VYPR
breach · Published Mar 19, 2026 · Updated May 18, 2026 · 1 source

Interlock Ransomware Exploits Cisco Zero-Day Since January, AWS Warns

AWS warns that the Interlock ransomware group has been exploiting CVE-2026-20131, a critical Cisco Secure Firewall Management Center zero-day, since January 26, with ongoing attacks.

AWS has issued an urgent warning that the Interlock ransomware group has been actively exploiting a critical zero-day vulnerability in Cisco Secure Firewall Management Center (FMC) Software since January 26, 2026. The flaw, tracked as CVE-2026-20131, carries the maximum CVSS score of 10.0 and allows an unauthenticated, remote attacker to execute arbitrary Java code as root on affected devices. Cisco has confirmed that exploitation is ongoing, and organizations are urged to apply the patches immediately.

The vulnerability resides in the web-based management interface of Cisco Secure FMC, a central management platform for Cisco firewalls. An unauthenticated, remote attacker can exploit it to gain full root access without any user interaction. AWS gained rare visibility into Interlock's operational toolkit after the group misconfigured an infrastructure server, revealing a sophisticated multi-stage attack chain.

Following initial access via the zero-day, Interlock deploys a PowerShell script to collect network details, then installs two custom remote access trojans (RATs), one written in JavaScript and one in Java, for persistent control. The group also plants a memory-resident webshell that hooks HTTP request handling inside the running process without writing a file to disk, so file-based antivirus scanning never sees it. As a fallback, the attackers install ConnectWise ScreenConnect, a legitimate remote-support tool, to retain access if the primary implants are discovered and removed.

Interlock is a prolific ransomware operation that has previously targeted US healthcare, IT, and government sectors. The group's use of a zero-day with a CVSS 10 score underscores the criticality of the threat. AWS CISO CJ Moses emphasized that the real challenge is the fundamental problem zero-day exploits pose to every security model, as even diligent patching programs cannot protect during the window between exploit and patch.

Cisco has released security patches for CVE-2026-20131, and AWS recommends organizations apply them immediately. Because the exploitation window opened on January 26, patching alone does not evict an intruder who has already established root-level persistence, so the compromise assessment matters even on systems patched today. Organizations should review logs for the indicators of compromise (IoCs) provided in AWS's write-up, conduct security assessments to identify existing compromise, check ScreenConnect deployments for unauthorized installations, and monitor for PowerShell scripts staging data to network shares in hostname-based directory structures.

Other recommended actions include detecting Java ServletRequestListener registrations in web application contexts, identifying HAProxy installations with aggressive log deletion cron jobs, and watching for TCP connections to unusual high-numbered ports (e.g., 45588). In the long term, AWS advocates for defense in depth, continuous threat monitoring and hunting, and regular testing of incident response procedures combined with updated training on Interlock TTPs.
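The following is an added example, not code from AWS, Cisco, or this write-up, showing how three of the hunting checks listed in the two paragraphs above (outbound TCP to unusual high-numbered ports such as 45588, cron jobs that aggressively delete logs, and writes to network shares under a directory named after the writing host) can be expressed as detection logic over constructed sample log lines. The log formats, the cron parsing rules, the 40000 high-port threshold and the list of log-destroying commands are all assumptions for illustration and should be adapted to your own firewall, crontab and file-share audit sources.

```python
"""Added example (not AWS's, Cisco's, or Vypr's code): hunting checks from the
write-up, run over constructed sample data. Log formats, cron parsing rules,
the high-port threshold and the deletion-command pattern are assumptions."""
import re

# Assumption: outbound destination ports at or above this are "unusual high-numbered"
# for a management appliance. Tune per environment.
HIGH_PORT_MIN = 40000
# Port named in the write-up as an example of Interlock traffic.
KNOWN_SUSPICIOUS_PORTS = {45588}

# Constructed connection log (assumed format):
# "<ts> src=<host> dst=<ip> dport=<port> proto=<tcp|udp>"
CONN_LOG = """
2026-02-03T10:12:01Z src=fmc01 dst=203.0.113.7 dport=443 proto=tcp
2026-02-03T10:12:05Z src=fmc01 dst=198.51.100.23 dport=45588 proto=tcp
2026-02-03T10:13:40Z src=ws-ops-12 dst=192.0.2.10 dport=53 proto=udp
2026-02-03T10:14:02Z src=fmc01 dst=198.51.100.23 dport=51234 proto=tcp
"""

CONN_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")


def suspicious_connections(log_text, high_port_min=HIGH_PORT_MIN):
    """Return (src, dst, port) for TCP flows to a known-bad or unusually high port."""
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        src, dst, port, proto = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if proto == "tcp" and (port in KNOWN_SUSPICIOUS_PORTS or port >= high_port_min):
            hits.append((src, dst, port))
    return hits


# Constructed crontab entries (assumed). "Aggressive" means a job that deletes or
# truncates log files every few minutes rather than on a rotation schedule.
CRONTAB = """
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/2 * * * * rm -f /var/log/haproxy.log /var/log/haproxy/*.log
* * * * * /bin/sh -c 'truncate -s0 /var/log/auth.log'
30 4 * * 0 tar czf /backup/etc.tgz /etc
"""

# Commands that destroy log content; assumed pattern, not an exhaustive list.
LOG_DELETE_RE = re.compile(r"\b(rm|shred|truncate|unlink)\b.*\b(log|haproxy)\b")


def minute_field_interval(field):
    """Minutes between runs implied by a cron minute field.
    Assumption: '*' -> 1, '*/N' -> N, anything else (fixed minute, lists) -> 60."""
    if field == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", field)
    return int(m.group(1)) if m else 60


def aggressive_log_deletion_jobs(crontab_text, max_interval_min=5):
    """Return command strings of cron jobs that delete logs at least every max_interval_min."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 5)  # five time fields, then the command
        if len(parts) < 6:
            continue
        minute, command = parts[0], parts[5]
        if LOG_DELETE_RE.search(command) and minute_field_interval(minute) <= max_interval_min:
            hits.append(command)
    return hits


# Constructed file-share audit lines (assumed format):
# "<ts> host=<hostname> user=<user> wrote=<UNC path>"
SHARE_LOG = r"""
2026-02-03T11:00:00Z host=WS-OPS-12 user=jdoe wrote=\\fileserv\projects\q1\report.docx
2026-02-03T11:02:10Z host=WS-OPS-12 user=svc_admin wrote=\\fileserv\public\WS-OPS-12\ipconfig.txt
2026-02-03T11:02:11Z host=WS-OPS-12 user=svc_admin wrote=\\fileserv\public\WS-OPS-12\netstat.txt
2026-02-03T11:05:00Z host=DB-01 user=backup wrote=\\fileserv\backups\db01.bak
"""

SHARE_RE = re.compile(r"host=(\S+) user=\S+ wrote=(\S+)")


def hostname_staging_writes(share_log_text):
    """Return (host, path) for writes where a directory in the UNC path equals the
    writing host's own name, the staging layout the write-up describes."""
    hits = []
    for line in share_log_text.splitlines():
        m = SHARE_RE.search(line)
        if not m:
            continue
        host, path = m.group(1), m.group(2)
        dirs = path.strip("\\").split("\\")[:-1]  # server, share, directories; drop the filename
        if host.lower() in (d.lower() for d in dirs):
            hits.append((host, path))
    return hits


if __name__ == "__main__":
    print("connections:", suspicious_connections(CONN_LOG))
    print("cron jobs:", aggressive_log_deletion_jobs(CRONTAB))
    print("staging writes:", hostname_staging_writes(SHARE_LOG))
```

On the constructed data the first check flags both outbound flows from fmc01 to 198.51.100.23 (port 45588 and the unusually high 51234), the second flags the two-minute haproxy deletion and the every-minute auth.log truncation while leaving the nightly logrotate alone, and the third flags the two writes under \\fileserv\public\WS-OPS-12. The ServletRequestListener check from the same list is not a log-parsing problem: it requires enumerating the listeners registered in the live servlet context (or a heap dump of the JVM) and is deliberately not approximated here.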

The exploitation of CVE-2026-20131 by Interlock highlights the persistent threat posed by ransomware groups leveraging zero-day vulnerabilities. As attacks continue, organizations must prioritize patching and adopt layered security controls to mitigate risk during the critical window between exploit and patch deployment.

Synthesized by Vypr AI