smallick
Staff
March 23, 2026

Outbreak Alert: Interlock Ransomware Attack


 

FortiRecon Digital Risk Protection (DRP), a SaaS-based service, includes External Attack Surface Management, Brand Protection, and Adversary Centric Intelligence.

Adversary Centric Intelligence (ACI) leverages FortiGuard Threat Analysis to provide comprehensive coverage of dark web, open-source, and technical threat intelligence, including threat actor insights, enabling organizations to proactively assess risks, respond faster to incidents, better understand their attackers, and guard assets.

The Vulnerability Intelligence Module under Adversary Centric Intelligence (ACI) provides a realistic view of a vulnerability's impact, based on chatter and discussion about it across external sources such as the dark web, social media, news, and blogs.

Adversary Name Interlock ransomware group, Interlock Ransomware, Interlock ransomware operators, Interlock Ransomware Operators, Interlock Ransomware Operator, Interlock ransomware Operators
Exploited Vulnerabilities
  • CVE-2025-8876: N-able N-Central Command Injection Vulnerability
  • CVE-2025-8875: N-able N-Central Insecure Deserialization Vulnerability
  • CVE-2025-8671: A mismatch caused by client-triggered server-sent stream resets between HTTP/2...
  • CVE-2025-8088: RARLAB WinRAR Path Traversal Vulnerability
  • CVE-2025-53786: On April 18th 2025, Microsoft announced Exchange Server Security Changes...
  • CVE-2025-53779: Relative path traversal in Windows Kerberos allows an authorized attacker...
  • CVE-2025-53766: Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker...
  • CVE-2025-50165: Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized...
  • CVE-2025-49712: Deserialization of untrusted data in Microsoft Office SharePoint allows an...
  • CVE-2025-32433: Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability
  • CVE-2025-26633: Microsoft Windows Management Console (MMC) Improper Neutralization Vulnerability
  • CVE-2025-25256: An improper neutralization of special elements used in an OS...
  • CVE-2025-20265: A vulnerability in the RADIUS subsystem implementation of Cisco Secure...
ACI Reporting Coverage 12 (Technical Intelligence), 1 (OSINT)
Additional Reference
  • Have targeted organizations operating in Unknown, Oceania, North America, Europe, Asia, South America.
  • Have targeted organizations within sectors All Sectors, Education, Financial Services, Government, Health Care, Hospitality, Manufacturing, Technology, Not Known, Critical Infrastructure.

 

CVE ID CVE-2025-8876
CVE Title N-able N-Central Command Injection Vulnerability
NVD Severity HIGH
FortiRecon Severity HIGH
FortiRecon Score 78/100
Epss Score 0.07848
Exploited Yes
Exploited by Ransomware Group(s) Yes (RomCom)
Exploited by APT Group(s) No
Included in CISA KEV List Yes
Available working exploit(s) 0
Available POC exploit(s) 1
Darknet Mention(s) 1 (underc0de)
Telegram Mention(s) 0
FortiRecon Intelligence Reporting(s) 8 (OSINT), 1 (Technical Intelligence), 3 (FortiGuard Research)
Vendor Advisory:

 

CVE ID CVE-2025-8875
CVE Title N-able N-Central Insecure Deserialization Vulnerability
NVD Severity HIGH
FortiRecon Severity HIGH
FortiRecon Score 78/100
Epss Score 0.02608
Exploited Yes
Exploited by Ransomware Group(s) Yes (RomCom)
Exploited by APT Group(s) No
Included in CISA KEV List Yes
Available working exploit(s) 0
Available POC exploit(s) 1
Darknet Mention(s) 1 (underc0de)
Telegram Mention(s) 0
FortiRecon Intelligence Reporting(s) 8 (OSINT), 1 (Technical Intelligence), 3 (FortiGuard Research)
Vendor Advisory:

 

CVE ID CVE-2025-8671
CVE Title A mismatch caused by client-triggered server-sent stream resets between HTTP/2...
NVD Severity HIGH
FortiRecon Severity LOW
FortiRecon Score 23/100
Epss Score 0.00538
Exploited No
Exploited by Ransomware Group(s) Yes (RomCom)
Exploited by APT Group(s) No
Included in CISA KEV List No
Available working exploit(s) 0
Available POC exploit(s) 4
Darknet Mention(s) 0
Telegram Mention(s) 0
FortiRecon Intelligence Reporting(s) 4 (OSINT)
Vendor Advisory:

 

CVE ID CVE-2025-8088
CVE Title RARLAB WinRAR Path Traversal Vulnerability
NVD Severity HIGH
FortiRecon Severity CRITICAL
FortiRecon Score 95/100
Epss Score 0.0795
Exploited Yes
Exploited by Ransomware Group(s) Yes (RomCom)
Exploited by APT Group(s) Yes (APT-C-53, Bitter APT Group, UNC4895, Lazarus, Autumn Dragon, RomCom, Gamaredon Group, Amaranth-Dragon, Earth Estries, UNC2970, Amaranth Dragon)
Included in CISA KEV List Yes
Available working exploit(s) 0
Available POC exploit(s) 30
Darknet Mention(s) 10 (exploit, sinister, xss, underc0de, damagelib)
Telegram Mention(s) 1 (DragonForce Malaysia)
FortiRecon Intelligence Reporting(s) 10 (Technical Intelligence), 16 (OSINT), 1 (Darknet), 15 (FortiGuard Research)
Vendor Advisory:

 

CVE ID CVE-2025-53786
CVE Title On April 18th 2025, Microsoft announced Exchange Server Security Changes...
NVD Severity HIGH
FortiRecon Severity LOW
FortiRecon Score 23/100
Epss Score 0.00109
Exploited No
Exploited by Ransomware Group(s) Yes (RomCom)
Exploited by APT Group(s) No
Included in CISA KEV List No
Available working exploit(s) 0
Available POC exploit(s) 1
Darknet Mention(s) 0
Telegram Mention(s) 0
FortiRecon Intelligence Reporting(s) 13 (OSINT), 1 (FortiGuard Research)
Vendor Advisory:

 

CVE ID CVE-2025-53779
CVE Title Relative path traversal in Windows Kerberos allows an authorized attacker...
NVD Severity HIGH
FortiRecon Severity LOW
FortiRecon Score 26/100
Epss Score 0.00453
Exploited No
Exploited by Ransomware Group(s) Yes (RomCom)
Exploited by APT Group(s) No
Included in CISA KEV List No
Available working exploit(s) 0
Available POC exploit(s) 1
Darknet Mention(s) 3 (exploit)
Telegram Mention(s) 0
FortiRecon Intelligence Reporting(s) 14 (OSINT), 1 (Darknet), 2 (FortiGuard Research)
Vendor Advisory:

 

CVE ID CVE-2025-53766
CVE Title Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker...
NVD Severity CRITICAL
FortiRecon Severity LOW
FortiRecon Score 23/100
Epss Score 0.00449
Exploited No
Exploited by Ransomware Group(s) Yes (RomCom)
Exploited by APT Group(s) No
Included in CISA KEV List No
Available working exploit(s) 0
Available POC exploit(s) 2
Darknet Mention(s) 0
Telegram Mention(s) 0
FortiRecon Intelligence Reporting(s) 9 (OSINT)
Vendor Advisory:

 

CVE ID CVE-2025-50165
CVE Title Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized...
NVD Severity CRITICAL
FortiRecon Severity LOW
FortiRecon Score 29/100
Epss Score 0.03877
Exploited No
Exploited by Ransomware Group(s) Yes (RomCom)
Exploited by APT Group(s) No
Included in CISA KEV List No
Available working exploit(s) 0
Available POC exploit(s) 1
Darknet Mention(s) 0
Telegram Mention(s) 0
FortiRecon Intelligence Reporting(s) 9 (OSINT)
Vendor Advisory:

 

CVE ID CVE-2025-49712
CVE Title Deserialization of untrusted data in Microsoft Office SharePoint allows an...
NVD Severity HIGH
FortiRecon Severity LOW
FortiRecon Score 21/100
Epss Score 0.05642
Exploited No
Exploited by Ransomware Group(s) Yes (RomCom)
Exploited by APT Group(s) No
Included in CISA KEV List No
Available working exploit(s) 0
Available POC exploit(s) 0
Darknet Mention(s) 0
Telegram Mention(s) 0
FortiRecon Intelligence Reporting(s) 5 (OSINT)
Vendor Advisory:

 

CVE ID CVE-2025-32433
CVE Title Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability
NVD Severity CRITICAL
FortiRecon Severity CRITICAL
FortiRecon Score 91/100
Epss Score 0.50314
Exploited Yes
Exploited by Ransomware Group(s) Yes (RomCom)
Exploited by APT Group(s) No
Included in CISA KEV List Yes
Available working exploit(s) 0
Available POC exploit(s) 42
Darknet Mention(s) 12 (xss, ramp, exploit)
Telegram Mention(s) 2 (Системный Администратор (Сисадмин), Proxy Bar)
FortiRecon Intelligence Reporting(s) 3 (Darknet), 7 (FortiGuard Research), 14 (OSINT)
Vendor Advisory:

 

CVE ID CVE-2025-26633
CVE Title Microsoft Windows Management Console (MMC) Improper Neutralization Vulnerability
NVD Severity HIGH
FortiRecon Severity HIGH
FortiRecon Score 78/100
Epss Score 0.07822
Exploited Yes
Exploited by Ransomware Group(s) Yes (EncryptHub, RomCom)
Exploited by APT Group(s) Yes (Water Gamayun)
Included in CISA KEV List Yes
Available working exploit(s) 0
Available POC exploit(s) 2
Darknet Mention(s) 2 (bdf, crdclub)
Telegram Mention(s) 0
FortiRecon Intelligence Reporting(s) 9 (OSINT), 4 (Technical Intelligence), 2 (Darknet), 13 (FortiGuard Research)
Vendor Advisory:

 

CVE ID CVE-2025-25256
CVE Title An improper neutralization of special elements used in an OS...
NVD Severity CRITICAL
FortiRecon Severity HIGH
FortiRecon Score 78/100
Epss Score 0.44919
Exploited Yes
Exploited by Ransomware Group(s) Yes (RomCom)
Exploited by APT Group(s) No
Included in CISA KEV List No
Available working exploit(s) 0
Available POC exploit(s) 1
Darknet Mention(s) 1 (underc0de)
Telegram Mention(s) 0
FortiRecon Intelligence Reporting(s) 11 (OSINT), 1 (Technical Intelligence), 5 (FortiGuard Research)
Vendor Advisory:

 

CVE ID CVE-2025-20265
CVE Title A vulnerability in the RADIUS subsystem implementation of Cisco Secure...
NVD Severity CRITICAL
FortiRecon Severity LOW
FortiRecon Score 26/100
Epss Score 0.00225
Exploited No
Exploited by Ransomware Group(s) Yes (RomCom)
Exploited by APT Group(s) No
Included in CISA KEV List No
Available working exploit(s) 0
Available POC exploit(s) 3
Darknet Mention(s) 3 (duty_free, alphv, underc0de)
Telegram Mention(s) 1 (Proxy Bar)
FortiRecon Intelligence Reporting(s) 6 (OSINT)
Vendor Advisory: