Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access

2026-03-18

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

Amazon Threat Intelligence has exposed an active Interlock ransomware campaign exploiting CVE-2026-20131, a critical zero-day in Cisco Secure Firewall Management Center (FMC).

•CVE-2026-20131 (CVSS 10.0) is an insecure Java deserialization flaw allowing unauthenticated remote attackers to execute arbitrary code as root.
•The zero-day was actively exploited since January 26, 2026, over a month before Cisco's public disclosure.
•Interlock's toolkit includes custom JavaScript/Java RATs, a memory-resident web shell, PowerShell reconnaissance scripts, and an HAProxy-based reverse proxy for infrastructure laundering.
•Aggressive log erasure runs every five minutes via cron job, and ConnectWise ScreenConnect is used for persistent remote access.
•

Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture