“where insecure deserialization of a user-supplied Java byte stream allows threat actors to pass serialized objects into Java object handling without sufficient validation. As a result, an unauthenticated remote threat actor can send a crafted serialized Java object to the manag…”
T1190 Exploit Public-Facing Application
96%
“by Insikt Group®. The full list of reports and detection rules from March is available to customers in the Recorded Future Intelligence Operations Platform. Interlock ransomware group exploits Cisco FMC zero-day (CVE-2026-20131) On March 18, 2026, Amazon Threat Intelligen…”
T1190 Exploit Public-Facing Application
93%
“. Sandbox analysis detected the sample as benign. Based on sandbox and static code analysis, the sample performs the following actions on a victim’s machine: changes the machine’s desktop wallpaper that displays a pornographic image delays execution using the Sleep API funct…”
T1190 Exploit Public-Facing Application
92%
“##c instances via crafted HTTP requests exploiting CVE-2026-20131 to execute arbitrary Java code as root. After gaining access, the threat actors deploy a malicious ELF binary from a staging server at 37[.]27[.]244[.]222 (Intelligence Card) to support follow-on o…”
T1587.004 Exploits
87%
“##ing has lagged. Legacy and unpatched systems remain attractive targets. Defenders should not discount older CVEs; instead, they should prioritize based on observed activity, maintain strong asset visibility, and apply compensating controls where remediation is not possible. In…”
T1588.006 Vulnerabilities
72%
“March 2026 CVE landscape: 31 high-impact vulnerabilities identified, Interlock ransomware group exploits Cisco FMC zero-day In March 2026, Insikt Group® identified 31 high-impact vulnerabilities that should be prioritized for remediation, 29 of which had a very critical re…”
T1587.004 Exploits
66%
“products) CWE-190 (Integer Overflow or Wraparound) No 30 CVE-2023-41974 99 Apple iOS and iPadOS CWE-416 (Use After Free) No 31 CVE-2026-22719 89 Broadcom VMware Aria Operations CWE-77 (Command Injection) No Table 1: List of vulnerabilities that were actively…”
T1588.006 Vulnerabilities
63%
“, or misconfigured assets. Third-party intelligence – gain an external view of the security posture of your vendors and partners. Eliminate time-consuming research and vendor communication cycles with the ability to promptly assess vulnerabilities in their internet-facing s…”
T1588.006 Vulnerabilities
61%
“500 response as an indication that deserialization triggered command execution. The PoC flags HTTP 200 for manual verification because exploitation could succeed without returning visible output. Insikt Group® has not tested this PoC for accuracy or efficacy. Recorded Future cust…”
T1059 Command and Scripting Interpreter
38%
“500 response as an indication that deserialization triggered command execution. The PoC flags HTTP 200 for manual verification because exploitation could succeed without returning visible output. Insikt Group® has not tested this PoC for accuracy or efficacy. Recorded Future cust…”
T1587.004 Exploits
31%
“escape, and kernel-level access, leading to deployment of the ghostknife, ghostsaber, and ghostblade payloads. The Coruna exploit kit similarly compromised iOS devices to deliver the plasmaloader (plasmagrid) malware. 9 of the 31 vulnerabilities (CVE-2026-3910, CVE-202…”
Summary
March 2026 saw a 139% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 31 vulnerabilities requiring immediate remediation, up from 13 in February 2026.