Week in Review
The Deep Take
The Cisco FMC zero-day isn't a patching story. It's a detection story.
Amazon's threat intel team dropped something uncomfortable this week: Interlock ransomware has been exploiting CVE-2026-20131 in Cisco Secure Firewall Management Center since January 26. Cisco didn't disclose it until March 4. That's five weeks of silent root-level access to firewall management planes — no creds needed, no user interaction, just crafted HTTP requests.
Most CISOs I know would have patched after the March 4 advisory and moved on. That's the wrong response. If you're running FMC, the question isn't "did we patch." The question is "what happened between January 26 and March 4 that we didn't see." Interlock was deploying ScreenConnect through the access, which means lateral movement was happening while your team was blind.
The broader point: your threat model probably assumes you'll know about a zero-day within days. This one took five weeks. The next one might take longer. If your detection strategy starts with "wait for the advisory," you don't have a detection strategy.
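One way to start the retrospective hunt described above, as an added example that is not from the newsletter or from Amazon's or Cisco's reporting: flag hosts whose first-ever ScreenConnect execution falls inside the January 26 to March 4 window. The event schema, the host names and the year (inferred from the CVE identifier) are assumptions, and the sample events are constructed.

```python
import json
from datetime import datetime, timezone

# Window from the article: first exploitation to Cisco's advisory.
# Assumption: the year is inferred from the CVE identifier. Extend WINDOW_END
# to your own patch date if you patched after the advisory.
WINDOW_START = datetime(2026, 1, 26, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 4, 23, 59, 59, tzinfo=timezone.utc)
RMM_MARKER = "screenconnect"  # tool the article says was deployed

# Constructed process-creation events; the ts/host/image schema is hypothetical.
SAMPLE_EVENTS = """
{"ts": "2025-11-03T09:12:00Z", "host": "helpdesk-01", "image": "ScreenConnect.ClientService.exe"}
{"ts": "2026-02-02T03:40:00Z", "host": "fin-db-02", "image": "svchost.exe"}
{"ts": "2026-02-02T03:41:00Z", "host": "fin-db-02", "image": "ScreenConnect.ClientService.exe"}
{"ts": "2026-02-10T14:00:00Z", "host": "helpdesk-01", "image": "ScreenConnect.ClientService.exe"}
{"ts": "2026-03-09T08:30:00Z", "host": "web-07", "image": "ScreenConnect.ClientService.exe"}
{"ts": "not-a-timestamp", "host": "broken-01"}
""".splitlines()


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def first_seen_in_window(lines, start=WINDOW_START, end=WINDOW_END):
    """Map host -> first ScreenConnect execution, for hosts whose first
    sighting falls inside the window. Hosts seen earlier are baseline."""
    first_seen = {}
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            ts = parse_ts(event["ts"])
            host, image = event["host"], str(event["image"]).lower()
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed records instead of aborting the hunt
        if RMM_MARKER not in image:
            continue
        if host not in first_seen or ts < first_seen[host]:
            first_seen[host] = ts
    return {h: t for h, t in first_seen.items() if start <= t <= end}


if __name__ == "__main__":
    for host, ts in sorted(first_seen_in_window(SAMPLE_EVENTS).items()):
        print(f"{host}: ScreenConnect first seen {ts.isoformat()}")
```

A host only counts as baseline if your log retention reaches back before January 26; with shorter retention every sighting looks new and needs manual review.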
Quick Hits
67% of CISOs admit they can't see how AI is being used inside their own org.
Pentera's new benchmark surveyed 300 US security leaders. The number that should keep you up: two-thirds have limited-to-no visibility into AI adoption across their company. Shadow AI is shadow IT on steroids — except the attack surface moves faster and the tools to detect it are basically nonexistent. If you haven't had the "where are we actually using AI" conversation with your engineering leads this quarter, you're in the majority. That's not a good thing.
n8n just became a supply chain liability (CVSS 9.9).
CISA added a critical expression injection flaw in the n8n workflow automation platform to the KEV catalog. It gives attackers remote code execution plus access to every API key, OAuth token, and database credential stored in the tool. The uncomfortable question: does your security team even know which internal teams are running n8n? Most don't. Automation tools are the new shadow IT — they sit outside your security perimeter and hold the keys to everything.
The Number: 67%
That's the share of CISOs who told Pentera they have limited-to-no visibility into AI adoption inside their own organization. Shadow AI is shadow IT on steroids — except the attack surface moves faster and the detection tools don't exist yet. If you don't know where AI is running in your environment, you can't secure it. Start with your engineering leads this week.
Across the DoGood network this week, we're seeing a spike in members evaluating exposure management and security automation platforms. More on that Wednesday.
The CXO Brief is powered by the DoGood network — 5,000+ IT leaders sharing what they're actually working on.
