Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access
Briefly

"This wasn't just another vulnerability exploit; Interlock had a zero-day in their hands, giving them a week's head start to compromise organizations before defenders even knew to look. Upon making this discovery, we shared our findings with Cisco to help support their investigation and protect customers."
"The vulnerability in question is CVE-2026-20131 (CVSS score: 10.0), a case of insecure deserialization of user-supplied Java byte stream, which could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device."
"The attack chain involves sending crafted HTTP requests to a specific path in the affected software with an aim to execute arbitrary Java code, after which the compromised system issues an HTTP PUT request to an external server to confirm successful exploitation."
Amazon Threat Intelligence detected an active Interlock ransomware campaign exploiting CVE-2026-20131, a critical vulnerability in Cisco Secure Firewall Management Center software with a perfect CVSS score of 10.0. The flaw involves insecure deserialization of Java byte streams, allowing unauthenticated remote attackers to bypass authentication and execute arbitrary code as root. The vulnerability was exploited as a zero-day starting January 26, 2026, approximately one month before public disclosure. Amazon discovered this through its MadPot sensor network and shared findings with Cisco. The threat actor's operational security mistake exposed their toolkit, revealing a multi-stage attack chain using crafted HTTP requests, remote access trojans, reconnaissance scripts, and evasion techniques.
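The flaw class named above, insecure deserialization of an attacker-supplied Java byte stream, is what Java's ObjectInputFilter (JEP 290, Java 9 and later) is designed to contain: the application declares the classes it legitimately expects to read and rejects everything else before any object is instantiated. The following is an added example written for this summary, not code from The Hacker News article, from Cisco, or from the affected product, and it does not describe Cisco's fix; the ExpectedMessage class is a hypothetical stand-in for whatever type a service actually expects, and the HashMap payload is a constructed stand-in for an arbitrary non-allowlisted class.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Hypothetical application type that the service legitimately expects to
// receive over the wire (an assumption made for this example).
class ExpectedMessage implements Serializable {
    private static final long serialVersionUID = 1L;
    final int requestId;

    ExpectedMessage(int requestId) {
        this.requestId = requestId;
    }
}

public class DeserializationFilterDemo {

    // Allowlist filter: only ExpectedMessage may be resolved from the stream.
    // "!*" rejects every other class name, and the limits bound object graph
    // depth and total stream size so oversized or deeply nested input is
    // refused as well.
    static ObjectInputFilter allowlistFilter() {
        return ObjectInputFilter.Config.createFilter(
                "ExpectedMessage;maxdepth=4;maxbytes=4096;!*");
    }

    // Helper used only to build sample byte streams for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize untrusted bytes with the allowlist installed on the stream.
    // The filter runs as each class descriptor is read, so a rejected class is
    // never loaded or instantiated; readObject throws InvalidClassException.
    static Object deserializeFiltered(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowlistFilter());
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. A stream containing the expected type passes the filter.
        byte[] good = serialize(new ExpectedMessage(42));
        ExpectedMessage m = (ExpectedMessage) deserializeFiltered(good);
        System.out.println("accepted ExpectedMessage, requestId=" + m.requestId);

        // 2. A stream containing any class outside the allowlist is refused.
        //    A plain HashMap stands in here for an arbitrary unexpected class.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            deserializeFiltered(unexpected);
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. The design point is that the allowlist is a property of the stream, not of the data: the same filter can also be installed process-wide with `ObjectInputFilter.Config.setSerialFilter` or the `jdk.serialFilter` system property, which is the usual way to cover deserialization paths in code you do not control. Where a service has no legitimate reason to accept serialized Java objects from unauthenticated callers at all, the stronger fix is to remove that endpoint or require authentication before any byte of the body is parsed.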
Read at The Hacker News