Interlock exploits a zero-day in Cisco FMC via insecure deserialization and forces a rethink of layered defense

Published - 6 min read

Recently, Amazon's threat intelligence team warned of an active ransomware campaign, attributed to the group known as Interlock, that is exploiting a critical flaw in Cisco Secure Firewall Management Center (FMC) software. According to Amazon's report, the vulnerability, tracked as CVE-2026-20131 and rated with the maximum CVSS score according to that report, is a case of insecure deserialization of user-supplied Java byte streams that would allow a remote, unauthenticated attacker to bypass controls and run arbitrary Java code with root privileges on affected devices. The number alone does not explain why this is dangerous: insecure deserialization has been exploited repeatedly to obtain remote code execution when applications accept serialized data without validating it properly, and the security community has been warning about this class of risk for years (OWASP - Insecure Deserialization).

What makes this incident particularly worrying is that, according to Amazon, exploitation began as a zero-day several weeks before Cisco disclosed the vulnerability. The detection came from the global sensors Amazon operates for threat monitoring; after confirming the malicious activity, Amazon shared its findings with Cisco to assist the investigation. When a vulnerability is exploited before a patch exists, organizations remain exposed during that critical period even if they normally apply updates quickly.


The attack chain described by Amazon begins with specially crafted HTTP requests to a specific FMC endpoint, designed to trigger the malicious deserialization and thereby execute Java code. After this first stage, the compromised device issues an HTTP PUT request to an external server to confirm successful exploitation, then downloads and runs an ELF binary that serves as a gateway for the actor's other tools. Amazon further notes that, because of an operational mistake by the criminal group itself, part of its infrastructure and tooling was exposed on a misconfigured server, which allowed researchers to reconstruct a very complete attack flow and catalogue the artifacts and techniques.

The tools attributed to the campaign include PowerShell reconnaissance scripts that gather extensive information about Windows environments, remote access implants written in Java and JavaScript with SOCKS5 proxy and file transfer capabilities, Bash scripts to prepare Linux servers as reverse proxies and remove traces, an in-memory web shell that decodes and executes commands received in HTTP requests, and a small network beacon to check the availability of attacker-controlled infrastructure. The use of ConnectWise ScreenConnect to maintain persistent access in compromised environments is also mentioned. Taken together, the artifacts show a complete intrusion pattern: initial access, tool download, reconnaissance, establishment of control channels, and measures to hide and maintain presence.

Forensic evidence and technical indicators, including a ransom note and a portal on the Tor network, allow Amazon to link the operation to Interlock. The operational analysis also suggests that the operators were active during hours consistent with the UTC+3 time zone, a detail that helps profile their routine and correlate activity in network and system logs.

This episode fits broader changes that several intelligence teams are observing: as ransom payment rates fall, many groups have shifted tactics to prioritize access through vulnerabilities in network devices and remote access software, or to exploit stolen credentials and legitimate tools already installed on the network. The result is a stronger preference for vectors that provide reliable initial access and for techniques that hinder tracking and attribution, rather than relying exclusively on "external" malware. To keep up with changes in the threat landscape, security agencies and vendors publish analyses that track these trends, such as CISA's ransomware guidance (CISA - Stop Ransomware) or security vendors' own reports.

What can and should organizations do now? First, apply the patches and mitigations published by the vendor for Cisco FMC as soon as they are available and verify the versions running in their environments. In parallel, it is prudent to conduct compromise assessments that include searching network and application logs for indicators of exploitation, reviewing installations of remote access tools such as ScreenConnect to detect unauthorized deployments, and analysing the integrity of systems that may have downloaded binaries or foreign code. Effective defense requires a layered strategy: fast patching, network segmentation, egress controls, endpoint detection, and continuous log monitoring.

It is also necessary to strengthen the operational controls that limit the impact of an intrusion: apply the principle of least privilege, protect credentials with multifactor authentication, audit administrative access, and enable monitoring that alerts on abnormal behaviour, such as outbound connections to unusual servers or processes that download binaries. To mitigate specific techniques used by attackers, tools such as fail2ban can help harden exposed services and reduce noise from automated access attempts (tutorial on fail2ban), while memory and forensic analysis solutions may be key to detecting web shells resident in RAM; projects such as Volatility are a reference in this field (Volatility Foundation).
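As an added illustration of the log monitoring recommended above (this is not code from the original article or from Amazon's report), the following Python script correlates two signals from the attack chain the article describes: an outbound HTTP PUT from a management host to a non-allowlisted server, followed shortly by a binary download from that same server. The log format, the allow-list, the host names and the addresses are constructed assumptions.

```python
"""Correlate egress-log events matching the chain above (constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress log in an assumed format:
# timestamp src_host method dest_host path response_content_type
SAMPLE_LOG = """\
2026-02-10T08:00:01Z fmc-01 GET updates.example.internal /manifest.json application/json
2026-02-10T08:02:10Z fmc-01 PUT 203.0.113.45 /ack text/plain
2026-02-10T08:02:15Z fmc-01 GET 203.0.113.45 /stage application/octet-stream
2026-02-10T08:05:00Z web-07 GET cdn.example.internal /app.js application/javascript
2026-02-10T09:30:00Z fmc-02 PUT 198.51.100.9 /backup text/plain
"""

ALLOWED_DEST = {"updates.example.internal", "cdn.example.internal"}  # assumed allow-list
WINDOW = timedelta(minutes=5)  # assumed pairing window between the PUT and the download
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|PUT|POST) (\S+) (\S+) (\S+)$")

def parse(log_text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, dst, path, ctype = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "method": method, "dst": dst,
                       "path": path, "ctype": ctype})
    return events

def find_suspicious_chains(events, allowed=ALLOWED_DEST, window=WINDOW):
    """High-confidence signal: a host sends a PUT to a non-allowlisted server and then
    fetches a binary (octet-stream) from that same server within `window`."""
    puts, hits = defaultdict(list), []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["dst"] in allowed:
            continue
        key = (e["src"], e["dst"])
        if e["method"] == "PUT":
            puts[key].append(e["ts"])
        elif e["method"] == "GET" and e["ctype"] == "application/octet-stream":
            if any(timedelta(0) <= e["ts"] - t <= window for t in puts[key]):
                hits.append(key)
    return hits

def unapproved_egress(events, allowed=ALLOWED_DEST):
    """Lower-confidence signal: every (host, destination) pair outside the allow-list."""
    return sorted({(e["src"], e["dst"]) for e in events if e["dst"] not in allowed})
```

In the sample, only fmc-01 shows the full PUT-then-binary pattern, while fmc-02's lone PUT surfaces only in the lower-confidence allow-list check, which is the triage order an analyst would want.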


The broader lesson from this case is not new, but it is urgent: zero-day vulnerabilities are the hardest part of defense, because they appear before patches or signatures exist and blunt the effectiveness of even well-run update programs. Having multiple protective layers together with rapid detection and response capabilities is therefore what lets an organisation buy time and minimize damage in the window between initial exploitation and final remediation. Security teams and IT leaders should take this incident as a reminder to validate their response procedures, rehearse compromise scenarios on edge devices, and prioritize visibility and segmentation in critical architectures.

Finally, sharing information with third parties and with the vulnerable vendor was crucial in this case: collaboration between those who detected the activity and the manufacturer accelerated the collective response. In an environment where attackers constantly adjust their methods, cooperation, the exchange of indicators, and the monitoring of official bulletins are essential to protecting critical infrastructure.

For those who want to go deeper into the technical details and full recommendations, Amazon Threat Intelligence's report on this campaign offers a detailed analysis and can be consulted on the AWS security blog (Amazon Threat Intelligence - report), while agency best-practice guides such as CISA's offer practical steps for ransomware preparation and response (CISA - Stop Ransomware).
