Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access

A new ransomware campaign linked to Interlock has been identified exploiting a critical zero-day vulnerability in Cisco Secure Firewall Management Center (FMC) software, raising fresh concerns about enterprise network security. The flaw, tracked as CVE-2026-20131, carries a maximum severity score and enables attackers to bypass authentication and execute arbitrary Java code with root-level privileges on affected systems. The issue stems from insecure deserialization of user-supplied Java byte streams, making it possible for remote attackers to gain complete control without prior authentication.

According to Amazon Threat Intelligence, the vulnerability has been actively exploited since January 26, 2026, well before its public disclosure by Cisco. Data collected through Amazon’s MadPot global sensor network revealed that attackers had a significant head start, allowing them to compromise systems before defenders were aware of the flaw. The discovery was further supported by an operational lapse from the threat actor, which exposed elements of their infrastructure and toolkit through a misconfigured server. This provided researchers with detailed visibility into the group’s attack chain, including reconnaissance tools, custom malware, and evasion techniques designed to avoid detection.

The attack sequence begins with specially crafted HTTP requests targeting a specific endpoint within Cisco FMC software, enabling execution of malicious Java code. Once access is achieved, the compromised system communicates with an external server to confirm successful exploitation and proceeds to download additional payloads, including ELF binaries linked to Interlock operations. These payloads enable a wide range of post-exploitation activities such as system reconnaissance, remote command execution, and persistent access. The toolkit includes PowerShell scripts for detailed Windows environment enumeration, custom remote access trojans developed in JavaScript and Java, and Linux-based scripts that configure reverse proxy infrastructure to mask attacker origins while aggressively erasing logs to hinder forensic analysis.

Further capabilities observed in the campaign include deployment of memory-resident web shells for executing encrypted commands, lightweight network beacons for validating connectivity, and the use of legitimate remote access tools such as ConnectWise ScreenConnect to maintain persistence. The attackers also leveraged the Volatility Framework for memory analysis, indicating a high level of sophistication in managing compromised environments. Attribution to Interlock is based on converging technical indicators, including ransom note characteristics and Tor-based negotiation infrastructure, with activity suggesting operations aligned to a UTC+3 time zone.

Security experts are advising organizations to apply patches immediately, conduct thorough security assessments, and review deployments of remote access tools to detect unauthorized installations. The incident highlights the ongoing challenge posed by zero-day vulnerabilities, where exploitation occurs before patches are available. Researchers have emphasized the importance of layered security strategies, noting that defense in depth remains critical for mitigating risk during the window between vulnerability discovery and remediation.

The findings also align with broader observations from Google, which noted a shift in ransomware tactics as attackers increasingly target vulnerabilities in VPNs and firewall systems for initial access. Threat actors are also relying more on built-in system tools, compromised credentials, and methods such as malvertising and search engine optimization to distribute malware and establish footholds. While ransomware remains a dominant threat, evolving tactics suggest attackers are diversifying their approaches, including data theft and alternative monetization strategies using compromised infrastructure.
