Key Takeaways
- Insikt Group identified 31 actively exploited vulnerabilities in March 2026, with Microsoft and Apple representing the largest share.
- Amazon Threat Intelligence linked a Cisco zero-day to an Interlock ransomware campaign involving custom RATs and staged payload delivery.
- Older CVEs, including a nine-year-old Hikvision flaw, remain frequent attack vectors due to lagging patching and persistent misconfigurations.
The March wave of exploited vulnerabilities, cataloged by Insikt Group, shows attackers continuing to lean heavily on known weaknesses in internet-facing services, often seizing on newly disclosed flaws before defenders can deploy patches. These findings arrive amid a broader industry focus on preventable exposure, a trend highlighted throughout 2026 in the Palo Alto Networks Unit 42 Global Incident Response Report.
The 31 vulnerabilities affected a wide spectrum of enterprise tools, including products from Cisco, Microsoft, Google, ConnectWise, Langflow, Citrix, Aquasecurity, Nginx UI, Qualcomm, F5, Craft CMS, Laravel, Apple, Synacor, Wing FTP Server, n8n, Omnissa, SolarWinds, Ivanti, Hikvision, Rockwell, and Broadcom. This diverse list touches cloud, network, application, and OT environments. Microsoft and Apple together accounted for approximately 32% of the total, with the remainder spread across the other vendors, illustrating the wide variety of exploitation paths attackers pursue.
Older flaws also continue to surface in active attacks. Hikvision's CVE-2017-7921, approximately nine years old, remained in play. This reinforces how attackers consistently exploit long-known weaknesses in unpatched, internet-facing devices that remain visible on enterprise networks.
For newer vulnerabilities, Insikt Group created Nuclei templates to help security teams validate exposure to issues like a high-severity path traversal in MindsDB (CVE-2026-27483) and a critical missing-authentication flaw in Nginx UI (CVE-2026-27944). A template for CVE-2025-68613 in n8n was released in December, well before exploitation of that flaw surged in March. Ten of the 31 vulnerabilities had public proof-of-concept (PoC) exploits circulating, demonstrating how rapidly threat actors weaponize newly disclosed issues.
The Center for Strategic and International Studies monitors how state-linked and criminal operators adopt new exploitation techniques, often within days of disclosure. Data from the CSIS Significant Cyber Incidents timeline shows a pattern mirroring the activity Insikt Group tracked, demonstrating that threat actors rapidly execute campaigns when a vulnerability can be chained, automated, or deployed at scale.
A standout case in March involved the Interlock Ransomware Group. Amazon Threat Intelligence reported that the group exploited a zero-day vulnerability in Cisco Secure Firewall Management Center, tracked as CVE-2026-20131. The flaw enabled the unauthenticated execution of arbitrary Java code as root. According to the reporting, exploitation began on January 26, 2026, before the vulnerability became public.
After compromising exposed Cisco FMC instances through crafted HTTP requests, Interlock operators deployed a malicious ELF binary through a staging server. Their toolkit included Java and JavaScript remote access trojans, a memory-resident web shell, and proxy infrastructure designed to conceal command activity. The operators also blended legitimate tools into their workflow, using ConnectWise ScreenConnect for remote access and Volatility for memory inspection to evade detection during the intrusion's early stages.
Amazon Threat Intelligence also provided Insikt Group with a screen-locker sample for analysis. While the specific payload was benign, it changed the victim's wallpaper to explicit imagery, introduced execution delays, and performed debugger checks, illustrating the psychological pressure tactics often integrated into ransomware playbooks.
Other exploited vulnerabilities in March enabled remote code execution (RCE) against products from Google, Langflow, Craft CMS, Laravel, Microsoft, n8n, SolarWinds, and Apple. Threat actors frequently chain RCE flaws with authentication bypasses or deserialization weaknesses to achieve full system compromise. CWE-502 and CWE-94 were the two most common weakness types observed, primarily affecting internet-facing systems that lack hardened configurations.
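To make the CWE-502 pattern concrete, here is an added Python example (written for this summary, not taken from the Insikt Group report or from any product named above). It contrasts an unrestricted `pickle.loads` call with a hardened loader that allowlists the globals a stream may resolve, and with the data-only JSON alternative. The demo stream is constructed: it names `builtins.len` so the unsafe loader visibly invokes a function chosen by the data while doing nothing harmful; the allowlist contents and the `SAFE_GLOBALS` name are assumptions for the example.

```python
import io
import json
import pickle

# Allowlist of globals the deserializer may resolve: plain data containers only.
# Any other global named by the stream is rejected before it can be called.
SAFE_GLOBALS = {
    "builtins": {"dict", "list", "set", "frozenset", "tuple",
                 "str", "bytes", "int", "float", "bool"},
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside SAFE_GLOBALS."""

    def find_class(self, module, name):
        if name in SAFE_GLOBALS.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def unsafe_loads(data: bytes):
    """CWE-502 as it usually appears: untrusted bytes go straight into pickle.loads,
    which imports and calls whatever global the stream names."""
    return pickle.loads(data)


def safe_loads(data: bytes):
    """Hardened form: same wire format, but every global lookup goes through the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safest_loads(text: str) -> dict:
    """Preferred form: a data-only format. JSON has no opcode meaning 'call this function'."""
    obj = json.loads(text)
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object")
    return obj


def is_rejected(data: bytes) -> bool:
    """True if the restricted loader refuses the stream."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed protocol-0 stream: GLOBAL builtins.len, then REDUCE with the tuple ('abc',).
# It makes the loader *call* a function named in the data. len is harmless, which is why
# it is used here; the same opcodes accept any importable callable.
DEMO_STREAM = b"cbuiltins\nlen\n(S'abc'\ntR."

# Constructed benign record built only from allowlisted container types.
BENIGN_STREAM = pickle.dumps({"user": "alice", "roles": ["viewer"]})

if __name__ == "__main__":
    print("unsafe_loads invoked a function named in the data:", unsafe_loads(DEMO_STREAM))
    print("safe_loads rejected the same stream:", is_rejected(DEMO_STREAM))
    print("safe_loads still reads plain data:", safe_loads(BENIGN_STREAM))
```

The restricted loader is the pattern from the Python `pickle` documentation; it is a mitigation for code that cannot change its wire format. Where the format can change, `safest_loads` is the better fix, since the weakness is the format's ability to express function calls, not any one payload.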
Industry frameworks like the NIST Cybersecurity Framework continue to guide how enterprises organize controls around asset visibility and vulnerability response. Maintaining an accurate asset inventory is critical for timely remediation. The UCF InfoSec Security Awareness Newsletter noted that the number of active ransomware groups grew by 56% in the first half of 2024, intensifying competition among threat actors for exposed, easily compromised targets.
These incident reports reinforce a consistent attacker playbook: exploit exposed services, chain vulnerable systems, and move rapidly before organizations can complete patch cycles. Enterprises that maintain continuous exposure management across SaaS, cloud, and firewall layers can better defend against newly surfaced vulnerabilities.
The activity highlighted by Insikt Group demonstrates that improving configuration hygiene, accelerating patch deployment windows, and monitoring for unexpected API behavior can significantly reduce exposure to ransomware deployment and data exfiltration.
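As an added illustration of the exposure-management approach described above (this is example code written for this summary, not an Insikt Group tool), the Python below joins a constructed asset inventory against a subset of the CVEs and products named in the report and ranks unpatched findings by internet exposure, public PoC availability, and CVE age. The product keys, hostnames, exposure flags, and scoring weights are assumptions; the `poc_public` flags are also assumed, since the report says ten of the 31 flaws had public PoCs but does not say which.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ExploitedCve:
    cve: str          # CVE identifier as it appears on the exploited list
    product: str      # normalized product key used to join against the inventory
    poc_public: bool  # whether a public proof of concept is circulating (ASSUMED here)


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    internet_facing: bool
    patched_cves: frozenset  # CVEs already remediated on this asset


# Subset of the CVEs and products the report names. Product keys are constructed;
# poc_public values are assumptions for illustration only.
EXPLOITED = (
    ExploitedCve("CVE-2017-7921", "hikvision-camera", poc_public=True),
    ExploitedCve("CVE-2026-20131", "cisco-fmc", poc_public=False),
    ExploitedCve("CVE-2026-27483", "mindsdb", poc_public=True),
    ExploitedCve("CVE-2026-27944", "nginx-ui", poc_public=False),
    ExploitedCve("CVE-2025-68613", "n8n", poc_public=True),
)


def cve_age_years(cve: str, as_of_year: int = 2026) -> int:
    """Approximate age from the year embedded in the CVE identifier."""
    return as_of_year - int(cve.split("-")[1])


def score(asset: Asset, vuln: ExploitedCve, as_of_year: int = 2026) -> int:
    """Additive urgency score. Every finding here is already on the exploited list,
    so that is the baseline; exposure, weaponization and age raise it."""
    s = 4
    if asset.internet_facing:
        s += 3  # reachable by the opportunistic scanning the report describes
    if vuln.poc_public:
        s += 2  # weaponization cost for an attacker is near zero
    if cve_age_years(vuln.cve, as_of_year) >= 2:
        s += 1  # long-known flaw still present: overdue, not merely new
    return s


def prioritize(assets, exploited=EXPLOITED, as_of_year: int = 2026):
    """Return (score, hostname, cve) tuples for unpatched findings, most urgent first."""
    by_product = {}
    for v in exploited:
        by_product.setdefault(v.product, []).append(v)
    findings = []
    for a in assets:
        for v in by_product.get(a.product, []):
            if v.cve in a.patched_cves:
                continue
            findings.append((score(a, v, as_of_year), a.hostname, v.cve))
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings


# Constructed inventory: hostnames, exposure and patch state are made up for the example.
SAMPLE_ASSETS = (
    Asset("cam-lobby-01", "hikvision-camera", True, frozenset()),
    Asset("n8n-prod", "n8n", True, frozenset({"CVE-2025-68613"})),
    Asset("mindsdb-lab", "mindsdb", False, frozenset()),
    Asset("fmc-edge", "cisco-fmc", True, frozenset()),
)

if __name__ == "__main__":
    for s, host, cve in prioritize(SAMPLE_ASSETS):
        print(f"{s:2d}  {host:14s} {cve}")
```

With the constructed inventory, the nine-year-old Hikvision flaw on an internet-facing camera ranks first, ahead of the newer Cisco FMC zero-day, which matches the report's point that long-known weaknesses on exposed devices remain the most reliable attack vector. The weights are deliberately simple; the value is in having the inventory join at all, so that a newly published exploited CVE maps to concrete hosts within the patch window rather than after it.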