31 High-Impact Vulnerabilities Exploited in March as Interlock
March 2026 proved a highly active month for vulnerability exploitation, standing out as one of the year’s most significant periods for observed threats. Security researchers tracked 31...
March 2026 proved a highly active month for vulnerability exploitation, standing out as one of the year’s most significant periods for observed threats.
Security researchers tracked 31 high-impact vulnerabilities that were actively used against real-world systems, touching products from more than 20 major vendors including Cisco, Microsoft, Google, Apple, Langflow, ConnectWise, Citrix, and others.
Among those vendors, Microsoft and Apple together accounted for roughly 32% of the affected products, reinforcing how widely used platforms continue to draw the heaviest targeting from threat actors.
Of the 31 vulnerabilities identified this month, 29 carried a “Very Critical” Recorded Future Risk Score, meaning the probability of exploitation was already high at the time of discovery.
Attackers did not wait long, as the every single one of these vulnerabilities saw active exploitation during March, a pace that gives security teams very little room to respond.
What makes this month stand out even further is the presence of a zero-day at the center of one of the most damaging campaigns tracked in recent months — one that targeted a widely deployed Cisco network security platform before a patch was even available.
One of the most striking data points in this month’s landscape is the inclusion of CVE-2017-7921, a vulnerability affecting Hikvision that is approximately nine years old.
Attackers are still actively exploiting it in environments where patching has never happened. That detail alone tells a larger story about the real state of vulnerability management across enterprises: age does not reduce risk when systems remain unpatched and exposed.
Defenders should never dismiss an older CVE based on its date alone — what matters is whether it can still be reached and exploited.
Recorded Future analysts identified all 31 vulnerabilities and noted that ten of them had publicly available proof-of-concept (PoC) exploits at the time of discovery.
Insikt Group also created Nuclei templates for two new high-severity vulnerabilities this month — a path traversal flaw in MindsDB (CVE-2026-27483) and a critical missing authentication issue in Nginx UI (CVE-2026-27944) — as part of their ongoing effort to help security teams test exposure quickly.
A previously published template for CVE-2025-68613 in n8n was already in circulation in December before attackers began using it in March.
Two vulnerabilities stood out in terms of linkage to organized threat actor activity. Nine of the 31 CVEs enabled remote code execution across products from Google, Langflow, Craft CMS, Laravel, Microsoft, n8n, SolarWinds, and Apple.
Additionally, two vulnerabilities and a multi-component exploit kit were directly connected to active malware campaigns, including a sophisticated iOS full-chain exploit called DarkSword that delivered the GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads.
However, the most consequential event this month centered on the Interlock Ransomware Group and a zero-day in Cisco’s Secure Firewall Management Center.
Interlock’s Exploitation of CVE-2026-20131
The Interlock Ransomware Group’s exploitation of CVE-2026-20131 began on January 26, 2026 — weeks before Cisco published its security advisory on March 4.
This means the group had been operating inside enterprise networks using a vulnerability that defenders had no official patch or public knowledge of at the time.
The flaw exists in Cisco’s Secure Firewall Management Center (FMC), a centralized platform used by administrators to manage firewall policies, monitor network security events, and control device configurations across enterprise environments.
The vulnerability is classified as a critical deserialization of untrusted data issue (CWE-502) and carries a Recorded Future Risk Score of 99 — the highest possible.
| # | CVE ID | Risk Score | Affected Vendor / Product | Vulnerability Type | Public PoC |
|---|---|---|---|---|---|
| 1 | CVE-2026-20131 | 99 | Cisco Secure Firewall Management Center (FMC) | CWE-502 – Deserialization of Untrusted Data | Yes |
| 2 | CVE-2026-21262 | 99 | Microsoft SQL Server (2016, 2019, 2022, 2025) | CWE-284 – Improper Access Control | No |
| 3 | CVE-2026-26127 | 99 | Microsoft .NET (9.0, 10.0) & Microsoft.Blazor.Memory | CWE-125 – Out-of-bounds Read | No |
| 4 | CVE-2026-39094 | 99 | Google Skia | CWE-787 – Out-of-bounds Write | No |
| 5 | CVE-2026-39104 | 99 | Google Chromium V8 | CWE-119 – Improper Restriction of Operations within Bounds of Memory | No |
| 6 | CVE-2026-35645 | 99 | ConnectWise ScreenConnect | CWE-347 – Improper Verification of Cryptographic Signature | No |
| 7 | CVE-2026-33017 | 99 | Langflow | CWE-94 / CWE-95 / CWE-306 – Code Injection / Missing Authentication | Yes |
| 8 | CVE-2026-30554 | 99 | Citrix NetScaler | CWE-125 – Out-of-bounds Read | Yes |
| 9 | CVE-2026-30083 | 99 | Enlow / Citrix ADC | CWE-306 – Missing Authentication for Critical Function | Yes |
| 10 | CVE-2026-33364 | 99 | Aquasecurity Trivy | CWE-506 – Embedded Malicious Code | Yes |
| 11 | CVE-2026-25187 | 94 | Microsoft Windows | CWE-59 – Improper Link Resolution Before File Access (Link Following) | No |
| 12 | CVE-2026-33032 | 94 | Nginx UI | CWE-306 – Missing Authentication for Critical Function | No |
| 13 | CVE-2026-21385 | 89 | Qualcomm (Multiple Chipsets) | CWE-190 – Integer Overflow or Wraparound | No |
| 14 | CVE-2026-30335 | 99 | Jungle Scout UI | CWE-306 – Missing Authentication for Critical Function | Yes |
| 15 | CVE-2026-21213 | 99 | Qualcomm (Multiple Chipsets) | CWE-190 – Integer Overflow or Wraparound | No |
| 16 | CVE-2025-38421 | 99 | F5 BIG-IP | CWE-121 – Stack-based Buffer Overflow | No |
| 17 | CVE-2026-32521 | 99 | Google Chrome / Chromium Browser | CWE-416 – Use After Free | No |
| 18 | CVE-2026-29451 | 99 | Apple macOS / iOS / iPadOS | CWE-787 – Out-of-bounds Write | No |
| 19 | CVE-2026-20982 | 99 | Ivanti Connect Secure | CWE-22 – Path Traversal | No |
| 20 | CVE-2026-27483 | 99 | MindsDB | CWE-22 – Path Traversal | Yes |
| 21 | CVE-2026-27944 | 99 | Nginx UI | CWE-306 – Missing Authentication for Critical Function | Yes |
| 22 | CVE-2026-33021 | 99 | Craft CMS | CWE-94 – Code Injection | No |
| 23 | CVE-2026-31015 | 99 | SolarWinds Web Help Desk | CWE-502 – Deserialization of Untrusted Data | No |
| 24 | CVE-2025-68613 | 99 | n8n (Workflow Automation) | CWE-94 – Code Injection | Yes |
| 25 | CVE-2026-33044 | 94 | Broadcom VMware vCenter | CWE-284 – Improper Access Control | No |
| 26 | CVE-2026-20415 | 94 | Cisco IOS XE | CWE-20 – Improper Input Validation | No |
| 27 | CVE-2026-24021 | 99 | Laravel Framework | CWE-94 – Code Injection | No |
| 28 | CVE-2026-32183 | 99 | Apple iOS / iPadOS (DarkSword Chain) | CWE-119 – Memory Corruption | No |
| 29 | CVE-2017-7921 | 94 | Hikvision IP Cameras | CWE-287 – Improper Authentication | No |
| 30 | CVE-2026-31022 | 99 | Craft CMS | CWE-502 – Deserialization of Untrusted Data | No |
| 31 | CVE-2026-20976 | 99 | Ivanti Connect Secure | CWE-287 – Improper Authentication | No |
The attack mechanism is straightforward but highly effective. An unauthenticated threat actor sends a specially crafted HTTP request to the FMC web-based management interface.
Since the platform fails to properly validate user-supplied Java byte streams, the attacker can inject a serialized Java object that the application processes and executes as root-level code.
The attacker then pulls a malicious ELF binary from a staging server at 37[.]27[.]244[.]222 to support follow-on operations inside the network.
Once inside, the Interlock group uses custom Java- and JavaScript-based remote access trojans (RATs), a memory-resident web shell, and proxy infrastructure to stay hidden and move across the network.
Post-compromise activity includes active reconnaissance, data collection, lateral movement, and the use of legitimate tools such as ConnectWise ScreenConnect, Volatility, and Certify for credential theft and privilege escalation.
The end goal of these operations is ransomware deployment, but the initial foothold through the FMC zero-day is what makes the campaign so dangerous — network security infrastructure itself becomes the entry point.
On March 11, 2026, a GitHub user shared an alleged PoC for CVE-2026-20131. That PoC uses the open-source tool ysoserial to generate a malicious Java-serialized payload, submits it to candidate endpoints that accept serialized Java data, and interprets an HTTP 500 response as confirmation that deserialization triggered command execution.
Insikt Group has not tested this PoC for accuracy or confirmed its reliability, and vulnerability management teams should exercise caution before testing any PoC in a production or staging environment.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.