the threat gazette
Afternoon Update
Intraday Update
Vulnerabilities

Adobe Reader Zero-Day Patched After Four-Month Wild Exploitation Window

CVE-2026-34621

Adobe has patched CVE-2026-34621, an RCE in Acrobat DC, Reader DC, and Acrobat 2024 (Windows and macOS) triggered by opening a malicious PDF. The vulnerability has been confirmed exploited in the wild since at least December 2025 — four months before today's patch. CISA has added it to KEV. No CVSS score is published yet, and EPSS remains artificially low (0.061) because the scoring models hadn't ingested exploitation confirmation at the time of calculation. The extended pre-patch exploitation window is the critical factor: threat actors had months of runway for targeted delivery before any defensive patch existed. Financial services environments carry outsized exposure given PDF ubiquity in client communications, vendor contracts, regulatory filings, and investor materials. The implicit trust PDFs carry in business workflows makes them a persistently favored delivery mechanism for both nation-state operators and financially motivated actors.

Adobe Reader zero-days have been a preferred delivery vector for APT28, Lazarus Group, and crimeware operators precisely because PDFs don't trigger the suspicion that other file types do. The multi-month patch lag pattern has recurred across prior Acrobat CVEs — Adobe's internal detection posture for in-the-wild exploitation of its own products is a structural weakness at this point, not an isolated miss.

Sources: 2026-04-11 (2 sources); 2026-04-14 (1 source)

Editorial

The most consequential pattern today isn't a vulnerability — it's the convergence of two distinct threat actors on the same strategic playbook. Scattered Spider breached McGraw-Hill through Salesforce misconfiguration while former Black Basta affiliates are scaling Teams helpdesk impersonation to 100+ targets. Both are bypassing technical controls entirely, exploiting the trust layer of enterprise SaaS and collaboration platforms. For financial institutions, this means the Salesforce guest user policy and Teams external federation configuration deserve the same rigor as network segmentation — and right now, they probably don't get it.

FortiClient EMS landing two separate confirmed-exploited CVEs in a single patch cycle is the kind of signal that warrants a conversation beyond patching. Fortinet products have appeared in KEV with uncomfortable regularity, and a double-hit in one product within one cycle suggests active, sustained research interest from threat actors — possibly shared tooling across groups. Pair this with the Adobe Reader zero-day that ran unpatched for four months in the wild, and the strategic takeaway is clear: dwell-time assumptions in your threat models need to account for multi-month exploitation windows as baseline, not worst-case. The things protecting you and the things your users open every day are both, increasingly, the things being exploited first.

Notable

Vulnerabilities

April Patch Tuesday: 167 CVEs With a Buried Overdue FortiClient EMS KEV

CVE-2023-20585 CVE-2026-0390 CVE-2026-20806 CVE-2026-20928 CVE-2026-20930 CVE-2026-20945 CVE-2026-21637 CVE-2026-23653 CVE-2026-23657 CVE-2026-23666 CVE-2026-23670 CVE-2026-25184 CVE-2026-25250 CVE-2026-26143 CVE-2026-26149 CVE-2026-26151 CVE-2026-26152 CVE-2026-26153 CVE-2026-26154 CVE-2026-26155 CVE-2026-26156 CVE-2026-26159 CVE-2026-26160 CVE-2026-26161 CVE-2026-26162 CVE-2026-26163 CVE-2026-26165 CVE-2026-26166 CVE-2026-26167 CVE-2026-26168 CVE-2026-26169 CVE-2026-26170 CVE-2026-26171 CVE-2026-26172 CVE-2026-26173 CVE-2026-26174 CVE-2026-26175 CVE-2026-26176 CVE-2026-26177 CVE-2026-26178 CVE-2026-26179 CVE-2026-26180 CVE-2026-26181 CVE-2026-26182 CVE-2026-26183 CVE-2026-26184 CVE-2026-27906 CVE-2026-27907 CVE-2026-27908 CVE-2026-27909 CVE-2026-27910 CVE-2026-27911 CVE-2026-27912 CVE-2026-27913 CVE-2026-27914 CVE-2026-27915 CVE-2026-27916 CVE-2026-27917 CVE-2026-27918 CVE-2026-27919 CVE-2026-27920 CVE-2026-27921 CVE-2026-27922 CVE-2026-27923 CVE-2026-27924 CVE-2026-27925 CVE-2026-27926 CVE-2026-27927 CVE-2026-27928 CVE-2026-27929 CVE-2026-27930 CVE-2026-27931 CVE-2026-32068 CVE-2026-32069 CVE-2026-32070 CVE-2026-32071 CVE-2026-32072 CVE-2026-32073 CVE-2026-32074 CVE-2026-32075 CVE-2026-32076 CVE-2026-32077 CVE-2026-32078 CVE-2026-32079 CVE-2026-32080 CVE-2026-32081 CVE-2026-32082 CVE-2026-32083 CVE-2026-32084 CVE-2026-32085 CVE-2026-32086 CVE-2026-32087 CVE-2026-32088 CVE-2026-32089 CVE-2026-32090 CVE-2026-32091 CVE-2026-32093 CVE-2026-32149 CVE-2026-32150 CVE-2026-32151 CVE-2026-32152 CVE-2026-32153 CVE-2026-32154 CVE-2026-32155 CVE-2026-32156 CVE-2026-32157 CVE-2026-32158 CVE-2026-32159 CVE-2026-32160 CVE-2026-32162 CVE-2026-32163 CVE-2026-32164 CVE-2026-32165 CVE-2026-32167 CVE-2026-32168 CVE-2026-32171 CVE-2026-32176 CVE-2026-32178 CVE-2026-32181 CVE-2026-32183 CVE-2026-32184 CVE-2026-32188 CVE-2026-32189 CVE-2026-32190 CVE-2026-32192 CVE-2026-32195 CVE-2026-32196 CVE-2026-32197 CVE-2026-32198 CVE-2026-32199 CVE-2026-32200 CVE-2026-32201 CVE-2026-32202 
CVE-2026-32203 CVE-2026-32212 CVE-2026-32214 CVE-2026-32215 CVE-2026-32216 CVE-2026-32217 CVE-2026-32218 CVE-2026-32219 CVE-2026-32220 CVE-2026-32221 CVE-2026-32222 CVE-2026-32223 CVE-2026-32224 CVE-2026-32225 CVE-2026-32226 CVE-2026-32631 CVE-2026-33095 CVE-2026-33096 CVE-2026-33098 CVE-2026-33099 CVE-2026-33100 CVE-2026-33101 CVE-2026-33103 CVE-2026-33104 CVE-2026-33114 CVE-2026-33115 CVE-2026-33116 CVE-2026-33120 CVE-2026-33822 CVE-2026-33824 CVE-2026-33825 CVE-2026-33826 CVE-2026-33827 CVE-2026-33829 CVE-2026-35616

Microsoft's April 2026 Patch Tuesday addresses 167 flaws, including two zero-days and eight critical-severity vulnerabilities. CVE-2026-32201 (SharePoint Server) is the headline Microsoft-native patch, with active exploitation confirmed and a KEV deadline of April 28. The more easily missed signal is CVE-2026-35616 (FortiClient EMS, EPSS 0.253), which also appears in this cycle's KEV data with a deadline of April 9 — already six days overdue. This is the second confirmed-exploited FortiClient EMS vulnerability surfaced today, following CVE-2026-21643, flagged in this morning's digest. Two distinct KEV entries for the same product in the same cycle demand treat-as-compromised analysis of any exposed EMS instances, not just patching.

FortiClient EMS has had a dire security track record — CVE-2023-48788 (SQL injection, CVSS 9.8) was heavily weaponized in 2024 ransomware campaigns. Two separate confirmed-exploited CVEs in one cycle on the same product is a pattern, not a coincidence. If you're running EMS, the question isn't whether to patch — it's whether you've already been hit.
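The Adobe and FortiClient items above make the same prioritization point: KEV membership (confirmed exploitation, with a remediation deadline) has to outrank an EPSS score that has not yet caught up. The following is an added example, not code from the digest or any of the vendors named in it; it encodes that rule as a sortable key and flags products with more than one KEV entry in the cycle. The records are constructed from the EPSS values and deadlines quoted on this page; where the page gives no value (marked in comments) the figure is an assumption.

```python
"""Prioritise patch work by KEV status and deadline before EPSS.

Added example (not from the digest); the CVE records below are constructed
from the figures quoted in the text, and AS_OF is the digest date.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class CveRecord:
    cve: str
    product: str
    epss: float                      # EPSS probability, 0..1
    kev_due: Optional[date] = None   # CISA KEV remediation deadline, if listed


def days_overdue(rec: CveRecord, as_of: date) -> Optional[int]:
    """Days past the KEV deadline (negative = days remaining); None if not in KEV."""
    if rec.kev_due is None:
        return None
    return (as_of - rec.kev_due).days


def priority_key(rec: CveRecord, as_of: date):
    """Sort key: KEV entries first, most overdue first, then EPSS descending.

    KEV membership means confirmed exploitation, so it dominates EPSS, which
    the digest notes can lag exploitation confirmation by days.
    """
    overdue = days_overdue(rec, as_of)
    in_kev = overdue is not None
    return (0 if in_kev else 1, -(overdue or 0), -rec.epss)


def triage(records, as_of: date):
    """Return (cve, reason) pairs in remediation order."""
    ordered = sorted(records, key=lambda r: priority_key(r, as_of))
    out = []
    for r in ordered:
        od = days_overdue(r, as_of)
        if od is None:
            reason = f"not in KEV; EPSS {r.epss:.3f}"
        elif od > 0:
            reason = f"KEV deadline {r.kev_due} overdue by {od} days"
        elif od == 0:
            reason = f"KEV deadline {r.kev_due} is today"
        else:
            reason = f"KEV deadline {r.kev_due} in {-od} days"
        out.append((r.cve, reason))
    return out


def flag_repeat_kev_products(records, threshold: int = 2):
    """Products with >= threshold KEV entries in one cycle: the digest argues
    these warrant treat-as-compromised analysis, not just patching."""
    counts = {}
    for r in records:
        if r.kev_due is not None:
            counts[r.product] = counts.get(r.product, 0) + 1
    return sorted(p for p, n in counts.items() if n >= threshold)


# Constructed records using the values quoted in the digest (as of 2026-04-15).
AS_OF = date(2026, 4, 15)
RECORDS = [
    CveRecord("CVE-2026-32201", "SharePoint Server", epss=0.05, kev_due=date(2026, 4, 28)),     # EPSS assumed
    CveRecord("CVE-2026-35616", "FortiClient EMS", epss=0.253, kev_due=date(2026, 4, 9)),
    CveRecord("CVE-2026-21643", "FortiClient EMS", epss=0.10, kev_due=date(2026, 4, 9)),        # EPSS and deadline assumed
    CveRecord("CVE-2026-5281", "Chrome (Dawn WebGPU)", epss=0.033, kev_due=date(2026, 4, 15)),
    CveRecord("CVE-2026-34621", "Adobe Acrobat/Reader", epss=0.061, kev_due=date(2026, 4, 28)),  # deadline assumed
    CveRecord("CVE-2026-35558", "Athena ODBC Driver", epss=0.001),
]

if __name__ == "__main__":
    for cve, reason in triage(RECORDS, AS_OF):
        print(f"{cve:16} {reason}")
    print("repeat KEV products:", flag_repeat_kev_products(RECORDS))
```

With these inputs the two overdue FortiClient EMS entries sort to the top regardless of their EPSS, the Chrome entry due today follows, and the low-EPSS Athena driver fix lands last; `flag_repeat_kev_products` returns only FortiClient EMS.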

Ransomware

Scattered Spider Exploits Salesforce Misconfiguration in McGraw-Hill Extortion Breach

Scattered Spider

McGraw-Hill has confirmed a breach by Scattered Spider in which the group exploited a Salesforce misconfiguration — not a zero-day — to access internal data and demand an extortion payment. The company claims customer databases and core systems were unaffected, a claim that should be treated as provisional pending independent verification. The operational significance is the TTP evolution: Scattered Spider is hunting SaaS misconfigurations rather than burning exploits. Experience Cloud guest user permissions, overly permissive community portal configurations, and object-level access control gaps are the attack surface. Financial services organizations with Salesforce deployments — which is effectively all of them — should audit these configurations and verify Salesforce Shield event monitoring coverage.

Scattered Spider continues to demonstrate remarkable operational resilience across arrests and law enforcement pressure. The shift from SIM swapping and MFA fatigue toward SaaS misconfiguration harvesting is a maturation — lower noise, higher deniability, harder to detect without dedicated SSPM tooling. Combined with their prior appearance in the Anodot/Snowflake campaign this cycle, they remain the most operationally active threat to financial sector SaaS infrastructure right now.

Vulnerabilities

Chrome Dawn WebGPU Zero-Day (CVE-2026-5281) in KEV With Today's Deadline

CVE-2026-0390 CVE-2026-20806 CVE-2026-20928 CVE-2026-20930 CVE-2026-20945 CVE-2026-23653 CVE-2026-23657 CVE-2026-23666 CVE-2026-23670 CVE-2026-25184 CVE-2026-26143 CVE-2026-26149 CVE-2026-26151 CVE-2026-26152 CVE-2026-26153 CVE-2026-26154 CVE-2026-26155 CVE-2026-26156 CVE-2026-26159 CVE-2026-26160 CVE-2026-26161 CVE-2026-26162 CVE-2026-26163 CVE-2026-26165 CVE-2026-26166 CVE-2026-26167 CVE-2026-26168 CVE-2026-26169 CVE-2026-26170 CVE-2026-26171 CVE-2026-26172 CVE-2026-26173 CVE-2026-26174 CVE-2026-26175 CVE-2026-26176 CVE-2026-26177 CVE-2026-26178 CVE-2026-26179 CVE-2026-26180 CVE-2026-26181 CVE-2026-26182 CVE-2026-26183 CVE-2026-26184 CVE-2026-27906 CVE-2026-27907 CVE-2026-27908 CVE-2026-27909 CVE-2026-27910 CVE-2026-27911 CVE-2026-27912 CVE-2026-27913 CVE-2026-27914 CVE-2026-27915 CVE-2026-27916 CVE-2026-27917 CVE-2026-27918 CVE-2026-27919 CVE-2026-27920 CVE-2026-27921 CVE-2026-27922 CVE-2026-27923 CVE-2026-27924 CVE-2026-27925 CVE-2026-27926 CVE-2026-27927 CVE-2026-27928 CVE-2026-27929 CVE-2026-27930 CVE-2026-27931 CVE-2026-32068 CVE-2026-32069 CVE-2026-32070 CVE-2026-32071 CVE-2026-32072 CVE-2026-32073 CVE-2026-32074 CVE-2026-32075 CVE-2026-32076 CVE-2026-32077 CVE-2026-32078 CVE-2026-32079 CVE-2026-32080 CVE-2026-32081 CVE-2026-32082 CVE-2026-32083 CVE-2026-32084 CVE-2026-32085 CVE-2026-32086 CVE-2026-32087 CVE-2026-32088 CVE-2026-32089 CVE-2026-32090 CVE-2026-32091 CVE-2026-32093 CVE-2026-32149 CVE-2026-32150 CVE-2026-32151 CVE-2026-32152 CVE-2026-32153 CVE-2026-32154 CVE-2026-32155 CVE-2026-32156 CVE-2026-32157 CVE-2026-32158 CVE-2026-32159 CVE-2026-32160 CVE-2026-32162 CVE-2026-32163 CVE-2026-32164 CVE-2026-32165 CVE-2026-32167 CVE-2026-32168 CVE-2026-32171 CVE-2026-32176 CVE-2026-32178 CVE-2026-32181 CVE-2026-32183 CVE-2026-32184 CVE-2026-32188 CVE-2026-32189 CVE-2026-32190 CVE-2026-32192 CVE-2026-32195 CVE-2026-32196 CVE-2026-32197 CVE-2026-32198 CVE-2026-32199 CVE-2026-32200 CVE-2026-32201 CVE-2026-32202 CVE-2026-32203 CVE-2026-32212 CVE-2026-32214 
CVE-2026-32215 CVE-2026-32216 CVE-2026-32217 CVE-2026-32218 CVE-2026-32219 CVE-2026-32220 CVE-2026-32221 CVE-2026-32222 CVE-2026-32223 CVE-2026-32224 CVE-2026-32225 CVE-2026-32226 CVE-2026-33095 CVE-2026-33096 CVE-2026-33098 CVE-2026-33099 CVE-2026-33100 CVE-2026-33101 CVE-2026-33103 CVE-2026-33104 CVE-2026-33114 CVE-2026-33115 CVE-2026-33116 CVE-2026-33118 CVE-2026-33119 CVE-2026-33120 CVE-2026-33822 CVE-2026-33824 CVE-2026-33825 CVE-2026-33826 CVE-2026-33827 CVE-2026-33829 CVE-2026-5272 CVE-2026-5273 CVE-2026-5274 CVE-2026-5275 CVE-2026-5276 CVE-2026-5277 CVE-2026-5279 CVE-2026-5280 CVE-2026-5281 CVE-2026-5283 CVE-2026-5284 CVE-2026-5285 CVE-2026-5286 CVE-2026-5287 CVE-2026-5289 CVE-2026-5290 CVE-2026-5291 CVE-2026-5292 CVE-2026-5858 CVE-2026-5859 CVE-2026-5860 CVE-2026-5861 CVE-2026-5862 CVE-2026-5863 CVE-2026-5864 CVE-2026-5865 CVE-2026-5866 CVE-2026-5867 CVE-2026-5868 CVE-2026-5869 CVE-2026-5870 CVE-2026-5871 CVE-2026-5872 CVE-2026-5873 CVE-2026-5874 CVE-2026-5875 CVE-2026-5876 CVE-2026-5877 CVE-2026-5878 CVE-2026-5879 CVE-2026-5880 CVE-2026-5881 CVE-2026-5882 CVE-2026-5883 CVE-2026-5884 CVE-2026-5885 CVE-2026-5886 CVE-2026-5887 CVE-2026-5888 CVE-2026-5889 CVE-2026-5890 CVE-2026-5891 CVE-2026-5892 CVE-2026-5893 CVE-2026-5894 CVE-2026-5895 CVE-2026-5896 CVE-2026-5897 CVE-2026-5898 CVE-2026-5899 CVE-2026-5900 CVE-2026-5901 CVE-2026-5902 CVE-2026-5903 CVE-2026-5904 CVE-2026-5905 CVE-2026-5906 CVE-2026-5907 CVE-2026-5908 CVE-2026-5909 CVE-2026-5910 CVE-2026-5911 CVE-2026-5912 CVE-2026-5913 CVE-2026-5914 CVE-2026-5915 CVE-2026-5918 CVE-2026-5919

SANS ISC's Patch Tuesday analysis surfaces CVE-2026-5281, a vulnerability in Chrome's Dawn WebGPU implementation that is confirmed exploited in the wild and carries a CISA KEV deadline of today (April 15). EPSS is low (0.033), likely reflecting the recency of exploitation confirmation. The fix ships through Chromium and propagates to Microsoft Edge, where enterprise browser update management often lags behind consumer Chrome auto-update. The practical concern is Edge in managed enterprise environments with delayed update policies. Verify that Chromium-based browser updates have propagated across the fleet.

Dawn's attack surface is growing as WebGPU ships broadly. The GPU driver exposure pathway through WebGPU APIs creates a hardware-specific attack surface that's difficult to audit at scale. This is unlikely to be the last KEV from this component — worth establishing monitoring for Dawn-related CVEs going forward.
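The item above ends with the operational task of verifying that Chromium-based browser updates have actually reached every managed endpoint. The following is an added example, not code from the digest, SANS ISC or Google: it reads a simple host/browser/version inventory export, compares each dotted build number component by component against a minimum fixed build, and reports the hosts still behind. The fixed build numbers are placeholders (the digest does not quote them) and the inventory lines are constructed.

```python
"""Find fleet hosts still below a fixed Chromium build.

Added example, not from the digest. MIN_FIXED holds PLACEHOLDER values; the
inventory is constructed. Versions are compared numerically per component, so
"136.0.7103.9" correctly sorts below "136.0.7103.92".
"""
from collections import defaultdict

# PLACEHOLDER fixed builds: replace with the vendor-published fixed versions.
MIN_FIXED = {
    "chrome": "136.0.0.0",
    "edge": "136.0.0.0",
}


def parse_version(v: str) -> tuple:
    """'136.0.7103.92' -> (136, 0, 7103, 92); missing components count as 0."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_patched(browser: str, version: str) -> bool:
    return parse_version(version) >= parse_version(MIN_FIXED[browser])


def parse_inventory(lines):
    """Yield (host, browser, version) from 'host,browser,version' CSV lines."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, browser, version = (f.strip() for f in line.split(","))
        yield host, browser.lower(), version


def find_laggards(lines):
    """Hosts below the fixed build, grouped by browser: {browser: [(host, version), ...]}."""
    laggards = defaultdict(list)
    for host, browser, version in parse_inventory(lines):
        if browser not in MIN_FIXED:
            continue  # not a Chromium channel tracked here
        if not is_patched(browser, version):
            laggards[browser].append((host, version))
    return dict(laggards)


def coverage(lines):
    """Fraction of tracked hosts on a fixed build, per browser."""
    totals = defaultdict(lambda: [0, 0])
    for _host, browser, version in parse_inventory(lines):
        if browser in MIN_FIXED:
            totals[browser][1] += 1
            if is_patched(browser, version):
                totals[browser][0] += 1
    return {b: ok / n for b, (ok, n) in totals.items()}


# Constructed inventory export (hostnames and build numbers are made up).
SAMPLE_INVENTORY = """
# host,browser,version
wks-0101,chrome,136.0.7103.92
wks-0102,edge,135.0.3179.85
wks-0103,edge,136.0.3240.50
wks-0104,chrome,135.0.7049.114
wks-0105,firefox,137.0
"""

if __name__ == "__main__":
    lines = SAMPLE_INVENTORY.splitlines()
    for browser, hosts in find_laggards(lines).items():
        for host, version in hosts:
            print(f"{browser:7} {host:10} {version}  below {MIN_FIXED[browser]}")
    print("coverage:", coverage(lines))
```

Feed it the CSV your endpoint management tool exports and set `MIN_FIXED` from the vendor advisory; the numeric comparison matters because a plain string compare would rank a ".9" build above a ".92" one.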

Ransomware

Former Black Basta Affiliates Scaling Teams Helpdesk Impersonation Campaigns

Black Basta

ReliaQuest reports that former Black Basta affiliates have targeted 100+ employees across dozens of organizations using a two-stage social engineering chain: mass email bombing to overwhelm the inbox, followed by Microsoft Teams messages impersonating IT helpdesk staff offering to 'fix' the problem. The campaign has surged in recent weeks, demonstrating operational continuity from operators who nominally disbanded after their internal chat logs leaked in early 2025. The Teams vector is specifically relevant to financial services environments where external federation is typically enabled for client communication and receives less rigorous anti-phishing scrutiny than email. The email-bombing-plus-Teams combo exploits the cognitive vulnerability of overwhelmed staff — flood the inbox, then offer rescue through a channel that doesn't trigger email-trained phishing instincts.

Black Basta's playbook surviving the gang's operational disruption is the textbook case of affiliate-program ransomware resilience — operators carry proven TTPs regardless of which brand they work under. Researcher-documented overlaps with CACTUS and Storm-1811 suggest these operators have redistributed across multiple active affiliate programs. The TTPs persist even as the brand fades.
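The two-stage chain described above (inbox flood, then a Teams message from an outside tenant posing as the helpdesk) is detectable as a correlation rather than from either signal alone. The following is an added example, not code from the digest or ReliaQuest: it runs a sliding-window count over inbound mail per user, then raises an alert when an external Teams message from a tenant outside an allowlist reaches a flooded user within a follow-up window. The event schema, thresholds, window sizes, allowlisted tenant and all sample events are constructed assumptions; real mail-gateway and Teams audit logs would need their own parsers.

```python
"""Correlate an inbound-mail flood with a follow-up external Teams message.

Added example, not from the digest. The event schema, thresholds and sample
data are constructed; tune FLOOD_THRESHOLD and the windows per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FLOOD_THRESHOLD = 50                       # assumed: inbound mails per user per window
FLOOD_WINDOW = timedelta(minutes=30)       # assumed
FOLLOWUP_WINDOW = timedelta(hours=2)       # assumed: Teams contact after flood onset
KNOWN_TENANTS = {"trusted-client.example"}  # assumed allowlist of federated partners

# Event tuple: (timestamp, kind, user, detail)
#   kind "mail"  -> detail is the sender address
#   kind "teams" -> detail is the external sender's tenant ("" for internal)


def build_sample_events():
    """Constructed sample: alice gets 80 mails in 20 minutes, then a Teams DM from
    an unknown tenant; bob gets normal mail and DMs from known/internal senders."""
    t0 = datetime(2026, 4, 14, 9, 0, 0)
    events = []
    for i in range(80):
        events.append((t0 + timedelta(seconds=15 * i), "mail", "alice", f"news{i}@bulk.example"))
    events.append((t0 + timedelta(minutes=45), "teams", "alice", "helpdesk-support.example"))
    for i in range(5):
        events.append((t0 + timedelta(minutes=10 * i), "mail", "bob", "colleague@corp.example"))
    events.append((t0 + timedelta(minutes=50), "teams", "bob", "trusted-client.example"))
    events.append((t0 + timedelta(minutes=55), "teams", "bob", ""))
    return sorted(events)


def detect_mail_floods(events):
    """{user: first_time_threshold_crossed} for users receiving >= FLOOD_THRESHOLD
    inbound mails inside any FLOOD_WINDOW (sliding window over sorted timestamps)."""
    per_user = defaultdict(list)
    for ts, kind, user, _ in events:
        if kind == "mail":
            per_user[user].append(ts)
    detected = {}
    for user, times in per_user.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > FLOOD_WINDOW:
                lo += 1
            if hi - lo + 1 >= FLOOD_THRESHOLD:
                detected[user] = t
                break
    return detected


def correlate(events):
    """Alert on an external Teams message from a non-allowlisted tenant to a user
    whose mail flood began within the preceding FOLLOWUP_WINDOW."""
    floods = detect_mail_floods(events)
    alerts = []
    for ts, kind, user, tenant in events:
        if kind != "teams" or not tenant or tenant in KNOWN_TENANTS:
            continue
        flood_at = floods.get(user)
        if flood_at is not None and timedelta(0) <= ts - flood_at <= FOLLOWUP_WINDOW:
            alerts.append({
                "user": user,
                "tenant": tenant,
                "flood_at": flood_at,
                "teams_at": ts,
                "lag_min": int((ts - flood_at).total_seconds() // 60),
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(build_sample_events()):
        print(f"ALERT {a['user']}: external Teams contact from {a['tenant']} "
              f"{a['lag_min']} min after mail flood began ({a['flood_at']:%H:%M})")
```

On the constructed data only alice trips the rule: her flood crosses the threshold at the 50th message and the unknown-tenant Teams contact arrives 32 minutes later, while bob's contacts come from an allowlisted partner and an internal sender and produce nothing.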

Briefs

Vulnerabilities

Tenable Corroborates SharePoint Server as April Patch Tuesday Priority

Comprehensive vendor analysis of Microsoft's April 2026 patch release, which addresses 163 vulnerabilities, with CVE-2026-32201 on CISA KEV and due 2026-04-28; covers environment-relevant SharePoint and Windows updates.

CVE-2026-20945 CVE-2026-26151 CVE-2026-27913 CVE-2026-32201 CVE-2026-33824 CVE-2026-33825 CVE-2026-33826

Vulnerabilities

Amazon Athena ODBC Driver: Six Low-Risk Patches

AWS patches six CVEs in the Athena ODBC Driver with negligible exploitation risk (EPSS <0.002); routine vendor advisory.

CVE-2026-35558 CVE-2026-35559 CVE-2026-35560 CVE-2026-35561 CVE-2026-35562 CVE-2026-5485

Cryptography

OpenSSL 4.0.0 Major Release

OpenSSL releases version 4.0.0 with cryptography improvements; a major version release without associated vulnerability disclosures.

Vulnerabilities

Microsoft Admin Center XSS (CVE-2026-32196)

Cross-site scripting vulnerability documented in Microsoft Admin Center versions 2.6.2.6 and 2.6.4 (CVE-2026-32196); insufficient technical detail provided.

CVE-2026-32196

Vulnerabilities

Radware Alteon vADC XSS (CVE-2026-5754)

Cross-site scripting vulnerability in Radware Alteon vADC load balancer (CVE-2026-5754); minimal technical information available.

CVE-2026-5754