Amazon’s threat intelligence teams have uncovered a new cyber campaign linked to the Interlock ransomware group. The campaign centers around a flaw affecting Cisco Secure Firewall Management Center (FMC) software.

The vulnerability, tracked as CVE-2026-20131, was disclosed by Cisco on March 4. It allows an unauthenticated remote attacker to execute arbitrary Java code with root privileges on affected FMC devices.

However, research conducted through Amazon MadPot, a global honeypot network designed to observe malicious activity, revealed that Interlock had already begun exploiting this flaw as early as January 26, 2026, 36 days before public disclosure. 

This meant the attackers were oper...