{
  "Event": {
    "analysis": "1",
    "date": "2026-04-13",
    "extends_uuid": "",
    "info": "[Threat Intel] March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day",
    "protected": false,
    "publish_timestamp": "1776682894",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1776682894",
    "uuid": "9c298dea-f6bb-4628-8c6f-8f071d4db267",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#bf83fd",
        "local": false,
        "name": "misp-galaxy:producer=\"Recorded Future\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d48a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"",
        "relationship_type": ""
      },
      {
        "colour": "#f28fb8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"OS Credential Dumping - T1003\"",
        "relationship_type": ""
      },
      {
        "colour": "#d3f567",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#9feaf0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#fe1ef0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#9dfeaa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Abuse Elevation Control Mechanism - T1548\"",
        "relationship_type": ""
      },
      {
        "colour": "#adf1b0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#36d931",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#0aebeb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Client Execution - T1203\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#3970d7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#370063",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"vulnerability\"",
        "relationship_type": ""
      },
      {
        "colour": "#150050",
        "local": false,
        "name": "rectifyq:sub-category=\"report\"",
        "relationship_type": ""
      },
      {
        "colour": "#170057",
        "local": false,
        "name": "rectifyq:sub-category=\"critical-vuln\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Ransomware\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:ransomware=\"interlock\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "link",
        "uuid": "f7a0f031-454e-4483-beb6-30762c87d390",
        "value": "https://www.recordedfuture.com/blog/march-2026-cve-landscape"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "text",
        "uuid": "e6065bdd-ace0-47bf-bbe9-9bbfb8d3b768",
        "value": "In March 2026, 31 high-impact vulnerabilities were identified requiring prioritization for remediation, with 29 receiving Very Critical Risk Scores. Affected vendors included Cisco, Microsoft, Google, ConnectWise, and others, with Microsoft and Apple accounting for approximately 32% of vulnerabilities. Notably, the Interlock Ransomware Group exploited CVE-2026-20131, a zero-day deserialization vulnerability in Cisco Secure Firewall Management Center, as early as January 2026 to compromise enterprise networks. The group deployed custom remote access trojans and facilitated ransomware operations through crafted HTTP requests executing arbitrary Java code as root. Additional campaigns involved the DarkSword iOS exploit kit delivering GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads, and the Coruna exploit kit deploying PlasmaLoader malware. Nine vulnerabilities enabled remote code execution across multiple platforms. One vulnerability dated back nine years, emphasizing continued exploitation of legacy unpatched [truncated]"
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "text",
        "uuid": "ec776ce2-bb43-4732-8bc2-08747acad6f1",
        "value": "Name: March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day\nAuthor: AlienVault\nAdversary: Interlock Ransomware Group\nTags: [\"cve-2026-27944\", \"ransomware\", \"cve-2021-30952\", \"ghostsaber\", \"cve-2026-3909\", \"cve-2026-33032\", \"cve-2026-3564\", \"cve-2026-20963\", \"plasmaloader\", \"cve-2025-53521\", \"cve-2026-20131\", \"ghostknife\", \"cve-2025-68613\", \"cve-2025-32432\", \"cve-2026-3910\", \"cve-2025-54068\", \"ghostblade\", \"cve-2023-41974\", \"cve-2026-3055\", \"deserialization vulnerability\", \"cve-2026-26127\", \"cve-2026-33634\", \"cve-2026-27483\", \"cve-2017-7921\", \"remote code execution\", \"ios exploit kit\", \"cve-2026-21262\", \"cve-2026-25187\", \"plasmagrid\", \"cve-2026-21385\", \"cve-2026-33017\", \"cve-2025-26399\", \"zero-day exploitation\", \"cisco fmc\"]\nTgtd countries: []\nMlwr families: [\"GHOSTKNIFE\", \"GHOSTSABER\", \"GHOSTBLADE\", \"PlasmaLoader\", \"PLASMAGRID\"]\nAttack_ids: [\"T1033\", \"T1003\", \"T1059.007\", \"T1082\", \"T1190\", \"T1055\", \"T1505.003\", \"T1548\", \"T1090\", \"T1059\", \"T1083\", \"T1078\", \"T1027\", \"T1486\", \"T1573\", \"T1203\", \"T1071.001\", \"T1018\", \"T1105\", \"T1021.001\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "80386700-01b0-4ecb-9687-c52b122966f5",
        "value": "Interlock Ransomware Group"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "c5a00220-67f5-4194-9d6c-c02708c4043f",
        "value": "CVE-2017-7921"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "e97d53c2-9fac-4d86-ab12-5f61e16f3524",
        "value": "CVE-2021-30952"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "5f19a240-6f06-40f6-9b50-fc2366960c62",
        "value": "CVE-2023-41974"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "f358a495-fde5-4b25-b2e7-ef38a007f1fd",
        "value": "CVE-2025-26399"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "cdd86564-f2cb-4d8b-9961-fcb0fbbabee1",
        "value": "CVE-2025-32432"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "2ad6b028-c78d-42ed-886b-63e0dc70ac24",
        "value": "CVE-2025-53521"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "e6295195-b086-4e30-a5c3-73e9887168e2",
        "value": "CVE-2025-54068"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "da55233c-dea9-4f10-8d95-ec1edd16f79b",
        "value": "CVE-2025-68613"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "a02b82c2-f678-4ae4-a8d5-834379938b97",
        "value": "CVE-2026-20131"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "f7d80c80-1506-4fcc-9edd-865f8cae6708",
        "value": "CVE-2026-20963"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "14f22bac-2b18-43d6-90a8-392a94b083cf",
        "value": "CVE-2026-21262"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "45eff8b5-7a83-4717-ae4c-7b83ccde29f6",
        "value": "CVE-2026-21385"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "b08219f3-fbd9-4e13-b9be-4deff31d93b7",
        "value": "CVE-2026-25187"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "b913942c-439e-455d-a757-66d3ae98f0e5",
        "value": "CVE-2026-26127"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "8fd4f9c8-4650-4da5-a398-ce5dea7cdf6d",
        "value": "CVE-2026-27483"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "cf6eaf7b-024e-4292-a844-f12982f12a9c",
        "value": "CVE-2026-27944"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "cefd6f3a-d5fc-4793-a07e-00a8bb210a4d",
        "value": "CVE-2026-3055"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "34dcc298-a3c3-49cd-9550-af79204abd73",
        "value": "CVE-2026-33017"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "228a7f9f-6f87-40d6-a689-915a57be28eb",
        "value": "CVE-2026-33032"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "2f8a29b3-a5e8-4ce0-bb57-3bdbbeca8a98",
        "value": "CVE-2026-33634"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "6cdd5046-c1ea-4652-b00a-bb185a69d9c3",
        "value": "CVE-2026-3564"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "c438ad32-5834-41c6-b1c8-0e9727ab6acd",
        "value": "CVE-2026-3909"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164420",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "c46bd17c-47f2-4301-80f2-1e7fee207b19",
        "value": "CVE-2026-3910"
      },
      {
        "category": "Network activity",
        "comment": "threat actors deploy a malicious ELF binary from this staging server",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776654681",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "9855c729-fa4d-4955-8536-72af80c9eb65",
        "value": "37.27.244.222",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776650375",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "daa1f9a4-ff22-4ba4-9488-74392390889e",
        "value": "CVE-2025-43510"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776650375",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "0382d734-fdd4-4bca-ab3e-9888bf648993",
        "value": "CVE-2025-43520"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776650375",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "89dfe72f-3496-4d92-bfe5-ad526096498c",
        "value": "CVE-2025-31277"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776650375",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "54e0c932-3b0d-4ce5-b47f-281aeb139ae0",
        "value": "CVE-2025-66376"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776650375",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "bbf171db-4ce1-4888-a566-5b5e564656b2",
        "value": "CVE-2025-47813"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776650375",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "1176b40a-2b80-4661-b7e9-80bea26c9b5a",
        "value": "CVE-2021-22054"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776650375",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "9d8055b4-6548-4dfc-b4ec-aac9d24c2b97",
        "value": "CVE-2026-1603"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776650375",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "9a967f65-17a0-4a29-ab5c-d723c7cae5f2",
        "value": "CVE-2021-22681"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776650375",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "1ef829c2-f482-45f1-bee0-6332be16d497",
        "value": "CVE-2023-43000"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776650375",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "a9203fea-8c86-433f-88d6-8bf8a3ded899",
        "value": "CVE-2026-22719"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776654702",
        "uuid": "8c719fea-8105-4633-98eb-3120e29216c4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "screen locker sample",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776654702",
            "to_ids": true,
            "type": "md5",
            "uuid": "1ed0df7b-cf25-4b25-9994-3dccbc8fb596",
            "value": "12d399e6966db58f6d189d606ac34cc8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "screen locker sample",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776654479",
            "to_ids": true,
            "type": "sha1",
            "uuid": "834f0a70-0061-44fb-9052-e7c7c2fdd3a2",
            "value": "17986b6595fe960fe8e9757d3069d5daabd628ef",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "screen locker sample",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776654479",
            "to_ids": true,
            "type": "sha256",
            "uuid": "eb6e229b-2728-437a-bd73-1c48fa98bf8c",
            "value": "6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776653969",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "389f3081-5da3-4da9-b899-56b5f6d585ab",
            "value": "384:5J/++vXbOLh+S8DkuOa2+QGw/ECJYMEKTH07YjG3CW:5EO8+SKkuOpjEC2MLTUnSW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776653969",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "33a7c181-77e0-4084-b835-8386c8536f76",
            "value": "25088"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776653969",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5883e926-f03e-439d-870e-bb6df601254d",
            "value": "0240b75d7555151c0d1d1bzc19hz11zffz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776653969",
            "to_ids": true,
            "type": "filename",
            "uuid": "a9704483-1060-4d0b-adfd-2ae14381978e",
            "value": "CYOywFTkk"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026 (DD/MM/YYYY)\nLast-scan: 17/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776653969",
            "to_ids": false,
            "type": "text",
            "uuid": "b40a9642-55ac-4f7e-97cb-a0688ad9a833",
            "value": "screen locker sample\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/ScreenLock!MTB\nVT Total Detection: 44/72\nFirst Submission: 2026-02-18T14:07:42.000000+00:00\nLast Submission: 2026-03-24T11:43:54.000000+00:00"
          }
        ]
      }
    ]
  }
}