Here are today’s top cybersecurity stories for Wednesday, March 25, 2026.
Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access
Interlock ransomware is actively exploiting CVE-2026-20131 (CVSS 10.0) in Cisco Firewall Management Center, enabling unauthenticated remote code execution as root. Amazon’s MadPot sensor network confirms attackers used the flaw as a zero-day since January 26 — over a month before Cisco’s public disclosure. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on March 19. The Hacker News
FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials
Threat actors are actively abusing FortiGate Next-Generation Firewalls to breach networks and extract LDAP service account credentials and network topology data. The campaign targets healthcare, government, and managed service providers, exploiting recently disclosed CVEs and weak credentials. In one confirmed incident, attackers established persistence as early as November 2025 and returned to extract credentials in February 2026. The Hacker News
TeamPCP Backdoors LiteLLM Python Package in Latest Supply Chain Attack
TeamPCP, the threat group behind earlier supply chain attacks on Trivy and KICS, injected malicious code into LiteLLM versions 1.82.7 and 1.82.8 on PyPI on March 24, 2026. The payload deploys a credential harvester sweeping SSH keys, cloud credentials, and Kubernetes secrets, a Kubernetes lateral movement toolkit, and a persistent systemd backdoor. The compromised packages have been removed from PyPI; LiteLLM is pausing new releases pending a supply-chain audit. The Hacker News
FBI and Europol Seize LeakBase Cybercrime Forum in Operation Leak
International law enforcement from 14 countries seized LeakBase, a 142,000-member forum used to trade stolen credentials and stealer logs, on March 3–4, 2026. Operation Leak included search warrants and arrests across the U.S., Australia, Belgium, Poland, Portugal, Romania, Spain, and the UK, and targeted 37 of the platform’s most active users. The forum domains were redirected to FBI servers; all user data has been preserved for prosecution. The Hacker News | Europol
CISA Flags Actively Exploited n8n RCE Bug as 24,700 Instances Remain Exposed
CISA added CVE-2025-68613 — a critical remote code execution vulnerability in the n8n workflow automation platform — to its Known Exploited Vulnerabilities catalog, with a federal remediation deadline of today, March 25, 2026. The flaw, patched by n8n in December 2025, allows an authenticated attacker to execute arbitrary code on the n8n server. More than 24,700 unpatched instances remain publicly exposed. The Hacker News
CISA Adds Zimbra and SharePoint Flaws to Known Exploited Vulnerabilities Catalog
CISA added CVE-2025-66376, a stored XSS flaw in Zimbra Collaboration Suite actively exploited by a suspected Russian state-sponsored group targeting Ukrainian government entities, and CVE-2026-20963, a deserialization flaw in Microsoft SharePoint enabling remote code execution. Both carry binding federal remediation deadlines. The Hacker News
Citrix Patches Critical NetScaler Flaw Enabling Unauthenticated Memory Leaks
Citrix released security updates for two vulnerabilities in NetScaler ADC and NetScaler Gateway. CVE-2026-3055 (CVSS 9.3) is an out-of-bounds read flaw in SAML IdP configurations, allowing unauthenticated remote attackers to extract sensitive data from appliance memory. CVE-2026-4368 is a race condition causing session mix-up on Gateway and AAA virtual servers. Fixed versions include 14.1-66.59 and 13.1-62.23. The Hacker News
New Torg Grabber Infostealer Targets 728 Cryptocurrency Wallet Extensions
A new infostealer named Torg Grabber targets 850 browser extensions — 728 for cryptocurrency wallets — along with 103 password managers and two-factor authentication tools. The malware spreads through ClickFix attacks, tricking users into executing malicious PowerShell commands via clipboard hijacking. Gen Digital researchers identified 334 unique samples compiled over three months, with new command-and-control servers registered weekly. BleepingComputer
TP-Link Patches Critical Authentication Bypass in Archer NX Router Series
TP-Link patched two vulnerabilities in Archer NX200, NX210, NX500, and NX600 routers. CVE-2025-15517 is a missing-authentication flaw that lets unauthenticated attackers upload firmware and alter device configurations. CVE-2025-15605 is a hardcoded cryptographic key flaw that lets authenticated attackers decrypt, modify, and re-encrypt configuration files. BleepingComputer
ClickFix Campaign Distributes MacSync Infostealer via Fake AI Tool Installers on macOS
A ClickFix campaign is spreading MacSync, a macOS infostealer, through fake installers for popular AI applications. Victims are social-engineered into running malicious terminal commands disguised as installation steps, after which MacSync harvests saved credentials, cookies, cryptocurrency wallet files, and system data. The Hacker News
Stay tuned for today’s in-depth analysis posts.