Interlock Ransomware Exploits Cisco FMC Zero-Day Campaign
🛡️ Amazon Threat Intelligence identified an active Interlock ransomware campaign exploiting CVE-2026-20131 in Cisco Secure Firewall Management Center, with exploitation observed beginning January 26, 2026—36 days before Cisco publicly disclosed the flaw on March 4, 2026. A misconfigured attacker-controlled staging server exposed Interlock's full operational toolkit, including custom remote access trojans, reconnaissance scripts, a fileless Java webshell, and infrastructure-laundering scripts. Organizations running Cisco Secure FMC should immediately apply Cisco patches, review the provided indicators of compromise, and hunt for signs of lateral movement and data staging.
