Security research drawing on Amazon's MadPot honeypot network has uncovered an active Interlock ransomware campaign exploiting a critical zero-day vulnerability in Cisco Secure Firewall Management Center (FMC) software.
Exploiting this unauthenticated remote code execution flaw, threat actors compromised enterprise environments for over a month before public disclosure.
Cisco Firewall Zero-Day
The intrusion campaign centers entirely on CVE-2026-20131, an insecure deserialization vulnerability tracked as CWE-502, located within the web-based management interface of Cisco Secure FMC software.
By sending a maliciously crafted serialized Java object, an unauthenticated remote attacker can effortlessly execute arbitrary Java code and gain root privileges.
This critical severity flaw carries a maximum CVSS base score of 10.0, indicating the highest possible risk.
While Cisco Security Cloud Control (SCC) is also vulnerable, the widely deployed Adaptive Security Appliance (ASA) and Threat Defense (FTD) software configurations remain completely unaffected.
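As an added illustration of the CWE-502 pattern described above (this is not Cisco's code; the endpoint, class names and filter limits are hypothetical), a Java handler that blindly deserializes a request body next to one that applies a JEP 290 ObjectInputFilter allowlist before any class is instantiated:

```java
// Added example, not Cisco's code: the insecure deserialization pattern (CWE-502)
// behind a crafted-serialized-object RCE, next to a hardened version.
import java.io.*;

public class DeserializationDemo {

    // Hypothetical request type the management interface expects to receive.
    public static final class SessionState implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String user;
        public SessionState(String user) { this.user = user; }
    }

    // VULNERABLE: readObject() resolves and instantiates whatever classes the
    // stream names, so a crafted stream reaches gadget chains on the classpath
    // before any application-level check can run.
    static Object vulnerableRead(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // HARDENED: allowlist exactly the classes this endpoint needs and bound the
    // stream's depth and size; every other class is rejected before instantiation.
    static Object hardenedRead(byte[] body) throws IOException, ClassNotFoundException {
        ObjectInputFilter allow = ObjectInputFilter.Config.createFilter(
            "maxdepth=3;maxbytes=4096;" + SessionState.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(allow);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new SessionState("admin"));
        System.out.println(((SessionState) hardenedRead(expected)).user);

        // Constructed stand-in for an unexpected class: a benign java.util.Date.
        // The vulnerable reader would instantiate it; the filter rejects it.
        byte[] unexpected = serialize(new java.util.Date());
        try {
            hardenedRead(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point for defenders is that the check must sit inside the deserialization step itself, which is why the page reports no configuration workaround and only a vendor patch as the fix.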
Researchers identified threat activity exploiting this vulnerability beginning January 26, 2026, granting Interlock a 36-day advantage before Cisco’s public disclosure.
Initial exploit attempts involved complex HTTP requests containing embedded URLs specifically designed to deliver configuration data to the targeted firewalls.
A misconfigured attacker staging server eventually exposed Interlock’s multi-stage operational toolkit, providing security teams with unprecedented visibility into their methodology.
Upon gaining network access, operators deploy a comprehensive PowerShell script designed for systematic Windows environment enumeration.
This script maps the target environment by collecting hardware details, virtual machine inventories, and active network connections, compressing the data into host-specific archives for exfiltration.
To maintain persistent administrative control, Interlock uses sophisticated, custom remote access trojans developed in both JavaScript and Java.
The JavaScript variant establishes WebSocket connections using rotating RC4 encryption keys, while the Java variant provides redundant backdoor access through GlassFish libraries.
Furthermore, attackers deploy a memory-resident webshell that dynamically decrypts incoming command payloads to avoid writing detectable files to disk.
Based on temporal artifact analysis, Interlock operators most likely operate from the UTC+3 time zone and focus heavily on sectors where operational disruption maximizes ransom leverage.
The syndicate primarily targets vulnerable organizations across education, manufacturing, healthcare, and critical engineering worldwide.
In a unique extortion tactic, their custom ransom notes cite data protection regulations to threaten victims with compliance fines alongside data encryption.
Because no viable workarounds exist to mitigate this deserialization flaw, immediate software updates are the only definitive defense against this critical vulnerability.
Organizations operating Cisco Secure Firewall Management Center must apply the official security patches immediately to secure their perimeter infrastructure.
Following the patching process, network defenders should thoroughly review indicators of compromise to hunt for any existing memory-resident anomalies within their active environments.