216.73.217.22

March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day

· Published 14/04/2026 10:53 · Modified 14/04/2026 09:22

Export JSON

Essential information

Published
14/04/2026 10:53
Modified
14/04/2026 09:22
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
cisco fmc cve-2017-7921 cve-2021-30952 cve-2023-41974 cve-2025-26399 cve-2025-32432 cve-2025-53521 cve-2025-54068 cve-2025-68613 cve-2026-20131 cve-2026-20963 cve-2026-21262 cve-2026-21385 cve-2026-25187 cve-2026-26127 cve-2026-27483 cve-2026-27944 cve-2026-3055 cve-2026-33017 cve-2026-33032 cve-2026-33634 cve-2026-3564 cve-2026-3909 cve-2026-3910 deserialization vulnerability ghostblade ghostknife ghostsaber ios exploit kit plasmagrid
Tags
2026-04-14 CVE-2017-7921 CVE-2021-30952 CVE-2023-41974 CVE-2025-26399 CVE-2025-32432 CVE-2025-53521 CVE-2025-54068 CVE-2025-68613 CVE-2026-20131 CVE-2026-20963 CVE-2026-21262 CVE-2026-21385 CVE-2026-25187 CVE-2026-26127 CVE-2026-27483 CVE-2026-27944 CVE-2026-3055 CVE-2026-33017 CVE-2026-33032 CVE-2026-33634 CVE-2026-3564 CVE-2026-3909 CVE-2026-3910 cisco fmc deserialization vulnerability ghostblade ghostknife ghostsaber ios exploit kit plasmagrid plasmaloader ransomware remote code execution zero-day exploitation
Related entities
23 vulnerabilities (cve), 2 indicators, 2 observables, 1 intrusion sets (apt), 20 techniques (mitre), 5 malware

Description

In March 2026, 31 high-impact vulnerabilities were identified requiring prioritization for remediation, with 29 receiving Very Critical Risk Scores. Affected vendors included Cisco, Microsoft, Google, ConnectWise, and others, with Microsoft and Apple accounting for approximately 32% of vulnerabilities. Notably, the Interlock Group exploited , a zero-day in Cisco Secure Firewall Management Center, as early as January 2026 to compromise enterprise networks. The group deployed custom remote access trojans and facilitated operations through crafted HTTP requests executing arbitrary Java code as root. Additional campaigns involved the DarkSword delivering , , and payloads, and the Coruna exploit kit deploying malware. Nine vulnerabilities enabled across multiple platforms. One vulnerability dated back nine years, emphasizing continued exploitation of legacy unpatched

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (23)

CVE-2025-32432 KEV
10.0 Critical

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before …

Attack vector
NETWORK
Complexity
LOW
Published
25/04/2025
Modified
27/03/2026
CVE-2017-7921 KEV
9.8 Critical

Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain …

Attack vector
NETWORK
Complexity
LOW
EPSS
0.9410 (P99.9%)
Published
06/05/2017
Modified
22/04/2026
CVE-2026-33032
9.8 Critical

Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context …

Attack vector
NETWORK
Complexity
LOW
Published
30/03/2026
Modified
17/04/2026
CVE-2023-41974 KEV
7.8 High

Apple iOS and iPadOS contain a use-after-free vulnerability. An app may be able to execute arbitrary code with kernel privileges.

Attack vector
LOCAL
Published
10/01/2024
Modified
15/03/2026
CVE-2026-33634 KEV
9.4 Critical

Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, …

Attack vector
NETWORK
Complexity
LOW
EPSS
0.0007 (P20.9%)
Published
23/03/2026
Modified
14/04/2026
CVE-2025-53521 KEV
8.7 High

When a BIG-IP APM Access Policy is configured on a virtual server, undisclosed traffic can cause TMM to terminate. Note: Software versions …

Attack vector
Network
Complexity
Low
Published
15/10/2025
Modified
04/04/2026
CVE-2026-3910 KEV
8.8 High

Google Chromium V8 contains an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow a remote …

Attack vector
Network
EPSS
0.0008 (P23.4%)
Published
13/03/2026
Modified
14/04/2026
Analyzed
CVE-2026-3564
9.0 Critical

A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access, including …

Attack vector
Network
Published
17/03/2026
Modified
14/04/2026
Awaiting Analysis
CVE-2026-3909 KEV
8.8 High

Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a …

Attack vector
Network
EPSS
0.0007 (P20.7%)
Published
13/03/2026
Modified
14/04/2026
Analyzed
CVE-2026-27483
8.8 High

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.9.1.1, there is a path traversal vulnerability in …

Attack vector
NETWORK
Published
24/02/2026
Modified
14/04/2026
Undergoing Analysis
CVE-2025-68613 KEV
9.9 Critical

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical …

Attack vector
Network
Published
20/12/2025
Modified
12/03/2026
Awaiting Analysis
CVE-2026-27944
9.8 Critical

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without …

Attack vector
Network
Published
05/03/2026
Modified
14/04/2026
Undergoing Analysis
CVE-2026-21385 KEV
7.8 High

Multiple Qualcomm chipsets contain a memory corruption vulnerability while using alignments for memory allocation.

Attack vector
LOCAL
Published
02/03/2026
Modified
14/04/2026
Undergoing Analysis
CVE-2026-20963 KEV
9.8 Critical

Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network.

Attack vector
NETWORK
Complexity
LOW
Published
13/01/2026
Modified
02/04/2026
CVE-2026-25187
7.8 High

Improper link resolution before file access ('link following') in Winlogon allows an authorized attacker to elevate privileges locally.

Attack vector
Local
Complexity
Low
Published
10/03/2026
Modified
26/05/2026
CVE-2025-26399 KEV
9.8 Critical

SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would …

Attack vector
Network
Published
23/09/2025
Modified
12/03/2026
Awaiting Analysis
CVE-2026-21262
8.8 High

Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.

Attack vector
NETWORK
Published
10/03/2026
Modified
14/04/2026
Awaiting Analysis
CVE-2025-54068 KEV
9.2 Critical

Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve …

Attack vector
NETWORK
Complexity
LOW
Published
17/07/2025
Modified
27/03/2026
CVE-2021-30952 KEV
7.8 High

Apple tvOS, macOS, Safari, iPadOS and watchOS contain an integer overflow or wraparound vulnerability due to the processing of maliciously crafted web …

Attack vector
LOCAL
Published
24/08/2021
Modified
10/03/2026
CVE-2026-20131 KEV
10.0 Critical

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to …

Attack vector
NETWORK
Complexity
Low
Published
04/03/2026
Modified
14/04/2026
CVE-2026-3055 KEV
9.3 Critical

Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC FIPS and NDcPP contain an out-of-bounds reads vulnerability …

Attack vector
Network
Complexity
Low
Published
23/03/2026
Modified
14/04/2026
CVE-2026-26127
7.5 High

Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.

Attack vector
NETWORK
Complexity
Low
Published
10/03/2026
Modified
14/04/2026
CVE-2026-33017 KEV
9.3 Critical

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows …

Attack vector
Network
Complexity
Low
Published
20/03/2026
Modified
23/05/2026

Indicators (2)

Observables (2)

  • 37.27.244.222
  • 6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f

Intrusion sets (APT) (1)

  • Interlock Ransomware Group
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 14/04/2026 11:20 · Modified 14/04/2026 11:20

Techniques (MITRE) (20)

  • T1003
    OS Credential Dumping
  • T1078
    Valid Accounts
  • T1548
    Abuse Elevation Control Mechanism
  • T1055
    Process Injection
  • T1573
    Encrypted Channel
  • T1059.007
    JavaScript
  • T1071.001
    Web Protocols
  • T1090
    Proxy
  • T1505.003
    Web Shell
  • T1486
    Data Encrypted for Impact
  • T1018
    Remote System Discovery
  • T1027
    Obfuscated Files or Information
  • T1190
    Exploit Public-Facing Application
  • T1105
    Ingress Tool Transfer
  • T1059
    Command and Scripting Interpreter
  • T1033
    System Owner/User Discovery
  • T1021.001
    Remote Desktop Protocol
  • T1083
    File and Directory Discovery
  • T1203
    Exploitation for Client Execution
  • T1082
    System Information Discovery

Malware (5)

  • PlasmaLoader
    Family
    Published 14/04/2026 08:53 · Modified 14/04/2026 08:53
  • GHOSTBLADE
    Family
    Published 14/04/2026 08:53 · Modified 14/04/2026 08:53
  • GHOSTKNIFE
    Family
    Published 14/04/2026 08:53 · Modified 14/04/2026 08:53
  • PLASMAGRID
    Family
    Published 14/04/2026 08:53 · Modified 14/04/2026 08:53
  • GHOSTSABER
    Family
    Published 14/04/2026 08:53 · Modified 14/04/2026 08:53

External references