
Cyber Threats Daily — 2026-04-19

TITLE: Cyber Threats Daily — 2026-04-19: Ransomware-linked Cisco FMC RCE, fresh KEV adds hit Apache ActiveMQ, SharePoint, Windows

---

Executive Summary

CISA's KEV catalog saw heavy churn over the past six weeks, with the most urgent item remaining CVE-2026-20131 — a Cisco Secure Firewall Management Center (FMC) / SCC deserialization bug flagged with known ransomware campaign use. Multiple Microsoft, Fortinet, Ivanti, and Adobe entries were added in April with deadlines now active or imminent. This digest prioritizes the actively exploited and ransomware-linked items, then highlights near-term due dates SOC teams should be tracking this week.

> Note: Only the CISA KEV feed was available this run. No secondary corroborating sources were provided.

---

🔴 Priority 1 — Ransomware-Linked Exploitation

CVE-2026-20131 — Cisco Secure FMC / SCC Firewall Management (Deserialization → Unauth RCE as root)

  • Vendor/Product: Cisco Secure Firewall Management Center (FMC) Software; Cisco Security Cloud Control (SCC) Firewall Management
  • Impact: Unauthenticated remote attackers can execute arbitrary Java code as root via the web-based management interface.
  • KEV added: 2026-03-19 | Due: 2026-03-22 (overdue)
  • Ransomware use: Known
  • Action: If not already remediated, treat as an active incident rather than a patch ticket. Patch per the Cisco advisory, keep the FMC/SCC web management interface off the internet and reachable only from the management network, and hunt for webshells, unexpected Java child processes, and outbound C2 from FMC hosts. Because the bug yields code execution as root, a patch alone does not evict an attacker who was already present: if indicators are found, rebuild from known-good media. Rotate any credentials/secrets stored on the appliance, including those it holds for managed devices and integrations.

---

🟠 Priority 2 — Recent KEV Additions (April 2026)

CVE-2026-34197 — Apache ActiveMQ Improper Input Validation (Code Injection)

  • Added: 2026-04-16 | Due: 2026-04-30
  • ActiveMQ remains a recurring ransomware target (historical HelloKitty/Andariel precedent). Prioritize internet-facing brokers; validate the running version against Apache's advisory and restrict exposure of the OpenWire listener (61616/tcp by default) and the web console (8161/tcp by default) to trusted networks.

CVE-2026-32201 — Microsoft SharePoint Server Spoofing (Improper Input Validation)

  • Added: 2026-04-14 | Due: 2026-04-28
  • Spoofing-class flaw reachable over the network without authentication. Pair remediation with a hunt for SharePoint authentication anomalies (unexpected sign-ins, token or claims oddities, new site-collection admins).

CVE-2009-0238 — Microsoft Office Excel RCE (legacy)

  • Added: 2026-04-14 | Due: 2026-04-28
  • Legacy Office RCE via a malformed object in .xls. A 2009-era bug does not enter KEV without evidence of exploitation, so assume active document-lure use against unpatched or legacy Office estates. Enforce Protected View and block legacy binary Office formats at the mail gateway where feasible.

CVE-2012-1854 — Microsoft VBA Insecure Library Loading

  • Added: 2026-04-13 | Due: 2026-04-27
  • Insecure library loading (DLL preloading/hijacking) reachable through VBA. Review macro policy: Mark-of-the-Web enforcement, macros blocked in files from the Internet, and no broad exceptions.

CVE-2025-60710 — Microsoft Windows Link Following (LPE)

  • Added: 2026-04-13 | Due: 2026-04-27
  • Local privilege escalation via symlink/junction abuse — typical post-access escalation primitive.

CVE-2023-21529 — Microsoft Exchange Server Deserialization (Auth'd RCE)

  • Added: 2026-04-13 | Due: 2026-04-27
  • Requires authentication but pairs well with credential theft. On-prem Exchange should already be on the latest CU+SU; verify.

CVE-2023-36424 — Windows CLFS Driver Out-of-Bounds Read (LPE)

  • Added: 2026-04-13 | Due: 2026-04-27
  • CLFS continues to be a favored LPE surface for ransomware affiliates. Ensure the current cumulative update is applied; a host still vulnerable to a 2023 CLFS bug is missing far more than one month of fixes.

CVE-2020-9715 — Adobe Acrobat Use-After-Free (RCE)

  • Added: 2026-04-13 | Due: 2026-04-27

CVE-2026-34621 — Adobe Acrobat & Reader Prototype Pollution (Arbitrary Code Execution)

  • Added: 2026-04-13 | Due: 2026-04-27
  • Two Acrobat entries on the same day suggests active document-based delivery. Patch reader fleet; consider disabling JavaScript in Acrobat where policy allows.

CVE-2026-21643 — Fortinet FortiClient EMS SQL Injection (Unauth RCE)

  • Added: 2026-04-13 | Due: 2026-04-16 (overdue)
  • Unauthenticated SQLi → code execution via crafted HTTP. Treat EMS as compromised until patched and audited; review FCTUID/enrollment logs.

CVE-2026-35616 — Fortinet FortiClient EMS Improper Access Control (Unauth RCE)

  • Added: 2026-04-06 | Due: 2026-04-09 (overdue)
  • Second EMS bug on KEV within two weeks — a strong signal of targeted exploitation of this product line.

CVE-2026-1340 — Ivanti EPMM Code Injection (Unauth RCE)

  • Added: 2026-04-08 | Due: 2026-04-11 (overdue)
  • Ivanti EPMM continues its pattern (cf. CVE-2023-35078/35082). If an internet-exposed EPMM was not patched before the deadline, treat it as compromised and investigate before trusting it again; patching alone does not answer the question.

CVE-2026-3502 — TrueConf Client Unsigned Update (ACE)

  • Added: 2026-04-02 | Due: 2026-04-16 (overdue)
  • Supply-chain/update-path hijack. Inventory TrueConf installs; restrict update endpoint egress.

CVE-2026-5281 — Google Dawn Use-After-Free (Chromium)

  • Added: 2026-04-01 | Due: 2026-04-15 (overdue)
  • Affects Chromium-based browsers (Chrome, Edge, etc.). Enforce browser auto-update + minimum version policies.

---

🟡 Late-March Adds Still Worth Verifying

  • CVE-2026-3055 — Citrix NetScaler OOB Read (SAML IDP memory overread). Due 2026-04-02.
  • CVE-2025-53521 — F5 BIG-IP APM stack overflow → RCE. Due 2026-03-30.
  • CVE-2026-33634 — Aquasecurity Trivy embedded malicious code → CI/CD secrets exposure. Due 2026-04-09. High blast radius for DevOps pipelines; audit build hosts for token exfil.
  • CVE-2026-33017 — Langflow code injection (unauth). Due 2026-04-08.
  • CVE-2025-32432 — Craft CMS code injection. Due 2026-04-03.
  • CVE-2025-54068 — Laravel Livewire code injection (unauth RCE in specific scenarios). Due 2026-04-03.
  • CVE-2025-43510 / 43520 / 31277 — Apple multi-product kernel/buffer/locking issues. Due 2026-04-03.
  • CVE-2026-20963 — Microsoft SharePoint deserialization (unauth RCE). Due 2026-03-21.
  • CVE-2025-66376 — Zimbra Classic UI XSS via CSS @import. Due 2026-04-01.
  • CVE-2025-47813 — Wing FTP Server info disclosure via long UID cookie. Due 2026-03-30.
  • CVE-2026-3910 / 3909 — Chromium V8 and Skia memory issues. Due 2026-03-27.
  • CVE-2025-68613 — n8n expression evaluator RCE. Due 2026-03-25.
  • CVE-2021-22054 — Omnissa Workspace ONE UEM SSRF. Due 2026-03-23.
  • CVE-2025-26399 — SolarWinds Web Help Desk deserialization (third in the WHD series; treat WHD as high-risk asset class).
  • CVE-2026-1603 — Ivanti EPM auth bypass → credential leak. Due 2026-03-23.
  • CVE-2026-22719 — Broadcom VMware Aria Operations command injection (unauth RCE during migration flow). Due 2026-03-24.
  • CVE-2026-21385 — Qualcomm multi-chipset memory corruption (mobile fleet). Due 2026-03-24.

---

Analyst Takeaways

1. Edge/management-plane products dominate this cycle. Cisco FMC, Fortinet FortiClient EMS (x2), Ivanti EPMM + EPM, Citrix NetScaler, F5 BIG-IP APM, VMware Aria Operations, Omnissa UEM, and SolarWinds WHD all appeared in ~6 weeks. If your change-management cadence for these is monthly, it is too slow.

2. Two FortiClient EMS CVEs within 7 days (CVE-2026-35616, CVE-2026-21643), both unauth-RCE class, with sub-week deadlines — a strong indicator of in-the-wild exploitation. Audit EMS hosts for webshells, new admin accounts, and DB query anomalies.

3. Supply-chain/DevOps exposure is rising: Trivy (CVE-2026-33634), Langflow, n8n, and Livewire all landed on KEV. CI/CD runners and low-code automation platforms deserve the same scrutiny as production edge devices.

4. Acrobat + legacy Office back on KEV suggests continued document-lure campaigns. Reconfirm mail-gateway policy and EDR coverage on endpoints that still open legacy formats.

This Week's Hard Stops

  • Apr 27: CVE-2012-1854, CVE-2025-60710, CVE-2023-21529, CVE-2023-36424, CVE-2020-9715, CVE-2026-34621
  • Apr 28: CVE-2009-0238, CVE-2026-32201
  • Apr 30: CVE-2026-34197 (ActiveMQ)

Overdue items (Fortinet EMS ×2, Ivanti EPMM, TrueConf, Dawn, Cisco FMC) should be escalated as exceptions with compensating controls documented.
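The bucketing this digest applies (ransomware-linked first, then overdue, then this week's deadlines), as an added Python example; it is not code from this digest or from CISA. It parses records in the KEV catalog's JSON layout (top-level `vulnerabilities` array with `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) from a constructed sample embedded inline, which repeats identifiers and dates quoted above rather than downloading the live feed; the report date and the 14-day horizon are assumptions.

```python
"""Triage a slice of the CISA KEV catalog the way this digest does.

Added example, not CISA's or the digest's code. Field names follow the
published KEV JSON feed; the records below are a constructed sample.
"""
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample in the KEV feed's JSON layout. Entries repeat IDs and
# dates quoted in this digest; this is not a download of the real catalog.
SAMPLE_KEV_JSON = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-2026-20131", "vendorProject": "Cisco",
         "product": "Secure Firewall Management Center",
         "dateAdded": "2026-03-19", "dueDate": "2026-03-22",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2026-34197", "vendorProject": "Apache",
         "product": "ActiveMQ",
         "dateAdded": "2026-04-16", "dueDate": "2026-04-30",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-32201", "vendorProject": "Microsoft",
         "product": "SharePoint Server",
         "dateAdded": "2026-04-14", "dueDate": "2026-04-28",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft",
         "product": "Exchange Server",
         "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet",
         "product": "FortiClient EMS",
         "dateAdded": "2026-04-13", "dueDate": "2026-04-16",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-35616", "vendorProject": "Fortinet",
         "product": "FortiClient EMS",
         "dateAdded": "2026-04-06", "dueDate": "2026-04-09",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

REPORT_DATE = date(2026, 4, 19)  # assumed "today" for this digest


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    date_added: date
    due_date: date
    ransomware_use: str  # "Known" or "Unknown" in the live feed

    @property
    def ransomware_known(self) -> bool:
        return self.ransomware_use.strip().lower() == "known"


def load_kev(text: str) -> list:
    """Parse KEV JSON text into KevEntry objects; extra fields are ignored."""
    doc = json.loads(text)
    return [
        KevEntry(
            cve_id=v["cveID"],
            vendor=v["vendorProject"],
            product=v["product"],
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
            ransomware_use=v.get("knownRansomwareCampaignUse", "Unknown"),
        )
        for v in doc["vulnerabilities"]
    ]


def triage(entries, today, horizon_days=7):
    """Place each entry in exactly one bucket, in the digest's priority order.

    ransomware : known ransomware campaign use, whatever the deadline
    overdue    : due date already passed
    due_soon   : due within horizon_days of today (inclusive)
    later      : everything else
    Buckets are sorted by due date, then CVE ID.
    """
    buckets = {"ransomware": [], "overdue": [], "due_soon": [], "later": []}
    cutoff = today + timedelta(days=horizon_days)
    for e in entries:
        if e.ransomware_known:
            buckets["ransomware"].append(e)
        elif e.due_date < today:
            buckets["overdue"].append(e)
        elif e.due_date <= cutoff:
            buckets["due_soon"].append(e)
        else:
            buckets["later"].append(e)
    for bucket in buckets.values():
        bucket.sort(key=lambda e: (e.due_date, e.cve_id))
    return buckets


def hard_stops(entries, today, horizon_days=7):
    """Map ISO due date -> CVE IDs for deadlines still ahead within the horizon,
    the shape of the digest's 'Hard Stops' list. Overdue items are excluded."""
    cutoff = today + timedelta(days=horizon_days)
    out = {}
    for e in sorted(entries, key=lambda e: (e.due_date, e.cve_id)):
        if today <= e.due_date <= cutoff:
            out.setdefault(e.due_date.isoformat(), []).append(e.cve_id)
    return out


def days_to_fix(e):
    """Days CISA allowed between catalog add and deadline; 3-day windows are
    the ones to push through as emergency changes."""
    return (e.due_date - e.date_added).days


def ids(bucket):
    return [e.cve_id for e in bucket]


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    for name, bucket in triage(entries, REPORT_DATE, 14).items():
        print(f"{name:10s} {ids(bucket)}")
    for due, cves in hard_stops(entries, REPORT_DATE, 14).items():
        print(f"{due}: {', '.join(cves)}")
```

Run against the live catalog by replacing `SAMPLE_KEV_JSON` with the downloaded feed text; the bucket order is the escalation order, and `days_to_fix` separates the 3-day emergency entries from the routine 14-day ones.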

---

*Source availability: CISA KEV feed only this run. No additional vendor advisory or threat-intel feeds were ingested; recommend corroborating exploitation claims against vendor PSIRTs before external comms.*
