CISA added CVE-2026-33825 to its Known Exploited Vulnerabilities catalog on April 23 with a May 7 federal patch deadline. The flaw, nicknamed BlueHammer, is a race condition in Windows Defender's file-remediation logic that lets an unprivileged local attacker overwrite arbitrary files on disk and escalate to SYSTEM on fully-patched Windows 10 and Windows 11 hosts. It was patched in Microsoft's April 8 Patch Tuesday but a working proof-of-concept had already been published to GitHub by a researcher called 'Chaotic Eclipse' on April 7, before the fix shipped. Huntress Labs saw in-the-wild exploitation from April 10, with attackers also picking up two sibling Defender zero-days the same researcher leaked: RedSun (another local privilege escalation) and UnDefend (a denial-of-service that blocks Defender from pulling security definition updates, effectively disarming the EDR). Those two still have no Microsoft patch. The combination - a working privilege-escalation path plus an unpatched technique to silently cripple Defender itself - makes this a priority hunt, not just a priority patch.
Wordfence has seen more than 170 live exploit attempts against CVE-2026-3844, a critical unauthenticated arbitrary file upload in the Breeze Cache WordPress plugin from Cloudways. Breeze has roughly 400,000 active installations, making this one of the larger exposure events of the month. The flaw lives in the fetch_gravatar_from_remote function, which fetches avatar images from an arbitrary remote URL and saves them locally without validating the downloaded file's MIME type - so an attacker can point it at a .php payload and drop a webshell directly into a web-accessible directory. The attack is only possible when the 'Host Files Locally - Gravatars' add-on is enabled, which is not the default, but any site that turned it on for performance reasons is wide open. Cloudways shipped the fix as Breeze 2.4.5 earlier this week; as of publication only about 138,000 of the 400,000 installations had downloaded the patched version, leaving hundreds of thousands of sites exposed to a pre-auth RCE with 9.8 CVSS.
Shadowserver data shows 1,300+ internet-exposed Microsoft SharePoint servers remain unpatched against CVE-2026-32201, a spoofing flaw Microsoft confirmed as a zero-day and CISA added to its Known Exploited Vulnerabilities catalog the same day the fix dropped in April Patch Tuesday. Fewer than 200 systems have been patched since the update shipped last week. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. An unauthenticated attacker can perform network spoofing through improper input validation in a low-complexity attack that needs no user interaction, letting them view sensitive information and modify data, though not affect availability. Microsoft has not described the exploitation technique or attributed the attacks to a specific group, which is unusual for a zero-day and hints at an ongoing investigation. CISA ordered federal agencies to patch by April 28 under Binding Operational Directive 22-01, and given ongoing in-the-wild abuse, private-sector operators should treat that as their own deadline. SharePoint's habit of holding cached Office 365 tokens, SharePoint-signed refresh tokens, and IP on sensitive business processes makes any compromise a serious lateral-movement foothold, not a minor information disclosure.
CISA added a Cisco Catalyst SD-WAN Manager information disclosure flaw to its Known Exploited Vulnerabilities catalog on Monday, ordering federal agencies to patch by Friday, April 24 - an unusually aggressive 4-day deadline that reflects confirmed active exploitation. CVE-2026-20133 is an unauthenticated remote flaw in the SD-WAN Manager (formerly vManage) API, caused by insufficient file system access restrictions. An attacker can access the API and read sensitive information from the underlying operating system - including credentials that enable follow-on attacks. Cisco patched it in late February alongside two other SD-WAN Manager flaws (CVE-2026-20128 and CVE-2026-20122, both also added to KEV this week and confirmed exploited in the wild). Catalyst SD-WAN Manager is used to centrally manage up to 6,000 SD-WAN devices from one dashboard, making it a high-value target. Oddly, Cisco's PSIRT still says they have no evidence of public exploitation - contradicting CISA. CISA is treating its own intelligence as authoritative and has issued Emergency Directive 26-03 plus a Hunt & Hardening Guide for Cisco SD-WAN. Over the past several years CISA has tagged 91 Cisco vulnerabilities as exploited in the wild, six used by ransomware operations.
Day-after follow-up to our April 18 coverage: Shadowserver has published telemetry showing 6,400+ Apache ActiveMQ servers exposed online are still vulnerable to CVE-2026-34197, the 13-year-old code injection flaw CISA added to KEV last week with an April 30 federal patch deadline. Geographic breakdown: Asia leads with 2,925 vulnerable servers, North America follows at 1,409, Europe at 1,334. Horizon3's Naveen Sunkavally (who discovered the flaw using the Claude AI assistant as his research tool) is urging admins to treat this as high priority, noting ActiveMQ has been a repeated target for real-world attackers - CVE-2016-3088 and CVE-2023-46604 are both on KEV, with the latter used as a zero-day by the TellYouThePass ransomware gang. The Apache maintainers patched the flaw on March 30 in ActiveMQ Classic 6.2.3 and 5.19.4. Horizon3 recommends searching broker logs for suspicious connections using the internal VM transport protocol with the brokerConfig=xbean:http:// query parameter as an indicator of exploitation.
CISA added eight actively-exploited vulnerabilities to its Known Exploited Vulnerabilities catalog on April 20, with federal agencies required to patch three Cisco Catalyst SD-WAN Manager flaws by today, April 23, and the remaining five by May 4. The Cisco trio (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) enable arbitrary file upload with vmanage user privileges, recovery of stored credentials for the DCA user, and unauthenticated disclosure of sensitive configuration data. Cisco confirmed exploitation of the first two in March 2026. The other five cover a wide blast radius: CVE-2025-32975 is a CVSS 10.0 authentication bypass in Quest KACE Systems Management Appliance letting attackers impersonate any user without credentials, exploited in the wild by unknown actors last month per Arctic Wolf. CVE-2023-27351 is the PaperCut NG/MF bypass that Microsoft's Lace Tempest chained into Cl0p and LockBit deployments back in 2023. CVE-2024-27199 is a path traversal in JetBrains TeamCity giving limited admin actions - its sibling CVE-2024-27198 is already on the KEV list. CVE-2025-48700 is a Zimbra XSS that the Ukrainian CERT attributes to UAC-0233/UAC-0250 for stealing mailbox contents, MFA backup codes, and application passwords. CVE-2025-2749 is a Kentico Xperience Staging Sync Server path traversal.
A critical code injection flaw in Apache ActiveMQ Classic has been under active exploitation in the wild, and CISA added it to the Known Exploited Vulnerabilities catalog on April 16 with a federal patch deadline of April 30. The flaw, tracked as CVE-2026-34197 (CVSS 8.8), has been 'hiding in plain sight' for 13 years according to Horizon3.ai researcher Naveen Sunkavally. The vulnerability is in the Jolokia JMX-HTTP bridge exposed at /api/jolokia/. An attacker can send crafted HTTP requests with a malicious discovery URI that forces the broker to load a remote Spring XML configuration. Because Spring initializes beans before validation, attackers execute arbitrary OS commands via Runtime.exec() - effectively turning a messaging broker into a remote command runner. Fortinet FortiGuard Labs telemetry shows exploitation attempts peaking on April 14, 2026. SAFE Security reports threat actors actively scanning for exposed Jolokia management endpoints.
A CVSS 9.8 authentication bypass in nginx-ui, the popular open-source web management interface for Nginx servers, is being actively exploited in the wild. The flaw, codenamed MCPwn by Pluto Security, exists because the /mcp_message endpoint added for Model Context Protocol (AI integration) support only checks IP whitelisting - and the default whitelist is empty, meaning it allows all connections. One unauthenticated HTTP POST request lets an attacker invoke all MCP tools: rewrite Nginx config files, reload the server, intercept all traffic, and harvest admin credentials. Attackers chain it with CVE-2026-27944 (exposed encryption keys via the backup API) to extract the node_secret needed for full MCP access. Recorded Future flagged active exploitation and assigned a risk score of 94/100. Shodan shows 2,600 publicly exposed instances, mostly in China, the US, Indonesia, and Germany. Pluto Security's key lesson: AI integration endpoints expose the same capabilities as the core application but often skip its security controls.
Just days after Microsoft patched BlueHammer (CVE-2026-33825) in Tuesday's Patch Tuesday, the same researcher 'Chaotic Eclipse' (aka Nightmare-Eclipse) has released a second Microsoft Defender local privilege escalation zero-day called RedSun. The exploit works on fully-patched Windows 10, Windows 11, and Windows Server systems with Windows Defender enabled, even after installing this week's April updates. The flaw abuses Defender's cloud file rollback behavior: when Defender detects a file with a 'cloud tag' it tries to restore it to its original location without validating the target path. The exploit uses NTFS junctions and opportunistic locks to redirect the write to C:\Windows\System32, overwriting system files like TieringEngineService.exe to gain SYSTEM privileges. Huntress Labs is reporting all three recently-leaked Windows Defender zero-days (BlueHammer, RedSun, and UnDefend) are now being exploited in the wild. The researcher has threatened to drop more severe RCE exploits in protest of how Microsoft handled their disclosure process. No patch available for RedSun yet. Working PoC code is public on GitHub.
Adobe has released an emergency security update (APSB26-43, priority-1) to patch CVE-2026-34621, the Adobe Reader zero-day we reported on April 10 that had been exploited since December 2025 via malicious PDF documents. The flaw has now been classified as a prototype pollution vulnerability leading to arbitrary code execution - more severe than the initial fingerprinting and data theft we described. Adobe confirmed it's worse than just information leakage: the underlying bug can achieve full RCE, not just the reconnaissance stage observed in early exploitation. CVSS was initially scored 9.6 but Adobe revised it down to 8.6 after changing the attack vector from Network to Local. EXPMON researcher Haifei Li, who first disclosed the flaw, was credited by Adobe. All users on Windows and macOS should update immediately - Adobe assigned this patch its highest priority rating.
TrustStrike Labs