Interlock ransomware exploits a zero‑day flaw in Cisco firewall management infrastructure
Researchers reported that Interlock ransomware exploited CVE-2026-20131 in Cisco Secure Firewall Management Center beginning in late January. The flaw stems from insecure deserialization in the web-based management interface and can allow an unauthenticated remote attacker to execute arbitrary Java code as root on affected devices.
The issue is especially important because FMC operates in a centralized management role for firewall infrastructure, so compromise there can provide both privileged visibility and a launch point for broader intrusion activity. Federal agencies were ordered to patch by March 22, 2026, which reflects the urgency of the risk.
This case shows that attackers are willing to target defensive infrastructure itself rather than ordinary user endpoints, increasing the chances of stealthy persistence and downstream lateral movement inside enterprise environments. Platforms that manage multiple protected assets remain high-value targets because one foothold can influence many systems at once.
Critical ScreenConnect flaw highlights risk of abuse in trusted remote support platforms
CVE-2026-3564 affects ScreenConnect versions before 26.1 and is tied to cryptographic signature verification weaknesses involving ASP.NET machine keys. If those keys are disclosed, an attacker may be able to generate or modify protected values that the ScreenConnect instance accepts as valid, resulting in unauthorized access and unauthorized actions.
The operational significance goes beyond the CVE itself because remote support platforms are highly trusted in MSP and enterprise environments and often hold privileged access into many systems. A weakness in this layer can translate into broad tenant or customer risk, especially for on-premises deployments that are not upgraded promptly.
ConnectWise said cloud customers were moved automatically to the safer version, while on-premises administrators must upgrade to 26.1. Researchers had already observed attempts to abuse disclosed ASP.NET machine key material, which shows real attacker interest in this path even though there was no confirmed in-the-wild exploitation of this specific flaw at publication time.
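As an added illustration (not ConnectWise's or the researchers' code), the sketch below audits an ASP.NET `web.config` for a statically configured `<machineKey>`, the kind of key material that stays valid after a leak, and compares its fingerprint with a defender-maintained list of disclosed keys. The sample configs, key values and the `disclosed_fingerprints` list are constructed assumptions; the page does not say where ScreenConnect keeps its keys.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample configs; the key values are made up for this example.
STATIC_CONFIG = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""
AUTO_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""


def key_fingerprint(value):
    """SHA-256 of the normalized key, so reports never echo the secret itself."""
    return hashlib.sha256(value.strip().upper().encode()).hexdigest()


def audit_machine_key(config_xml, disclosed_fingerprints=frozenset()):
    """Return (attribute, status, short fingerprint) findings for one web.config.

    disclosed_fingerprints is a hypothetical set of SHA-256 fingerprints of
    keys known to be public, maintained by the defender.
    """
    findings = []
    root = ET.fromstring(config_xml)
    # iter() also finds <machineKey> nested under <location> elements.
    for node in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = node.get(attr, "AutoGenerate")
            if value.split(",")[0].strip().lower() == "autogenerate":
                continue  # generated per machine, never written to the file
            fp = key_fingerprint(value)
            status = "DISCLOSED" if fp in disclosed_fingerprints else "STATIC"
            findings.append((attr, status, fp[:12]))
    return findings


if __name__ == "__main__":
    for name, cfg in (("static", STATIC_CONFIG), ("auto", AUTO_CONFIG)):
        print(name, audit_machine_key(cfg))
```

A `STATIC` finding means the key lives in a file that can be copied or leaked and should be rotated on a schedule; a `DISCLOSED` finding means values signed with it can no longer be trusted until the key is replaced.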
Marquis confirms ransomware incident that exposed 672,000 individuals and impacted 74 banks
Marquis Software Solutions disclosed that a 2025 ransomware attack exposed data belonging to 672,075 individuals and disrupted operations at 74 banks in the United States. The company said attackers stole personal and financial data including names, addresses, dates of birth, Social Security numbers, taxpayer IDs and financial account information.
Marquis said the attack was limited to its own systems rather than customer systems, but the downstream impact was still significant because the firm provides marketing, analytics, compliance and CRM services to more than 700 banks, credit unions and mortgage lenders. That makes the incident a strong example of how compromise at a sector-specific provider can ripple across a much wider customer base.
The company linked the intrusion to compromise of a SonicWall firewall, and the broader case has already expanded into legal and class-action exposure. Even when ransomware strikes a service provider rather than a bank directly, the event can still create regulatory, legal and customer-trust fallout across the sector it serves.
Navia incident highlights growing attacker focus on benefits and identity data aggregators
Navia Benefit Solutions disclosed a breach affecting nearly 2.7 million individuals after an unauthorized actor accessed its systems between December 22, 2025, and January 15, 2026. The exposed data may include full names, dates of birth, Social Security numbers, phone numbers, email addresses and benefits-related information tied to FSA, HRA, and COBRA administration.
The incident is operationally important because the company supports more than 10,000 employers and handles highly concentrated identity and benefits data. Even without payment-card or claims data, the combination of identity fields and benefits context is enough to support phishing, impersonation, fraud and social-engineering campaigns against affected individuals.
This breach reinforces a broader pattern: Third-party administrators and HR-benefits processors are attractive targets because they aggregate personal data across many companies in one place. That creates a multiplier effect in which one compromise can generate follow-on risk across thousands of employers and their employees.
Exploitation of patched Microsoft SharePoint vulnerability reinforces risk from delayed remediation
A critical Microsoft SharePoint vulnerability, CVE-2026-49704, which was patched in January, is now being actively exploited in attacks. The flaw affects on-premises SharePoint servers and was added to the Known Exploited Vulnerabilities catalog during the week of March 16–22, 2026.
The issue matters because SharePoint servers often store internal documents, workflows and collaboration data and usually sit in a trusted position inside enterprise environments. Once exploited, they can provide attackers with a foothold for follow-on access, lateral movement or data theft.
This is operationally significant for MSPs and enterprise teams because internet-facing collaboration platforms remain attractive targets after disclosure, especially when organizations delay remediation or overlook older on-premises deployments. Known-exploited status raises the likelihood of opportunistic scanning and attacker interest.






