// April 2026
130 articles published this month
cPanel and WHM CVE-2026-41940 — CVSS 9.8 Authentication Bypass Exploited as Zero-Day Before Patch
CVE-2026-41940, a CVSS 9.8 authentication bypass in cPanel and WHM web hosting control panel software, was exploited in the wild before the vendor issued a patch. All versions from 11.40 onwards are affected. Proof-of-concept code is now public. Web hosting providers, managed service providers, and any organisation running cPanel/WHM for server management should apply the emergency patch immediately.
Jenkins GitHub Plugin CVE-2026-42523 — CVSS 9.0 Stored XSS Enables Pipeline Hijacking and Secret Extraction
CVE-2026-42523, rated CVSS 9.0, is a stored cross-site scripting vulnerability in the Jenkins GitHub Plugin 1.46.0 and earlier. Exploitation allows an attacker with job creation rights to inject malicious JavaScript that executes in the browser of any Jenkins administrator who views the affected job — enabling session hijacking, secret extraction, and full pipeline takeover. Update to GitHub Plugin 1.46.1 or later.
Official SAP npm Packages Compromised to Steal Enterprise Developer Credentials
Threat actors compromised official SAP npm packages to insert credential-harvesting code targeting enterprise developers working on SAP integration projects. The malicious packages exfiltrate environment variables, SSH keys, and cloud credentials from developer workstations. Enterprise teams using SAP npm packages in their CI/CD pipelines should audit package integrity and rotate potentially exposed credentials.
Scattered Spider's 'Tylerb' Pleads Guilty — Senior Member Faces 20 Years for $8M SIM Swap and Enterprise Breaches
Tyler Robert Buchanan, 24, known online as 'Tylerb', has pleaded guilty to wire fraud conspiracy and aggravated identity theft for his role in Scattered Spider's 2022 SMS phishing and SIM-swapping campaign that breached Twilio, LastPass, DoorDash, Cloudflare, and at least 130 other organisations. The guilty plea represents a significant law enforcement milestone against the English-language cybercrime group responsible for the MGM and Caesars casino breaches.
Wazuh SIEM/XDR Platform CVE-2026-30893 — CVSS 9.0 Remote Code Execution in Enterprise SOC Infrastructure
CVE-2026-30893, rated CVSS 9.0, is a remote code execution vulnerability in the Wazuh open-source security platform affecting versions 4.x and later. Wazuh is widely deployed as a SIEM, XDR, and compliance platform in enterprise SOC environments. Compromising the Wazuh manager means compromising your security monitoring backbone — patch to 4.11.2 immediately.
WordPress Redirect Plugin Carried Dormant Backdoor for Three Years Before Activation
Researchers have uncovered a dormant backdoor in a widely-installed WordPress redirect management plugin that remained inactive for approximately three years before being activated by the attackers. The backdoor, present across an estimated 200,000+ active installations, highlights the long-game threat of supply chain compromise in the WordPress plugin ecosystem and the limits of periodic security scanning.
Apache Thrift 0.23.0 Patches Out-of-Bounds Read (CVE-2026-41604) and Node.js Uncontrolled Recursion DoS (CVE-2026-41636)
Apache Thrift 0.23.0 addresses two vulnerabilities: CVE-2026-41604, an out-of-bounds read in the binary protocol parser affecting all language bindings that can crash Thrift-based services and potentially leak memory contents; and CVE-2026-41636, an uncontrolled recursion flaw in the Node.js library that enables remote denial of service via deeply nested Thrift structures. Organisations operating Thrift-based microservices or inter-service RPC should upgrade to 0.23.0.
CISA KEV Additions: Windows Shell Spoofing CVE-2026-32202 and Cisco SD-WAN Sensitive File Exposure CVE-2026-20133
CISA's late-April Known Exploited Vulnerabilities additions include a Windows Shell protection mechanism failure under active exploitation and a Cisco Catalyst SD-WAN Manager flaw allowing unauthenticated access to sensitive OS files. Federal agencies face a May 12 remediation deadline for CVE-2026-32202; enterprise organisations should treat both additions as confirmation of active threat actor interest and patch accordingly.
D-Link DIR-823X Command Injection CVE-2025-29635 Added to CISA KEV — Mirai Botnet Exploiting Actively
CVE-2025-29635, an authenticated command injection in D-Link DIR-823X routers, has been added to CISA's Known Exploited Vulnerabilities catalogue following an active Mirai botnet campaign documented by Akamai. CVSS 7.2 understates the real risk: D-Link DIR-823X reached end of life, meaning no patch will be issued. Organisations with these routers must replace them. Federal deadline: May 19, 2026.
CISA ICS Advisory: Milesight AIOT Cameras Carry Five CVEs Including CVSS 9.8 Hard-Coded SSL Key Flaw
CISA advisory ICSA-26-113-03 covers five vulnerabilities across 18-plus Milesight AIOT camera model families, including a CVSS 9.8 flaw where all devices share a hard-coded factory SSL private key that cannot be changed. An attacker with the key — which is extractable from any unit — can conduct undetectable man-in-the-middle attacks against the entire deployed fleet. Organisations using Milesight cameras in operational technology or physical security environments should isolate these devices immediately.
Spring AI CVE-2026-40978 and CVE-2026-40967 — SQL Injection and Filter Expression Injection in RAG Vector Store Components
Two injection vulnerabilities in Spring AI's vector store integration layer affect AI applications using retrieval-augmented generation pipelines. CVE-2026-40978 (CVSS 8.8) allows SQL injection through the CosmosDB vector store component; CVE-2026-40967 (CVSS 8.6) enables filter expression injection in the FilterExpressionConverter used across multiple backends. Both flaws affect Spring AI 1.0.x and 1.1.x and are patched in 1.1.5.
Spring Boot 4.0 CVE-2026-40976 — Default Security Misconfiguration Exposes All Actuator Endpoints Unauthenticated
CVE-2026-40976 in Spring Boot 4.0.0 through 4.0.5 allows unauthenticated network access to all Spring Boot Actuator management endpoints when applications rely on the default Spring Security auto-configuration but omit the spring-boot-health dependency. Exposed endpoints include heapdump, env, mappings, and loggers — enough to extract secrets and manipulate application behaviour. Upgrade to Spring Boot 4.0.6 or later.
AI Agents Can Autonomously Compromise Cloud Infrastructure With Minimal Human Oversight, Research Finds
New academic research demonstrates that AI agents equipped with common cloud security tools can autonomously identify, chain, and exploit misconfigurations in production-like cloud environments — achieving lateral movement, privilege escalation, and data exfiltration in multi-step attack sequences without human guidance. The findings have direct implications for red team methodologies, cloud security posture management, and the adversarial use of AI-assisted attack tooling.
SentinelLabs Uncovers Fast16 — NSA-Linked OT Sabotage Malware Active Five Years Before Stuxnet
SentinelLabs has published research identifying Fast16, a Lua-based OT sabotage framework compiled in 2005 that predates Stuxnet and is attributed to a US intelligence-linked operation targeting Iranian high-precision calculation software. The discovery rewrites the timeline of state-sponsored ICS sabotage and provides new technical context for understanding the development of destructive OT malware.
FTC: Americans Lost $2.1 Billion to Social Media Scams in 2025 — AI-Enhanced Fraud Doubles Investment Losses
The US Federal Trade Commission's annual consumer fraud report records $2.1 billion in social media scam losses in 2025, a 47% increase from 2024 driven by AI-generated deepfake impersonations, synthetic romance fraud accounts, and AI-personalised investment scam targeting. Investment scams account for 53% of losses at $1.1 billion. The report carries compliance implications for organisations under FTC Section 5 and EU AI Act Article 50 transparency obligations.
Hugging Face LeRobot CVE-2026-25874 — Critical Unpatched RCE via Pickle Deserialization in Unauthenticated gRPC Endpoint
A critical unpatched remote code execution vulnerability in Hugging Face's LeRobot robotics AI framework allows unauthenticated attackers to execute arbitrary code on any server running the gRPC control interface. CVE-2026-25874, rated CVSS 9.3, affects the project's dataset loading and remote control pipeline via Python pickle deserialization. No patch is available; mitigations focus on network isolation.
Medtronic Confirms Data Breach — ShinyHunters Claims 9 Million Medical Device Patient Records Stolen
Medtronic, the world's largest medical device manufacturer, has confirmed a data breach after the ShinyHunters threat actor claimed to have stolen nine million patient records. The breach includes patient names, device serial numbers, implant dates, clinic details, and in some cases diagnostic data from cardiac, diabetes, and spinal device programmes across 150 countries. Regulatory notifications under HIPAA, GDPR, and MDR are expected.
Rituals Cosmetics Discloses Data Breach — Up to 40 Million My Rituals Members' PII Potentially Exposed
Amsterdam-based luxury cosmetics brand Rituals has disclosed a breach of its My Rituals membership platform affecting potentially up to 40 million registered members across its 1,170-plus retail locations in 37 countries. Exposed data includes names, contact details, date of birth, gender, and purchase history. The breach carries significant GDPR obligations as Rituals is headquartered in the EU.
Silk Typhoon Operator Xu Zewei Extradited to US — First MSS Shanghai Bureau Hacker Held Accountable
Xu Zewei, a hacker attributed to the MSS Shanghai Bureau and the Silk Typhoon (formerly Hafnium) APT group, has been extradited from Italy to face US federal charges relating to the theft of COVID-19 vaccine research, defence contractor IP, and financial sector data via Exchange Server zero-days. The extradition marks the first successful prosecution of a Silk Typhoon operator and sends a direct signal to MSS-affiliated cyber operators.
Azure Arc Windows Agent CVE-2026-26117 Lets Low-Privilege Users Escalate to SYSTEM and Seize Cloud-Managed Identity
CVE-2026-26117, a local privilege escalation flaw in the Azure Arc Connected Machine Agent for Windows, allows any domain user on a managed host to escalate to SYSTEM and inherit the host's Azure managed identity — granting access to all Azure resources the machine identity can reach. Microsoft rated the flaw CVSS 7.8; patch immediately given Arc's growing enterprise footprint.
Itron Smart Grid Giant Discloses Internal IT Breach via SEC Filing — Critical Infrastructure Supplier Affected
Itron, the world's largest smart meter and grid management vendor, has disclosed a breach of its internal IT network in an SEC 8-K filing. Attackers accessed systems supporting grid data analytics and workforce management. No operational technology networks were confirmed compromised, but the supplier-to-utility trust relationship demands immediate third-party risk assessment.
Linux Kernel nf_tables Use-After-Free CVE-2026-23231 Enables Privilege Escalation on Most Distributions
A use-after-free vulnerability in the Linux kernel's nf_tables netfilter subsystem allows a local attacker to escalate privileges to root on unpatched systems. CVE-2026-23231 affects kernels 5.14 through 6.9 and most major distributions including RHEL 9, Ubuntu 22.04/24.04, Debian 12, and SLES 15. Stable kernel patches are available and distribution security teams are issuing advisories.
Microsoft Entra Agent ID Role Misconfiguration Enabled Full Tenant Takeover via Service Principal Hijack
A flaw in Microsoft Entra's Agent ID role assignment model allowed an attacker with low-level Entra access to hijack privileged service principals and achieve full tenant administrator rights. Microsoft silently patched the issue on April 9; organisations with agentic AI workloads or automation service accounts should audit role bindings immediately.
NIST Halts NVD Enrichment for Lowest-Priority CVEs as Submission Volume Surges 263% — Vulnerability Management Impact
NIST has announced it will no longer provide full CVSS scoring, CPE matching, and CWE classification for the lowest-priority tier of CVE submissions in the NVD. The change, driven by a 263% surge in annual CVE volumes since 2024, means thousands of CVE records will remain in an unenriched 'DEFERRED' state — with no CVSS score, no affected product mapping, and no severity rating. Enterprise vulnerability management programmes that rely on NVD as their authoritative source must adapt their workflows immediately.
OpenSSH 10.3 Patches Shell Metacharacter Injection CVE-2026-35386 in Non-Default scp Configurations
OpenSSH 10.3, released April 26, addresses CVE-2026-35386, a shell metacharacter injection flaw in the scp client that can result in unintended remote command execution when transferring files from attacker-controlled servers. While exploitation requires non-default configuration, scp is still widely used in automated backup and deployment pipelines and should be updated promptly.
SAP April 2026 Patch Day: CVE-2026-34256 ABAP Code-Overwrite Lets Authenticated Attacker Sabotage Core ERP Functions
SAP's April 2026 Security Patch Day includes a fix for CVE-2026-34256, an ABAP code-overwrite vulnerability rated CVSS 7.1 that allows an authenticated attacker with low-privilege access to modify executable ABAP programme objects, potentially corrupting core business logic in SAP ERP, S/4HANA, and BW systems. The flaw requires no special administrative roles and affects all SAP NetWeaver ABAP Server releases through the current patched version.
APT28 Operation Masquerade: GRU Hijacked 18,000 Routers to Steal Microsoft 365 OAuth Tokens
Russia's GRU Unit 26165 operated an 18,000-router DNS hijacking network targeting Microsoft 365 OAuth tokens across 120 countries. The US DOJ's Operation Masquerade dismantled US-based infrastructure on April 7 2026, but the global campaign continues. Organisations should audit DNS resolver settings, revoke OAuth sessions, and enforce Conditional Access for remote users.
DPRK's Sapphire Sleet Backdoors Axios npm Package: 100 Million Weekly Downloads at Risk
North Korea's Sapphire Sleet compromised an axios npm maintainer account on March 31, publishing backdoored versions 1.14.1 and 0.30.4 that delivered a cross-platform RAT during a three-hour exposure window. Axios has approximately 100 million weekly downloads. CISA issued Advisory AA26-110A on April 20 — organisations that ran npm installs during the window should treat their CI/CD pipeline as compromised and rotate all secrets immediately.
CanisterSprawl: Self-Propagating npm Worm Steals Developer Credentials and Re-Infects Package Ecosystems
Researchers discovered CanisterSprawl, a self-propagating npm supply chain worm attributed to TeamPCP that compromised at least 16 packages including pgserve and @automagik/genie. A postinstall hook harvests npm tokens, cloud credentials, SSH keys, and AI tool configs, exfiltrating to a blockchain canister before using stolen tokens to inject the worm into every other package owned by the compromised developer. Organisations should audit postinstall scripts and rotate all credentials from affected development environments.
CVE-2026-6074: Unauthenticated Path Traversal in Intrado 911 Emergency Gateway Threatens PSAP Call Routing
CISA ICS advisory ICSA-26-113-06 discloses CVE-2026-6074, a CVSS 9.1 path traversal flaw in Intrado 911 Emergency Gateway versions 5.x–7.x that allows unauthenticated network access to read, write, and delete arbitrary files on the management interface. Exploitation could modify 911 call routing rules or disable emergency call processing. Intrado patched on March 2 2026 and is directly contacting affected PSAP operators.
France Titres (ANTS) Breach Exposes 11.7 Million Citizens' Identity Records
France's national secure-ID document agency confirmed a breach affecting 11.7 million citizens — roughly one in five residents — after threat actor 'breach3d' claimed to have exfiltrated records including names, dates of birth, addresses, email addresses, and phone numbers. CNIL, ANSSI, and the Paris Public Prosecutor have been notified. Organisations operating in France face elevated customer account fraud and social engineering risk from the compromised data.
Germany BKA Identifies REvil and GandCrab Leader 'UNKN' as Russian National Daniil Shchukin
Germany's federal criminal police (BKA) publicly attributed the REvil and GandCrab ransomware-as-a-service platforms to 31-year-old Russian national Daniil Shchukin, holding him responsible for 130+ attacks in Germany causing over €35 million in economic damage. Shchukin operates from Krasnodar and remains beyond extradition reach, but the attribution breaks the historical anonymity of top-tier RaaS operators and may precede US OFAC sanctions.
Microsoft Issues Emergency Patch KB5091157 After April Updates Crash Domain Controllers
Microsoft's April 2026 Patch Tuesday updates triggered LSASS crash-reboot loops on non-Global Catalogue domain controllers in PAM-enabled deployments and forced some Windows Server 2025 systems into BitLocker recovery mode. Emergency out-of-band updates were released April 19 for all affected Server versions. Immediate installation is required — affected DCs cause complete authentication outages across their domains.
ADT Confirms Customer Data Breach After ShinyHunters Vishing Attack on Help Desk
ADT, the US home and business security monitoring provider, has confirmed a data breach after ShinyHunters used voice phishing to social-engineer a support employee into granting access to customer management systems. Names, phone numbers, and account data were exfiltrated. The incident underlines how thoroughly attackers have made help desk social engineering a standard tool.
CISA Adds Four Exploited Flaws to KEV — SimpleHelp RMT and Samsung MagicINFO Head New Additions
CISA's Known Exploited Vulnerabilities catalogue has grown by four entries including critical flaws in SimpleHelp remote management tooling and Samsung's MagicINFO digital signage platform. Federal agencies face a May 2026 remediation deadline. Enterprise operators of RMM tools and display infrastructure should treat these as urgent.
Critical Flaw in CrowdStrike Falcon LogScale and High-Severity Nessus Bug Patched — Security Tooling Vulnerabilities Demand Rapid Response
CrowdStrike has patched a critical SSRF vulnerability in Falcon LogScale, its SIEM and log management platform, while Tenable has addressed a privilege escalation flaw in Nessus. Security tooling vulnerabilities are among the most consequential: a compromised SIEM or vulnerability scanner has privileged visibility across the entire environment it monitors.
FIRESTARTER Backdoor Persists on Cisco Firepower Devices After Patching — Federal Agency Confirmed Victim
A joint CISA and NCSC advisory reveals FIRESTARTER, a sophisticated backdoor implanted on Cisco FTD and ASA firewalls that survives firmware updates and reimaging. At least one US federal agency is a confirmed victim. Defenders must verify device integrity rather than assume patching closed the access.
LMDeploy RCE Vulnerability CVE-2026-33626 Weaponised in the Wild 13 Hours After Disclosure
A critical remote code execution flaw in LMDeploy, a widely used LLM inference serving framework, was exploited in active attacks just 13 hours after public disclosure. Organisations running self-hosted AI inference infrastructure must treat these platforms with the same urgency as any internet-exposed web application server — because attackers already do.
Microsoft Entra Passkeys Rolling Out to All Windows Devices — Phishing-Resistant MFA Now Generally Available
Microsoft has begun rolling out Entra passkey support to managed, unmanaged, and shared Windows devices, with general availability set for mid-June 2026. Passkeys close the credential-phishing gap that conventional passwords, SMS codes, and TOTP leave open, and enterprise deployment is now achievable at scale through existing Conditional Access policies.
Tropic Trooper APT Delivers AdaptixC2 via Trojanised SumatraPDF Installer and GitHub C2 Relay
The Chinese APT group Tropic Trooper has been observed deploying the AdaptixC2 post-exploitation framework through a malicious SumatraPDF installer distributed from a convincing lookalike site. Command-and-control communications are routed through GitHub's REST API, blending malicious traffic with the high-volume legitimate developer activity that most enterprises whitelist.
Azure IoT Central Privilege Escalation via Sensitive Data Exposure — CVSS 9.9
A CVSS 9.9 privilege escalation vulnerability in Azure IoT Central exposes sensitive platform data allowing authenticated low-privilege attackers to gain administrative control. April 2026 Patch Tuesday addressed the flaw — audit IoT Central role assignments and rotate provisioning credentials now.
CISA Adds Quest KACE (CVSS 10.0), Kentico Xperience, and Zimbra ZCS to Known Exploited Vulnerabilities — Federal Deadline May 4
CISA's April 2026 KEV additions include a CVSS 10.0 unauthenticated SQL injection in Quest KACE Systems Management Appliance, active exploitation of Kentico Xperience CMS, and Zimbra Collaboration Suite vulnerabilities. Federal agencies have a May 4 remediation deadline; enterprise organisations should treat confirmed KEV additions as indicators of active attacker tooling and prioritise these systems immediately.
26 Fake Crypto Wallet Apps Found on Apple App Store Harvesting Mnemonic Seed Phrases
Researchers have discovered 26 malicious applications that bypassed Apple's App Store review and actively harvest cryptocurrency wallet seed phrases from victims. Users who installed any suspect app should rotate all wallet credentials immediately — mnemonic phrase compromise results in permanent, irreversible asset loss.
KTransformers AI Inference Framework Exposes Unauthenticated RCE via Pickle Deserialization — CVSS 9.8
CVE-2026-26210 is a CVSS 9.8 pre-authentication RCE in KTransformers, a popular AI inference acceleration framework. The scheduler's ZMQ ROUTER socket binds to all interfaces with no authentication and deserialises arbitrary pickle payloads — any network-reachable host can execute code on the inference server.
Microsoft Bing Remote Code Execution via Deserialization — CVSS 10.0 Patch Now
A critical CVSS 10.0 unauthenticated RCE vulnerability in Microsoft Bing allows attackers to execute arbitrary code over the network via unsafe deserialization. Patched in April 2026 Patch Tuesday — update immediately.
Microsoft Entra ID Entitlement Management SSRF (CVE-2026-35431, CVSS 10.0) — Cloud IAM Attack Surface Disclosed Before Silent Server-Side Fix
A perfect-score SSRF vulnerability in Microsoft Entra ID Entitlement Management allowed unauthenticated network-accessible exploitation of Microsoft's cloud identity governance platform. Microsoft patched it server-side with no customer action required, but the disclosure surfaces a structural question enterprise security teams need to answer: how do you monitor for exploitation of a vulnerability in infrastructure you don't control?
NASA OIG: Chinese Spear-Phishing Campaign Targeted Defence Software Over Four Years
A newly released NASA OIG report details a sustained Chinese spear-phishing operation by Song Wu that targeted NASA, DoD contractors, and universities to steal defence software source code. The campaign ran from 2017 to 2021 — a defence supply chain IP theft template that remains relevant today.
SAP BPC SQL Injection (CVE-2026-27681, CVSS 9.9) Gives Low-Privilege Users Full Access to Financial ERP Data
A near-perfect CVSS 9.9 SQL injection vulnerability in SAP Business Planning and Consolidation and BW/4HANA allows any authenticated user with standard access to read, modify, and delete financial consolidation data. SAP patched the flaw in its April 2026 Security Patch Day; organisations should treat unpatched SAP financial systems as having their financial data integrity at risk from any internal user with SAP credentials.
CISA Advisory: TPM 2.0 Out-of-Bounds Read in Siemens SIMATIC Industrial PCs (CVE-2025-2884)
CISA advisory ICSA-26-111-01 covers a TPM 2.0 out-of-bounds read vulnerability in Siemens SIMATIC CN 4100, Field PG M5/M6, and IPC BX series industrial computers. The flaw enables information disclosure or denial of service against the hardware root of trust, with direct implications for Secure Boot integrity and the trusted execution environment of industrial control systems.
TeamPCP Supply Chain Campaign Expands to npm and Docker Hub — Bitwarden CLI and Checkmarx KICS Both Backdoored
The TeamPCP supply chain threat group has extended its campaign beyond GitHub Actions and PyPI to poison the @bitwarden/cli npm package and overwrite Checkmarx KICS Docker images and VS Code extensions. The campaign now spans four developer distribution channels across six weeks, deploying a self-propagating worm that exfiltrates SSH keys, cloud credentials, and MCP configuration files from compromised developer environments.
UNC6692 Abuses Microsoft Teams to Deliver SNOW Malware via IT Help Desk Vishing
Threat actor UNC6692 is impersonating IT help desk staff via Microsoft Teams to socially engineer victims into installing SNOW malware. The campaign exploits trusted internal communication channels where detection tooling is typically absent — immediate Teams external access policy review is recommended.
Wormable Windows TCP/IP Race Condition RCE (CVE-2026-33827) — IPv6-Enabled Networks Face EternalBlue-Class Propagation Risk
A race condition in the Windows TCP/IP stack allows unauthenticated remote code execution against systems with IPv6 or IPSec enabled, demonstrated at Pwn2Own 2026 and patched in April's Patch Tuesday. The vulnerability's wormable characteristics — no user interaction, no authentication, network-adjacent propagation — place it in the same risk category as EternalBlue for environments that have not applied the April update.
BeigeBurrow: New Go-Based Covert C2 Agent Deployed via Active Directory RCE CVE-2026-33826
A previously undocumented post-exploitation tool named BeigeBurrow has been observed in at least two enterprise intrusions following exploitation of the Windows Active Directory RCE CVE-2026-33826. The Go-based agent uses HashiCorp's Yamux library to multiplex covert relay channels over port 443, blending into encrypted enterprise traffic. CVE-2026-33826 was patched in April Patch Tuesday; organisations that have not yet applied the patch should treat it as urgent.
Seized Gentlemen Ransomware C2 Server Exposes 1,570 Victims — GPO Deployment Reveals Full Domain Compromise
Check Point Research's analysis of a seized SystemBC command-and-control server linked to The Gentlemen ransomware operation exposed 1,570+ victim IP addresses and documented the group's use of Group Policy Objects to deploy ransomware domain-wide. GPO-based distribution is a forensic marker that attackers achieved Domain Admin access days before encryption — defenders should treat it as an indicator of extended dwell time, not a starting point.
Sanctioned Russian Crypto Exchange Grinex Shut Down After $13.74M Hack — Blames Western Intelligence
Grinex, a cryptocurrency exchange linked to the sanctioned Garantex operation, suspended all services after attackers drained $13.74 million in a targeted April 15 incident. The exchange blamed 'hostile state intelligence agencies,' pointing to the attack's technical sophistication. Elliptic and Chainalysis analysts have traced the funds but stop short of confirming attribution. The shutdown removes a significant node in Russia's sanctions-evasion infrastructure.
Kyber Ransomware Deploys Dual Windows and VMware ESXi Variants — Claims Post-Quantum Encryption
A new ransomware operation named Kyber is targeting enterprise Windows servers and VMware ESXi infrastructure with two distinct variants analysed by Rapid7. The Windows variant written in Rust implements genuine Kyber1024 post-quantum key encapsulation; the ESXi variant falsely markets the same capability while using ChaCha8 and RSA-4096. Both variants share Tor-based ransom infrastructure and have been deployed simultaneously on the same networks.
Marimo AI Notebook RCE CVE-2026-39987 Exploited at Scale — 662 Events in Three Days, NKAbuse Malware Deployed
CVE-2026-39987 (CVSS 9.3) in the Marimo Python notebook has been weaponised at scale, with Sysdig recording 662 exploitation events over three days and attackers completing credential theft within minutes of gaining access. The unauthenticated WebSocket RCE is being used to deploy NKAbuse, a multi-platform malware using the NKN peer-to-peer network for command and control. Upgrade to Marimo 0.23.0 immediately.
Anthropic's Claude Mythos AI Discovers Thousands of Zero-Days Across Every Major OS — Project Glasswing Offers Private Access
Anthropic's specialised vulnerability-hunting AI, Claude Mythos, has systematically discovered thousands of zero-day vulnerabilities across Windows, macOS, Linux, and major browsers — including a 17-year-old NFS RCE in FreeBSD and a 27-year-old OpenBSD denial-of-service. Project Glasswing provides private early access to Microsoft, Google, Apple, and select others. The implications for enterprise risk governance are immediate.
Microsoft Issues Emergency Patch for ASP.NET Core DataProtection Key Exposure — CVE-2026-40372
A critical security regression in Microsoft.AspNetCore.DataProtection (CVSS 9.1) introduced in .NET 10.0.0 causes encryption keys to leak on Linux deployments. Applications using cookie authentication, anti-forgery tokens, or TempData are at immediate risk. Update to .NET 10.0.7 now.
Cohere Terrarium AI Sandbox Escape — CVSS 9.3 WebAssembly Flaw Allows Root Code Execution on Host
CVE-2026-5752 (CVSS 9.3) in Cohere Terrarium allows an attacker to escape the Pyodide WebAssembly sandbox via JavaScript prototype chain traversal, achieving root code execution on the host Node.js process. Organisations running AI code execution environments should patch immediately and network-isolate these workloads.
Everest Ransomware Claims Citizens Bank Breach — 380 GB Including 250,000 SSNs and 3.4 Million Records
The Everest ransomware group claims to have stolen 380 GB of Citizens Bank customer data via a third-party vendor, including 250,000 Social Security Numbers and 3.4 million banking records. Citizens attributes the breach to a vendor, not its core systems — but regulatory notification obligations apply regardless.
Google Antigravity AI Coding Assistant Had Two Chained Vulnerabilities — Prompt Injection to RCE and Reinstall-Surviving Backdoor
Mindgard researchers discovered two vulnerabilities in Google's Antigravity AI coding assistant: a prompt injection via the find_by_name tool that bypasses Strict Mode to achieve code execution, and a persistent backdoor via workspace trust that survives reinstallation of the IDE extension. Google has patched both; update immediately and audit workspace trust settings.
ShinyHunters Claims Breaches at Zara, Carnival, and 7-Eleven — Extortion Deadline Set
Prolific threat actor ShinyHunters posted simultaneous claims of data theft from Inditex/Zara, Carnival Corporation, and 7-Eleven on dark web forums on 21 April, threatening to publish stolen datasets. None of the companies has confirmed the breaches. Given ShinyHunters' track record, claims should be treated as credible pending investigation.
CISA Adds Eight CVEs to KEV: PaperCut, JetBrains TeamCity, and Cisco SD-WAN Actively Exploited
CISA's April 20 Known Exploited Vulnerabilities addition is the largest single-day batch this month, confirming active exploitation across enterprise print management, CI/CD pipelines, content management, and Cisco SD-WAN infrastructure. The batch spans CVE publication years from 2023 to 2026, demonstrating that unpatched legacy vulnerabilities continue to be weaponised alongside newly disclosed flaws. Federal agencies face a BOD 22-01 remediation deadline, and private sector organisations should treat these as immediate prioritisation signals.
Four Critical Cisco Flaws: Webex SSO User Impersonation (CVSS 9.8) and ISE Root Code Execution (CVSS 9.9)
Cisco patched four critical vulnerabilities across Webex Services and Identity Services Engine. CVE-2026-20184 allows unauthenticated attackers to impersonate any Webex user via crafted SSO tokens. Three ISE flaws at CVSS 9.9 let read-only admins execute arbitrary commands as root. Webex deployments with SSO require urgent manual action — Cisco's cloud fix is not sufficient without administrator intervention.
Public Exploit Released for Critical FortiSandbox RCE (CVE-2026-39808, CVSS 9.1) — Unauthenticated Root Access
A public proof-of-concept exploit has been released for CVE-2026-39808, a critical OS command injection vulnerability in Fortinet FortiSandbox that allows unauthenticated attackers to execute arbitrary commands as root via a single HTTP request. A companion authentication bypass flaw (CVE-2026-39813) affects the same versions. Patch to FortiSandbox 4.4.9 or 5.0.6 immediately.
Two Unpatched Windows Defender Zero-Days (RedSun + UnDefend) Actively Exploited — No Fix Available
A security researcher released two additional Windows Defender zero-days — RedSun and UnDefend — after Microsoft failed to patch them. RedSun exploits Defender's cloud file rollback mechanism to achieve SYSTEM privileges on all supported Windows versions. UnDefend silently prevents Defender from updating its threat signatures. Both are confirmed exploited in the wild, and neither has a patch or assigned CVE.
Vercel Confirms Breach via Compromised AI Tool — Developer Environment Variables and Credentials Exposed
Cloud deployment platform Vercel has confirmed a breach traced to a Lumma infostealer infection at Context.ai, a third-party AI tool used by a Vercel employee. Attackers used the stolen Google Workspace OAuth access to reach Vercel's internal environments, exposing environment variables and a limited set of customer credentials. ShinyHunters is claiming responsibility and demanding $2 million for the stolen data.
McGraw Hill Confirms 13.5 Million Account Breach After ShinyHunters Exploits Salesforce Misconfiguration
Education publisher McGraw Hill has confirmed a data breach affecting 13.5 million accounts after the ShinyHunters cybercriminal group threatened to publish 45 million Salesforce records. The breach stemmed from a misconfiguration within Salesforce's environment — one McGraw Hill acknowledges is part of a broader issue affecting multiple organisations. Over 100GB of data has been publicly released.
Payouts King Ransomware Deploys Hidden QEMU VMs to Blind Endpoint Security — New EDR Evasion Technique
The Payouts King ransomware operation, linked to former BlackBasta affiliates, has introduced a novel EDR bypass: deploying a legitimate QEMU virtual machine running Alpine Linux on compromised Windows hosts. Because endpoint security agents cannot inspect inside the VM, attackers operate the full intrusion — credential theft, lateral movement, and data exfiltration — completely invisible to host-level detection.
Five-Year-Old ShowDoc RCE Flaw CVE-2025-0520 (CVSS 9.4) Now Under Active Exploitation — Over 2,000 Instances Exposed
Threat actors are actively exploiting CVE-2025-0520, a critical unauthenticated remote code execution vulnerability in ShowDoc — an IT documentation tool used by developers and operations teams. The flaw, patched in October 2020 but present in thousands of unupgraded installations, allows file upload exploitation to deploy web shells. More than 2,000 publicly accessible ShowDoc instances remain vulnerable.
April Patch Tuesday Bug Crashes LSASS on PAM-Enabled Domain Controllers — No Fix Yet
KB5082063, Microsoft's April 2026 cumulative update, is causing LSASS to crash on non-Global Catalog domain controllers in Privileged Access Management environments, triggering unrecoverable reboot loops that take down Active Directory authentication. Microsoft has confirmed the issue across all Windows Server versions from 2016 to 2025 and is developing a corrected update, but none is available yet.
CISA Confirms Active Exploitation of Windows Task Host Privilege Escalation CVE-2025-60710 — Four Public Exploits Available
A link-following flaw in the Windows Host Process for Tasks allows any local user to escalate to SYSTEM privileges. Patched in November 2025, CVE-2025-60710 has been confirmed as actively exploited — CISA added it to the Known Exploited Vulnerabilities catalogue on 13 April with a 27 April federal deadline. Four public proof-of-concept exploits are now freely available on GitHub.
NIST Ends Full NVD Enrichment — What It Means for Your Vulnerability Management Programme
NIST has announced it will no longer enrich every CVE record in the National Vulnerability Database, shifting to a risk-based model that prioritises only the most critical submissions. With CVE volumes up 263% since 2020 and the NVD backlog now officially unresolvable, security teams that rely on NVD CVSS scores and CPE data for vulnerability prioritisation must urgently adapt their tooling and workflows.
Standard Bank Breach: 1.2TB of Client Data — Including Credit Card Details — Published Online
A threat actor claiming to have spent three weeks inside Standard Bank's network has published approximately 1.2TB of stolen data online, including client names, national identity numbers, account details, and a subset of credit card numbers. One of Africa's largest banks, Standard Bank operates across more than 20 countries and holds significant international exposure. The double-extortion attack pattern and lessons for database-layer monitoring are directly relevant to financial services defenders globally.
CVE-2026-33826: Windows Active Directory RCE via Crafted RPC Calls — Patch Now
A critical remote code execution flaw in Windows Active Directory allows any authenticated domain user to execute arbitrary code on domain controllers and other AD-joined servers by sending specially crafted RPC calls. Rated CVSS 8.0 and assessed by Microsoft as 'Exploitation More Likely', CVE-2026-33826 poses a serious lateral-movement and domain-compromise risk for every Windows Server environment. The April 2026 Patch Tuesday update provides the only full remediation.
CVE-2026-33824: Critical Windows IKE Service RCE Demands Urgent Patching
A CVSS 9.8 double-free vulnerability in the Windows Internet Key Exchange service allows unauthenticated remote attackers to achieve SYSTEM-level code execution on all supported Windows versions. With no user interaction required and confirmation of pre-patch exploitation, every unpatched Windows host with IKEv2 enabled is at immediate risk. Apply the April 2026 Patch Tuesday update or block UDP ports 500 and 4500 immediately.
CVE-2026-5194: Critical wolfSSL Flaw Enables Certificate Forgery Across 5 Billion Devices
A critical cryptographic validation flaw in wolfSSL, a lightweight TLS library embedded in billions of IoT devices, routers, industrial control systems, and automotive components, allows attackers to present forged X.509 certificates that pass signature verification without a legitimate private key. The vulnerability enables man-in-the-middle attacks and authentication bypass across an enormous installed base. wolfSSL version 5.9.1, released 8 April 2026, provides the fix.
nginx-ui CVE-2026-33032 Actively Exploited — Unauthenticated Full Server Takeover
A critical authentication bypass vulnerability (CVSS 9.8) in the nginx-ui web management interface allows any network attacker to take complete control of the underlying Nginx server without credentials. Over 2,600 instances are internet-exposed and the flaw is being actively exploited. Update to version 2.3.4 immediately.
OpenSSH 10.3 Patches CVE-2026-35385 — SCP Privilege Escalation via Setuid Bit Preservation
OpenSSH 10.3 fixes CVE-2026-35385 (CVSS 7.5), a privilege escalation flaw in the legacy SCP protocol where files downloaded as root without the -p flag may retain their setuid or setgid bits. Any Linux or macOS system with OpenSSH prior to 10.3 and a workflow involving scp downloads as root is affected.
ShinyHunters Leaks 78.6M Rockstar Records — The Real Story Is Anodot's Access
ShinyHunters has released 78.6 million records stolen from Rockstar Games, following the company's refusal to pay a ransom by the April 14 deadline. The breach did not involve Rockstar's own systems: attackers compromised Anodot, a third-party SaaS analytics vendor with direct access to Rockstar's Snowflake data warehouse. No player records were exposed, but the incident illustrates the persistent enterprise risk of SaaS vendor data access.
Microsoft Closes APT29's Favourite Phishing Door With New RDP File Protections
The April 2026 Windows update introduces mandatory security warnings and redirections-blocked-by-default for RDP connection files, directly countering the technique used by APT29 and other threat actors to silently redirect local drives and harvest credentials. Organisations using Windows 10 and 11 should confirm the KB is deployed.
Google Patches Fourth Chrome Zero-Day of 2026 — CVE-2026-5281 Use-After-Free in WebGPU
Google has patched CVE-2026-5281, a use-after-free vulnerability in Chrome's Dawn WebGPU implementation that is being actively exploited in the wild. This is the fourth Chrome zero-day exploited in attacks in 2026. CISA added it to the KEV catalogue on 1 April with a deadline of 15 April for federal agencies. Update to Chrome 146.0.7680.177/178.
Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Actively Exploited — Emergency Hotfix Available
A pre-authentication remote code execution zero-day in Fortinet FortiClient Enterprise Management Server (CVE-2026-35616, CVSS 9.1) has been under active exploitation since 31 March 2026, ahead of Fortinet's advisory. CISA added it to the KEV catalogue on 6 April with a federal deadline of 9 April. An emergency hotfix is available without requiring system downtime.
Microsoft April 2026 Patch Tuesday: 167 Flaws Patched Including Two Zero-Days
Microsoft's April 2026 Patch Tuesday addresses 167 vulnerabilities, including an actively exploited SharePoint spoofing zero-day (CVE-2026-32201) and a publicly disclosed Defender elevation-of-privilege flaw. Eight Critical-rated vulnerabilities include a CVSS 9.8 IKE RCE and a Critical Active Directory RCE assessed as exploitation more likely.
North Korea's UNC4736 Spent Six Months Infiltrating Drift Protocol Before Stealing $285 Million
North Korean state hackers (UNC4736/AppleJeus) executed a meticulously planned six-month social engineering operation against Drift Protocol, culminating in a $285 million theft from the Solana DeFi platform on 1 April 2026. The attack leveraged fabricated tokens and pre-signed transactions to hand attackers admin control — the largest DeFi exploit of 2026 and the second-largest in Solana's history.
Basic-Fit Breach Exposes Personal and Bank Data of One Million European Gym Members
Dutch fitness chain Basic-Fit has disclosed a data breach affecting approximately one million members across six European countries, with bank account details among the compromised data. The breach targeted the company's visit-tracking system, exposing names, contact details, dates of birth, and banking information. GDPR notifications have been filed.
Linux Kernel Netfilter Vulnerability Batch: CVE-2026-31414 and Cluster Require Prompt Patching
A cluster of Linux kernel vulnerabilities in the netfilter subsystem — led by CVE-2026-31414 — has been patched across stable kernel branches, affecting versions 6.1 through 6.10. The flaws span NULL pointer dereferences and connection tracking weaknesses that can cause privilege escalation or denial of service. Enterprise Linux distributions are releasing updates; unmanaged servers and container hosts running custom kernel builds require manual attention.
CISA Flags SharePoint Zero-Day CVE-2026-32201 as Actively Exploited — Patch Arrives Tomorrow
CISA has added CVE-2026-32201, a Microsoft SharePoint Server spoofing vulnerability under active exploitation, to the KEV catalogue with a 28 April remediation deadline. The timing is unusual: Microsoft has not yet released a patch as of this alert, with the fix expected in tomorrow's Patch Tuesday release. Organisations must decide whether to implement mitigations today or accept overnight exposure until the patch lands.
Adobe Acrobat Reader Zero-Day CVE-2026-34621 Exploited for Four Months Before Patch
Adobe has released an emergency patch for CVE-2026-34621, a prototype pollution vulnerability in Acrobat Reader that has been actively exploited since at least November 2025. Opening a crafted PDF triggers JavaScript execution that fingerprints the victim's system and can deploy RCE and sandbox escape payloads. CISA added the CVE to the KEV catalogue the same day, requiring federal agencies to patch by 27 April.
CISA Adds Seven CVEs to KEV Including Decade-Old Microsoft Bugs Exploited by Storm-1175
CISA has added seven vulnerabilities to the Known Exploited Vulnerabilities catalogue, including four Microsoft flaws spanning from 2012 to 2025 being actively leveraged by the Storm-1175 ransomware group. The additions highlight a persistent patching blind spot: vulnerabilities patched years ago that never made it into legacy system maintenance cycles, now routinely weaponised for initial access and privilege escalation.
FBI and Indonesian Police Dismantle W3LL Phishing Platform Behind $20M in MFA-Bypass Fraud
The FBI Atlanta Field Office and Indonesia's National Police have dismantled the W3LL phishing-as-a-service platform, arresting its alleged developer and seizing domains used in a global credential-theft and MFA-bypass operation. W3LL targeted over 17,000 victims in Microsoft 365 environments, capturing not just passwords but session tokens that allowed attackers to bypass multi-factor authentication.
Booking.com Breach Exposes Reservation Data — Phishing Wave Follows
Booking.com has disclosed unauthorised access to customer reservation data including names, contact details, and booking information. No payment data was taken, but the exposed reservation details create a high-quality dataset for targeted travel-themed phishing campaigns. Reservation PINs have been reset across affected bookings.
Second Critical FortiClient EMS Flaw in a Month: CVE-2026-21643 Pre-Auth SQL Injection Exposed
Bishop Fox has published full technical details of CVE-2026-21643, a CVSS 9.8 pre-authentication SQL injection in Fortinet FortiClient EMS 7.4.4 that enables unauthenticated remote code execution. The flaw is distinct from last week's CVE-2026-35616 and affects a different version — organisations that patched for CVE-2026-35616 by upgrading to 7.4.5 or 7.4.6 may now be running a version vulnerable to the newer access control flaw.
CISA Adds Ivanti EPMM CVE-2026-1340 to KEV — Federal Patch Deadline Today
CISA has added CVE-2026-1340, a critical unauthenticated remote code execution flaw in Ivanti Endpoint Manager Mobile, to the Known Exploited Vulnerabilities catalogue with a federal agency deadline of 11 April. The vulnerability chains with CVE-2026-1281 to enable full appliance takeover and has been actively exploited since January 2026. All organisations running Ivanti EPMM on-premises must patch immediately.
NIS2 Moves From Grace Period to Enforcement — Germany's BSI Registration Deadline Is Now
Eighteen months after the NIS2 transposition deadline, EU member states are moving from legislative implementation to active supervisory enforcement. Germany's BSI has set April 2026 as the registration deadline for essential and important entities under the national NIS2 implementation (NIS2UmsuCG). Organisations still treating NIS2 as a future requirement face immediate regulatory exposure as national competent authorities begin audit and penalty activity.
Apache ActiveMQ CVE-2026-34197: 13-Year-Old Jolokia API Flaw Enables Unauthenticated RCE
A critical unauthenticated remote code execution vulnerability in Apache ActiveMQ's Jolokia management API allows attackers to execute arbitrary OS commands by invoking a management MBean. CVE-2026-34197 roots in a design flaw present since ActiveMQ 5.x and chains dangerously with CVE-2024-32114. Patches are available in ActiveMQ 6.2.3 and 5.19.4.
BlueHammer Windows LPE Zero-Day Gives Attackers SYSTEM Access — No Patch Available
A publicly disclosed zero-day local privilege escalation vulnerability in Windows Defender's signature-update mechanism allows any authenticated user to escalate to SYSTEM. Named BlueHammer by researchers at Cyderes, the flaw has a working public exploit and no Microsoft patch as of publication. Security teams should implement interim mitigations immediately.
CIRCIA Final Rule Expected May 2026: What Critical Infrastructure Operators Must Do Now
CISA is expected to publish the long-awaited CIRCIA final rule in May 2026, mandating 72-hour cyber incident reporting and 24-hour ransomware payment reporting for critical infrastructure sectors. With weeks remaining, organisations that have not started preparing face significant compliance and legal exposure when the rule takes effect.
CISA Supplemental Direction ED 26-03: How to Hunt for Compromise in Cisco Catalyst SD-WAN
CISA has issued supplemental hunt-and-hardening guidance for Cisco Catalyst SD-WAN systems under Emergency Directive 26-03, providing defenders with specific indicators to look for in environments exposed to CVE-2026-20127 — a CVSS 10.0 authentication bypass exploited since 2023. Organisations running Cisco SD-WAN infrastructure should treat this guidance as a mandatory compromise assessment checklist.
NSA's January 2027 PQC Deadline Is Nine Months Away — Enterprise Migration Is Now Mandatory
With NIST's post-quantum cryptography standards finalised and the NSA's CNSA 2.0 deadline requiring all new National Security System acquisitions to be quantum-resistant by January 2027, the migration window for enterprise and federal contractor environments is closing fast. Most organisations have yet to inventory their cryptographic assets, let alone begin migration.
AI-Powered Device Code Phishing Bypasses MFA at Hundreds of Organisations
A sophisticated phishing campaign is abusing the OAuth device authorisation flow to hijack Microsoft 365 access tokens while victims complete entirely genuine MFA challenges. Hundreds of organisations have been compromised. FIDO2 passkeys block this attack; push notifications, TOTP, and SMS codes do not. Organisations should block the device code grant in Conditional Access immediately.
DPRK's Contagious Interview Campaign Spreads 1,700+ Malicious Packages Across Five Ecosystems
North Korea's UNC1069 (BlueNoroff) threat group has expanded its Contagious Interview supply chain operation to five package registries — npm, PyPI, Go Modules, crates.io, and Packagist — publishing more than 1,700 malicious packages that deliver a cross-platform infostealer and RAT. The operation is the largest coordinated open-source supply chain attack attributed to a nation-state actor.
World Leaks Exposes 7.7TB of LAPD Records After City Attorney's Discovery Tool Breach
Extortion group World Leaks has published more than 337,000 sensitive LAPD files — including officer personnel records, Internal Affairs investigations, and witness medical information — after breaching a third-party legal discovery transfer tool used by the Los Angeles City Attorney's Office. The incident illustrates how legal and compliance workflows that touch sensitive data are increasingly targeted as a softer entry point than agency systems themselves.
Palo Alto PAN-OS CVE-2026-3197: SAML Auth Bypass Under Mass Exploitation by Nation-State Actors
A critical SAML authentication bypass in Palo Alto Networks PAN-OS GlobalProtect allows unauthenticated remote attackers to gain administrative firewall access. CVE-2026-3197 chains with a command injection flaw to achieve root-level OS execution and is being exploited by at least three distinct threat actor clusters including a China-nexus nation-state group. CISA has added it to the KEV catalogue.
Secure Boot Certificates Expire June 2026 — Enterprise Action Window Is Now
Microsoft's 2011 Secure Boot signing certificates expire on 26 June 2026, with the Windows bootloader certificate following in October. Organisations that fail to apply firmware and OS updates before these deadlines lose the ability to receive boot-level security fixes and risk UEFI bootkit exposure. Microsoft has begun displaying warnings in Windows Security app in April 2026, but the update process requires OEM firmware coordination that takes weeks.
ShinyHunters Breach Anodot SaaS Integrator, Steal Snowflake Customer Data via Harvested Tokens
The ShinyHunters threat group breached Anodot, an AI analytics platform used to integrate with Snowflake cloud data warehouses, and stole authentication tokens that enabled downstream data theft from over a dozen Snowflake customer environments. The attack is a textbook fourth-party risk incident: the direct target was not the victim organisations' systems but a trusted third-party integration layer.
Citrix NetScaler CVE-2026-3055 Actively Exploited — CISA Orders Patch by 2 April
A critical unauthenticated memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway is being actively exploited in the wild, with CISA adding it to the Known Exploited Vulnerabilities catalogue. Appliances configured as SAML Identity Providers are leaking sensitive memory contents including session tokens via a crafted SAML request.
DPRK-Linked Hackers Steal $285 Million from Drift Protocol in Six-Month Social Engineering Operation
North Korean threat actors attributed to UNC4736 (Citrine Sleet/AppleJeus) stole $285 million from Solana-based Drift Protocol after a six-month infiltration campaign combining social engineering of multisig signers with a novel durable nonce pre-signing technique. The incident reveals social engineering tactics directly transferable to enterprise environments.
Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Actively Exploited — Apply Emergency Hotfix Now
A critical pre-authentication API bypass in Fortinet FortiClient EMS (CVSS 9.1) is being actively exploited in the wild, with CISA adding the vulnerability to its Known Exploited Vulnerabilities catalogue on 6 April. Organisations running FortiClient EMS 7.4.5 or 7.4.6 must apply the emergency hotfix immediately — FCEB agencies faced a remediation deadline of 9 April.
Iranian-Affiliated Hackers Target US Water, Energy and Government Facilities via Internet-Exposed PLCs
A joint advisory from CISA, FBI, NSA, and the Department of Energy warns that Iranian-affiliated APT actors have been compromising internet-facing programmable logic controllers at water utilities, energy facilities and local government sites since at least March 2026. Operators should treat any internet-exposed OT device as potentially compromised and implement immediate network isolation.
Progress ShareFile Pre-Auth RCE Chain Puts 30,000 Exposed Servers at Risk — Patch to 5.12.4
Researchers at watchTowr Labs have disclosed a two-vulnerability chain in Progress ShareFile Storage Zones Controller that enables unauthenticated remote code execution via webshell upload. Approximately 30,000 Storage Zone Controller instances are internet-exposed and remain at risk if not patched to version 5.12.4, which was released on 10 March 2026 before full public disclosure of the attack path.
Smart Slider 3 Pro Update Infrastructure Compromised — Backdoored Plugin Pushed to 800,000 Sites
Attackers breached Nextend's update servers and distributed a fully weaponised backdoor through the official Smart Slider 3 Pro update channel, affecting WordPress and Joomla sites that auto-updated between 7–8 April 2026. The compromised version 3.5.1.35 creates rogue admin accounts, drops persistent remote access tools, and exfiltrates credentials — all delivered through the trusted plugin update mechanism.
April Windows Update Enforces AES-Only Kerberos — RC4 Fallback Blocked Across Active Directory
Microsoft's April 2026 cumulative update moves Windows domain controllers into AES-only Kerberos enforcement mode, permanently blocking RC4-HMAC as an authentication fallback under CVE-2026-20833. Organisations with legacy service accounts or unmanaged devices that have not set the msDS-SupportedEncryptionTypes attribute will begin seeing Kerberos authentication failures when the update is deployed.
ChipSoft Ransomware Attack Takes Down Patient Records Across 80% of Dutch Hospitals
Dutch healthcare IT vendor ChipSoft, whose HiX electronic patient record system is used by approximately 80% of hospitals in the Netherlands, was struck by a ransomware attack on 7 April. Eleven hospitals have disconnected from ChipSoft systems and reverted to emergency paper procedures. ChipSoft has confirmed a 'data incident' with possible unauthorised access to patient records, and Z-CERT has advised all connected healthcare institutions to disconnect VPN links to the vendor.
Storm-1175 Deploys Medusa Ransomware Within 24 Hours Using Zero-Day Exploits
Microsoft has identified Storm-1175, a China-linked financially motivated threat group, as the affiliate behind a surge in Medusa ransomware deployments exploiting zero-day and n-day vulnerabilities in internet-facing systems. The group is exploiting vulnerabilities within days — sometimes within 24 hours — of public disclosure, with particular focus on healthcare, education, and finance sectors in the US, UK, and Australia.
CVSS 10.0 Flowise RCE Actively Exploited Across 12,000 Exposed Instances
CVE-2025-59528, a maximum-severity remote code execution vulnerability in the Flowise AI workflow platform, is being actively exploited in the wild. Over 12,000 internet-exposed instances remain unpatched, allowing attackers to execute arbitrary JavaScript on host machines and extract API keys, credentials, and configuration secrets.
Anubis Ransomware Hits Signature Healthcare, Brockton Hospital Diverts Ambulances
A ransomware attack on Signature Healthcare's Brockton Hospital in Massachusetts forced the facility to divert ambulances to neighbouring hospitals and cancel chemotherapy treatments. The Anubis ransomware group claimed responsibility on April 9, marking another significant attack on US healthcare infrastructure at a time when the sector remains one of the most targeted by ransomware operators.
Handala Ransomware Surges to 23 Victims in March — Geopolitically-Motivated Wiper Threat Expands Beyond Israel
Handala ransomware claimed 23 victims in March 2026 — the group's most active month, accounting for more than half of its total 2026 activity to date. While predominantly targeting Israeli organisations with suspected IRGC ties, Handala has begun extending its reach into European financial services, healthcare, and utilities. The group deploys wiper functionality alongside ransomware, meaning recovery from an attack is frequently impossible even without a ransom payment.
Qilin and Warlock Ransomware Deploy BYOVD Technique to Disable 300+ EDR Tools Before Encryption
Cisco Talos and Trend Micro have documented that Qilin and Warlock ransomware operations are now using the Bring Your Own Vulnerable Driver (BYOVD) technique to systematically disable endpoint detection and response software before deploying ransomware payloads. The technique exploits a legitimate but outdated signed kernel driver to terminate over 300 EDR products from virtually every security vendor — including CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, and Carbon Black.
Linux Kernel AP VLAN Flaw CVE-2026-31394 Allows Privilege Escalation in Virtualised and Cloud Environments
CVE-2026-31394 is a privilege escalation vulnerability in the Linux kernel's AP VLAN (access point virtual LAN) network driver. Highlighted in Microsoft's Windows Update security reference guide and tracked by multiple Linux distributions, the flaw allows a local user with network namespace access to escalate privileges. Virtual machine hosts, Kubernetes nodes, and container infrastructure are the highest-risk deployment contexts.
March 2026 Patch Cycle: The Governance and Risk Metrics That CISOs Should Be Reporting
March 2026 has been an unusually demanding patch cycle — 83 Microsoft CVEs, three new CISA KEV additions across F5, Citrix, and Active Directory, and concurrent exploitable vulnerabilities across Linux, PAN-OS, and Dell hardware. CISOs face board-level questions about patching velocity and exposure windows. This analysis provides the governance framework and risk metrics to answer those questions accurately.
Windows Kerberos Security Feature Bypass CVE-2026-24297 — Race Condition Enables Unauthenticated Network Attack
CVE-2026-24297 is a security feature bypass in the Windows Kerberos implementation caused by a race condition that can be triggered remotely without credentials or user interaction. Patched in the March 2026 Patch Tuesday, the vulnerability allows an attacker with network access to a Kerberos-speaking service to bypass security validation in the authentication flow. No active exploitation has been confirmed but the attack vector requires no credentials, increasing urgency.
PAN-OS GlobalProtect Denial-of-Service CVE-2026-0227 — PoC Published, Firewalls Risk Forced Maintenance Mode
A proof-of-concept exploit has been published for CVE-2026-0227, a denial-of-service vulnerability in Palo Alto Networks PAN-OS affecting GlobalProtect gateways and portals. An unauthenticated remote attacker can crash the firewall into a mandatory maintenance mode by sending malformed requests to the GlobalProtect interface. Prisma Access deployments are also affected. Palo Alto has released patches; the PoC significantly elevates exploitation risk.
Citrix CVE-2026-3055 Confirmed Exploited — CISA KEV Addition Triggers Mandatory Patch Deadline
CISA added CVE-2026-3055 to its Known Exploited Vulnerabilities catalogue on 30 March, confirming active exploitation of the critical Citrix NetScaler memory overread vulnerability disclosed the previous week. NetScaler appliances configured as SAML Identity Providers are leaking session tokens from memory, allowing attackers to impersonate users without credentials. Organisations must patch immediately.
Dell iDRAC Service Module CVE-2026-23856 Allows Local Privilege Escalation on PowerEdge Servers
Dell has patched CVE-2026-23856, a privilege escalation vulnerability in the iDRAC Service Module (iSM) shipped with PowerEdge servers. A local attacker with standard user privileges can exploit improper access controls in the iSM — which runs with elevated system privileges to communicate with the hardware management interface — to elevate to SYSTEM or root. Updated iSM packages are available for both Windows and Linux.
Apple macOS CoreMedia Out-of-Bounds Write RCE Disclosed — Remote Exploitation via Malicious Media Files
Zero Day Initiative researchers have disclosed ZDI-26-230, an out-of-bounds write vulnerability in the Apple macOS CoreMedia framework that could allow remote code execution when a user processes a specially crafted media file. A companion vulnerability ZDI-26-231 discloses a separate macOS information disclosure flaw. Both were disclosed on 30 March 2026 following Apple's 120-day coordinated disclosure window.
March 2026 Brought 83 Patch Tuesday CVEs and Three CISA KEV Additions — How to Prioritise
March 2026's Patch Tuesday addressed 83 vulnerabilities including three critical Office RCEs, an Active Directory privilege escalation now in CISA's KEV catalogue, and a Kerberos security feature bypass. Add three separate CISA KEV additions throughout the month — F5 BIG-IP, Citrix NetScaler, and Active Directory — and security teams are managing a substantial patching backlog entering April. This analysis cuts through the volume to identify where to focus.
Active Directory Privilege Escalation CVE-2026-25177 Added to CISA KEV — Domain Admin Risk via SPN Abuse
CVE-2026-25177, a privilege escalation vulnerability in Active Directory Domain Services patched in March's Patch Tuesday, has been added to CISA's Known Exploited Vulnerabilities catalogue. An authenticated attacker with low-privileged domain credentials can exploit improper SPN and UPN name validation to escalate to domain administrator level. The KEV addition confirms in-the-wild exploitation approximately three weeks after patching was available.
Qilin Ransomware Posts Record 131 Victims in March — Third Consecutive Month Above 100
Qilin ransomware posted 131 confirmed victims in March 2026, its highest monthly total since emerging as a major ransomware-as-a-service operation. This marks three consecutive months above 100 victims — a sustained tempo that no tracked ransomware group has previously achieved. Healthcare, manufacturing, and professional services bear the heaviest burden, with the US accounting for half of all March ransomware victims across all groups.