securityaffairs.com 3/19/2026, 9:59:25 AM

Interlock group exploiting the CISCO FMC flaw CVE-2026-20131 36 days before disclosure

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Patch Status Unknown

The Interlock ransomware group has been exploiting a zero-day RCE vulnerability in Cisco Secure Firewall Management Center (FMC), tracked as CVE-2026-20131 (CVSS score of 10.0), since late January. Amazon researchers, using honeypot-based monitoring, observed the attackers exploiting the flaw from 26 January 2026, 36 days before its public disclosure, and shared their findings with Cisco.

The exploit targets the web-based management interface: by getting the device to deserialise a crafted Java object, an unauthenticated remote attacker can execute code with root privileges. Cisco noted that the vulnerability could let an attacker execute arbitrary code on affected devices. The findings also show that a misconfigured server exposed Interlock’s full toolkit, including multi-stage attacks, backdoors, and evasion methods. AWS stated that its own systems were not affected.

Amazon threat intelligence provided indicators of compromise to help detect compromises, and organisations using Cisco FMC are advised to apply patches and review the shared indicators immediately. The Interlock group has previously targeted sectors such as education, healthcare, industry, and government, and researchers observed continued activity as part of ongoing campaigns.


Article by CyberSIXT