Interlock Ransomware Exploits Cisco FMC Zero-Day
What Happened
Amazon Threat Intelligence has issued a warning regarding an active Interlock ransomware campaign. The threat actors are exploiting a recently disclosed critical security flaw, CVE-2026-20131, in Cisco Secure Firewall Management Center (FMC) Software. This zero-day vulnerability is being leveraged to gain root access to the management appliances, providing a powerful foothold within enterprise networks. Concurrently, a separate report details a new Android malware called “Perseus,” which scans user-curated notes for sensitive data like passwords and recovery phrases. While the Android threat is distinct, it underscores a landscape of active, multi-vector attacks.
Why It Matters
This incident is significant because it targets a critical network security management platform. Cisco FMC is a central console for configuring and monitoring enterprise firewalls. A compromise at this level allows attackers to potentially disable security policies, exfiltrate network configuration data, and move laterally to deploy ransomware like Interlock across the entire managed environment. The exploitation of a zero-day indicates the attackers are using previously unknown methods, leaving defenders with no prior warning before a patch is available. This campaign directly threatens the integrity of organizational network perimeters.
Technical Details
The primary attack vector is the exploitation of CVE-2026-20131 in Cisco FMC Software. While specific details of the flaw are limited in public reports, its designation as a critical vulnerability allowing for root access suggests it may involve improper access control or authentication bypass. Successful exploitation grants the attacker complete control over the FMC appliance. The Interlock ransomware is then deployed from this privileged position. The unrelated Perseus Android malware operates by abusing accessibility services to read content from note-taking applications, highlighting a trend of malware targeting specific data repositories.
Immediate Risk
The immediate risk is HIGH for organizations running unpatched Cisco FMC software. The active exploitation of this zero-day means attacks are occurring now, not in a future campaign. The risk extends beyond the initial compromise of the FMC appliance: root access enables rapid deployment of ransomware across all firewalls managed by the center, leading to widespread encryption, operational disruption, and potential data theft. Organizations must treat this as an urgent incident requiring immediate defensive action, regardless of the “MEDIUM” severity label, which may not reflect the active threat landscape.
Security Insight
This campaign exemplifies the critical need for network segmentation and strict access control for management interfaces. Cisco FMC appliances should never be directly exposed to the internet. Security teams must immediately review their Cisco FMC instances, apply any available patches or mitigations from Cisco, and monitor for anomalous activity. Furthermore, the parallel Android threat serves as a reminder to enforce mobile device management (MDM) policies and educate users on the risks of storing sensitive secrets in plaintext applications, even on personal devices used for work.