Three CVEs, One Bad Week: Cisco FMC Zero-Day, SharePoint Exploited, ScreenConnect at Risk

Three critical vulnerabilities are demanding your attention this weekend. One was exploited by ransomware operators before Cisco even issued a patch. Another just landed on CISA's Known Exploited Vulnerabilities list. The third leaves ScreenConnect servers open to session hijacking right now, if you haven't updated.

This is your patch weekend.


CVE-2026-20131: Cisco FMC Zero-Day, Ransomware First

The Interlock ransomware gang was exploiting a critical flaw in Cisco Secure Firewall Management Center (FMC) weeks before Cisco published the fix. That's not a slip — that's a coordinated attack on the window between discovery and disclosure.

Cisco patched CVE-2026-20131 in early March 2026. Amazon's CISO and VP of Security Engineering CJ Moses confirmed the zero-day exploitation publicly this week. The vulnerability sits in the FMC management interface — the thing that controls your firewall estate. If your FMC is internet-accessible or reachable from a compromised network segment, this isn't theoretical.

Interlock has been active since at least mid-2025. They're methodical: they research target environments, identify management plane exposures, then move laterally through the infrastructure they've effectively bought the keys to. FMC access means they can see your firewall rules, your network topology, your policy exceptions. Then they pivot.

What to do: Patch FMC immediately if you haven't. Check your access logs for anomalous management plane activity from before the March patch. If FMC is directly internet-facing, that needs to change regardless of patch status.


CVE-2026-20963: Microsoft SharePoint RCE Now in the Wild

CISA added CVE-2026-20963 to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday. This is a remote code execution flaw in Microsoft SharePoint that Microsoft fixed in January 2026 — which means anyone who hasn't applied January patches is exposed to a now-weaponized exploit.

The KEV catalog is CISA's signal that exploitation is confirmed, active, and not hypothetical. Federal agencies have 21 days to patch. For everyone else, that timeline is a useful benchmark, not a ceiling.

SharePoint continues to be a high-value target because of what lives there: internal documents, project files, credentials embedded in wikis, HR records, M&A materials. RCE on a SharePoint server is rarely the end goal — it's the jumping-off point. Attackers get code execution, then they look for stored credentials, Active Directory connections, or paths to more sensitive systems.

What to do: Apply the January 2026 SharePoint cumulative update if you haven't. Audit who can access your SharePoint externally and whether it needs to be internet-exposed at all. Review SharePoint server logs for unusual process spawning activity.
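One way to run the process-spawning review described above, as an added example that is not part of the original article: it flags child processes of w3wp.exe, the IIS worker process that hosts SharePoint. Field names follow Sysmon Event ID 1; the JSON-lines layout, the sample records, and the HIGH and BASELINE sets are assumptions to adapt to your own telemetry.

```python
import json
import ntpath

# Constructed sample records, shaped like Sysmon Event ID 1 (process creation)
# exported as JSON lines. Accounts, paths and command lines are made up.
SAMPLE_LOG = r"""
{"UtcTime":"2026-03-20 02:14:07","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe","CommandLine":"csc.exe /noconfig @tmp.cmdline","User":"CORP\\sp_apppool"}
{"UtcTime":"2026-03-20 02:31:55","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami","User":"CORP\\sp_apppool"}
{"UtcTime":"2026-03-20 02:32:10","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\whoami.exe","CommandLine":"whoami","User":"CORP\\sp_apppool"}
{"UtcTime":"2026-03-20 02:40:41","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\ProgramData\\svc\\updater.exe","CommandLine":"updater.exe","User":"CORP\\sp_apppool"}
{"UtcTime":"2026-03-20 03:02:00","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe","User":"CORP\\admin"}
"""

WORKER = "w3wp.exe"  # IIS worker process that hosts SharePoint
HIGH = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
        "wscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}
BASELINE = {"csc.exe", "werfault.exe"}  # assumed normal children; tune per farm

def name(path):
    return ntpath.basename(path or "").lower()

def classify(event):
    """Return 'high', 'review' or None for one process-creation record."""
    if name(event.get("ParentImage")) != WORKER:
        return None
    child = name(event.get("Image"))
    if child in HIGH:
        return "high"
    return None if child in BASELINE else "review"

def scan(log_text):
    """Return (severity, time, command line) for each flagged record."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            severity = classify(event)
        except (ValueError, AttributeError):
            findings.append(("unparsed", lineno, line.strip()[:60]))
            continue
        if severity:
            findings.append((severity, event.get("UtcTime"), event.get("CommandLine")))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Records that fail to parse are reported as "unparsed" rather than skipped, so a truncated or tampered export does not silently hide events.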


CVE-2026-3564: ConnectWise ScreenConnect Session Hijacking

ConnectWise patched a critical flaw in ScreenConnect this week — CVE-2026-3564 — that allows attackers to forge trusted authentication by abusing ASP.NET machine keys.

Here's the practical impact: if an attacker knows or can derive your machine key (often leaked through misconfigurations, IIS logs, or prior access), they can forge session tokens and impersonate legitimate users in ScreenConnect. For managed service providers, that means potentially pivoting to every client endpoint the platform touches.

ScreenConnect is deeply embedded in MSP operations. When it's exploited, it's not one company at risk — it's the entire client roster. That's exactly the leverage attackers want.

ConnectWise has pushed updates to cloud-hosted instances. If you're running ScreenConnect on-premises or in your private cloud, you need to apply the patch manually. The company has published guidance, but unpatched servers are actively vulnerable right now.

What to do: Cloud customers — verify your instance is on the latest version. On-premises — patch immediately. Rotate your ASP.NET machine keys as a precaution regardless. Review ScreenConnect audit logs for session activity that doesn't match normal user patterns.


The Bigger Pattern

Three unrelated products. Three critical vulnerabilities. All actively exploited or at high exploitation risk, all disclosed in the same week.

This isn't unusual — Patch Tuesday and the surrounding days tend to compress disclosures — but it's a useful reminder that vulnerability management is a throughput problem. You can't treat every CVE with equal urgency and actually triage effectively. The signal here: management plane tools (FMC, ScreenConnect) and collaboration infrastructure (SharePoint) are priority targets because they offer lateral movement at scale, not just single-machine compromise.

Patch these three. Everything else can wait until Monday.


*CybrPulse tracks thousands of security feeds daily. These CVEs surfaced in our feeds this week with confirmed exploitation signals.*
