Daily Threat Intelligence Brief - April 19, 2026

Executive Summary

Microsoft's April Patch Tuesday addressed 167 to 168 vulnerabilities including two zero-days, with CVE-2026-32201 (SharePoint Server spoofing) confirmed under active exploitation. (BleepingComputer)
A leaked proof-of-concept dubbed "BlueHammer" weaponizes a Windows Defender race condition (CVE-2026-33825), enabling SYSTEM-level code execution from an unprivileged account. (Picus Security)
Fortinet shipped out-of-band fixes for CVE-2026-35616 in FortiClient EMS (CVSS 9.1), a pre-authentication API bypass already seen in the wild. (The Hacker News)
McGraw-Hill confirmed a Salesforce misconfiguration breach exposing 13.5 million unique email records with names, phone numbers, and addresses. (Cybersecurity News)
CISA and partner agencies warn that Iran-affiliated actors continue active exploitation of internet-facing Rockwell Automation and Allen-Bradley PLCs across US energy, water, and government facilities. (CISA AA26-097A)
OX Security disclosed an architectural RCE in Anthropic's Model Context Protocol SDKs (Python, TypeScript, Java, Rust) impacting deployments with 150M+ downloads, plus a zero-click MCP injection in Windsurf (CVE-2026-30615). (OX Security)
ShinyHunters published 2.1 million Amtrak customer records and claimed responsibility for a Rockstar Games intrusion, while Booking.com notified customers of reservation data exposure on April 12. (SharkStriker)
Operation PowerOFF dismantled 53 booter domains and arrested four operators tied to a DDoS-for-hire service used by 75,000+ cybercriminals. (Security Boulevard)
A new public PoC dropped April 18 for FortiSandbox CVE-2026-39808, raising urgency for sandboxed-detonation users. (Security Boulevard)

Critical Vulnerabilities

CVE-2026-32201: Microsoft SharePoint Server Spoofing (Actively Exploited)

The standout zero-day from April Patch Tuesday. The flaw allows attackers to conduct spoofing attacks against SharePoint environments and is being leveraged in targeted intrusions. Apply the cumulative SharePoint update immediately and audit recent authentication events on any internet-facing farms. (The Hacker News, Tenable)

CVE-2026-33827: Windows TCP/IP Remote Code Execution (CVSS 9.8)

A pre-authentication network-level RCE in the Windows TCP/IP stack. Exploitation in certain configurations does not require user interaction, making this a wormable candidate. Patch all supported Windows Server and client SKUs; restrict inbound IP traffic on segments not yet remediated. (Cybersecurity News, Windows News)

CVE-2026-33826: Windows Active Directory RCE (Critical)

Improper input validation in Active Directory permits an authenticated low-privilege attacker to execute arbitrary code over an adjacent network without user interaction. Exposed staff accounts on flat networks are the highest risk. (Cybersecurity News)

CVE-2026-33825: Windows Defender "BlueHammer" Race Condition (Public PoC)

Disclosed April 7 with a fully functional exploit released by researchers using the aliases "Chaotic Eclipse" and "Nightmare-Eclipse" after a dispute with MSRC. The race condition in Defender's file remediation logic allows an unprivileged user to overwrite arbitrary files and obtain SYSTEM. Companion exploits "UnDefend" and "RedSun" have since appeared, targeting Defender's update mechanism and cloud-tagged file handling. (Security Boulevard, The Hacker News)

CVE-2026-34621: Adobe Acrobat Reader (CVSS 8.6, Actively Exploited)

Adobe pushed an emergency update for an Acrobat Reader flaw under active exploitation in the wild. Mitigations: disable JavaScript in Reader, deploy the patch via SCCM/MDM, and watch for unusual child processes spawned by AcroRd32.exe. (The Hacker News)

CVE-2026-35616: Fortinet FortiClient EMS (CVSS 9.1, Actively Exploited)

A pre-authentication API access bypass leading to privilege escalation. Fortinet released out-of-band patches; CISA added the CVE to KEV the same week. EDR telemetry should look for unauthenticated API calls to /api/v1/ endpoints. (The Hacker News)

CVE-2026-34197: Apache ActiveMQ Classic (CVSS 8.8)

CISA added this to KEV with a federal remediation deadline of April 30, 2026. FortiGuard Labs observed dozens of exploitation attempts peaking April 14. Upgrade to a patched ActiveMQ release and restrict OpenWire (port 61616) access. (CISA Alert, The Hacker News)

CVE-2026-21643: Fortinet SQL Injection (Unauthenticated)

CISA flagged this SQLi as actively exploited; no authentication is required to execute administrative commands remotely. Patch Fortinet appliances on the affected branches and rotate any credentials potentially extractable via the database. (Cybersecurity News)

CVE-2026-3502: TrueConf Unverified Code Download

Missing integrity checks let attackers serve modified updates. CISA added this to KEV April 2 with a remediation deadline of April 16. Force endpoints to the latest TrueConf build and pin update channels through approved infrastructure. (Cybersecurity News)

CVE-2026-39808: Fortinet FortiSandbox (PoC Released April 18)

A working proof-of-concept was published yesterday for a critical FortiSandbox flaw, accelerating the exploitation timeline. Customers using FortiSandbox for malware detonation should apply available mitigations and isolate management interfaces. (Security Boulevard)

AI Security Threats

Architectural RCE in Anthropic's Model Context Protocol

OX Security researchers disclosed a systemic remote code execution vulnerability in Anthropic's official MCP SDKs across Python, TypeScript, Java, and Rust, reaching deployments with more than 150 million combined downloads. The flaw is described as an architectural design decision rather than a coding mistake, granting attackers access to user data, internal databases, API keys, and chat history wherever a vulnerable MCP server is reachable. (OX Security)

Zero-Click MCP Injection in Windsurf (CVE-2026-30615)

Cursor, VS Code, Windsurf, Claude Code, and Gemini-CLI are all confirmed vulnerable to MCP-based prompt injection. Windsurf is the only IDE where exploitation requires zero user interaction, making it the priority target for current campaigns. Developers should restrict MCP servers to trusted sources, audit installed integrations, and disable auto-approval for tool calls. (Practical DevSecOps)

Anthropic Git MCP Server RCE Chain

Three CVEs in Anthropic's Git MCP server (CVE-2025-68145, CVE-2025-68143, CVE-2025-68144) chain together to achieve remote code execution via prompt injection: path validation bypass, unrestricted git_init, and argument injection. Any agent with filesystem and Git access through these servers should be considered exploitable until upgraded. (Practical DevSecOps)

Prompt Injection Remains OWASP LLM01

Researchers continue to record extraordinary success rates for prompt injection. A widely cited 2025 dataset documented 461,640 submissions with success rates between 50% and 84% depending on technique. The UK's National Cyber Security Centre warned in December 2025 that prompt injection "may be a problem that is never fully fixed," because it stems from how LLMs interpret natural language. (OWASP Gen AI, Securance)

AI Agent Traps and the Hijacked Browser Agent

Google DeepMind researchers and independent teams have catalogued an attack class dubbed "AI Agent Traps." Six distinct attack patterns abuse agents that browse the web, allowing adversaries to manipulate, deceive, and weaponize visiting agents to promote products, exfiltrate data, or amplify content at scale. Tool misuse and privilege escalation lead reported incidents (520 cases), while memory poisoning and supply chain attacks carry the highest severity per incident. (SecurityWeek, Stellar Cyber)

IBM Launches Agentic Attack Defenses

IBM announced new cybersecurity measures on April 15 specifically to help enterprises confront agentic attacks. The company notes that adversaries are weaponizing frontier models to accelerate every phase of the attack lifecycle, dramatically lowering the time, cost, and expertise required for sophisticated intrusions. (IBM Newsroom)

Threat Snapshot: Agentic AI Risk Matrix

Risk Category	Reported Incidents	Severity Profile
Tool misuse / priv esc	520	Moderate, high frequency
Prompt injection (direct)	410	Moderate, scalable
Indirect prompt injection	285	High, hard to detect
Memory poisoning	70	High, persistent
Supply chain (MCP, plugins)	55	Critical, cascading

Source: aggregated from Stellar Cyber, OWASP Agentic AI, and Adversa AI April 2026 roundups. (Adversa AI, OWASP Agentic AI)

Threat Actor Activity

Iran-Affiliated Actors Targeting US OT (CISA AA26-097A)

Since at least March 2026, Iran-affiliated APTs have disrupted programmable logic controllers across US Government Services, Water and Wastewater, and Energy facilities. Targeted PLCs include Rockwell Automation and Allen-Bradley devices left exposed to the public internet. Some victims experienced operational disruption and direct financial loss. Defenders should remove PLCs from direct internet exposure, enforce non-default credentials, and monitor for Modbus and EtherNet/IP traffic from foreign infrastructure. (CISA AA26-097A, Infosecurity Magazine)

Salt Typhoon: Congressional Email Targeting

Salt Typhoon, attributed to China's Ministry of State Security, achieved persistent access to US House Committee staff email accounts focused on China policy and national security oversight. The group continues to use GhostSpider and Masol RAT backdoors and has been active against telecom carriers globally. (TechCrunch, Tenable)

Volt Typhoon Subgroups Deploy ImpWaferRing

April reporting describes Volt Typhoon subgroups distributing custom malware "ImpWaferRing" to siphon metadata from US fiber-optic networks. The group continues to abuse SOHO routers as proxies and lean on living-off-the-land techniques on compromised Fortinet appliances. (Eclypsium, MixMode)

APT41 Probes Epic Systems EHR Platforms

Chengdu-based APT41 is reportedly scanning US healthcare providers in California for zero-days in Epic Systems EHR deployments. Healthcare CISOs should validate Epic patch levels, audit Hyperspace and Chronicles administrative access, and watch for anomalous Citrix or VPN sessions originating from Asian Pacific infrastructure. (RH-ISAC)

APT36 Industrializes Malware via AI

APT36 became the first documented nation-state actor to operate AI as a "malware assembly line," producing polymorphic variants at machine speed. Defenders relying on signature-only detection are losing ground; behavioral and identity-centric detections should be prioritized. (Cyble)

Ransomware and Data Breaches

Top Confirmed April 2026 Incidents

Victim	Sector	Records / Impact	Actor	Date
McGraw-Hill	Education	13.5M users, Salesforce misconfig	Unknown	2026-04-XX
Amtrak	Transportation	2.1M customer records	ShinyHunters	2026-04-XX
SongTrivia Inc.	Gaming / SaaS	2.917M accounts, creds + tokens	Unknown forum	2026-04-XX
Basic-Fit	Fitness	~1M customer records	Unknown	2026-04-XX
Booking.com	Travel	Reservation PII (full scope TBD)	Unknown	2026-04-12
Rockstar Games	Gaming	Scope under investigation	ShinyHunters	2026-04-XX
ChipSoft	Healthcare IT	Public services disrupted	Unknown	2026-04-07
Middlesex Cty	Government	Town and public safety systems	Unknown	2026-04-01
Fiverr	Marketplace	Customer files indexed by Google	N/A (exposure)	2026-04-18

Sources: (SharkStriker, Cybersecurity News, Privacy Guides)

Ransomware Volume

In the first week of April 2026, researchers tracked 168 ransomware victims across 43 countries, claimed by 31 distinct data-leak operators. SafePay, ShinyHunters, INC_RANSOM, DragonForce, and LAMASHTU were among the most active brands on April 17. (SharkStriker, Security Boulevard)

Law Enforcement: Operation PowerOFF

An international takedown seized 53 booter and stresser domains and arrested four operators tied to commercial DDoS infrastructure used by more than 75,000 customers. Expect short-term displacement to alternative services rather than a sustained drop in attack volume. (Security Boulevard)

Recommended Actions

Immediate (next 24 to 72 hours)

Patch Microsoft April 2026 cumulative updates, prioritizing SharePoint (CVE-2026-32201), Windows TCP/IP (CVE-2026-33827), and Active Directory (CVE-2026-33826).
Apply Fortinet out-of-band fixes for FortiClient EMS (CVE-2026-35616) and validate FortiSandbox exposure ahead of widespread CVE-2026-39808 exploitation.
Roll out Adobe Reader updates for CVE-2026-34621 across all managed endpoints.
Hunt for Defender bypass indicators tied to BlueHammer, UnDefend, and RedSun. Ensure tamper protection is enforced and EDR telemetry is forwarded off host.
Disable or strictly restrict any Anthropic MCP server deployments until upgrades are validated. Audit Cursor, VS Code, Windsurf, Claude Code, and Gemini-CLI MCP integrations for untrusted sources.

Short-Term (next 1 to 2 weeks)

Meet CISA KEV deadlines for CVE-2026-34197 (Apache ActiveMQ, due April 30) and remediate CVE-2026-21643 (Fortinet SQLi) and CVE-2026-3502 (TrueConf).
Pull internet-exposed PLCs behind VPN or reverse proxy, enforce unique credentials, and run a Modbus / EtherNet/IP egress baseline per CISA AA26-097A.
For SharePoint, AD, and Defender CVEs: assume compromise where patching lagged the exploit window, and run targeted threat hunts against Kerberos abuse, abnormal SharePoint workflow accounts, and Defender service tampering events.
Notify customers and reset secrets affected by the McGraw-Hill, Amtrak, SongTrivia, Basic-Fit, and Booking.com breaches if your organization shares any user populations.

Strategic

Treat MCP and other agentic tool ecosystems as production attack surface. Establish a Model Context Protocol governance policy: signed servers, allow-listed tools, sandboxed execution, scoped credentials, and continuous review.
Build an internal "AI agent change board" that gates new tool integrations the same way you gate third-party SaaS.
Update ICS / OT detection programs to assume Iranian and Chinese pre-positioning. Validate logical segmentation between IT and OT, and rehearse manual operations playbooks for water, power, and transport functions.
Adopt the OWASP Agentic AI top 10 and the Coalition for Secure AI MCP taxonomy as the baseline for AI risk assessments. (OWASP Agentic AI, OASIS)
Refresh tabletop scenarios to include AI-accelerated adversaries (APT36-style polymorphic generation, prompt-injected coding agents, and zero-click MCP exploitation).