Overview
- Amazon Threat Intelligence reports Interlock began exploiting CVE-2026-20131 on January 26, thirty-six days before public disclosure.
- CVE-2026-20131 is a CVSS 10 flaw in Cisco Secure Firewall Management Center that enables unauthenticated remote Java code execution as root.
- Cisco released fixes on March 4, updated its advisory with new details, and urged customers to upgrade as soon as possible.
- Researchers reconstructed a multi-stage attack chain involving crafted HTTP requests, a confirmation PUT callback, and retrieval of an ELF payload hosting Interlock tools.
- Guidance calls for immediate patching, targeted compromise assessments, and reviews for unauthorized ScreenConnect installations and related indicators as investigations continue.