TLP:CLEAR | CTI-2026-0420

Daily Threat Intelligence Brief - April 20, 2026

April 20, 2026 | 15 min read
Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors

Executive Summary

  • Oracle is scheduled to ship its quarterly Critical Patch Update on April 21, 2026, delivering 483 security patches across the entire product stack including Database, Fusion Middleware, MySQL, E-Business Suite, Blockchain Platform, and Java SE. Staging windows and regression tests should be reserved now. (Oracle Security Alerts)
  • Cisco Identity Services Engine received emergency fixes for CVE-2026-20147 (CVSS 9.9) and CVE-2026-20148, plus three additional Webex and ISE criticals (CVE-2026-20184, CVE-2026-20180, CVE-2026-20186). No workarounds exist and patched trains are mandatory. (The Hacker News, Cisco Advisory)
  • Citrix NetScaler ADC and Gateway continue to be exploited through CVE-2026-3055 and CVE-2026-4368, dubbed "CitrixBleed 3", with tens of thousands of appliances still exposed more than three weeks after CISA's April 2 federal deadline. (Picus Security, Rapid7)
  • Microsoft's April Patch Tuesday remains the dominant exploitation target: CVE-2026-32201 (SharePoint spoofing) is now on CISA KEV, and CVE-2026-33824 (Windows IKE, CVSS 9.8) joins CVE-2026-33827 (TCP/IP RCE) and the unpatched "BlueHammer" chain on defenders' priority list. (Security Affairs, BleepingComputer)
  • OX Security's disclosure that Anthropic's Model Context Protocol SDKs (Python, TypeScript, Java, Rust) carry an architectural RCE reaching 150M+ downloads has entered its sixth day without a vendor fix. Anthropic has publicly labeled the STDIO launch behavior "expected," leaving responsibility with deployers. (Infosecurity Magazine, OX Security)
  • Four chained CVEs in CrewAI convert prompt injection into remote code execution, server-side request forgery, and arbitrary file read, affecting default Code Interpreter configurations that many production agents still run. (Practical DevSecOps)
  • Iran-linked operators continue active exploitation of internet-facing Rockwell Automation and Allen-Bradley PLCs across US water, energy, and transportation sectors, with CISA reporting hands-on interaction with SCADA and HMI interfaces rather than data theft. (SC Media, Infosecurity Magazine)
  • ShinyHunters expanded its spree by threatening to leak 30M+ Salesforce records exfiltrated from real-estate brokerage Marcus & Millichap, while Qilin ransomware continues to dominate incident volume across SMB victims. (DeXpose, Barracuda)
  • Healthcare disruption is intensifying: ChipSoft, provider of electronic patient records for roughly 80% of Dutch hospitals, remains partially offline after an April 7 ransomware incident, and Brockton Hospital in Massachusetts turned away cancer patients on April 6. (SharkStriker, STAT News)

Critical Vulnerabilities

CVE-2026-20147: Cisco Identity Services Engine RCE (CVSS 9.9)

An authenticated remote attacker with administrator credentials can execute arbitrary commands on ISE and ISE-PIC appliances by sending a crafted HTTP request. In single-node deployments, failed exploitation can crash the ISE node, blocking all downstream NAC enforcement and effectively locking endpoints out of the network. Upgrade matrix: ISE 3.1 to Patch 11, 3.2 to Patch 10, 3.3 to Patch 10, 3.4 to Patch 6, and 3.5 to Patch 3. No workaround exists. (Cybersecurity News, Cisco Advisory)

CVE-2026-20184, CVE-2026-20180, CVE-2026-20186: Cisco Webex and ISE Impersonation

Three additional critical flaws allow administrator impersonation and code execution across the Webex and ISE families. Combined with CVE-2026-20147, these flip any stolen helpdesk credential into a full compromise of authentication infrastructure. Prioritize alongside the ISE patch wave. (Cibersafety)

CVE-2026-3055 and CVE-2026-4368: Citrix NetScaler "CitrixBleed 3" (CVSS 9.3)

An out-of-bounds read in the SAML Identity Provider path leaks administrative session tokens and memory contents in response to unauthenticated remote requests. CISA added the CVEs to KEV on March 24 with a federal deadline of April 2, yet watchTowr telemetry from April 18 still shows tens of thousands of exposed appliances. The bug covers at least two distinct overread primitives across different endpoints, so partial patching is not sufficient. (The Hacker News, Citrix Bulletin)

CVE-2026-32201: Microsoft SharePoint Server Spoofing (KEV)

The actively exploited zero-day from April Patch Tuesday was added to CISA KEV on April 14. Attackers are abusing the flaw to impersonate trusted users in internet-facing SharePoint farms; audit authentication events back to April 1 and apply the cumulative update. (CISA Alert, Tenable)

CVE-2026-33824: Windows Internet Key Exchange (IKE) RCE (CVSS 9.8)

A critical pre-authentication RCE in the Windows IKE service, exploitable over UDP 500 without user interaction. Attackers who can reach the IKE service across a VPN concentrator, branch router, or exposed domain controller can obtain SYSTEM-level execution. Patch immediately and restrict IKE exposure where possible. (CrowdStrike, ZDI)

CVE-2026-33827: Windows TCP/IP Race Condition RCE (CVSS 9.8)

A network-level race condition in the TCP/IP stack allows unauthenticated remote code execution. Wormable-class vulnerability given the lack of preconditions; apply patches and block inbound SMB and other high-risk protocols at the edge. (Cybersecurity News)

CVE-2026-33825: Windows Defender "BlueHammer" Race Condition (Unpatched)

Still without an official Microsoft fix. A leaked proof-of-concept grants SYSTEM via a race condition in Defender's file remediation logic, with follow-on exploits "UnDefend" and "RedSun" targeting the update channel and cloud-tag handling. Deploy Microsoft's ASR rules and mitigations from Picus Security and CrowdStrike until a patch ships. (Picus Security, Security Boulevard)

CVE-2026-35616: Fortinet FortiClient EMS (CVSS 9.1, Exploited)

Pre-authentication API access bypass leading to privilege escalation, added to CISA KEV after out-of-band fixes. Hunt for unauthenticated API traffic to /api/v1/ on EMS servers and rotate management credentials. (The Hacker News)

CVE-2026-34197: Apache ActiveMQ Classic (CVSS 8.8, KEV)

CISA added this to KEV on April 16 with a federal remediation deadline of April 30. FortiGuard Labs measured a spike in exploitation on April 14; upgrade ActiveMQ and restrict OpenWire (TCP 61616) to trusted producers. (CISA Alert, The Hacker News)

CVE-2026-39808 and CVE-2026-39813: Fortinet FortiSandbox

Two FortiSandbox authentication-bypass and code-execution flaws with a public PoC from April 18 now actively being adapted by red teams. Isolate management interfaces and apply Fortinet's advisory. (Security Boulevard)

CVE-2026-21643: Fortinet FortiClient EMS SQL Injection (KEV)

Unauthenticated SQLi enabling remote administrative command execution. CISA flagged the CVE on April 13; patching and credential rotation are non-negotiable. (Cybersecurity News)

CVE-2026-34621: Adobe Acrobat Reader (CVSS 8.6, Exploited)

Active exploitation continues in the wild. Deploy Adobe's emergency update through MDM, disable JavaScript in Reader, and alert on unusual child processes spawned by AcroRd32.exe. (The Hacker News)
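
The child-process alert recommended above, sketched as an added example (not from Adobe or the cited source). It assumes process-creation events with Sysmon Event ID 1 field names; the baseline child names and install roots are assumptions to verify against your own telemetry, and the events are constructed.

```python
import ntpath

PARENT = "acrord32.exe"
# Assumed baseline of legitimate children and install roots; tune per fleet.
BASELINE_CHILDREN = {"acrord32.exe", "rdrcef.exe", "adobearm.exe"}
ADOBE_ROOTS = (
    r"c:\program files (x86)\adobe",
    r"c:\program files (x86)\common files\adobe",
    r"c:\program files\adobe",
)

def under_adobe_root(image):
    """True when the normalized image path sits below an assumed install root."""
    path = ntpath.normpath(image).lower()
    return any(path.startswith(root + "\\") for root in ADOBE_ROOTS)

def unusual_reader_children(events):
    """Return (reason, event) pairs for process creations worth an alert."""
    alerts = []
    for ev in events:
        if ntpath.basename(ev.get("ParentImage", "")).lower() != PARENT:
            continue
        image = ev.get("Image", "")
        child = ntpath.basename(image).lower()
        if child not in BASELINE_CHILDREN:
            alerts.append(("child not in baseline", ev))
        elif not under_adobe_root(image):
            # A familiar name running from an unexpected directory.
            alerts.append(("baseline name outside Adobe install path", ev))
    return alerts

# Constructed sample events.
READER = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
EVENTS = [
    {"ParentImage": READER,
     "Image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"},
    {"ParentImage": READER, "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": READER, "Image": r"C:\Users\Public\RdrCEF.exe"},
]

if __name__ == "__main__":
    for reason, ev in unusual_reader_children(EVENTS):
        print(reason, "->", ev["Image"])
```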

Oracle Critical Patch Update (April 21, 2026)

Oracle's quarterly CPU ships tomorrow and is expected to deliver 483 new security patches across Database Server, Fusion Middleware, MySQL, E-Business Suite, Blockchain Platform, and Java SE. Multiple flaws are remotely exploitable without authentication. DBAs should schedule change windows, regression suites, and rollback checkpoints today. (Oracle Security Alerts)

AI Security Threats

AI and agentic systems are generating a disproportionate share of this quarter's novel vulnerability classes, and April 2026 has continued the pattern with systemic flaws in foundational libraries, chained exploits in agent frameworks, and expanded CISA involvement. The common theme: when agents are granted credentials, filesystem access, or network reach, the blast radius of a single prompt injection or malicious tool description approaches that of a full administrative compromise.

Anthropic MCP 150M-Download Architectural RCE

OX Security's April 15 disclosure remains unpatched six days later. The flaw is not a coding bug but a design choice in the STDIO transport that launches any command passed to the interface regardless of whether the server initializes successfully. The result is arbitrary command execution on more than 200 open-source projects, 7,000+ publicly accessible servers, and up to 200,000 vulnerable instances. Anthropic told researchers the behavior is "expected." Until the SDKs change, defenders must treat MCP deployments as privileged subprocesses and restrict the commands and arguments they can receive from untrusted clients. (OX Security, Infosecurity Magazine)
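
One way to apply the "privileged subprocess" advice above, as an added example that is not code from OX Security, Anthropic or any MCP SDK: a supervisor-side check that compares each requested STDIO launch with a reviewed inventory before anything is spawned. Server names, executable paths, argument templates and roots are constructed assumptions.

```python
import posixpath

SHELL_META = set(";|&$`<>\n\\\"'(){}*?!")

# Constructed inventory: names, executable paths and roots are assumptions.
POLICY = {
    "git-tools": {"command": "/opt/mcp/bin/mcp-server-git",
                  "argv": ["--repository", "{path}"], "path_root": "/srv/repos"},
    "docs-search": {"command": "/opt/mcp/bin/mcp-server-docs",
                    "argv": ["--index", "{path}", "--read-only"],
                    "path_root": "/srv/docs"},
}

def check_launch(name, command, args):
    """Return (allowed, reason) for one requested STDIO server launch."""
    entry = POLICY.get(name)
    if entry is None:
        return False, "server not in inventory"
    if command != entry["command"]:
        return False, "command does not match pinned executable"
    if len(args) != len(entry["argv"]):
        return False, "unexpected argument count"
    for given, expected in zip(args, entry["argv"]):
        if any(ch in SHELL_META for ch in given):
            return False, "shell metacharacter in argument"
        if expected != "{path}":
            if given != expected:
                return False, "argument differs from reviewed template"
            continue
        # Path slot: refuse option-like values and anything outside the root.
        if given.startswith("-"):
            return False, "option-like value in path slot"
        root = entry["path_root"]
        resolved = posixpath.normpath(posixpath.join(root, given))
        if posixpath.commonpath([root, resolved]) != root:
            return False, "path escapes allowed root"
    return True, "ok"

# Constructed launch requests, as a supervisor might receive them from clients.
REQUESTS = [
    ("git-tools", "/opt/mcp/bin/mcp-server-git", ["--repository", "billing-api"]),
    ("git-tools", "/bin/sh", ["-c", "echo constructed"]),
    ("git-tools", "/opt/mcp/bin/mcp-server-git", ["--repository", "../../etc"]),
    ("docs-search", "/opt/mcp/bin/mcp-server-docs", ["--index", "kb", "--write"]),
    ("scratch", "/opt/mcp/bin/mcp-server-git", ["--repository", "billing-api"]),
]

if __name__ == "__main__":
    for name, command, args in REQUESTS:
        print(name, command, args, "->", check_launch(name, command, args))
```

Only a request that returns `(True, "ok")` should reach the spawn call, and the spawn should pass the argument list directly rather than through a shell.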

CrewAI Four-CVE Exploit Chain

Researchers have published a chain of four CVEs in CrewAI that converts a single prompt injection into full remote code execution, server-side request forgery, and arbitrary file read. The chain abuses the default Code Interpreter configuration and targets the agent's internal task broker. Any production deployment running CrewAI with default tool settings and internet-exposed prompts should be treated as exploitable. Mitigation priorities: pin CrewAI to the current patched release, disable Code Interpreter for untrusted inputs, and enforce egress filtering to block SSRF pivoting. (Practical DevSecOps)

LangChain and LangGraph Secret Exposure

CVE-2025-68664 ("LangGrinch", CVSS 9.3) enables deserialization-based extraction of API keys and environment secrets from LangChain Core. CVE-2026-34070 (CVSS 7.5) adds a path traversal in LangChain that reads arbitrary files without validation. CVE-2025-67644 (CVSS 7.3) is an SQL injection in the LangGraph SQLite checkpoint implementation. Any AI application that stores agent state, customer records, or third-party tokens in these frameworks should audit exposure. (The Hacker News, SC Media)

MCP Sampling and Tool Poisoning Research

Unit 42 published a new research track April 14 covering MCP Sampling abuse: attackers piggyback on the sampling primitive to force an AI client to re-enter a privileged tool or reveal context it would otherwise refuse. Combined with Invariant Labs' Tool Poisoning Attack and CyberArk's Full-Schema Poisoning, the attack surface for MCP extends well beyond the STDIO transport. Treat every tool description, parameter schema, and sampled reply as untrusted input. (Unit 42, Authzed Timeline)
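
Treating tool descriptions and parameter schemas as untrusted input can be enforced by pinning what was reviewed. The following is an added example, not code from Unit 42, Invariant Labs or CyberArk: it fingerprints the `name`, `description` and `inputSchema` fields of each tool in an MCP tools listing and withholds any tool whose definition has drifted since review. Tool names and listings are constructed.

```python
import copy
import hashlib
import json

def fingerprint(tool):
    """SHA-256 over the fields a model reads: name, description, inputSchema."""
    material = {k: tool.get(k) for k in ("name", "description", "inputSchema")}
    blob = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def pin(tools):
    """Record fingerprints at review time."""
    return {t["name"]: fingerprint(t) for t in tools}

def drift(pins, tools):
    """Compare a fresh tools listing with the reviewed pins."""
    seen = pin(tools)
    return {
        "changed": sorted(n for n in seen if n in pins and seen[n] != pins[n]),
        "unpinned": sorted(n for n in seen if n not in pins),
        "missing": sorted(n for n in pins if n not in seen),
    }

def exposable(pins, tools):
    """Names of tools whose current definition still matches its pin."""
    return [t["name"] for t in tools if pins.get(t["name"]) == fingerprint(t)]

def _tool(name, description, param):
    schema = {"type": "object", "properties": {param: {"type": "string"}}}
    return {"name": name, "description": description, "inputSchema": schema}

# Constructed listings: what was reviewed, and what the server returned later.
REVIEWED = [
    _tool("read_file", "Read a file from the workspace.", "path"),
    _tool("search", "Search indexed documents.", "query"),
    _tool("list_dir", "List a workspace directory.", "path"),
]
LATER = copy.deepcopy(REVIEWED)
LATER[0]["description"] += " [constructed: text added after review]"
LATER[1]["inputSchema"]["properties"]["notes"] = {
    "type": "string", "description": "[constructed: field added after review]"}
LATER.append(_tool("export", "Export results.", "target"))

if __name__ == "__main__":
    pins = pin(REVIEWED)
    print(drift(pins, LATER))
    print("exposed to model:", exposable(pins, LATER))
```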

Windsurf Zero-Click MCP Injection (CVE-2026-30615)

Cursor, VS Code, Claude Code, and Gemini-CLI are confirmed vulnerable to MCP-based prompt injection, but Windsurf is uniquely vulnerable to zero-interaction exploitation. Disable auto-approval for tool calls, restrict MCP servers to signed and pinned sources, and audit previously installed integrations for suspicious manifests. (Practical DevSecOps)

Anthropic Git MCP Server RCE Chain

Three CVEs in Anthropic's Git MCP server (CVE-2025-68145, CVE-2025-68143, CVE-2025-68144) chain together to achieve RCE via prompt injection through path validation bypass, unrestricted git_init, and argument injection. Any agent with filesystem and Git access through these servers should be considered exploitable until upgraded. (Practical DevSecOps)

Context Window Poisoning in Long-Context Systems

Context window poisoning is emerging as one of the most under-defended operational vulnerabilities in production LLM deployments. Attackers embed instructions deep within 128K+ token documents (legal contracts, RFPs, support tickets) to hijack generation once the agent retrieves them. Countermeasures include instruction-defense prompts, content-origin metadata, output constraints, and retrieval sanitization. (BizTech Magazine, Vectra AI)

Agent Governance Toolkit and Defender Posture

Microsoft released the open-source Agent Governance Toolkit on April 2 to provide runtime security primitives for AI agents: scoped identities, tool-call approval flows, and audit logging for frameworks that lack native controls. This is a direct response to Cisco's State of AI Security 2026 finding that 83% of organizations plan to deploy agentic AI but only 29% feel ready to do so securely. The gap between ambition and readiness is the most exploitable condition in the market right now. (Microsoft Open Source, OWASP Gen AI)

Threat Actor Activity

Iran-affiliated APT operators are the headline story for April: CISA's AA26-097A advisory, co-signed by FBI, NSA, EPA, DOE, and US Cyber Command, describes persistent hands-on access to Rockwell Automation and Allen-Bradley PLCs deployed in US energy, water, transportation, and telecommunications. The operators have been observed manipulating project files, altering HMI and SCADA displays, and exercising direct control actions rather than exfiltrating data. This is the kind of infrastructure-manipulation tradecraft previously associated with Sandworm, now demonstrated against US targets. (CISA AA26-097A, Trellix)

Chinese state-sponsored activity remains elevated against telecommunications and managed service provider networks per a joint advisory released earlier this quarter. The focus is credential harvesting, traffic interception, and long-dwell access supporting espionage collection. (CISA News)

Criminal clusters in the mid-April window:

  • ShinyHunters: Threatened to dump 30M+ Salesforce records from Marcus & Millichap on April 12, claimed responsibility for the Rockstar Games intrusion, and released 2.1M Amtrak records. The group is targeting Salesforce misconfigurations at scale. (DeXpose)
  • Qilin: Barracuda's April SOC Threat Radar identifies Qilin as the most active ransomware crew of the month, with observed tradecraft including vulnerable endpoint entry points, mass file modification, and suspicious execution activity. (Barracuda)
  • Interlock: Recorded Future tied this group to a March exploitation campaign against Cisco FMC via CVE-2026-24858, with dwell time still visible in April incident response engagements. (Recorded Future)

Ransomware & Data Breaches

| Victim | Sector | Impact | Attribution |
|---|---|---|---|
| Marcus & Millichap | Real Estate | Threat to leak 30M+ Salesforce records | ShinyHunters |
| Rockstar Games | Gaming | Intrusion under investigation, scope TBD | ShinyHunters |
| Booking.com | Travel | Reservation details, PII, phone, addresses exposed | Unspecified criminal |
| Amtrak | Transportation | 2.1M customer records published | ShinyHunters |
| McGraw-Hill | Education | 13.5M email records from Salesforce misconfiguration | Unspecified criminal |
| ChipSoft | Healthcare IT | 80% of Dutch hospitals disrupted, portals offline | Unspecified ransomware |
| Brockton Hospital | Healthcare | Cancer patients turned away during outage | Unspecified criminal |
| SongTrivia | Consumer Apps | 2.9M accounts with auth tokens, hashes, PII | Unspecified ransomware |

| Ransomware Family | Observed Activity (April 2026) | Sector Focus |
|---|---|---|
| Qilin | Highest volume of Barracuda SOC incidents | SMB, mixed |
| ShinyHunters | Salesforce-based data theft and extortion | Enterprise SaaS customers |
| Interlock | Cisco FMC zero-day pivots and lateral movement | Enterprise, network edge |
| Akira | Continued VPN and edge-device entry | Manufacturing, legal |
| LockBit | Reduced volume but persistent niche targeting | Mid-market enterprise |

Recommended Actions

Immediate (next 24 hours)

  • Stage Oracle CPU April 2026 patches today; be ready to begin deployment after release on April 21. (Oracle CPU Advisory)
  • Apply Cisco ISE patches for CVE-2026-20147 and companion CVEs; no workarounds exist. (Cisco Advisory)
  • Validate Citrix NetScaler appliances are fully remediated against CVE-2026-3055 and CVE-2026-4368; rotate any SAML IdP session secrets. (Picus Security)
  • Verify Microsoft April Patch Tuesday coverage for CVE-2026-32201, CVE-2026-33824, CVE-2026-33827, and deploy BlueHammer mitigations until Microsoft ships a fix. (BleepingComputer)
  • Patch Apache ActiveMQ before the April 30 CISA deadline and restrict OpenWire exposure. (CISA Alert)

Short-Term (this week)

  • Inventory every Anthropic MCP server running inside the organization, wrap launches in a process supervisor that rejects unexpected commands, and restrict stdin to a vetted allow-list until SDKs update. (OX Security)
  • Audit CrewAI deployments for default Code Interpreter configurations and disable on untrusted inputs; enforce egress filtering to contain SSRF. (Practical DevSecOps)
  • Upgrade LangChain, LangGraph, and LangSmith to the latest patched releases and rotate API keys that may have been resident in memory. (The Hacker News)
  • Confirm Fortinet FortiSandbox, FortiClient EMS, and FortiGuard appliances are patched against CVE-2026-39808, CVE-2026-39813, CVE-2026-35616, and CVE-2026-21643. (The Hacker News)
  • Hunt for Iranian APT indicators across OT environments, especially Rockwell and Allen-Bradley PLCs, HMI configuration changes, and anomalous SCADA tag writes. (CISA AA26-097A)
  • Run Salesforce configuration audits, focusing on guest user permissions, Aura endpoints, and unmanaged packages, to pre-empt the ShinyHunters campaign. (SharkStriker)

Strategic (this quarter)

  • Establish an AI and agentic security program aligned to OWASP LLM Top 10 and the Gen AI and Agentic Red Teaming framework. Build scoped agent identities, tool-call approval workflows, and audit trails using the Microsoft Agent Governance Toolkit or equivalent controls. (OWASP Gen AI, Microsoft Open Source)
  • Treat MCP servers, tool descriptions, and sampling responses as untrusted inputs subject to the same assurance model as third-party code. Require signed manifests and pinned versions before installation. (Unit 42)
  • Segment IT from OT strictly, enforce allow-listed egress from control networks, and deploy purpose-built OT monitoring to detect HMI and PLC tampering. The Iranian APT campaign shows that "internet-facing OT" is no longer an acceptable deployment pattern. (SC Media)
  • Red-team SaaS tenant configurations (Salesforce, Workday, ServiceNow, Microsoft 365) assuming a determined extortion group has valid credentials. ShinyHunters is consistently compromising data via misconfiguration rather than true exploitation. (DeXpose)
  • Build a healthcare resilience playbook for EMR provider outages (ChipSoft, Epic, Cerner) that assumes multi-day downtime; patient safety cannot depend on one vendor's cloud. (STAT News)

Sources