AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January


A prolific ransomware group has been exploiting a zero-day vulnerability in a Cisco firewall product since January, according to a new analysis from AWS.

AWS CISO, CJ Moses, warned yesterday that the Interlock operation had been using CVE-2026-20131 in attacks since January 26.

CVE-2026-20131 is a remote code execution (RCE) flaw in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software.

Given a maximum CVSS score of 10, it could “allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device,” according to Cisco.

Thanks to a “misconfigured infrastructure server,” the AWS security team was able to gain rare and full visibility into Interlock’s operational toolkit, Moses said.

Following initial access via zero-day exploitation, the group used a PowerShell script to collect details on victims’ networks, as well as two custom remote access trojans (RATs) written in JavaScript and Java for persistent control.

The group also deployed a “persistent memory-resident backdoor” (webshell) that intercepted HTTP requests entirely in memory to evade antivirus detection, and installed ConnectWise ScreenConnect as a backup entry point in case they were discovered.

Recommendations from AWS

According to Moses, organizations should take the following actions to protect against Interlock ransomware operations:

  • Apply Cisco’s security patches
  • Review logs for the IoCs listed in its write-up
  • Conduct security assessments to identify compromise
  • Check ScreenConnect deployments for unauthorized installations
  • Monitor for PowerShell scripts staging data to network shares with hostname-based directory structures
  • Detect Java ServletRequestListener registrations in web application contexts
  • Identify HAProxy installations with aggressive log deletion cron jobs
  • Watch for TCP connections to unusual high-numbered ports (e.g., 45588)
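The four host-level hunting items in that list (hostname-based staging in PowerShell, runtime ServletRequestListener registration, log-deleting cron jobs, connections to port 45588) can be turned into simple triage heuristics. The script below is an added example written for this article, not tooling from AWS or Cisco; every input it scans is constructed inline, and the regexes, the `ss`-style connection format, and the choice of 45588 as the only flagged port are assumptions to be replaced with your own baseline.

```python
"""Triage heuristics for the host-level Interlock indicators AWS lists.

Added example, not AWS or Cisco code. Sample inputs are constructed; the
patterns and thresholds are assumptions, not published detection rules.
"""
import re
from typing import Iterable

# Port the article names as unusual (assumption: your baseline adds more).
SUSPICIOUS_PORTS = {45588}


def find_log_deleting_cron(crontab_lines: Iterable[str]) -> list[str]:
    """Return cron entries that delete or truncate logs on a tight schedule,
    the 'aggressive log deletion' pattern tied to rogue HAProxy installs.
    Heuristic: minute field '*' or '*/N' plus a destructive command
    (rm/truncate/shred or a redirect into /var/log) that mentions a log."""
    destructive = re.compile(r"\b(rm|truncate|shred)\b|>\s*/var/log")
    hits = []
    for raw in crontab_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)        # m h dom mon dow command
        if len(fields) < 6:
            continue
        minute, command = fields[0], fields[5]
        frequent = minute == "*" or minute.startswith("*/")
        if frequent and destructive.search(command) and "log" in command:
            hits.append(line)
    return hits


def find_suspicious_connections(conn_lines: Iterable[str]) -> list[tuple[str, int]]:
    """Parse 'ss -nt'-style rows (State Recv-Q Send-Q Local Peer; assumed
    format) and return (peer_host, port) for established peers on ports
    in SUSPICIOUS_PORTS. Half-open SYN-SENT rows are ignored."""
    hits = []
    for line in conn_lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "ESTAB":
            continue
        host, _, port = parts[4].rpartition(":")
        if port.isdigit() and int(port) in SUSPICIOUS_PORTS:
            hits.append((host, int(port)))
    return hits


def find_listener_registrations(sources: dict[str, str]) -> list[str]:
    """Return file names that register a ServletRequestListener, either
    declared in web.xml or added at runtime via ServletContext.addListener.
    Declared listeners are normal in many apps; compare the result against
    the application's known baseline rather than treating it as a verdict."""
    pattern = re.compile(r"ServletRequestListener|addListener\s*\(|<listener-class>")
    return sorted(name for name, text in sources.items() if pattern.search(text))


def find_hostname_staging(script_text: str) -> list[str]:
    """Return PowerShell lines that build a UNC share path containing the
    local hostname, i.e. staging data under a per-host directory."""
    unc = re.compile(r"\\\\[^\s\"']+")                       # \\server\share...
    hostname = re.compile(r"\$env:COMPUTERNAME|hostname|GetHostName", re.I)
    return [ln.strip() for ln in script_text.splitlines()
            if unc.search(ln) and hostname.search(ln)]


def hunt(crontab: list[str], conns: list[str],
         sources: dict[str, str], script: str) -> dict[str, list]:
    """Run every heuristic and collect findings keyed by indicator."""
    return {
        "log_deleting_cron": find_log_deleting_cron(crontab),
        "suspicious_connections": find_suspicious_connections(conns),
        "listener_registrations": find_listener_registrations(sources),
        "hostname_staging": find_hostname_staging(script),
    }


# --- constructed sample inputs (not real telemetry) ------------------------
CRON = [
    "# m h dom mon dow command",
    "0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf",
    "*/5 * * * * rm -f /var/log/haproxy.log",
    "*/1 * * * * : > /var/log/haproxy/access.log",
]
CONNS = [
    "ESTAB 0 0 10.0.0.5:443 203.0.113.10:52114",
    "ESTAB 0 0 10.0.0.5:51022 198.51.100.7:45588",
    "SYN-SENT 0 1 10.0.0.5:51030 198.51.100.7:45588",
]
SOURCES = {
    "Health.java": "public class Health extends HttpServlet { }",
    "Init.java": "ctx.addListener(new ReqListener());",
    "web.xml": "<listener><listener-class>com.example.ReqListener</listener-class></listener>",
}
SCRIPT = r'''$dest = "\\fileserver\share\$env:COMPUTERNAME"
New-Item -ItemType Directory -Path $dest
Copy-Item C:\Users\*\Documents\* $dest'''

if __name__ == "__main__":
    for indicator, findings in hunt(CRON, CONNS, SOURCES, SCRIPT).items():
        print(f"{indicator}: {findings}")
```

Each function returns findings for an analyst to review rather than a verdict: a declared `web.xml` listener or a legitimate log-cleanup job will show up and must be compared against the host's expected configuration, which is what the "review" and "assess" items in the list amount to.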

In the long term, defense in depth, continuous threat monitoring/hunting and regular testing of incident response procedures should be combined with updated training for security teams on Interlock TTPs, AWS said.

“The real story here isn’t just about one vulnerability or one ransomware group – it’s about the fundamental challenge zero-day exploits pose to every security model. When attackers exploit vulnerabilities before patches exist, even the most diligent patching programs can’t protect you in that critical window,” concluded Moses.

“This is precisely why defense in depth is essential – layered security controls provide protection when any single control fails or hasn’t yet been deployed. Rapid patching remains foundational in vulnerability management, but defense in depth helps organizations not to be defenseless during the window between exploit and patch.”

According to Cisco, attacks are still ongoing.
