Krypteia Sec
Back to Threat Intel
TLP:CLEARCTI-2026-0424

Daily Threat Intelligence Brief - April 24, 2026

April 24, 202613 min read
ctivulnerabilitiesransomwareai-securityagentic-aithreat-actors

Executive Summary

  • Microsoft April 2026 Patch Tuesday addressed 163 CVEs including actively exploited SharePoint spoofing flaw CVE-2026-32201, with over 1,300 internet-facing SharePoint servers still unpatched as of this week.
  • Three Microsoft Defender zero-days, publicly dubbed BlueHammer, RedSun, and UnDefend, are being actively exploited in the wild. RedSun and UnDefend remain unpatched, leaving even fully updated systems exposed.
  • CISA added CVE-2026-33825 (Microsoft Defender elevation of privilege) to the Known Exploited Vulnerabilities catalog on April 22, with a federal remediation deadline of May 6.
  • Fortinet confirmed in-the-wild exploitation of FortiClient EMS flaws CVE-2026-35616 and CVE-2026-21643 (both CVSS 9.8), alongside two newly disclosed FortiSandbox RCEs CVE-2026-39808 and CVE-2026-39813.
  • Iranian-affiliated APT actors have disrupted internet-facing PLCs across US water, energy, and government sectors since March 2026, per a joint CISA, FBI, NSA advisory issued April 7.
  • France's national identity document agency ANTS confirmed a breach on April 22 exposing approximately 19 million citizen records including names, dates of birth, and contact details.
  • The Everest extortion group claims 3.4 million Citizens Bank records, while ShinyHunters continues its Salesforce-centric extortion campaign targeting Marcus and Millichap (30M+ records) and Rockstar Games.
  • AI agentic attack surface continues to expand: researchers disclosed new prompt injection and sandbox-escape paths in Google Antigravity and OpenClaw this month, and a Chrome Gemini Live flaw (CVE-2026-0628) permits malicious extensions to hijack the AI assistant.
  • EchoLeak-style zero-click prompt injection against Microsoft 365 Copilot and CVE-2025-53773 (GitHub Copilot, CVSS 9.6) remain the highest impact agentic AI exposures enterprises need to model in threat assessments.

Critical Vulnerabilities

CVE-2026-32201: Microsoft SharePoint Server Spoofing (Actively Exploited)

A spoofing flaw in Microsoft SharePoint Server with a CVSS 3.1 score of 6.5. Microsoft confirmed in-the-wild exploitation at patch release. The vulnerability allows unauthenticated remote attackers to perform spoofing through improper input validation in SharePoint Office integrations, enabling credential theft and session abuse against internal collaboration workflows. BleepingComputer reported on April 22 that over 1,300 internet-exposed SharePoint servers remain unpatched and continue to be targeted.

  • Affected: On-premises SharePoint Server Subscription Edition, 2019, 2016
  • Action: Apply the April 2026 cumulative security update immediately. Validate authentication logs for anomalous spoofed session claims.
  • Source: Tenable analysis, BleepingComputer exposure report

CVE-2026-33825: Microsoft Defender Elevation of Privilege (KEV as of April 22)

An insufficient granularity of access control vulnerability in the Microsoft Defender anti-malware platform with a CVSS score of 7.8. A local authenticated attacker can escalate to SYSTEM by abusing Defender's internal remediation and update mechanisms. CISA added the flaw to the Known Exploited Vulnerabilities catalog on April 22, 2026 with a federal remediation deadline of May 6, 2026.

  • Affected: Windows 10, Windows 11, Windows Server 2019, 2022, 2025, Microsoft Defender for Endpoint
  • Action: Ensure the April 2026 platform update (1.425.x or later) is distributed. Verify Defender telemetry for unexpected service restarts.
  • Source: CISA KEV update April 22

CVE-2026-33824: Windows IKE Extensions RCE (CVSS 9.8)

Critical remote code execution in the Windows Internet Key Exchange (IKE) Service Extensions. An unauthenticated attacker on the network path can trigger code execution by sending crafted IKEv2 packets. Any Windows host exposing IKE on port 500 or 4500 is a direct target, including VPN concentrators and RRAS endpoints.

  • Affected: Windows Server 2019 through 2025, Windows 10, Windows 11 with IKEv2 enabled
  • Action: Patch immediately. Until patched, restrict UDP 500 and 4500 to known VPN peers and rotate pre-shared keys.
  • Source: CrowdStrike April Patch Tuesday analysis

CVE-2026-33827: Windows TCP/IP Race Condition RCE (CVSS 8.1)

Unauthenticated remote code execution in the Windows TCP/IP stack resulting from a race condition. Exploitation requires winning a network-level race but targets a core OS component with the broadest possible exposure, making any internet-facing Windows host a potential victim.

  • Affected: Windows 10, Windows 11, Windows Server 2016 through 2025
  • Action: Deploy the April cumulative update. Reduce exposure of non-essential services on public interfaces.
  • Source: CrowdStrike April Patch Tuesday analysis

CVE-2026-35616 and CVE-2026-21643: Fortinet FortiClient EMS (CVSS 9.8, Actively Exploited)

Two critical flaws in Fortinet FortiClient Enterprise Management Server versions 7.4.5 through 7.4.6. CVE-2026-35616 is an improper access control defect permitting unauthenticated RCE through crafted HTTP requests. CVE-2026-21643 is a second active-exploitation flaw in the same product family. Both have been observed in opportunistic attacks against exposed management consoles.

  • Affected: FortiClient EMS 7.4.5 and 7.4.6
  • Action: Upgrade to the fixed FortiClient EMS build. Remove EMS admin consoles from internet exposure.
  • Source: Greenbone advisory

CVE-2026-39808 and CVE-2026-39813: Fortinet FortiSandbox (CVSS 9.8)

Newly disclosed critical vulnerabilities in FortiSandbox. CVE-2026-39813 is a path traversal allowing privilege escalation through crafted HTTP requests, affecting FortiSandbox 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8. CVE-2026-39808 is an improper neutralization flaw enabling unauthenticated RCE against FortiSandbox 4.4.x.

  • Affected: FortiSandbox 4.4.0 through 4.4.8, 5.0.0 through 5.0.5
  • Action: Apply the April 15 Fortinet PSIRT updates. Restrict management access and review sandbox submission queues.
  • Source: Fortinet RCE analysis

Cisco Catalyst SD-WAN Manager: CVE-2026-20122, CVE-2026-20128, CVE-2026-20133

Three vulnerabilities in Cisco Catalyst SD-WAN Manager added to the CISA KEV catalog on April 20, 2026. Federal agencies were directed to remediate by April 23. Details indicate attacker-controlled SD-WAN configuration changes are feasible under specific exploitation chains. Given the control-plane position of the fabric controller, exploitation can cascade across the WAN.

Historical KEV Additions: PaperCut, JetBrains TeamCity, Kentico, Quest KACE, Zimbra

CISA's April 20 update also folded older flaws newly observed in campaigns: CVE-2023-27351 (PaperCut NG/MF), CVE-2024-27199 (JetBrains TeamCity path traversal), CVE-2025-2749 (Kentico Xperience), CVE-2025-32975 (Quest KACE), and CVE-2025-48700 (Zimbra XSS). UAC-0233, a Ukraine-focused threat cluster, is actively pairing CVE-2025-48700 with CVE-2025-66376 against Zimbra Collaboration Suite. Lace Tempest has been observed reusing CVE-2023-27351 in intrusions that deliver Cl0p and LockBit ransomware.

AI Security Threats

Agentic AI is dominating April's offensive security narrative. Researchers are moving from theoretical prompt injection proofs of concept to working exploits that touch identity, code execution, and data egress simultaneously.

Microsoft Defender BlueHammer, RedSun, UnDefend Family

Three zero-days affecting Microsoft Defender were publicly disclosed and exploited in April 2026. All three abuse Defender's internal remediation and update mechanisms to escalate privilege and weaken endpoint protections. CVE-2026-33825 (BlueHammer) was patched on Patch Tuesday and added to CISA KEV on April 22. RedSun and UnDefend remain unpatched. Attackers are using the trio to blind EDR before pivoting, a pattern that inverts the defender advantage on fully managed fleets.

Google Antigravity: Prompt Injection and Forced Descent

Pillar Security disclosed a prompt injection vulnerability inside Google's Antigravity agentic development platform. Separately, Mindgard published a distinct vulnerability class called Forced Descent that abuses Antigravity's global configuration architecture: an attacker-authored repository containing malicious configuration rules can achieve code execution against any developer who opens it. This is a practical supply-chain vector against AI-assisted IDE users.

OpenClaw and ClawJacked

Barracuda reported tens of thousands of internet-facing OpenClaw agent instances exposed through default bindings and misconfiguration. The most severe bug, ClawJacked, lets a malicious website silently hijack a locally running OpenClaw agent, then brute-force gateway credentials from the victim's browser context. Because OpenClaw agents are trusted by local tooling, compromise produces broad lateral reach into developer and operator environments.

CVE-2026-0628: Chrome Gemini Live Hijack

Palo Alto Unit 42 disclosed a high-severity flaw in Chrome's Gemini Live panel permitting malicious extensions to hijack the privileged AI assistant and reach the host camera and microphone. The exposure is particularly acute in BYOD fleets where extension controls are soft.

CVE-2025-53773 and EchoLeak (Carry-over High Risk)

CVE-2025-53773 remains the benchmark for agentic IDE risk: hidden prompt injection inside a pull request description enables remote code execution through GitHub Copilot at CVSS 9.6. EchoLeak, discovered in Microsoft 365 Copilot, demonstrated a zero-click prompt injection chain that silently exfiltrates enterprise data without user interaction. Both remain the most cited enterprise scenarios for AI-native red teams.

Detection Gap

Independent research continues to estimate that commercial prompt injection detection catches only about 23 percent of sophisticated attempts. Defenders should not treat detection alone as a control. Enforce least privilege on agent identities, constrain tool invocation, and separate instruction channels from untrusted data channels wherever feasible.

Threat Actor Activity

Iranian APT Targeting US Critical Infrastructure PLCs

Since at least March 2026, Iranian-affiliated actors have disrupted programmable logic controllers across US water and wastewater systems, energy sector operators, and government services. CISA, FBI, and NSA published joint advisory AA26-097A on April 7 confirming ongoing exploitation of internet-facing Rockwell Automation and Allen-Bradley PLCs. Operators have observed manipulation of project files on engineering workstations and HMI and SCADA data tampering, causing operational and financial impact. Attribution context points to CyberAv3ngers (also tracked as Shahid Kaveh Group), an IRGC Cyber Electronic Command subordinate unit.

UAC-0233 Zimbra Campaigns Against Ukrainian Entities

UAC-0233 continues exploiting CVE-2025-48700 and CVE-2025-66376 against Zimbra Collaboration Suite instances serving Ukrainian government and critical sector targets, an operation running since September 2025.

Lace Tempest Reuse of Older Managed Services Flaws

Lace Tempest remains operational and is reusing CVE-2023-27351 in intrusions that terminate in Cl0p and LockBit ransomware deployment, a reminder that KEV age does not reduce defender urgency.

ShinyHunters Salesforce Extortion

ShinyHunters continues a multi-victim Salesforce-centric data theft campaign that now includes Marcus and Millichap (30M+ records claimed), Rockstar Games, and adjacent firms. Initial access is consistent with OAuth or delegated-integration abuse rather than core Salesforce product vulnerabilities.

Ransomware and Data Breaches

April 2026 Major Incidents

Date Victim Actor Records or Impact Sector
2026-04-22 France Titres (ANTS) Unattributed 19,000,000 citizen ID records Government
2026-04-22 Citizens Bank Everest 3,400,000 records claimed Financial
2026-04-13 Spring Lake Park School (MN) Unattributed Systems offline, classes cut Education
2026-04-12 Marcus and Millichap ShinyHunters 30,000,000+ Salesforce recs Real Estate
2026-04-12 Booking.com Unattributed Reservation PII exposed Travel
2026-04-07 ChipSoft Unattributed Public services disrupted Healthcare IT
2026-04-05 Signature Healthcare Brockton Anubis ER diverted, care delayed Healthcare
2026-04-04 Rockstar Games ShinyHunters Scope under investigation Gaming
2026-04-02 SongTrivia Inc. Unattributed 2,900,000 user accounts Entertainment

Notable Context

Incident Significance
France ANTS breach National identity data at a G7 government, forum-advertised sample lines up with 19M-record claim
Citizens Bank extortion Everest joins tier-one US financial extortion targeting, echoing the 2025 regional bank playbook
Signature Healthcare (MA) Second US hospital ambulance divert of the quarter traceable to ransomware
ShinyHunters Salesforce arc Extortion campaign now crosses real estate, gaming, travel, indicating broad integration-token abuse

Recommended Actions

Immediate (Within 24 to 72 Hours)

  1. Patch Microsoft April 2026 cumulative updates across Windows and SharePoint estates. Prioritize CVE-2026-32201, CVE-2026-33824, CVE-2026-33827, and CVE-2026-33825.
  2. Identify every internet-exposed SharePoint Server and validate the April patch is applied. If patching is not possible today, place the server behind authenticated reverse-proxy controls.
  3. Apply Fortinet PSIRT updates for FortiClient EMS (CVE-2026-35616, CVE-2026-21643) and FortiSandbox (CVE-2026-39808, CVE-2026-39813). Remove management interfaces from public exposure.
  4. Remediate Cisco Catalyst SD-WAN Manager CVEs (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) and audit recent configuration changes for signs of tampering.
  5. Disable or tightly scope unused Microsoft Defender tenant APIs until RedSun and UnDefend receive fixes. Monitor for Defender service restarts and policy changes.

Short-Term (Within Two Weeks)

  1. Review all CISA KEV additions from April 13, 20, and 22, and reconcile against internal asset inventory. Set remediation tickets tracking to the federal BOD 22-01 deadlines.
  2. For OT-heavy environments, implement the CISA PLC hardening measures from AA26-097A: change default credentials, segment OT from IT, remove PLCs from the internet, enable multi-factor authentication on engineering workstations.
  3. Threat-hunt for ShinyHunters tradecraft across Salesforce and associated OAuth integrations. Audit connected apps, token scopes, and recent export activity.
  4. Baseline Copilot and agentic tooling exposure. Identify which internal chatbots, code assistants, and SaaS copilots can reach sensitive data or invoke privileged tools. Apply output filtering and allowlist-constrained tool invocation.

Strategic (Quarter Horizon)

  1. Build a prompt injection and agent abuse testing regime. Treat AI agents as identity-holding services and subject them to the same red team cadence as privileged workloads.
  2. Separate instruction channels from untrusted data. Architect retrieval augmented systems so that tool-calling privileges are not reachable through document content.
  3. Invest in EDR resilience. Assume the Microsoft Defender zero-day class is reproducible against any single-vendor endpoint strategy and plan for secondary telemetry sources.
  4. Expand ransomware preparedness drills to include healthcare-style ambulance divert scenarios and government ID data exposure scenarios. Both materialized this month.

Sources