You know that conversation partners have been having for years about vendor vulnerability disclosure? The one where someone raises their hand and asks why customers always seem to be the last to know?
This week, Amazon made that conversation impossible to dodge.
CJ Moses, Amazon’s chief information security officer, published a detailed account of how his threat intelligence team caught the Interlock ransomware group exploiting a max-severity bug in Cisco’s Secure Firewall Management Center — 36 days before Cisco went public with the patch. The attackers started on January 26. Cisco released the fix on March 4. That’s five weeks of a CVSS 10.0 vulnerability being actively weaponized in production networks.
CISA added CVE-2026-20131 to its Known Exploited Vulnerabilities catalog Wednesday night. They gave federal agencies three days to patch. Three days.
How they found it
Amazon’s MadPot honeypot network logged exploit traffic tied to Interlock’s infrastructure. The honeypot caught the attackers in the act, and Amazon published enough detail about the attack chain that any competent security operations team could check their environment. Cisco updated its advisory to acknowledge the pre-disclosure exploitation after Amazon went public. A Cisco spokesperson said they “appreciate Amazon’s partnership on this.”
That’s one way to put it.
What the attack actually looked like
This wasn’t smash-and-grab. Interlock ran a coordinated intrusion with multiple redundant access mechanisms, which is the kind of patience that keeps IR teams up at night. It echoes the tactics behind the Cisco SD-WAN nation-state zero-day we covered earlier.
The initial bug — CVE-2026-20131 — lets an unauthenticated attacker execute arbitrary Java code as root by sending crafted requests to the Management Center. No credentials. No social engineering. Just an API call and you’re in as root.
After initial access, the crew deployed a PowerShell script that hoovered up Windows environment data, running services, installed software, storage configs, Hyper-V inventory, and browser history from Chrome, Edge, Firefox, and IE. They compressed it all into per-host ZIP archives. This is ransomware reconnaissance at scale — they’re mapping your environment before they encrypt it.
From there: a JavaScript implant that overrides browser console methods to hide from detection tools, a Java-based backdoor running entirely in memory (no files written to disk), a Bash script configuring Linux servers as HTTP reverse proxies, and persistent WebSocket connections back to command-and-control. Multiple implants in two different programming languages, with an in-memory option specifically designed to evade antivirus.
Then, for insurance, they deployed ConnectWise ScreenConnect as a backup remote access point. The legitimate tool sitting inside your stack, working perfectly, routing traffic through the front door.
That ConnectWise detail
This is the part that should make MSPs uncomfortable. Interlock didn’t find a way to hack ConnectWise. They just installed it. On the machines they already owned. ConnectWise ScreenConnect is deployed across virtually every managed service environment, so its outbound traffic doesn’t trigger alerts. It blends in perfectly.
This isn’t a ConnectWise vulnerability story. This is a “your MSP tools are the attack surface” story. The same tools you use to manage your customers are the same tools ransomware crews use to maintain persistence after the breach. If your security monitoring isn’t specifically watching for unauthorized ScreenConnect deployments — new instances, new endpoints, new connection patterns — you’re flying blind.
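One way to start that audit, as an added example rather than anything from Amazon’s or Cisco’s write-ups: a small Python check over a constructed endpoint inventory export that flags ScreenConnect clients pointing at a relay host you don’t own, or installed since your last reviewed snapshot. The relay hostnames, baseline date, instance IDs and CSV layout are all assumptions for the demo.

```python
"""Flag ScreenConnect client installs that are unapproved or newer than the last review."""
from dataclasses import dataclass
from typing import Iterator, List, Set, Tuple

# Constructed sample inventory export (one host per line):
# host,product display name,relay host the client reports to,install date (ISO 8601)
SAMPLE_INVENTORY = """\
srv-file01,ScreenConnect Client (abc12345),relay.msp-example.com,2025-11-02
ws-acct-07,ScreenConnect Client (abc12345),relay.msp-example.com,2025-11-02
srv-hv02,ScreenConnect Client (9f8e7d6c),relay.attacker-example.net,2026-02-03
srv-db01,Microsoft SQL Server 2022,,2025-06-14
ws-eng-12,ScreenConnect Client (abc12345),relay.msp-example.com,2026-02-05
"""

# Assumptions: the MSP's own relay host(s) and the date of the last reviewed snapshot.
APPROVED_RELAYS: Set[str] = {"relay.msp-example.com"}
BASELINE_DATE = "2026-01-01"


@dataclass
class Finding:
    host: str
    reason: str
    relay: str


def parse_inventory(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (host, product, relay, installed) tuples; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        host, product, relay, installed = (f.strip() for f in line.split(","))
        yield host, product, relay, installed


def find_unauthorized(text: str, approved: Set[str], baseline: str) -> List[Finding]:
    """Return ScreenConnect installs that report to an unapproved relay,
    or that appeared after the baseline snapshot (so a human reviews them)."""
    findings: List[Finding] = []
    for host, product, relay, installed in parse_inventory(text):
        if "screenconnect" not in product.lower():
            continue  # only remote-access clients matter here
        if relay not in approved:
            findings.append(Finding(host, "unapproved relay", relay))
        elif installed > baseline:  # ISO dates compare correctly as strings
            findings.append(Finding(host, "new install since baseline", relay))
    return findings


if __name__ == "__main__":
    for f in find_unauthorized(SAMPLE_INVENTORY, APPROVED_RELAYS, BASELINE_DATE):
        print(f"{f.host}: {f.reason} ({f.relay})")
```

Feed it a real export from your RMM or EDR and a relay allowlist you actually maintain; the “new since baseline” bucket is where a second, attacker-installed instance on a host you already manage shows up.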
We’ve been tracking how security has displaced hardware as the lead revenue category in the channel. This is the story behind that story. Attackers are operating in environments that look like managed environments. The line between “legitimate remote access” and “ransomware persistence” is getting thinner every quarter, and the audit burden on MSPs is increasing accordingly. The reality is your perimeter is gone — the attack surface is wherever your tools are.
Who is Interlock
This isn’t a group you want to be on the wrong side of. Interlock emerged in 2025 and hit hospitals and healthcare networks hard, including a kidney dialysis firm and a cancer care facility where the crew disrupted chemotherapy sessions before leaking patient data. They also claimed 43 GB from the city of Saint Paul, forcing Minnesota’s governor to call in the National Guard.
These are not script kiddies. They’re running multi-stage operations with the patience of a state actor and the financial motivation of a criminal enterprise.
The ransom notes, Amazon noted, explicitly threaten to expose victims to regulators — using compliance pressure as leverage on top of the operational disruption.
What your customers need to hear
If you manage Cisco Secure Firewall environments, the patch is out. The question is whether it’s applied. Cisco has urged immediate upgrades. CISA’s three-day window for federal agencies is long past for anyone reading this. Check your environments.
If you’re not managing those environments and you’re an MSP, this is your Monday morning conversation with every customer running Cisco firewall infrastructure you didn’t sell them. They bought from someone else. The vulnerability doesn’t care.
We covered a similar pattern in the ScreenConnect CVE-2026-3564 patch advisory — the same tool, the same risk profile. And if you’re not auditing your remote access tooling for unauthorized deployments, this is the reminder you needed. Your tools are someone else’s weapon. The difference is whether you know when they’re being used.
Send me your stories. I know at least three of you are patching right now and didn’t know about this until a minute ago. That’s what I’m here for.