Cyber Threats Daily, April 27, 2026

TITLE: Cyber Threats Daily — Cisco SD-WAN Manager trio, SimpleHelp & D-Link join KEV; PaperCut and TeamCity flagged for ransomware

---

Top of the Stack: Edge & Management Plane Under Fire

Cisco's management plane took the brunt of this KEV cycle. CVE-2026-20122, CVE-2026-20133, and CVE-2026-20128 form a three-bug cluster in Cisco Catalyst SD-WAN Manager covering privileged-API misuse, sensitive-info exposure, and recoverable password storage, all carrying an aggressive CISA remediation deadline of 2026-04-23 (already past), so federal operators should be in cleanup mode and enterprises should treat this as overdue. Because one of the three concerns passwords stored in a recoverable form, patching alone does not close it out: treat credentials held by an exposed Manager as potentially disclosed and rotate them once the upgrade is done.

Separately, CVE-2026-20131 in Cisco Secure Firewall Management Center (FMC) and Security Cloud Control firewall management is an untrusted-deserialization bug flagged for known ransomware use (deadline 2026-03-22, well past). If your FMC isn't patched, assume hands-on-keyboard risk.

Fresh KEV Additions (this week)

  • CVE-2025-29635 in D-Link DIR-823X is an unauthenticated command-injection bug now in KEV with a 2026-05-08 federal deadline; treat any DIR-823X reachable from the internet as compromised until proven otherwise.
  • CVE-2024-7399 path traversal in Samsung MagicINFO 9 Server (digital signage backend) is being exploited through unauthenticated endpoints to drop payloads; agencies must remediate by 2026-05-08.
  • CVE-2024-57728 and CVE-2024-57726 in SimpleHelp remote-support software (path traversal + missing authorization) were chained earlier this year by ransomware crews against MSPs; both land in KEV with a 2026-05-08 due date.
  • CVE-2026-39987 is a Marimo notebook RCE (deadline 2026-05-07) — relevant for data-science/ML environments where Marimo is increasingly deployed alongside Jupyter.
  • CVE-2026-33825 in Microsoft Defender (insufficient access-control granularity) made KEV with a 2026-05-06 deadline; review Defender tenant role assignments and audit any unexpected policy changes.

Ransomware-Tagged Legacy Bugs Resurfacing

CISA explicitly flagged three older bugs as known ransomware vectors in this batch — a reminder that initial-access brokers are still mining unpatched estate:

  • CVE-2023-27351 improper authentication in PaperCut NG/MF (deadline 2026-05-04). PaperCut has been a recurring ransomware on-ramp since 2023; if you still run it on-prem, verify the patch level today.
  • CVE-2024-27199 relative path traversal in JetBrains TeamCity (deadline 2026-05-04) — abused by multiple ransomware affiliates against CI/CD systems with secrets and signing keys.
  • CVE-2023-21529 Exchange Server deserialization (deadline 2026-04-27, today). Any unpatched on-prem Exchange should be treated as high-priority; this is the tail of the long Exchange exploitation arc.
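Three of the bugs above (MagicINFO, SimpleHelp, TeamCity) are path traversals, and the hunt in the action list below starts with the web access logs of those products. The following is an added example written for this issue, not vendor or CISA code: it canonicalises request targets the way a lax server would (repeated percent-decoding, backslashes, servlet-style `;param` segments) and flags any request whose decoded path climbs with `..`, successful responses first. The log lines are constructed in combined-log shape with generic probe paths, not the real endpoints of any product named here, and `LOG_RE` assumes that log shape.

```python
"""Flag path-traversal probes in web access logs.

Added example for this newsletter, not code from any vendor named above.
The log lines are constructed in combined-log shape; the request paths are
generic traversal patterns, not the specific endpoints of any one product.
"""
import re
from urllib.parse import unquote

# constructed sample: 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2026:03:14:07 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1894
203.0.113.7 - - [20/Apr/2026:03:14:09 +0000] "GET /img/..%252f..%252fconfig.ini HTTP/1.1" 404 153
198.51.100.22 - - [20/Apr/2026:03:15:41 +0000] "GET /api/files/a;x/../../secrets HTTP/1.1" 200 512
198.51.100.22 - - [20/Apr/2026:03:15:42 +0000] "GET /docs/..%5c..%5cwin.ini HTTP/1.1" 200 92
10.0.0.5 - - [20/Apr/2026:03:16:00 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.5 - - [20/Apr/2026:03:16:01 +0000] "POST /api/files?name=report.pdf HTTP/1.1" 201 40
"""

# assumes Apache/nginx combined-log layout; adjust for other formats
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(target: str) -> str:
    """Canonicalise a request target the way a lax server might before it
    touches the filesystem: strip the query string, percent-decode until the
    result stops changing (defeats %252e double encoding), treat backslashes
    as separators, and drop servlet-style ';param' suffixes from segments."""
    path = target.split("?", 1)[0]
    previous = None
    while path != previous:
        previous, path = path, unquote(path)
    path = path.replace("\\", "/")
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def is_traversal(target: str) -> bool:
    """True if any decoded segment is a run of two or more dots ('..', '....')."""
    return any(re.fullmatch(r"\.{2,}", seg) for seg in normalize_path(target).split("/"))


def hunt(log_text: str) -> list[dict]:
    """Return one record per suspicious request, successful (2xx/3xx) ones first
    so responders look at the probes that likely worked before the noise."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["target"]):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "target": m["target"],
            "normalized": normalize_path(m["target"]),
            "status": status,
            "succeeded": status < 400,
        })
    hits.sort(key=lambda h: (not h["succeeded"], h["ts"]))
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        flag = "SUCCESS" if h["succeeded"] else "blocked"
        print(f"{flag:7} {h['ip']:15} {h['status']} {h['target']} -> {h['normalized']}")
```

A 200 on a traversal path is the line to pivot on: check what the web server or application logged for that request and whether any file was written or read outside the web root. A 404 still tells you who is scanning you.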

Microsoft Patch-Catchup Block (deadline today, 2026-04-27)

A cluster of Microsoft KEV entries hit their federal due date today and should be your morning standup checklist:

  • CVE-2026-32201 SharePoint Server input-validation flaw and CVE-2026-20963 SharePoint deserialization bug, both server-side; the SharePoint-focused actors active through 2025 and 2026 have already weaponized similar bugs.
  • CVE-2025-60710 (Windows link following) and CVE-2023-36424 (Windows out-of-bounds read), both local privilege escalation paths.
  • CVE-2012-1854 VBA insecure library loading and CVE-2009-0238 Office RCE — yes, 2009 and 2012 — added because operators are still seeing them land in real intrusions via macro-laden documents on legacy installs.

Other Notables

  • CVE-2026-34197 improper input validation in Apache ActiveMQ (deadline 2026-04-30) — ActiveMQ has been a steady RCE target since the 2023 CVE-2023-46604 wave; broker exposure should be locked down behind auth and network controls.
  • CVE-2026-21643 SQL injection and CVE-2026-35616 improper access control, both in Fortinet FortiClient EMS, are past due (deadlines 2026-04-16 and 2026-04-09 respectively); EMS console exposure to the internet is a recurring intrusion vector worth re-auditing.
  • CVE-2026-1340 code injection in Ivanti EPMM (deadline 2026-04-11, past) extends the long Ivanti exploitation streak; mobile-device management consoles continue to be high-value targets.
  • CVE-2026-3055 out-of-bounds read in Citrix NetScaler and CVE-2025-53521 stack overflow in F5 BIG-IP are both past their deadlines — load balancer/edge appliance hygiene remains the single highest-leverage patching task most orgs still defer.
  • Apple shipped a multi-product trio — CVE-2025-43510 (improper locking), CVE-2025-43520 (classic buffer overflow), and CVE-2025-31277 (buffer overflow) — all past-due 2026-04-03; ensure macOS/iOS fleet management has caught up.
  • CVE-2025-32432 in Craft CMS and CVE-2025-54068 in Laravel Livewire are code-injection bugs being used against PHP web stacks; web-app teams should verify framework versions even if WAFs are in place.
  • CVE-2026-33634 is an embedded-malicious-code finding in Aquasecurity Trivy — a supply-chain concern given Trivy's role in CI scanning; verify you're on a clean release and rotate any tokens used by affected pipelines.
  • CVE-2026-33017 code injection in Langflow and CVE-2026-39987 in Marimo highlight a clear trend: AI/LLM tooling is now a routine KEV category. Inventory these tools the same way you'd inventory Jenkins.

What To Do Today

1. Confirm Cisco SD-WAN Manager and FMC patches are deployed — these deadlines are already blown.

2. Close out the Microsoft KEV block due today, especially Exchange (ransomware-tagged) and SharePoint.

3. Hunt for SimpleHelp, PaperCut, and TeamCity exploitation indicators if your patch lag exceeded a week.

4. Add Marimo, Langflow, and Trivy to your software inventory if they aren't already tracked.
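Steps 1, 2 and 4 come down to one join: the KEV feed against what you actually run, sorted by deadline and ransomware tag. The following is an added example written for this issue, not CISA tooling. The records use the field names of CISA's known_exploited_vulnerabilities.json feed (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse), but the records and the inventory are constructed from the items in this issue, and TODAY is pinned to 2026-04-27 so the buckets match the text; swap in the live feed and your CMDB export before acting on the output.

```python
"""Triage CISA KEV entries against a software inventory.

Added example for this newsletter, not CISA tooling. Field names follow the
CISA known_exploited_vulnerabilities.json feed; the records and inventory are
constructed from the items discussed in this issue.
"""
from datetime import date

TODAY = date(2026, 4, 27)  # pinned so the buckets match the issue; use date.today() live

# constructed, KEV-shaped records (subset of the feed's fields)
KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
         "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "MF/NG",
         "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
         "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2026-39987", "vendorProject": "Marimo", "product": "Marimo",
         "dueDate": "2026-05-07", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# constructed inventory for a hypothetical estate
INVENTORY = [
    {"vendor": "Cisco", "product": "SD-WAN Manager"},
    {"vendor": "Microsoft", "product": "Exchange Server"},
    {"vendor": "PaperCut", "product": "MF/NG"},
]

BUCKET_RANK = {"overdue": 0, "due_today": 1, "upcoming": 2}


def bucket(due: str, today: date) -> str:
    """Classify a KEV dueDate (ISO string) relative to today."""
    d = date.fromisoformat(due)
    if d < today:
        return "overdue"
    return "due_today" if d == today else "upcoming"


def in_inventory(entry: dict, inventory: list[dict]) -> bool:
    """Vendor must match exactly; product is a case-insensitive substring match
    because KEV product strings rarely match CMDB naming character for character."""
    for item in inventory:
        if (entry["vendorProject"].lower() == item["vendor"].lower()
                and item["product"].lower() in entry["product"].lower()):
            return True
    return False


def triage(kev: dict, inventory: list[dict], today: date = TODAY) -> list[dict]:
    """KEV entries that apply to this estate, ordered overdue first, then due
    today, then upcoming; within a bucket, ransomware-tagged entries first."""
    rows = []
    for e in kev["vulnerabilities"]:
        if not in_inventory(e, inventory):
            continue
        rows.append({
            "cveID": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "dueDate": e["dueDate"],
            "bucket": bucket(e["dueDate"], today),
            "ransomware": e["knownRansomwareCampaignUse"] == "Known",
        })
    rows.sort(key=lambda r: (BUCKET_RANK[r["bucket"]], not r["ransomware"], r["dueDate"]))
    return rows


def untracked(kev: dict, inventory: list[dict]) -> list[str]:
    """KEV entries that matched nothing in the inventory: either you do not run
    them, or they are running and untracked (step 4 is about telling the two apart)."""
    return [e["cveID"] for e in kev["vulnerabilities"] if not in_inventory(e, inventory)]


if __name__ == "__main__":
    for r in triage(KEV, INVENTORY):
        tag = "RANSOMWARE" if r["ransomware"] else ""
        print(f'{r["bucket"]:9} {r["dueDate"]} {r["cveID"]:16} {r["product"]} {tag}')
    print("no inventory match:", ", ".join(untracked(KEV, INVENTORY)))
```

The substring product match errs toward false positives on purpose: a KEV entry wrongly surfaced costs a minute of review, one wrongly dropped because the CMDB spells the product differently is how an overdue edge device stays unpatched.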