thehackernews.com 3/18/2026, 4:42:09 PM

Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch status: Unknown

Interlock ransomware is exploiting Cisco Secure Firewall Management Center (FMC) zero-day CVE-2026-20131 to gain root access. Researchers note that the flaw allows an unauthenticated, remote attacker to bypass authentication and run arbitrary Java code as root. The vulnerability, which carries a CVSS score of 10.0, has been exploited in the wild as a zero-day since 26 January 2026, according to MadPot’s global sensor network.

Amazon Threat Intelligence described an active campaign targeting enterprise firewalls, with Interlock’s multi-stage attack chain starting from crafted HTTP requests to a specific FMC path, then an HTTP PUT to an external server to confirm exploitation before fetching an ELF binary and additional tools from remote infrastructure.

The toolkit reportedly includes PowerShell and JavaScript/Java remote access Trojans, Linux reverse-proxy scripts, a memory-resident web shell, a network beacon, and other utilities such as the Volatility Framework and ConnectWise ScreenConnect. Defence guidance emphasises applying patches promptly, conducting security assessments for compromise, reviewing ScreenConnect deployments, and enforcing defence-in-depth alongside rapid patching.


Article by CyberSIXT