Apr 13, 2026 • Recorded Future
March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day
Executive Summary
March 2026 witnessed a 139% surge in high-impact vulnerabilities, with Recorded Future's Insikt Group identifying 31 critical vulnerabilities requiring immediate remediation. The Interlock ransomware group notably exploited a zero-day vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center to compromise enterprise networks and deploy custom remote access trojans. Additionally, the DarkSword iOS full-chain exploit enabled sandbox escape and kernel-level access, delivering GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads. The Coruna exploit kit targeted iOS devices with PlasmaLoader malware. Microsoft and Apple were the most affected vendors, accounting for 32% of vulnerabilities. Organizations should prioritize patching based on observed exploitation activity, maintain strong asset visibility, and implement compensating controls where immediate remediation is not feasible.
Summary
March 2026 saw a 139% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 31 vulnerabilities requiring immediate remediation, up from 13 in February 2026.
Published Analysis
In March 2026, Insikt Group® identified 31 high-impact vulnerabilities that should be prioritized for remediation, 29 of which had a Very Critical Recorded Future Risk Score. These vulnerabilities affected products from the following vendors: Cisco, Microsoft, Google, ConnectWise, Langflow, Citrix, Aquasecurity, Nginx UI, Qualcomm, F5, Craft CMS, Laravel, Apple, Synacor, Wing FTP Server, n8n, Omnissa, SolarWinds, Ivanti, Hikvision, Rockwell, and Broadcom. This month's most affected vendors were Microsoft and Apple, together accounting for approximately 32% of the 31 vulnerabilities. One vulnerability (CVE-2017-7921, affecting Hikvision) is approximately nine years old, reinforcing how attackers continue to exploit long-known weaknesses in environments where patching has lagged. Legacy and unpatched systems remain attractive targets.
Defenders should not discount older CVEs; instead, they should prioritize based on observed activity, maintain strong asset visibility, and apply compensating controls where remediation is not possible.
In March, Insikt Group® created Nuclei templates for a high-severity path traversal vulnerability in MindsDB (CVE-2026-27483) and a critical missing authentication vulnerability in Nginx UI (CVE-2026-27944). Additionally, Insikt Group® had already published a Nuclei template for CVE-2025-68613 (n8n) in December, prior to its exploitation this month. We also identified public proof-of-concept (PoC) exploits for 10 of the 31 vulnerabilities.
Quick Reference: March 2026 Vulnerability Table
All 31 vulnerabilities below were actively exploited in March 2026. The table below also provides examples of public PoCs identified by Insikt Group®. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.
| # | Vulnerability | Risk Score | Affected Vendor/Product | Vulnerability Type/Component | Public PoC |
|---|---|---|---|---|---|
| 1 | CVE-2026-20131 | 99 | Cisco Secure Firewall Management Center (FMC) | CWE-502 (Deserialization of Untrusted Data) | Yes |
| 2 | CVE-2026-21262 | 99 | Microsoft SQL Server (2016 SP3, 2017, 2019, 2022, 2025) | CWE-284 (Improper Access Control) | No |
| 3 | CVE-2026-26127 | 99 | Microsoft .NET (9.0, 10.0) and Microsoft.Bcl.Memory | CWE-125 (Out-of-bounds Read) | No |
| 4 | CVE-2026-3909 | 99 | Google Skia | CWE-787 (Out-of-bounds Write) | No |
| 5 | CVE-2026-3910 | 99 | Google Chromium V8 | CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) | No |
| 6 | CVE-2026-3564 | 99 | ConnectWise ScreenConnect | CWE-347 (Improper Verification of Cryptographic Signature) | No |
| 7 | CVE-2026-33017 | 99 | Langflow | CWE-94 (Code Injection), CWE-95 (Eval Injection), CWE-306 (Missing Authentication for Critical Function) | Yes |
| 8 | CVE-2026-3055 | 99 | Citrix NetScaler | CWE-125 (Out-of-bounds Read) | Yes |
| 9 | CVE-2026-33634 | 99 | Aquasecurity Trivy | CWE-506 (Embedded Malicious Code) | Yes |
| 10 | CVE-2026-25187 | 94 | Microsoft Windows | CWE-59 (Link Following) | No |
| 11 | CVE-2026-33032 | 94 | Nginx UI | CWE-306 (Missing Authentication for Critical Function) | No |
| 12 | CVE-2026-21385 | 89 | Qualcomm (Multiple Chipsets) | CWE-190 (Integer Overflow or Wraparound) | No |
| 13 | CVE-2025-53521 | 99 | F5 BIG-IP | CWE-121 (Stack-based Buffer Overflow) | No |
Table 1: List of vulnerabilities that were actively exploited in March based on Recorded Future data.
Key Trends: March 2026
- Most commonly observed weaknesses: CWE-502 (Deserialization of Untrusted Data) and CWE-94 (Code Injection).
- Two vulnerabilities and one exploit kit (consisting of 23 exploits, 12 of which are currently associated with specific CVEs) were linked to malware campaigns.
- Interlock Ransomware Group exploited a zero-day in Cisco Secure Firewall Management Center to compromise enterprise networks, deploy custom remote access trojans (RATs), and facilitate ransomware operations.
- Separately, the DarkSword iOS full-chain exploit enabled Safari-based remote code execution (RCE), sandbox escape, and kernel-level...
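The report's advice is to rank remediation by observed exploitation, score, and the availability of public PoCs, and not to discount old CVEs. The script below is an added example of turning Table 1 into that kind of priority queue; it is not Recorded Future's or Insikt Group's code. It assumes the table rows are available as pipe-delimited text (a format chosen for this example), it treats the year in a CVE identifier as a rough proxy for age (identifiers are assigned before disclosure, so this undercounts in some cases), and it sorts by risk score, then puts entries with a public PoC first. It also counts CWE tags across rows so a defender can see which weakness classes dominate a month.

```python
"""Turn a monthly exploited-CVE table into a remediation priority queue.

Added example; not Recorded Future's or Insikt Group's code. Assumes rows are
pipe-delimited text and uses the CVE identifier's year as an age proxy.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: the thirteen rows of Table 1 from this report, one row per
# line, fields separated by "|" so that commas inside product names survive.
TABLE_1 = """\
1|CVE-2026-20131|99|Cisco Secure Firewall Management Center (FMC)|CWE-502 (Deserialization of Untrusted Data)|Yes
2|CVE-2026-21262|99|Microsoft SQL Server (2016 SP3, 2017, 2019, 2022, 2025)|CWE-284 (Improper Access Control)|No
3|CVE-2026-26127|99|Microsoft .NET (9.0, 10.0) and Microsoft.Bcl.Memory|CWE-125 (Out-of-bounds Read)|No
4|CVE-2026-3909|99|Google Skia|CWE-787 (Out-of-bounds Write)|No
5|CVE-2026-3910|99|Google Chromium V8|CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)|No
6|CVE-2026-3564|99|ConnectWise ScreenConnect|CWE-347 (Improper Verification of Cryptographic Signature)|No
7|CVE-2026-33017|99|Langflow|CWE-94 (Code Injection), CWE-95 (Eval Injection), CWE-306 (Missing Authentication for Critical Function)|Yes
8|CVE-2026-3055|99|Citrix NetScaler|CWE-125 (Out-of-bounds Read)|Yes
9|CVE-2026-33634|99|Aquasecurity Trivy|CWE-506 (Embedded Malicious Code)|Yes
10|CVE-2026-25187|94|Microsoft Windows|CWE-59 (Link Following)|No
11|CVE-2026-33032|94|Nginx UI|CWE-306 (Missing Authentication for Critical Function)|No
12|CVE-2026-21385|89|Qualcomm (Multiple Chipsets)|CWE-190 (Integer Overflow or Wraparound)|No
13|CVE-2025-53521|99|F5 BIG-IP|CWE-121 (Stack-based Buffer Overflow)|No
"""

CVE_ID = re.compile(r"^CVE-(\d{4})-\d{4,}$")
CWE_ID = re.compile(r"CWE-\d+")


@dataclass(frozen=True)
class ExploitedCve:
    cve: str
    risk_score: int
    product: str
    weakness: str
    public_poc: bool

    @property
    def cve_year(self) -> int:
        # Year the identifier was assigned: an approximation of how long the
        # issue has been public, not an exact disclosure date.
        return int(CVE_ID.match(self.cve).group(1))


def parse_table(text: str) -> list[ExploitedCve]:
    """Parse pipe-delimited rows, rejecting malformed lines instead of guessing."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        _, cve, score, product, weakness, poc = fields
        if not CVE_ID.match(cve):
            raise ValueError(f"line {lineno}: malformed CVE id {cve!r}")
        if poc.lower() not in ("yes", "no"):
            raise ValueError(f"line {lineno}: Public PoC must be Yes/No, got {poc!r}")
        rows.append(ExploitedCve(cve, int(score), product, weakness, poc.lower() == "yes"))
    return rows


def prioritize(rows: list[ExploitedCve]) -> list[ExploitedCve]:
    """Rank by risk score (high first), then public PoC (present first).

    Every row was exploited in the wild, so exploitation status does not
    separate them. sorted() is stable, so ties keep the table's order.
    """
    return sorted(rows, key=lambda r: (-r.risk_score, not r.public_poc))


def legacy_cves(rows: list[ExploitedCve], report_year: int, min_age_years: int = 2):
    """Identifiers at least min_age_years older than the report: patching gaps."""
    return [r for r in rows if report_year - r.cve_year >= min_age_years]


def weakness_counts(rows: list[ExploitedCve]) -> Counter:
    """Count each CWE once per row; a row may carry several weaknesses."""
    counts: Counter = Counter()
    for r in rows:
        counts.update(set(CWE_ID.findall(r.weakness)))
    return counts


if __name__ == "__main__":
    rows = parse_table(TABLE_1)
    for rank, r in enumerate(prioritize(rows), start=1):
        poc = "PoC" if r.public_poc else "no PoC"
        print(f"{rank:2d}. {r.cve:<15} score={r.risk_score} {poc:<6} {r.product}")
    print("Older identifiers:", [r.cve for r in legacy_cves(rows, 2026, min_age_years=1)])
    print("Weakness counts:", weakness_counts(rows).most_common(3))
```

Run as written, the queue starts with the four Very Critical entries that also have a public PoC (Cisco FMC, Langflow, Citrix NetScaler, Trivy) and ends with the Qualcomm entry; the F5 BIG-IP row is the only identifier from an earlier year in this subset of the table. In a real pipeline the age check is where CVE-2017-7921 would surface, and asset inventory data would be joined in so that rows for products not present in the estate can be dropped before ranking.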