Cyber Threats Daily — 2026-04-30

Cyber Threats Daily — KEV surge: ConnectWise, Windows, SharePoint, Cisco SD-WAN under active exploitation

---

Top of the Watchfloor

CISA's KEV catalog took a heavy load this cycle: 40 additions spanning fresh zero-days and resurrected legacy bugs. Several entries carry the known-ransomware-use flag, and roughly half of the remediation deadlines have already lapsed. Anything past due should be treated as an open incident-response item, not a patching backlog ticket.

Actively Exploited — Patch This Week

  • CVE-2024-1708 (ConnectWise ScreenConnect path traversal) was added to KEV on 2026-04-28 with a 2026-05-12 federal deadline; ScreenConnect remains a top initial-access vector for ransomware affiliates and MSP-pivot intrusions.
  • CVE-2026-32202 in Microsoft Windows is a protection-mechanism-failure bug now confirmed exploited, due 2026-05-12 — pair remediation with CVE-2025-60710 (Windows link following, due 2026-04-27, already past) and CVE-2023-36424 (Windows OOB read, also past due).
  • CVE-2026-32201 hits Microsoft SharePoint Server via improper input validation; its KEV deadline of 2026-04-28 has already passed, and SharePoint exploitation chains have historically led directly to domain compromise.
  • CVE-2026-33825 affects Microsoft Defender access controls (due 2026-05-06), an unusual KEV entry that suggests adversaries are actively neutralizing endpoint protection prior to payload delivery.
  • CVE-2023-21529, an Exchange Server deserialization flaw with known ransomware use, is due 2026-04-27 — past deadline for any agency still running unpatched Exchange on-prem.

Edge & Network Gear Under Fire

  • Cisco Catalyst SD-WAN Manager has a triple hit — CVE-2026-20122, CVE-2026-20133, and CVE-2026-20128 (privileged API misuse, info disclosure, recoverable password storage) — all with a 2026-04-23 deadline that has already lapsed; assume compromise if unpatched.
  • CVE-2026-20131 in Cisco Secure FMC / Security Cloud Control is flagged for known ransomware use, deadline 2026-03-22 long expired — this is an IR trigger, not a patch task.
  • CVE-2026-3055 (Citrix NetScaler OOB read) and CVE-2025-53521 (F5 BIG-IP stack overflow) extend the load-balancer exploitation trend; both deadlines passed in late March.
  • Fortinet FortiClient EMS racked up two KEV entries: CVE-2026-21643 (SQL injection) and CVE-2026-35616 (improper access control), with deadlines already past — EMS is increasingly being used as a foothold into managed endpoint fleets.
  • CVE-2025-29635 in D-Link DIR-823X routers (command injection, due 2026-05-08) is being abused for botnet recruitment and residential-proxy buildouts.

Remote Support & Management Tooling

SimpleHelp's CVE-2024-57728 (path traversal) and CVE-2024-57726 (missing authorization), both due 2026-05-08, continue the pattern of attackers weaponizing remote-support platforms as ransomware staging points. Pair with the ScreenConnect entry above and CVE-2025-32975 in Quest KACE SMA (improper auth, due 2026-05-04) — RMM/management surfaces are the dominant initial-access theme this week.

Enterprise Apps & CMS

  • CVE-2024-7399 in Samsung MagicINFO 9 Server (path traversal, due 2026-05-08) targets digital-signage deployments often forgotten in asset inventories.
  • CVE-2023-27351 in PaperCut NG/MF carries the ransomware-use flag and a 2026-05-04 deadline; this bug has been weaponized by multiple crews since 2023.
  • CVE-2025-2749 (Kentico Xperience path traversal) and CVE-2025-32432 (Craft CMS code injection) round out the CMS exploitation cluster — review any internet-facing marketing infrastructure.
  • CVE-2024-27199 in JetBrains TeamCity (ransomware use, due 2026-05-04) remains attractive for supply-chain pivots into build pipelines.
  • CVE-2025-48700 in Zimbra Collaboration Suite (XSS) had a 2026-04-23 deadline — past due, and Zimbra remains a favorite of state-aligned operators.
  • CVE-2026-34197 in Apache ActiveMQ (improper input validation) hits its deadline today, 2026-04-30; ActiveMQ has a track record of post-exploitation cryptominer and ransomware deployment.

AI/ML and Developer Toolchain

A notable cluster of supply-chain and AI-tooling bugs landed in KEV this cycle:

  • CVE-2026-39987 (Marimo notebook RCE, due 2026-05-07) and CVE-2026-33017 (Langflow code injection, deadline 2026-04-08 expired) show adversaries targeting LLM developer tooling directly.
  • CVE-2026-33634 in Aqua Security's Trivy scanner is flagged as embedded malicious code, a supply-chain compromise of a security scanner itself, with a 2026-04-09 deadline already past. Audit any CI pipelines that pulled affected versions, and treat their build outputs and cached credentials as suspect.
  • CVE-2025-54068 (Laravel Livewire code injection) and CVE-2026-3502 (TrueConf Client missing integrity check on downloaded code) extend the developer-tooling and client-side supply-chain theme.

Apple & Browser Engines

Three Apple multi-product bugs — CVE-2025-43510 (improper locking), CVE-2025-43520 (classic buffer overflow), and CVE-2025-31277 (buffer overflow) — were added together with a 2026-04-03 deadline now well past; iOS/macOS fleets should be verified at current patch level. CVE-2026-5281 (Google Dawn use-after-free, due 2026-04-15) covers Chromium's WebGPU layer and was added alongside in-the-wild exploitation reports.

Mobile Device Management

CVE-2026-1340 in Ivanti EPMM (code injection, deadline 2026-04-11 expired) continues Ivanti's troubled KEV streak. MDM compromise grants attackers policy-level control over enrolled devices — treat unpatched instances as breach scenarios.

Legacy Resurrections — Don't Ignore

CISA added three notably old CVEs this cycle: CVE-2009-0238 (Microsoft Office RCE), CVE-2012-1854 (VBA insecure library loading), and CVE-2020-9715 (Adobe Acrobat UAF). Their re-emergence in KEV typically signals active campaigns weaponizing maldocs against unpatched legacy estates — likely tied to recent phishing waves. CVE-2026-34621 (Adobe Acrobat/Reader prototype pollution, due 2026-04-27) rounds out the document-handler exposure.

Analyst Note

Of the 40 KEV additions tracked, roughly half have remediation deadlines that had already passed as of today. The pattern, with RMM tools, edge appliances, and AI/dev tooling dominating the list, reflects where adversary tradecraft is moving. Prioritize the past-due items as compromise assessments, not patch windows.
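The triage rule stated at the top of this issue and again in the analyst note (past-due KEV entries are incident-response items, not patch tickets) is easy to automate against the catalog itself. The script below is an added example written for this issue; it is not part of the newsletter and not CISA tooling. It reads a catalog snapshot in the JSON layout CISA publishes for the KEV feed (a top-level "vulnerabilities" list with cveID, vendorProject, product, dueDate and knownRansomwareCampaignUse fields), buckets each entry as past due, due within a configurable window, or scheduled, and orders each bucket with ransomware-flagged entries first. The embedded snapshot is constructed from seven identifiers, products, deadlines and ransomware flags cited above; the catalogVersion and dateReleased header values are placeholders, and the window length is a parameter rather than anything CISA defines.

```python
"""Triage a CISA KEV catalog snapshot by remediation deadline.

Added example, not the newsletter's or CISA's own code. The input layout
mirrors known_exploited_vulnerabilities.json; swap SAMPLE_KEV_JSON for the
live file to run this against the real catalog.
"""
import json
from datetime import date, timedelta

# Constructed snapshot: CVE IDs, products, due dates and ransomware flags are
# taken from this issue; catalogVersion/dateReleased are placeholder values.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.04.28",
    "dateReleased": "2026-04-28T00:00:00.0000Z",
    "count": 7,
    "vulnerabilities": [
        {"cveID": "CVE-2024-1708", "vendorProject": "ConnectWise", "product": "ScreenConnect",
         "dueDate": "2026-05-12", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2026-32202", "vendorProject": "Microsoft", "product": "Windows",
         "dueDate": "2026-05-12", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-32201", "vendorProject": "Microsoft", "product": "SharePoint Server",
         "dueDate": "2026-04-28", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2026-20131", "vendorProject": "Cisco", "product": "Secure FMC",
         "dueDate": "2026-03-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2026-34197", "vendorProject": "Apache", "product": "ActiveMQ",
         "dueDate": "2026-04-30", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X",
         "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def load_kev(raw_json):
    """Return the vulnerability list from a KEV catalog document."""
    return json.loads(raw_json)["vulnerabilities"]


def _ransomware_first(entry):
    # Sort key: known-ransomware entries first, then earliest deadline.
    # ISO dates sort correctly as strings.
    return (entry.get("knownRansomwareCampaignUse") != "Known", entry["dueDate"])


def triage(entries, today_iso, window_days=14):
    """Bucket KEV entries by due date relative to today_iso (YYYY-MM-DD).

    past_due  -> deadline already passed; treat as an open IR item
    due_soon  -> due today or within window_days; this cycle's patch list
    scheduled -> later deadline; normal patch backlog
    """
    today = date.fromisoformat(today_iso)
    horizon = today + timedelta(days=window_days)
    buckets = {"past_due": [], "due_soon": [], "scheduled": []}
    for entry in entries:
        due = date.fromisoformat(entry["dueDate"])
        if due < today:
            buckets["past_due"].append(entry)
        elif due <= horizon:
            buckets["due_soon"].append(entry)
        else:
            buckets["scheduled"].append(entry)
    for bucket in buckets.values():
        bucket.sort(key=_ransomware_first)
    return buckets


def days_overdue(entry, today_iso):
    """Days past the remediation deadline; negative while the deadline is open."""
    return (date.fromisoformat(today_iso) - date.fromisoformat(entry["dueDate"])).days


def report(buckets, today_iso):
    """One line per entry, bucket by bucket, in triage order."""
    labels = {"past_due": "IR TRIGGER", "due_soon": "PATCH NOW", "scheduled": "BACKLOG"}
    lines = []
    for name, entries in buckets.items():
        for e in entries:
            flag = "ransomware" if e.get("knownRansomwareCampaignUse") == "Known" else "-"
            lines.append(f"{labels[name]:<10} {e['cveID']:<15} {e['vendorProject']} {e['product']}"
                         f" due {e['dueDate']} ({days_overdue(e, today_iso):+d}d) {flag}")
    return lines


if __name__ == "__main__":
    issue_date = "2026-04-30"
    for line in report(triage(load_kev(SAMPLE_KEV_JSON), issue_date), issue_date):
        print(line)
```

Run against the live catalog, the past_due bucket is the list to hand to incident response; the 14-day default window matches the cadence of most KEV deadlines, and a 7-day window reproduces a strict "this week" view.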