CyberPulse

Thirty-Six Days Head Start



Amazon Threat Intelligence confirmed that the Interlock ransomware group exploited CVE-2026-20131 (CVSS 10.0) in Cisco Secure Firewall Management Center as a zero-day for 36 days before Cisco's March 4 patch — gaining unauthenticated root access on enterprise firewalls. Amazon's MadPot honeypot network caught the exploitation and a misconfigured server exposed Interlock's complete attack toolkit. This is the second Cisco management plane zero-day confirmed exploited by a different threat actor in three weeks, reinforcing that the network management layer is the highest-value target. Also covered: GlassWorm supply chain campaign returns across GitHub, npm, and VS Code; Apple's first silent Background Security Improvement for a WebKit flaw; and a critical unpatched telnetd RCE vulnerability (CVE-2026-32746, CVSS 9.8).

Links & Resources
  • https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/
  • https://thehackernews.com/2026/03/interlock-ransomware-exploits-cisco-fmc.html
  • https://www.theregister.com/2026/03/18/amazon_cisco_firewall_0_day_ransomware/
  • https://www.bleepingcomputer.com/news/security/interlock-ransomware-exploited-secure-fmc-flaw-in-zero-day-attacks-since-january/
  • https://cybersecuritynews.com/cisco-firewall-0-day-ransomware/
  • https://www.bleepingcomputer.com/news/apple/apple-releases-first-background-security-improvement-update/
  • https://thehackernews.com/2026/03/critical-unpatched-telnetd-flaw.html
  • https://www.bleepingcomputer.com/news/security/glassworm-supply-chain-attack-targets-github-npm-vscode-extensions/

CyberPulse, by Tushar Vartak