Cyber Threats Daily — 2026-04-24 (April 24, 2026)
TITLE: KEV Surge: Marimo RCE, Defender ACL Flaw, and Cisco SD-WAN Trio Headline Fresh Exploits
Top of the Stack: This Week's KEV Additions
- CVE-2026-39987 lands Marimo on KEV for remote code execution in the Python notebook platform; CISA set a tight 2026-05-07 federal remediation deadline — treat internet-exposed Marimo instances as compromised until patched.
- CVE-2026-33825 flags Microsoft Defender for insufficient granularity of access control, exploited in the wild with a 2026-05-06 fix deadline; review Defender role assignments and audit for tampering where EDR telemetry went quiet.
- Cisco Catalyst SD-WAN Manager takes three simultaneous KEV hits — CVE-2026-20122 (privileged API misuse), CVE-2026-20133 (sensitive information exposure), and CVE-2026-20128 (recoverable password storage) — all with a past-due 2026-04-23 deadline, indicating active campaigns against SD-WAN management planes.
Ransomware-Linked Flaws You Can't Ignore
- CVE-2023-27351 (PaperCut NG/MF improper authentication) was re-flagged with known ransomware use and a 2026-05-04 deadline; despite its age, print-management servers remain a soft entry point for affiliates pivoting into Windows domains.
- CVE-2024-27199 (JetBrains TeamCity path traversal) is tagged for ransomware exploitation with a 2026-05-04 due date — unpatched CI/CD servers offer attackers credential troves and build-pipeline poisoning opportunities.
- CVE-2023-21529 (Microsoft Exchange Server deserialization) returns to the ransomware watchlist with a 2026-04-27 deadline; on-prem Exchange remains a priority target, and federal agencies should verify their CU/SU baseline.
- CVE-2026-20131 (Cisco Secure FMC / Security Cloud Control deserialization) is being leveraged by ransomware operators; the 2026-03-22 deadline has passed, so any lagging agencies are now out of compliance and should assume compromise.
Enterprise Edge and Identity Plane
- Kentico Xperience path traversal CVE-2025-2749 and Quest KACE SMA auth bypass CVE-2025-32975 both carry 2026-05-04 deadlines; both are common mid-market stacks where patch cycles lag and admin consoles face the internet.
- Fortinet FortiClient EMS was hit twice — SQLi CVE-2026-21643 (due 2026-04-16) and improper access control CVE-2026-35616 (due 2026-04-09) — with both deadlines now lapsed. EMS compromise typically yields downstream endpoint policy manipulation.
- CVE-2026-1340 (Ivanti EPMM code injection, due 2026-04-11) continues the Ivanti streak; mobile-management servers should be pulled behind VPN-only access until the patch state is verified.
- Citrix NetScaler OOB read CVE-2026-3055 (due 2026-04-02) and F5 BIG-IP stack overflow CVE-2025-53521 (due 2026-03-30) round out the load-balancer/ADC exposure — both are past due and likely seeing opportunistic scanning.
Microsoft Patch Tuesday Fallout
- CVE-2026-32201 (SharePoint Server improper input validation) and CVE-2026-20963 (SharePoint deserialization) are both in KEV; the latter's 2026-03-21 deadline has passed and deserialization bugs in SharePoint historically translate to unauthenticated RCE.
- CVE-2025-60710 (Windows link following) and CVE-2023-36424 (Windows OOB read) share a 2026-04-27 deadline — low-privilege-to-SYSTEM primitives commonly chained with phishing payloads.
- CISA dusted off two legacy Office bugs — CVE-2009-0238 (Office RCE, due 2026-04-28) and CVE-2012-1854 (VBA insecure library loading, due 2026-04-27) — suggesting in-the-wild use against unpatched legacy document viewers, likely in targeted spear-phishing.
Developer Tooling and Supply-Chain Exposure
- CVE-2026-33634 adds Aquasecurity Trivy to KEV for embedded malicious code (due 2026-04-09), a direct supply-chain signal — verify Trivy binary provenance and rotate any credentials scanned by compromised versions.
- CVE-2026-33017 (Langflow code injection) and CVE-2025-68613 (n8n dynamic code execution) show attackers continue to target low-code/AI orchestration platforms where untrusted flows become RCE.
- CVE-2025-32432 (Craft CMS) and CVE-2025-54068 (Laravel Livewire) are both code-injection flaws with 2026-04-03 deadlines; both are PHP-stack staples that frequently run with database and filesystem privileges.
Browser, Client, and Apple Ecosystem
- Chrome/Chromium saw dual KEV entries — CVE-2026-3910 (V8 memory corruption) and CVE-2026-3909 (Skia OOB write) — plus CVE-2026-5281 (Dawn use-after-free, due 2026-04-15); all three are classic drive-by exploitation vectors.
- Apple gets three entries — CVE-2025-43510, CVE-2025-43520, and CVE-2025-31277 (locking flaw and buffer overflows across multiple products, all due 2026-04-03) — consistent with chained mobile exploitation activity seen in commercial spyware operations.
- CVE-2020-9715 and CVE-2026-34621 (Adobe Acrobat UAF and prototype pollution) share a 2026-04-27 deadline, underscoring that weaponized PDFs remain a durable initial-access vector.
Also on the Board
- CVE-2025-48700 and CVE-2025-66376 place Zimbra Collaboration Suite back in the crosshairs with XSS flaws used for session theft against webmail users — review for anomalous OAuth grants and mail-forwarding rules.
- CVE-2026-34197 (Apache ActiveMQ input validation, due 2026-04-30) continues the broker's long KEV history; expect crypto-mining and Godzilla-webshell payloads against exposed 61616/tcp listeners.
- CVE-2025-47813 (Wing FTP Server information disclosure) and CVE-2026-3502 (TrueConf Client integrity-check bypass) round out the smaller-vendor exposure — niche but reliably under-patched in SMB environments.
Analyst Takeaway
This batch is dominated by edge infrastructure (Cisco SD-WAN, Fortinet EMS, NetScaler, BIG-IP, Ivanti EPMM) and revived ransomware-linked CVEs in PaperCut, TeamCity, Exchange, and Cisco FMC. Prioritize the already-lapsed deadlines first — those indicate CISA has confidence in active exploitation at scale. Second wave: Marimo, Defender, and the SharePoint deserialization bug, where the attack surface is narrower but consequences are higher.
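The prioritization the takeaway argues for (lapsed deadlines first, then ransomware-linked entries, then the rest by due date) expressed as a triage pass over a constructed subset of the CISA KEV JSON field layout. This is an added example, not code from the digest or from CISA; the sample entries are assumed to carry only the four KEV fields used here, populated from the CVEs above.

```python
"""Rank KEV entries in the order the analyst takeaway recommends."""
from datetime import date

# Constructed sample in the CISA KEV JSON field layout (cveID, product,
# dueDate, knownRansomwareCampaignUse), populated from this digest.
KEV_SAMPLE = [
    {"cveID": "CVE-2026-39987", "product": "Marimo", "dueDate": "2026-05-07", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-33825", "product": "Microsoft Defender", "dueDate": "2026-05-06", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20122", "product": "Cisco Catalyst SD-WAN Manager", "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-27351", "product": "PaperCut NG/MF", "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-20131", "product": "Cisco Secure FMC", "dueDate": "2026-03-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-20963", "product": "SharePoint Server", "dueDate": "2026-03-21", "knownRansomwareCampaignUse": "Unknown"},
]


def triage(entries, today):
    """Return entries sorted into the digest's priority order.

    Tier 0: due date already lapsed (CISA has signalled exploitation at scale).
    Tier 1: ransomware-linked but not yet due.
    Tier 2: everything else.
    Within a tier, earliest due date first, so the longest-overdue lapsed
    entries surface at the top. `today` is an ISO date string.
    """
    today = date.fromisoformat(today)

    def key(e):
        due = date.fromisoformat(e["dueDate"])
        lapsed = due < today
        ransom = e.get("knownRansomwareCampaignUse") == "Known"
        tier = 0 if lapsed else (1 if ransom else 2)
        return (tier, due, e["cveID"])

    ranked = []
    for e in sorted(entries, key=key):
        due = date.fromisoformat(e["dueDate"])
        ranked.append({
            "cveID": e["cveID"],
            "product": e["product"],
            "days_overdue": max((today - due).days, 0),
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
        })
    return ranked


if __name__ == "__main__":
    for row in triage(KEV_SAMPLE, "2026-04-24"):
        print(row)
```

Swap `KEV_SAMPLE` for the `vulnerabilities` array of the live KEV feed to run the same ordering over the full catalogue.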
