Cyber Threats Daily · 2026-04-20 (April 20, 2026)

Cyber Threats Daily — 2026-04-20: Cisco FMC RCE tied to ransomware; Apache ActiveMQ, SharePoint, Ivanti EPMM added to KEV

---

Executive Summary

Over the past two weeks, CISA added a heavy slate of actively exploited vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog. The standout is CVE-2026-20131 in Cisco Secure Firewall Management Center (FMC) — the only new KEV entry flagged with Known ransomware campaign use in this window. Also notable: new entries for Apache ActiveMQ, Microsoft SharePoint Server, Ivanti EPMM, Fortinet FortiClient EMS, Citrix NetScaler, and F5 BIG-IP APM. Several remediation deadlines are already in the rear-view mirror — confirm your patch status today.

---

Priority 1 — Ransomware-Linked KEV

CVE-2026-20131 — Cisco Secure Firewall Management Center (FMC) / Security Cloud Control (SCC) Firewall Management

  • Type: Deserialization of untrusted data in the web management interface
  • Impact: Unauthenticated remote attacker can execute arbitrary Java code as root
  • KEV added: 2026-03-19 • Due: 2026-03-22 (OVERDUE)
  • Ransomware use: Known
  • SOC action: Treat any unpatched FMC/SCC instance as compromised until proven otherwise. Hunt for anomalous Java process spawns, outbound beacons from the management VM, and new local accounts. Restrict the management interface to dedicated admin networks only.

---

Priority 2 — Fresh KEV Additions (April 2026)

CVE-2026-34197 — Apache ActiveMQ (Improper Input Validation → code injection)

  • KEV added: 2026-04-16 • Due: 2026-04-30
  • Internet-exposed brokers remain a perennial ransomware target. Inventory ActiveMQ assets, apply vendor fixes, and block 61616/8161 at the perimeter if not required.

CVE-2026-32201 — Microsoft SharePoint Server (Improper Input Validation → spoofing)

  • KEV added: 2026-04-14 • Due: 2026-04-28
  • Spoofing-class but actively exploited. Prioritize internet-facing SharePoint farms; pair with the earlier CVE-2026-20963 (SharePoint deserialization RCE, KEV 2026-03-18, due 2026-03-21 — OVERDUE).

CVE-2026-34621 — Adobe Acrobat and Reader (Prototype Pollution → arbitrary code execution)

  • KEV added: 2026-04-13 • Due: 2026-04-27
  • Client-side exploitation via crafted PDFs. Push updates through endpoint management and watch for phishing-delivered PDFs.

CVE-2025-60710 — Microsoft Windows (Link Following → privilege escalation)

  • KEV added: 2026-04-13 • Due: 2026-04-27
  • Likely chained with initial access exploits. Patch endpoints and servers promptly.

CVE-2023-21529 — Microsoft Exchange Server (Deserialization → authenticated RCE)

  • KEV added: 2026-04-13 • Due: 2026-04-27
  • Older CVE, now observed in the wild. Confirm Exchange CU/SU levels; hunt for suspicious OWA/ECP child processes.

CVE-2023-36424 — Windows CLFS driver (Out-of-Bounds Read → LPE)

  • KEV added: 2026-04-13 • Due: 2026-04-27
  • CLFS continues to be a favored LPE primitive for ransomware operators.

CVE-2020-9715 — Adobe Acrobat (Use-After-Free → code execution)

  • KEV added: 2026-04-13 • Due: 2026-04-27

CVE-2012-1854 — Microsoft VBA (Insecure Library Loading → RCE)

  • KEV added: 2026-04-13 • Due: 2026-04-27
  • Legacy CVE resurfacing; ensure Office baseline hardening and macro/DLL-side-loading controls are in force.

CVE-2009-0238 — Microsoft Office Excel (RCE via malformed object)

  • KEV added: 2026-04-14 • Due: 2026-04-28
  • Very old bug appearing in KEV — implies legacy Office footprints are being targeted. Audit for unsupported Office versions.

CVE-2026-21643 — Fortinet FortiClient EMS (SQL Injection → unauthenticated code execution)

  • KEV added: 2026-04-13 • Due: 2026-04-16 (OVERDUE)

CVE-2026-35616 — Fortinet FortiClient EMS (Improper Access Control → unauthenticated code execution)

  • KEV added: 2026-04-06 • Due: 2026-04-09 (OVERDUE)
  • Two EMS bugs within a week. Pull EMS off the public internet, review DB audit logs, and rotate any credentials stored on the server.

CVE-2026-1340 — Ivanti Endpoint Manager Mobile (EPMM) (Code Injection → unauthenticated RCE)

  • KEV added: 2026-04-08 • Due: 2026-04-11 (OVERDUE)
  • EPMM's track record (pre-existing Ivanti MobileIron zero-days) warrants a compromise assessment, not just patching.

CVE-2026-3502 — TrueConf Client (update chain / no integrity check)

  • KEV added: 2026-04-02 • Due: 2026-04-16 (OVERDUE)
  • Supply-chain style: tampered updates yield code execution. Validate update channel integrity and endpoint inventory.

CVE-2026-5281 — Google Dawn (Use-After-Free in Chromium stack)

  • KEV added: 2026-04-01 • Due: 2026-04-15 (OVERDUE)
  • Affects Chrome, Edge, and other Chromium-based browsers. Force browser restarts via policy.

---

Priority 3 — Still-Active March Additions Worth Re-Checking

  • CVE-2026-3055 — Citrix NetScaler ADC/Gateway (OOB read, SAML IDP). KEV 2026-03-30; due 2026-04-02 (OVERDUE). Memory overread enabling further exploitation — familiar NetScaler territory.
  • CVE-2025-53521 — F5 BIG-IP APM (stack buffer overflow → RCE). Due 2026-03-30 (OVERDUE).
  • CVE-2026-22719 — VMware Aria Operations (command injection → unauth RCE during migration). Due 2026-03-24 (OVERDUE).
  • CVE-2025-26399 — SolarWinds Web Help Desk (deserialization RCE via AjaxProxy). Due 2026-03-12 (OVERDUE).
  • CVE-2026-1603 — Ivanti Endpoint Manager (EPM) (auth bypass → credential leak). Due 2026-03-23 (OVERDUE).
  • CVE-2026-33634 — Aqua Trivy (embedded malicious code in CI/CD). Due 2026-04-09 (OVERDUE). Rotate all CI/CD secrets if affected versions ran in pipelines.
  • CVE-2026-33017 — Langflow (code injection, unauth flow builder). Due 2026-04-08 (OVERDUE).
  • CVE-2025-54068 — Laravel Livewire (code injection → unauth RCE).
  • CVE-2025-32432 — Craft CMS (code injection → RCE).
  • CVE-2025-68613 — n8n (workflow expression RCE). Due 2026-03-25 (OVERDUE).
  • Apple multi-product chain — CVE-2025-43510, CVE-2025-43520, CVE-2025-31277, plus older CVE-2023-43000, CVE-2023-41974, CVE-2021-30952. Apple fleet management should confirm minimum OS versions across iOS/iPadOS/macOS/watchOS/visionOS/tvOS.
  • CVE-2025-66376 — Zimbra Collaboration Suite (XSS via CSS @import in Classic UI). Phishing-enabling; mitigate by disabling Classic UI or patching.
  • CVE-2026-3910 / CVE-2026-3909 — Chromium V8 / Skia memory bugs. Browser-wide update push if not already completed.
  • CVE-2025-47813 — Wing FTP Server (info disclosure via long UID cookie).
  • CVE-2021-22054 — Omnissa Workspace ONE UEM (unauth SSRF).
  • CVE-2017-7921 — Hikvision (auth bypass). ICS/physical-sec crossover; check NVRs/cameras on management networks.
  • CVE-2021-22681 — Rockwell Studio 5000 / Logix controllers (protected credential weakness). OT teams: review controller communication trust.
  • CVE-2026-21385 — Qualcomm chipsets (memory corruption). Push mobile OEM patches.

---

Recommended SOC Actions This Week

1. Prioritize ransomware-linked CVE-2026-20131 (Cisco FMC/SCC). Assume breach on unpatched units; isolate and hunt.

2. Clear the overdue KEV backlog — especially Fortinet EMS, Ivanti EPMM/EPM, Citrix NetScaler, F5 BIG-IP APM, VMware Aria Ops, SolarWinds WHD. Each is a proven pivot point.

3. Sweep for legacy Office/Windows exposure — 2009- and 2012-era CVEs on KEV indicate opportunistic adversary targeting of unmanaged endpoints.

4. Browser + PDF push: Chromium (Dawn, V8, Skia) and Adobe Acrobat/Reader patches across the fleet.

5. CI/CD hygiene: If Trivy or Langflow were in pipelines, rotate tokens, SSH keys, and cloud credentials.

Stay sharp — patch windows are closing on multiple exploited-in-the-wild bugs.
