According to a new analysis from AWS, a prolific ransomware group has been exploiting a zero-day vulnerability in a Cisco firewall product since January. AWS CISO CJ Moses warned that the Interlock operation had been using CVE-2026-20131 in attacks since January 26.
CVE-2026-20131 is a remote code execution flaw in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software, with a maximum CVSS score of 10, and it could “allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device,” according to Cisco. Thanks to a “misconfigured infrastructure server,” the AWS security team gained rare and full visibility into Interlock’s operational toolkit, Moses said.
Following initial access via zero-day exploitation, the group used a PowerShell script to collect details on victims’ networks and relied on two custom remote access trojans, written in JavaScript and Java, for persistent control. It also deployed a memory-resident backdoor (a webshell) that intercepted HTTP requests in memory to evade antivirus detection, and installed ConnectWise ScreenConnect as a backup entry point.