CRITICAL 4 min read 19 Mar 2026

Interlock Ransomware & CVE-2026-20131 — 36-Day Zero-Day Exploitation of Cisco FMC

Interlock ransomware exploited a CVSS 10.0 zero-day in Cisco Secure Firewall Management Center (CVE-2026-20131) for 36 days before patching, while Marquis fintech exposed 672,000 records via a SonicWall flaw and RansomHub issued a $50M extortion demand against a major university. CISA's KEV catalogue now includes SharePoint CVE-2026-20963 and Zimbra CVE-2025-66376 following confirmed active exploitation.

Key findings

1. Interlock Ransomware: CVE-2026-20131 Exploited 36 Days Before Cisco Patch (Severity: Critical; Confidence: High)
   Amazon Threat Intelligence (MadPot) confirmed that Interlock ransomware actors exploited CVE-2026-20131 — a CVSS 10.0 unauthenticated remote code execution flaw in Cisco Secure Firewall Management Center — as a zero-day starting 26 January 2026, a full 36 days before Cisco released its patch on 4 March 2026.

2. Marquis Fintech Breach: 672,000+ Records Stolen via SonicWall Flaw (CVE-2026-20079) (Severity: High; Confidence: High)
   Texas-based Marquis, a bank analytics and fintech platform used by hundreds of US financial institutions, disclosed a ransomware breach originating in August 2025.

3. RansomHub: $50 Million Extortion Demand Against Major University (Severity: High; Confidence: Medium)
   RansomHub has claimed responsibility for a $50 million extortion targeting a large, unnamed public university, with a reported 72-hour ransom deadline. The identity of the targeted institution has not been confirmed in primary reporting, though the claim is consistent with RansomHub's established operational pattern of high-value institutional targeting.

4. Medusa Ransomware: $800K Demand and March 20 Deadline for UMMC (Severity: High; Confidence: Medium)
   The Medusa ransomware group has stated an $800,000 ransom demand for the University of Mississippi Medical Center (UMMC), with a hard deadline of 20 March 2026 — tomorrow. UMMC clinics were closed statewide following the initial breach on 19 February 2026.

5. CISA KEV Update: SharePoint CVE-2026-20963 and Zimbra CVE-2025-66376 Added (Severity: High; Confidence: High)
   CISA added two vulnerabilities to its Known Exploited Vulnerabilities catalogue on 18 March 2026, confirming active in-the-wild exploitation. CVE-2026-20963 is a CVSS 8.8 deserialisation remote code execution flaw in Microsoft SharePoint.

6. GNU telnetd CVE-2026-32746: Unauthenticated Root RCE, Unpatched, PoC Public (Severity: Critical; Confidence: High)
   CVE-2026-32746 (CVSS 9.8) in GNU InetUtils telnetd allows unauthenticated remote code execution as root via an out-of-bounds write in the LINEMODE SLC handler.

Interlock Ransomware: CVE-2026-20131 Exploited 36 Days Before Cisco Patch

Confidence: High

Amazon Threat Intelligence (MadPot) confirmed that Interlock ransomware actors exploited CVE-2026-20131 — a CVSS 10.0 unauthenticated remote code execution flaw in Cisco Secure Firewall Management Center — as a zero-day starting 26 January 2026, a full 36 days before Cisco released its patch on 4 March 2026. The vulnerability stems from insecure deserialisation of Java byte streams, allowing an unauthenticated attacker to execute arbitrary code as root on any FMC instance reachable from the internet.

Interlock's operational toolkit was inadvertently exposed via a misconfigured staging server. It includes JavaScript- and Java-based RATs with WebSocket command-and-control, RC4 encryption, and SOCKS5 proxy tunnelling; a PowerShell reconnaissance script staging output to ; and Bash scripts configuring Linux hosts as HAProxy reverse proxies, with 5-minute log erasure cron jobs to hinder forensic recovery. Attribution indicators point to a UTC+3 time zone. The actors are known to pressure victims by citing GDPR and regulatory fine exposure.

Any organisation running Cisco FMC must treat the period from 26 January 2026 onwards as a presumed-breach window and conduct forensic review accordingly.

Marquis Fintech Breach: 672,000+ Records Stolen via SonicWall Flaw (CVE-2026-20079)

Confidence: High

Texas-based Marquis, a bank analytics and fintech platform used by hundreds of US financial institutions, disclosed a ransomware breach originating in August 2025. Attackers exploited a vulnerability in SonicWall cloud backup infrastructure — equivalent to CVE-2026-20079 — to exfiltrate the sensitive personal data of over 672,000 individuals, including Social Security numbers, bank account details, and related financial records.

The seven-month delay between breach and notification has prompted class-action litigation. Financial sector organisations that partner with Marquis should conduct comprehensive third-party risk assessments and validate the patching status of any SonicWall-connected infrastructure.

RansomHub: $50 Million Extortion Demand Against Major University

Confidence: Medium

RansomHub has claimed responsibility for a $50 million extortion targeting a large, unnamed public university, with a reported 72-hour ransom deadline. The identity of the targeted institution has not been confirmed in primary reporting, though the claim is consistent with RansomHub's established operational pattern of high-value institutional targeting. Universities and public-sector organisations should treat this as a signal of sector-wide escalation.

Medusa Ransomware: $800K Demand and March 20 Deadline for UMMC

Confidence: Medium

The Medusa ransomware group has stated an $800,000 ransom demand for the University of Mississippi Medical Center (UMMC), with a hard deadline of 20 March 2026 — tomorrow. UMMC clinics were closed statewide following the initial breach on 19 February 2026. The $800K figure and deadline are widely corroborated across threat intelligence feeds but have not been formally confirmed by UMMC. Healthcare and higher-education organisations should monitor this case for evolving tactics.

CISA KEV Update: SharePoint CVE-2026-20963 and Zimbra CVE-2025-66376 Added

Confidence: High

CISA added two vulnerabilities to its Known Exploited Vulnerabilities catalogue on 18 March 2026, confirming active in-the-wild exploitation. CVE-2026-20963 is a CVSS 8.8 deserialisation remote code execution flaw in Microsoft SharePoint. CVE-2025-66376 is a CVSS 7.2 cross-site scripting vulnerability in Zimbra, exploitable via malicious CSS directives. Both require immediate prioritised patching under CISA's Binding Operational Directive 22-01.

GNU telnetd CVE-2026-32746: Unauthenticated Root RCE, Unpatched, PoC Public

Confidence: High

CVE-2026-32746 (CVSS 9.8) in GNU InetUtils telnetd allows unauthenticated remote code execution as root via an out-of-bounds write in the LINEMODE SLC handler. Critically, the vulnerability is triggered during initial option negotiation — before the login prompt is ever presented — meaning no credentials are required. A public proof-of-concept exploit was released on 18 March 2026. No patch is available; a fix is expected by 1 April 2026.

Organisations should immediately audit exposure on port 23 and isolate or decommission any internet-facing telnetd instances pending the forthcoming patch.

Why This Matters

The 36-day exploitation window for Cisco FMC's CVE-2026-20131 is a benchmark failure case for patch lag risk: a CVSS 10.0 vulnerability was actively weaponised by a ransomware group for over a month whilst defenders had no patch to apply. Combined with a public RCE exploit now available for GNU telnetd (CVE-2026-32746, CVSS 9.8, also unpatched), the current vulnerability landscape demands proactive network segmentation and forensic investigation, not just patch management.

The Marquis breach underscores the systemic risk from fintech third-party supply chains: a single SonicWall flaw in a cloud backup component exposed the personal data of over 672,000 individuals across hundreds of financial institutions. The concurrent ransomware deadlines facing UMMC and an unnamed university confirm that education and healthcare remain primary targets for high-volume, high-pressure extortion operations.

Recommended Actions

  • Cisco FMC: Apply the CVE-2026-20131 patch immediately if not already done. Initiate forensic review covering the period from 26 January 2026 to 4 March 2026. Look for HAProxy relay configurations, RC4-encrypted C2 traffic, and PowerShell staging activity as Interlock IOCs.
  • SharePoint & Zimbra: Prioritise patching CVE-2026-20963 and CVE-2025-66376 under CISA KEV Binding Operational Directive 22-01.
  • GNU telnetd: Audit all internet-facing and network-adjacent hosts for port 23 exposure. Isolate or disable telnetd until CVE-2026-32746 is patched (expected 1 April 2026).
  • Marquis/SonicWall: Financial institutions should request evidence of patching from Marquis and all cloud backup providers. Validate access logs for anomalous exfiltration indicators dating from August 2025.
  • Ransomware readiness: Education and healthcare organisations should review incident response playbooks and ensure offline backup integrity ahead of the UMMC March 20 deadline.
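One concrete check for the Interlock tradecraft described above (short-interval cron jobs that erase logs on Linux hosts repurposed as HAProxy relays) is to sweep crontabs for step-style schedules whose command empties or deletes log files. The following is an added example written for this brief, not code from the page's sources or from any vendor; the crontab lines are constructed, and the regexes are a heuristic that an analyst would extend to the environment's own log paths.

```python
import re
from typing import Dict, List, Optional

# Constructed sample crontab (not from the page or any real incident).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * rm -f /var/log/auth.log /var/log/syslog
*/5 * * * * : > /var/log/haproxy.log
15 * * * * /usr/local/bin/backup.sh
*/10 * * * * truncate -s 0 /var/log/messages
"""

# Commands that delete or empty a file (heuristic, not exhaustive).
WIPE_RE = re.compile(
    r"(\brm\s+-[rf]+|\bshred\b|\btruncate\s+-s\s*0|:\s*>|\bcat\s+/dev/null\s*>)"
)
# Targets that look like log files.
LOG_RE = re.compile(r"/var/log/|\.log\b")
# Minute field of the form */N (run every N minutes).
STEP_RE = re.compile(r"^\*/(\d+)$")


def minute_interval(field: str) -> Optional[int]:
    """Return N for a '*/N' minute field, or None for any other schedule."""
    m = STEP_RE.match(field)
    return int(m.group(1)) if m else None


def find_log_wiping_jobs(crontab: str, max_interval: int = 10) -> List[Dict]:
    """Flag cron entries that wipe log files at most every max_interval minutes.

    The brief reports 5-minute log-erasure jobs; the default window is a little
    wider so small variations of the same tradecraft are still surfaced.
    """
    hits = []
    for lineno, raw in enumerate(crontab.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)          # 5 schedule fields + command
        if len(parts) < 6:
            continue
        interval = minute_interval(parts[0])
        if interval is None or interval > max_interval:
            continue
        command = parts[5]
        if WIPE_RE.search(command) and LOG_RE.search(command):
            hits.append({"line": lineno, "interval_min": interval, "command": command})
    return hits
```

Run it over `crontab -l` output for each user and over `/etc/cron.d/*` on hosts in scope; a hit is a lead for forensic review, not proof of compromise on its own.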

All findings grounded in A13E intelligence sweeps through 04:30 UTC 19 March 2026.
