
Cyber Threats Daily — 2026-04-26

Cyber Threats Daily — Cisco SD-WAN, Apr-24 KEV wave, and overdue ransomware-linked flaws

---

Top of the Stack: Fresh KEV Adds (Apr 22–24)

CISA pushed three additions on 2026-04-24, all with a 2026-05-08 federal remediation deadline. Patch posture for edge and signage gear is the through-line:

  • CVE-2025-29635 — command injection in D-Link DIR-823X routers; consumer/SMB perimeter device, expect commodity botnet uptake within days of public PoC traffic.
  • CVE-2024-7399 — path traversal in Samsung MagicINFO 9 Server; the digital-signage management plane is internet-exposed at many retail and transit operators, making this a soft target for initial access.
  • CVE-2024-57728 and CVE-2024-57726 — paired SimpleHelp RMM flaws (path traversal + missing authorization). RMM compromises have been a recurring ransomware on-ramp; treat as critical regardless of "high" CVSS framing.

Earlier in the week, CVE-2026-39987 (Marimo RCE, due 2026-05-07) and CVE-2026-33825 (Microsoft Defender access-control weakness allowing tamper or bypass, due 2026-05-06) were added. The Defender entry is notable: when attackers exploit the EDR itself, the control you assumed was trustworthy becomes part of the attack surface.

Cisco SD-WAN: Three Bugs, One Manager, Deadline Already Burned

CISA added three Cisco Catalyst SD-WAN Manager issues on 2026-04-20 with a 2026-04-23 remediation due date — meaning federal civilian agencies are now past due as of today:

  • CVE-2026-20122 — incorrect use of privileged APIs.
  • CVE-2026-20133 — sensitive information disclosure to unauthorized actors.
  • CVE-2026-20128 — passwords stored in recoverable format, enabling credential harvest post-foothold.

If you operate vManage/Catalyst SD-WAN, assume the cluster is in scope of active scanning; pull controller logs for unexpected API auth and config exports back to mid-March.

Ransomware-Tagged Backlog

Three KEV entries carry CISA's "Known ransomware use" tag and remain worth surfacing because remediation deadlines are imminent or already past:

  • CVE-2023-27351 — PaperCut NG/MF authentication bypass, due 2026-05-04. Long-running ransomware affiliate favorite (Cl0p, Bl00dy historically).
  • CVE-2024-27199 — JetBrains TeamCity path traversal, due 2026-05-04. CI/CD compromise = supply-chain blast radius.
  • CVE-2023-21529 — Microsoft Exchange Server deserialization RCE, due 2026-04-27 (Monday). On-prem Exchange operators have one business day.
  • CVE-2026-20131 — Cisco Secure FMC / Security Cloud Control deserialization; deadline 2026-03-22 already lapsed. If unpatched, treat as assume-breach on the firewall management plane.

Microsoft Patch Cycle (Apr 13–14 batch, deadline Apr 27–28)

Five Microsoft entries cluster around next Monday/Tuesday:

  • CVE-2026-32201 — SharePoint Server input validation flaw, and CVE-2026-20963 — SharePoint deserialization (deadline 2026-03-21, already overdue). SharePoint deserialization chains have been weaponized for unauth RCE in the recent past; verify ULS logs and w3wp child processes.
  • CVE-2025-60710 — Windows link-following (local privilege escalation primitive).
  • CVE-2023-36424 — Windows OOB read.
  • CVE-2012-1854 — VBA insecure library loading; the 14-year-old CVE landing on KEV signals an active campaign abusing legacy Office docs, likely as a maldoc loader.
  • CVE-2009-0238 — Office RCE from 2009 also added; same read: expect macro/RTF lures in current intrusion sets.

Fortinet, Ivanti, Citrix, F5 — Edge Devices Stacking Up Past Due

Several network-edge entries are already past their CISA deadlines and should be confirmed patched today:

  • CVE-2026-21643 — Fortinet FortiClient EMS SQL injection (due 2026-04-16, lapsed).
  • CVE-2026-35616 — FortiClient EMS improper access control (due 2026-04-09, lapsed).
  • CVE-2026-1340 — Ivanti EPMM code injection (due 2026-04-11, lapsed). Ivanti MDM compromises have repeatedly led to mass device enrollment abuse.
  • CVE-2026-3055 — Citrix NetScaler OOB read (due 2026-04-02, lapsed).
  • CVE-2025-53521 — F5 BIG-IP stack buffer overflow (due 2026-03-30, lapsed).

Apple, Google, and Dev-Tooling Supply Chain

  • Three Apple multi-product memory-safety bugs — CVE-2025-43510 (improper locking), CVE-2025-43520 (classic buffer overflow), CVE-2025-31277 (buffer overflow) — all due 2026-04-03 and lapsed; ensure macOS/iOS fleets are on the corresponding April security train.
  • CVE-2026-5281 — Google Dawn (WebGPU) use-after-free, browser-exploitable surface; deadline 2026-04-15 lapsed.
  • CVE-2026-33634 — Aqua Security Trivy embedded malicious code: a scanner-side supply-chain compromise. If Trivy is in CI pipelines, audit pulled image versions against the vendor advisory.
  • CVE-2026-33017 — Langflow code injection (LLM orchestration tool); shadow-IT installs in data-science teams are the realistic exposure.

Also on the Board

  • CVE-2025-2749 (Kentico Xperience path traversal) and CVE-2025-32975 (Quest KACE SMA improper auth) — both due 2026-05-04; KACE is an admin-tier asset, treat with the same urgency as RMM.
  • CVE-2025-48700 and CVE-2025-66376 — two Zimbra ZCS stored-XSS issues; webmail XSS reliably leads to mailbox exfil via session theft.
  • CVE-2026-34197 — Apache ActiveMQ improper input validation (due 2026-04-30); ActiveMQ has been a ransomware target throughout 2024–25, so do not let this one slide.
  • CVE-2025-32432 (Craft CMS) and CVE-2025-54068 (Laravel Livewire) — both code-injection on PHP web stacks, deadlines already lapsed; expect webshell drops on unpatched hosts.
  • CVE-2026-3502 — TrueConf Client missing integrity check on downloaded code, a classic update-channel hijack primitive.
  • CVE-2020-9715 and CVE-2026-34621 — Adobe Acrobat/Reader UAF and prototype pollution; client-side exploitation via PDF lures, deadline 2026-04-27.

Analyst Take

The Apr-13/Apr-20 KEV waves are the story this week: 30+ adds, with several deadlines having already passed and Cisco SD-WAN Manager + Cisco FMC carrying ransomware-use tags. Prioritization for today: (1) Exchange CVE-2023-21529 before Monday; (2) Cisco SD-WAN Manager triple-CVE — patch and credential-rotate; (3) FortiClient EMS and Ivanti EPMM if internet-reachable. The reappearance of two pre-2013 Office/VBA CVEs on KEV is a quiet but clear signal that a current campaign is leaning on legacy-doc lures — push your mail-gateway macro and RTF policies.
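The prioritization above (overdue first, ransomware-tagged ahead of the rest, nearest deadline next) is mechanical enough to script against the CISA KEV feed. The example below is added here and is not part of the brief; the sample entries are constructed from the CVEs and due dates quoted in this issue, in the field names of CISA's known_exploited_vulnerabilities.json, and `rank_kev` is a baseline ordering that you would still overlay with your own exposure and asset-tier data.

```python
from datetime import date
from typing import Any

# "Today" for this issue of the brief.
TODAY = date(2026, 4, 26)

# Constructed sample entries in the shape of CISA's KEV JSON feed
# (field names: cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse).
# Due dates and ransomware tags are taken from this brief, not the live feed.
KEV_SAMPLE: list[dict[str, Any]] = [
    {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "NG/MF",
     "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
]


def entries_from_feed(feed: dict[str, Any]) -> list[dict[str, Any]]:
    """Pull the entry list out of a parsed KEV JSON document (top-level 'vulnerabilities' key)."""
    return list(feed.get("vulnerabilities", []))


def days_to_due(entry: dict[str, Any], today: date = TODAY) -> int:
    """Days until the CISA remediation deadline; negative means already lapsed."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def triage_bucket(entry: dict[str, Any], today: date = TODAY) -> str:
    """Bucket an entry as 'overdue', 'due-this-week' (within 7 days) or 'scheduled'."""
    remaining = days_to_due(entry, today)
    if remaining < 0:
        return "overdue"
    if remaining <= 7:
        return "due-this-week"
    return "scheduled"


def rank_kev(entries: list[dict[str, Any]], today: date = TODAY) -> list[tuple[str, str, int]]:
    """Order entries: ransomware-tagged first, then by nearest deadline.

    Returns (cveID, bucket, days_to_due) tuples, most urgent first.
    """
    def sort_key(e: dict[str, Any]) -> tuple[int, int]:
        ransomware_first = 0 if e.get("knownRansomwareCampaignUse") == "Known" else 1
        return (ransomware_first, days_to_due(e, today))

    return [(e["cveID"], triage_bucket(e, today), days_to_due(e, today))
            for e in sorted(entries, key=sort_key)]
```

Point `entries_from_feed` at `json.load()` of the real catalog and run `rank_kev` daily; anything in the `overdue` bucket with a `Known` tag is your first ticket of the morning.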