Interlock ransomware is targeting Cisco enterprise firewalls. Amazon Web Services, summarising an advisory, says the campaign exploits CVE-2026-20131, a critical zero-day in the web-based management interface of Cisco’s Secure Firewall Management Center (FMC) Software. The vulnerability is rated 10 on the CVSS scale and, if exploited, could allow an unauthenticated remote attacker to execute arbitrary Java code as root on an affected device.
Cisco disclosed the flaw on 4 March, explaining it stems from insecure deserialization of a user-supplied Java byte stream, and urged FMC users to upgrade to a fixed release. An AWS advisory notes that threat actors had access to this critical zero-day weeks before public disclosure, and CJ Moses, the CISO of Amazon Integrated Security, wrote on 18 March about how Interlock is actively exploiting the vulnerability to target at-risk organisations.
Following Cisco’s disclosure, Amazon researchers indicated that Interlock had exploited CVE-2026-20131 as far back as 26 January, and revealed a misconfigured infrastructure server that exposed Interlock’s complete operational toolkit.