Cyber Threats Daily — 2026-04-25

TITLE: KEV surge: D-Link, Samsung MagicINFO, SimpleHelp added; Cisco SD-WAN trio past deadline

---

Top of the watch: fresh KEV additions (2026-04-24)

CISA pushed four new entries to the Known Exploited Vulnerabilities catalog yesterday, all carrying a 2026-05-08 federal remediation deadline. Patch or compensate now — these are confirmed exploited in the wild.

  • CVE-2025-29635 is a command-injection flaw in D-Link DIR-823X routers; given D-Link's history of botnet recruitment (Mirai variants, Mozi), expect mass scanning against exposed admin interfaces within days.
  • CVE-2024-7399 is a path traversal in Samsung MagicINFO 9 Server (digital signage CMS) that yields arbitrary file read/write and has been chained to RCE in public PoCs — internet-exposed signage servers are the obvious soft target.
  • CVE-2024-57728 and CVE-2024-57726, paired path-traversal and missing-authorization bugs in SimpleHelp remote support software, were previously linked to ransomware affiliates pivoting through MSPs; if you run SimpleHelp servers, assume probing and audit session logs.

Past-due deadlines — verify your patch state today

Several KEV entries hit their CISA deadlines this week. If federal or contractually bound, you are out of compliance unless mitigated:

  • CVE-2026-20122, CVE-2026-20133, and CVE-2026-20128 — a trio of Cisco Catalyst SD-WAN Manager flaws (privileged-API misuse, sensitive info exposure, recoverable password storage) — were due 2026-04-23. Treat any unpatched vManage instance as compromised pending review.
  • CVE-2025-48700, a stored XSS in Synacor Zimbra Collaboration Suite, shared the same 2026-04-23 deadline; Zimbra remains a favorite of state-aligned actors (UNC1151, Winter Vivern) for credential theft.
  • CVE-2026-34197, an input-validation bug in Apache ActiveMQ, is due 2026-04-30 — note ActiveMQ's track record with HelloKitty/Andariel ransomware (CVE-2023-46604), so expedite even without specific IOCs.
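To make the "verify your patch state" check mechanical, here is an added example (not part of the digest) that triages a CISA KEV JSON extract by due date and ransomware flag. It uses the feed's real field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse); the sample records are constructed from this issue's CVE IDs and due dates, with the SharePoint due date assumed as 2026-04-27.

```python
"""Triage a CISA KEV feed extract: overdue, due within a week, and ransomware-flagged."""
from datetime import date

# Constructed sample records; field names match CISA's
# known_exploited_vulnerabilities.json, values come from the digest above.
KEV_SAMPLE = [
    {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20122", "vendorProject": "Cisco",
     "product": "Catalyst SD-WAN Manager", "dueDate": "2026-04-23",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "NG/MF",
     "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-20131", "vendorProject": "Cisco",
     "product": "Secure Firewall Management Center", "dueDate": "2026-03-22",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-32201", "vendorProject": "Microsoft",  # due date assumed
     "product": "SharePoint Server", "dueDate": "2026-04-27",
     "knownRansomwareCampaignUse": "Unknown"},
]

def triage(entries, today, horizon_days=7, inventory=None):
    """Bucket entries into overdue / due_soon / later relative to `today` (ISO date).
    `inventory` is an optional set of vendorProject names you actually run; others
    are skipped. Within a bucket, ransomware-flagged entries sort first, then soonest."""
    today = date.fromisoformat(today)
    buckets = {"overdue": [], "due_soon": [], "later": []}
    for e in entries:
        if inventory is not None and e["vendorProject"] not in inventory:
            continue
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        key = ("overdue" if days_left < 0
               else "due_soon" if days_left <= horizon_days else "later")
        buckets[key].append({
            "cve": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "days_left": days_left,
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
        })
    for items in buckets.values():
        items.sort(key=lambda r: (not r["ransomware"], r["days_left"]))
    return buckets

if __name__ == "__main__":
    for bucket, items in triage(KEV_SAMPLE, "2026-04-25").items():
        for r in items:
            flag = " [RANSOMWARE]" if r["ransomware"] else ""
            print(f'{bucket:9} {r["cve"]:16} {r["days_left"]:+4d}d  {r["product"]}{flag}')
```

Swap KEV_SAMPLE for the entries loaded from the live feed's "vulnerabilities" array and pass your vendor set as `inventory` to get a per-estate worklist.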

Ransomware-flagged entries — prioritize accordingly

CISA explicitly tagged three recent additions as having known ransomware use:

  • CVE-2023-27351 — improper authentication in PaperCut NG/MF print management. Same product family abused by Cl0p and LockBit in 2023; remediation due 2026-05-04.
  • CVE-2024-27199 — relative path traversal in JetBrains TeamCity; CI/CD compromise leads directly to supply-chain poisoning. Due 2026-05-04.
  • CVE-2026-20131 — deserialization in Cisco Secure Firewall Management Center (FMC) and Security Cloud Control. Deadline already passed (2026-03-22); confirm patching of every FMC, including air-gapped management VLANs.

Microsoft Patch Tuesday fallout (April 13–14 KEV batch)

Microsoft's April cycle dumped a heavy block of exploited bugs onto the catalog, all with 2026-04-27/28 deadlines now within 48–72 hours:

  • CVE-2026-32201 — input validation in Microsoft SharePoint Server — and CVE-2026-20963, a separate SharePoint deserialization (deadline already 2026-03-21). SharePoint RCE chains continue to be the entry vector of choice for both Storm-0506 and Chinese state clusters.
  • CVE-2023-21529, Exchange Server deserialization, ransomware-flagged. If you still operate on-prem Exchange, treat this as a hair-on-fire item.
  • CVE-2025-60710 (Windows link-following) and CVE-2023-36424 (Windows OOB read) round out the OS-level privilege escalation set.
  • Two legacy Office bugs — CVE-2009-0238 (Office RCE) and CVE-2012-1854 (VBA insecure library load) — were also added, indicating ongoing exploitation against unpatched/legacy estates; hunt for old Office binaries in your environment.
  • Adobe joined the party with CVE-2020-9715 (Acrobat UAF) and CVE-2026-34621 (Acrobat/Reader prototype pollution), commonly weaponized via phishing-delivered PDFs.

Network/edge appliances under active exploitation

  • CVE-2026-21643 (SQL injection) and CVE-2026-35616 (improper access control) in Fortinet FortiClient EMS are both past deadline (2026-04-16 and 2026-04-09). FortiClient EMS holds VPN provisioning data — assume credential exposure on unpatched servers.
  • CVE-2026-3055, an out-of-bounds read in Citrix NetScaler, was due 2026-04-02. NetScaler bugs have been the gift that keeps giving since CitrixBleed; verify session token rotation.
  • CVE-2025-53521, a stack buffer overflow in F5 BIG-IP, deadline 2026-03-30, remains a high-value target for initial access brokers.
  • CVE-2026-1340 — code injection in Ivanti Endpoint Manager Mobile (EPMM) — was due 2026-04-11; Ivanti's MDM products have been chained repeatedly by APT groups (UNC5325, UNC5337).

Developer toolchain & AI/ML platforms — a growing category

A notable cluster of recent KEV adds targets developer and ML infrastructure, where compromise yields supply-chain reach:

  • CVE-2026-39987 in Marimo notebooks and CVE-2026-33017 in Langflow are both code-injection RCEs in AI/LLM tooling, reflecting attacker pivot toward MLOps stacks.
  • CVE-2026-33634 (Aqua Security Trivy shipping with embedded malicious code) indicates a supply-chain compromise of the scanner itself; if you pinned a bad version in CI, your scan results were the attack vector.
  • CVE-2025-32432 (Craft CMS code injection) and CVE-2025-54068 (Laravel Livewire code injection) round out web-framework RCEs already being scanned at scale.

Apple multi-product cluster

CVE-2025-43510, CVE-2025-43520, and CVE-2025-31277 — improper locking and two buffer overflows across multiple Apple products — were added 2026-03-20 with deadlines now passed. Confirm macOS/iOS fleets are on the corresponding April security update train; targeted exploitation against journalists and dissidents has been the pattern.

Also worth a glance

  • CVE-2026-33825, Microsoft Defender insufficient access-control granularity (deadline 2026-05-06): an attacker with footholds can blind EDR, so prioritize alongside any active IR.
  • CVE-2025-2749 (Kentico Xperience path traversal) and CVE-2025-32975 (Quest KACE SMA improper authentication) — both due 2026-05-04 — are high-value pivots in mid-market enterprises.
  • CVE-2026-3502, a code-integrity check failure in TrueConf Client, enables malicious update delivery; verify autoupdate channels are signed and pinned.
  • CVE-2026-5281, a UAF in Google Dawn (Chrome's WebGPU implementation), and CVE-2025-66376 (second Zimbra XSS this month) close out the recent additions.

Editor's take

The week's signal is twofold: (1) edge management planes — Cisco SD-WAN Manager, FortiClient EMS, Ivanti EPMM, NetScaler, BIG-IP — keep getting hit, and several of these deadlines are already in the rearview mirror; and (2) the AI/dev-tool attack surface (Marimo, Langflow, Trivy) is now a recurring KEV category. If your patch cadence is monthly, that is no longer fast enough for management-plane CVEs.