Daily Threat Intelligence Brief - April 21, 2026

Executive Summary

Oracle's April 2026 Critical Patch Update is live today, delivering 483 new security fixes across Database Server, Fusion Middleware, MySQL, E-Business Suite, GoldenGate, Blockchain Platform, and Java SE. Four of eight Database patches are remotely exploitable without authentication, and GoldenGate alone ships 10 fixes including seven unauthenticated remote flaws. (Oracle Security Alerts)
CISA added eight actively exploited vulnerabilities to the KEV Catalog on April 20 with a federal remediation deadline of May 11, 2026. The batch includes three Cisco Catalyst SD-WAN Manager CVEs (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133), PaperCut NG/MF CVE-2023-27351, JetBrains TeamCity CVE-2024-27199, Kentico Xperience CVE-2025-2749, Quest KACE CVE-2025-32975, and Zimbra CVE-2025-48700. (CISA Alert, The Hacker News)
NCSC, Microsoft Threat Intelligence, and Lumen's Black Lotus Labs publicly disrupted APT28's FrostArmada campaign this month. The GRU Unit 26165 operation hijacked DNS on 18,000+ MikroTik and TP-Link SOHO routers across 120 countries to redirect Microsoft 365 authentication traffic through attacker-controlled AitM proxies. (The Hacker News, BleepingComputer, NCSC)
Microsoft attributes a new wave of Medusa ransomware deployments to China-nexus cluster Storm-1175, which chains zero-day and n-day exploits across PaperCut, Ivanti Connect Secure, ConnectWise ScreenConnect, Microsoft Exchange, and VMware ESXi to move from initial access to full encryption in under 24 hours. (BleepingComputer, The Hacker News)
Trend Micro published the "Sockpuppeting" jailbreak, a single-line assistant-prefill attack that bypasses safety guardrails in 11 major LLMs including GPT-4o, Claude 4 Sonnet, and Gemini 2.5 Flash. Gemini 2.5 Flash was the most vulnerable target at a 15.7% attack success rate; OpenAI, Anthropic, and AWS Bedrock APIs rejecting non-user terminal messages neutralize the technique entirely. (Trend Micro, Cybersecurity News)
Nature Communications published research showing large reasoning models can act as autonomous jailbreak agents, systematically bypassing safety mechanisms in nine widely deployed target LLMs with a 97.14% overall success rate across multi-turn adversarial conversations. The finding reframes red teaming as an adversary-model arms race rather than a human-labor problem. (Nature Communications)
Anthropic MCP's 150M-download architectural RCE remains unpatched on day seven. Defenders must continue treating STDIO launches as privileged subprocesses until the SDKs change. (OX Security, Infosecurity Magazine)
CitrixBleed 3 (CVE-2026-3055, CVE-2026-4368) exposure remains high three weeks past CISA's April 2 deadline, and the unpatched BlueHammer chain in Windows Defender (CVE-2026-33825, "RedSun", "UnDefend") continues to offer SYSTEM-level local escalation and definition-update denial. (Picus Security, Field Effect)
NIST's revised CVE enrichment prioritization took effect on April 15, routing triage capacity toward KEV-adjacent, widely deployed, and high-severity records first. The change is a response to a 263% rise in CVE submissions since 2020 and means defenders will see enrichment gaps on less prominent records. (The Hacker News)

Critical Vulnerabilities

Oracle April 2026 Critical Patch Update: 483 Fixes

Today's Oracle CPU is the largest of 2026 so far, shipping 483 new security patches. Highlights: Oracle Database Server 19.3 through 23.26.1 receives eight fixes, half remotely exploitable without authentication. Oracle GoldenGate ships 10 fixes with seven unauthenticated remote flaws. Oracle Blockchain Platform adds six patches, four of them unauthenticated remote. Oracle Adapter for Eclipse RDF4J ships two unauthenticated remote fixes. Autonomous Health Framework adds one. DBAs should begin regression validation immediately and prioritize any edge-facing Fusion Middleware, WebLogic, and GoldenGate deployments. (Oracle Security Alerts)

CVE-2026-20122, CVE-2026-20128, CVE-2026-20133: Cisco Catalyst SD-WAN Manager (KEV)

All three SD-WAN Manager flaws landed on CISA KEV yesterday. CVE-2026-20122 is an arbitrary file overwrite exploitable by any authenticated account holding read-only API access. CVE-2026-20128 is an information disclosure that elevates a local account to Data Collection Agent user privileges. CVE-2026-20133 is the dangerous outlier: unauthenticated HTTP GET access to sensitive network data, no credentials required. Cisco PSIRT confirmed active exploitation in March on CVE-2026-20128 and CVE-2026-20122, and CISA's addition brings CVE-2026-20133 into the exploited set. Federal deadline is May 11. (Cisco Advisory, SOCRadar, Help Net Security)

CVE-2025-48700: Synacor Zimbra Collaboration Suite (KEV)

CISA added CVE-2025-48700 yesterday after observing in-the-wild exploitation. Zimbra environments tend to sit at the edge and act as a pivot into internal mail infrastructure; audit public-facing ZCS instances, apply Zimbra's latest patched release, and hunt for webshell artifacts in /opt/zimbra/jetty/webapps/. (CISA Alert)

CVE-2023-27351: PaperCut NG/MF Authentication Bypass (KEV)

An improper authentication flaw in the SecurityRequestFilter class that was used by Clop and LockBit in 2023 has returned to active exploitation by Storm-1175. CISA added it yesterday with a May 11 deadline. Upgrade PaperCut, restrict management interfaces to trusted network segments, and review audit logs for unauthenticated admin-console access. (CISA Alert)

CVE-2024-27199: JetBrains TeamCity Authentication Bypass (KEV)

A path traversal based authentication bypass that Storm-1175 and multiple ransomware affiliates are reusing against exposed build servers. TeamCity compromise is a classic supply-chain foothold; after patching, rotate build tokens, inspect recent build plans, and verify artifact signing has not been bypassed. (CISA Alert)

CVE-2025-2749: Kentico Xperience, CVE-2025-32975: Quest KACE Systems Management (KEV)

Both products are commonly internet-exposed in mid-market environments. Kentico is a CMS compromise vector; Quest KACE manages endpoints and can be weaponized for lateral mass deployment. Patch, revoke API tokens, and review scheduled task definitions for tampering. (CISA Alert)

CVE-2026-32201: Microsoft SharePoint Spoofing (KEV)

Active exploitation continues. The cumulative update from April Patch Tuesday is mandatory; audit SharePoint authentication events back to April 1 for identity spoofing indicators. (Security Affairs, Tenable)

CVE-2026-33824: Windows IKE RCE (CVSS 9.8)

Network-accessible, unauthenticated SYSTEM RCE over UDP 500. Exposed VPN concentrators and branch routers are the first-order targets; patch and block inbound IKE at the edge unless the service is essential. (CrowdStrike, ZDI)

CVE-2026-33827: Windows TCP/IP RCE Race Condition (CVSS 9.8)

Wormable-class unauthenticated RCE in the TCP/IP stack. Patch, then restrict inbound SMB and other high-risk protocols at the perimeter until coverage is validated. (Cybersecurity News)

CVE-2026-33825: Windows Defender "BlueHammer" (Still Unpatched)

Microsoft has not shipped a fix. "BlueHammer" grants SYSTEM via a race condition in Defender remediation logic; companion exploits "RedSun" pivot into the update pipeline and "UnDefend" triggers denial of service on definition updates. Deploy Microsoft ASR rules and the vendor-published mitigations until a patch ships. (Field Effect, Picus Security)

CVE-2026-3055 and CVE-2026-4368: Citrix NetScaler "CitrixBleed 3"

Out-of-bounds reads in the SAML IdP path leak administrative session tokens from unauthenticated remote requests. CISA's April 2 federal deadline is three weeks past; watchTowr telemetry still shows tens of thousands of exposed appliances. Complete remediation requires both CVE patches because each targets a distinct overread primitive. (Picus Security, Rapid7)

CVE-2026-20147: Cisco Identity Services Engine RCE (CVSS 9.9)

Authenticated administrator RCE with no workaround. Patch trains: ISE 3.1 to Patch 11, 3.2 to Patch 10, 3.3 to Patch 10, 3.4 to Patch 6, 3.5 to Patch 3. Failed exploitation can crash single-node ISE deployments and break NAC enforcement enterprise-wide. (Cisco Advisory, Cybersecurity News)

CVE-2026-35616, CVE-2026-21643: Fortinet FortiClient EMS (KEV)

Pre-authentication access bypass and unauthenticated SQL injection in FortiClient EMS remain on the active-exploitation list. Patch, rotate EMS admin credentials, and hunt for unauthenticated API traffic to /api/v1/. (The Hacker News, CyberScoop)

CVE-2026-34197: Apache ActiveMQ (KEV)

CISA KEV addition from April 16 with a federal deadline of April 30. FortiGuard Labs observed an exploitation spike on April 14. Upgrade ActiveMQ and restrict OpenWire (TCP 61616) to trusted producers. (CISA Alert, The Hacker News)

CVE-2026-34621: Adobe Acrobat Reader (Exploited)

Active in the wild. Push Adobe's emergency update via MDM, disable JavaScript in Reader, and alert on unusual child processes spawned by AcroRd32.exe. (The Hacker News)

AI Security Threats

AI and agentic security research produced three landmark artifacts in the past 72 hours: a single-line jailbreak that compromises nearly every commercial frontier model, peer-reviewed evidence that large reasoning models can act as autonomous adversaries, and continuing unpatched systemic flaws in the MCP and agent-framework ecosystem that give any prompt injection enterprise-grade blast radius.

Sockpuppeting: One-Line Jailbreak of 11 LLMs

Trend Micro disclosed "Sockpuppeting," a black-box jailbreak that weaponizes the legitimate assistant-prefill API feature. Attackers inject a compliant prefix such as "Sure, here is how to do it," into the assistant-role message, and the model's self-consistency drive completes the harmful content. The technique bypasses safety guardrails in GPT-4o, Claude 4 Sonnet, Gemini 2.5 Flash, DeepSeek, Qwen, Kimi, and five other production LLMs. Gemini 2.5 Flash was the most vulnerable at a 15.7% attack success rate; GPT-4o-mini was the most resistant at 0.5%. The strongest defense is message-ordering validation: AWS Bedrock, OpenAI's API, and Anthropic's Claude 4.6 all reject requests where the terminal message is not role=user, eliminating the entire attack surface. (Trend Micro, Cybersecurity News, GBHackers)

Large Reasoning Models as Autonomous Jailbreak Agents

Nature Communications published research evaluating DeepSeek-R1, Gemini 2.5 Flash, Grok 3 Mini, and Qwen3 235B as autonomous adversaries. The LRMs planned and executed persuasive multi-turn attacks against nine widely used target LLMs, achieving a 97.14% overall jailbreak success rate across model combinations. The implication is structural: adversarial red teaming is no longer labor-bound. Defenders must assume a steady stream of novel, model-generated attack chains and invest in input provenance checks, behavioral anomaly detection, and continuous eval harnesses that run on every deployment. (Nature Communications)

Anthropic MCP 150M-Download Architectural RCE

OX Security's April 15 disclosure is in its seventh day without a vendor fix. The STDIO transport launches any command passed to the interface regardless of whether the MCP server initializes successfully. The affected SDKs, in Python, TypeScript, Java, and Rust, account for 150M+ downloads, 200+ open-source projects, 7,000 public servers, and up to 200,000 instances in the wild. Anthropic has labeled the behavior "expected," placing responsibility with deployers. Wrap every MCP launch in a process supervisor that enforces command allow-listing and restrict stdin to vetted inputs until the SDKs ship hardened transports. (OX Security, Infosecurity Magazine)

CrewAI Four-CVE Chain, LangChain and LangGraph Secret Exposure

CrewAI's default Code Interpreter remains an unpatched prompt-injection-to-RCE path in production agents. CVE-2025-68664 ("LangGrinch", CVSS 9.3) enables deserialization-based extraction of API keys from LangChain Core. CVE-2026-34070 (CVSS 7.5) adds path traversal. CVE-2025-67644 (CVSS 7.3) is SQL injection in LangGraph's SQLite checkpoint implementation. Rotate every credential that passed through these frameworks and upgrade immediately. (Practical DevSecOps, The Hacker News)

MCP Sampling Abuse, Tool Poisoning, Windsurf Zero-Click

Unit 42 published new research on MCP Sampling abuse: attackers piggyback on the sampling primitive to force clients to re-enter privileged tools. Invariant Labs' Tool Poisoning Attack and CyberArk's Full-Schema Poisoning extend the surface well beyond STDIO. Windsurf remains uniquely vulnerable to zero-interaction exploitation under CVE-2026-30615, where Cursor, VS Code, Claude Code, and Gemini-CLI require at least one tool approval. Disable auto-approval, pin MCP servers to signed releases, and audit installed integrations for suspicious manifests. (Unit 42, Practical DevSecOps)

Anthropic Git MCP Server RCE Chain

Three CVEs in Anthropic's Git MCP server (CVE-2025-68145, CVE-2025-68143, CVE-2025-68144) chain via path-validation bypass, unrestricted git_init, and argument injection to achieve RCE through prompt injection. Any agent with filesystem and Git reach through these servers should be considered exploitable until upgraded. (Practical DevSecOps)

Context Window Poisoning in 128K+ Deployments

Context poisoning is emerging as the most under-defended operational vulnerability in production LLMs. Attackers embed instructions deep inside large documents (contracts, RFPs, support tickets) so retrieval-driven agents execute them well after ingestion. Countermeasures: instruction-defense prompts, content-origin metadata, output constraints, retrieval sanitization, and continuous context-integrity monitoring. (BizTech Magazine, Vectra AI)

OpenAI Atlas Browser Hardening

OpenAI published a progress report on hardening ChatGPT Atlas against prompt injection. The company describes a mix of content-origin tagging, tool-call confirmation prompts, and adversarial training, acknowledging that browsing agents represent the sharpest near-term attack surface. Atlas deployments should run inside least-privilege containers with no access to long-lived enterprise credentials. (OpenAI)

Agent Governance and Defender Posture

Microsoft's Agent Governance Toolkit (released April 2) remains the most accessible open-source runtime control for scoped agent identities, tool-call approval, and audit logging. The gap between the 83% of organizations planning agentic AI deployment and the 29% that feel prepared to secure it is the single most exploitable condition in the market. Close it with scoped identities, approval workflows, and audit trails before expanding agent tool access. (Microsoft Open Source, OWASP Gen AI)

Threat Actor Activity

APT28 / Forest Blizzard: FrostArmada Campaign Disrupted

NCSC, Microsoft Threat Intelligence, Lumen's Black Lotus Labs, and international law enforcement jointly disclosed and disrupted APT28's FrostArmada campaign on April 7 through April 8. The operation, active since at least May 2025, compromised more than 18,000 MikroTik and TP-Link SOHO routers across 120 countries at its December 2025 peak. Attackers modified DNS settings on each router to redirect Microsoft 365 authentication traffic through an adversary-in-the-middle node that captured and exfiltrated credentials. Targets concentrated on foreign ministries, law enforcement, and third-party cloud providers across North Africa, Central America, Southeast Asia, and Europe. Attribution rests with GRU Unit 26165 (the 85th Main Special Service Centre) with high confidence. Defensive actions: inventory edge routing, rotate Microsoft 365 credentials for any user whose DNS path is uncertain, and deploy DNS over HTTPS or DNS over TLS with validated resolvers. (The Hacker News, NCSC, BleepingComputer, SC Media)

Storm-1175: Chinese-Nexus Medusa Ransomware Operator

Microsoft attributes a wave of rapid Medusa ransomware intrusions to Storm-1175, a China-based financially motivated group that weaponizes zero-day and n-day vulnerabilities sometimes within 24 hours of initial access. Documented exploitation includes CVE-2026-23760 (SmarterMail), CVE-2025-10035 (GoAnywhere MFT), CVE-2023-27351 and CVE-2023-27350 (PaperCut), CVE-2023-21529 (Microsoft Exchange), CVE-2023-46805 and CVE-2024-21887 (Ivanti Connect Secure and Policy Secure), CVE-2024-1709 (ConnectWise ScreenConnect), and VMware ESXi authentication bypass. Targets skew to healthcare, education, and finance in Australia, the UK, and the US. The 24-hour dwell time forces defenders to treat every unpatched internet-exposed system as a potential pre-positioned foothold. (BleepingComputer, The Hacker News, SecurityWeek)

Iranian APT: OT Hands-On Access Continues

CISA's AA26-097A joint advisory remains active. Iran-affiliated operators persist in hands-on-keyboard manipulation of Rockwell Automation and Allen-Bradley PLCs across US water, energy, and transportation sectors. Tradecraft has shifted from data collection to direct control-action issuance and HMI tampering, following the pattern previously associated with Sandworm. Handala Hack and other MOIS-linked personas continue to stage disruptive operations attributable to the February 28 "Electronic Operations Room." (CISA AA26-097A, SC Media, Unit 42)

Criminal Clusters in the April Window

ShinyHunters: Continues Salesforce-focused extortion. Threatened to release 30M+ records from Marcus & Millichap on April 12, claimed Rockstar Games, and published 2.1M Amtrak records. (DeXpose)
Qilin: Barracuda's April SOC Threat Radar places Qilin as the highest-volume ransomware crew of the month, with vulnerable-endpoint entry points and mass file modification. (Barracuda)
Anubis: Tied to the April 6 Signature Healthcare Brockton Hospital outage that diverted ambulances. (SharkStriker)
Interlock: Recorded Future tied this cluster to March exploitation of Cisco FMC CVE-2026-24858 with follow-on dwell into April. (Recorded Future)

Ransomware & Data Breaches

Victim	Sector	Impact	Attribution
Marcus & Millichap	Real Estate	30M+ Salesforce records threatened for leak	ShinyHunters
Rockstar Games	Gaming	Intrusion under investigation, scope TBD	ShinyHunters
Booking.com	Travel	PII, reservations, phone, addresses exposed	Unspecified
Amtrak	Transportation	2.1M customer records published	ShinyHunters
Basic-Fit	Fitness	200K Dutch members, 1M bank detail records	Unspecified
Winona County	Government	Network taken offline, National Guard assisting	Unspecified
ChipSoft	Healthcare IT	80% of Dutch hospitals disrupted	Unspecified
Brockton Hospital	Healthcare	ER diversion, ambulances rerouted	Anubis
McGraw-Hill	Education	13.5M email records from Salesforce misconfiguration	Unspecified
SongTrivia	Consumer Apps	2.9M accounts with auth tokens and hashes	Unspecified

Ransomware Family	Observed Activity (April 2026)	Sector Focus
Qilin	Highest Barracuda SOC volume	SMB, mixed
Medusa	Storm-1175 deploys inside 24 hours via zero-days	Healthcare, education
ShinyHunters	Salesforce data theft and extortion	Enterprise SaaS
Anubis	Hospital targeting, operational disruption	Healthcare
Interlock	Cisco FMC pivots and lateral movement	Enterprise, network edge
Akira	VPN and edge-device entry	Manufacturing, legal
LockBit	Reduced volume, persistent niche targeting	Mid-market enterprise

Recommended Actions

Immediate (next 24 hours)

Pull the Oracle CPU April 2026 advisory, map exposure, and begin staged deployment for Database, Fusion Middleware, GoldenGate, MySQL, and Java SE. Prioritize unauthenticated remote fixes. (Oracle Security Alerts)
Patch the three Cisco Catalyst SD-WAN Manager CVEs (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) and restrict management-plane access. Assume compromise on any instance with public HTTP reachability. (Cisco Advisory)
Upgrade Zimbra (CVE-2025-48700), PaperCut NG/MF (CVE-2023-27351), JetBrains TeamCity (CVE-2024-27199), Kentico Xperience (CVE-2025-2749), and Quest KACE (CVE-2025-32975) ahead of the May 11 CISA deadline. Hunt for webshells and rotate service tokens. (CISA Alert)
Validate Citrix NetScaler remediation against both CVE-2026-3055 and CVE-2026-4368; rotate SAML IdP session secrets if exposure occurred before April 2. (Picus Security)
Apply the April Microsoft cumulative update for CVE-2026-32201, CVE-2026-33824, and CVE-2026-33827, then deploy BlueHammer mitigations until Microsoft ships a patch. (BleepingComputer)

Short-Term (this week)

Inventory every Anthropic MCP server and wrap STDIO launches in a process supervisor that enforces command allow-listing until SDK hardening ships. (OX Security)
Add message-ordering validation to any gateway fronting an LLM API (reject requests whose terminal message is not role=user) to neutralize Sockpuppeting and similar prefill jailbreaks. (Trend Micro)
Audit CrewAI deployments for default Code Interpreter configurations; disable on untrusted inputs and enforce egress filtering. (Practical DevSecOps)
Upgrade LangChain, LangGraph, and LangSmith; rotate API keys that may have been resident in memory during the vulnerable window. (The Hacker News)
Patch Fortinet FortiSandbox, FortiClient EMS, and FortiGuard appliances against CVE-2026-39808, CVE-2026-39813, CVE-2026-35616, and CVE-2026-21643. (The Hacker News)
Inventory SOHO routers used by remote workers for MikroTik and TP-Link models; upgrade firmware and rotate Microsoft 365 credentials for users whose home routing path is unverified. (NCSC)
Hunt for Iranian APT indicators in OT environments, especially Rockwell and Allen-Bradley PLCs, HMI configuration changes, and anomalous SCADA tag writes. (CISA AA26-097A)
Run Salesforce configuration audits focused on guest user permissions, Aura endpoints, and unmanaged packages to pre-empt the ShinyHunters campaign. (SharkStriker)

Strategic (this quarter)

Stand up an AI and agentic security program aligned to OWASP LLM Top 10 and the Gen AI and Agentic Red Teaming framework. Adopt Microsoft's Agent Governance Toolkit or equivalent runtime primitives: scoped agent identities, tool-call approval flows, and audit logging. (OWASP Gen AI, Microsoft Open Source)
Operationalize continuous adversarial eval harnesses that run on every model or prompt deployment. The Nature Communications LRM-as-attacker finding means human red teaming cannot keep pace; assume automated adversary generation and plan accordingly. (Nature Communications)
Treat MCP servers, tool descriptions, and sampling responses as untrusted inputs. Require signed manifests, pinned versions, and provenance checks before installation. (Unit 42)
Segment IT from OT rigorously, enforce allow-listed egress from control networks, and deploy purpose-built OT monitoring. The Iranian APT campaign shows that "internet-facing OT" is no longer an acceptable deployment pattern. (SC Media)
Red-team SaaS tenant configurations (Salesforce, Workday, ServiceNow, Microsoft 365) assuming a determined extortion group already has valid credentials. ShinyHunters is consistently compromising data via misconfiguration rather than true exploitation. (DeXpose)
Build a healthcare resilience playbook for EMR and clinical-systems outages that assumes multi-day downtime. ChipSoft, Brockton, and repeated hospital diversions across Q1 and Q2 2026 show that single-vendor dependence is now a patient-safety risk. (STAT News)