Cyber Threats Daily — 2026-04-28 (April 28, 2026)

TITLE: KEV surge: Cisco SD-WAN Manager triple-add, fresh D-Link & Samsung exploitation, ransomware-linked PaperCut and TeamCity flaws

---

Top of the Stack: Active Exploitation

CISA's KEV catalog has been unusually active over the past five weeks, with several entries already past their remediation deadlines as of today (2026-04-28). SOC teams running any of the products below should treat patching as overdue, not pending.

  • CVE-2025-29635 (D-Link DIR-823X command injection) and CVE-2024-7399 (Samsung MagicINFO 9 Server path traversal) were added 2026-04-24 with federal remediation due 2026-05-08; both are unauthenticated server-side flaws on widely deployed edge/signage gear.
  • CVE-2024-57728 and CVE-2024-57726 in SimpleHelp (path traversal + missing authorization) were co-added 2026-04-24, mirroring the chained exploitation pattern previously seen against MSP remote-support tooling — pair them in detections.
  • CVE-2023-27351 (PaperCut NG/MF authentication bypass) and CVE-2024-27199 (JetBrains TeamCity path traversal) are both flagged with known ransomware use; remediation due 2026-05-04. If you somehow still haven't patched these in 2026, assume compromise and hunt.

Cisco Catalyst SD-WAN Manager: Triple Hit

A coordinated 2026-04-20 KEV batch added three Cisco Catalyst SD-WAN Manager bugs, all with a tight 2026-04-23 deadline (expired five days ago as of this issue):

  • CVE-2026-20122 — incorrect use of privileged APIs, enabling privilege abuse.
  • CVE-2026-20133 — exposure of sensitive information to unauthorized actors.
  • CVE-2026-20128 — passwords stored in a recoverable format, turning any read primitive into a credential harvest.

Treat any SD-WAN Manager not patched by the 23rd as in-scope for incident review; rotate stored credentials regardless of patch status given CVE-2026-20128's nature. Separately, CVE-2026-20131 (Cisco Secure FMC / Security Cloud Control deserialization) carries a known ransomware use tag with a deadline that lapsed 2026-03-22.

Microsoft Patch Backlog Catch-Up

CISA worked through a notable backlog of Microsoft bugs in mid-April:

  • CVE-2026-32201 (SharePoint Server improper input validation) and CVE-2026-20963 (SharePoint deserialization) extend the long-running pattern of SharePoint being a reliable initial-access target — both deadlines have passed.
  • CVE-2023-21529 (Exchange Server deserialization) carries known ransomware use; if your Exchange estate isn't on current CU + SU, this is your prompt.
  • CVE-2026-33825 (Microsoft Defender insufficient access-control granularity, due 2026-05-06) is unusual: an EDR product itself appearing in KEV warrants verifying tamper-protection posture and reviewing Defender configuration drift.
  • CVE-2025-60710 (Windows link-following) and CVE-2023-36424 (Windows OOB read) round out the Windows additions; deadline 2026-04-27 already lapsed.
  • Legacy Office adds CVE-2009-0238 (Office RCE) and CVE-2012-1854 (VBA insecure library loading) — telling you that someone, somewhere is still running 2009-vintage Office in a federal-adjacent environment.

Edge, Identity, and Remote Access

  • CVE-2026-21643 (Fortinet FortiClient EMS SQL injection, due 2026-04-16) and CVE-2026-35616 (FortiClient EMS improper access control, due 2026-04-09) are both past deadline; the chain potential between an access-control bypass and SQLi on the same server makes EMS a high-priority hardening target.
  • CVE-2026-1340 (Ivanti EPMM code injection, due 2026-04-11) continues Ivanti's unbroken streak of mobile-management appliances showing up in KEV — assume mobile fleet exposure if unpatched.
  • CVE-2026-3055 (Citrix NetScaler OOB read) and CVE-2025-53521 (F5 BIG-IP stack buffer overflow) both lapsed in late March; load-balancer/ADC compromise remains a top initial-access vector.
  • CVE-2025-32975 (Quest KACE SMA improper authentication, due 2026-05-04) gives attackers a path into endpoint-management infrastructure — review KACE exposure and admin auth logs.

Web Apps & CMS

A cluster of code-injection / path-traversal bugs in mid-tier web stacks landed in KEV between 2026-03-20 and 2026-04-20:

  • CVE-2025-2749 (Kentico Xperience path traversal), CVE-2025-32432 (Craft CMS code injection), and CVE-2025-54068 (Laravel Livewire code injection) all enable RCE against public-facing CMS/framework deployments — prioritize internet-exposed instances.
  • CVE-2025-48700 and CVE-2025-66376 are both Zimbra Collaboration Suite XSS flaws; Zimbra remains a reliable phishing/credential-theft target where patching lags.
  • CVE-2026-34197 (Apache ActiveMQ improper input validation, due 2026-04-30) — patch this week to stay ahead of the deadline; ActiveMQ has a track record of post-disclosure mass exploitation.

AI/Dev Toolchain — A New KEV Theme

Three KEV additions this cycle target the AI and dev-supply-chain stack, which is worth flagging as a trend:

  • CVE-2026-39987 (Marimo notebook RCE, due 2026-05-07) and CVE-2026-33017 (Langflow code injection) hit AI/ML developer tooling now showing up in enterprise environments, often deployed without the hardening applied to traditional web apps.
  • CVE-2026-33634 (Aquasecurity Trivy embedded malicious code) is a supply-chain compromise of a security scanner — review Trivy versions and image digests, verify installed binaries and images against the project's published checksums or signatures, and treat scan results and any artifacts produced by affected versions as untrusted until rescanned with a clean build.

Apple, Browser, and Misc.

  • A trio of Apple multi-product bugs, CVE-2025-43510, CVE-2025-43520, and CVE-2025-31277 (improper locking and buffer overflows), lapsed 2026-04-03; ensure macOS/iOS fleets are on current builds.
  • CVE-2026-5281 (Google Dawn use-after-free) affects Chromium's WebGPU implementation — browser fleet patch verification recommended.
  • CVE-2026-3502 (TrueConf Client missing integrity check on code download) is a classic update-channel hijack risk for organizations using the conferencing client.

Analyst Bottom Line

The dominant signal this cycle is deadline slippage: roughly a third of recent KEV entries have passed their remediation dates, with Cisco SD-WAN Manager, Fortinet EMS, Ivanti EPMM, and Microsoft SharePoint/Exchange concentrated in the overdue bucket. If you triage on one thing today, run an exposure check across those four product families and validate patch state against the CVEs called out above.
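The exposure check described above, as an added example that is not part of the original brief and not a CISA or vendor tool: a small Python script that cross-references a KEV-format feed with a host inventory, ranks unpatched entries by ransomware flag and days past deadline, and lists KEV products the inventory cannot account for at all. The KEV field names are the catalog's own; the sample feed is a constructed, trimmed copy of CVEs named in this issue (due dates as given above, ransomware flag "Known" only where the issue says so), and the hostnames and patch states are hypothetical.

```python
"""Triage a CISA KEV-format feed against a host inventory and rank overdue items.

Added example; not CISA's or any vendor's code. Runs offline on a constructed
sample. For real use, feed load_kev() the live catalog JSON from
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed sample in the KEV JSON feed layout. Field names are the catalog's
# own; only the fields this script reads are included. CVEs, products and due
# dates come from the brief; ransomware flag is "Known" only where the brief says so.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-20128", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
         "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "MF/NG",
         "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClient EMS",
         "dueDate": "2026-04-16", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-34197", "vendorProject": "Apache", "product": "ActiveMQ",
         "dueDate": "2026-04-30", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X",
         "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory with hypothetical hostnames. "patched" holds KEV CVEs a
# scanner or change record has already confirmed remediated on that host.
INVENTORY = [
    {"host": "sdwan-mgr-01", "vendor": "Cisco", "product": "SD-WAN Manager", "patched": set()},
    {"host": "print-01", "vendor": "PaperCut", "product": "MF/NG", "patched": {"CVE-2023-27351"}},
    {"host": "print-02", "vendor": "PaperCut", "product": "MF/NG", "patched": set()},
    {"host": "ems-01", "vendor": "Fortinet", "product": "FortiClient EMS", "patched": set()},
    {"host": "mq-01", "vendor": "Apache", "product": "ActiveMQ", "patched": set()},
]


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    vendor: str
    product: str
    days_overdue: int        # positive = days past the KEV due date, negative = days remaining
    ransomware_known: bool


def _norm(s: str) -> str:
    return " ".join(s.lower().split())


def _product_matches(kev_product: str, host_product: str) -> bool:
    # KEV product strings vary ("Catalyst SD-WAN Manager" vs. an inventory's
    # "SD-WAN Manager"), so match on normalized containment in either direction.
    a, b = _norm(kev_product), _norm(host_product)
    return a in b or b in a


def _host_matches(entry: dict, host: dict) -> bool:
    return (host["vendor"].lower() == entry["vendorProject"].lower()
            and _product_matches(entry["product"], host["product"]))


def load_kev(text: str) -> list[dict]:
    return json.loads(text)["vulnerabilities"]


def triage(entries: list[dict], inventory: list[dict], today: date) -> list[Finding]:
    findings = []
    for e in entries:
        due = date.fromisoformat(e["dueDate"])
        for h in inventory:
            if not _host_matches(e, h) or e["cveID"] in h["patched"]:
                continue
            findings.append(Finding(h["host"], e["cveID"], e["vendorProject"], e["product"],
                                    (today - due).days,
                                    e.get("knownRansomwareCampaignUse") == "Known"))
    # Ransomware-linked entries first, then the most overdue.
    findings.sort(key=lambda f: (not f.ransomware_known, -f.days_overdue))
    return findings


def uncovered_products(entries: list[dict], inventory: list[dict]) -> list[tuple[str, str]]:
    """KEV products with no inventory match: either not deployed, or an inventory gap."""
    return [(e["vendorProject"], e["product"]) for e in entries
            if not any(_host_matches(e, h) for h in inventory)]


def overdue_by_vendor(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        if f.days_overdue > 0:
            counts[f.vendor] = counts.get(f.vendor, 0) + 1
    return counts


def run_sample(today_iso: str = "2026-04-28") -> list[Finding]:
    return triage(load_kev(KEV_SAMPLE), INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in run_sample():
        state = f"{f.days_overdue}d OVERDUE" if f.days_overdue > 0 else f"due in {-f.days_overdue}d"
        print(f"{f.host:13} {f.cve:16} {f.vendor} {f.product}: {state}"
              + (" [RANSOMWARE]" if f.ransomware_known else ""))
    print("overdue by vendor:", overdue_by_vendor(run_sample()))
    print("no inventory match:", uncovered_products(load_kev(KEV_SAMPLE), INVENTORY))
```

On the sample, print-01 produces no finding because its CVE is recorded as patched, print-02 sorts first despite being ahead of its deadline because the entry carries the ransomware flag, and D-Link DIR-823X lands in the uncovered list, which is the case to chase down: a KEV product you cannot map to any asset is either absent from the estate or missing from the inventory, and only one of those is good news.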