Here’s a number MSPs need to sit with: 36.
That’s how many days the Interlock ransomware group was exploiting a max-severity vulnerability in Cisco’s Secure Firewall Management Center before Cisco patched it. Thirty-six days of active exploitation, invisible to defenders, while the attackers ran reconnaissance, deployed multiple backdoors, and set up redundant access mechanisms across enterprise networks.
CISA called it. Amazon’s threat intelligence team caught it. Cisco acknowledged it after the fact. Partners found out when the advisory dropped — weeks after their customers’ firewalls were already compromised.
That’s the obvious story. Here’s the one that matters more: once Interlock was inside, they deployed ConnectWise ScreenConnect as a backup persistence mechanism. Not because they hacked it. Because they installed it. On machines they already owned. And it worked. Because ConnectWise ScreenConnect traffic looks like MSP traffic. In most monitored environments, it is MSP traffic.
That detail should rewrite how you think about your toolstack.
The structural problem
MSPs have spent the last decade consolidating around a small number of management platforms — ConnectWise, Kaseya, N-able, Datto. The Kaseya vs. ConnectWise vs. Pax8 wars have dominated the ecosystem, and that concentration creates risk. The logic was sound: standardize, automate, scale. The side effect nobody priced in is that this standardization handed attackers a playbook. They know exactly what tools are running in managed environments. They know how the traffic patterns look. They know which processes are trusted.
Cisco’s CVE-2026-20131 is a CVSS 10.0. Unauthenticated remote code execution as root. That’s not a gap in your security posture — that’s a hole in the foundation. But the firewall bug is the entry point. The toolstack is the persistence layer. Interlock got in through Cisco. They stayed through ScreenConnect.
The distinction matters because most MSP security frameworks are designed to catch intrusions. They’re not designed to catch authorized tools being used by unauthorized people.
What the numbers actually tell you
The latest ScreenConnect CVE only reinforces the pattern. ConnectWise ScreenConnect has appeared in documented ransomware intrusion chains at least three times in the last 18 months. Not because the software has a vulnerability. Because it’s ubiquitous, trusted, and generates traffic that blends with normal managed service operations.
If you’re an MSP running ScreenConnect in 200 customer environments, you have 200 endpoints generating outbound RDP/web traffic that your security tooling has been trained to ignore. Interlock knows that. They’re banking on it.
The same logic applies to any tool with persistent agent installs: RMM software, PSA connectors, backup agents. The footprint that makes managed services operationally viable is the same footprint that makes it hard to distinguish legitimate access from attacker access.
Security has overtaken hardware as the top channel revenue category — which means more MSPs are positioning themselves as security providers. That positioning requires answering a question most of them aren’t ready for: how do you audit your own access for unauthorized use?
The old answer is broken
The standard MSP security story is perimeter-in. You sell the firewall, the endpoint protection, the email security. You patch what you manage. You monitor what you can see.
That model assumed the attacker was outside trying to get in. Interlock demonstrated that attackers are now operating inside the management layer — deploying the same tools, in the same patterns, generating the same traffic signatures. Your perimeter is irrelevant when the attacker has your remote access credentials or can install your remote access software themselves.
The partners running “managed security” without auditing their own tool deployments aren’t selling security. They’re selling the feeling of security. That’s a liability, not a product.
What replaces it
Three things that aren’t optional anymore:
Tool deployment auditing. Every RMM and remote access agent install in your customer environments should be logged, versioned, and anomaly-checked against a baseline. A new ScreenConnect instance on a domain controller that wasn’t provisioned through your platform is an incident. Treat it that way.
Agent-to-agent traffic baselining. Your management tools generate predictable traffic patterns — times of day, destination IPs, frequency. Deviations from that baseline are investigable events. This requires telemetry most MSPs aren’t collecting.
Supply chain access reviews. The Cisco zero-day got Interlock in. But the reason they stayed is that nobody was reviewing which remote access sessions were attributable to known maintenance windows. Quarterly access reviews on management tooling are table stakes for any MSP calling itself a security provider.
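A minimal form of the first and third controls above, as an added example that is not from the original post or from any vendor's tooling: reconcile the ScreenConnect agents observed on endpoints against your own provisioning baseline, and flag remote sessions that cannot be attributed to an approved maintenance window. The inventory, baseline, windows and session records are constructed sample data; in practice they would come from endpoint telemetry, your deployment records and the tool's session audit log.

```python
from datetime import datetime

# Constructed: remote-access agents that endpoint telemetry reports as installed.
OBSERVED_AGENTS = [
    {"host": "DC01", "instance": "inst-7f3a", "installed": "2026-03-02T03:14"},
    {"host": "WS-112", "instance": "inst-19c4", "installed": "2026-01-10T14:02"},
    {"host": "FS02", "instance": "inst-19c4", "installed": "2026-01-11T09:30"},
]
# Constructed: the ScreenConnect instance IDs your own platform provisioned here.
PROVISIONED_INSTANCES = {"inst-19c4"}
# Constructed: approved maintenance windows as (start, end).
MAINTENANCE_WINDOWS = [(datetime(2026, 3, 1, 22, 0), datetime(2026, 3, 2, 2, 0))]
# Constructed: session records, one per line: "timestamp host instance technician".
SESSION_LOG = """\
2026-03-01T23:10 FS02 inst-19c4 tech.alice
2026-03-02T03:20 DC01 inst-7f3a tech.alice
2026-03-03T11:45 WS-112 inst-19c4 tech.bob
"""

def unprovisioned_agents(observed, provisioned):
    """Agents whose instance ID your platform never provisioned: treat each as an incident."""
    return [a for a in observed if a["instance"] not in provisioned]

def parse_sessions(text):
    """Parse the constructed session log into dicts with a datetime timestamp."""
    rows = []
    for line in text.splitlines():
        ts, host, instance, user = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "host": host,
                     "instance": instance, "user": user})
    return rows

def unattributed_sessions(sessions, windows, provisioned):
    """Sessions outside every known window, or riding an unprovisioned instance."""
    flagged = []
    for s in sessions:
        reasons = []
        if s["instance"] not in provisioned:
            reasons.append("unprovisioned instance")
        if not any(start <= s["ts"] <= end for start, end in windows):
            reasons.append("outside maintenance window")
        if reasons:
            flagged.append({**s, "reasons": reasons})
    return flagged

def review(observed=OBSERVED_AGENTS, provisioned=PROVISIONED_INSTANCES,
           windows=MAINTENANCE_WINDOWS, log=SESSION_LOG):
    """Run both checks; the result is the starting point for a quarterly access review."""
    return {"unprovisioned_agents": unprovisioned_agents(observed, provisioned),
            "flagged_sessions": unattributed_sessions(parse_sessions(log), windows, provisioned)}
```

On the constructed data, the DC01 agent is flagged as unprovisioned and two sessions are flagged, one on the unprovisioned instance outside any window and one on a provisioned instance with no matching window.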
None of this is complicated. All of it requires operational discipline that most MSP leaders know they’re missing but haven’t had a concrete reason to prioritize.
Thirty-six days of active exploitation before disclosure is your concrete reason. The Cisco firewall zero-day exploited by Interlock and the Cisco SD-WAN nation-state zero-day show this is a systemic pattern, not an isolated incident. Build the audit before you need to use it.