On March 18, 2026, Amazon Threat Intelligence issued an urgent warning: the Interlock ransomware group has been actively exploiting CVE-2026-20131, a maximum-severity zero-day in Cisco Secure Firewall Management Center, since at least January 26, 2026 — 36 days before Cisco publicly disclosed or patched the flaw on March 4. CISA has since added the vulnerability to its Known Exploited Vulnerabilities catalog with a federal remediation deadline. Organizations running unpatched FMC software should treat this as an active emergency.
On March 4, 2026, Cisco released fixes for 48 vulnerabilities across its security product line, two of which — CVE-2026-20079 and CVE-2026-20131 — carry a CVSS score of 10.0, the highest possible rating. Both affect the web-based management interface of Cisco Secure Firewall Management Center (FMC), a platform Cisco itself describes as the "administrative nerve center" for firewall management, application control, intrusion prevention, URL filtering, and malware protection. Compromising it doesn't just hand an attacker one system. It hands them the keys to an organization's entire network perimeter.
What makes this disclosure uniquely alarming is the gap between exploitation and patch. According to data gathered from Amazon Web Services' MadPot global sensor network, Interlock had already been exploiting CVE-2026-20131 as a zero-day for over five weeks when Cisco finally issued its advisory. That window represents dozens of potential victims who had no patch, no public advisory, and no way to know the vulnerability even existed.
This is not a compromised endpoint. The FMC is the system that defines what your firewalls allow and block. Once it falls, the attacker doesn't just have access to one machine — they can rewrite the rules that protect every other machine. The trust boundary is inverted: the tool built to enforce security becomes the tool that disables it. That is why CVSS rates the Scope as "Changed" and why the score reaches a perfect 10.0.
What CVE-2026-20131 Is and Why It Scores a Perfect 10
CVE-2026-20131 is a remote code execution vulnerability rooted in insecure deserialization. In plain terms: the FMC web interface accepts Java serialized objects from the network without first validating who is sending them or what they contain. An unauthenticated attacker — someone with no credentials, no prior foothold — can send a specially crafted serialized Java object directly to the management interface and trigger arbitrary code execution with root-level privileges.
The technical mechanism involves what researchers call a "gadget chain." Because the FMC application uses common Java libraries — such as Apache Commons Collections or Spring — an attacker can manipulate pre-existing classes already loaded in the application's Java Virtual Machine (JVM). By crafting an object graph that exploits how the JVM reconstructs serialized objects, the attacker causes the application to execute arbitrary operating system commands during the deserialization process itself, entirely bypassing application logic. No authentication prompt is ever reached.
Think of it this way: the FMC has a front door (the login page) and a mail slot (the serialization endpoint). The front door has a lock. The mail slot doesn't — it just accepts packages and unpacks them automatically. Interlock's exploit is the equivalent of sliding a package through the mail slot that, when the system unpacks it, reassembles itself into a person standing inside the building with the master key. The FMC never asked who was sending the package. The vulnerability is not in what the package contains. It is in the act of opening it.
"A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device." — Cisco Security Advisory cisco-sa-fmc-rce-NKhnULJh
Every metric in the CVSS vector scores at maximum severity. Remotely exploitable, zero complexity, no credentials, no user interaction. But the field that elevates this from a 9.8 to a perfect 10.0 is Scope: Changed — meaning a successful exploit on the FMC extends the blast radius to every managed Cisco Firewall Threat Defense (FTD) device under its control. The attacker isn't confined to the system they compromised. They inherit control of the policy layer for the entire perimeter.
There are no workarounds. Cisco has confirmed that standard mitigations — disabling specific services, changing configurations — are ineffective because the vulnerability lives in the core startup and management logic of the FMC. The only remediation is upgrading to a fixed software release. The advisory does note that if the FMC management interface lacks public internet exposure, the attack surface is reduced — but not eliminated, since many enterprise FMC deployments are accessible from broad internal network segments that an attacker with any foothold could reach.
CVE-2026-20131 also affects Cisco Security Cloud Control (SCC) Firewall Management. Cisco states it has already upgraded that cloud-hosted service as part of routine maintenance, so no action is required for SCC customers. On-premises FMC deployments are the primary concern. On March 19, 2026, CISA added CVE-2026-20131 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active use in ransomware campaigns and ordering U.S. federal agencies to remediate by March 22, 2026. CVE-2026-20131 is the third Cisco vulnerability flagged as exploited as a zero-day since the start of 2026, following CVE-2026-20127 in Cisco Catalyst SD-WAN Controller and CVE-2026-20045 in Cisco unified communications products.
Patch immediately. Affected FMC versions include 6.x (all versions), 7.0.x (prior to 7.0.6.3), 7.2.x (prior to 7.2.5.1), and 7.4.x (prior to 7.4.2.1). Use Cisco's Software Checker to confirm whether your FMC version is affected and identify the correct fixed release. If patching is not immediately possible, isolate the FMC management interface from untrusted networks using firewall rules or ACLs, and audit all FMC user accounts for unauthorized additions or modifications.
How Interlock Weaponized the Zero-Day: The Full Attack Chain
Amazon Threat Intelligence's disclosure, informed by telemetry from the MadPot global sensor network, describes a precise and deliberate attack sequence. Interlock's exploitation of CVE-2026-20131 follows a multi-stage process that begins with a single crafted HTTP request and ends with ransomware encryption across compromised infrastructure.
The initial exploitation step involves sending a specially crafted HTTP request to a specific path within the FMC web interface. This triggers the insecure deserialization flaw and causes arbitrary Java code to execute as root. The compromised system then issues an HTTP PUT request to an external server — a callback that confirms successful exploitation to the attacker's infrastructure. Once that beacon is received, the attacker sends commands to download an ELF binary from a remote server. That binary is linked to additional Interlock tooling and serves as the staging vehicle for everything that follows.
From there, Interlock's established post-exploitation playbook takes over. The group uses tools including Cobalt Strike, AnyDesk, PuTTY, and ScreenConnect for lateral movement and persistence, alongside custom implants such as Interlock RAT and NodeSnake RAT for command-and-control. Credential harvesting relies on custom stealers alongside commodity tools such as Lumma Stealer and Berserk Stealer, as well as Certify — an offensive security tool that exploits Active Directory Certificate Services misconfigurations. For data exfiltration — the engine of the group's double extortion leverage — Interlock routes stolen data through AzCopy to Azure blob storage, a technique that exploits the trustworthiness of Microsoft infrastructure to evade network-level detection.
- Cobalt Strike
- AnyDesk
- PuTTY
- ScreenConnect
- RDP (native)
- Interlock RAT
- NodeSnake RAT
- SystemBC
- Slopoly (AI-generated)
- Lumma Stealer
- Berserk Stealer
- Certify (AD CS)
- Custom keylogger
- Hotta Killer (BYOVD)
- Process hollowing
- Log wiping
- conhost.exe masquerade
- AzCopy → Azure Blob
- WinSCP
- AES + RSA hybrid
- .interlock / .1nt3rlock
- Self-deleting encryptor
Ransomware payloads are typically disguised as conhost.exe, a name chosen to blend with legitimate Windows processes. The encryption routine combines AES and RSA algorithms and appends either .interlock or .1nt3rlock extensions to encrypted files. The encryptor is then deleted post-execution to complicate forensic recovery.
Amazon Threat Intelligence's researchers linked this campaign to Interlock through what they describe as convergent technical and operational indicators — specifically the embedded ransom note format and the TOR-based negotiation portal. A misconfigured infrastructure server used by the attackers inadvertently exposed their full toolkit, including reconnaissance scripts, custom RATs, and evasion mechanisms, organized by victim in separate directories. The evidence also suggests the threat actor operates within the UTC+3 time zone, a data point consistent with findings from other Interlock investigations.
"This wasn't just another vulnerability exploit; Interlock had a zero-day in their hands, giving them a week's head start to compromise organizations before defenders even knew to look." — CJ Moses, CISO of Amazon Integrated Security (via AWS Security Blog)
The ransom notes generated by Interlock do not include an initial ransom demand or payment instructions. Instead, victims receive a unique code and are directed to contact the group through the TOR portal to begin negotiation. This design creates a pressure dynamic: the victim must initiate contact, placing them immediately in a reactive position while the clock runs on data publication threats.
This is deliberate behavioral design. By withholding the demand, Interlock forces the victim to take the first action — psychologically shifting from "we were attacked" to "we are negotiating." That reframe matters. Once an organization is actively engaging with the threat actor, the sunk-cost fallacy begins to work: having already invested effort in negotiation, walking away feels harder. The latest versions of Interlock's ransom notes have also begun citing specific data protection regulations, weaponizing the victim's own compliance obligations as additional leverage.
Who Is Interlock? A Group Built to Evolve
- Also tracked as
- Nefarious Mantis, Hive0163
- First observed
- September 2024
- Confirmed victims
- 96+ as of February 2026
- Motivation
- Financial (double extortion)
- Operating model
- Private group, not RaaS
- Primary targets
- Healthcare, education, government
- Average dwell time
- 15 to 24 days
- Possible links
- Rhysida, Vice Society (unconfirmed)
Interlock first emerged in September 2024 and has operated at the intersection of targeted intrusion and financially motivated ransomware ever since. The group is tracked under multiple designations, including Nefarious Mantis by some threat intelligence firms and Hive0163 by IBM X-Force. It is not a Ransomware-as-a-Service (RaaS) operation. In a January 2026 analysis, FortiGuard Labs researchers noted that Interlock appears to be a smaller, dedicated group of operators who develop and maintain their own malware across the full attack lifecycle — an unusual level of vertical integration that gives them tighter operational security and faster iteration cycles.
The group has claimed over 60 victims since its founding, with more than 50 of those coming in 2025 alone, according to analysis by Forescout. Ransomware tracking platform Ransomware.live counted at least 96 Interlock victims as of February 2026. A joint advisory issued on July 22, 2025 by the FBI, CISA, the Department of Health and Human Services, and the Multi-State Information Sharing and Analysis Center identified Interlock as a significant threat to healthcare organizations in particular — with roughly a third of their confirmed 2025 incidents targeting healthcare providers directly. Named healthcare victims include the kidney dialysis provider DaVita, Texas Tech University Health Sciences Center, and Kettering Health in Ohio.
When Interlock hit Kettering Health in May 2025, chemotherapy sessions were canceled. Pre-surgery appointments were postponed. Emergency patients were diverted to other facilities. The ransomware group later published cancer patient records when the ransom went unpaid. This is not abstract. When a threat actor deliberately targets organizations where operational downtime intersects with patient safety, they are making a calculated bet that the cost of not paying exceeds the cost of paying — and that the organization's ethical obligation to its patients will override its security team's recommendation. Every day that a Cisco FMC running CVE-2026-20131 sits unpatched in a healthcare environment is a day that bet remains open.
What makes Interlock difficult to defend against is its consistent willingness to adopt new initial access techniques. The group began with drive-by downloads from compromised websites, using traffic distribution systems to serve fake browser update prompts. By January 2025, researchers at Sekoia observed them pivoting to ClickFix attacks — a technique that uses fraudulent CAPTCHA pages or browser error messages to trick users into manually pasting and executing malicious PowerShell commands through the Windows Run dialog. Interlock also expanded to FileFix, an adaptation that routes the same malicious commands through the Windows File Explorer address bar. By February 2025, the group had begun impersonating enterprise security software such as FortiClient VPN and Cisco AnyConnect in its fake updater campaigns.
Their post-exploitation toolkit has kept pace. In a January 29, 2026 report, FortiGuard Labs documented a novel process-killing utility Interlock developed called "Hotta Killer," which exploits CVE-2025-61155, a vulnerability in a gaming anti-cheat driver (GameDriverX64.sys) from the game Tower of Fantasy — a Bring Your Own Vulnerable Driver (BYOVD) technique — to disable endpoint detection and response tools during active intrusions. The tool drops a renamed version of the vulnerable driver as UpdateCheckerX64.sys and uses a companion DLL (polers.dll) to issue kernel-level IOCTL requests that terminate targeted security processes. The ability to develop custom driver-level kill tools while simultaneously weaponizing network device zero-days places Interlock in a category of threat actors that security teams cannot afford to treat as opportunistic.
"When attackers exploit vulnerabilities before patches exist, even the most diligent patching programs can't protect you in that critical window. This is precisely why defense-in-depth is essential — layered security controls provide protection when any single control fails or hasn't yet been deployed." — CJ Moses, CISO of Amazon Integrated Security (via AWS Security Blog)
Security researchers have observed technical overlaps between Interlock and the Rhysida ransomware group, including similarities in data exfiltration infrastructure, hardcoded exclusion lists in encryptor binaries, and encryption approaches. Microsoft has flagged potential connections to Vice Society (tracked by Microsoft as Vanilla Tempest), a threat group previously active against U.S. education and healthcare entities. Neither link has been confirmed as a formal affiliation — Cisco Talos assessed the Rhysida connection with low confidence — but the overlaps suggest at minimum shared tooling, shared personnel, or active knowledge-sharing between groups.
The Rhysida-Vice Society-Interlock thread illustrates something the industry routinely underestimates: ransomware groups are not isolated brands. They are nodes in a fluid ecosystem where operators, developers, and access brokers move between projects. Vice Society went quiet in mid-2023 as Rhysida emerged. Interlock appeared in late 2024 sharing code-level similarities with both. Whether this represents rebranding, splinter cells, or a shared developer pool, the practical consequence is the same: tracking a "group" by its name alone misses the continuity of the human operators behind it. Defenders who respond to Interlock as though it were an isolated newcomer are underestimating the institutional knowledge it inherited.
Interlock's average dwell time — the period between initial access and ransomware deployment — runs 15 to 24 days across observed incidents, according to Forescout. This extended reconnaissance window is deliberate. The group uses the time to map the environment thoroughly, harvest privileged credentials, stage exfiltration, and position ransomware payloads for simultaneous detonation. The January 2026 FortiGuard intrusion analysis documented one case in the education sector where the attacker maintained quiet access for nearly seven months — from an initial MintLoader infection in March 2025 through encryption in October 2025 — demonstrating a patience unusual even among sophisticated ransomware actors.
Consider the math. Interlock's dwell time averages 15 to 24 days. Their zero-day window on CVE-2026-20131 was 36 days. That means organizations compromised on day one of exploitation could have been fully encrypted and exfiltrated before Cisco even published the advisory — and certainly before they could have patched. This is the structural failure that CJ Moses was pointing to: any security model that depends entirely on vendor disclosure speed is architecting in a gap that sophisticated actors will fill. The question is not whether your patch cadence is fast enough. The question is what detects and contains the attacker during the weeks when no patch exists.
What This Means for Defenders: Key Takeaways
-
1Patch CVE-2026-20131 immediately
There are no workarounds. Use Cisco's Software Checker to identify your affected version and the corresponding fixed release. Organizations with FMC deployments should treat this as a P1 remediation regardless of their standard patch cadence.
-
2Audit FMC access and review ScreenConnect deployments
Amazon Threat Intelligence specifically recommends reviewing ScreenConnect and similar remote management tool deployments for unauthorized installations, which Interlock has historically used to maintain persistent access after initial compromise.
-
3Restrict FMC management interface exposure
Cisco notes that limiting public internet access to the FMC management interface reduces — though does not eliminate — the attack surface. Use firewall rules and ACLs to restrict interface access to known, trusted IP ranges only.
-
4Assume breach if unpatched since January 26, 2026
Amazon Threat Intelligence's MadPot sensor data places the start of active zero-day exploitation at January 26, 2026. Any organization running a vulnerable FMC during that period without compensating controls should conduct a thorough security assessment for indicators of compromise, including unexpected network beaconing, unauthorized ELF binary downloads, or new user account creation on the FMC.
-
5Defense-in-depth is not optional
The Interlock campaign is a textbook demonstration of why perimeter security cannot be a single line of defense. Once the FMC falls, managed firewall policies across the enterprise fall with it. Network segmentation, behavioral monitoring, and cloud exfiltration controls — particularly for AzCopy traffic — are the controls that slow or stop what comes after the initial breach.
sudoers entries on the FMC that do not correspond to authorized administrative changes
UpdateCheckerX64.sys or the DLL polers.dll — components of the Hotta Killer BYOVD tool used to disable EDR
One of the most consequential details in this campaign is easy to overlook: Interlock's infrastructure server was misconfigured. That single operational security failure gave Amazon's researchers visibility into the group's entire toolkit — their custom RATs, reconnaissance scripts, evasion mechanisms, per-victim directory structure, and redundant C2 architecture. It is a reminder that even sophisticated threat actors make human errors, and those errors are high-value detection opportunities. The defenders who benefit from this kind of windfall are the ones who are actively looking: running threat hunts against published IOCs, monitoring for anomalies in management-plane traffic, and correlating signals across network and endpoint telemetry. Interlock's mistake exposed the playbook. The question is whether defenders will read it before the next campaign begins.
The pattern here is not unique to Interlock or Cisco. Google's threat intelligence teams noted in parallel reporting that ransomware actors broadly are shifting toward vulnerabilities in perimeter devices — VPNs, firewalls, and management platforms — as their preferred initial access vectors, while simultaneously reducing dependence on external tooling in favor of built-in Windows capabilities that evade detection. Multiple threat clusters, including both ransomware operators and initial access brokers, have also adopted malvertising and SEO poisoning to distribute malware payloads.
This is the trajectory. For years, the ransomware threat model assumed the perimeter was the defended line and the interior was the contested space. CVE-2026-20131 inverts that assumption. The perimeter device itself is the entry point, and the tool that was supposed to be the defensive nerve center becomes the first thing the attacker owns. Interlock had 36 days of access to that nerve center before anyone outside their operation knew it was possible. The lesson is not that Cisco's FMC had a vulnerability — every complex system does. The lesson is that the time between an attacker discovering a flaw and a vendor disclosing it is the most dangerous window in enterprise security, and the only controls that matter during that window are the ones that don't depend on knowing the vulnerability exists: network segmentation that limits what a compromised management plane can reach, behavioral monitoring that flags what legitimate management traffic should never do, and exfiltration controls that question why a firewall appliance is uploading gigabytes to Azure. The organizations that survive zero-day campaigns are not the ones with the fastest patch cycles. They are the ones that assumed the patch would arrive too late and built accordingly.