March 2026 CVE Roundup: 31 Critical Vulnerabilities Uncovered as Interlock Ransomware Targets Cisco FMC Zero-Day

In March 2026, Insikt Group® identified 31 high-impact vulnerabilities requiring immediate remediation, with 29 receiving a Very Critical Recorded Future Risk Score.

The affected products spanned 22 vendors: Cisco, Microsoft, Google, ConnectWise, Langflow, Citrix, Aquasecurity, Nginx UI, Qualcomm, F5, Craft CMS, Laravel, Apple, Synacor, Wing FTP Server, n8n, Omnissa, SolarWinds, Ivanti, Hikvision, Rockwell, and Broadcom. Microsoft and Apple dominated this month's vulnerability landscape, representing roughly 32% of the total.

Notably, one vulnerability—CVE-2017-7921 in Hikvision products—is nearly nine years old, demonstrating that attackers persistently target known weaknesses in unpatched environments. Legacy systems continue to present significant risk. Security teams should prioritize vulnerabilities based on active exploitation evidence, maintain comprehensive asset inventories, and implement compensating controls when patching isn't feasible.

Insikt Group® developed Nuclei templates for a high-severity path traversal flaw in MindsDB (CVE-2026-27483) and a critical authentication bypass in Nginx UI (CVE-2026-27944). The team had also released a template for CVE-2025-68613 (n8n) in December, months before exploitation began. Public proof-of-concept exploits were identified for 10 of the 31 vulnerabilities.

Quick Reference: March 2026 Vulnerability Table

All 31 vulnerabilities listed were actively exploited during March 2026. Public PoCs identified by Insikt Group® are noted below but were not validated for accuracy or effectiveness. Vulnerability management teams should verify PoC legitimacy before testing.

#  | Vulnerability | Risk Score | Affected Vendor/Product                                  | Vulnerability Type/Component                                                                             | Public PoC
1  |               | 99         | Cisco Secure Firewall Management Center (FMC)            | CWE-502 (Deserialization of Untrusted Data)                                                              |
2  |               | 99         | Microsoft SQL Server (2016 SP3, 2017, 2019, 2022, 2025)  | CWE-284 (Improper Access Control)                                                                        | No
3  |               | 99         | Microsoft .NET (9.0, 10.0) and Microsoft.Bcl.Memory      | CWE-125 (Out-of-bounds Read)                                                                             | No
4  |               | 99         | Google Skia                                              | CWE-787 (Out-of-bounds Write)                                                                            | No
5  |               | 99         | Google Chromium V8                                       | CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)                        | No
6  |               | 99         | ConnectWise ScreenConnect                                | CWE-347 (Improper Verification of Cryptographic Signature)                                               | No
7  |               | 99         | Langflow                                                 | CWE-94 (Code Injection), CWE-95 (Eval Injection), CWE-306 (Missing Authentication for Critical Function) |
8  |               | 99         | Citrix NetScaler                                         | CWE-125 (Out-of-bounds Read)                                                                             |
9  |               | 99         | Aquasecurity Trivy                                       | CWE-506 (Embedded Malicious Code)                                                                        |
10 |               | 94         | Microsoft Windows                                        | CWE-59 (Link Following)                                                                                  | No
11 |               | 94         | Nginx UI                                                 | CWE-306 (Missing Authentication for Critical Function)                                                   | No
12 |               | 89         | Qualcomm (Multiple Chipsets)                             | CWE-190 (Integer Overflow or Wraparound)                                                                 | No
13 |               | 99         | F5 BIG-IP                                                | CWE-121 (Stack-based Buffer Overflow)                                                                    | No

Table 1: Vulnerabilities actively exploited in March based on Recorded Future data.

Key Trends: March 2026

  • Most prevalent weakness types: CWE-502 (Deserialization of Untrusted Data) and CWE-94 (Code Injection).
  • Two vulnerabilities and one exploit kit (containing 23 exploits, 12 with assigned CVEs) were tied to malware campaigns.
    • The Interlock Ransomware Group weaponized a zero-day in Cisco Secure Firewall Management Center to breach enterprise networks, deploy custom remote access trojans, and enable ransomware deployment.
    • The DarkSword iOS full-chain exploit achieved Safari-based remote code execution, sandbox escape, and kernel-level compromise, delivering GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads.
    • The Coruna exploit kit similarly targeted iOS devices to distribute PlasmaLoader (PLASMAGRID) malware.
  • Nine vulnerabilities (CVE-2026-3910, CVE-2026-33017, CVE-2025-32432, CVE-2025-54068, CVE-2026-20963, CVE-2025-68613, CVE-2025-26399, CVE-2021-30952, and CVE-2023-41974) enabled remote code execution.
    • Affected vendors included Google, Langflow, Craft CMS, Laravel, Microsoft, n8n, SolarWinds, and Apple.

Exploitation Analysis

This section examines two of the most significant actively exploited vulnerabilities from March. Where available, it notes Nuclei templates developed by Insikt Group®. The complete collection of reports and detection rules from March is accessible to customers through the Recorded Future Intelligence Operations Platform.

Interlock Ransomware Group Exploits Cisco FMC Zero-Day (CVE-2026-20131)

On March 18, 2026, Amazon Threat Intelligence published analysis of an active Interlock ransomware campaign exploiting CVE-2026-20131. This critical vulnerability in Cisco's Secure Firewall Management Center (FMC) software allows unauthenticated attackers to execute arbitrary Java code with root privileges on vulnerable devices. Cisco Secure FMC is a centralized management platform for configuring, monitoring, and controlling Cisco firewall devices and network security policies across enterprise environments. According to Amazon Threat Intelligence, the Interlock Ransomware Group began exploiting CVE-2026-20131 as a zero-day on January 26, 2026—nearly two months before public disclosure—enabling early compromise of enterprise networks.

The Interlock Ransomware Group exploits vulnerable Cisco FMC instances through crafted HTTP requests that leverage CVE-2026-20131 to execute arbitrary Java code with root privileges. After initial access, attackers deploy a malicious ELF binary from a staging server at 37[.]27[.]244[.]222 (Intelligence Card) to support subsequent operations.

The threat actors maintain persistence using custom Java- and JavaScript-based remote access trojans, a memory-resident web shell, and proxy infrastructure to facilitate lateral movement and evade detection. Post-compromise activities include reconnaissance, data collection and staging, and abuse of legitimate tools like ConnectWise ScreenConnect, Volatility, and Certify for remote access, credential theft, and privilege escalation.

Insikt Group® obtained, via Recorded Future Malware Intelligence, a screen locker sample (SHA256: 6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f) shared by Amazon Threat Intelligence. Automated sandbox analysis flagged the sample as benign; combined sandbox and static code analysis nonetheless shows that the sample performs the following actions on victim machines:

  • Replaces the desktop wallpaper with a pornographic image
  • Delays execution using the Sleep API function to evade time-limited sandbox analysis
  • Detects debuggers by comparing GetTickCount API timings before and after a block of code, where an unexpectedly long gap indicates single-stepping or a breakpoint

Figure 1: Risk Rules History from Hash Intelligence Card® for 6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f in Recorded Future (Source: Recorded Future)

Recorded Future customers can access additional exploitation details and MITRE ATT&CK techniques associated with CVE-2026-20131 in the Diamond Models section of this TTP Instance.

Critical Deserialization of Untrusted Data Vulnerability Affecting Cisco Secure FMC Software and Cisco SCC Firewall Management (CVE-2026-20131)

On March 11, 2026, GitHub user Sadaf Athar Khan (sak110) published an alleged proof-of-concept (PoC) exploit for CVE-2026-20131, a critical Deserialization of Untrusted Data vulnerability affecting both Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management. Cisco Secure FMC is a web-based platform for centrally managing firewall policies, events, and device administration, while Cisco SCC Firewall Management is a SaaS solution for centralized configuration, monitoring, and maintenance across firewall deployments.

Successful exploitation of CVE-2026-20131 allows an unauthenticated remote attacker to execute arbitrary code and gain root privileges on affected devices. Cisco published a security advisory and released patches on March 4, 2026. The vulnerability stems from insecure deserialization of user-supplied Java byte streams within FMC's web-based management interface. Because serialized objects are processed without sufficient validation, an attacker can submit a crafted serialized Java object to the management interface, trigger arbitrary code execution, and escalate to root.

Figure 2: Vulnerability Intelligence Card® for CVE-2026-20131 in Recorded Future (Source: Recorded Future)

According to Khan's repository, the PoC requires a target URL and a command as inputs. It then generates a malicious Java-serialized payload using ysoserial, embedding the supplied command before delivering it to the specified target.

The PoC attempts to submit the serialized object to a set of candidate endpoints known to accept serialized Java data. If a reachable deserialization path exists, the application processes the object and executes the embedded command on the target host. The PoC treats an HTTP 500 response as a sign that deserialization triggered execution and flags HTTP 200 responses for manual review, since exploitation may succeed without producing visible output. An HTTP 500 is a weak signal on its own: a server also returns it when a deserialization filter rejects the stream or when a gadget class in the payload is absent, so a 500 does not by itself confirm that the command ran. During authorized testing, an out-of-band callback from the target (a DNS lookup or HTTP request to infrastructure the tester controls) is the usual way to confirm execution.
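The PoC described above posts a Java serialized object to candidate endpoints, and the vulnerability itself (insecure deserialization of user-supplied Java byte streams) has a property defenders can use: every Java serialization stream begins with the magic bytes AC ED 00 05, which base64-encode to a string starting with "rO0AB". The following Python is an added example, not code from Recorded Future, Cisco, or the PoC author. The sample requests, client addresses, and paths are constructed placeholders and are not claimed to be FMC endpoints. It flags request bodies that carry a Java stream in raw, percent-encoded base64, or MIME-declared form, then reports sources that sprayed such payloads across several distinct paths, which is the traffic pattern the PoC's endpoint probing would produce.

```python
from __future__ import annotations

import base64
import binascii
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import quote_from_bytes, unquote_to_bytes

# A Java serialization stream opens with STREAM_MAGIC (0xACED) followed by
# STREAM_VERSION (0x0005). Base64-encoding those four bytes gives "rO0ABQ==",
# so any base64 form of a stream starts with "rO0AB".
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
JAVA_SERIALIZED_MIME = "application/x-java-serialized-object"


@dataclass
class Request:
    src_ip: str
    method: str
    path: str
    headers: dict[str, str]
    body: bytes


@dataclass
class Finding:
    src_ip: str
    path: str
    encoding: str  # "raw", "base64" or "mime-only"


def classify_body(body: bytes) -> str | None:
    """Return how a Java stream appears in the body, or None if none is found."""
    if body.startswith(JAVA_STREAM_MAGIC):
        return "raw"
    # Percent-decode so form parameters are inspected in their original base64
    # form, then look for the prefix anywhere in the body (it may be a value).
    decoded = unquote_to_bytes(body)
    m = re.search(rb"rO0AB[A-Za-z0-9+/=]{0,3}", decoded)
    if m is None:
        return None
    # Confirm by decoding the first eight base64 characters (six bytes) and
    # checking that the stream magic is really there.
    token = m.group(0).rstrip(b"=")
    token += b"=" * (-len(token) % 4)
    try:
        if base64.b64decode(token).startswith(JAVA_STREAM_MAGIC):
            return "base64"
    except (binascii.Error, ValueError):
        pass
    return None


def scan(requests: list[Request]) -> list[Finding]:
    """Flag every request whose body (or declared MIME type) carries a Java stream."""
    findings: list[Finding] = []
    for r in requests:
        enc = classify_body(r.body)
        ctype = {k.lower(): v for k, v in r.headers.items()}.get("content-type", "")
        if enc is None and JAVA_SERIALIZED_MIME in ctype.lower():
            enc = "mime-only"  # weak: body may be compressed or otherwise encoded
        if enc is not None:
            findings.append(Finding(r.src_ip, r.path, enc))
    return findings


def spraying_sources(findings: list[Finding], min_paths: int = 3) -> dict[str, set[str]]:
    """Sources that sent serialized objects to at least min_paths distinct paths."""
    paths: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        paths[f.src_ip].add(f.path)
    return {ip: p for ip, p in paths.items() if len(p) >= min_paths}


# Constructed sample traffic (placeholder paths and RFC 5737 addresses). Only the
# first four bytes are real Java framing; the rest mimics the start of a
# serialized java.util.HashMap.
_STREAM = JAVA_STREAM_MAGIC + b"sr\x00\x11java.util.HashMap"

SAMPLE_REQUESTS = [
    # Raw stream posted directly.
    Request("198.51.100.7", "POST", "/app/endpoint-a",
            {"Content-Type": "application/octet-stream"}, _STREAM),
    # Same stream, base64 inside a form parameter, percent-encoded.
    Request("198.51.100.7", "POST", "/app/endpoint-b",
            {"Content-Type": "application/x-www-form-urlencoded"},
            b"data=" + quote_from_bytes(base64.b64encode(_STREAM), safe="").encode()),
    # MIME type declares a serialized object but the body is gzip-compressed.
    Request("198.51.100.7", "POST", "/app/endpoint-c",
            {"Content-Type": JAVA_SERIALIZED_MIME}, b"\x1f\x8b\x08\x00"),
    # Ordinary JSON login from another client; must not be flagged.
    Request("203.0.113.9", "POST", "/app/login",
            {"Content-Type": "application/json"}, b'{"user":"admin","pass":"x"}'),
]

if __name__ == "__main__":
    hits = scan(SAMPLE_REQUESTS)
    for h in hits:
        print(f"{h.src_ip} -> {h.path}: java stream ({h.encoding})")
    for ip, seen in spraying_sources(hits).items():
        print(f"{ip} sprayed serialized objects across {len(seen)} paths: {sorted(seen)}")
```

Run it at a reverse proxy or over access logs that retain request bodies. A "mime-only" hit is only a hint and should be confirmed on the decoded body; gzip-compressed or custom-encoded payloads need a decoding step before the magic-byte check, and a management interface that legitimately accepts serialized Java objects will need an allowlist of expected client sources.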

Insikt Group® has not tested this PoC for accuracy or efficacy. Recorded Future customers can find the associated MITRE ATT&CK techniques in the Entities section of this TTP Instance.

Take Action

Timely, contextual vulnerability intelligence is essential for reducing risk across your environment and your broader supply chain. Recorded Future offers several capabilities to help security teams act with speed and confidence.

Vulnerability Intelligence — Prioritize vulnerabilities based on the likelihood of exploitation, not just severity scores. Real-time, contextualized intelligence helps teams patch what matters and get ahead of active threats.

Attack Surface Intelligence — Identify internet-facing assets exposed to a specific CVE. This outside-in view of your organization enables proactive discovery, prioritization, and remediation of unknown, vulnerable, or misconfigured assets.

Third-Party Intelligence — Assess the security posture of vendors and partners without lengthy research cycles or back-and-forth communication. Quickly evaluate vulnerabilities present in their internet-facing systems.

Insikt Group® — Access exclusive vulnerability research and trend reports from Recorded Future's expert threat intelligence team. Nuclei templates created by Insikt Group® are available for select CVEs to help test potentially vulnerable instances.

Recorded Future Professional Services — Engage the Professional Services team for a tailored Vulnerability Analysis Engagement, designed to advance your team's strategies for identifying, prioritizing, and mitigating threats. Learn more by watching the recent Vulnerability Prioritization Workshop.