The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Cisco FMC and Cisco SCC Firewall Management to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management, tracked as CVE-2026-20131 (CVSS score of 10.0), to its Known Exploited Vulnerabilities (KEV) catalog.

“A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.” reads the advisory. “This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.”

The vulnerability is a remote code execution flaw that resides in Cisco Secure FMC’s web interface and allows unauthenticated remote attackers to exploit insecure Java deserialization and execute arbitrary code as root by sending a crafted serialized object.

The networking giant addressed the flaw in early March 2026.

The Interlock ransomware group has been exploiting this critical zero-day RCE vulnerability since late January.

Interlock ransomware group has been active since September 2024, it has targeted multiple organizations, including DaVita, Kettering Health, and Texas Tech University. Recently, researchers observed a new AI-assisted malware strain called Slopoly used in its operations.

Amazon researchers observed the Interlock group exploiting the CVE-2026-20131 flaw 36 days before disclosure, starting on January 26, 2026. This gave attackers time to compromise targets before detection. The activity was uncovered via honeypots and shared with Cisco to aid in the investigation and protect customers.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by March 22, 2026.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)

The Interlock ransomware group has exploited a Cisco FMC zero-day RCE vulnerability in attacks since late January.

The Interlock ransomware group has been exploiting a critical zero-day RCE vulnerability, tracked as CVE-2026-20131 (CVSS score of 10.0), in Cisco Secure Firewall Management Center (FMC) since late January.

The vulnerability is a remote code execution flaw that resides in Cisco Secure FMC’s web interface and allows unauthenticated remote attackers to exploit insecure Java deserialization and execute arbitrary code as root by sending a crafted serialized object.

“A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.” reads the advisory. “This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.”

CVE-2026-20131 also impacts Cisco Security Cloud Control (SCC) Firewall Management. The networking giant addressed the flaw in early March 2026.

Interlock ransomware group has been active since September 2024, it has targeted multiple organizations, including DaVita, Kettering Health, and Texas Tech University. Recently, researchers observed a new AI-assisted malware strain called Slopoly used in its operations.

Amazon researchers observed the Interlock group exploiting the CVE-2026-20131 flaw 36 days before disclosure, starting on January 26, 2026. This gave attackers time to compromise targets before detection. The activity was uncovered via honeypots and shared with Cisco to aid in the investigation and protect customers.

“After Cisco’s disclosure, Amazon threat intelligence began research into this vulnerability using Amazon MadPot’s global sensor network—a system of honeypot servers that attract and monitor cybercriminal activity. While looking for any current or past exploits of this vulnerability, our research found that Interlock was exploiting this vulnerability 36 days before its public disclosure, beginning January 26, 2026.” reads the report published by Amazon. “This wasn’t just another vulnerability exploit, Interlock had a zero-day in their hands, giving them a week’s head start to compromise organizations before defenders even knew to look. Upon making this discovery, we shared our findings with Cisco to help support their investigation and protect customers.”

A misconfigured server exposed Interlock’s full toolkit, revealing its multi-stage attacks, custom backdoors, reconnaissance tools, and evasion methods. AWS pointed out that its systems were not affected. The findings provide detailed indicators to help detect compromises, and organizations using Cisco FMC are urged to apply patches and review the shared indicators immediately.

“Amazon threat intelligence identified threat activity potentially related to CVE-2026-20131 beginning January 26, 2026, predating the public disclosure.” continues the report. “Observed activity involved HTTP requests to a specific path in the affected software. Request bodies contained Java code execution attempts and two embedded URLs: one used to deliver configuration data supporting the exploit, and another designed to confirm successful exploitation by causing a vulnerable target to perform an HTTP PUT request and upload a generated file. Multiple variations of these URLs were observed across different exploit attempts.”

Researchers mimicked a compromised system to trigger Interlock’s next step, leading to the download of a malicious Linux binary. Analysis showed a single server hosted the group’s full toolkit, organizing files by target and using the same paths to both deploy tools and collect stolen data.

The recovered ELF malware is attributed to the Interlock ransomware group based on consistent ransom notes, TOR negotiation portals, and unique victim IDs used for tracking. The group is known for targeting sectors where disruption drives payment, including education, healthcare, industry, and government. Timeline analysis suggests operators likely work in a UTC+3 timezone.

After initial access, Interlock deploys PowerShell scripts to systematically map compromised networks, collecting system, user, and browser data across multiple machines. They then use custom remote access trojans (in JavaScript and Java) to maintain persistent control, execute commands, transfer files, and exfiltrate data via encrypted communications.

To hide their activity, attackers set up proxy-based relay infrastructure that masks the origin of attacks and regularly wipes logs to erase evidence. They also use fileless webshells that run entirely in memory, decrypting and executing malicious code without touching disk—making detection by traditional security tools far more difficult.

Researchers found a simple Java tool acting as a “phone home” beacon, confirming access by logging connections on a hidden port. Interlock also abused legitimate tools like ConnectWise ScreenConnect for stealthy remote access, ensuring persistence if malware is removed. Additional tools such as Volatility and Certify were used to extract credentials, move laterally, escalate privileges, and maintain long-term control of compromised systems.

Amazon provided Indicators of compromise (IoCs) for these attacks and defensive recommendations.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2026-20131)

Amazon’s threat intelligence teams have uncovered a new cyber campaign linked to the Interlock ransomware group. The campaign centers around a flaw affecting Cisco Secure Firewall Management Center (FMC) software. The vulnerability, tracked as CVE-2026-20131, was disclosed by Cisco on March 4. It allows an unauthenticated remote attacker to execute arbitrary Java code with root privileges on affected FMC devices. However, research conducted through Amazon MadPot, a global honeypot network designed to observe malicious activity, revealed that Interlock had already begun exploiting this flaw as early as January 26, 2026, 36 days before public disclosure.  This meant the attackers were operating with a zero-day advantage, enabling them to compromise organizations before defenders were even aware of the risk. According to Amazon’s findings, the exploitation involved crafted HTTP requests targeting specific paths in vulnerable systems. These requests carried embedded Java code and URLs—one delivering configuration data to support the exploit, and another confirming successful compromise by triggering an HTTP PUT request from the victim system.  To deepen the investigation, researchers simulated a compromised device by responding to the attacker’s verification mechanism. This triggered the next phase of the attack, where Interlock issued commands to download and execute a malicious Linux binary. 

Amazon MadPot Reveals Interlock’s Toolkit 

The use of Amazon MadPot proved critical in exposing the full scope of the operation. A misconfigured infrastructure server used by the attackers inadvertently revealed their entire toolkit. This included reconnaissance scripts, custom remote access trojans (RATs), and evasion mechanisms, offering rare visibility into Interlock’s multi-stage attack chain.  The infrastructure was organized in a way that separated data by target, with directories used both to distribute tools and collect stolen information. This level of organization reflects a structured and repeatable attack methodology.  Importantly, Amazon confirmed that its own cloud infrastructure and customer workloads were not impacted by this campaign. 

Interlock Ransomware Tactics and Attribution 

The recovered malware and artifacts were attributed to the Interlock ransomware family based on several consistent indicators. These included a ransom note and a TOR-based negotiation portal aligned with Interlock’s known branding and operational style.  The ransom notes notably referenced multiple data protection regulations, a tactic used by Interlock to pressure victims by threatening not only data encryption but also potential regulatory penalties. Each victim was assigned a unique organization identifier, consistent with the group’s tracking model.  Historically, Interlock has targeted industries where disruption creates maximum leverage. The education sector has been the most affected, followed by engineering, construction, manufacturing, healthcare, and public sector organizations.  Temporal analysis of the attack activity suggests the operators likely function in a UTC+3 time zone, with activity typically beginning around 08:30, peaking between 12:00 and 18:00, and declining overnight. 

Post-Exploitation 

Once access is gained through CVE-2026-20131, Interlock deploys a range of tools to expand control within the compromised network. A PowerShell-based reconnaissance script systematically collects detailed system and network information, including installed software, running services, browser data, and active connections.  The script organizes this data into per-host directories on a centralized network share, compressing it into ZIP archives for exfiltration. This structured approach indicates preparation for large-scale ransomware deployment across multiple systems.  Interlock uses multiple RATs to maintain persistent access. One variant, written in JavaScript, suppresses debugging output and gathers system details before establishing encrypted communication with command-and-control servers via WebSockets. Messages are encrypted using RC4 with unique keys for each transmission.  A second variant, implemented in Java, provides the same capabilities using different libraries. This dual-implementation strategy ensures continued access even if one version is detected and removed.  To hide their tracks, Interlock employs a Bash script that converts compromised Linux servers into HTTP reverse proxies. These proxies forward traffic to attacker-controlled systems while erasing logs every five minutes, making forensic analysis extremely difficult. 

Fileless Backdoors and Advanced Techniques 

One of the more advanced components observed in the campaign is a memory-resident webshell. Delivered as a Java class, it operates entirely in memory, avoiding disk-based detection. It intercepts HTTP requests and executes encrypted payloads dynamically within the Java Virtual Machine.  Additionally, a lightweight TCP server tool was identified, used to verify successful exploitation by confirming connectivity on a specific port.  Interlock also blends malicious activity with legitimate software. The group deployed ConnectWise ScreenConnect, a commercial remote desktop tool, to maintain access while avoiding detection. This redundancy ensures attackers retain control even if custom malware is removed.  Other tools found in the attack environment include Volatility, typically used for memory forensics, and Certify, an offensive security tool targeting Active Directory Certificate Services. These tools enable credential access, privilege escalation, and persistent footholds within compromised environments.