Skip to content
Krypteia Sec
Back to Threat Intel
TLP:CLEARCTI-2026-0405

Daily Threat Intelligence Brief - April 5, 2026

FortiClient EMS zero-day exploitation expands (CVE-2026-35616), Dgraph scores CVSS 10.0 (CVE-2026-33976), OpenClaw CVSS 9.9 with 135K exposed instances, RSAC 2026 confirms agentic AI as top attack surface, Q1 ransomware hits 2,165 victims.

April 5, 2026·8 min read
ctivulnerabilitieszero-dayransomwareai-securityagentic-airsac-2026

Executive Summary

  • FortiClient EMS exploitation expanding (CVE-2026-35616): CVSS 9.1 zero-day first exploited March 31, emergency hotfix released April 4. Pre-auth API bypass to arbitrary code execution on EMS servers
  • Dgraph database (CVE-2026-33976): CVSS 10.0 maximum severity, critical flaw in widely-used graph database
  • OpenClaw (CVSS 9.9): Privilege escalation from low-privilege tokens to admin with RCE. 135,000+ internet-facing instances detected
  • RSAC 2026 key finding: AI agent activity indistinguishable from human activity in default logging. 85% of enterprises piloting AI agents, only 5% in production with security controls
  • Q1 2026 ransomware: 2,165 victims across three months. 808 victims in March alone (19% jump from February). Annualizes to 8,660, an 18.5% increase over 2025
  • Persistent prompt injection: Manufacturing company procurement agent manipulated over three weeks through seemingly helpful clarifications
  • Non-human identities: Outnumber human identities by 100:1 at enterprises, decentralized with excessive permissions rarely audited

Critical Vulnerabilities

CVE-2026-35616: FortiClient EMS Zero-Day (ACTIVELY EXPLOITED)

Pre-authentication API access bypass in FortiClient EMS 7.4.5-7.4.6. Unauthenticated remote attackers can send specially crafted API requests to bypass all authentication and authorization checks, gaining full control over endpoint management operations. No privileges, user interaction, or elevated access required.

  • CVSS: 9.1 (Critical)
  • CWE: CWE-284 (Improper Access Control)
  • First exploitation: March 31, 2026
  • Hotfix: Released April 4 for 7.4.5 and 7.4.6. Full fix expected in 7.4.7
  • Action: Apply hotfix immediately. Audit for indicators of compromise dating back to March 31

CVE-2026-33976: Dgraph Database (CVSS 10.0)

Critical vulnerability in Dgraph, the open-source distributed graph database. Maximum severity rating.

  • CVSS: 10.0 (Critical, maximum)
  • Action: Audit Dgraph deployments and patch immediately

CVE-2026-33105: Azure Kubernetes Service (CVSS 10.0)

Improper authorization in Microsoft AKS allows unauthenticated network-based privilege escalation. Scope is "Changed," meaning lateral impact beyond the initial access boundary.

  • CVSS: 10.0 (Critical)
  • Status: Patch available via Azure Update Manager
  • Action: Apply patches, review AKS network policies

CVE-2026-34938: PraisonAI Sandbox Bypass (CVSS 10.0)

Complete bypass of PraisonAI's three-layer AI agent sandbox, achieving arbitrary OS command execution on the host.

  • CVSS: 10.0 (Critical)
  • Impact: Host compromise from within AI agent sandbox

CVE-2026-5281: Chrome Zero-Day (4th of 2026)

Use-after-free in Dawn WebGPU. CISA KEV listed April 1, federal deadline April 15.

  • Patch: Chrome 146.0.7680.177/178
  • Scope: All Chromium browsers (Edge, Opera, Vivaldi, Brave)

CISA KEV Status

CVE Product Added Deadline
CVE-2026-5281 Chrome (Dawn) April 1 April 15
CVE-2026-3502 TrueConf Client April 2 April 16
CVE-2026-35616 FortiClient EMS Pending Expected soon

AI Security Threats

RSAC 2026: Agentic AI Dominates the Security Conversation

The conference in San Francisco confirmed agentic AI as the defining security challenge of 2026. Key findings:

  • LLM and GenAI protection is now the #1 security priority for the first time, displacing cloud security
  • AI agent activity looks identical to human activity in most default logging configurations. SOC teams cannot distinguish agent-initiated actions from human actions
  • 85% of enterprises have AI agent pilots, but only 5% are in production with proper security controls
  • Attack surfaces expanding faster than detection and response can keep up, driven by AI-enabled adversaries probing at scale and speed
  • AI coding assistants flagged as a major vulnerability source. Experts warned against allowing agentic AI to operate without human supervision

OpenClaw: CVSS 9.9 with 135,000 Exposed Instances

A privilege escalation vulnerability in OpenClaw allows low-privilege tokens to escalate to admin with remote code execution. Over 135,000 internet-facing instances detected. This is one of the most exposed AI infrastructure vulnerabilities documented this year.

  • CVSS: 9.9 (Critical)
  • Exposure: 135,000+ internet-facing instances
  • Action: Patch immediately, restrict network access

Persistent Prompt Injection: Three-Week Manufacturing Attack

Research on persistent prompt injection showed that agents with long conversation histories are significantly more vulnerable to manipulation. A real-world case involved a manufacturing company's procurement agent being manipulated over three weeks through seemingly helpful clarifications that gradually shifted the agent's behavior.

  • Significance: Shows prompt injection is not just a single-shot attack. Long-running agents accumulate vulnerability over time
  • Defense gap: Most prompt injection defenses focus on single-turn attacks, not multi-turn persistence

Chrome Gemini Live Panel Hijack (CVE-2026-0628)

Unit 42 discovered malicious Chrome extensions could hijack the privileged Gemini Live AI assistant panel, gaining access to camera and microphone. The attack exploits the elevated privileges granted to Google's built-in AI features.

MCP Tool Security: Silent Chat History Exfiltration

Security researchers demonstrated a malicious MCP tool that could silently collect a user's entire chat history without detection, highlighting the trust assumptions in Model Context Protocol integrations.

CrewAI: Four Chained CVEs

Four CVEs in CrewAI allow chaining prompt injection into RCE, SSRF, and file read. The AI agent framework's tool-use capabilities become the attack surface when prompt injection is the entry point.

AI Coding Assistants as Vulnerability Factories

RSAC experts warned that AI coding assistants are introducing vulnerabilities faster than human review can catch them. Combined with the 35 CVEs from AI-generated code in March (up from 6 in January), AI-assisted development is creating systemic risk.

Threat Actor Activity

FortiClient EMS Exploitation Campaign

Exploitation attempts against CVE-2026-35616 were first recorded on March 31, 2026, five days before Fortinet's emergency hotfix. The pre-auth nature of the vulnerability makes it attractive for initial access brokers and ransomware operators targeting enterprise endpoints.

DarkSword iOS Campaigns (Ongoing)

Apple's emergency iOS 18.7.7 patches continue to be relevant as DarkSword exploitation campaigns are observed in Saudi Arabia, Turkey, Malaysia, and Ukraine. Both commercial surveillance vendors and state-backed actors are using the 6-flaw chain for full device takeover.

APT28 (Russia): Office Exploitation

Ongoing targeting of government and military entities using CVE-2026-21509 (Microsoft Office) in multi-stage stealth attack chains.

North Korea: Axios npm Supply Chain

North Korean actors hijacked the Axios npm package, inserting malware into a tool downloaded tens of millions of times weekly. Part of the broader supply chain attack pattern dominating Q1 2026.

Ransomware & Data Breaches

Q1 2026 Ransomware Metrics

Metric Value
Q1 2026 total victims 2,165
March 2026 victims 808 (19% jump from February)
Active ransomware groups 65 distinct operators in March
Annualized 2026 pace 8,660 (18.5% increase over 2025)
Weekly average 168 victims across 43 countries

Notable Incidents

Target Operator Details
EU Commission TeamPCP 340GB via Trivy supply chain; 29+ entities
Mercor Lapsus$ $10B AI startup; LiteLLM supply chain cascade
Nissan Everest Full scope under investigation
fareastfamelineddb TheGentlemen Discovered April 1

Supply Chain Attack Pattern

Three major supply chain attacks in one week (Trivy, LiteLLM, Axios) represents a systemic shift. Supply chain compromise is now the dominant APT playbook for 2026, targeting trusted update channels rather than direct exploitation.

Recommended Actions

Immediate (24-48 hours)

  1. Patch FortiClient EMS: CVE-2026-35616 actively exploited since March 31. Apply hotfix, audit logs for unauthorized API access
  2. Patch Chrome: CVE-2026-5281 federal deadline April 15. All Chromium browsers
  3. Audit OpenClaw: CVSS 9.9 with 135K exposed instances. Restrict network access, upgrade
  4. Review Dgraph: CVE-2026-33976 (CVSS 10.0). Patch or isolate immediately

Short-Term (This Week)

  1. Audit AI agent framework sandboxes: PraisonAI (CVSS 10.0), CrewAI (4 CVEs), OpenClaw all had critical vulns this week
  2. Review Chrome extension permissions: CVE-2026-0628 allows Gemini Live hijack for camera/mic access
  3. Assess MCP tool trust: Audit all Model Context Protocol integrations for data exfiltration risk
  4. Prepare for Patch Tuesday: April 14, expected 80-100+ Microsoft vulnerabilities

Strategic

  1. Deploy AI agent telemetry: RSAC confirmed agent activity is invisible in default logging. Implement agent-specific audit trails
  2. Address non-human identity sprawl: 100:1 ratio, decentralized, rarely audited. Implement lifecycle management
  3. Review AI coding assistant output: 35 CVEs from AI-generated code in March, trend accelerating
  4. Plan Secure Boot certificate rotation: Certificates expire June 26, 2026

Sources

ΛKrypteia Sec Research·April 5, 2026