Krypteia Sec
Back to Threat Intel
TLP:CLEARCTI-2026-0423

Daily Threat Intelligence Brief - April 23, 2026

April 23, 202617 min read
ctivulnerabilitiesransomwareai-securityagentic-aithreat-actors

Executive Summary

  • CISA's April 22 KEV addition elevates CVE-2026-33825 (Microsoft Defender "BlueHammer") from publicly disclosed to actively exploited. The local privilege-escalation flaw, leaked on GitHub on April 3 by a disgruntled researcher, now carries a Federal Civilian Executive Branch remediation deadline. Local administrators on Defender-managed endpoints can elevate to SYSTEM via insufficient granularity of access control. The GitHub proof-of-concept is weaponized and circulating. (CISA Alert, The Hacker News)
  • Microsoft released an out-of-band security update on April 22 addressing CVE-2026-40372, a CVSS 9.1 privilege-escalation flaw in ASP.NET Core. An attacker who compromises a low-privilege service account on an ASP.NET Core host can escalate to the process-owner identity, which frequently runs as IIS AppPool or a managed service account with broad domain access. Patch every ASP.NET Core 6, 8, and 9 deployment this week. (The Hacker News)
  • Forescout Research Vedere Labs disclosed BRIDGE:BREAK, a cluster of 22 vulnerabilities in Lantronix EDS and Silex SX-500/SX-600 series serial-to-IP converters. The flaws allow attackers to hijack the devices, tamper with serialized control-plane data, and pivot from IT into OT environments. Devices are widely deployed in energy, utilities, manufacturing, and maritime sectors. Most affected units are not field-upgradable without physical access. (Forescout Research, The Hacker News)
  • Today, April 23, is the CISA accelerated federal deadline for CVE-2026-20133, the unauthenticated sensitive-information disclosure in Cisco Catalyst SD-WAN Manager. Private-sector defenders who have not yet patched are outside the federal window and are assumed by the vendor to be under opportunistic scan pressure. Pair the patch with a post-patch hunt for anomalous GET access to the vManage management plane back to April 1. (CISA Alert, GBHackers)
  • ShinyHunters extended its Salesforce extortion campaign to commercial real estate giant Marcus and Millichap on April 12. The actor claims 30 million Salesforce records containing internal deal pipelines, agent credentials, and client personally identifiable information. The attack chain mirrors the Anodot-Snowflake token abuse pattern used against Rockstar Games earlier this month: third-party SaaS integrators, harvested OAuth tokens, and bulk exfiltration via legitimate API paths. (DeXpose)
  • France Titres, the national French civil identity documents processor, confirmed a breach affecting 19 million citizen records. Exposed data includes identity document numbers, biometric metadata, and supporting-document scans. France CNIL has opened an investigation and CERT-FR is coordinating incident response. This is the largest European public-sector breach of 2026 so far. (SC Media)
  • Azure MCP Server CVE-2026-32211 (missing authentication, CVSS 9.1) reaches day 20 unpatched. Microsoft has still issued only mitigation guidance. Any reachable network path to a vulnerable instance leaks Azure DevOps project data, API keys, and auth tokens to unauthenticated callers. Treat every Azure MCP Server deployment as a zero-trust network-isolation problem until Microsoft ships a fix. (Windows Forum, TheHackerWire)
  • A new Python sandbox escape was disclosed in the Terrarium library. The flaw allows arbitrary code execution from inside what developers believed was an isolated interpreter. Terrarium is embedded in several LLM code-execution tools and agentic frameworks. Audit your agent stack for Terrarium dependency and pin to a non-vulnerable release or remove the dependency entirely. (The Hacker News)
  • Iranian IRGC-CEC actors continue PLC manipulation attacks on US critical infrastructure. CISA's April advisory remains the controlling reference. Censys tracks 5,219 publicly exposed Rockwell/Allen-Bradley PLCs in the US. OT defenders should enforce network segmentation boundaries and verify that PLC programming ports are not reachable from IT subnets. (CISA AA26-097A, Infosecurity Magazine)
  • Week 16 of 2026 closed with 166 ransomware victims across 42 countries claimed by 36 distinct extortion operators. Healthcare continues to account for disproportionate impact: Signature Healthcare Brockton Hospital diverted ambulances after an Anubis ransomware event, and Gritman Medical Center (Idaho) and Moscow clinics suffered clinical-systems outages. (Data Breaches Digest)

Critical Vulnerabilities

CVE-2026-33825 (KEV, April 22): Microsoft Defender BlueHammer

CISA added CVE-2026-33825 to the Known Exploited Vulnerabilities catalog on April 22. The flaw, dubbed BlueHammer after the April 3 GitHub disclosure, is an insufficient-granularity-of-access-control bug in Microsoft Defender that allows a local authorized attacker to elevate privileges to SYSTEM. The researcher who published the proof-of-concept framed the disclosure as retaliation for an unresolved bug bounty dispute. Exploit code has been circulating for nearly three weeks. Patch via April Patch Tuesday cumulative updates, validate Defender platform version is current, and hunt endpoint event logs for unusual Defender service handle manipulations back to April 1. (CISA Alert, The Hacker News)

CVE-2026-40372: ASP.NET Core Privilege Escalation (CVSS 9.1, Out-of-Band)

Microsoft shipped an out-of-band advisory on April 22 for CVE-2026-40372, a privilege-escalation flaw in ASP.NET Core. A low-privilege attacker on an affected host can escalate to the ASP.NET Core worker process identity. On IIS-hosted workloads that identity is typically an IIS AppPool account with access to connection strings, managed certificates, and domain-joined resources. The out-of-band timing and 9.1 CVSS indicate Microsoft expects rapid weaponization. Patch ASP.NET Core runtime on every IIS and Kestrel host immediately. (The Hacker News)

BRIDGE:BREAK: 22 Vulnerabilities in Lantronix and Silex Serial-to-IP Converters

Forescout's Vedere Labs published BRIDGE:BREAK on April 22, disclosing 22 separate vulnerabilities across Lantronix EDS and Silex SX-500/SX-600 device families. The most severe entries permit unauthenticated device hijack, command injection over the serial channel, and tampering with control data in transit. These converters sit at the IT/OT boundary in energy substations, water-treatment plants, manufacturing lines, shipping terminals, and medical-device networks. Most devices are not field-upgradable without physical access. Recommend immediate inventory, network segmentation, and vendor coordination for firmware scheduling. (The Hacker News)

CVE-2026-20133: Cisco Catalyst SD-WAN Manager (KEV, Deadline Today)

Today is the CISA accelerated federal deadline for CVE-2026-20133. The unauthenticated sensitive-information disclosure in Cisco Catalyst SD-WAN Manager (vManage) lets any HTTP GET-capable attacker pull network topology, routing, and configuration data directly from the management plane. The accelerated deadline confirms active exploitation in the wild. Organizations that have not yet patched should apply Cisco's fixed release today and hunt vManage logs for anomalous /dataservice or /template endpoint access. (Cisco Advisory, GBHackers)

Terrarium Python Sandbox: Arbitrary Code Execution

A critical vulnerability was disclosed in Terrarium, a Python-based sandbox library used by several LLM code-execution tools and agentic frameworks. The flaw permits arbitrary code execution from inside what developers expected to be an isolated Python interpreter. Any agent or application using Terrarium to run untrusted model-generated code should be treated as compromised-capable until Terrarium is patched or removed. Audit Python dependency trees for Terrarium and substitute with a hardened sandbox such as gVisor, Firecracker microVMs, or seccomp-confined subprocess execution. (The Hacker News)

CVE-2026-35616: Fortinet FortiClient EMS Access Control (CVSS 9.1)

FortiClient EMS 7.4.5 and 7.4.6 contain an improper access control flaw permitting pre-authentication API access and privilege escalation. Exploitation has been confirmed in the wild since the April 6 KEV addition, which carried an April 9 federal remediation deadline. Any FortiClient EMS instance not yet upgraded to 7.4.7 or the hotfix release should be considered actively targeted. watchTowr Labs has published technical analysis. (The Hacker News, watchTowr, NVD)

CVE-2026-32211: Azure MCP Server Missing Authentication (CVSS 9.1, Day 20 Unpatched)

Disclosed April 3, CVE-2026-32211 is a CWE-306 missing-authentication-for-critical-function flaw in Microsoft's @azure-devops/mcp package. Any network-reachable vulnerable instance leaks configuration details, API keys, auth tokens, and Azure DevOps project data to unauthenticated callers. Day 20 without a patch. Microsoft recommends network isolation: do not expose MCP Server to untrusted networks, require inbound allow-lists, pin MCP-origin requests to a single authenticated egress hop, and rotate any secrets that transited a vulnerable instance in the last 30 days. (Windows Forum, TheHackerWire)

CVE-2026-32201: SharePoint Server Spoofing (KEV, Active Exploitation)

Remediation deadline April 28. Input-validation weakness in Microsoft SharePoint Server permits unauthenticated spoofing over network paths. Patch via April Patch Tuesday, then hunt authentication-event logs for anomalous SharePoint sessions back to April 1. (Security Affairs)

CVE-2026-33824: Windows IKE Service RCE (CVSS 9.8)

Critical remote code execution in the Windows IKE service extensions. Unauthenticated attackers reaching UDP 500 or 4500 can execute code on affected systems. Priority patch for any VPN concentrator or IKE-listening endpoint exposed to the internet. (BleepingComputer)

CVE-2026-33827: Windows TCP/IP Stack Race Condition (CVSS 8.1)

A race condition in the Windows TCP/IP stack that permits unauthenticated remote code execution. Wormable on internet-facing Windows hosts. Patch priority tier above most other April CVEs for exposed endpoints. (BleepingComputer)

AI Security Threats

The agentic-AI attack surface continues to escalate faster than vendor response cycles. Industry research from the first half of 2026 puts agentic AI as the number-one attack vector identified by 48 percent of surveyed security professionals, with a median breach window of 22 seconds once an attacker lands on a vulnerable agent. Three themes dominate the April landscape.

Theme One: Tool Poisoning and MCP Abuse

Model Context Protocol servers have become the highest-leverage agentic pivot point. An attacker who compromises a single MCP server can influence every agent downstream of it. Tool poisoning is the attack of choice: the attacker modifies an MCP tool's description string so the model misinterprets what the tool does. The agent believes it is calling a search function, but the tool is exfiltrating data. Authentication misconfiguration remains the single largest enterprise failure mode. CVE-2026-32211 (Azure MCP Server) is the canonical example: a missing-authentication flaw in a Microsoft-published MCP server that leaks secrets to unauthenticated callers. (Adversa AI, Kiteworks)

Defenders should enforce three controls on every MCP server: strong mutual TLS at the transport layer, schema-pinned tool descriptions that cannot be modified at runtime, and least-privilege tool access (email summarization agents must not have write access, document analysis agents must not have network access).

Theme Two: Zero-Click Prompt Injection in Productivity Suites

EchoLeak, the 2026 zero-click prompt injection vulnerability in Microsoft 365 Copilot, remains the archetype. A malicious document arrives in a user's mailbox or shared drive, the user never opens it, and Copilot ingests it during a routine summarization request. Hidden instructions in the document cause Copilot to silently exfiltrate enterprise data through legitimate Copilot-callable APIs. The OWASP LLM Top 10 ranks prompt injection as the number-one application risk for 2026. (OWASP, Airia)

Mitigations: input validation at ingest, output filtering on agent-callable APIs, dual-control on high-sensitivity data retrieval, and mandatory human-in-the-loop approval for any agent action that crosses a trust boundary.

Theme Three: CI/CD Pipeline Prompt Injection

CVE-2025-53773 (GitHub Copilot remote code execution via pull request description prompt injection, CVSS 9.6) remains the template for CI/CD attacks. Malicious instructions embedded in a pull request description are read by a Copilot-assisted review agent and transformed into tool-call instructions that execute code on the build runner. Related vectors affect Cursor, Claude Code, and any IDE agent with access to repository content and tool-execution primitives. CVE-2025-59536 (Claude Code configuration injection, CVSS 8.7) is the file-system analog: a malicious .claude/settings.json entry executes on project open. (OWASP)

Defenders with shared engineering monorepos or contractor-facing repositories should enforce read-only permissions on agent configuration files (.claude/, .cursor/, .copilot/), sign configuration files as build artifacts, and require pull-request-description linting before any AI-assisted review runs.

Theme Four: Supply Chain and OpenClaw

The OpenClaw supply chain compromise and parallel Copilot-integration incidents continue to drive disclosures through April. Attackers are targeting the model-to-integration seam: published agent libraries, LangChain/LlamaIndex tool adapters, and community MCP servers. At minimum, pin agent-framework dependencies to specific commit hashes, require signed releases for any tool integration deployed to production, and red team every new tool addition before it reaches a production agent. (Cyberdesserts)

Research and Detection Tooling

Aqua Security launched Agentic Response on April 22, converting runtime intelligence into automated containment action when an agent violates policy. Google Cloud previewed its RSAC 2026 agentic AI defense program. Adversa AI's monthly MCP security roundup added 11 new CVEs and four new attack patterns to its April catalog. (Manila Times, Google Cloud, Adversa AI)

Threat Actor Activity

ShinyHunters and the Scattered Lapsus Alliance

ShinyHunters operates through an alliance variously branded as Scattered Lapsus ShinyHunters (SLSH) and Trinity of Chaos. The group's 2026 modus operandi is vishing-driven Salesforce compromise via stolen OAuth tokens from third-party SaaS integrators (Anodot, Gainsight, and others). April target list includes Rockstar Games (78.6 million records confirmed), Marcus and Millichap (30 million Salesforce records claimed April 12), and an unconfirmed list of additional Fortune 500 extortion targets in the SLSH Telegram channel. The group is developing ShinySp1d3r, a ransomware-as-a-service offering positioned as an alternative to LockBit and DragonForce. Executive harassment and family-contact extortion are now standard tactics. (DeXpose, Krebs on Security, Resecurity)

Iran IRGC-CEC: Bauxite, CyberAv3ngers, Storm-0784

The Iranian IRGC-CEC cluster tracked by multiple vendors under different names continues its CISA-reported campaign against US critical infrastructure operational technology. April activity includes direct manipulation of project files on Rockwell/Allen-Bradley PLCs, tampering with HMI and SCADA displays, and disruption of PLC function in multiple water, wastewater, energy, and government-services environments. The April 7 joint advisory from FBI, CISA, NSA, EPA, DOE, and CNMF is the controlling reference. (CISA AA26-097A, Infosecurity Magazine, Trellix)

Anubis Ransomware

Anubis claimed the April healthcare attack on Signature Healthcare Brockton Hospital, which forced ambulance diversion and delayed patient care. The group's 2026 playbook emphasizes mid-market hospital systems, local-government agencies, and industrial manufacturers. Double extortion with clinical-systems disruption is standard. (Data Breaches Digest)

Nation-State AI Malware Assembly Lines

Dark Reading reported a nation-state actor integrating LLMs into a continuous malware variant-generation pipeline. The actor uses model-assisted code transformation to produce functionally equivalent payloads that evade signature-based detection at scale. The report does not name the actor; operational signatures are consistent with Russian or Chinese APT tradecraft. (Dark Reading)

Ransomware and Data Breaches

Week 16 of 2026 (April 6 to 12) closed with 166 ransomware victims claimed across 42 countries by 36 distinct extortion operators. Healthcare, government, and financial services accounted for the highest disruption impact.

Victim Actor Records or Impact Sector
France Titres Unknown 19,000,000 citizen records Government
Marcus and Millichap ShinyHunters 30,000,000 Salesforce records Real Estate
Rockstar Games ShinyHunters 78,600,000 records Entertainment
SongTrivia Inc. Unknown 2,900,000 user records Entertainment
Booking.com Unknown Reservation details exposed Travel
Signature Healthcare Brockton Anubis ER diverted, clinical outage Healthcare
Gritman Medical Center Unknown Clinical systems outage Healthcare
ChipSoft Unknown Public services disrupted Healthcare Tech

Sources: (SC Media, SharkStriker, Data Breaches Digest, DeXpose)

Ransomware Operator Activity (April 2026)

Operator Notable Targets Tactics
ShinyHunters Rockstar, Marcus and Millichap Vishing, SaaS OAuth abuse
Anubis Signature Healthcare Double extortion, clinical disrupt
Scattered Lapsus Undisclosed F500 Vishing, executive harassment
BlackFog-tracked 42 countries, 36 operators Mixed: RaaS, lone-wolf, nation

Sources: (BlackFog, Krebs on Security)

Recommended Actions

Immediate (Today and Tomorrow)

  1. Patch CVE-2026-20133 on all Cisco Catalyst SD-WAN Manager deployments. Federal deadline is today.
  2. Apply Microsoft's out-of-band CVE-2026-40372 ASP.NET Core update to every IIS and Kestrel host.
  3. Confirm April Patch Tuesday coverage for CVE-2026-33825 (Defender BlueHammer) and hunt endpoint logs for anomalous Defender service handle activity back to April 1.
  4. Inventory Lantronix EDS and Silex SX-500/SX-600 serial-to-IP converters. Isolate exposed devices pending BRIDGE:BREAK vendor firmware availability.
  5. Verify FortiClient EMS is on 7.4.7 or hotfixed. Older builds are actively exploited.
  6. Audit Python dependency trees for the Terrarium sandbox. Replace or pin to a non-vulnerable release.
  7. For any agent stack using Azure MCP Server: enforce network isolation, inbound allow-lists, and rotate secrets that transited a vulnerable instance in the last 30 days.

Short-Term (Next 7 to 14 Days)

  1. Apply April Patch Tuesday coverage for CVE-2026-33824 (Windows IKE) and CVE-2026-33827 (TCP/IP) on any internet-facing host.
  2. Remediate CVE-2026-32201 (SharePoint spoofing) before the April 28 federal deadline.
  3. Complete SAP April Patch Day rollout for CVE-2026-27681 (ABAP SQL injection, CVSS 9.9) and CVE-2026-34256 (ABAP program tampering).
  4. Close out the CISA April 20 KEV batch: CVE-2026-20122, CVE-2026-20128, CVE-2023-27351 (PaperCut), CVE-2024-27199 (TeamCity), CVE-2025-48700 (Zimbra), CVE-2025-2749 (Kentico), CVE-2025-32975 (Quest KACE). May 11 deadline.
  5. Apply the Atlassian April 21 security bulletin covering 7 critical plus 31 high-severity third-party vulnerabilities across Jira, Confluence, Bitbucket, and Bamboo.
  6. Complete Oracle April 2026 Critical Patch Update rollout (241 CVEs, 481 patches). Prioritize E-Business Suite, Fusion Middleware, WebLogic, GoldenGate, MySQL, Database Server.
  7. Review third-party SaaS integrator access to Salesforce, Snowflake, and similar data warehouses. Rotate any OAuth tokens issued to Anodot, Gainsight, or any integrator that does not have documented cryptographic key custody. Assume ShinyHunters has token-level persistence in other integrator environments.

Strategic (Next 30 to 90 Days)

  1. Build an MCP server inventory and governance program. Every MCP server in production requires documented authentication, transport encryption, tool-schema pinning, and least-privilege access enforcement.
  2. Stand up an agentic-AI red team capability. Treat tool poisoning, zero-click prompt injection, and agent-tool supply chain compromise as first-class threat vectors.
  3. Implement CI/CD-aware prompt injection controls: sign agent configuration files (.claude/, .cursor/, .copilot/) as build artifacts, lint pull request descriptions before AI review, and gate AI-assisted agent tool execution behind human-in-the-loop approval for cross-trust-boundary actions.
  4. Develop OT/ICS response plans for Iranian IRGC-CEC PLC manipulation scenarios. Assume the adversary is already inside your IT network and can pivot to OT through misconfigured gateways. Enforce segmentation, monitor programming-port traffic, and rehearse PLC integrity verification drills.
  5. Establish a vishing defense program for executive assistants and service-desk personnel. ShinyHunters, Scattered Spider, and the SLSH alliance all rely on phone-based social engineering as the primary initial access vector.
  6. Review SaaS integrator due diligence processes. Third-party OAuth token theft from companies like Anodot is the dominant 2026 data-warehouse breach pattern.

Sources