## What happened

Amazon Threat Intelligence reported an active **Interlock ransomware** campaign exploiting **CVE-2026-20131** in **Cisco Secure Firewall Management Center (FMC)**.

The flaw is described as an **insecure deserialization** issue that can allow an unauthenticated attacker to bypass authentication and run arbitrary Java code **as root** (CVSS 10.0).

Amazon’s sensor network indicates exploitation began as a **zero-day on Jan 26, 2026**, weeks before Cisco publicly disclosed it.

## How the intrusion worked (as described)

The attack chain included:

1. Crafted HTTP requests to a specific FMC path that trigger the deserialization flaw and yield code execution on the appliance

2. A "success" callback (an HTTP PUT) from the compromised appliance to attacker-controlled infrastructure

3. Retrieval of follow-on payloads and tools from that infrastructure, including Linux and Windows reconnaissance scripts and remote-access tooling

Amazon says it gained visibility into the campaign only after an operational mistake by the attackers exposed their tooling through misconfigured infrastructure.
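The chain above has a network-observable shape that does not depend on knowing the exploit path: a management appliance that should only ever talk to a handful of vendor hosts suddenly makes an outbound HTTP PUT to an unknown destination and then downloads files from that same destination. The following detector is an added example, not code from Amazon's report or from Cisco; the egress-log format, the appliance address, the allowlist entries and the log lines are all constructed for illustration, and a real FMC's legitimate egress destinations would have to be taken from your own baseline.

```python
"""Flag the callback-then-download pattern from an egress proxy log.

Added example. Pattern: a management-plane host (here, an FMC) issues an
HTTP PUT "success" callback to a destination outside its egress allowlist,
then fetches further payloads from that destination within a short window.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed: addresses of management appliances whose egress should be
# limited to a small set of vendor update/licensing hosts.
MGMT_HOSTS = {"10.10.0.5"}

# Constructed placeholder allowlist; not an authoritative list of FMC
# destinations. Build yours from observed, approved traffic.
EGRESS_ALLOWLIST = {"updates.vendor.example", "license.vendor.example"}

# Constructed sample egress log: "<ISO timestamp> <src> <METHOD> <url> <status>"
SAMPLE_LOG = """\
2026-01-26T03:14:02Z 10.10.0.5 GET https://updates.vendor.example/sru/manifest.json 200
2026-01-26T03:14:09Z 10.10.0.5 PUT http://203.0.113.77:8080/ok 200
2026-01-26T03:14:11Z 10.10.0.5 GET http://203.0.113.77:8080/recon.sh 200
2026-01-26T03:14:15Z 10.10.0.5 GET http://203.0.113.77:8080/agent 200
2026-01-26T03:20:00Z 10.10.0.42 PUT https://files.corp.example/upload 201
2026-01-26T04:00:00Z 10.10.0.5 GET https://license.vendor.example/check 200
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime and host."""
    ts, src, method, url, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "method": method,
        "url": url,
        "host": urlsplit(url).hostname,
        "status": int(status),
    }


def find_callback_chains(log_text, mgmt_hosts=MGMT_HOSTS,
                         allowlist=EGRESS_ALLOWLIST,
                         window=timedelta(minutes=10)):
    """Return one finding per non-allowlisted PUT from a management host.

    Each finding lists the GETs the same host made to the same destination
    within `window` after the PUT; a PUT followed by downloads is rated
    "high", a bare PUT "medium".
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for i, ev in enumerate(events):
        if ev["src"] not in mgmt_hosts or ev["method"] != "PUT":
            continue
        if ev["host"] in allowlist:
            continue
        retrieved = [
            e["url"] for e in events[i + 1:]
            if e["src"] == ev["src"]
            and e["host"] == ev["host"]
            and e["method"] == "GET"
            and e["ts"] - ev["ts"] <= window
        ]
        findings.append({
            "src": ev["src"],
            "host": ev["host"],
            "callback": ev["url"],
            "retrieved": retrieved,
            "severity": "high" if retrieved else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_callback_chains(SAMPLE_LOG):
        print(f["severity"].upper(), f["src"], "->", f["host"],
              "callback:", f["callback"], "then fetched:", f["retrieved"])
```

The value of keying on the source rather than the URL is that it survives the attacker changing paths, ports or hosts: anything a firewall controller PUTs to that is not on its allowlist deserves a look, and a download from the same place minutes later is close to a confirmed foothold. The same logic can be expressed as a correlation rule in a SIEM; the point is that the management appliance's egress is small enough to baseline precisely.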

## Tooling and techniques observed

Reported components included:

- Windows environment enumeration (services, installed software, storage, VM inventory, browser artifacts, RDP events)

- Custom remote access trojans with file transfer and SOCKS5 proxying

- Infrastructure laundering scripts (reverse proxies) and aggressive log deletion

- Memory-resident web shell behavior using encrypted parameters

- Use of legitimate remote access software as fallback persistence

## What defenders should do

- **Patch/upgrade Cisco FMC immediately** to a fixed release named in Cisco's advisory, and treat any appliance that was exposed before patching as potentially compromised rather than assuming the update cleaned it up

- Perform compromise assessments on FMC and adjacent management networks

- Review remote access tooling deployments (e.g., ScreenConnect) for unauthorized installs

- Strengthen **defense-in-depth** controls to reduce exposure during the “zero-day window”

## Bottom line

This incident underscores a hard truth for enterprise security: even perfect patch hygiene can’t eliminate risk when attackers have a head start. Layered controls, segmentation, and monitoring around management planes (like firewall controllers) are crucial.