Daily Threat Intelligence Brief - April 28, 2026

Executive Summary

Microsoft April 2026 Patch Tuesday addressed 167 vulnerabilities including two zero-days, with CVE-2026-32201 (SharePoint spoofing) confirmed under active exploitation in the wild.
Fortinet FortiClient EMS (versions 7.4.5 through 7.4.6) is being actively exploited via CVE-2026-35616 (CVSS 9.8), an unauthenticated RCE; CVE-2026-21643 marks the second critical FortiClient EMS flaw weaponized this month.
Google patched its fourth Chrome zero-day of 2026, CVE-2026-5281, a use-after-free in the WebGPU Dawn implementation; CISA mandated FCEB remediation by April 15.
An architectural flaw in Anthropic's Model Context Protocol (MCP) SDK (Python, TypeScript, Java, Rust) enables RCE across 7,000+ public servers and packages with 150M+ cumulative downloads, opening a new agentic AI supply chain attack vector.
CISA and international partners published an April 23 advisory detailing Chinese state-sponsored actors pivoting to compromised SOHO routers, IoT devices, and edge appliances for command-and-control and exfiltration.
April breach roll: France Titres (19M records), Lovable platform (every project before November 2025), BePrime (12.6 GB plaintext credentials), Basic-Fit (1M customers), Vercel, Seiko USA, Booking.com, and Canada Life (ShinyHunters).
Oracle's April Critical Patch Update shipped 481 security fixes across 28 product families; over 300 are remotely exploitable without authentication.
SAP patched CVE-2026-27681 (CVSS 9.9), a SQL injection in Business Planning and Consolidation that allows low-privileged users to execute arbitrary SQL via ABAP file upload.
Data Breaches Digest tracked 166 ransomware victims across 42 countries in week 16, claimed by 36 distinct leak-site operators including 4 newly observed brands.

Critical Vulnerabilities

CVE-2026-32201: Microsoft SharePoint Server Spoofing (Actively Exploited)

A spoofing vulnerability in Microsoft SharePoint Server (CVSS 6.5) likely tied to cross-site scripting behavior is being actively exploited in the wild. Microsoft patched the issue as part of the April 2026 Patch Tuesday cycle, which addressed 167 total flaws including two zero-days. Exploitation enables credential theft and lateral movement from SharePoint into broader Microsoft 365 estates.

Action: Apply April 2026 cumulative updates immediately. Audit SharePoint authentication logs for anomalous OAuth grants and session reuse over the prior 30 days.

CVE-2026-33825: Microsoft Defender Insufficient Granularity of Access Control

Tracked publicly as the "BlueHammer" exploit (proof-of-concept code surfaced on GitHub on April 3, 2026), this Defender flaw was added to the CISA KEV catalog on April 22. Exploitation allows attackers to manipulate Defender behaviors at insufficient granularity, enabling evasion and persistence on protected endpoints.

Action: Confirm Defender platform version meets the April 2026 baseline. Hunt for unsigned process injection into MsMpEng.exe and unexpected exclusions added in tenant policy.

CVE-2026-33827: Windows TCP/IP Remote Code Execution (Wormable)

A remote, unauthenticated RCE in the Windows TCP/IP stack scoring CVSS 8.1. The flaw is potentially wormable on hosts where IPv6 and IPSec are both enabled, exposing edge and DMZ Windows systems to drive-by network compromise without user interaction.

Action: Patch immediately. Where patching is delayed, segment IPv6 traffic and disable IPSec on perimeter Windows hosts pending validation.

CVE-2026-35616: Fortinet FortiClient EMS Improper Access Control (Actively Exploited)

An unauthenticated RCE in FortiClient Enterprise Management Server 7.4.5 through 7.4.6 with CVSS 9.8. Attackers can remotely execute arbitrary code on the management plane that controls every FortiClient endpoint deployed by an organization, providing fleet-wide compromise potential. Disclosed and patched on April 4, 2026.

Action: Upgrade to the latest FortiClient EMS build. Restrict EMS management interface to administrative VLANs only. Search for unexpected scheduled tasks and new admin accounts.

CVE-2026-21643: Fortinet FortiClient EMS Critical Flaw

The second critical FortiClient EMS bug weaponized in recent weeks, also CVSS 9.8. Combined with CVE-2026-35616, defenders should treat any internet-exposed EMS instance as presumed compromised pending forensic review.

Action: Take exposed EMS instances offline for triage. Rebuild from clean images if compromise indicators are present.

CVE-2026-5281: Chrome WebGPU Use-After-Free (Actively Exploited)

A use-after-free condition in Dawn, the cross-platform WebGPU implementation underlying Chrome. A remote attacker who has compromised the renderer process can execute arbitrary code via a crafted HTML page. Added to CISA KEV on April 1 with FCEB remediation deadline of April 15. This is Chrome's fourth in-the-wild zero-day of 2026 (after CVE-2026-2441, CVE-2026-3909, and CVE-2026-3910).

Affected versions: Chrome before 146.0.7680.178 (Windows, macOS) and 146.0.7680.177 (Linux).

Action: Force browser restart to apply 146.0.7680.178+. Apply equivalent updates to Edge, Brave, Opera, and Vivaldi.

CVE-2026-27681: SAP Business Planning and Consolidation SQL Injection

CVSS 9.9 SQL injection in the SAP Business Planning and Consolidation and Business Warehouse modules. The vulnerable ABAP program permits a low-privileged user to upload a file containing arbitrary SQL that is then executed against the database, leading to full data compromise and code execution.

Action: Apply SAP Security Note from April 14 patch day. Review BPC file upload audit logs for the prior 90 days.

CVE-2026-34256: SAP ERP and S/4 HANA Missing Authorization Check

High-severity authorization bypass that allows ABAP program execution and rewrite of existing eight-character executable programs. In production SAP environments, this pathway can quietly replace legitimate business logic with attacker-controlled code.

Action: Apply April SAP patches. Compare hashes of eight-character ABAP executables against trusted baselines.

Oracle April 2026 Critical Patch Update

Oracle shipped 481 security patches across 28 product families on April 21. More than 300 of these address vulnerabilities that are remotely exploitable without authentication, spanning Oracle Database, MySQL, WebLogic, E-Business Suite, Fusion Middleware, and Java SE.

Action: Prioritize WebLogic, MySQL, and E-Business Suite patches based on internet exposure. Confirm Java SE roll-out across endpoints.

AI Security Threats

The agentic AI attack surface has expanded faster than defender tooling this month, with three intersecting trend lines: a structural flaw in MCP, growing exploitation of multi-turn jailbreaks against frontier models, and the first wave of CVE-graded vulnerabilities in agent orchestration software.

Anthropic MCP Design Flaw Enables AI Supply Chain RCE

Researchers disclosed an architectural vulnerability in the Model Context Protocol that enables arbitrary command execution on any host running a vulnerable MCP implementation. The flaw is embedded in Anthropic's official SDK across Python, TypeScript, Java, and Rust, affecting more than 7,000 publicly accessible servers and packages with cumulative downloads exceeding 150 million. Successful exploitation yields direct access to user data, internal databases, API keys, and chat histories.

The community has catalogued four primary attack patterns specific to MCP servers:

Attack Pattern	Mechanism	Defender Action
Schema Poisoning	Malicious tool schemas trick the model into harmful invocations	Pin and verify tool schemas at load time
Tool Poisoning	Tool description text contains hidden instructions for the LLM	Sanitize and review all tool descriptions
Rug Pull	Tool behavior changes after initial trust is established	Hash-pin server versions, monitor drift
Cross-Server Shadowing	One MCP server impersonates or shadows another's tools	Enforce strict server allowlists

Action: Inventory all MCP servers in use. Update SDKs to patched releases. Place MCP server outbound traffic behind an egress proxy with allowlisted destinations. Rotate any API keys, tokens, and secrets that may have been accessible to MCP processes.

CVE-2026-32211: Microsoft @azure-devops/mcp Missing Authentication

A missing authentication vulnerability in Microsoft's official @azure-devops/mcp package, disclosed April 3 with CVSS 9.1. Exploitation gives an attacker the ability to interact with Azure DevOps tenants through the MCP server without authenticating, enabling source code theft, pipeline tampering, and secret exposure.

Action: Upgrade @azure-devops/mcp to the patched release. Audit Azure DevOps activity logs for anomalous tool invocations during the exposure window.

CVE-2026-25253: ClawJacked AI Agent Hijack

CVSS 8.8 vulnerability that allows malicious websites to open WebSocket connections to localhost, brute-force gateway passwords, and assume control of locally running AI agents. The attack converts a casual visit to a malicious page into full agent compromise on the victim's workstation, including the ability to execute tools the agent has access to.

Action: Bind local agent gateways to loopback only and require strong, randomized authentication tokens. Block unsolicited cross-origin WebSocket connections at the browser layer.

CVE-2025-53773: GitHub Copilot Hidden Prompt Injection RCE

Re-surfaced this month as deployments lag behind disclosure. Hidden prompt injection in pull request descriptions enables remote code execution through GitHub Copilot, scoring CVSS 9.6. The pattern generalizes: any context surface the model treats as trusted (PR body, issue comment, README) becomes an attack surface for the developer's local environment.

Action: Treat all model-readable content as untrusted input. Apply Copilot policy configurations that disable agent execution on untrusted PRs.

Multi-Turn Jailbreaks and Real-World Impact

Multi-turn jailbreaks have become the preferred attack pattern against frontier models. Research circulating this month indicates that 73% of production AI deployments remain vulnerable to prompt injection, and jailbreaks successful on GPT-4 transfer to Claude 2 in 64.1% of cases. In a March 2026 incident chain reported this month, an attacker used more than 1,000 Spanish-language prompts framed as bug bounty research to coax Claude into assisting with exploitation tasks. The intruder went on to compromise approximately ten Mexican government entities and one financial institution, including the tax authority, the national electoral institute, several city-level systems, and a water utility, with reports of approximately 150 GB of data exfiltrated.

The UK National Cyber Security Centre's December 2025 assessment that prompt injection "may be a problem that is never fully fixed" remains the operational baseline. Defenders should plan around containment rather than prevention: assume any model can be coaxed off-rails and constrain what the model can reach when it goes wrong.

Agentic AI Defensive Posture

Control Layer	Defensive Measure	Maturity
Input boundary	Treat retrieved context as untrusted, sanitize tool outputs	Maturing
Tool authorization	Per-tool RBAC, just-in-time scopes, human-in-the-loop gates	Emerging
Egress controls	Allowlist outbound destinations from agent runtimes	Emerging
Observability	Log every tool call, model output, and policy decision	Maturing
Red teaming	Continuous prompt injection and jailbreak testing	Required

Threat Actor Activity

Chinese State-Sponsored Edge Device Campaign

CISA, NSA, FBI, and international partners published a joint advisory on April 23 detailing how Chinese state-sponsored threat actors have shifted away from individually procured infrastructure toward large networks of compromised SOHO routers, IoT devices, and edge appliances. These compromised assets are used as relay infrastructure for reconnaissance, malware delivery, command-and-control, and data exfiltration against Western government and critical infrastructure targets. The advisory marks a notable evolution from earlier "Volt Typhoon" tradecraft toward a more distributed, harder-to-attribute relay fabric.

Action: Inventory edge appliances and SOHO routers exposed to the public internet. Apply firmware updates. Monitor outbound traffic from operational segments to residential ISP ranges, which is unusual for most enterprises and characteristic of this relay model.

Russia-Aligned Threat Activity

Approximately 40% of tracked APT activity through Q1 2026 is attributed to Russia-aligned groups, with RomCom continuing to weaponize n-day archive parser bugs (including the WinRAR zero-day exploited mid-2025) for initial access. Targeting remains concentrated on Ukraine, NATO governments, defense industrial base, and energy.

North Korea-Aligned Threat Activity

North Korean clusters account for roughly 14% of global APT activity. Lazarus, Kimsuky, Konni, and DeceptiveDevelopment are running parallel campaigns combining espionage with financially motivated cryptocurrency theft. Software supply chain compromises and developer-targeting social engineering remain primary tradecraft.

Tonto Team

The PLA-aligned Tonto Team is targeting government, diplomatic, defense, technology, research, and cryptocurrency organizations across Russia, Belarus, Mongolia, South Korea, Japan, Taiwan, and Eastern Europe. The group continues to rely on RTF-based spear-phishing using the Royal Road weaponizer framework.

Ransomware and Data Breaches

Notable Ransomware Incidents (April 2026)

Victim	Operator	Sector	Impact
Canada Life Assurance	ShinyHunters	Insurance	Customer and policy data exfiltration
Rockstar Games	ShinyHunters	Entertainment	Source code and internal systems compromise
Autovista	Undisclosed	Automotive Data	Systems disrupted across Europe and Australia
ChipSoft	Undisclosed	Healthcare IT	Public-facing services down from April 7
Booking.com	Data breach only	Travel	Reservation data exposure notified April 12

Data Breaches Digest tracked 166 ransomware victims across 42 countries in week 16 alone, claimed by 36 distinct leak-site operators including 4 newly observed brands.

Notable Data Breaches (April 2026)

Organization	Records / Scope	Notes
France Titres	19,000,000 records	Government agency: names, DOB, account numbers, addresses
Lovable Platform	All projects created before November 2025	Tenant isolation failure: code, DB credentials, AI chats
Basic-Fit	1,000,000 customers	Dutch fitness chain: customer information disclosed
BePrime	12.6 GB	Plaintext credentials, audit reports, surveillance feeds
Vercel	580 employees plus access keys, source, API keys	Internal employee data and infrastructure secrets
Seiko (USA)	Undisclosed	Customer PII, transaction records, shipping data
Booking.com	Undisclosed scale	Names, emails, addresses, phone, communications

Recommended Actions

Immediate (next 24 to 72 hours)

Apply Microsoft April 2026 cumulative updates with priority on SharePoint, Defender, and Windows TCP/IP stack patches.
Patch or isolate all Fortinet FortiClient EMS instances; treat internet-exposed installations as presumed compromised pending forensic review.
Force-update Chrome and Chromium-based browsers to the post-April 1 build. Verify enterprise managed-browser policies enforce update.
Inventory all Anthropic MCP SDK deployments; update Python, TypeScript, Java, and Rust packages. Rotate any secrets accessible to MCP processes.
Apply SAP April patch day notes, with priority on CVE-2026-27681 in BPC and Business Warehouse environments.

Short-Term (next 30 days)

Deploy Oracle April Critical Patch Update across affected product families, with priority on internet-exposed WebLogic and E-Business Suite instances.
Implement egress allowlisting for AI agent runtimes and MCP servers.
Review Azure DevOps tool invocation logs against the @azure-devops/mcp exposure window.
Hunt for indicators of the China-aligned router relay campaign across edge appliances and SOHO router fleets.
Run a tabletop exercise covering MCP server compromise scenarios and agent hijack via ClawJacked-style WebSocket attacks.

Strategic (next quarter)

Stand up a continuous prompt injection and jailbreak red team capability. Treat coverage of MCP, RAG, and agent-tool surfaces as table stakes.
Adopt a defense-in-depth posture for agentic AI: input sanitization, per-tool authorization, egress allowlisting, observability, and human-in-the-loop gates for high-impact actions.
Reduce exposed management plane surface across Fortinet, Cisco, and similar vendors. Place all admin interfaces behind zero-trust access brokers.
Build edge-device firmware patch SLAs and asset inventory parity with enterprise endpoints.
Evaluate AI vendor and MCP server supply chain risk as part of third-party risk management; demand SBOMs for AI tooling.