Krypteia Sec
Back to Threat Intel
TLP:CLEARCTI-2026-0422

Daily Threat Intelligence Brief - April 22, 2026

April 22, 202618 min read
ctivulnerabilitiesransomwareai-securityagentic-aithreat-actors

Executive Summary

  • Oracle's April 2026 Critical Patch Update, released yesterday, addresses 241 unique CVEs across 481 patches spanning 28 product families. Seven percent are rated critical and the batch is the largest single Oracle release of the year so far. Regression-validate Database Server, Fusion Middleware, WebLogic, MySQL, E-Business Suite, and GoldenGate changes and prioritize any edge-facing instance before end of week. (Oracle Security Alerts, Tenable)
  • CISA's April 20 KEV batch carries two overlapping federal deadlines. CVE-2026-20133, the unauthenticated sensitive-data disclosure in Cisco Catalyst SD-WAN Manager, has been called out with an accelerated April 23 deadline. The other seven entries (CVE-2026-20122, CVE-2026-20128, CVE-2023-27351 PaperCut, CVE-2024-27199 JetBrains TeamCity, CVE-2025-48700 Zimbra, CVE-2025-2749 Kentico, CVE-2025-32975 Quest KACE) must be remediated by May 11. (CISA Alert, GBHackers)
  • SAP's April Patch Day introduced CVE-2026-27681, a 9.9-severity SQL injection in Business Planning and Consolidation and Business Warehouse that permits arbitrary code execution at low privilege. CVE-2026-34256 in ABAP allows attackers to rewrite eight-character executable programs, enabling stealthy backdoor planting in S/4HANA, ERP, and NetWeaver stacks. (ZeroBot Security, Cybersecurity News)
  • Atlassian's April 21 Security Bulletin resolves 31 high-severity and 7 critical-severity third-party vulnerabilities across Jira, Confluence, Bitbucket, and Bamboo product lines. Patch on the next maintenance window; critical third-party component counts in Atlassian bulletins historically correlate with direct remote code execution primitives. (Atlassian Security Bulletin)
  • The Iranian IRGC-CEC cluster tracked variously as CyberAv3ngers, Shahid Kaveh Group, Storm-0784, Bauxite, and UNC5691 continues its CISA-reported PLC campaign against US critical infrastructure. Censys now counts 5,219 Rockwell/Allen-Bradley PLCs exposed directly to the public internet. Multiple water, wastewater, energy, and government-services operators have reported PLC function disruption since March. (CISA AA26-097A, Censys, Cybersecurity News)
  • Rockstar Games confirmed this month that ShinyHunters accessed "non-material company information" through a third-party breach at Anodot, the cloud-cost analytics platform. The actor claimed 78.6 million records exfiltrated from Rockstar's Snowflake warehouse via stolen Anodot service tokens and listed the dataset at $200,000 after the April 14 ransom deadline expired. (Tom's Hardware, Engadget, The Register)
  • CVE-2026-32211, the missing-authentication information-disclosure flaw in Azure MCP Server (CVSS 9.1), remains without a patch 19 days after disclosure. Any reachable network path to a vulnerable MCP instance leaks configuration data, API keys, auth tokens, and Azure DevOps project data. Microsoft has only issued mitigation guidance. (Windows Forum, TheHackerWire)
  • Trend Micro's Sockpuppeting single-line jailbreak and the Nature Communications large-reasoning-model autonomous-adversary paper both remain unmitigated at the model layer. Anthropic, OpenAI, and AWS Bedrock API gateways that reject non-user terminal messages continue to neutralize Sockpuppeting at the transport layer; Gemini 2.5 Flash exposure remains the highest-risk target. (Trend Micro, Nature Communications)
  • Microsoft's April Patch Tuesday residual exposure still dominates endpoint risk. CVE-2026-32201 (SharePoint spoofing, active exploitation) requires federal remediation by April 28. CVE-2026-33824 (Windows IKE RCE, CVSS 9.8) and CVE-2026-33827 (TCP/IP wormable RCE) remain priority for internet-facing hosts. CVE-2026-33825 (Defender BlueHammer) is still unpatched. (BleepingComputer, CrowdStrike)

Critical Vulnerabilities

Oracle April 2026 Critical Patch Update: 241 CVEs, 481 Patches

Oracle published its April 2026 CPU on April 21, addressing 241 unique CVE records across 481 patches in 28 product families. Roughly 7.1% of the batch is rated critical. The release is the largest 2026 Oracle CPU so far and lands on top of a SAP, Atlassian, Microsoft, and Cisco patch cluster that has pushed defender capacity to its limit in the last 10 days. Prioritize E-Business Suite, Fusion Middleware, WebLogic, GoldenGate, MySQL, and Database Server instances that are either internet-facing or host critical business logic. Regression-validate in staging first; Oracle patch regressions have historically been responsible for production outages during rushed deploys. (Oracle Security Alerts, Tenable)

CVE-2026-20133 (KEV, Accelerated Deadline April 23): Cisco Catalyst SD-WAN Manager

CVE-2026-20133 is the most dangerous of the three Cisco Catalyst SD-WAN Manager KEV entries because it requires no authentication. An attacker with HTTP GET access to a vulnerable instance can pull sensitive network topology and configuration data directly from the management plane. Federal agencies have until tomorrow, April 23, to remediate. Private-sector defenders should treat the accelerated deadline as evidence of ongoing active exploitation and patch to the vendor-published fixed releases before end of day. (Cisco Advisory, GBHackers)

CVE-2026-20122 and CVE-2026-20128 (KEV, Deadline May 11): Cisco Catalyst SD-WAN Manager

CVE-2026-20122 is an arbitrary file overwrite exploitable by any authenticated read-only API account, and CVE-2026-20128 is an information-disclosure flaw that elevates a local account to Data Collection Agent privileges. Cisco PSIRT confirmed active exploitation on both in March before CISA's April 20 KEV addition. Federal deadline is May 11, but the combination of a read-only-account pivot into file overwrite plus an adjacent information disclosure is a textbook chain for privileged persistence on Catalyst fabric. (Cisco Advisory, The Cyber Express)

CVE-2026-27681: SAP Business Planning and Consolidation SQL Injection (CVSS 9.9)

Disclosed in SAP's April Patch Day, CVE-2026-27681 is a SQL injection in BPC and Business Warehouse with low-privilege access requirements that enables arbitrary code execution with near-maximum impact. SAP reports no confirmed in-the-wild exploitation at this time, but the near-10.0 rating and low barrier to entry make rapid patching essential. Organizations running BW, BPC, ERP, S/4HANA, or NetWeaver stacks should apply the April security notes this week. (ZeroBot Security)

CVE-2026-34256: SAP ABAP Program Tampering

CVE-2026-34256 permits an attacker to execute an ABAP program that rewrites existing eight-character executable programs. The primitive supports stealthy tampering with core enterprise business logic and is a credible backdoor implantation vector. Patch alongside CVE-2026-27681 and audit ABAP transport change logs for unexpected changes to eight-character executable names. (Cybersecurity News)

Atlassian April 21 Security Bulletin: 7 Critical Plus 31 High

Yesterday's bulletin covers 31 high-severity and 7 critical-severity third-party vulnerabilities fixed across Jira, Confluence, Bitbucket, and Bamboo. Third-party component risk has produced direct remote-code-execution primitives in Atlassian products in prior quarters. Patch in the next maintenance window and audit for unauthorized API calls to /rest/api/ endpoints since April 1. (Atlassian Security Bulletin)

CVE-2026-32211: Azure MCP Server Missing Authentication (CVSS 9.1, Still Unpatched)

Disclosed April 3, CVE-2026-32211 is a CWE-306 missing-authentication-for-critical-function flaw in Microsoft's @azure-devops/mcp package. Any network-reachable vulnerable instance leaks configuration details, API keys, auth tokens, and Azure DevOps project data to unauthenticated attackers. No patch is available on day 19. Microsoft's current mitigation guidance is network isolation: do not expose MCP Server to untrusted networks, require inbound allow-lists, and pin MCP-origin requests to a single authenticated egress hop. (Windows Forum, TheHackerWire, CVEFeed)

CVE-2025-59536: Claude Code Configuration Injection (CVSS 8.7)

Check Point Research disclosed this configuration-injection flaw in February. Attackers plant a malicious Hook entry in .claude/settings.json inside a project directory. When a developer opens the project in Claude Code, the hook executes with full local user privileges. Organizations with shared engineering monorepos or contractor-facing repos should enforce read-only permissions on .claude/ and audit hook configurations on every pull. (TechRepublic)

CVE-2026-32201: Microsoft SharePoint Spoofing (KEV, Active Exploitation)

April Patch Tuesday zero-day. CISA KEV deadline is April 28. Input-validation weakness enables unauthenticated spoofing over network paths. Patch now, then hunt for spoofed authentication events in SharePoint logs back to April 1. (BleepingComputer, Security Affairs)

CVE-2026-33824: Windows IKE RCE (CVSS 9.8)

Unauthenticated SYSTEM-level RCE over UDP 500 on hosts with IKEv2 enabled. Patch, then block inbound IKE at the perimeter unless the service is load-bearing. VPN concentrators and branch routers are primary targets. (CrowdStrike)

CVE-2026-33827: Windows TCP/IP RCE (CVSS 8.1, Wormable Class)

Race-condition RCE in the TCP/IP stack, exploitable by unauthenticated attackers. Patch, then restrict high-risk inbound protocols including SMB at the edge until coverage is validated. (Tenable)

CVE-2026-33825 "BlueHammer" (Still Unpatched)

Microsoft has not shipped a fix for the Defender race-condition SYSTEM escalation. Apply ASR rules and vendor-published mitigations until a patch lands. Companion exploits "RedSun" (update-pipeline pivot) and "UnDefend" (definition-update DoS) remain in the same unmitigated cluster. (CrowdStrike)

CVE-2026-41058 and CVE-2026-41056: WWBN AVideo (CVSS 8.1 each)

Two high-severity flaws in the open-source AVideo streaming platform were disclosed yesterday. Self-hosted AVideo installations, common in niche video and community streaming environments, should apply the upstream fix immediately and audit admin-console logs for unauthenticated access. (TheHackerWire CVE-2026-41058)

AI Security Threats

Azure MCP Server Exposure and the Broader MCP Disclosure Stack

Anthropic's Model Context Protocol has crossed 150 million downloads, with OX Security's research identifying up to 200,000 potentially vulnerable MCP servers and at least 10 high- and critical-severity CVEs across tools including Cursor, VS Code, Claude Code, and Gemini-CLI. OX Security researchers compromised 9 of 11 MCP marketplaces during testing. Anthropic has declined to change the architecture, classifying the behavior as expected and pushing mitigation responsibility to developers. CVE-2026-32211 on Azure MCP Server sits on top of that systemic architectural exposure as a concrete, unpatched, CVSS 9.1 information disclosure. Defenders must treat every STDIO MCP launch as a privileged subprocess and every remote MCP server as a network-exposed API gateway with an opaque auth model. (TechRepublic, Adversa AI)

Resource-Amplification Attacks Against MCP-Enabled Agents

April MCP security research details a class of attacks in which a malicious MCP server steers connected LLM agents into prolonged tool-calling chains. The attacker inflates per-query cost by up to 658x while evading standard defenses with sub-3% detection rates. The primary control surfaces are per-session tool-call budgets, recursion depth caps, and cost alarms on token spend. Organizations running LangChain, LlamaIndex, Claude Code, or Cursor integrations with third-party MCP servers should set hard budget caps and instrument per-server token telemetry this week. (Adversa AI)

Sockpuppeting Jailbreak: Single-Line Bypass Across 11 LLMs

Trend Micro's Sockpuppeting research showed a single-line assistant-prefill attack bypasses safety guardrails in GPT-4o, Claude 4 Sonnet, Gemini 2.5 Flash, and eight additional production models. Gemini 2.5 Flash exhibited the highest attack success rate at 15.7%. Vendors whose API gateways reject non-user terminal messages (OpenAI, Anthropic, and AWS Bedrock) block the vector at the transport layer; self-hosted or direct SDK integrations remain exposed. Defenders running chat interfaces on Gemini 2.5 Flash should enforce server-side message-role validation. (Trend Micro, Cybersecurity News)

Large Reasoning Models as Autonomous Jailbreak Agents

The recent Nature Communications paper shows that large reasoning models, used as adversary agents in closed-loop multi-turn conversations, achieve a 97.14% overall jailbreak success rate against nine widely deployed target LLMs. The finding collapses the economics of human-driven red teaming: instead of one tester per session, a single adversary model can run thousands of parallel attack campaigns at inference cost. Every in-production guardrail should be re-evaluated against automated multi-turn adversarial suites rather than static test sets. (Nature Communications)

Indirect Prompt Injection in Production RAG

Prompt injection continues to sit at the top of the 2025 OWASP LLM risk list and has matured into a continuously exploited attack class in 2026. Indirect prompt injection (malicious instructions planted in documents, URLs, or tool outputs that the model processes automatically) is the dominant stealthy variant. Unit 42's prompt-fuzzing research and OWASP's LLM01:2025 continue to document widespread evasion including roleplay dynamics at 89.6% success rates, long-context many-shot attacks, and character-injection techniques such as emoji smuggling and bidirectional text. Audit RAG pipelines for untrusted-content fan-out and insert content-origin tagging into every retrieval chain. (OWASP Gen AI, Unit 42, Getastra)

State of AI and API Security 1H 2026

The 1H 2026 State of AI and API Security Report documents agentic security workloads moving into production at enterprise scale. Third-party-mediated API breach rates in the last twelve months materially track the Verizon 2025 DBIR finding that third-party involvement now factors into 30% of all breaches, up from roughly 15% in the prior reporting year. (Security Boulevard, Verizon 2025 DBIR)

Shadow GenAI Use on Corporate Endpoints

Verizon's 2025 DBIR reports that 14% of employees use GenAI tools on corporate devices, and 72% of those users access GenAI services with personal email or no authenticated system at all. Infostealer malware compromised 30% of corporate devices and 46% of unmanaged devices holding corporate credentials in the DBIR dataset. The combination creates a high-volume, low-friction pathway for corporate secrets, source code, and customer data to exit the enterprise boundary through LLM chat interfaces, with no enterprise logging. (Keepnet Labs, SpyCloud)

Threat Actor Activity

Iranian IRGC-CEC (CyberAv3ngers, Shahid Kaveh, Storm-0784, Bauxite, UNC5691)

CISA joint advisory AA26-097A (April 7) attributes ongoing disruption of Rockwell Automation/Allen-Bradley PLCs across US water, wastewater, energy, government services, defense industrial base, and federal contractor environments to the IRGC-CEC cluster. Censys telemetry shows 5,219 Rockwell/Allen-Bradley PLCs exposed directly to the public internet. Observed TTPs include malicious project-file modification and manipulation of data on HMI and supervisory displays. Disconnect PLCs from the internet; where offline operation is infeasible, enforce segment-level VPN with deny-by-default access control lists and Rockwell's hardening guidance. (CISA AA26-097A, Censys, Security Affairs)

Russian APT28 (Forest Blizzard, Pawn Storm)

APT28 continues its two-track campaign. The FrostArmada router DNS-hijack operation, publicly disrupted by NCSC, Microsoft Threat Intelligence, and Lumen Black Lotus Labs this month, used compromised SOHO routers in 120 countries to redirect Microsoft 365 authentication traffic through AitM proxies. Separately, a spear-phishing campaign targeting Ukraine and NATO allies deploys PRISMEX, a previously undocumented malware suite. Hunt for SOHO-router DNS tampering in telemetry and elevate phishing sensitivity for Ukraine-adjacent recipients. (The Hacker News APT28)

North Korean APT37 (ScarCruft)

APT37 has moved to a Facebook-based initial access pattern, adding targets as friends, establishing rapport, then delivering a payload that installs the RokRAT remote access trojan. Security-awareness programs should include Facebook-delivered lures alongside LinkedIn and email in Q2 phishing training. (The Hacker News APT28)

China-Nexus Storm-1175

Storm-1175 continues to chain PaperCut, Ivanti Connect Secure, ConnectWise ScreenConnect, Microsoft Exchange, and VMware ESXi vulnerabilities to deploy Medusa ransomware in under 24 hours from initial access. The PaperCut and JetBrains CISA KEV additions on April 20 directly pattern-match Storm-1175's known playbook. Audit any environment running those products for lateral movement indicators from March forward. (BleepingComputer Medusa)

China-Nexus APT41 (Double Dragon)

Despite prior DOJ indictments, APT41 operations have continued unabated through 2026, with joint CISA-and-allies advisories documenting sustained long-term access campaigns against global critical infrastructure networks. (SOCRadar Top APTs)

ShinyHunters

ShinyHunters has now claimed credit for the Rockstar Games breach, exfiltrating a reported 78.6 million records from Rockstar's Snowflake data warehouse through stolen Anodot authentication tokens. The actor listed the dataset at $200,000 after Rockstar declined to pay by the April 14 ransom deadline. Historical ShinyHunters targets include Microsoft, Ticketmaster, Cisco, AT&T, and Wattpad. The Anodot-Snowflake pivot pattern (third-party analytics tool token abuse into linked data warehouses) is the most urgent generalized lesson: audit every non-production service principal with read access to production data warehouses. (Tom's Hardware, The Register)

Ransomware and Data Breaches

Organization Actor / Family Date Impact
Rockstar Games ShinyHunters 2026-04-13 78.6M records exfiltrated via Anodot-Snowflake token abuse
Signature Healthcare Anubis ransomware 2026-04-14 ER on diversion, ambulances rerouted, IT systems impacted
Booking.com Third-party breach 2026-04-12 Reservation PII exposed across global customer base
Basic-Fit Unknown 2026-04-10 200K NL member PII, 1M member bank details exposed
ChipSoft (NL Healthcare) Unknown ransomware 2026-04-07 Hospital EHR vendor offline, patient-record systems impacted
Spring Lake Park Schools Unknown ransomware 2026-04-13 District IT systems shut down, remote learning disrupted

Source links: SharkStriker April 2026 Data Breaches, Bitdefender Threat Debrief, PKWARE 2026 Data Breaches.

Storm-1175 Medusa Ransomware Velocity

Microsoft's Storm-1175 attribution for Medusa affiliate activity documents full-environment encryption within 24 hours of initial access using chained PaperCut, Ivanti Connect Secure, ConnectWise ScreenConnect, Microsoft Exchange, and VMware ESXi exploits. Detection windows shorter than 24 hours require real-time EDR on all three layers (edge appliance, identity plane, hypervisor) plus high-confidence behavioral alerts on ScreenConnect remote-session creation. (BleepingComputer Medusa)

2025 DBIR Context

Ransomware was present in 44% of breaches in the 2025 DBIR dataset (the largest ever, at 22,000 incidents and 12,000 confirmed breaches). Median ransom payout fell to $115K and 64% of victims refused to pay, a meaningful improvement in enterprise posture. Stolen credentials (22%) and exploited vulnerabilities (20%) remain the dominant initial access vectors. Third-party breach involvement doubled to 30%. Espionage-related breaches rose 163% year over year to 17% of incidents. (Keepnet Labs)

Recommended Actions

Immediate (Next 24 to 48 Hours)

Priority Action Owner
P0 Patch Cisco Catalyst SD-WAN Manager (CVE-2026-20133) before April 23 federal deadline Network Operations
P0 Apply April Oracle CPU to any internet-facing E-Business Suite, WebLogic, Fusion Middleware instance Database / App Ops
P0 Apply SAP CVE-2026-27681 and CVE-2026-34256 fixes in BW, BPC, ERP, S/4HANA, NetWeaver SAP Basis
P0 Apply Microsoft CVE-2026-32201 SharePoint fix before April 28 KEV deadline Collaboration Ops
P0 Network-isolate Azure MCP Server pending CVE-2026-32211 vendor patch AI Platform / IAM
P1 Apply Atlassian April 21 bulletin (7 critical third-party, 31 high) DevOps
P1 Disconnect Rockwell/Allen-Bradley PLCs from the public internet OT / ICS Operations
P1 Audit service principals with read access to Snowflake, Databricks, BigQuery warehouses Data Security

Short-Term (Next 1 to 2 Weeks)

  1. Complete CISA April 20 KEV remediation for all eight entries by May 11 federal deadline. CVEs: 2026-20122, 2026-20128, 2026-20133, 2023-27351, 2024-27199, 2025-48700, 2025-2749, 2025-32975. (CISA Alert)
  2. Apply Windows April Patch Tuesday cumulative update across all managed Windows hosts. Prioritize CVE-2026-33824 (IKE) and CVE-2026-33827 (TCP/IP) on internet-facing systems; deploy ASR rules for unpatched CVE-2026-33825 Defender BlueHammer.
  3. Establish per-session tool-call budgets, recursion depth caps, and token-spend alarms on every production MCP-connected agent.
  4. Instrument server-side message-role validation on Gemini 2.5 Flash chat deployments to neutralize Sockpuppeting.
  5. Inventory every third-party analytics, cost-monitoring, and observability tool with service-principal access to production data warehouses. Rotate tokens on a 30-day schedule minimum.
  6. Rebuild LLM guardrail regression suites to include automated multi-turn adversarial agents rather than static prompt lists.

Strategic (Next Quarter)

  • Treat every MCP STDIO launch as a privileged subprocess and every remote MCP server as an opaque network-exposed API gateway. Enforce mandatory auth, per-server rate limits, tool-call budgets, and per-session token ceilings in the agent runtime.
  • Align third-party risk programs with the 2025 DBIR finding that third-party involvement factors into 30% of breaches. Contractually require analytics, observability, and support-desk vendors to rotate authentication tokens on a defined cadence and expose rotation telemetry.
  • Establish GenAI acceptable-use policy, enterprise-managed LLM access, and DLP telemetry on all corporate endpoints. 72% of shadow GenAI usage currently authenticates with personal email or no identity control at all.
  • Plan OT security modernization against the CISA AA26-097A threat model. The IRGC-CEC PLC campaign, 5,219 exposed Rockwell/Allen-Bradley devices, and the observed willingness to cause operational disruption shift PLC exposure from posture risk to imminent material risk.

Sources