An active campaign by the Interlock ransomware group is targeting Cisco firewalls, according to a recent advisory from Amazon Web Services (AWS). The threat actors are exploiting CVE-2026-20131, a critical vulnerability (CVSS 10.0) in the web-based management interface of Cisco's Secure Firewall Management Center (FMC) software. If successfully exploited, the flaw allows an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.
Cisco disclosed the vulnerability on March 4, noting in an advisory that the issue stems from "insecure deserialization of a user-supplied Java byte stream." To exploit the flaw, an attacker would send a crafted serialized Java object to the web-based management interface of a vulnerable device.
CVE-2026-20131 affects all unpatched versions of Cisco Secure FMC Software and Cisco Security Cloud Control (SCC). Because SCC is a software-as-a-service (SaaS) product, Cisco upgrades it without requiring user action. However, organizations operating on-premises FMC deployments should immediately upgrade to a fixed release to secure their environments. Cisco confirmed that its Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software are not affected. We recommend system administrators use the Cisco Software Checker to verify their exposure and apply updates.
On March 18, CJ Moses, Chief Information Security Officer of Amazon Integrated Security, published findings detailing how the Interlock group leverages this vulnerability. Interlock is a financially motivated threat actor recognized for dual-extortion tactics involving both data encryption and data exfiltration.
Following Cisco's public disclosure, Amazon researchers determined that Interlock had been utilizing CVE-2026-20131 as early as January 26, effectively operating with an undisclosed vulnerability. During their investigation, Amazon identified a misconfigured infrastructure server that exposed the group's complete operational toolkit.
"This rare mistake provided Amazon's security teams with visibility into the ransomware group's multi-stage attack chain, custom remote-access Trojans (backdoor programs that give attackers control of compromised systems), reconnaissance scripts (automated tools for mapping victim networks), and evasion techniques," Moses stated.
Analysis of Interlock's operational toolkit
Once the threat actors achieve initial access through the firewall software flaw, they run automated scripts, including a PowerShell sequence, to enumerate the Windows environment. This tool gathers system data and creates a directory on the attackers' external server to store the information collected from each affected machine.
Following enumeration, the group deploys a remote-access Trojan (RAT) to establish persistent command and control (C2). Amazon's analysis revealed that Interlock uses both JavaScript-based and Java-based RATs. Moses observed that this redundancy helps the group maintain access if security teams detect and isolate one version of the software.
The exposed server also contained a disposable relay network built with a Bash script to obscure the threat actor's origin, a memory-resident tool designed to bypass standard antivirus detection, connectivity verification scripts, and legitimate remote-management software intended as a fallback access method.
While comprehensive toolkits are common, Moses noted that combining these capabilities with an undisclosed critical vulnerability presents a significant challenge for network defenders.
"The real story here isn't just about one vulnerability or one ransomware group, it's about the fundamental challenge zero-day exploits pose to every security model. When attackers exploit vulnerabilities before patches exist, even the most diligent patching programs can't protect you in that critical window," Moses wrote. "This is precisely why defense in depth is essential — layered security controls provide protection when any single control fails or hasn't yet been deployed."
AWS has provided indicators of compromise (IoCs) and specific detection recommendations in its advisory to assist security teams in identifying unauthorized activity.
Securing edge devices
Edge computing devices and network gateways remain frequent targets for unauthorized access. A recent H1 2025 Malware and Vulnerability Trends report from Recorded Future indicated that edge security and gateway devices, such as firewalls and VPNs, accounted for 17% of vulnerabilities exploited by threat actors in the first half of that year.
Vincenzo Iozzo, CEO and cofounder at identity vendor SlashID, explained to Dark Reading that firewalls present an attractive target because they are inherently internet-facing and highly accessible. Historically, these systems often rely on proprietary software "riddled with vulnerabilities" and sometimes lack sufficient internal detection telemetry. Furthermore, Iozzo noted they "tend to be useful as a pivot point for attackers that want to move laterally into a victim's network."
Jeff Liford, associate director at cyber disaster recovery firm Fenix24, observed that the firewall industry faced substantial security pressure over the past year, prompting major vendors to patch multiple critical flaws.
"In our incident response work throughout 2025, we saw firewall compromise act as the initial entry point in a significant number of ransomware cases," Liford stated. "These devices are often mission-critical. However, they are sometimes under-maintained, making them attractive targets."