Daily Threat Intelligence Brief - April 29, 2026
Executive Summary
- CISA added two actively exploited flaws to the KEV catalog on April 28, 2026: CVE-2026-32202 (Windows Shell spoofing/NTLM coercion via LNK) and CVE-2024-1708 (ConnectWise ScreenConnect path traversal). FCEB agencies must patch both by May 19, 2026.
- Microsoft's CVE-2026-32202 is now confirmed under active exploitation more than two weeks after its silent April 14 patch. The flaw is an incomplete fix for CVE-2026-21510 already weaponized by APT28 (Fancy Bear) in prior LNK chains.
- Cisco Catalyst SD-WAN Manager CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 remain under active exploitation following CISA's April 21 KEV addition. Federal patch deadline expired April 24.
- The Anthropic Model Context Protocol (MCP) architectural STDIO flaw now spans 14+ CVEs and 30+ RCE issues across Python, TypeScript, Java, and Rust SDKs, with up to 200,000 vulnerable instances (OX Security). Anthropic has classified the behavior as expected by design.
- Robinhood confirmed on April 28, 2026 that attackers abused its account creation flow to inject HTML into device name fields, sending SPF/DKIM-valid phishing emails from noreply@robinhood.com. Gmail "dot trick" alias enumeration enabled mass targeting of existing customers.
- ADT confirmed a major breach exposing 5.5 million customer records (names, addresses, partial SSNs). Initial access traced to a vishing-driven SSO compromise of an employee Okta account; ShinyHunters posted 11 GB of archived data on a leak site.
- Vercel disclosed a security incident on April 19, 2026 traced to a February Lumma Stealer compromise at Context.ai. A pre-granted "Allow All" Google Workspace OAuth token enabled lateral movement to non-sensitive environment variables; ShinyHunters demanded $2 million.
- LayerZero attributed the April 18 KelpDAO exploit (approximately $290 million in losses) to North Korea's TraderTraitor subgroup of Lazarus, which is also running a new macOS-focused "Mach-O Man" ClickFix campaign against fintech and crypto executives.
- Iran-linked APT activity targeting Rockwell Automation/Allen-Bradley PLCs continues across U.S. water, energy, and government facilities (CISA AA26-097A). Volt Typhoon and Salt Typhoon pre-positioning campaigns also remain active inside U.S. critical infrastructure and telecoms.
- Ransomware ecosystem volume remains elevated: Qilin and DragonForce accounted for 21% of weekly volume in week 16. April 28 victim postings include ACFA Calgary (TheGentlemen), Al Gosaibi GTB (Bashe), Alexandria Petroleum (Bashe), Avalon Flooring (DragonForce), and Notre Dame Campinas (TheGentlemen).
Critical Vulnerabilities
CVE-2026-32202: Microsoft Windows Shell NTLM Coercion (Actively Exploited, Newly KEV)
A spoofing vulnerability in Windows Shell (CVSS 4.3) that operates as a zero-click authentication coercion. Auto-parsed LNK shortcuts trigger SMB connections to attacker-controlled servers without user interaction, leaking NTLM hashes for offline cracking and relay. Microsoft patched the flaw silently on April 14, 2026 and only confirmed in-the-wild abuse on April 28 alongside CISA's KEV addition. The vulnerability is an incomplete patch for CVE-2026-21510, previously chained with CVE-2026-21513 by APT28 (Fancy Bear) to bypass Windows Mark-of-the-Web.
Action: Apply April 2026 cumulative updates immediately. Block outbound SMB (TCP 445) at the perimeter. Disable NTLM where feasible, enforce SMB signing, and hunt for outbound 445 connections to unknown destinations during the prior 30 days.
CVE-2024-1708: ConnectWise ScreenConnect Path Traversal (Newly KEV April 28)
A path traversal vulnerability in ConnectWise ScreenConnect 23.9.7 and earlier (CVSS 8.4) that, chained with the CVE-2024-1709 authentication bypass, enables remote code execution and webshell deployment. Earlier in April, Microsoft attributed exploitation to China-based Storm-1175 deploying Medusa ransomware. CISA added the flaw to KEV on April 28, 2026 with an FCEB patch deadline of May 19.
Action: Confirm ScreenConnect is on 23.9.8 or later. Audit user databases for unauthorized accounts and review ScreenConnect-initiated processes for the past 90 days. Hunt for Medusa precursor activity such as PsExec staging and Defender exclusion changes.
CVE-2026-20133, CVE-2026-20128, CVE-2026-20122: Cisco Catalyst SD-WAN Manager (Actively Exploited)
A trio of vulnerabilities in Cisco Catalyst SD-WAN Manager (formerly vManage) added to KEV on April 21, 2026. CVE-2026-20133 is an information disclosure flaw allowing unauthenticated remote attackers to access sensitive routing and credential data. CVE-2026-20128 and CVE-2026-20122 are companion bugs confirmed exploited by Cisco in early March. The campaign builds on CVE-2026-20127, an authentication bypass exploited as a zero-day since at least 2023 to inject rogue peers.
Action: Apply Cisco fixes. Restrict vManage management plane to administrative VLANs and bastion hosts. Review SD-WAN peer lists, controller logs, and template changes per CISA Emergency Directive 26-03 hunt guidance.
CVE-2026-35616: Fortinet FortiClient EMS RCE (Active Exploitation Continuing)
The FortiClient Enterprise Management Server unauthenticated RCE (CVSS 9.8) added to KEV earlier in April remains under active exploitation. EMS controls every FortiClient endpoint deployed by an organization, so a single exposed instance equates to fleet-wide compromise potential. CVE-2026-21643 was weaponized in parallel.
Action: Upgrade to the latest EMS build. Move EMS management interfaces off the public internet and treat any internet-exposed instance as presumed compromised. Trigger forensic review and rebuild candidates from clean images.
CVE-2026-1281 and CVE-2026-1340: Ivanti EPMM Pre-Auth RCE (Mass Exploitation)
Two pre-authentication RCE vulnerabilities in Ivanti Endpoint Manager Mobile that grant full control of mobile device management infrastructure. Unit 42, watchTowr, and Rapid7 have all observed mass automated exploitation, with attackers chaining to a /slt second-stage script that drops webshells, cryptominers, and persistent backdoors. Approximately 1,600 EPMM instances remain internet-exposed across the United States, Germany, Australia, and Canada.
Action: Apply Ivanti's January 2026 RPM 12.x patches immediately. Take exposed EPMM instances offline for triage. Enrolled mobile devices should be considered subject to MDM-mediated push if compromise is confirmed.
CVE-2026-32201: Microsoft SharePoint Server Spoofing (Continuing Exploitation)
The April 2026 SharePoint spoofing zero-day (CVSS 6.5) remains under active exploitation. Attackers chain credential theft from SharePoint into broader Microsoft 365 lateral movement.
Action: Apply April 2026 cumulative updates. Audit OAuth grants and session reuse; enforce conditional access for SharePoint admins.
CVE-2026-20700: Apple dyld Memory Corruption (Continuing Targeted Exploitation)
A memory-corruption flaw in dyld (Apple's dynamic linker) used in a sophisticated infection chain alongside CVE-2025-14174 and CVE-2025-43529 against iOS versions prior to iOS 26. Discovered by the Google Threat Intelligence Group and assessed as commercial spyware tooling.
Action: Update to iOS 26.3, iPadOS 26.3, macOS Tahoe 26.3, watchOS 26.3, tvOS 26.3, and visionOS 26.3. Enable Lockdown Mode for executives and high-risk profiles.
CVE-2026-27681: SAP Business Planning and Consolidation SQL Injection
An ABAP SQL injection (CVSS 9.9) in SAP BPC and Business Warehouse that allows a low-privileged user to upload an SQL payload to be executed against the database, leading to full data and code compromise.
Action: Apply SAP April Security Note. Audit BPC file upload logs and ABAP authorization profiles for the past 90 days.
Oracle April 2026 Critical Patch Update
Oracle shipped 481 security patches across 28 product families on April 21, addressing 241 unique CVEs. More than 300 are remotely exploitable without authentication. Critical-rated entries include CVE-2025-6965, CVE-2025-68615, CVE-2026-25968, CVE-2025-48913, CVE-2025-12543, CVE-2024-5535, CVE-2025-55130, and CVE-2025-58050 with CVSS scores of 9.8, 9.6, and 9.1.
Action: Prioritize WebLogic, MySQL, E-Business Suite, and Java SE patches based on internet exposure and authentication posture.
AI Security Threats
The agentic AI threat surface continues to expand faster than enterprise defenses, with this week marking several material developments across protocol design, supply chain integrity, and runtime abuse.
MCP Protocol Architectural Flaw at Scale
OX Security's continuing analysis of the Anthropic Model Context Protocol now totals more than 14 published CVEs and 30+ remote code execution paths across MCP SDKs in Python, TypeScript, Java, and Rust. The root cause sits in the protocol's STDIO transport, which allows an AI agent to launch a local program by specifying a shell command that flows directly into a privileged operating-system call.
OX Security's latest tally puts up to 200,000 vulnerable MCP instances in the wild, with monthly SDK downloads exceeding 97 million by early 2026 and cumulative downloads of affected packages above 150 million. After five months of disclosure, Anthropic has confirmed the STDIO execution behavior is intentional and assigned sanitization responsibility to downstream developers. Defenders should treat MCP-exposed surfaces as the AI equivalent of unauthenticated RPC.
A parallel BlueRock Security review of more than 7,000 MCP servers found 36.7% potentially vulnerable to server-side request forgery (SSRF), opening cloud metadata theft and lateral movement paths inside agent-hosting accounts.
Robinhood Account Creation HTML Injection
The Robinhood incident confirmed on April 28, 2026 illustrates how AI-era account creation flows extend the prompt-injection mental model to traditional input handling. Attackers exploited Gmail's "dot trick" alias behavior to register Robinhood accounts mapped to the email inbox of existing customers, then injected raw HTML containing phishing links into the device name field used in "recent login" notification emails. Because the messages originated from noreply@robinhood.com and rendered the unsanitized HTML, every SPF and DKIM control passed.
This pattern will continue to surface as agents and tools render user-controlled fields back into outbound communications. Output sanitization at notification and dashboard boundaries is now table-stakes.
Vercel Context.ai Supply Chain Compromise
Vercel's April 19 incident traces back to a February 2026 Lumma Stealer infection at Context.ai. A Vercel employee had previously granted the Context.ai AI Office Suite "Allow All" permissions on their Vercel-tied Google Workspace account; the attacker leveraged the surviving OAuth token to impersonate the employee, pivot into Vercel's environment, and decrypt non-sensitive environment variables. ShinyHunters subsequently demanded $2 million for the stolen data.
The attack chain validates a recurring pattern: lone-employee adoption of agentic AI tools, combined with broad OAuth scopes, becomes an unmanaged third-party entry point. Centralized OAuth governance, scope-of-least-privilege enforcement, and continuous audit of third-party AI integrations are now baseline controls.
Agentic AI Risk Telemetry
Industry telemetry from late April 2026 continues to confirm scale:
- 88% of enterprises reported at least one AI-agent security incident in 2026, with non-human identity sprawl named the top vulnerability.
- 73% of production AI deployments tested vulnerable to prompt injection during third-party assessment.
- Multi-turn jailbreaks remain the dominant attack pattern against frontier models, with cross-model transferability above 60% in research benchmarks.
- The OpenClaw skill marketplace surfaced over 820 confirmed malicious skills out of 10,700 total during the ClawHavoc supply-chain campaign uncovered earlier in 2026.
Defensive Implications
For organizations integrating MCP, agent platforms, or third-party AI tools, the April 28 to 29 disclosures reinforce the following priorities: enumerate every OAuth grant by employees to AI vendors, gate MCP servers behind policy-as-code controls (SSRF allowlisting, STDIO sandboxing, outbound network restrictions), sanitize user input rendered by any LLM-mediated workflow, and maintain a runtime allowlist for tool execution that does not rely solely on prompt-time guardrails.
Threat Actor Activity
TraderTraitor (Lazarus subgroup, DPRK)
LayerZero's incident response identified TraderTraitor as the actor behind the April 18, 2026 KelpDAO exploit, with approximately $290 million in cryptocurrency drained from cross-chain restaking flows. The same Lazarus-aligned cluster is running the "Mach-O Man" macOS campaign, using the ClickFix social engineering pattern (a fake browser error that prompts the victim to paste a curl-piped install command into Terminal) to compromise fintech and crypto executives via routine business email pretexts.
Storm-1175 (China)
Microsoft attributed April 2026 exploitation of CVE-2024-1708 and CVE-2024-1709 in ConnectWise ScreenConnect to Storm-1175, a China-based actor delivering Medusa ransomware. Initial access via ScreenConnect chains has consistently been followed by webshell installation, lateral movement, and double-extortion ransomware deployment.
APT28 (Fancy Bear, Russia)
CVE-2026-32202 is the in-the-wild incomplete-patch successor to CVE-2026-21510, a vulnerability previously weaponized by APT28 in LNK chains targeting European government and defense organizations. APT28 historical TTPs (NTLM relay, weaponized shortcut payloads, DLL search-order hijacking) should be loaded into hunt logic for organizations exposed to the new flaw.
Iran-affiliated APTs (Operational Technology Targeting)
Per CISA AA26-097A, Iran-affiliated actors continue to disrupt programmable logic controllers across U.S. water and wastewater systems, energy sectors, and government services facilities. Targeted devices include Rockwell Automation/Allen-Bradley PLCs accessible from the public internet via default credentials and outdated firmware. Defense industrial base, transportation, and telecommunications operators are also priority targets.
Volt Typhoon and Salt Typhoon (China)
Volt Typhoon pre-positioning inside U.S. critical infrastructure remains active. Salt Typhoon, attributed to breaches of multiple major U.S. telecoms and lawful-intercept systems, has been linked by the FBI to compromises of at least 200 companies across 80 countries (August 2025 attribution holds in 2026 reporting). Both campaigns continue to inform CISA SOHO router and edge appliance advisories.
ShinyHunters (Cybercrime Brokerage)
ShinyHunters claimed both the ADT breach (5.5M records, 11 GB archive) and the Vercel Context.ai-mediated breach in April 2026, demonstrating continued operation as a high-volume access broker and extortion operator. April activity also included claimed responsibility for prior Canada Life and Booking.com data sets.
Ransomware and Data Breaches
Active Ransomware Operators (Week 17)
| Operator | Recent Activity | Notable Victim Posts (Apr 28) |
|---|---|---|
| Qilin | Top group; ~21% weekly share with DragonForce | Multiple sectors, global |
| DragonForce | Top group; absorbed RansomHub affiliates | Andrew T Johnson, AOTCO, Avalon Floor |
| TheGentlemen | 9 confirmed posts in recent week | ACFA Calgary, Notre Dame Campinas |
| Bashe | Middle East and energy targeting | Al Gosaibi GTB, Al Rawdah, Alexandria |
| Medusa | Storm-1175 chain via ScreenConnect | Multiple managed service victims |
Notable Breaches (April 28 to 29, 2026)
| Organization | Records / Impact | Initial Access Vector |
|---|---|---|
| ADT | 5.5M customers (HIBP count) | Vishing of employee Okta SSO account |
| Robinhood | Phishing campaign | Account creation HTML injection |
| Vercel | Env vars, OAuth lateral | Context.ai Lumma Stealer; OAuth token reuse |
| KelpDAO | ~$290M crypto loss | TraderTraitor (Lazarus) protocol exploit |
| Autovista | Data and ops outage | Ransomware affecting Eurotax, Glass's |
| Notre Dame Campinas | Education sector posting | TheGentlemen leak site |
Weekly Ecosystem Metrics
| Metric | Latest Value | Trend |
|---|---|---|
| Reported victims (weekly) | 185 (week 8 to 15) | Up 5.7% |
| Distinct leak-site brands | 36 (week 16) | 4 new brands |
| Top operators combined share | Qilin + DragonForce ~21% | Stable |
Recommended Actions
Immediate (Within 24 Hours)
- Apply April 2026 Windows cumulative updates and explicitly verify CVE-2026-32202 remediation across the fleet. Hunt for outbound SMB (TCP 445) connections to non-corporate destinations in the past 30 days.
- Confirm ConnectWise ScreenConnect is at 23.9.8 or later. Audit ScreenConnect user databases for unauthorized accounts and review parent-child process telemetry for the past 90 days.
- Verify Cisco Catalyst SD-WAN Manager patches for CVE-2026-20133, CVE-2026-20128, CVE-2026-20122. Restrict vManage to bastion access only.
- Inventory employee OAuth grants to third-party AI tools (Context.ai, Lovable, Cursor, Copilot variants). Revoke "Allow All" Workspace and 365 scopes. Enforce admin-managed OAuth governance moving forward.
- Treat any internet-exposed Fortinet FortiClient EMS or Ivanti EPMM as presumed compromised pending triage.
Short-Term (Within 7 Days)
- Block outbound SMB and force NTLM-disabled posture on endpoints where possible. Where NTLM is required, enforce SMB signing and EPA.
- Hunt for ClickFix indicators on macOS executive endpoints (terminal history, recent curl-piped installs, unsigned dyld load events).
- Stand up policy-as-code controls in front of any internal MCP server: STDIO sandboxing, SSRF allowlists, outbound egress controls, tool-execution allowlists.
- Sanitize user-controlled fields rendered into transactional emails, dashboards, and notifications. Apply equally to AI-generated outputs.
- Patch SAP April Security Notes, complete Oracle April CPU rollout for WebLogic, MySQL, and Java SE.
Strategic (30 to 90 Days)
- Reframe AI agent governance under non-human identity (NHI) controls: every agent, MCP server, and OAuth integration should have a unique credential, least-privilege scope, lifecycle expiration, and continuous audit.
- Build runtime allowlists for tool execution that survive prompt-time guardrail bypass. Treat prompt injection as a permanent design assumption.
- Map operational technology exposure: PLC inventories, internet-facing ICS interfaces, and vendor remote access. Align with CISA AA26-097A guidance for water, energy, and government facilities.
- Exercise tabletop scenarios for telecom and SOHO router compromise (Volt Typhoon, Salt Typhoon patterns) and AI vendor supply chain compromise (Vercel Context.ai pattern).
- Validate detection coverage for Lumma Stealer, ClickFix initial access, and Medusa precursor activity across endpoint and identity telemetry.
Sources
- CISA Adds Two Known Exploited Vulnerabilities to Catalog (April 28, 2026)
- CISA Adds Eight Known Exploited Vulnerabilities to Catalog (April 20, 2026)
- Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 (The Hacker News)
- CISA, Microsoft warn of active exploitation of Windows Shell CVE-2026-32202 (Help Net Security)
- CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV (The Hacker News)
- CISA flags new SD-WAN flaw as actively exploited in attacks (BleepingComputer)
- CISA flags Cisco Catalyst SD-WAN Manager CVE-2026-20133 as exploited (Help Net Security)
- Fortinet customers confront actively exploited zero-day CVE-2026-35616 (CyberScoop)
- Critical Vulnerabilities in Ivanti EPMM Exploited (Unit 42)
- Apple discloses first actively exploited zero-day of 2026 (CyberScoop)
- Microsoft Patch Tuesday April 2026 (Cybersecurity News)
- Oracle Critical Patch Update Advisory April 2026
- SAP Security Patch Day April 2026
- 'By Design' Flaw in MCP Could Enable Widespread AI Supply Chain Attacks (SecurityWeek)
- Critical MCP Security Flaw Exposes 200,000 AI Agent Servers to Takeover (AI2Work)
- MCP Security in 2026: Real CVEs, Exploit Chains, and Policy-as-Code Defenses (policyascode.dev)
- The Vercel Breach: OAuth Supply Chain Attack (Trend Micro)
- Vercel April 2026 security incident (Vercel Knowledge Base)
- Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials (The Hacker News)
- Robinhood Vulnerability Exploited for Phishing Attacks (SecurityWeek)
- Robinhood account creation flaw abused to send phishing emails (BleepingComputer)
- ADT Confirms Major Data Breach Exposing Millions (TechRepublic)
- North Korean hackers tied to $290M crypto heist (UPI / LayerZero)
- Lazarus Group Mach-O Man macOS attack vector (CoinDesk)
- Iranian-Affiliated Cyber Actors Exploit PLCs Across US Critical Infrastructure (CISA AA26-097A)
- U.S. Public Sector Under Siege: Threat Intelligence for Q1 2026 (Trend Micro)
- Weekly Ransomware Trends April 2026: Qilin and DragonForce (Ransom-DB)
- Ransomware Activity Tracker 2026 (PurpleOps)
- April 2026 Data Breaches (SharkStriker)
- Recent Data Breaches in 2026 (BreachSense)
- Top Agentic AI Security Threats in Late 2026 (Stellar Cyber)
- AI Agent Security Vulnerabilities 2026: 88% of Enterprises Already Breached