31 high-impact vulnerabilities were exploited in March, with Interlock hitting a Cisco FMC zero-day
March 2026 was a brutal month for defenders. Recorded Future says attackers actively exploited 31 high-impact vulnerabilities during the month, spanning products from Cisco, Microsoft, Apple, Google, Citrix, Ivanti, n8n, Nginx UI, and others. Twenty-nine of those 31 flaws carried a “Very Critical” Recorded Future risk score, which signals a high likelihood of exploitation.
The standout case involved Cisco Secure Firewall Management Center, or FMC. Recorded Future says the Interlock ransomware group exploited CVE-2026-20131 from January 26, 2026, weeks before Cisco published its advisory on March 4, which made it a true zero-day in the field.
Cisco describes CVE-2026-20131 as a critical remote code execution flaw in the web-based management interface of Secure Firewall Management Center. The bug exists because the product does not safely deserialize user-supplied Java byte streams, which means an unauthenticated remote attacker can send a crafted serialized Java object and execute arbitrary Java code as root.
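The bug class above, unsafe deserialization of attacker-controlled Java byte streams, has a generic fingerprint defenders can look for on the wire: every Java object stream opens with the STREAM_MAGIC/STREAM_VERSION header 0xACED0005 (base64 "rO0AB..."). The script below is an added example, not Cisco's code, not Recorded Future's, and not tied to FMC internals; it runs a triage check over constructed sample request bodies and flags any that carry a serialized Java object, raw or base64-encoded, which is traffic a firewall manager's web interface should rarely if ever receive from the outside.

```python
"""Flag HTTP request bodies that carry a Java serialized object stream.

Added example (not from the article or the vendor). It only checks for the
generic Java serialization header and its base64 form, so it can sit in a
WAF/proxy log review or a request hook for any Java-backed management UI.
"""
import base64
import binascii
import re

# Java ObjectOutputStream header: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"

# Runs of base64 alphabet characters (with optional padding) worth decoding
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")

# Constructed sample records: (source_ip, path, body). The "serialized"
# bodies are synthetic: header, TC_OBJECT/TC_CLASSDESC and a dummy class name.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "/login", b"username=admin&password=REDACTED"),
    ("10.0.0.9", "/api/upload",
     JAVA_STREAM_MAGIC + b"\x73\x72\x00\x0fexample.Message..."),
    ("10.0.0.7", "/api/session",
     b"token=" + base64.b64encode(JAVA_STREAM_MAGIC + b"\x73\x72\x00\x04Blob")),
    ("10.0.0.3", "/static/logo.png", b"\x89PNG\r\n\x1a\n..."),
]


def contains_java_serialized_object(body: bytes) -> bool:
    """True if the body embeds a Java object stream, raw or base64-encoded."""
    if JAVA_STREAM_MAGIC in body:
        return True
    for match in B64_RUN.finditer(body):
        raw = match.group(0).rstrip(b"=")
        # Re-pad so partially padded or unpadded runs still decode
        padded = raw + b"=" * (-len(raw) % 4)
        try:
            decoded = base64.b64decode(padded)
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all
        if JAVA_STREAM_MAGIC in decoded:
            return True
    return False


def triage(requests):
    """Return (source_ip, path) for every request carrying a serialized object."""
    return [(ip, path) for ip, path, body in requests
            if contains_java_serialized_object(body)]


if __name__ == "__main__":
    for ip, path in triage(SAMPLE_REQUESTS):
        print(f"ALERT: Java serialized object from {ip} to {path}")
```

The check is deliberately cheap and content-agnostic: it does not try to parse or classify the object graph, only to surface that a serialized object arrived at all, so a hit is a reason to pull the full request and the receiving endpoint into investigation rather than a verdict on its own.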
Why this month stands out
Recorded Future says March saw a 139% increase in high-impact vulnerabilities compared with the prior period it tracks. That alone would have made it a rough month, but the speed of exploitation made the picture worse because all 31 flaws were already seeing active abuse during March.
The vendor spread also matters. According to Recorded Future, the 31 exploited vulnerabilities affected products from more than 20 vendors, with Microsoft and Apple together accounting for about 32% of the affected products. That concentration shows how heavily attackers still lean toward widely deployed enterprise and consumer platforms.
Age did not protect older systems either. Recorded Future included CVE-2017-7921, a Hikvision flaw that is about nine years old, in its March list, which underlines a basic reality in vulnerability management: old bugs remain dangerous when exposed systems never get patched.
Interlock’s Cisco FMC zero-day drew the most attention
Recorded Future says Interlock used CVE-2026-20131 to break into networks before Cisco had published a fix. That matters because FMC sits in a sensitive spot inside enterprise environments, where teams use it to manage firewall policies, monitor security events, and control configurations across network security infrastructure.
Cisco’s advisory says a successful exploit lets an unauthenticated attacker run arbitrary code and escalate privileges to root on the device. In practical terms, that turns a security management platform into an entry point for a broader network compromise.
Recorded Future says the Interlock group followed exploitation by pulling a malicious ELF binary from a staging server and then using custom Java and JavaScript remote access trojans, a memory-resident web shell, and proxy infrastructure to keep access and move laterally. The report also says the attackers used tools such as ConnectWise ScreenConnect, Volatility, and Certify during post-compromise activity.
The broader March 2026 picture
Recorded Future says 10 of the 31 exploited vulnerabilities had public proof-of-concept code available at the time of discovery. It also says Insikt Group published Nuclei templates for some newly exploited issues, including CVE-2026-27483 in MindsDB and CVE-2026-27944 in Nginx UI, while an earlier template for CVE-2025-68613 in n8n had already circulated before attackers began exploiting it in March.
Remote code execution played a major role. Recorded Future says nine of the 31 CVEs enabled remote code execution across products from Google, Langflow, Craft CMS, Laravel, Microsoft, n8n, SolarWinds, and Apple.
Two of the March cases were also tied directly to malware activity, according to Recorded Future. One involved the DarkSword iOS exploit chain, while the other centered on the Interlock ransomware group’s abuse of Cisco FMC.
March’s exploited flaws at a glance
| Metric | What Recorded Future reported |
|---|---|
| Total high-impact vulnerabilities exploited in March 2026 | 31 |
| Vulnerabilities with “Very Critical” risk score | 29 |
| Vulnerabilities with public PoC code identified | 10 |
| Vendors affected | More than 20 |
| Share tied to Microsoft and Apple products | About 32% |
| Most prominent zero-day case | CVE-2026-20131 in Cisco Secure Firewall Management Center |
Why defenders should pay attention
This report is not just a list of bad CVEs. It shows how fast attackers now move from disclosure to exploitation, and in some cases how often they arrive before disclosure. The Interlock case is the clearest example because the group had a head start of several weeks before Cisco’s March 4 advisory.
It also shows why teams cannot focus only on newly disclosed bugs from a short list of vendors. March included everything from fresh zero-days to an older Hikvision flaw from 2017, which tells defenders to prioritize exposure and exploitation evidence, not just release dates.
For Cisco FMC users, the response is straightforward. Cisco says affected organizations should apply the available software updates from the March 2026 advisory bundle as soon as possible, because the flaw allows unauthenticated remote code execution as root.
What security teams should do now
- Patch internet-facing and management-plane systems first, especially products that appear on exploited-in-the-wild lists.
- Treat CVE-2026-20131 in Cisco FMC as an urgent priority if any affected deployments remain exposed.
- Do not dismiss older CVEs if exposed assets still run vulnerable versions.
- Be cautious with public PoC code in production or staging environments. Recorded Future explicitly says teams should verify PoC validity before testing.
- Track actively exploited vulnerability reports from vendors and threat intelligence teams, not just patch release notes.
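The list above boils down to one ordering rule: exploitation evidence and exposure outrank disclosure date. The script below is an added example, not Recorded Future's methodology or any vendor's tooling; it applies that rule to a constructed asset inventory and a constructed "exploited in the wild" feed. The weights are an assumption to tune to local policy, and the CVE ids other than the two named in the article are placeholders.

```python
"""Order patch work by exploitation evidence and exposure, not by CVE age.

Added example (not from the article). Inventory, feed and weights are
constructed; only CVE-2026-20131 and CVE-2017-7921 come from the report.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    published: date         # vendor disclosure date (used only as a tie-break)
    internet_facing: bool
    management_plane: bool  # firewall managers, hypervisor consoles, IdPs, ...


# Constructed feed: CVEs a threat-intel source reports as actively exploited
EXPLOITED_IN_THE_WILD = {"CVE-2026-20131", "CVE-2017-7921"}

# Assumed weights: exploitation dominates, then exposure, then blast radius
WEIGHT_EXPLOITED = 100
WEIGHT_INTERNET_FACING = 50
WEIGHT_MANAGEMENT_PLANE = 30

# Constructed inventory. Hikvision date is an approximate placeholder;
# the CVE-2026-EXAMPLE* ids are placeholders, not real identifiers.
FINDINGS = [
    Finding("fmc-01", "CVE-2026-20131", date(2026, 3, 4), True, True),
    Finding("cam-lobby", "CVE-2017-7921", date(2017, 1, 1), True, False),
    Finding("vpn-edge", "CVE-2026-EXAMPLE1", date(2026, 3, 25), True, False),
    Finding("hv-console", "CVE-2026-EXAMPLE2", date(2026, 3, 28), False, True),
    Finding("intranet-cms", "CVE-2026-EXAMPLE3", date(2026, 3, 30), False, False),
]


def priority(f: Finding) -> int:
    """Numeric priority; higher means patch sooner. Age adds no points."""
    score = 0
    if f.cve in EXPLOITED_IN_THE_WILD:
        score += WEIGHT_EXPLOITED
    if f.internet_facing:
        score += WEIGHT_INTERNET_FACING
    if f.management_plane:
        score += WEIGHT_MANAGEMENT_PLANE
    return score


def patch_order(findings):
    """Sort by priority desc; on ties the older (longer-exposed) flaw goes first."""
    return sorted(findings, key=lambda f: (-priority(f), f.published))


def rationale(f: Finding) -> str:
    """Human-readable reasons a finding scored what it did (for ticket notes)."""
    reasons = []
    if f.cve in EXPLOITED_IN_THE_WILD:
        reasons.append("exploited in the wild")
    if f.internet_facing:
        reasons.append("internet-facing")
    if f.management_plane:
        reasons.append("management plane")
    return ", ".join(reasons) or "no exposure or exploitation evidence"


if __name__ == "__main__":
    for f in patch_order(FINDINGS):
        print(f"{priority(f):>4}  {f.asset:<13} {f.cve:<18} {rationale(f)}")
```

Note what the ordering does with the article's two named cases: the nine-year-old Hikvision flaw on an exposed camera lands second, ahead of every freshly disclosed but unexploited bug, because age earns nothing and exposure plus exploitation evidence earn everything.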
FAQ
Recorded Future said 31 high-impact vulnerabilities were actively exploited during March 2026, with 29 rated “Very Critical” by its scoring model.
The most important case was Interlock’s exploitation of Cisco FMC zero-day CVE-2026-20131 before Cisco published its advisory.
Cisco says the flaw lets an unauthenticated remote attacker send a crafted serialized Java object to the FMC web interface and execute arbitrary Java code as root.
No. Recorded Future’s March list also included CVE-2017-7921, a much older Hikvision vulnerability, which shows that unpatched older flaws still attract real-world attacks.