Interlock Ransomware - Exploiting Cisco FMC Zero-Day Flaw
Basically, a dangerous ransomware is using a flaw in Cisco software to take control of systems.
A new ransomware campaign is exploiting a critical flaw in Cisco's software. Organizations using Cisco FMC are at risk of severe breaches. Immediate patching and security assessments are crucial to protect against this threat.
What Happened
Amazon Threat Intelligence has issued a warning about an active ransomware campaign led by Interlock. This group is exploiting a critical zero-day vulnerability, identified as CVE-2026-20131, in Cisco's Secure Firewall Management Center (FMC) Software. The vulnerability, which has a CVSS score of 10.0, allows unauthenticated remote attackers to bypass authentication and execute arbitrary Java code as root on affected devices. This exploit has reportedly been active since January 26, 2026, well before it was publicly disclosed by Cisco.
The discovery of this exploit was partly due to a misconfigured infrastructure server used by the attackers, which inadvertently exposed their operational toolkit. This toolkit provides insights into their multi-stage attack chain and the sophisticated methods they employ to compromise systems.
Who's Being Targeted
Organizations using Cisco FMC software are at significant risk from this ransomware campaign. The attack targets systems that have not yet been patched against this critical vulnerability. The Interlock group is known for its advanced tactics, and their use of a zero-day exploit gives them a considerable advantage over defenders. As the vulnerability is actively being exploited, many organizations may already be compromised without their knowledge.
The implications of this attack are severe, as it not only affects the integrity of the systems but also poses a risk to sensitive data that may be stored within these environments. Organizations must remain vigilant and proactive in their security measures to protect against such threats.
Signs of Infection
Indicators of compromise from the Interlock ransomware campaign include unusual HTTP requests directed at specific paths within the Cisco FMC software. Once the exploit is successful, the compromised systems may attempt to communicate with external servers, confirming the successful execution of the malicious code.
Other signs may include the presence of unknown scripts or binaries on affected devices, particularly those related to reconnaissance and remote access. Organizations should also be on the lookout for any unauthorized installations of remote access tools, such as ConnectWise ScreenConnect, which are commonly used by attackers for persistent access.
How to Protect Yourself
Organizations are advised to take immediate action by applying patches for the CVE-2026-20131 vulnerability. Conducting thorough security assessments can help identify any potential compromises. It is crucial to review all deployments of remote access software for unauthorized installations and implement robust defense-in-depth strategies to mitigate risks.
Additionally, maintaining a layered security approach is essential. This includes rapid patching of known vulnerabilities, continuous monitoring for unusual activity, and employing advanced threat detection solutions. As the landscape of ransomware evolves, organizations must adapt their security practices to stay one step ahead of attackers.