March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day
In March 2026, 31 high-impact vulnerabilities were actively exploited, highlighted by the Interlock Ransomware Group leveraging a CVSS 10.0 zero-day in Cisco Secure FMC (CVE-2026-20131). The attackers utilized insecure Java deserialization to gain root access, deploying custom RATs, memory-resident web shells, and ransomware across enterprise networks.
Authors: Insikt Group
Source: Recorded Future
- Screen locker sample deployed by the Interlock Ransomware Group (SHA256: 6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f)
Key Takeaways
- 31 high-impact vulnerabilities were actively exploited in March 2026, with 29 rated as Very Critical.
- Interlock Ransomware Group exploited a zero-day in Cisco Secure FMC (CVE-2026-20131) to deploy RATs and ransomware.
- Attackers continue to exploit legacy vulnerabilities, such as a 9-year-old Hikvision flaw (CVE-2017-7921).
- iOS devices were targeted by the DarkSword full-chain exploit and Coruna exploit kit to deliver malware like GHOSTKNIFE and PlasmaLoader.
Affected Systems
- Cisco Secure Firewall Management Center (FMC)
- Cisco Security Cloud Control (SCC) Firewall Management
- Microsoft SQL Server (2016 SP3, 2017, 2019, 2022, 2025)
- Microsoft .NET (9.0, 10.0)
- Google Skia
- Google Chromium V8
- ConnectWise ScreenConnect
- Langflow
- Citrix NetScaler
- Aquasecurity Trivy
- Microsoft Windows
- Nginx UI
- Qualcomm Chipsets
- F5 BIG-IP
- Apple iOS
- MindsDB
- n8n
Vulnerabilities (CVEs)
- CVE-2026-20131 (CVSS 10.0 - Cisco Secure FMC Deserialization)
- CVE-2026-21262
- CVE-2026-26127
- CVE-2026-3909
- CVE-2026-3910
- CVE-2026-3564
- CVE-2026-33017
- CVE-2026-3055
- CVE-2026-33634
- CVE-2026-25187
- CVE-2026-33032
- CVE-2026-21385
- CVE-2025-53521
- CVE-2017-7921
- CVE-2026-27483
- CVE-2026-27944
- CVE-2025-68613
- CVE-2025-32432
- CVE-2025-54068
- CVE-2026-20963
- CVE-2025-26399
- CVE-2021-30952
- CVE-2023-41974
Attack Chain
The Interlock Ransomware Group exploited CVE-2026-20131 by sending crafted HTTP requests containing malicious serialized Java objects to Cisco Secure FMC instances. This insecure deserialization granted them root access, allowing the download of a malicious ELF binary from a remote staging server. The attackers then established persistence and lateral movement capabilities using custom Java and JavaScript RATs, alongside a memory-resident web shell. Finally, they utilized legitimate tools like ConnectWise ScreenConnect, Volatility, and Certify for credential theft and privilege escalation before deploying a screen locker payload.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: Nuclei
Insikt Group created Nuclei templates for detecting vulnerabilities in MindsDB (CVE-2026-27483), Nginx UI (CVE-2026-27944), and n8n (CVE-2025-68613).
Detection Engineering Assessment
- EDR Visibility: Medium — EDR agents are often not supported on network appliances like Cisco FMC, limiting initial exploitation visibility. However, post-exploitation activity involving ELF binaries and tools like Volatility on downstream endpoints will be highly visible.
- Network Visibility: High — The initial exploit relies on crafted HTTP requests containing serialized Java objects, and subsequent stages involve downloading payloads from external IPs.
- Detection Difficulty: Moderate — While detecting the specific Java deserialization payload requires deep packet inspection, the subsequent staging server communications and use of unauthorized remote access tools provide solid detection opportunities.
Required Log Sources
- Web Application Firewall (WAF) logs
- HTTP access logs
- Network flow logs
- Endpoint process execution logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unexpected outbound network connections from Cisco FMC appliances to unknown external IP addresses, indicating potential payload staging. | Network flow logs, Firewall logs | Execution | Low |
| Monitor for the sudden installation or execution of remote access tools like ConnectWise ScreenConnect on servers that do not typically require them. | Endpoint process execution logs | Lateral Movement | Medium |
| Search for HTTP 500 internal server errors originating from Cisco FMC web interfaces, which may indicate failed or successful deserialization exploit attempts. | HTTP access logs, WAF logs | Initial Access | Low |
Control Gaps
- Lack of EDR support on network management appliances
- Insufficient egress filtering on management interfaces
Key Behavioral Indicators
- Java process spawning unexpected child shells
- Presence of ysoserial-generated payloads in HTTP requests
- Execution of Volatility or Certify by non-admin accounts
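The following script is an added example (not Insikt Group's Nuclei templates or any code from the report) that runs the three hunting hypotheses in the table above and the behavioral indicators in this section over constructed log lines. The log formats, host names, allowlisted networks, admin accounts and tool binary names are assumptions; the staging IP is the one the report names. The serialized-Java check goes beyond the FMC case: every Java serialization stream starts with the magic bytes AC ED 00 05, which appear as "rO0AB" when base64-encoded, so the check spots any serialized object in a request body regardless of the gadget chain used.

```python
"""Hunt queries for the hypotheses above, run over constructed telemetry.
Added example; not Insikt Group's tooling. Formats, hosts, allowlists and
tool names are assumptions; the staging IP comes from the report."""
import ipaddress
import re

# A Java serialization stream starts with magic bytes AC ED 00 05; in an HTTP
# body it is usually seen base64-encoded ("rO0AB...") or percent-encoded.
JAVA_SERIAL_MARKERS = (
    re.compile(r"rO0AB"),
    re.compile(r"%AC%ED%00%05", re.IGNORECASE),
)
FMC_HOSTS = {"10.0.5.10"}                     # assumed FMC management address
KNOWN_STAGING_IPS = {"37.27.244.222"}         # staging IP named in the report
EGRESS_ALLOWLIST = [                          # assumed: internal nets + update host
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("198.51.100.200/32"),
]
ADMIN_ACCOUNTS = {"Administrator", "itadmin"}  # assumed privileged accounts
APPROVED_RAT_HOSTS = {"it-jump01"}            # hosts where ScreenConnect is expected
SHELLS = {"sh", "bash", "cmd.exe", "powershell.exe"}
CRED_TOOL_NAMES = {"certify.exe", "vol.py", "vol"}  # assumed Certify/Volatility names

# Constructed access log: vhost client method path status body-excerpt
ACCESS_LOG = """\
fmc01 10.0.5.23 GET /ui/login 200 -
fmc01 203.0.113.45 POST /ui/example-endpoint 500 rO0ABXNyAAAA-CONSTRUCTED
fmc01 203.0.113.45 POST /ui/example-endpoint 200 obj=%AC%ED%00%05%73%72-CONSTRUCTED
fmc01 198.51.100.9 POST /ui/upload 500 -
""".splitlines()

# Constructed flow log: src dst dport bytes
FLOW_LOG = """\
10.0.5.10 10.0.5.23 443 1820
10.0.5.10 37.27.244.222 443 5242880
10.0.5.10 192.0.2.77 80 9001
10.0.5.10 198.51.100.200 443 3300
10.0.9.4 192.0.2.77 443 2200
""".splitlines()

# Constructed endpoint process events: host user parent child
PROCESS_LOG = """\
srv-db01 svc_app java sh
ws-042 jdoe explorer.exe ScreenConnect.ClientService.exe
ws-042 jdoe cmd.exe Certify.exe
it-jump01 itadmin cmd.exe ScreenConnect.ClientService.exe
it-jump01 itadmin cmd.exe Certify.exe
""".splitlines()


def hunt_http_access(lines):
    """Hypothesis 3 (HTTP 500 from the FMC UI) plus serialized Java in the body."""
    hits = []
    for line in lines:
        vhost, client, method, path, status, body = line.split(maxsplit=5)
        reasons = []
        if any(m.search(body) for m in JAVA_SERIAL_MARKERS):
            reasons.append("java-serialized-body")
        if status == "500":  # failed or successful deserialization attempts
            reasons.append("http-500")
        if reasons:
            hits.append({"client": client, "path": path, "reasons": reasons})
    return hits


def hunt_fmc_egress(lines, fmc_hosts=FMC_HOSTS, allowlist=EGRESS_ALLOWLIST):
    """Hypothesis 1: FMC connecting outside the allowlist or to the known staging IP."""
    hits = []
    for line in lines:
        src, dst, dport, nbytes = line.split()
        if src not in fmc_hosts:
            continue
        if dst in KNOWN_STAGING_IPS:
            reason = "known-staging-ip"
        elif not any(ipaddress.ip_address(dst) in net for net in allowlist):
            reason = "unknown-external"
        else:
            continue
        hits.append({"dst": dst, "dport": int(dport), "bytes": int(nbytes), "reason": reason})
    return hits


def hunt_process_events(lines, admins=ADMIN_ACCOUNTS, approved=APPROVED_RAT_HOSTS):
    """Hypothesis 2 plus the java->shell and non-admin credential-tool indicators."""
    hits = []
    for line in lines:
        host, user, parent, child = line.split()
        p, c = parent.lower(), child.lower()
        if p in ("java", "java.exe") and c in SHELLS:
            reason = "java-spawned-shell"
        elif "screenconnect" in c and host not in approved:
            reason = "remote-tool-on-unapproved-host"
        elif c in CRED_TOOL_NAMES and user not in admins:
            reason = "cred-tool-by-non-admin"
        else:
            continue
        hits.append({"host": host, "user": user, "child": child, "reason": reason})
    return hits


if __name__ == "__main__":
    for name, hits in (("http", hunt_http_access(ACCESS_LOG)),
                       ("egress", hunt_fmc_egress(FLOW_LOG)),
                       ("process", hunt_process_events(PROCESS_LOG))):
        for h in hits:
            print(name, h)
```

Each hunt returns the matching records with a reason tag so the three can be joined on host or client address; a Java-serialized body followed by a 500 on the FMC and then an unallowlisted outbound flow from the same appliance is the chain the report describes, and the process rules cover the downstream endpoints where EDR telemetry is available.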
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Apply Cisco's security updates for CVE-2026-20131 immediately.
- Block inbound and outbound traffic to and from the known staging IP 37.27.244.222.
Infrastructure Hardening
- Restrict access to the Cisco FMC web management interface to trusted internal IP addresses only.
- Implement strict egress filtering for network management appliances to prevent payload downloads.
User Protection
- Audit and restrict the use of legitimate remote access tools like ConnectWise ScreenConnect across the environment.
Security Awareness
- Ensure vulnerability management teams safely verify public PoC exploits in isolated environments before testing against production systems.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1505.003 - Server Software Component: Web Shell
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1219 - Remote Access Software
- T1003 - OS Credential Dumping
- T1486 - Data Encrypted for Impact