March 2026 marked an intense period for cybersecurity, with 31 high-impact vulnerabilities actively exploited across nearly two dozen major technology vendors. This surge in real-world attacks included a significant zero-day vulnerability targeting Cisco’s Secure Firewall Management Center, exploited by the Interlock Ransomware Group before a patch was available. Microsoft and Apple systems bore a substantial portion of these exploits, underscoring their continued prominence as targets for threat actors.
According to security researchers, 29 of the identified vulnerabilities carried a “Very Critical” Recorded Future Risk Score, signaling a high probability of exploitation at the time of their discovery. The immediacy of these attacks left security teams with minimal response windows, as every single one of these vulnerabilities saw active exploitation during March. The emergence of a zero-day at the heart of a sophisticated campaign, particularly one affecting critical network infrastructure like Cisco’s FMC, highlighted the critical need for rapid patching and robust security measures.
Interestingly, a nearly decade-old vulnerability, CVE-2017-7921 affecting Hikvision devices, was also found to be actively exploited. This underscores a persistent challenge in vulnerability management: older flaws remain a significant risk if systems are not consistently updated and secured. The age of a vulnerability is less critical than its potential for exploitation in unpatched environments.
Recorded Future analysts identified all 31 vulnerabilities, noting that ten had publicly available proof-of-concept (PoC) exploits. Insikt Group also developed Nuclei templates for two newly discovered high-severity flaws, aiding security teams in testing their exposure. A template for a previously identified vulnerability in n8n, discovered in December, was found to be in use by attackers by March.
Several vulnerabilities stood out due to their association with organized threat actor activity. Nine of the CVEs documented enabled remote code execution across products from vendors including Google, Langflow, Craft CMS, Laravel, Microsoft, n8n, SolarWinds, and Apple. Furthermore, two vulnerabilities and a multi-component exploit kit were linked to active malware campaigns, including a sophisticated iOS exploit chain known as DarkSword, which delivered GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads. However, the most impactful event was the Interlock Ransomware Group’s exploitation of a zero-day in Cisco’s Secure Firewall Management Center.
Interlock’s Exploitation of Cisco FMC Zero-Day
The Interlock Ransomware Group initiated their exploitation of CVE-2026-20131 on January 26, 2026, a considerable time before Cisco issued its security advisory on March 4. This timeline indicates that the group was operating within enterprise networks using a vulnerability for which no official patch or public awareness existed. The flaw resides in Cisco’s Secure Firewall Management Center (FMC), a central platform for managing firewall policies, monitoring security events, and controlling device configurations.
This vulnerability, classified as a critical deserialization of untrusted data issue (CWE-502), received the highest possible Recorded Future Risk Score of 99. The attack chain involves an unauthenticated threat actor sending a specially crafted HTTP request to the FMC’s web interface. The FMC’s failure to properly validate user-supplied Java byte streams allows attackers to inject serialized Java objects, which the application then processes and executes with root-level privileges.
Following initial access, attackers deploy a malicious ELF binary from a staging server to facilitate further network operations. The Interlock group employs custom Java and JavaScript-based remote access trojans (RATs), a memory-resident web shell, and proxy infrastructure to maintain stealth and propagate across the network. Their post-compromise activities include reconnaissance, data exfiltration, lateral movement, and the use of legitimate tools like ConnectWise ScreenConnect, Volatility, and Certify for credential theft and privilege escalation. The ultimate objective of these operations is ransomware deployment, with the initial intrusion via the FMC zero-day being a particularly dangerous entry point into network security infrastructure itself.
On March 11, 2026, a GitHub user reportedly shared a proof-of-concept (PoC) for CVE-2026-20131. This alleged PoC leverages the open-source tool `ysoserial` to create a malicious Java-serialized payload. The PoC submits this payload to susceptible endpoints and treats an HTTP 500 response as confirmation that deserialization has triggered command execution. Security teams are advised to exercise extreme caution when testing any PoC in production or staging environments.
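The attack chain above (unauthenticated requests carrying Java serialized objects, with an HTTP 500 as the PoC's success signal) gives defenders two concrete things to hunt for in proxy or WAF logs. The following is an added example, not code from the article or from Cisco: it flags request bodies that begin with the Java serialization magic bytes (0xACED0005, or `rO0AB` when base64-encoded) and raises severity when the request was unauthenticated or drew a 500. The log format, hostnames, paths and sample lines are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List

# Every Java serialized stream starts with STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# The same four bytes once base64-encoded (e.g. inside a form field or header).
JAVA_SERIAL_MAGIC_B64 = b"rO0AB"

@dataclass
class Finding:
    src: str
    path: str
    reasons: List[str]
    severity: str

def looks_serialized(body_prefix_hex: str, content_type: str) -> List[str]:
    """Return the indicators suggesting the body carries a Java serialized object."""
    reasons = []
    raw = bytes.fromhex(body_prefix_hex) if body_prefix_hex else b""
    if raw.startswith(JAVA_SERIAL_MAGIC):
        reasons.append("body begins with Java serialization magic 0xACED0005")
    elif JAVA_SERIAL_MAGIC_B64 in raw:
        reasons.append("body contains base64-encoded serialization magic (rO0AB)")
    if "java-serialized-object" in content_type.lower():
        reasons.append("Content-Type declares a Java serialized object")
    return reasons

def analyze(lines) -> List[Finding]:
    """Parse constructed 'ts|src|method|path|auth|ctype|body_prefix_hex|status' lines."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        _ts, src, _method, path, auth, ctype, body_hex, status = line.strip().split("|")
        reasons = looks_serialized(body_hex, ctype)
        if not reasons:
            continue  # ordinary traffic, nothing to report
        if auth == "anon":
            reasons.append("request was unauthenticated")
        if status == "500":
            reasons.append("server answered HTTP 500 (gadget chain may have fired)")
        severity = "high" if auth == "anon" or status == "500" else "medium"
        findings.append(Finding(src, path, reasons, severity))
    return findings

# Constructed sample log (hypothetical paths and RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2026-03-05T10:01:02Z|203.0.113.7|POST|/login|anon|application/x-www-form-urlencoded|757365726e616d653d|200
2026-03-05T10:01:09Z|203.0.113.7|POST|/api/hypothetical|anon|application/octet-stream|aced00057372|500
2026-03-05T10:02:11Z|198.51.100.4|POST|/api/hypothetical|user:admin|application/x-www-form-urlencoded|646174613d724f304142|200
2026-03-05T10:03:00Z|192.0.2.9|GET|/|anon|||200
""".splitlines()
```

Running `analyze(SAMPLE_LOG)` yields two findings: the unauthenticated raw-serialized POST that drew a 500 (high) and the authenticated form post smuggling a base64 stream (medium).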
The ongoing exploitation of these vulnerabilities, including the Cisco FMC zero-day, highlights the persistent threat posed by unpatched systems and the need for proactive security measures. Organizations must prioritize timely patching, implement robust network segmentation, and maintain continuous monitoring to defend against sophisticated threat actors. The next crucial step for affected organizations is the immediate application of Cisco’s provided patches and a thorough review of their security posture to detect any signs of compromise.