Amazon Threat Intelligence says that an active Interlock ransomware campaign is exploiting a recently disclosed critical vulnerability in Cisco Secure Firewall Management Center (FMC) Software. The flaw, tracked as CVE-2026-20131 (CVSS score: 10.0), is an insecure deserialization of a user-supplied Java byte stream; an unauthenticated, remote attacker can use it to bypass authentication and execute arbitrary Java code as root on an affected device.

Telemetry from the tech giant's MadPot global sensor network indicates that the flaw has been exploited as a zero-day since January 26, 2026, more than a month before Cisco publicly disclosed it.

Amazon said the discovery was possible because the threat actor made an operational security mistake: a misconfigured infrastructure server exposed the group's operational toolkit, giving Amazon visibility into its multi-stage attack chain, custom remote access trojans, reconnaissance scripts, and evasion techniques. The attack chain sends specially crafted HTTP requests to a specific path in the affected software in order to execute arbitrary Java code.

The compromised system then issues an HTTP PUT request to an external server, a callback that confirms to the attacker that exploitation succeeded.
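The two observable behaviours described above, a serialized Java object arriving in an HTTP request body and an HTTP PUT leaving the management appliance for an unexpected external host, can both be checked for without knowing anything about the payload itself. The following is an added example written for this article; it is not code from Amazon, Cisco or the Interlock toolkit. The egress log format, the IP addresses, the hostnames and the request paths are constructed for illustration, and the vulnerable URL path, which the article does not name, is not assumed.

```python
# Added example for this article (not code from Amazon, Cisco or the Interlock
# toolkit). Two checks for the behaviour described above: a serialized Java
# object arriving in an HTTP body, and an HTTP PUT leaving a management
# appliance for an unexpected external host. Log format, IPs, hostnames and
# paths are constructed; the vulnerable URL path is not assumed.
import re
from ipaddress import ip_address, ip_network

# Every Java object serialization stream begins with STREAM_MAGIC (0xACED)
# followed by STREAM_VERSION (0x0005).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"


def looks_like_java_serialized(body: bytes) -> bool:
    """True if an HTTP body starts with a Java serialization stream header."""
    return body[:4] == JAVA_STREAM_MAGIC


def flag_deserialization_attempts(requests):
    """requests: iterable of (client_ip, path, authenticated, body).

    Returns (client_ip, path, authenticated) for every request whose body is a
    Java object stream. An unauthenticated one is the pattern an auth-bypass
    deserialization bug is exploited with, so treat those as highest priority;
    authenticated ones still deserve a look.
    """
    return [(ip, path, authed) for ip, path, authed, body in requests
            if looks_like_java_serialized(body)]


# Constructed egress log line format (an assumption, not a real product's):
# "<timestamp> <src_ip> <method> <dest_host> <dest_ip> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<dst>\S+) (?P<status>\d{3})$"
)

# RFC 1918 ranges; any other destination is treated as external.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    try:
        ip = ip_address(addr)
    except ValueError:
        return False  # unparseable destination: treat as external, worth a look
    return any(ip in net for net in INTERNAL_NETS)


def find_put_callbacks(log_lines, appliance_ips, allowed_hosts):
    """Return (src_ip, dest_host, dest_ip) for HTTP PUTs that leave a
    management appliance for an external host not on the allowlist."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        if m["src"] not in appliance_ips or m["method"] != "PUT":
            continue
        if m["host"] in allowed_hosts or is_internal(m["dst"]):
            continue
        hits.append((m["src"], m["host"], m["dst"]))
    return hits


# Constructed sample data (documentation-range addresses and .invalid names).
APPLIANCE_IPS = {"10.0.0.5"}  # assumed address of the FMC management interface
ALLOWED_HOSTS = {"updates.example-vendor.invalid"}  # assumed legitimate endpoint
SAMPLE_LOG = [
    "2026-01-27T03:14:07Z 10.0.0.5 PUT updates.example-vendor.invalid 203.0.113.10 200",
    "2026-01-27T03:15:11Z 10.0.0.5 GET www.example.invalid 203.0.113.20 200",
    "2026-01-27T03:15:42Z 10.0.0.5 PUT c2.example.invalid 198.51.100.7 201",
    "2026-01-27T03:16:00Z 10.0.0.9 PUT files.example.invalid 198.51.100.8 200",
    "2026-01-27T03:16:30Z 10.0.0.5 PUT backup.corp.invalid 10.0.1.2 200",
    "not a log line",
]
SAMPLE_REQUESTS = [  # (client_ip, path, authenticated, body); paths are placeholders
    ("198.51.100.7", "/some/endpoint", False, b"\xac\xed\x00\x05sr\x00\x0bjava.util.X"),
    ("10.0.0.42", "/some/endpoint", True, b'{"name": "policy-1"}'),
    ("10.0.0.42", "/other", True, b"\xac\xed\x00\x05w\x02\x00\x00"),
]

if __name__ == "__main__":
    for hit in flag_deserialization_attempts(SAMPLE_REQUESTS):
        print("serialized Java object in request:", hit)
    for hit in find_put_callbacks(SAMPLE_LOG, APPLIANCE_IPS, ALLOWED_HOSTS):
        print("suspicious outbound PUT:", hit)
```

The magic-byte check is deliberately narrow: it catches a raw Java object stream in the body, not one that has been base64- or gzip-wrapped, so in practice it belongs behind whatever decoding the front end already performs. The egress check is the defense-in-depth control the article goes on to argue for: a firewall management appliance has a short, knowable list of hosts it should talk to, and an HTTP PUT to anything outside that list is worth an alert regardless of which vulnerability produced it.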

"When attackers take advantage of weaknesses before patches are available, even the best patching programs can't keep you safe during that time," Amazon said. "This is exactly why defense-in-depth is so important: layered security controls keep you safe even if one of them fails or hasn't been put in place yet." Rapid patching remains the cornerstone of vulnerability management, but defense in depth protects organizations in the window between the discovery of an exploit and the release of a patch.

The disclosure comes as Google reported that ransomware groups are changing their tactics because fewer victims are paying. They now target vulnerabilities in widely used VPNs and firewalls for initial access, and they rely less on external tooling and more on built-in Windows features.

Several threat clusters, including ransomware operators and initial access brokers, have also used malvertising and/or search engine optimization (SEO) poisoning to distribute malware payloads for initial access. Other common techniques include using stolen credentials, backdoors, or legitimate remote desktop software to gain a foothold, and living off the land with tools already built into the system for reconnaissance, privilege escalation, and lateral movement. Google said, "We expect ransomware to remain one of the biggest threats in the world, but the drop in profits may lead some threat actors to look for other ways to make money."