// CIO Briefings
FIRESTARTER Backdoor Confirmed on US Federal Cisco Firewalls — Patching Alone Does Not Remove the Implant
A joint CISA and NCSC advisory confirms that sophisticated attackers have implanted a backdoor on Cisco Firepower and ASA firewalls that survives firmware updates and reimaging. At least one US federal agency is a confirmed victim. Organisations must run vendor-provided integrity checks — not just apply patches — to confirm their devices are clean.
Microsoft's Cloud Identity Platform Had a CVSS 10.0 Vulnerability — And Patched It Silently
A perfect-score SSRF vulnerability in Microsoft Entra ID Entitlement Management — the governance layer controlling access requests to Azure resources and Microsoft 365 — was disclosed and confirmed patched by Microsoft. No customer action is required. But the disclosure raises a governance question organisations cannot avoid: how do you detect exploitation of a vulnerability in cloud infrastructure you cannot inspect?
Critical Microsoft Bing Vulnerability Allows Unauthenticated Remote Takeover — Apply April Patches Immediately
A maximum-severity vulnerability in Microsoft Bing allows attackers with no account or credentials to take full control of affected systems over the internet. Microsoft has released a patch as part of April 2026 updates — all organisations should apply immediately and verify that enterprise search infrastructure is updated.
Wormable Windows Network Vulnerability Requires Immediate Patching — All IPv6-Enabled Networks at Risk
A race condition in the Windows TCP/IP stack allows self-propagating, unauthenticated remote code execution across networks with IPv6 enabled — which is the default configuration for all modern Windows systems. The flaw was demonstrated at Pwn2Own 2026 and patched in April's Patch Tuesday; unpatched organisations face a threat capable of spreading automatically from a single compromised host across entire network segments, comparable in propagation characteristics to EternalBlue.
Kyber Ransomware Targets Enterprise Windows Servers and VMware ESXi in Coordinated Dual-Platform Attacks
A new ransomware operation named Kyber has been analysed by Rapid7 following an enterprise incident response engagement. The group deploys two simultaneous variants — one targeting Windows file servers, one targeting VMware ESXi — using the same campaign infrastructure. The ESXi variant terminates virtual machines and defaces the management interface; the Windows variant implements genuine post-quantum key encapsulation and includes experimental Hyper-V targeting.
AI Development Infrastructure Under Active Attack — Marimo RCE Exploited at Scale Across Data Science Environments
A critical pre-authentication RCE vulnerability in the Marimo Python notebook (CVE-2026-39987, CVSS 9.3) has been weaponised at mass scale, with 662 exploitation events recorded in three days, credential theft completing within minutes of compromise, and NKAbuse malware being deployed for persistent access. Organisations running Marimo in data science, AI/ML, or research environments must patch immediately and hunt for indicators of prior compromise.
Emergency .NET 10 Patch Required — DataProtection Key Leak Exposes Enterprise Web Application Sessions
A critical security flaw in Microsoft's .NET 10 framework (CVE-2026-40372, CVSS 9.1) has caused encryption keys protecting web application sessions to be exposed on Linux servers since November 2025. Any organisation running .NET 10 web applications on Linux must apply an emergency patch and rotate all session keys immediately.
Everest Ransomware Claims Citizens Bank Data via Vendor — 250,000 SSNs and 3.4 Million Banking Records Allegedly Stolen
The Everest ransomware group claims to have stolen 380 GB of Citizens Bank customer data including 250,000 Social Security Numbers and 3.4 million banking records through a third-party vendor breach. Under GLBA and NYDFS regulations, Citizens bears breach notification obligations regardless of vendor attribution. Regulatory timelines may already be running.
Critical Cisco Webex SSO and Identity Services Engine Vulnerabilities Require Immediate Action
Four critical Cisco vulnerabilities patched April 15 demand urgent enterprise response. CVE-2026-20184 (CVSS 9.8) enables unauthenticated user impersonation in Webex — Cisco's cloud fix is insufficient without administrator action. Three ISE vulnerabilities at CVSS 9.9 allow read-only admins to achieve root code execution on the network access control system underpinning enterprise segmentation.
Two Unpatched Windows Defender Zero-Days Actively Exploited — No Microsoft Fix Available
RedSun and UnDefend are two unpatched zero-day vulnerabilities in Windows Defender that are actively exploited in real attacks. RedSun escalates any local user to SYSTEM; UnDefend silently prevents Defender from receiving threat intelligence updates. Both affect all supported Windows versions and remain fully exploitable after April Patch Tuesday.
Ransomware Group Uses Virtual Machines to Operate Invisibly Inside Enterprise Networks
The Payouts King ransomware operation, linked to former BlackBasta affiliates, deploys a legitimate QEMU virtual machine on compromised Windows hosts to conduct credential theft and data exfiltration from inside a guest that endpoint security cannot see into. The technique directly defeats EDR investment and is now actively used in attacks. Organisations must extend detection beyond endpoint telemetry.
April Patch Tuesday Defect Triggers Authentication Outage on PAM Domain Controllers
KB5082063 causes LSASS to crash on non-Global Catalog domain controllers in PAM-enabled environments, creating unrecoverable reboot loops that take Active Directory authentication offline. No corrected update is available. All organisations with PAM-enabled AD must immediately pause KB5082063 deployment on domain controllers and engage Microsoft Support if affected DCs are already looping.
Critical Windows IKE Vulnerability Allows Unauthenticated Remote Takeover of All Windows Servers
A severity-9.8 flaw in Windows networking software allows an attacker on the internet to seize complete control of any unpatched Windows server or workstation with no login credentials required. Microsoft has confirmed the flaw was exploited before the patch was released. All organisations running Windows must apply the April 2026 security update as an emergency measure.
wolfSSL Certificate Forgery Flaw Exposes Billions of Connected Devices to Network Interception
A critical flaw in a widely embedded networking security library allows attackers to present forged digital identity certificates that connected devices accept as genuine, enabling interception and manipulation of supposedly secure communications. The library is present in an estimated 5 billion devices including routers, industrial controllers, and automotive systems. Organisations must audit which of their devices and vendor-supplied equipment are affected.
Critical nginx-ui Flaw Enables Unauthenticated Web Server Takeover — Patch Now
A CVSS 9.8 vulnerability in nginx-ui is being actively exploited, allowing attackers without any credentials to take full control of Nginx web servers. Organisations running nginx-ui as a server management interface should patch immediately or isolate the service from external access.
Rockstar Games Breach Exposes the SaaS Vendor Access Risk Every CISO Should Address
ShinyHunters stole 78.6 million records from Rockstar Games without touching Rockstar's own systems — they compromised a third-party analytics vendor that held persistent access to Rockstar's cloud data warehouse. The same access model exists in most large enterprises and represents a significant unmanaged exposure.
SharePoint Zero-Day Added to CISA KEV Before Patch Exists — Action Required Today
CISA has added an actively exploited SharePoint Server vulnerability (CVE-2026-32201) to its Known Exploited Vulnerabilities catalogue while no vendor patch exists. Microsoft's fix arrives in tomorrow's Patch Tuesday. Boards and security leaders face a rare decision: implement compensating controls now, or accept a confirmed zero-day exposure overnight.
Adobe Acrobat Zero-Day: Four Months of Silent PDF-Based Attacks Across Enterprise Desktops
A zero-day in Adobe Acrobat Reader (CVE-2026-34621) has been exploited since November 2025 — meaning enterprise environments have been exposed for over four months without a patch. Simply opening a PDF triggered the attack. Adobe released an emergency fix on 13 April 2026; the financial and reputational exposure window is now a board-level question.