does not eliminate — the attack surface. Use firewall rules and ACLs to restrict interface access to known, trusted IP ranges only.
  4. Assume breach if unpatched since January 26, 2026: Amazon Threat Intelligence's MadPot sensor data places the start of active zero-day exploitation at January 26, 2026. Any organization running a vulnerable FMC during that period without compensating controls should conduct a thorough security assessment for indicators of compromise, including unexpected network beaconing, unauthorized ELF binary downloads, or new user account creation on the FMC.
  5. Defense-in-depth is not optional: The Interlock campaign is a textbook demonstration of why perimeter security cannot be a single line of defense. Once the FMC falls, managed firewall policies across the enterprise fall with it. Network segmentation, behavioral monitoring, and cloud exfiltration controls — particularly for AzCopy traffic — are the controls that slow or stop what comes after the initial breach.
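Added detection example, not from the article or Amazon's reporting, covering the stage-2 callback and stage-3 download described in the attack chain and the indicators in takeaway 4: it flags an FMC management host that issues an HTTP PUT to an external address and then fetches a binary from outside. FMC_HOSTS, the key=value proxy log format and the sample records are constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: management addresses of the on-prem FMC appliances (not from the page).
FMC_HOSTS = {"10.0.5.20"}
# Content types an egress proxy would log for a fetched ELF/native binary (assumption).
BINARY_TYPES = {"application/x-executable", "application/x-elf", "application/octet-stream"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
Event = namedtuple("Event", "ts src dst method ctype")


def parse_line(line: str) -> Event:
    """Parse one key=value egress-proxy record (a constructed format for this example)."""
    f = dict(kv.split("=", 1) for kv in line.split())
    ts = datetime.fromisoformat(f["ts"].replace("Z", "+00:00"))
    return Event(ts, f["src"], f["dst"], f["method"], f.get("ctype", "-"))


def is_external(ip: str) -> bool:
    a = ip_address(ip)
    return not any(a in n for n in INTERNAL_NETS)


def detect(lines, window=timedelta(minutes=30)):
    """Flag FMC hosts that PUT to an external address (stage-2 callback) and then
    fetch a binary from outside (stage-3 ELF download); returns (kind, src, dst)."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    alerts, last_put = [], {}
    for e in events:
        if e.src not in FMC_HOSTS or not is_external(e.dst):
            continue  # only outbound traffic from the FMC itself is of interest here
        if e.method == "PUT":
            alerts.append(("fmc_external_put", e.src, e.dst))
            last_put[e.src] = e.ts
        elif e.method == "GET" and e.ctype in BINARY_TYPES:
            kind = "fmc_binary_fetch"
            if e.src in last_put and e.ts - last_put[e.src] <= window:
                kind = "fmc_put_then_binary"  # callback followed by download: highest confidence
            alerts.append((kind, e.src, e.dst))
    return alerts


# Constructed sample records; 198.51.100.7 is documentation address space, not a real indicator.
SAMPLE_LOG = [
    "ts=2026-01-27T03:14:05Z src=10.0.5.20 dst=198.51.100.7 method=PUT",
    "ts=2026-01-27T03:16:40Z src=10.0.5.20 dst=198.51.100.7 method=GET ctype=application/x-executable",
    "ts=2026-01-27T03:20:00Z src=10.0.5.20 dst=10.0.9.3 method=PUT",
    "ts=2026-01-27T08:00:00Z src=10.0.7.15 dst=198.51.100.7 method=GET ctype=application/x-executable",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In production the external check should also allow the vendor update endpoints an FMC legitimately contacts, otherwise routine update fetches will trip the binary-fetch rule.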

The pattern here is not unique to Interlock or Cisco. Google's threat intelligence teams noted in parallel reporting that ransomware actors broadly are shifting toward vulnerabilities in perimeter devices — VPNs, firewalls, and management platforms — as their preferred initial access vectors, while simultaneously reducing dependence on external tooling in favor of built-in Windows capabilities that evade detection. Interlock's CVE-2026-20131 campaign is the sharpest current example of where that trend leads: a single unauthenticated HTTP request to a management interface that was supposed to be securing the network, and a ransomware group waiting weeks for the world to catch up.
