Amazon’s threat intelligence teams uncovered an Interlock ransomware campaign exploiting a zero-day flaw in Cisco Secure Firewall Management Center (FMC), tracked as CVE-2026-20131. MadPot honeypots recorded exploitation beginning January 26, 2026—36 days before Cisco’s disclosure—and revealed the attackers’ multi-stage toolkit, post-exploitation RATs, memory-resident webshells, and organized data-exfiltration infrastructure, while confirming no impact on Amazon cloud customers. #Interlock #CVE-2026-20131 #CiscoFMC #AmazonMadPot #ConnectWiseScreenConnect
Key points
- Interlock exploited CVE-2026-20131 in Cisco Secure FMC as early as January 26, 2026, giving the group a zero-day advantage.
- The vulnerability allowed unauthenticated remote execution of arbitrary Java code with root privileges on affected FMC devices.
- Amazon MadPot honeypots captured crafted HTTP requests, a memory-resident Java webshell, and verification mechanisms used by the attackers.
- The attackers’ toolkit included multiple RATs (JavaScript and Java), reconnaissance PowerShell scripts, reverse-proxy log erasure, and commercial tools like ConnectWise ScreenConnect to maintain access.
- Infrastructure was organized by target for tool distribution and data collection, with targeting focused on education and critical industries and operator activity consistent with a UTC+3 time zone.
Read More: https://thecyberexpress.com/interlock-fmc-cve-2026-20131/