THE DEEP TAKE

Interlock Ransomware Lived Inside Cisco FMC for 36 Days Before Anyone Knew

CISA ordered federal agencies to patch CVE-2026-20131 in Cisco's Secure Firewall Management Center by last Sunday. The flaw scores a perfect 10.0 CVSS — unauthenticated remote code execution as root via insecure deserialization in the web management interface. That alone would be bad. Here is the part that should keep you up tonight.

Amazon's threat research team found that the Interlock ransomware gang had been exploiting this vulnerability since January 26 — a full 36 days before Cisco published its security bulletin on March 4. Interlock used it to gain root access to FMC appliances, then pivoted laterally into victim networks. Their confirmed victim list already includes DaVita, Kettering Health, Texas Tech University System, and the city of Saint Paul, Minnesota.

Think about what FMC is. It is not some edge application server. It is the console that manages your firewall rules, your network segmentation, your security policies. If an attacker owns FMC, they do not need to bypass your firewall — they rewrite it.

The uncomfortable question: how many security teams ran vulnerability scans against their firewalls but never scanned the management plane? FMC sits in a trusted zone, often with broad network access, and most organizations treat it as infrastructure rather than attack surface. That assumption just cost several large enterprises everything.

If you run Cisco FMC, patch it now. If you already patched it, go back and check whether you were compromised during the 36-day window. And if your security architecture treats management consoles as implicitly trusted — that is the real vulnerability here.

QUICK HITS

Foster City Declares State of Emergency Over Ransomware

A ransomware attack hit Foster City, California on March 19, shutting down all non-emergency public services. The city council declared a formal state of emergency on Monday — holding the vote in person because their network was still down. No Zoom, no remote access, no digital anything. Emergency services stayed operational, but everything else went dark. This is what "ransomware readiness" looks like when it fails: a city of 34,000 people running on paper for a week. If your incident response plan assumes you will have network connectivity to execute it, you do not actually have a plan.

Microsoft Teams Is Now a Vishing Platform

Microsoft published a detailed writeup of a campaign where threat actors impersonated IT support via Teams voice calls, then convinced users to grant remote access through Quick Assist. After two failed attempts, the third employee let them in. From there: malicious website, credential harvesting, payload delivery. The attack required zero technical sophistication — just patience and a convincing voice. If your organization allows external Teams calls from unmanaged accounts and has Quick Assist installed by default, you have handed attackers a turnkey social engineering toolkit. Disable what you do not need.
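The "disable what you do not need" advice above, as an added PowerShell example (not code from the newsletter or from Microsoft): it inventories and removes the Quick Assist capability and Store package from a Windows endpoint, then turns off open federation and consumer-account inbound calls in Teams so that unmanaged accounts cannot ring your users. It assumes local administrator rights for the DISM and Appx parts, the MicrosoftTeams module and a Teams administrator account for the tenant part, and that Quick Assist is present either as a Features on Demand capability or as the Store app; the function names are my own.

```powershell
# Added example, not from the original article. Tested pattern: run the endpoint
# part elevated on the device, the tenant part from an admin workstation.

# --- Endpoint: Quick Assist ships as a Windows capability (Features on Demand)
#     on older builds and as a Store app on newer builds; check both.
function Get-QuickAssistState {
    # Returns the capability object(s); State is Installed or NotPresent
    Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*'
}

function Remove-QuickAssist {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # 1. Features on Demand capability
    foreach ($cap in Get-QuickAssistState) {
        if ($cap.State -eq 'Installed' -and
            $PSCmdlet.ShouldProcess($cap.Name, 'Remove-WindowsCapability')) {
            Remove-WindowsCapability -Online -Name $cap.Name | Out-Null
        }
    }

    # 2. Store version of Quick Assist, installed for any user profile
    $pkg = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist'
    if ($pkg -and $PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove-AppxPackage')) {
        $pkg | Remove-AppxPackage -AllUsers
    }

    # Re-read so the caller can record that the capability is now NotPresent
    Get-QuickAssistState | Select-Object Name, State
}

# --- Tenant: stop unmanaged and consumer Teams accounts from reaching your users
function Disable-TeamsExternalAccess {
    Connect-MicrosoftTeams

    # Block inbound contact from Teams consumer (personal) accounts and disable
    # open federation. If specific partner tenants are required, keep
    # AllowFederatedUsers $true and supply an explicit -AllowedDomains list instead.
    Set-CsTenantFederationConfiguration `
        -AllowFederatedUsers $false `
        -AllowTeamsConsumer $false `
        -AllowTeamsConsumerInbound $false

    # Return the effective settings for the change record
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound
}

# Usage (review with -WhatIf first on a change-controlled estate):
#   Remove-QuickAssist -WhatIf
#   Remove-QuickAssist
#   Disable-TeamsExternalAccess
```

Removing the capability is the blunt option; where the help desk genuinely uses Quick Assist, the narrower control is to keep it installed but block the Teams entry point, since the campaign described above depends on an external caller reaching an employee first.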

PolyShell Exploitation Goes Mass-Scale

Over 50 IP addresses are now actively scanning for PolyShell, a vulnerability in Magento Open Source and Adobe Commerce that has been under mass exploitation since March 19. Attackers are deploying payment skimmers that use WebRTC data channels to exfiltrate stolen card data — a technique specifically designed to bypass traditional network security monitoring. If you run Magento or Adobe Commerce, assume you are being probed right now.

THE NUMBER: 73%

That is the percentage of respondents in the World Economic Forum's Global Cybersecurity Outlook 2026 who reported that they or someone in their network had been personally affected by cyber-enabled fraud over the past year. Not their organization — them, personally. When nearly three-quarters of the global security community cannot keep themselves safe from fraud, it tells you something about the scale of the problem we are dealing with.

Across the DoGood network this week, conversations around management plane security and firewall infrastructure hardening spiked — particularly among mid-market CISOs evaluating their Cisco footprint. More on that Wednesday.

The CXO Brief is powered by the DoGood network — 5,000+ IT leaders sharing what they're actually working on.
