
Interlock ransomware exploited Cisco firewall zero-day 36 days before disclosure

By Artem Safonov, Threat Analyst
Cover © Anonhaven

Interlock ransomware began hitting Cisco Secure Firewall Management Center (FMC) on January 26. Amazon threat intelligence disclosed on March 18 that the group had exploited CVE-2026-20131 (CVSS 10.0) as a zero-day. Exploitation ran for 36 days before Cisco's March 4 patch. A misconfigured staging server exposed Interlock's full toolkit.

CISA added the flaw to its Known Exploited Vulnerabilities catalog on March 19. Federal agencies have three days to patch.

CVSS 10.0 Java deserialization to root

CVE-2026-20131 is an insecure deserialization flaw in the FMC web management interface. An unauthenticated remote attacker sends a crafted serialized Java object and executes arbitrary code as root. No authentication, no user interaction, low attack complexity. The root cause is CWE-502: the application deserializes user-supplied Java object streams without restricting which classes they may instantiate, so whatever gadget chain the attacker packs into the stream runs with the privileges of the web service, which here is root.

Cisco disclosed it alongside CVE-2026-20079 (CVSS 10.0), an authentication bypass that also reaches root via crafted HTTP requests. Both carry a changed-scope CVSS vector (S:C), and for good reason: a compromised FMC management plane cascades to every Cisco Secure Firewall Threat Defense device it manages. On-premises FMC requires manual patching; Cisco upgraded the SaaS-delivered Security Cloud Control offering automatically.

36 days of zero-day access

Our research found that Interlock was exploiting this vulnerability 36 days before its public disclosure, beginning January 26.

— CJ Moses, CISO, Amazon Integrated Security

Amazon's MadPot honeypot network detected the exploitation. HTTP requests to a specific FMC path carried Java code execution attempts and two embedded URLs. One delivered configuration data for the exploit. The other confirmed success by triggering the target to perform an HTTP PUT uploading a generated file. Amazon analysts mimicked a compromised system, performing the expected PUT. Interlock responded by delivering a malicious ELF binary from a remote server.

The remote server turned out to be Interlock's misconfigured staging host. Artifacts sat in separate paths per target, and the same paths served both for deploying tools and for exfiltrating data.

We appreciate Amazon's partnership on this, and we have updated our security advisory with the latest information.

— Cisco spokesperson

Interlock ransomware negotiation portal. Victims enter an organization ID and email to receive an auth token for the chat session. Source: AWS Security Blog

Six components in the exposed toolkit

A PowerShell reconnaissance script mapped the Windows environment systematically. It collected OS details, running services, Hyper-V VM inventory, and browser artifacts from Chrome, Edge, Firefox, IE, and 360 Browser. It pulled active connections, ARP tables, iSCSI sessions, and RDP authentication events. Results were staged to \\JK-DC2\Temp in hostname-named directories, compressed into ZIP archives, and the raw data was deleted.

Interlock deployed two functionally identical RATs in different languages. The JavaScript implant uses persistent WebSocket connections with RC4 encryption and per-message 16-byte random keys. It provides interactive shell, file transfer, and SOCKS5 proxy capability. The Java implant, built on GlassFish ecosystem libraries (Grizzly for I/O, Tyrus for WebSocket), mirrors every feature. Two RATs in two languages give the operators redundancy if defenders detect one.

A memory-resident webshell registered a ServletRequestListener with the server's StandardContext (Tomcat's per-application context object). Incoming requests with crafted parameters are decrypted with AES-128; the key is derived from the MD5 of a hardcoded seed, the first 16 hex characters of which are 09b1a8422e8faed0. Decrypted payloads are loaded as Java bytecode and executed in memory. Nothing touches disk.

A Bash script configured Linux servers as disposable HTTP reverse proxies. It compiled HAProxy 3.1.2 from source and forwarded all port 80 traffic to a hardcoded IP. A cron job ran every five minutes to truncate all logs under /var/log and unset HISTFILE.
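The proxy node's tradecraft leaves host-level artifacts that are easy to hunt for. The Python below is an added example written for this article, not Interlock's script and not anything recovered by Amazon: it runs a few rules over constructed crontab and setup-script text modelled on the behaviour described above (HAProxy built from source, port 80 forwarded to a fixed upstream, every log under /var/log truncated on a five-minute schedule, HISTFILE unset). The sample inputs, rule names and the 203.0.113.10 upstream address are assumptions made for the example.

```python
import re

# Constructed sample inputs modelled on the behaviour described in the article.
# They are NOT the recovered Interlock script; the upstream address is a documentation IP.
SAMPLE_SETUP_SCRIPT = """\
#!/bin/bash
apt-get install -y build-essential libssl-dev libpcre2-dev
curl -sO "$HAPROXY_SRC_URL"
tar xzf haproxy-3.1.2.tar.gz && cd haproxy-3.1.2 && make TARGET=linux-glibc USE_OPENSSL=1 && make install
cat > /etc/haproxy/haproxy.cfg <<'EOF'
frontend http-in
    bind *:80
    default_backend upstream
backend upstream
    server next 203.0.113.10:80
EOF
"""

SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * for f in /var/log/*; do : > "$f"; done; unset HISTFILE
"""

LOG_DIR = re.compile(r"/var/log\b")
# Shell idioms that empty or delete files: ': > f', 'truncate -s 0 f', 'rm -rf f', 'find ... -delete', 'shred'.
WIPE_IDIOM = re.compile(r":\s*>|\btruncate\s+-s\s*0\b|\brm\s+-\w*f\w*\s|\bfind\b.*-delete\b|\bshred\b")
HISTORY_TAMPER = re.compile(r"\bunset\s+HISTFILE\b|\bHISTFILE=/dev/null\b|\bHISTSIZE=0\b|\bhistory\s+-c\b")
HAPROXY_BUILD = re.compile(r"\bhaproxy\b.*\bmake\b|\bmake\b.*\bhaproxy\b", re.IGNORECASE)
CRON_EVERY_N = re.compile(r"^\*/(\d+)\s")   # crontab minute field of the form */N


def scan_shell_text(text: str, source: str) -> list:
    """Apply the rules line by line; return one finding per line that trips at least one rule.
    A flagged cron line that also runs every five minutes or faster gets a frequency tag,
    which is what separates a routine logrotate job from five-minute log destruction."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rules = []
        if LOG_DIR.search(line) and WIPE_IDIOM.search(line):
            rules.append("log-wiping")
        if HISTORY_TAMPER.search(line):
            rules.append("history-tampering")
        if HAPROXY_BUILD.search(line):
            rules.append("haproxy-from-source")
        m = CRON_EVERY_N.match(line)
        if rules and m and int(m.group(1)) <= 5:
            rules.append(f"scheduled every {m.group(1)} min")
        if rules:
            findings.append({"source": source, "line": lineno, "rules": rules, "text": line})
    return findings


def triage_host(script: str = SAMPLE_SETUP_SCRIPT, crontab: str = SAMPLE_CRONTAB) -> list:
    """Scan both constructed artifacts; on a real host feed it the files from /etc/cron* and ~/."""
    return scan_shell_text(script, "setup.sh") + scan_shell_text(crontab, "crontab")


if __name__ == "__main__":
    for f in triage_host():
        print(f"{f['source']}:{f['line']} {', '.join(f['rules'])}\n    {f['text']}")
```

On a real Linux host the same function can be pointed at /etc/crontab, the /etc/cron.d files, each user's crontab and any setup scripts left in /tmp or /root; the five-minute frequency tag is the part worth alerting on, since log truncation alone also appears in legitimate maintenance jobs.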

ConnectWise ScreenConnect provided redundant remote access. Volatility harvested credentials from RAM dumps. Certify targeted Active Directory Certificate Services misconfigurations for persistent access.

Healthcare, education, and critical infrastructure

Interlock emerged as a ransomware operation in late 2024 and has claimed at least 40 victims. DaVita, the kidney dialysis provider, was hit in March 2025. DaVita's SEC filing confirmed 2.69 million individuals affected and $13.5 million in incident costs in Q2 2025. Kettering Health, an Ohio hospital network, lost systems on May 20, 2025. Interlock disrupted chemotherapy sessions and pre-surgery appointments, then leaked 941 GB including cancer patients' personal details.

In July 2025, CISA, FBI, HHS, and MS-ISAC issued a joint alert on Interlock's TTPs. Amazon's temporal analysis of recovered artifacts places the operators in UTC+3 with 75-80% confidence. Activity starts around 08:30, peaks between 12:00 and 18:00, and drops to zero between 00:30 and 08:30. UTC+3 covers Moscow, Minsk, Istanbul, and Riyadh.

Per-target customization defeats signatures

Interlock modifies scripts and binaries for each target. Functionally identical tools produce different file hashes across victims. Amazon published network IOCs (IPs, domains, TLS JA3/JA4 fingerprints) instead of file hashes because signature-based matching is unreliable against this group.

Per-target polymorphism, memory-resident webshells, log destruction every five minutes, and self-deleting implants. Interlock's operational tradecraft sits closer to state-sponsored APT groups than to typical ransomware crews.

— Artem Safonov, Threat Analyst at AnonHaven

Patches and IOCs

Cisco released patches for both CVEs on March 4, 2026. CISA's March 19 KEV entry gives federal agencies a three-day remediation deadline. Amazon confirmed that AWS infrastructure and customer workloads were not involved in the campaign.

Apply FMC patches and review logs for the published IOCs. Key exploit source IPs include 206.251.239[.]164, 199.217.98[.]153, and 89.46.237[.]33. C2 domains include browser-updater[.]com and os-update-server[.]com. Watch for Java ServletRequestListener registrations in web app contexts and HAProxy installations with aggressive log deletion.
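As an added example, and not Amazon's or Cisco's tooling, the Python below combines the two log-review checks this article implies: matching request records against the published IP and domain IOCs above, and spotting the one thing an exploit for the deserialization flaw described earlier must carry, a Java object serialization stream, whether it arrives raw (magic bytes AC ED 00 05), base64-encoded (prefix rO0AB) or hex-encoded. The parser reads only the leading class descriptor of the stream, which is enough to name the entry-point class of a payload for triage. The request records and the java.util.HashMap header are constructed sample data; no actual FMC path or exploit payload is reproduced, and the record field names are an assumption.

```python
import base64
import re
import struct

# Network IOCs as published in the article (defanged there, usable here).
IOC_IPS = {"206.251.239.164", "199.217.98.153", "89.46.237.33"}
IOC_DOMAINS = {"browser-updater.com", "os-update-server.com"}

# Java serialization stream layout (java.io.ObjectStreamConstants):
#   STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005, then TC_OBJECT 0x73, TC_CLASSDESC 0x72,
#   className as a 2-byte-length UTF string, serialVersionUID (8), flags (1), field count (2), ...
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72


def java_stream_class(data: bytes):
    """Name the first class descriptor in a Java object stream, or None if data is not one."""
    if not data.startswith(JAVA_STREAM_MAGIC) or len(data) < 8:
        return None
    if data[4] != TC_OBJECT or data[5] != TC_CLASSDESC:
        return "<stream without leading object>"
    (n,) = struct.unpack(">H", data[6:8])
    name = data[8:8 + n]
    return name.decode("utf-8", "replace") if len(name) == n else "<truncated descriptor>"


BASE64_STREAM = re.compile(rb"rO0AB[A-Za-z0-9+/]{4,}={0,2}")   # base64 of AC ED 00 05 starts 'rO0AB'
HEX_STREAM = re.compile(rb"(?i)aced0005(?:[0-9a-f]{2}){4,}")


def find_serialized_java(body: bytes):
    """Return (encoding, leading class) if the body carries a Java object stream, else (None, None)."""
    if JAVA_STREAM_MAGIC in body:
        return "raw", java_stream_class(body[body.index(JAVA_STREAM_MAGIC):])
    m = BASE64_STREAM.search(body)
    if m:
        chunk = m.group(0)
        chunk = chunk[: len(chunk) - len(chunk) % 4]      # drop a trailing partial quantum
        try:
            return "base64", java_stream_class(base64.b64decode(chunk))
        except ValueError:                                 # binascii.Error is a ValueError
            pass
    m = HEX_STREAM.search(body)
    if m:
        return "hex", java_stream_class(bytes.fromhex(m.group(0).decode("ascii")))
    return None, None


# Constructed header of a serialized java.util.HashMap (real class name and serialVersionUID
# 362498820763181265L = 0x0507DAC1C31660D1), cut after the field count. It stands in for a
# payload body in the samples; it is not an exploit.
HASHMAP_HEADER = (
    JAVA_STREAM_MAGIC
    + bytes([TC_OBJECT, TC_CLASSDESC])
    + b"\x00\x11java.util.HashMap"
    + b"\x05\x07\xda\xc1\xc3\x16\x60\xd1"
    + b"\x03\x00\x02"
)

# Constructed request records (assumed field names); only the first source IP and the last host are IOCs.
SAMPLE_REQUESTS = [
    {"src_ip": "206.251.239.164", "host": "fmc.corp.example", "body": HASHMAP_HEADER + b"\x00" * 16},
    {"src_ip": "198.51.100.7", "host": "fmc.corp.example", "body": b"data=" + base64.b64encode(HASHMAP_HEADER)},
    {"src_ip": "10.0.0.5", "host": "fmc.corp.example", "body": b'{"user":"admin","page":1}'},
    {"src_ip": "10.0.0.12", "host": "browser-updater.com", "body": b""},
]


def review_requests(records=SAMPLE_REQUESTS) -> dict:
    """Map record index -> findings for records that match an IOC or carry a Java object stream."""
    hits = {}
    for i, rec in enumerate(records):
        found = []
        src = rec.get("src_ip")
        if src in IOC_IPS:
            found.append(f"source {src} is a published exploit source IP")
        host = rec.get("host", "").lower().rstrip(".")
        if host in IOC_DOMAINS:
            found.append(f"host {host} is a published C2 domain")
        enc, cls = find_serialized_java(rec.get("body", b""))
        if enc:
            found.append(f"Java object stream ({enc}), leading class {cls}")
        if found:
            hits[i] = found
    return hits


if __name__ == "__main__":
    for i, findings in review_requests().items():
        print(f"record {i}:")
        for f in findings:
            print("   ", f)
```

The stream check matters more than the IOC lists: the IPs and domains are what Amazon saw, while any request that delivers a Java object stream to a management interface is suspicious on its own, and the leading class name tells an analyst at a glance whether it is a known gadget-chain entry point.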

Internet-reachable FMC interfaces from January 26 through March 4 should be treated as potentially compromised. A compromised FMC controls every firewall policy it manages.


Questions on the topic

How did Interlock ransomware exploit the Cisco firewall zero-day?
Interlock sent crafted serialized Java objects to Cisco FMC's web interface, exploiting CVE-2026-20131 (CVSS 10.0) for unauthenticated root access. The group operated for 36 days before Cisco's March 4 patch, deploying dual-language RATs, a memory-resident webshell, and disposable HAProxy reverse proxies with scheduled log destruction.