TLP:CLEAR CTI-2026-0430

Daily Threat Intelligence Brief - April 30, 2026

April 30, 2026
Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors

Executive Summary

  • A "by design" remote code execution flaw in the Model Context Protocol (MCP) places an estimated 200,000 publicly reachable AI agent servers and 150 million package downloads at risk across LangChain, LangFlow, LiteLLM, Flowise, LettaAI, and LangBot. Anthropic has declined to alter the protocol, calling the behavior "expected."
  • CVE-2026-42208, a pre-authentication SQL injection in LiteLLM proxy versions 1.81.16 to 1.83.6 (CVSS 9.3), was weaponized within 36 hours of disclosure and is now being used to siphon database contents, virtual keys, and upstream provider API credentials.
  • CISA added CVE-2026-39987, a critical pre-auth RCE in the Marimo Python notebook framework (all versions before 1.12.1), to the Known Exploited Vulnerabilities catalog on April 23.
  • Carnival Corporation confirmed a ransomware breach exposing 8.7 million Holland America Line records. The same actor reportedly compromised 40+ organizations, including Mytheresa, Pitney Bowes, Canada Life, Hallmark, and Inditex.
  • Vercel disclosed a supply-chain incident on April 19 traced to a compromise of third-party tool Context.ai, with attackers claiming theft of access keys, source code, and database data.
  • Joint US, UK, and allied advisory warns that Iranian-affiliated APT groups are actively exploiting internet-facing OT in US energy, water, transportation, and telecom sectors via Rockwell/Allen-Bradley PLC and HMI/SCADA manipulation.
  • Microsoft Defender remains under attack from three actively exploited zero-days (BlueHammer, RedSun, UnDefend), two of which are still unpatched as of this brief.
  • Rituals (NL cosmetics) confirmed a breach affecting up to 41 million members; Vimeo customer data exposed via Anodot third-party compromise.

Critical Vulnerabilities

CVE-2026-39987: Marimo Pre-Auth RCE (CISA KEV, April 23)

A critical pre-authentication remote code execution flaw in the Marimo reactive notebook framework affects every version prior to 1.12.1. CISA added the issue to the KEV catalog on April 23, 2026, with a federal patch deadline in mid-May. Because Marimo is widely embedded in data-science and AI agent toolchains, exposed instances often sit behind otherwise-trusted developer endpoints.

Action: upgrade to Marimo 1.12.1 or later, audit notebook host network exposure, and review process telemetry for unexpected child processes spawned from notebook workers.

Source: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

CVE-2026-42208: LiteLLM Pre-Auth SQL Injection (CVSS 9.3)

A pre-authentication SQL injection in the LiteLLM proxy API key verification path affects versions 1.81.16 through 1.83.6. Researchers documented active exploitation within 36 hours of public disclosure. Successful exploitation exposes the database backing the proxy, including virtual keys, environment-bound provider credentials, and tenant data, effectively compromising every upstream LLM API the proxy is configured to broker.

Action: upgrade LiteLLM immediately, rotate every upstream provider key the proxy has touched, and inspect proxy logs for anomalous key-verification traffic prior to the patch.
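The log review above is easier to operationalize with a small triage script. The following is an added example, not LiteLLM's code or its real log format: the JSON field names, the endpoint paths, the expected key shape ("sk-" plus URL-safe characters) and the sample lines are all constructed assumptions. It flags bearer tokens that do not look like a well-formed virtual key, notes when such a token was nonetheless accepted (a verification bypass signal), and counts failed verifications per source to surface bursts.

```python
"""Triage constructed AI-gateway access logs for anomalous key-verification
traffic.  Added example, not LiteLLM's own code or log format; the JSON
fields, endpoint paths and key shape below are assumptions."""
import json
import re
from collections import Counter

# Constructed sample log: one JSON object per line, hypothetical field names and values.
SAMPLE_LOG = """\
{"ts":"2026-04-20T09:00:01Z","src":"198.51.100.7","path":"/chat/completions","status":200,"auth":"Bearer sk-proj-0a1b2c3d4e5f"}
{"ts":"2026-04-20T09:00:02Z","src":"203.0.113.9","path":"/chat/completions","status":401,"auth":"Bearer sk-x'"}
{"ts":"2026-04-20T09:00:02Z","src":"203.0.113.9","path":"/chat/completions","status":401,"auth":"Bearer sk-x'--"}
{"ts":"2026-04-20T09:00:03Z","src":"203.0.113.9","path":"/chat/completions","status":401,"auth":"Bearer sk-x'/*"}
{"ts":"2026-04-20T09:00:03Z","src":"203.0.113.9","path":"/chat/completions","status":401,"auth":"Bearer sk-x' OR '1'='1"}
{"ts":"2026-04-20T09:00:04Z","src":"203.0.113.9","path":"/chat/completions","status":200,"auth":"Bearer sk-x' OR '1'='1"}
{"ts":"2026-04-20T09:00:05Z","src":"198.51.100.7","path":"/models","status":200,"auth":"Bearer sk-proj-0a1b2c3d4e5f"}
{"ts":"2026-04-20T09:00:06Z","src":"192.0.2.44","path":"/chat/completions","status":401,"auth":"Bearer sk-typo"}
"""

# Assumed well-formed virtual key: "sk-" followed by URL-safe characters only.
KEY_SHAPE = re.compile(r"^sk-[A-Za-z0-9_-]+$")
# Characters and keywords that have no place in a key and suggest query tampering.
SQL_META = re.compile(r"['\"]|--|/\*|\bOR\b|\bUNION\b", re.IGNORECASE)
FAILED_AUTH_THRESHOLD = 3  # failed verifications per source before we call it a burst


def parse_line(line):
    """Decode one JSON log record and extract the bearer token."""
    rec = json.loads(line)
    auth = rec.get("auth", "")
    rec["token"] = auth.split(" ", 1)[1] if auth.lower().startswith("bearer ") else auth
    return rec


def triage(log_text):
    """Return findings as (ts, src, reason) tuples plus per-source failure bursts."""
    findings = []
    failures = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        token, src, status = rec["token"], rec["src"], rec["status"]
        if status == 401:
            failures[src] += 1
        if not KEY_SHAPE.match(token):
            reason = "malformed key"
            if SQL_META.search(token):
                reason += " with SQL metacharacters"
            if status == 200:
                # A malformed key that verified successfully is the strongest signal.
                reason += " ACCEPTED (possible verification bypass)"
            findings.append((rec["ts"], src, reason))
    bursts = {src: n for src, n in failures.items() if n >= FAILED_AUTH_THRESHOLD}
    for src, n in bursts.items():
        findings.append(("-", src, f"{n} failed key verifications"))
    return {"findings": findings, "bursts": bursts}


if __name__ == "__main__":
    for ts, src, reason in triage(SAMPLE_LOG)["findings"]:
        print(f"{ts} {src} {reason}")
```

A genuine typo ("sk-typo") produces a single 401 and no finding; the interesting output is the source that sends a run of malformed keys and then gets a 200, which is exactly the pre-patch pattern worth pulling into an incident.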

Source: https://www.abhs.in/blog/litellm-cve-2026-42208-sql-injection-ai-gateway-api-keys-exploited-2026

CVE-2026-32202: Windows Shell Zero-Day (CISA KEV, April 28)

CISA added a Windows Shell zero-day to the KEV catalog on April 28 after confirming exploitation in the wild. Federal agencies must patch by May 12, 2026. The flaw enables local privilege escalation when paired with a phishing or LOLBin foothold and was included in Microsoft's April Patch Tuesday set of 164 fixes.

Action: deploy April cumulative updates, prioritize endpoints in privileged user populations, and hunt for unusual ShellExecute and verb-handler invocations.

Source: https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-windows-flaw-exploited-in-zero-day-attacks/

CVE-2026-32201: SharePoint Server Spoofing (KEV, deadline April 28)

A spoofing flaw in Microsoft SharePoint Server (typically manifested as cross-site scripting) is being abused in the wild. CISA's federal due date was April 28, 2026, making this brief a final reminder for laggards. Spoofed SharePoint pages have historically been used by APTs to harvest credentials inside trusted intranet contexts.

Action: confirm April updates are deployed across all SharePoint farms; validate that ULS logs are flowing to a SIEM and inspect for anomalous SiteCollection and Webhook activity.

Source: https://www.securityweek.com/microsoft-patches-exploited-sharepoint-zero-day-and-160-other-vulnerabilities/

CVE-2026-35616: Fortinet FortiClient EMS Zero-Day

Fortinet shipped emergency hotfixes for an actively exploited FortiClient EMS flaw earlier this month. The vulnerability allows remote attackers to compromise the management server that pushes endpoint policy, which can be pivoted into an enterprise-wide attack.

Action: apply the FortiClient EMS hotfix, restrict the EMS management plane to a hardened admin VLAN, and review agent push history for unauthorized policy changes.

Source: https://www.helpnetsecurity.com/2026/04/04/forticlient-ems-zero-day-cve-2026-35616/

CVE-2026-27681: SAP BPC and BW SQL Injection (CVSS 9.9)

An ABAP-level SQL injection in SAP Business Planning and Consolidation and Business Warehouse allows a low-privileged user to upload a file containing arbitrary SQL that the platform then executes. Given the role SAP plays in financial close and forecasting, exploitation can directly tamper with reported financials.

Action: apply SAP April patch bundle, audit for non-admin users with file upload rights to BPC and BW, and review change logs for unexpected ABAP imports.

Source: https://thehackernews.com/2026/04/april-patch-tuesday-fixes-critical.html

Cisco Catalyst SD-WAN Manager (CVE-2026-20122, 20128, 20133)

CISA added three Catalyst SD-WAN Manager flaws to the KEV catalog after Cisco confirmed in-the-wild exploitation in March. The most severe allows abuse of a privileged API to upload or overwrite arbitrary files on the controller, giving attackers an authoritative push position over downstream WAN edges.

Action: upgrade Catalyst SD-WAN Manager, restrict the API plane to management-only networks, and review file system change events on controllers.

Source: https://thecyberexpress.com/cisa-kev-catalog-vulnerabilities/

Additional CISA KEV Additions (April 20)

CISA also added CVE-2023-27351 (PaperCut NG/MF), CVE-2024-27199 (JetBrains TeamCity), CVE-2025-2749 (Kentico Xperience), CVE-2025-32975 (Quest KACE SMA, CVSS 10.0), and CVE-2025-48700 (Zimbra Collaboration Suite). The Quest KACE flaw is especially notable for its perfect CVSS score and the privileged endpoint-management role KACE plays in many SMB and mid-market estates.

Source: https://thehackernews.com/2026/04/cisa-adds-8-exploited-flaws-to-kev-sets.html

AI Security Threats

The Model Context Protocol vulnerability disclosed by OX Security and amplified by Cloud Security Alliance research is the dominant AI security story of the week, and arguably of the quarter. Researchers identified an unsafe default in how MCP server configuration is handled for the STDIO transport: any command passed to the STDIO client interface is executed on the host, whether or not the resulting process initializes a valid MCP server. Because the vulnerability lives in the official Anthropic SDK across Python, TypeScript, Java, and Rust, every downstream agent framework that consumes those SDKs inherits the exposure.

The blast radius is large. OX Security and follow-up reporting count more than 7,000 publicly reachable MCP servers, an estimated 150 million SDK downloads, and roughly 200,000 vulnerable instances in active use. Confirmed downstream impact spans LiteLLM, LangChain, LangFlow, Flowise, LettaAI, and LangBot. Because MCP servers commonly run with broad host permissions to read files, call tools, and broker LLM credentials, RCE on an MCP host typically yields the keys to every agent and every connected SaaS the agent talks to. Anthropic has so far declined to change the protocol, characterizing the behavior as "expected." Defenders should not wait for an upstream fix.
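Since the exposure is "whatever command the configuration names gets executed," the practical defensive control is to treat MCP configuration as untrusted input and lint it before an agent loads it. The script below is an added example, not code from OX Security, Anthropic, or any MCP SDK. It assumes the common {"mcpServers": {name: {"command", "args", "env"}}} JSON layout; the allowlist, path prefixes, server names and values are hypothetical and would be set per environment. It flags entries that launch a shell interpreter, pass inline code with -c, carry shell metacharacters in arguments, run a command outside the allowlist, or embed credentials in the server's environment block.

```python
"""Lint an MCP client configuration for STDIO server entries that would run
arbitrary host commands.  Added example; not code from OX Security, Anthropic
or any MCP SDK.  Assumes the common {"mcpServers": {name: {"command": ...,
"args": [...], "env": {...}}}} JSON layout and an environment-specific policy."""
import json
import os
import re

# Assumed policy: allowed launcher basenames, or absolute paths under vetted directories.
ALLOWED_COMMANDS = {"npx", "uvx", "node", "python3"}
ALLOWED_PATH_PREFIXES = ("/opt/tools/",)
SHELLS = {"sh", "bash", "zsh", "dash", "cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh"}
SHELL_META = re.compile(r"[;|&`<>]|\$\(|\$\{")
SECRET_KEY = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD)", re.IGNORECASE)

# Constructed sample configuration (hypothetical server names, paths and values).
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx",
                       "args": ["-y", "@modelcontextprotocol/server-filesystem", "/srv/data"]},
        "updater": {"command": "sh", "args": ["-c", "fetch-updates; apply-updates | tee /tmp/log"]},
        "scratch": {"command": "python3", "args": ["-c", "print(1)"]},
        "notes": {"command": "/opt/tools/notes-mcp", "args": [],
                  "env": {"NOTES_API_TOKEN": "hypothetical-token-value"}},
    }
})


def audit_server(name, spec):
    """Return (server, reason) findings for one server entry."""
    findings = []
    cmd = spec.get("command")
    args = [str(a) for a in spec.get("args", [])]
    if not isinstance(cmd, str) or not cmd:
        return findings  # entries without a launch command are not STDIO servers
    base = os.path.basename(cmd).lower()
    if base in SHELLS:
        findings.append((name, f"launches a shell interpreter: {cmd}"))
    elif base not in ALLOWED_COMMANDS and not cmd.startswith(ALLOWED_PATH_PREFIXES):
        findings.append((name, f"command not in allowlist: {cmd}"))
    if "-c" in args:
        findings.append((name, "passes inline code with -c"))
    for arg in args:
        if SHELL_META.search(arg):
            findings.append((name, f"shell metacharacters in argument: {arg!r}"))
            break
    for key, value in spec.get("env", {}).items():
        # Credentials in the config file travel with the file; they belong in a vault.
        if SECRET_KEY.search(key) and value:
            findings.append((name, f"credential embedded in config env: {key}"))
    return findings


def audit_mcp_config(text):
    """Parse a config document and collect findings across every server entry."""
    config = json.loads(text)
    findings = []
    for name, spec in config.get("mcpServers", {}).items():
        findings.extend(audit_server(name, spec))
    return findings


if __name__ == "__main__":
    for server, reason in audit_mcp_config(SAMPLE_CONFIG):
        print(f"{server}: {reason}")
```

Running this as a pre-load gate (CI check on committed configs, or a wrapper around the agent launcher) does not fix the SDK behavior, but it removes the "any command" surface for configs an organization controls, which is the only lever available while the protocol default stands.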

This episode lands on top of an already turbulent month. CVE-2026-42208 in LiteLLM demonstrated a recurring pattern: AI gateways concentrate provider credentials, then ship behind under-tested API surfaces. The 36-hour exploitation window between disclosure and weaponization underscores how aggressively threat actors are now targeting inference proxies. A separately reported Adversa AI study of public MCP servers found 43 percent vulnerable to one or more configuration or injection attacks, and 341 malicious "skills" planted across community marketplaces, indicating that the supply-chain risk is not theoretical.

Prompt injection remains the OWASP LLM01 risk and is, by every metric in circulation, getting worse rather than better. Industry data referenced this month shows roughly 73 percent of production AI deployments vulnerable to prompt injection, and jailbreaks first proven on GPT-class models transferring to Claude-class models in 64 percent of tests. The UK National Cyber Security Centre's December 2025 position that prompt injection "may be a problem that is never fully fixed" is increasingly the operating assumption inside major SOCs. Multi-turn jailbreaks, multimodal payloads (images, QR codes, steganographic content), and indirect injection through retrieval-augmented documents have all matured into reliable techniques.

Real-world impact is no longer hypothetical. In March 2026, a Meta employee posted a routine technical question on an internal forum; within two hours, internal alerts triggered after sensitive user and company data was surfaced to a broader internal audience than intended through an LLM-mediated workflow. Banking-sector reporting this month flagged unpatched MCP-style flaws as a systemic risk because of how readily inference back-ends can be weaponized as a credential-harvesting layer once compromised.

For Krypteia clients shipping or operating agentic AI: assume MCP and any STDIO-style local tool transport is hostile; sandbox every agent process; treat every external configuration source as untrusted input; cap egress; and rotate provider keys held by gateways on a fast cadence. Provenance of community-distributed skills, plugins, and tools should be checked and pinned. Where possible, run an isolation boundary between the LLM-facing surface and any tool that touches secrets or production systems.

Threat Actor Activity

Iranian-affiliated APT groups are conducting an "ongoing cyber exploitation" campaign against US critical infrastructure, per the joint advisory issued April 7, 2026. Targeting focuses on internet-facing operational technology, with confirmed exploitation of Rockwell Automation and Allen-Bradley programmable logic controllers. Sectors named include energy, water and wastewater, transportation, telecommunications, the defense industrial base, federal contractors, and government mission-support providers. Reported impact includes PLC disruption, project-file tampering, and manipulation of HMI and SCADA displays leading to operational downtime and financial loss.

Russia-linked APT28 (Forest Blizzard), and its sub-cluster Storm-2754, continues the FrostArmada campaign documented by Microsoft Threat Intelligence and Lumen Black Lotus Labs. The campaign hijacks insecure MikroTik and TP-Link SOHO routers for use as relay infrastructure in DNS hijacking and credential-collection operations. More than 200 organizations and over 5,000 consumer devices have been linked to the malicious DNS infrastructure to date.

Chinese state-aligned activity continues to focus on US government communications. Salt Typhoon retains deep, persistent access in multiple US federal targets and has been linked to compromise of US House Committee staff email, per recent reporting from Trend Micro and others. Public-sector defenders should expect continued long-dwell, low-noise tradecraft from this cluster.

Source: https://www.cisa.gov/topics/cyber-threats-and-advisories/nation-state-cyber-actors
Source: https://thehackernews.com/2026/04/russian-state-linked-apt28-exploits.html

Ransomware and Data Breaches

| Victim                 | Sector          | Actor / Vector                  | Impact                                        |
|------------------------|-----------------|---------------------------------|-----------------------------------------------|
| Carnival / Holland Am. | Travel / Cruise | Ransomware (cluster, 40+ orgs)  | 8.7M records exposed                          |
| Rituals Cosmetics      | Retail          | Membership DB compromise        | Up to 41M customer records                    |
| Vercel                 | DevOps platform | Supply chain via Context.ai     | Access keys, source, deploy credentials claimed |
| Booking.com            | Travel          | Data breach (April 12 notice)   | PII, reservations, contact data               |
| Vimeo                  | Media / SaaS    | Anodot third-party breach       | Emails, video metadata                        |
| BePrime                | Cybersecurity   | Admin account, no MFA           | 12.6 GB, 1,858 network devices                |
| Autovista              | Automotive data | Ransomware                      | EU and AU outages across Eurotax, Schwacke    |
| Frost Bank             | Financial       | Everest ransomware listing      | Unauthorized access reported                  |
| Seiko USA              | Consumer goods  | Shopify backend compromise      | Order history, shipping, account data         |
| Rockstar Games         | Gaming          | ShinyHunters extortion          | Data theft claimed                            |

| Trend                       | Detail                                                                   |
|-----------------------------|--------------------------------------------------------------------------|
| Affiliate migration         | RansomHub absorbing former LockBit and BlackCat affiliates               |
| Third-party as primary risk | Anodot, Context.ai breaches cascaded into Vimeo and Vercel               |
| MFA failures                | BePrime root cause: admin accounts without MFA on critical surface       |
| OT-targeted extortion       | Autovista outage shows operational-data SaaS as a high-leverage target   |

Source: https://sharkstriker.com/blog/april-2026-data-breaches/
Source: https://www.kaseya.com/?post_type=post&p=27751
Source: https://www.dbdigest.com/2026/04/

Recommended Actions

Immediate (within 24 to 72 hours)

  • Patch or isolate all Marimo notebook hosts to 1.12.1 or later. Treat exposed instances as compromised until proven otherwise.
  • Upgrade LiteLLM proxy out of the 1.81.16 to 1.83.6 range, rotate every upstream provider API key the proxy has held, and review proxy logs for anomalous key-verification traffic.
  • Inventory MCP server deployments. Disable public network exposure, sandbox processes, and treat any external configuration input as untrusted.
  • Confirm April Microsoft cumulative updates are applied across SharePoint, Windows clients, and Defender estate. Hunt for evidence of BlueHammer, RedSun, or UnDefend tooling.
  • Apply Fortinet FortiClient EMS hotfix, restrict the EMS management plane, and review agent policy push history.

Short-Term (within 30 days)

  • Apply Cisco Catalyst SD-WAN Manager updates and audit controller file system changes; add detection for unexpected privileged API calls.
  • Deploy SAP April patch bundle, audit BPC and BW upload privileges, and review ABAP change history.
  • Rotate Vercel deployment keys and audit any tooling that integrates Context.ai. Validate third-party SaaS inventory and revoke unused integrations.
  • For ICS and OT operators in energy, water, transport, and telecom: harden internet-facing PLCs, segment HMI and SCADA, and review project-file integrity.
  • Replace or harden SOHO routers in remote-worker fleets; baseline DNS resolvers and alert on unauthorized changes.

Strategic (within 90 days)

  • Treat AI gateways and MCP servers as Tier 0 assets equivalent to identity providers. Apply privileged access management, secrets vaulting, and dedicated logging.
  • Build an AI supply-chain SBOM that captures SDK versions (MCP, LangChain, LiteLLM, LangFlow, Flowise) and pinned community plugins or skills, and feed it into vulnerability management.
  • Establish prompt injection and jailbreak red-team cadence with multi-turn, multimodal, and indirect-injection scenarios; track regression against an internal benchmark.
  • Mandate MFA on every administrative surface, with phishing-resistant factors on identity, cloud console, and CI/CD.
  • Reassess third-party risk programs in light of Anodot, Context.ai, and similar incidents; require breach-notification SLAs and credential-rotation playbooks from critical vendors.
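The SBOM recommendation above only pays off if the inventory is actually compared against affected ranges as advisories land. The following is an added example, not vendor code: a minimal checker that reads pinned Python requirements and matches them against the two ranges this brief names (LiteLLM 1.81.16 through 1.83.6 for CVE-2026-42208, Marimo before 1.12.1 for CVE-2026-39987). The lockfile content is constructed, the version comparison is a deliberately small numeric-tuple implementation rather than a full PEP 440 parser, and unpinned entries are reported separately because a range check cannot be evaluated against them.

```python
"""Check pinned Python dependencies against affected ranges from this brief.
Added example, not vendor code.  The lockfile below is constructed; the
affected ranges are the two named in the brief."""
import re

# (normalized package name, affected-range spec, advisory) as stated in the brief.
AFFECTED = [
    ("litellm", ">=1.81.16,<=1.83.6", "CVE-2026-42208"),
    ("marimo", "<1.12.1", "CVE-2026-39987"),
]

# Constructed lockfile for illustration (hypothetical versions).
SAMPLE_LOCK = """\
# constructed lockfile
litellm[proxy]==1.82.0
marimo==1.11.3
langchain==0.3.2
flowise-client>=1.0   # not pinned, cannot be range-checked
"""

REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*([\w.]*)")
CLAUSE = re.compile(r"(>=|<=|==|<|>)\s*([\w.]+)")
OPS = {
    ">=": lambda c: c >= 0, "<=": lambda c: c <= 0,
    "<": lambda c: c < 0, ">": lambda c: c > 0, "==": lambda c: c == 0,
}


def parse_version(s):
    """Dotted numeric version to a tuple; non-numeric suffixes end the parse."""
    parts = []
    for piece in s.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def cmp_versions(a, b):
    """Three-way compare after zero-padding so that 1.12 equals 1.12.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def matches(version, spec):
    """True when version satisfies every comma-separated clause in spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        op, bound = CLAUSE.match(clause.strip()).groups()
        if not OPS[op](cmp_versions(v, parse_version(bound))):
            return False
    return True


def check_requirements(text):
    """Return ([(name, version, advisory)], [unpinned names]) for a requirements text."""
    hits, unpinned = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        line = re.sub(r"\[.*?\]", "", line)  # drop extras such as [proxy]
        if not line:
            continue
        m = REQ_LINE.match(line)
        name = m.group(1).lower().replace("_", "-")
        op, version = m.group(2), m.group(3)
        if op != "==":
            unpinned.append(name)
            continue
        for pkg, spec, advisory in AFFECTED:
            if name == pkg and matches(version, spec):
                hits.append((name, version, advisory))
    return hits, unpinned


if __name__ == "__main__":
    hits, unpinned = check_requirements(SAMPLE_LOCK)
    for name, version, advisory in hits:
        print(f"AFFECTED {name}=={version} ({advisory})")
    for name in unpinned:
        print(f"UNPINNED {name}: pin it so it can be checked")
```

The AFFECTED table is the part that changes week to week; the point of the example is that once SDK versions are pinned and inventoried, adding a row and re-running the check is the whole response to a new advisory.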

Sources