Stay Ahead of Threats with the Latest Vulnerability Updates for April
Stay up to date on critical cyber risks, Microsoft’s April Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats.
Quick Highlights
- Microsoft Patch Tuesday:
– 165 vulnerabilities disclosed
– 8 rated Critical, 2 are Zero-Day (1 being actively exploited, 1 being publicly disclosed)
- High-Severity Advisories from Major Vendors:
– Adobe: 56 vulnerabilities affecting 11 products, one actively exploited zero-day for Adobe Acrobat
– Cisco: 3 critical-severity flaws in Cisco Identity Services Engine (ISE), Cisco ISE Passive Identity Connector (ISE-PIC), and Cisco Webex Services
– Fortinet: 2 critical and 1 high-severity flaws in FortiSandbox and FortiAnalyzer
– Ivanti: 2 medium-severity flaws in Ivanti Neurons for ITSM
– SAP: 1 critical and 1 high-severity vulnerability in SAP Business Planning and Consolidation, SAP Business Warehouse, SAP ERP and SAP S/4 HANA
– SonicWall: 1 high-severity flaw in SonicWall SMA1000 series appliances
- Top Threats to Watch:
– Phishing‑as‑a‑Service that defeats MFA by design
– Mature platforms (e.g., Venom, EvilTokens, W3LL) are operationalizing AiTM, OAuth device‑code abuse, and token replay to reliably bypass MFA and achieve persistent access at scale.
– Rapid weaponization of zero‑days and N‑days
– Attackers are exploiting critical flaws within hours or days of disclosure—often before patches are widely deployed—dramatically shrinking defender response windows.
– Direct attacks on security controls (EDR/identity)
– Modern ransomware and intrusion campaigns increasingly disable endpoint security and identity telemetry early, blinding defenders before deploying follow‑on payloads.
– Abuse of trusted platforms and supply‑chain trust
– Legitimate tools and services (AI workflow automation, PaaS, software update mechanisms) are being weaponized to blend malicious activity into normal enterprise traffic.
– Expansion of cyber operations into high‑impact environments
– Threat activity is targeting government, critical infrastructure, and civil society through OT exploitation, hack‑for‑hire espionage, and large‑scale web application compromise.
Windows 10 Reaches End of Support
As of October 14, 2025, Microsoft has officially ended support for Windows 10. October 2025’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program.
- What This Means for Your Organization:
– No more security patches or bug fixes for Windows 10 devices
– Increased exposure to vulnerabilities and compliance risks
– Continued support requires either: 1.) Enrolling in Microsoft’s paid ESU program, or 2.) Upgrading to Windows 11
- Upgrading to Windows 11
Unlike traditional feature upgrades, Windows 11 25H2 is built on the same servicing branch and code base as Windows 11 24H2, making the transition simpler and lower risk.
Fortress has thoroughly tested Windows 11 25H2 and recommends upgrading all supported devices. To begin the upgrade process, contact our 24/7/365 Security Operations Team or reach out to your client experience manager.
Windows 11 End of Support
As of November 2025, Microsoft has officially ended support for earlier versions of Windows 11 (listed below).
- Windows 11 version 21H2 (All Editions)
- Windows 11 version 22H2 (All Editions)
- Windows 11 version 23H2 (Home & Pro)
We would also like to highlight several upcoming End of Support dates for the following Windows releases:
- Windows 11 version 23H2 (Enterprise & Education) – Support ends November 10, 2026. After this date, these editions will no longer receive security updates or fixes.
- Windows 11 version 24H2 (Home & Pro) – Support ends October 13, 2026. Devices running these editions should be upgraded before this date to remain supported and secure.
Fortress recommends reviewing device inventories ahead of these deadlines to ensure systems are upgraded in advance and remain within a supported lifecycle.
* Some specialized editions of Windows 11 24H2 (e.g. Long Term Support Cycle) will continue to receive extended support through 2029. However, for all other editions we recommend upgrading to Windows 11 25H2.
Windows Server 2016 End of Support
Support for Windows Server 2016 is scheduled to end on January 12, 2027, which is now less than a year away. After this date, Microsoft will no longer provide security updates, bug fixes, or technical support for the platform.
Organizations still running Windows Server 2016 should begin planning upgrade or migration strategies to avoid increased security risk and compliance concerns once support ends.
Fortress recommends reviewing affected systems early to allow sufficient time for testing, upgrades, or workload migration before the end-of-support deadline.
Need help planning your transition?
Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure.
Patch Tuesday Summary
Microsoft April 2026 Patch Tuesday
165 vulnerabilities disclosed, including 8 critical and 2 zero-days. By category:
- 93 Elevation of Privilege
- 21 Information Disclosure
- 20 Remote Code Execution
- 13 Security Feature Bypass
- 10 Denial of Service
- 8 Spoofing
- 2 Tampering
Critical Common Vulnerabilities and Exposures (CVEs)
Windows Zero-Days
| CVE-ID | Details | Severity | Exploited? |
|---|---|---|---|
| CVE-2026-32201 | Microsoft SharePoint Server Spoofing Vulnerability | Important | Yes |
| CVE-2026-33825 | Microsoft Defender Elevation of Privilege Vulnerability | Important | No (publicly disclosed) |
Other Critical CVEs Worth Mentioning
| CVE-ID | Details | Severity | Exploited? |
|---|---|---|---|
| CVE-2026-23666 | Denial-of-Service flaw in .NET Framework | Critical | No |
| CVE-2026-32190 | Remote Code Execution vulnerability in Microsoft Office | Critical | No |
| CVE-2026-33115 | Remote Code Execution vulnerability in Microsoft Word | Critical | No |
| CVE-2026-33114 | Remote Code Execution vulnerability in Microsoft Word | Critical | No |
| CVE-2026-32157 | Remote Code Execution vulnerability in Remote Desktop Client | Critical | No |
| CVE-2026-33826 | Remote Code Execution vulnerability in Windows Active Directory | Critical | No |
| CVE-2026-33824 | Remote Code Execution vulnerability in Windows Internet Key Exchange (IKE) Service Extensions | Critical | No |
| CVE-2026-33827 | Remote Code Execution vulnerability in Windows TCP/IP | Critical | No |
Microsoft April 2026 Security Update Release
Third-Party Critical CVEs Worth Mentioning
Adobe Products *
| CVE-ID(s) | Affected Product | Issues | Key Risks |
|---|---|---|---|
| CVE-2026-34622, CVE-2026-34626 | Acrobat Reader | 1 Critical, 1 Important | Arbitrary code execution; arbitrary file system read |
| CVE-2026-27283, CVE-2026-27284, CVE-2026-27291, CVE-2026-34627, CVE-2026-34628, CVE-2026-34629, CVE-2026-27238, CVE-2026-27285, CVE-2026-27286 | InDesign | 7 Critical, 2 Important | Arbitrary code execution; application denial-of-service; memory exposure |
| CVE-2026-27287, CVE-2026-34631 | InCopy | 2 Critical | Arbitrary code execution |
| CVE-2026-27288, CVE-2026-34623, CVE-2026-34624, CVE-2026-34625 | Experience Manager (AEM) Screens | 4 Important | Arbitrary code execution |
| CVE-2026-27290, CVE-2026-27292, CVE-2026-27293, CVE-2026-27294, CVE-2026-27295, CVE-2026-27296, CVE-2026-27297, CVE-2026-27298, CVE-2026-27299, CVE-2026-27300, CVE-2026-27301 | FrameMaker | 8 Critical, 3 Important | Arbitrary code execution; arbitrary file system read; memory exposure |
| CVE-2026-27302, CVE-2026-27303, CVE-2026-27243, CVE-2026-27245, CVE-2026-27246, CVE-2026-34615, CVE-2026-34617, CVE-2026-21331, CVE-2026-34614 | Connect | 7 Critical, 2 Important | Arbitrary code execution; privilege escalation |
| CVE-2026-34619, CVE-2026-27304, CVE-2026-27305, CVE-2026-27282, CVE-2026-27306, CVE-2026-27307, CVE-2026-27308 | ColdFusion | 5 Critical, 2 Moderate | Arbitrary file system read; security feature bypass; arbitrary code execution; application denial-of-service |
| CVE-2026-34630, CVE-2026-27310, CVE-2026-27311, CVE-2026-27312, CVE-2026-27313, CVE-2026-27222 | Bridge | 5 Critical, 1 Important | Arbitrary code execution; application denial-of-service |
| CVE-2026-27289 | Photoshop | 1 Critical | Arbitrary code execution |
| CVE-2026-27258, CVE-2026-27259, CVE-2026-27260 | DNG SDK | 3 Important | Application denial-of-service; memory exposure |
| CVE-2026-34618 | Illustrator | 1 Critical | Arbitrary code execution |
| CVE-2026-34621 | Acrobat Reader (2) | 1 Critical | Arbitrary code execution. *Actively being exploited in the wild |
Cisco *
| CVE-ID(s) | Affected Product | Description | Severity | Exploited? |
|---|---|---|---|---|
| CVE-2026-20180, CVE-2026-20186 | Cisco Identity Services Engine (ISE) | Multiple vulnerabilities could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit these vulnerabilities, the attacker must have at least Read Only Admin credentials. | Critical | No |
| CVE-2026-20147, CVE-2026-20148 | Cisco Identity Services Engine (ISE); Cisco ISE Passive Identity Connector (ISE-PIC) | Multiple vulnerabilities could allow an authenticated, remote attacker to achieve remote code execution or conduct path traversal attacks on an affected device. To exploit these vulnerabilities, the attacker must have valid administrative credentials. | Critical | No |
| CVE-2026-20184 | Cisco Webex Services | A vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services could have allowed an unauthenticated, remote attacker to impersonate any user within the service. | Critical | No |
Fortinet *
| CVE-ID | Affected Product | Description | Severity | Exploited? |
|---|---|---|---|---|
| CVE-2026-39813 | FortiSandbox | A path traversal vulnerability in the JRPC API may allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests. | Critical | No |
| CVE-2026-39808 | FortiSandbox | An Improper Neutralization of Special Elements used in an OS Command (‘OS command injection’) vulnerability may allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests. | Critical | No |
| CVE-2026-22828 | FortiAnalyzer | A heap-based buffer overflow vulnerability in the Cloud oftpd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Successful exploitation would require a large amount of effort in preparation because of ASLR and network segmentation. | High | No |
Ivanti *
| CVE-ID(s) | Affected Product | Description | Severity | Exploited? |
|---|---|---|---|---|
| CVE-2026-4913 | Ivanti Neurons for ITSM (on-premises and cloud) | Improper protection of an alternate path in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to retain access after their account has been disabled. | Medium | No |
| CVE-2026-4914 | Ivanti Neurons for ITSM (on-premises and cloud) | Stored XSS in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to obtain limited information from other user sessions. User interaction is required. | Medium | No |
Ivanti April 2026 Security Update
SAP *
| CVE-ID | Affected Component | Description | Severity | Exploited? |
|---|---|---|---|---|
| CVE-2026-27681 | SAP Business Planning and Consolidation and SAP Business Warehouse | Due to insufficient authorization checks, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. | Critical | No |
| CVE-2026-34256 | SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise) | Due to a missing authorization check, an authenticated attacker could execute a particular ABAP report to overwrite any existing eight-character executable ABAP report without authorization. | High | No |
SonicWall *
| CVE-ID | Affected Component | Description | Severity | Exploited? |
|---|---|---|---|---|
| CVE-2026-4112, CVE-2026-4113, CVE-2026-4114, CVE-2026-4116 | SonicWall SMA1000 series appliances | Multiple vulnerabilities allow a remote attacker to | High | No |
Google Chrome
- Version: 147.0.7727.101/102 (Windows and Mac), 147.0.7727.101 (Linux)
- Release Date: Wednesday, April 15, 2026
- Key Fixes: 5 critical-severity CVEs, 22 high-severity CVEs
* Not handled by Fortress SRM.
Threat Intelligence Trends – April 2026
The following resources are grouped by threat type / category.
Phishing‑as‑a‑Service & Credential Theft Platforms
W3LL Unmasked: The takedown of a global phishing-as-a-service ecosystem
Group-IB outlines how years of investigation into the W3LL operation led to the disruption of a sophisticated phishing-as-a-service ecosystem that enabled large-scale business email compromise by bypassing MFA and selling stolen access. The takedown, carried out with international law enforcement, shows how long-running underground marketplaces can industrialize phishing and emphasizes the value of sustained intelligence-led collaboration in dismantling them.
Meet VENOM: The PhaaS Platform That Neutralizes MFA
Abnormal researchers describe a highly targeted phishing campaign powered by the previously undocumented VENOM phishing‑as‑a‑service platform, which focuses on stealing Microsoft 365 credentials from C‑suite executives. By using QR‑code lures, adversary‑in‑the‑middle and device‑code techniques, and extensive evasion measures, the campaign bypasses MFA and quickly establishes persistent account access.
Riding the Rails: Threat Actors Abuse Railway.com PaaS as Microsoft 365 Token Attack Infrastructure
Huntress details a large‑scale phishing campaign in which attackers abused Railway’s PaaS infrastructure to host Microsoft 365 device‑code phishing and token replay services, allowing account takeover without stealing passwords or triggering MFA prompts. The activity, attributed to the EvilTokens phishing‑as‑a‑service platform, demonstrates how cloud PaaS providers can be rapidly weaponized to scale OAuth token theft and bypass traditional identity defenses.
AI-Enabled & Emerging Platform Abuse
The n8n n8mare: How threat actors are misusing AI workflow automation
Cisco Talos researchers detail how attackers are abusing the legitimate n8n automation platform to power phishing campaigns that deliver malware and fingerprint victims via exposed webhook URLs, allowing malicious activity to blend into trusted infrastructure. Observed from late 2025 through early 2026, these campaigns show how AI-enabled workflow tools can be weaponized to bypass traditional email and web security controls.
ChatGPT Data Leakage via a Hidden Outbound Channel in the Code Execution Runtime
Check Point Research reports a technique that abused a hidden outbound communication channel in ChatGPT’s code execution environment to exfiltrate sensitive data, even when direct network access appeared restricted. The research highlights risks in sandboxed AI runtimes and underscores the need for strict egress controls and continuous monitoring to prevent unintended data leakage in AI-assisted workflows.
Ransomware & Defense Evasion Tooling
Qilin EDR killer infection chain
Cisco Talos analyzes a sophisticated Qilin ransomware component that uses a malicious, sideloaded msimg32.dll to launch a multi‑stage “EDR killer” capable of disabling more than 300 EDR products across almost every major vendor. The malware employs advanced evasion, in‑memory execution, and vulnerable driver abuse to blind defensive telemetry before ransomware deployment, highlighting a shift toward directly attacking endpoint security controls.
Zero‑Day Exploitation & Rapid Weaponization
EXPMON Detected Sophisticated Zero-Day Fingerprinting Attack Targeting Adobe Reader Users
Security researcher Haifei Li reports that the EXPMON exploit detection system uncovered a highly sophisticated malicious PDF exploiting a previously unknown Adobe Reader zero-day to steal local files and perform advanced system fingerprinting. The exploit abuses privileged Acrobat JavaScript APIs and can potentially enable follow‑on sandbox escape or remote code execution, demonstrating an active and targeted zero‑day threat against fully up‑to‑date Adobe Reader installations.
Operation TrueChaos: 0‑Day Exploitation Against Southeast Asian Government Targets
Check Point Research uncovered a zero‑day vulnerability in the TrueConf video conferencing client (CVE‑2026‑3502) that was actively exploited to compromise Southeast Asian government networks by abusing the platform’s trusted on‑premises update mechanism. The campaign delivered post‑exploitation tooling via tampered updates and is attributed with moderate confidence to a Chinese‑nexus threat actor, highlighting the risk of supply‑chain style attacks inside supposedly air‑gapped environments.
CVE‑2026‑3055: Citrix NetScaler ADC and NetScaler Gateway Out‑of‑Bounds Read
Rapid7 analyzes a critical vulnerability in customer‑managed Citrix NetScaler ADC and Gateway appliances that allows unauthenticated attackers to read sensitive memory when the device is configured as a SAML identity provider. With active exploitation confirmed and a Metasploit module available, Rapid7 recommends immediate patching to prevent session token leakage and follow‑on compromise.
Marimo OSS Python Notebook RCE: From Disclosure to Exploitation in Under 10 Hours
Sysdig documents how a critical pre‑authentication RCE flaw in the marimo open‑source Python notebook was exploited in the wild less than 10 hours after public disclosure, despite the absence of proof‑of‑concept code. The incident highlights how attackers rapidly weaponize advisory details to gain unauthenticated shell access and steal credentials, sharply narrowing defenders’ patching and response windows.
Web Application & E‑Commerce Platform Compromise
PolyShell: unrestricted file upload in Magento and Adobe Commerce
Sansec reveals a critical REST API flaw that allows unauthenticated attackers to upload polyglot files disguised as images to Magento and Adobe Commerce stores, enabling remote code execution or account takeover depending on server configuration. With no production patch available and widespread exposure observed, the issue highlights systemic risk in Magento deployments and the urgency of compensating controls and compromise scanning.
Hack‑for‑Hire, Surveillance & Espionage Operations
Beyond BITTER: MENA Civil Society Targeted in Hack‑for‑Hire Operation Linked to BITTER APT
Lookout details a long‑running hack‑for‑hire espionage campaign tied to the BITTER APT that targets journalists, activists, and civil society across the Middle East using spear‑phishing and mobile spyware rather than zero‑day exploits. The operation shows how commercial surveillance actors leverage social engineering and Android spyware to achieve persistent monitoring of high‑risk individuals.
Critical Infrastructure & Operational Technology (OT) Attacks
Iranian‑Affiliated Cyber Actors Exploit Programmable Logic Controllers Across U.S. Critical Infrastructure
CISA and partner agencies warn that Iran‑aligned threat actors are actively targeting internet‑exposed PLCs—primarily Rockwell Automation/Allen‑Bradley devices—across U.S. water, energy, and government sectors, causing operational disruptions and financial losses. The advisory urges organizations to remove PLCs from direct internet exposure, hunt for indicators of compromise, and apply mitigations to reduce the risk of further OT exploitation.
Malvertising & Ad‑Tech Abuse
Analyzing a Live AiTM Attack Targeting Google Accounts via Malvertising
Confiant details a malvertising campaign that delivered an adversary‑in‑the‑middle (AiTM) phishing kit through online ads, enabling attackers to intercept Google account credentials and session tokens in real time. The research shows how sophisticated ad‑based delivery and client‑side evasion techniques can be combined to bypass traditional security controls and compromise accounts without obvious indicators.
Recommended Actions
Mitigations
- Enforce strong identity protections beyond MFA, including phishing‑resistant MFA, device binding, and strict Conditional Access policies (block device‑code auth where not required).
- Patch internet‑facing systems immediately on disclosure, prioritizing identity, VPN, ADC, notebook, and CMS platforms; assume rapid exploitation.
- Reduce trust in platforms by default: restrict AI workflow tools, PaaS services, and automation platforms to approved tenants and networks only.
- Harden endpoints against EDR evasion, including blocking vulnerable drivers (BYOVD), tightening kernel protections, and monitoring for security tool tampering.
- Remove direct internet exposure from OT/ICS devices and enforce segmentation, gateways, and allow‑listing for management traffic.
Monitoring
- Continuously monitor identity sign‑ins for token‑based and non‑interactive logins, especially from cloud PaaS providers or atypical geolocations.
- Track EDR health telemetry (sensor unloads, driver terminations, ETW suppression) as high‑priority alerts.
- Monitor REST API activity on web and e‑commerce platforms for unauthenticated uploads, abnormal file creation, or executable content in media paths.
- Log and review software update and management channels for unexpected package changes or internal server abuse.
- For OT environments, monitor PLC‑related ports and protocols for unauthorized or external access attempts.
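The first bullet above (token-based and non-interactive sign-ins from PaaS providers or atypical locations) and the session-reuse and device-code correlations in the Detection Tips section can be expressed as one small baseline-and-deviation check. The following is an added example, not code from this newsletter or from Fortress SRM: the sign-in events, the field names and the hosting-provider watch-list are all constructed for illustration and do not reflect any vendor's log schema.

```python
"""Monitor cloud identity sign-ins for token-based, non-interactive logins
that break a user's interactive baseline (added example with constructed
events; the field names are this example's own, not a vendor log schema)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events, oldest first. "interactive" marks a login the
# user performed in a browser or client; "auth" is the credential presented.
SAMPLE_EVENTS = [
    {"ts": "2026-04-16T08:02:10Z", "user": "alice@example.com", "interactive": True,
     "auth": "password+mfa", "ip": "203.0.113.10", "country": "US", "asn_org": "ExampleCorp ISP"},
    {"ts": "2026-04-16T08:05:31Z", "user": "alice@example.com", "interactive": False,
     "auth": "refreshToken", "ip": "203.0.113.10", "country": "US", "asn_org": "ExampleCorp ISP"},
    {"ts": "2026-04-16T08:09:44Z", "user": "alice@example.com", "interactive": False,
     "auth": "refreshToken", "ip": "198.51.100.77", "country": "NL", "asn_org": "Example PaaS Hosting"},
    {"ts": "2026-04-16T09:15:00Z", "user": "bob@example.com", "interactive": True,
     "auth": "deviceCode", "ip": "192.0.2.55", "country": "US", "asn_org": "ExampleCorp ISP"},
    {"ts": "2026-04-16T09:16:20Z", "user": "bob@example.com", "interactive": False,
     "auth": "refreshToken", "ip": "198.51.100.78", "country": "US", "asn_org": "Example PaaS Hosting"},
]

# Constructed watch-list of ASN organisations that are hosting/PaaS providers:
# end users rarely sign in from them, replayed tokens often do.
HOSTING_ASN_ORGS = {"Example PaaS Hosting"}
TOKEN_AUTH_METHODS = {"refreshToken", "accessToken"}
REPLAY_WINDOW = timedelta(minutes=15)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def build_baseline(events):
    """Per-user set of (country, asn_org) pairs seen on interactive sign-ins."""
    baseline = defaultdict(set)
    for event in events:
        if event["interactive"]:
            baseline[event["user"]].add((event["country"], event["asn_org"]))
    return baseline


def find_suspicious_token_signins(events):
    """Return one alert per non-interactive token sign-in that (a) comes from a
    hosting/PaaS ASN, (b) comes from a country/ASN the user never used
    interactively, or (c) follows a device-code sign-in within REPLAY_WINDOW
    from a different IP. Each alert lists every reason that matched."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    baseline = build_baseline(events)
    last_device_code = {}  # user -> (timestamp, ip) of the latest device-code login
    alerts = []
    for event in events:
        user, ts = event["user"], parse_ts(event["ts"])
        if event["auth"] == "deviceCode":
            last_device_code[user] = (ts, event["ip"])
            continue
        if event["interactive"] or event["auth"] not in TOKEN_AUTH_METHODS:
            continue
        reasons = []
        if event["asn_org"] in HOSTING_ASN_ORGS:
            reasons.append("token sign-in from hosting/PaaS ASN")
        if (event["country"], event["asn_org"]) not in baseline[user]:
            reasons.append("country/ASN never seen on an interactive sign-in")
        if user in last_device_code:
            dc_ts, dc_ip = last_device_code[user]
            if ts - dc_ts <= REPLAY_WINDOW and event["ip"] != dc_ip:
                reasons.append("token used within minutes of device-code auth from a different IP")
        if reasons:
            alerts.append({"user": user, "ts": event["ts"], "ip": event["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_token_signins(SAMPLE_EVENTS):
        print(alert["ts"], alert["user"], alert["ip"], "; ".join(alert["reasons"]))
```

On the constructed data the second of Alice's token sign-ins (same ISP and country as her MFA login) is silent, while her later refresh from a hosting ASN in a new country and Bob's refresh 80 seconds after a device-code login from a different IP both alert. In a real deployment the baseline would be built from weeks of interactive sign-ins rather than the same batch, and the hosting watch-list would come from ASN enrichment.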
Detection Tips
- Alert on successful MFA logins immediately followed by session reuse, command execution, mailbox access, or token replay activity.
- Detect in‑memory execution, DLL sideloading, and kernel driver loading from non‑standard paths or unsigned sources.
- Hunt for polyglot files (e.g., images containing executable code) in upload directories and CMS media locations.
- Identify rapid attacker dwell time patterns (credential access, reconnaissance, data access within minutes of initial access).
- Correlate user behavior anomalies (new devices registered, OAuth consent grants, device‑code use) with phishing or malvertising lures.
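The polyglot-file hunt in the third tip above, together with the Monitoring bullet about executable content in media paths, comes down to three checks per file: does the extension belong in a media directory at all, do the leading bytes match what the extension claims, and does the body carry a server-side script opener anywhere. The following is an added example, not code from this newsletter, from Fortress SRM, or from Sansec's research; the sample upload directory it builds is constructed in a temporary folder, and the magic-byte and extension lists are this example's own.

```python
"""Hunt for polyglot or executable content in web-upload / CMS media
directories (added example; the sample directory is constructed below)."""
import os
import re
import tempfile

# Leading bytes that a file with the given extension must start with.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions that should never sit in a media path served by a web server.
EXEC_EXTENSIONS = {".php", ".phtml", ".phar", ".jsp", ".asp", ".aspx", ".cgi", ".sh"}
# Server-side script openers and a leading shebang; their presence anywhere
# in a file that claims to be an image is the polyglot signal.
SCRIPT_MARKER = re.compile(rb"<\?php|<\?=|<%[@=!]?|<script\b|\A#!/", re.IGNORECASE)
MAX_SCAN_BYTES = 4 * 1024 * 1024


def inspect_file(path):
    """Return a list of findings for one file; an empty list means clean."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read(MAX_SCAN_BYTES)
    if ext in EXEC_EXTENSIONS:
        findings.append(f"executable extension {ext} in media path")
    elif ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        findings.append(f"content does not match {ext} magic bytes")
    match = SCRIPT_MARKER.search(data)
    if match:
        findings.append(f"script marker {match.group(0)!r} at offset {match.start()}")
    return findings


def scan_directory(root):
    """Walk root and map each suspicious file's relative path to its findings."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            findings = inspect_file(full)
            if findings:
                results[os.path.relpath(full, root).replace(os.sep, "/")] = findings
    return results


def build_sample_upload_dir():
    """Create a constructed media directory: one clean PNG, one JPEG with a
    script opener appended after the image header, one PNG-named file that is
    not a PNG at all, and a stray .php file. The markers carry no payload."""
    root = tempfile.mkdtemp(prefix="media-scan-")
    samples = {
        "clean.png": IMAGE_MAGIC[".png"][0] + b"\x00" * 64,
        "logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"<?php /* constructed marker */ ?>",
        "photo.png": b"<?php /* constructed marker */ ?>" + b"\x00" * 16,
        "upload.php": b"<?php /* constructed marker */ ?>",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, findings in sorted(scan_directory(build_sample_upload_dir()).items()):
        print(rel, "->", "; ".join(findings))
```

The magic-byte check catches a script renamed to an image extension; the marker scan catches the harder case of a genuine image with script text appended, which passes the magic check and many upload filters. Run it against the web root's media and upload paths on a schedule, and treat any hit in a directory the web server executes as a compromise-scan trigger rather than a cleanup task.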
About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering
Why Patching Matters
Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities.
Vigilant Managed Cyber Hygiene
Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management.
- Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications
- Critical patches, OS upgrades, and configuration updates for all devices, on/off network
- 24/7/365 U.S.-based monitoring and real-time reporting for full visibility
Stay Protected. Stay Proactive.
Learn how Fortress SRM can enhance your cybersecurity strategy