Cyber Threats Daily — 2026-04-29
TITLE: KEV surge: ConnectWise, Windows, Cisco SD-WAN, and SimpleHelp dominate 30-day exploitation wave
---
Top of the Stack: Fresh KEV Adds (April 28)
- CVE-2024-1708 ConnectWise ScreenConnect path traversal returns to active exploitation, added to KEV on April 28 with a May 12 federal remediation deadline — defenders should re-verify patch state given ScreenConnect's history as a ransomware launchpad.
- CVE-2026-32202 in Microsoft Windows (protection-mechanism failure) was added the same day with a May 12 deadline; pair Windows patching cycles with detection for security-control bypass artifacts.
High-Priority Remote Access & RMM Exploitation
The April KEV cadence shows attackers methodically working through remote-management tooling — a pattern consistent with ransomware affiliate playbooks.
- CVE-2024-57728 (path traversal) and CVE-2024-57726 (missing authorization) in SimpleHelp were added April 24 with May 8 deadlines, continuing the campaign against support-tooling chains observed since early 2025.
- CVE-2024-7399 in Samsung MagicINFO 9 Server (path traversal) joined KEV the same day; digital-signage servers are common pivots into corporate networks.
- CVE-2025-29635 D-Link DIR-823X command injection rounds out the April 24 batch — expect botnet recruitment activity against exposed edge devices.
Cisco SD-WAN: Three-Bug Cluster, Past-Due
CISA added three Cisco Catalyst SD-WAN Manager flaws on April 20 with an aggressive April 23 deadline that is now overdue:
- CVE-2026-20122 (incorrect privileged-API use), CVE-2026-20133 (sensitive-info exposure), and CVE-2026-20128 (recoverable password storage) together enable credential theft and privileged action abuse on SD-WAN orchestrators. Federal agencies past the deadline should treat these as incident-response triggers, not patch tickets.
- Adjacent: CVE-2026-20131 in Cisco Secure FMC / Security Cloud Control (deserialization, known ransomware use) was added March 19 with a March 22 deadline — confirm remediation evidence given ransomware tie-in.
Ransomware-Linked Flaws in Active Use
Three KEV entries this month carry the explicit "known ransomware use" tag — prioritize hunting over patch verification:
- CVE-2023-27351 PaperCut NG/MF improper authentication (added April 20, due May 4) — perennial ransomware staple, repeat offender.
- CVE-2024-27199 JetBrains TeamCity path traversal (added April 20, due May 4) — CI/CD compromise leads to supply-chain implants; review build-agent integrity.
- CVE-2023-21529 Microsoft Exchange Server deserialization (added April 13, due April 27, now past due) — on-prem Exchange remains a top ransomware initial-access vector.
Microsoft Patch-Tuesday Aftermath (April 13 batch)
A notable cluster of legacy and current Microsoft bugs landed in KEV mid-month, suggesting active exploitation chains stitching old VBA/Office bugs into modern intrusions:
- CVE-2026-32201 SharePoint Server improper input validation (due April 28 — today).
- CVE-2025-60710 Windows link-following and CVE-2023-36424 Windows OOB read (both due April 27, past due).
- Legacy revivals CVE-2009-0238 (Office RCE) and CVE-2012-1854 (VBA insecure library load) indicate phishing payloads still leveraging unpatched legacy installs — audit Office baselines on long-tail endpoints.
- CVE-2026-33825 in Microsoft Defender (insufficient access-control granularity, added April 22, due May 6) is particularly ugly: an EDR-bypass primitive in the EDR itself.
Adobe, Apple, and Browser-Adjacent
- CVE-2026-34621 Adobe Acrobat/Reader prototype pollution and CVE-2020-9715 Acrobat UAF (both due April 27) — re-image any host showing post-exploitation indicators following PDF lures.
- Apple multi-product cluster CVE-2025-43510, CVE-2025-43520, and CVE-2025-31277 (added March 20, due April 3 — past due) covers improper locking and buffer overflows; confirm MDM-pushed updates landed across the fleet.
- CVE-2026-5281 Google Dawn (WebGPU) use-after-free was added April 1 with an April 15 deadline; browser-rendered exploit chains remain viable against unpatched Chromium derivatives.
Network Edge & Identity Infrastructure
- CVE-2026-21643 and CVE-2026-35616 in Fortinet FortiClient EMS (SQL injection and improper access control respectively) carried tight April deadlines and are both past due — EMS compromise yields VPN endpoint provisioning abuse.
- CVE-2026-3055 Citrix NetScaler OOB read (due April 2, past due) and CVE-2025-53521 F5 BIG-IP stack overflow (due March 30, past due) round out the load-balancer exploitation theme — assume both have credential-harvesting implants where patching slipped.
- CVE-2026-1340 Ivanti EPMM code injection (due April 11, past due) continues Ivanti's bad year; mobile management compromise enables device-wide payload push.
Developer Tooling & AI Supply Chain
A noteworthy trend: KEV is increasingly populated with developer- and AI-stack components, signaling an attacker pivot to supply-chain footholds.
- CVE-2026-39987 Marimo RCE (added April 23, due May 7) and CVE-2026-33017 Langflow code injection (due April 8, past due) target AI/notebook frameworks frequently exposed without authentication.
- CVE-2026-33634 Aquasecurity Trivy embedded malicious code (due April 9, past due) — verify scanner binaries against known-good hashes; a poisoned SAST tool is a worst-case telemetry blind spot.
- CVE-2025-32432 Craft CMS and CVE-2025-54068 Laravel Livewire code-injection flaws (both due April 3) round out the web-app developer-stack exposure.
Other Notables
- CVE-2026-34197 Apache ActiveMQ improper input validation lands with a tomorrow (April 30) deadline — last call for federal remediation evidence.
- CVE-2025-2749 Kentico Xperience path traversal and CVE-2025-32975 Quest KACE SMA improper auth (both due May 4) target enterprise content and endpoint management — credential-theft staging grounds.
- CVE-2025-48700 Zimbra Collaboration Suite XSS (due April 23, past due) — Zimbra remains a state-actor favorite for mailbox access.
- CVE-2026-3502 TrueConf Client integrity-check failure (due April 16, past due) enables malicious update delivery to videoconferencing endpoints.
Analyst Takeaways
1. Past-due cluster is large. Roughly half the April additions have BOD 22-01 deadlines that have already lapsed — agencies should be in IR posture, not patch posture, for Cisco SD-WAN, Fortinet EMS, F5, NetScaler, Ivanti EPMM, and Exchange.
2. RMM/support tooling is the through-line. ScreenConnect, SimpleHelp, TrueConf, and KACE SMA all hit KEV this month — review least-privilege and egress controls on any agent-based management platform.
3. AI/dev-stack exposure is the new normal. Marimo, Langflow, and Trivy entries indicate adversaries are scanning for AI experimentation servers; inventory shadow-AI deployments.
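As an added example (not part of the briefing), a triage pass over a constructed sample in the shape of CISA's KEV JSON feed that sorts the month's entries into the tiers the takeaways describe: hunt for ransomware-tagged entries, IR posture for lapsed BOD 22-01 deadlines, patch verification for the rest. The feed field names are CISA's; the sample entries and the as-of date are taken from this briefing.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed: a "vulnerabilities" list whose
# items carry cveID, vendorProject, product, dateAdded, dueDate and
# knownRansomwareCampaignUse ("Known"/"Unknown"). Entries and dates come from the
# briefing above; the real feed is downloaded separately, not embedded here.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-1708", "vendorProject": "ConnectWise", "product": "ScreenConnect",
     "dateAdded": "2026-04-28", "dueDate": "2026-05-12", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-04-20", "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "NG/MF",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-20131", "vendorProject": "Cisco", "product": "Secure FMC",
     "dateAdded": "2026-03-19", "dueDate": "2026-03-22", "knownRansomwareCampaignUse": "Known"},
]})

TIER_ORDER = {"hunt": 0, "ir": 1, "patch": 2}

def triage(feed_json: str, today: date, window_days: int = 30) -> list:
    """Assign each KEV entry added within `window_days` a response tier, following the
    briefing's logic: ransomware-tagged -> 'hunt' (hunt before verifying patches),
    BOD 22-01 deadline lapsed -> 'ir' (treat as an incident trigger), otherwise 'patch'.
    Rows are ordered hunt > ir > patch, then by how far past due they are."""
    rows = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        added = date.fromisoformat(v["dateAdded"])
        due = date.fromisoformat(v["dueDate"])
        if (today - added).days > window_days:
            continue  # outside the reporting window
        ransomware = v.get("knownRansomwareCampaignUse") == "Known"
        days_overdue = max((today - due).days, 0)
        tier = "hunt" if ransomware else "ir" if days_overdue else "patch"
        rows.append({"cve": v["cveID"], "product": f'{v["vendorProject"]} {v["product"]}',
                     "due": due.isoformat(), "days_overdue": days_overdue,
                     "ransomware": ransomware, "tier": tier})
    rows.sort(key=lambda r: (TIER_ORDER[r["tier"]], -r["days_overdue"], r["due"]))
    return rows

if __name__ == "__main__":
    for r in triage(SAMPLE_KEV, date(2026, 4, 29)):
        print(f'{r["tier"]:5} {r["cve"]:15} {r["product"]:30} due {r["due"]} '
              f'overdue {r["days_overdue"]}d ransomware={r["ransomware"]}')
```

Against the real feed, replace SAMPLE_KEV with the downloaded JSON text and set `today` to the run date; the March 19 FMC entry drops out of the 30-day window, matching the briefing's "adjacent" treatment.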
