www.securityweek.com 3/19/2026, 9:29:25 AM · via preferred

Cisco Firewall Vulnerability Exploited as Zero-Day in Interlock Ransomware Attacks

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Patch Status Unknown

According to Amazon threat intelligence, a vulnerability that Cisco patched in its firewalls earlier this month has been exploited as a zero-day since at least late January. The flaw is tracked as CVE-2026-20131 and affects the Secure Firewall Management Center (FMC) software. The vulnerability can be exploited by a remote, unauthenticated attacker to execute arbitrary Java code with root privileges on the FMC web-based management interface. Cisco noted that not exposing FMC to the internet reduces the attack surface.

An Amazon investigation found that the Interlock ransomware group had been exploiting the flaw as a zero-day since 26 January, and IoCs have been shared to help defenders detect attacks. Cisco updated its advisory for CVE-2026-20131 on 4 March to inform customers about in-the-wild exploitation. Amazon's analysis suggests the threat actor operates in UTC+3, with activity patterns indicating peak operations around midday. It points to a likely base in Russia, with Belarus or select Middle Eastern countries as secondary possibilities.

Article by CyberSIXT