Increased Scanning for PAN-OS GlobalProtect Vulnerability
Summary
The Interlock ransomware gang has exploited a zero-day RCE vulnerability (CVE-2026-20131) in Cisco’s Secure Firewall Management Center (FMC) software since January 26, 2026, two months before Cisco’s March 4, 2026 patch. The flaw, which enables unauthenticated root-level code execution via the web management interface, was actively exploited against enterprise firewalls until at least mid-March 2026. AWS CISO CJ Moses confirmed the timeline and provided rare operational visibility into Interlock’s post-exploitation activity, including PowerShell-based network enumeration, deployment of custom JavaScript and Java RATs, and a memory-resident webshell used for evasion. The group also installed ConnectWise ScreenConnect as a backup access method. Cisco’s March 4 patch addressed the insecure Java deserialization flaw in the management interface. Interlock’s activity aligns with its broader campaigns against critical infrastructure, including prior links to ClickFix and the NodeSnake malware used against U.K. universities since 2024.
Timeline
- 18.03.2026 18:53 · 2 articles
Interlock ransomware exploits Cisco FMC zero-day since January 2026
AWS CISO CJ Moses confirmed Interlock exploited CVE-2026-20131 since January 26, 2026, enabling unauthenticated root-level Java code execution via Cisco Secure Firewall Management Center (FMC) Software. Post-exploitation, Interlock used PowerShell to enumerate victims' networks and deployed two custom RATs (JavaScript and Java), a memory-resident webshell for evasion, and ConnectWise ScreenConnect as a backup access method. AWS also provided specific IOCs including ServletRequestListener registrations, PowerShell scripts staging data to hostname-based directory structures, TCP connections to high-numbered ports (e.g., 45588), and HAProxy log deletion via cron jobs. Cisco patched the flaw on March 4, 2026.
Sources:
- Ransomware gang exploits Cisco flaw in zero-day attacks since January — www.bleepingcomputer.com — 18.03.2026 18:53
- AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January — www.infosecurity-magazine.com — 19.03.2026 11:50
- 02.10.2025 14:30 · 1 article
Increased Scanning for PAN-OS GlobalProtect Vulnerability
SANS Internet Storm Center observed a significant rise in internet-wide scans targeting the critical PAN-OS GlobalProtect vulnerability (CVE-2024-3400). The scans involve attempts to upload and retrieve files, indicating potential pre-exploit staging activities. This vulnerability allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls. The scans are part of a broader trend of increased cyber activity targeting critical infrastructure and enterprise networks.
Sources:
- ThreatsDay Bulletin: CarPlay Exploit, BYOVD Tactics, SQL C2 Attacks, iCloud Backdoor Demand & More — thehackernews.com — 02.10.2025 14:30
Information Snippets
- SANS Internet Storm Center detected a surge in internet-wide scans targeting the PAN-OS GlobalProtect vulnerability (CVE-2024-3400).
  First reported: 02.10.2025 14:30 (1 source, 1 article). Sources:
- ThreatsDay Bulletin: CarPlay Exploit, BYOVD Tactics, SQL C2 Attacks, iCloud Backdoor Demand & More — thehackernews.com — 02.10.2025 14:30
- The vulnerability allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls.
  First reported: 02.10.2025 14:30 (1 source, 1 article). Sources:
- ThreatsDay Bulletin: CarPlay Exploit, BYOVD Tactics, SQL C2 Attacks, iCloud Backdoor Demand & More — thehackernews.com — 02.10.2025 14:30
- The scans involve attempts to upload and retrieve files, suggesting pre-exploit staging activities.
  First reported: 02.10.2025 14:30 (1 source, 1 article). Sources:
- ThreatsDay Bulletin: CarPlay Exploit, BYOVD Tactics, SQL C2 Attacks, iCloud Backdoor Demand & More — thehackernews.com — 02.10.2025 14:30
- The vulnerability was disclosed last year, highlighting the ongoing risk of unpatched systems.
  First reported: 02.10.2025 14:30 (1 source, 1 article). Sources:
- ThreatsDay Bulletin: CarPlay Exploit, BYOVD Tactics, SQL C2 Attacks, iCloud Backdoor Demand & More — thehackernews.com — 02.10.2025 14:30
- The scans are part of a broader trend of increased cyber activity targeting critical infrastructure and enterprise networks.
  First reported: 02.10.2025 14:30 (1 source, 1 article). Sources:
- ThreatsDay Bulletin: CarPlay Exploit, BYOVD Tactics, SQL C2 Attacks, iCloud Backdoor Demand & More — thehackernews.com — 02.10.2025 14:30
- The Interlock ransomware gang has been exploiting a zero-day remote code execution (RCE) vulnerability in Cisco’s Secure Firewall Management Center (FMC) software (CVE-2026-20131) since January 26, 2026.
  First reported: 18.03.2026 18:53 (2 sources, 2 articles). Sources:
- Ransomware gang exploits Cisco flaw in zero-day attacks since January — www.bleepingcomputer.com — 18.03.2026 18:53
- AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January — www.infosecurity-magazine.com — 19.03.2026 11:50
- Cisco patched CVE-2026-20131 on March 4, 2026, addressing a deserialization flaw enabling unauthenticated Java code execution as root.
  First reported: 18.03.2026 18:53 (2 sources, 2 articles). Sources:
- Ransomware gang exploits Cisco flaw in zero-day attacks since January — www.bleepingcomputer.com — 18.03.2026 18:53
- AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January — www.infosecurity-magazine.com — 19.03.2026 11:50
- Amazon’s threat intelligence team reported that Interlock had been exploiting the flaw in attacks targeting enterprise firewalls for over a month before disclosure.
  First reported: 18.03.2026 18:53 (2 sources, 2 articles). Sources:
- Ransomware gang exploits Cisco flaw in zero-day attacks since January — www.bleepingcomputer.com — 18.03.2026 18:53
- AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January — www.infosecurity-magazine.com — 19.03.2026 11:50
- The flaw involves insecure deserialization of user-supplied Java byte streams, allowing arbitrary code execution via the web-based management interface.
  First reported: 18.03.2026 18:53 (2 sources, 2 articles). Sources:
- Ransomware gang exploits Cisco flaw in zero-day attacks since January — www.bleepingcomputer.com — 18.03.2026 18:53
- AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January — www.infosecurity-magazine.com — 19.03.2026 11:50
- Interlock ransomware has been active since September 2024, previously linked to ClickFix and associated with the NodeSnake remote access trojan targeting U.K. universities.
  First reported: 18.03.2026 18:53 (1 source, 1 article). Sources:
- Ransomware gang exploits Cisco flaw in zero-day attacks since January — www.bleepingcomputer.com — 18.03.2026 18:53
- AWS CISO CJ Moses confirmed that Interlock has exploited CVE-2026-20131, a flaw carrying the maximum CVSS score of 10 that enables unauthenticated root-level Java code execution, since January 26, 2026.
  First reported: 19.03.2026 11:50 (1 source, 1 article). Sources:
- AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January — www.infosecurity-magazine.com — 19.03.2026 11:50
- Interlock used a PowerShell script to enumerate victims' networks after initial access via the zero-day.
  First reported: 19.03.2026 11:50 (1 source, 1 article). Sources:
- AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January — www.infosecurity-magazine.com — 19.03.2026 11:50
- Interlock deployed two custom RATs (JavaScript and Java) and a memory-resident webshell to evade antivirus detection.
  First reported: 19.03.2026 11:50 (1 source, 1 article). Sources:
- AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January — www.infosecurity-magazine.com — 19.03.2026 11:50
- Interlock installed ConnectWise ScreenConnect as a backup access method.
  First reported: 19.03.2026 11:50 (1 source, 1 article). Sources:
- AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January — www.infosecurity-magazine.com — 19.03.2026 11:50
- Interlock's operations included TCP connections to unusual high-numbered ports (e.g., 45588) and HAProxy log deletion via cron jobs.
  First reported: 19.03.2026 11:50 (1 source, 1 article). Sources:
- AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January — www.infosecurity-magazine.com — 19.03.2026 11:50
- AWS provided specific IOCs including ServletRequestListener registrations and PowerShell scripts staging data to hostname-based directory structures.
  First reported: 19.03.2026 11:50 (1 source, 1 article). Sources:
- AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January — www.infosecurity-magazine.com — 19.03.2026 11:50
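Three of the IOC classes reported in the snippets above (HAProxy log deletion via cron jobs, outbound TCP connections to unusual high-numbered ports such as 45588, and PowerShell scripts staging data into hostname-named directories) can be turned into a small hunting script for the host telemetry a defender already collects. The Python below is an added example written for this page, not code from AWS, Cisco or the cited articles. The crontab, socket-table and PowerShell script-block samples are constructed, and the port thresholds and regular expressions are assumptions that a team would tune to its own environment; the ServletRequestListener IOC is not covered here.

```python
"""Hunt for three host-level artifacts attributed to Interlock's FMC intrusions:
cron jobs deleting HAProxy logs, outbound TCP to unusual high ports, and
PowerShell staging into hostname-named directories.

Added example: sample inputs below are constructed, thresholds are assumptions.
"""
import re

EPHEMERAL_MIN = 32768   # assumption: start of the Linux default local ephemeral port range
HIGH_PORT_MIN = 30000   # assumption: remote ports at or above this count as "unusual"

# Constructed crontab (the third line is the suspicious entry)
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * rm -f /var/log/haproxy.log /var/log/haproxy/*.log
30 2 * * 0 /opt/backup/run.sh
"""

# Constructed socket table in "proto local remote state" form (ss/netstat style)
SAMPLE_CONNECTIONS = """\
tcp 10.0.0.5:51234 10.0.0.9:443 ESTAB
tcp 10.0.0.5:48812 203.0.113.7:45588 ESTAB
tcp 10.0.0.5:22 10.0.0.40:60011 ESTAB
tcp 10.0.0.5:39912 198.51.100.3:80 ESTAB
"""

# Constructed PowerShell script-block log excerpts (the second one stages by hostname)
SAMPLE_POWERSHELL = [
    r"Get-ChildItem C:\Users | Out-File C:\Temp\report.txt",
    r'New-Item -ItemType Directory -Path "C:\Windows\Temp\$env:COMPUTERNAME"; '
    r'Get-NetNeighbor | Export-Csv "C:\Windows\Temp\$env:COMPUTERNAME\arp.csv"',
]

# A delete/truncate/shred command, or a shell redirect, aimed at a haproxy*.log path
HAPROXY_LOG_DELETE_RE = re.compile(
    r"(?:\b(?:rm|truncate|shred|unlink)\b[^\n]*|>\s*)\S*haproxy\S*\.log",
    re.IGNORECASE,
)
# Ways a script derives the local hostname for use in a path
HOSTNAME_IN_PATH_RE = re.compile(
    r"\$env:COMPUTERNAME|\$\(hostname\)|\[System\.Net\.Dns\]::GetHostName\(\)",
    re.IGNORECASE,
)
# Cmdlets that create staging directories or write collected data to disk
STAGING_RE = re.compile(
    r"New-Item\b.*-ItemType\s+Directory|\bmkdir\b|\bmd\b|Export-Csv\b|Out-File\b|Compress-Archive\b",
    re.IGNORECASE,
)


def find_haproxy_log_deletion(crontab_text: str) -> list:
    """Return crontab entries whose command removes or truncates HAProxy logs."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)          # five schedule fields, then the command
        if len(fields) < 6:
            continue
        if HAPROXY_LOG_DELETE_RE.search(fields[5]):
            hits.append(line)
    return hits


def parse_connections(text: str) -> list:
    """Parse 'proto local remote state' rows into dicts with integer ports."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        proto, local, remote, state = parts[:4]
        lhost, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        rows.append({"proto": proto, "local_host": lhost, "local_port": int(lport),
                     "remote_host": rhost, "remote_port": int(rport), "state": state})
    return rows


def find_high_port_connections(text: str, high_port_min: int = HIGH_PORT_MIN) -> list:
    """Return outbound TCP connections whose remote port is unusually high.

    A connection is treated as outbound when our local port is ephemeral, which
    keeps inbound sessions (e.g. SSH on 22 from a client's high port) out of the results.
    """
    hits = []
    for c in parse_connections(text):
        outbound = c["local_port"] >= EPHEMERAL_MIN
        if c["proto"] == "tcp" and outbound and c["remote_port"] >= high_port_min:
            hits.append(c)
    return hits


def find_hostname_staging(script_lines: list) -> list:
    """Return script blocks that both derive the hostname and create/write staging data."""
    return [s for s in script_lines if HOSTNAME_IN_PATH_RE.search(s) and STAGING_RE.search(s)]


def run_hunt() -> dict:
    """Run all three checks over the constructed samples."""
    return {
        "haproxy_log_deletion": find_haproxy_log_deletion(SAMPLE_CRONTAB),
        "high_port_connections": find_high_port_connections(SAMPLE_CONNECTIONS),
        "hostname_staging": find_hostname_staging(SAMPLE_POWERSHELL),
    }


if __name__ == "__main__":
    for name, hits in run_hunt().items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

On a real host the crontab text would come from `crontab -l` and the files under `/etc/cron.d`, the socket table from `ss -tn`, and the script blocks from PowerShell script-block logging (Event ID 4104); the outbound heuristic and the 30000 port threshold are deliberately conservative starting points and will need adjusting where services legitimately use high ports.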
Similar Happenings
Interlock ransomware leverages Cisco FMC insecure deserialization zero-day (CVE-2026-20131) for root access
A critical insecure deserialization vulnerability in Cisco Secure Firewall Management Center (FMC) Software, tracked as CVE-2026-20131 (CVSS 10.0), is being actively exploited by the Interlock ransomware group to gain unauthenticated remote root access on unpatched systems. The flaw enables unauthenticated remote attackers to bypass authentication and execute arbitrary Java code with root privileges via crafted HTTP requests to a specific endpoint. Exploitation has been observed as a zero-day since January 26, 2026, more than a month before public disclosure and patch availability. The attack chain includes post-exploitation tooling such as custom JavaScript/Java RATs, PowerShell reconnaissance scripts, Linux reverse proxy configuration tools, memory-resident web shells, and ConnectWise ScreenConnect for persistence. Compromised environments are being leveraged for ransomware operations and secondary monetization.
Critical Authentication Bypass in Cisco Catalyst SD-WAN Exploited Since 2023
A critical authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN has been actively exploited in zero-day attacks since at least 2023. The flaw allows remote attackers to compromise controllers and add malicious rogue peers to targeted networks. The vulnerability stems from a peering authentication mechanism that does not work properly, enabling attackers to log in as high-privileged users and manipulate network configurations. Cisco has released specific software updates to address the issue, and CISA has issued an emergency directive requiring federal agencies to patch affected systems by February 27, 2026. Attackers have been found to leverage the built-in update mechanism to stage a software version downgrade and escalate to the root user by exploiting CVE-2022-20775, and have taken steps to clear evidence of the intrusion by purging logs and command history. Additionally, Cisco has flagged two more Catalyst SD-WAN Manager security flaws (CVE-2026-20128 and CVE-2026-20122) as actively exploited in the wild, urging administrators to upgrade vulnerable devices. CVE-2026-20128 is an information disclosure issue affecting the Data Collection Agent (DCA) feature, allowing an authenticated, local attacker to gain DCA user privileges. CVE-2026-20122 is an arbitrary file overwrite bug affecting the API, allowing a remote, authenticated attacker to overwrite arbitrary files and gain elevated privileges. Cisco Talos has linked the attacks exploiting CVE-2026-20127 to UAT-8616, a highly sophisticated threat actor active since at least 2023. Cisco has also released updates to address two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software: CVE-2026-20079 and CVE-2026-20131.
Exploitation of Network Security Flaws by APT Actors
Multiple network security products, including those from Fortinet, SonicWall, Cisco, and WatchGuard, have been targeted by threat actors exploiting critical vulnerabilities. Cisco's AsyncOS flaw (CVE-2025-20393) is being exploited by a China-nexus APT group, UAT-9686, to deliver malware such as ReverseSSH and AquaPurge. SonicWall's SMA 100 series appliances are also being targeted through a combination of vulnerabilities to achieve unauthenticated remote code execution. These attacks highlight the increasing focus on network security products as entry points for deeper network infiltration.
Critical Fortinet Vulnerabilities: FortiCloud SSO Bypass and FortiClientEMS SQLi Patched
Fortinet has released patches for a **new critical SQL injection vulnerability (CVE-2026-21643, CVSS 9.1)** in FortiClientEMS, which allows unauthenticated attackers to execute arbitrary code via crafted HTTP requests. The flaw affects FortiClientEMS 7.4.4 (fixed in 7.4.5) but does not impact versions 7.2 or 8.0. This follows Fortinet’s recent emergency updates for **CVE-2026-24858**, a critical FortiCloud SSO authentication bypass flaw (CVSS 9.4) actively exploited to create admin accounts, modify firewall configurations, and exfiltrate data. Over 25,000 Fortinet devices with FortiCloud SSO enabled remain exposed, with CISA mandating patches for federal agencies by January 30, 2026. Fortinet has also confirmed that CVE-2026-24858 was exploited via malicious FortiCloud accounts ('[email protected]', '[email protected]') to breach fully patched devices, prompting global SSO restrictions until fixes were deployed. The vulnerabilities stem from improper input validation (SQLi in FortiClientEMS; authentication bypass in FortiCloud SSO) and have been linked to automated attacks since January 15, 2026. Fortinet advises disabling FortiCloud SSO until patches are applied, restricting management interface access, and treating compromised systems as fully breached—requiring credential rotation and configuration restoration from clean backups. Patches for CVE-2026-24858 are available in FortiOS 7.4.11, FortiManager 7.4.10, and FortiAnalyzer 7.4.10, with additional fixes planned for older versions.
Microsoft to Strengthen Entra ID Sign-Ins Against Script Injection Attacks
Microsoft plans to enhance the security of Entra ID authentication by implementing a strengthened Content Security Policy (CSP) starting in mid-to-late October 2026. This update will allow script downloads only from Microsoft-trusted content delivery network domains and inline script execution only from Microsoft-trusted sources during sign-ins. The policy aims to protect users against cross-site scripting (XSS) attacks, where attackers inject malicious code to steal credentials or compromise systems. The update will apply only to browser-based sign-in experiences at URLs beginning with login.microsoftonline.com, excluding Microsoft Entra External ID. Microsoft urges organizations to test sign-in scenarios before the deadline to identify and address dependencies on code-injection tools. IT administrators can review sign-in flows in the browser developer console to identify violations. Enterprise customers are advised to stop using browser extensions and tools that inject code or scripts into sign-in pages before the change takes effect. This move is part of Microsoft's Secure Future Initiative (SFI), launched in November 2023, following a report by the Cyber Safety Review Board of the U.S. Department of Homeland Security. The initiative also includes updates to Microsoft 365 security defaults to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols, and the disabling of all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps. Additionally, Microsoft has expanded its bug bounty program to cover all online services, including third-party and open-source components, if they impact Microsoft online services. The company has paid over $17 million in bounty awards to 344 security researchers over the last 12 months, and another $16.6 million to 343 security researchers during the previous year. 
Microsoft has deployed over 50 new detections in its infrastructure to target high-priority tactics, techniques, and procedures. The adoption of phishing-resistant multi-factor authentication (MFA) for users and devices has hit 99.6%. Microsoft has enforced Mandatory MFA across all services, including for all Azure service users. The company has also introduced Automatic recovery capabilities via Quick Machine Recovery, expanded passkey and Windows Hello support, and improved memory safety in UEFI firmware and drivers by using Rust. Microsoft has migrated 95% of Microsoft Entra ID signing VMs to Azure Confidential Compute and moved 94.3% of Microsoft Entra ID security token validation to its standard identity Software Development Kit (SDK). The company has discontinued the use of Active Directory Federation Services (ADFS) in its productivity environment and decommissioned 560,000 additional unused and aged tenants and 83,000 unused Microsoft Entra ID apps across Microsoft production and productivity environments. Microsoft has advanced threat hunting by centrally tracking 98% of production infrastructure, achieved complete network device inventory and mature asset lifecycle management, and almost entirely locked code signing to production identities. The company has published 1,096 CVEs, including 53 no-action cloud CVEs, and paid out $17 million in bounties. Microsoft plans to introduce smartphone-style app permission prompts in Windows 11 to request user consent before apps can access sensitive resources such as files, cameras, and microphones. The "Windows Baseline Security Mode" and "User Transparency and Consent" changes will prompt for permission when apps try to install unwanted software or access sensitive resources, allowing users to change their choices at any time. 
Baseline Security Mode will enable runtime integrity safeguards by default, ensuring that only properly signed apps, services, and drivers can run, but allowing users and IT administrators to override these safeguards for specific apps when needed.