Progress Software released emergency patches Sunday for two MOVEit Automation flaws. The worst, CVE-2026-4670 (CVSS 9.8), lets remote attackers reach the management interface without logging in - and from there take administrative control. Airbus researchers disclosed both flaws privately and Progress hasn't seen exploitation in the wild, but the comparison with MOVEit's history is uncomfortable: the Cl0p ransomware gang exploited MOVEit Transfer in 2023 to steal data from 2,100 organizations and 62 million individuals. Shodan shows 1,400+ MOVEit Automation instances exposed online, including a dozen linked to US local and state government agencies.
cPanel disclosed a critical authentication bypass on Monday affecting every cPanel and WHM version - including end-of-life builds. CVSS 9.8. The bug let unauthenticated attackers log in as administrators by abusing how the cPanel session daemon writes session files during login. Hosting providers including Namecheap, KnownHost, hosting.com, HostPapa, and InMotion took cPanel and WHM offline globally for hours while patches deployed. Researchers at watchTowr published a working proof-of-concept on April 29. KnownHost reports possible targeted exploitation as early as February 23, 2026 - more than two months before disclosure.
Microsoft released out-of-band security updates for a critical ASP.NET Core Data Protection flaw that lets unauthenticated attackers forge authentication cookies and escalate to SYSTEM privileges. The bug (CVE-2026-40372) is a regression introduced in the April 2026 Patch Tuesday: the Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6 NuGet packages compute the HMAC validation tag (the cryptographic signature that proves a cookie has not been tampered with) over the wrong bytes of the payload and then discard the hash in some cases. The broken check means attackers can forge payloads that pass DataProtection's authenticity checks and decrypt previously-protected data in auth cookies, antiforgery tokens, TempData, and OIDC state. Microsoft noticed the flaw only after users reported decryption failures in their apps after installing the .NET 10.0.6 update. Critical operational detail: updating to 10.0.7 stops future forgeries, but any tokens an attacker already got the app to legitimately sign during the vulnerable window (session refresh tokens, API keys, password reset links) remain valid forever unless you rotate the DataProtection key ring. Patching alone is not enough.
Apple released out-of-band iOS and iPadOS updates to fix a Notification Services flaw that kept notifications marked for deletion sitting in internal storage, where they could be pulled off the device later. The bug (CVE-2026-28950) landed after 404 Media reported that the FBI recovered Signal messages from a suspect's iPhone even after the user deleted them and even after Signal itself was uninstalled. The recovered text did not come from Signal's encrypted message store - it came from iPhone's internal notification buffer, which silently preserved incoming notification contents that the app and the OS both thought had been erased. Apple's advisory does not name the FBI case but describes exactly the data-persistence behavior 404 Media documented. Signal's team publicly thanked Apple for the fix. Beyond Signal users, this flaw matters for anyone who assumed that deleting a message or uninstalling an app wiped the underlying notification data from the phone - it did not. Forensic extraction of an unlocked iPhone could have surfaced any sensitive content ever pushed as a notification.
CISA added eight actively-exploited vulnerabilities to its Known Exploited Vulnerabilities catalog on April 20, with federal agencies required to patch three Cisco Catalyst SD-WAN Manager flaws by today, April 23, and the remaining five by May 4. The Cisco trio (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) enable arbitrary file upload with vmanage user privileges, recovery of stored credentials for the DCA user, and unauthenticated disclosure of sensitive configuration data. Cisco confirmed exploitation of the first two in March 2026. The other five cover a wide blast radius: CVE-2025-32975 is a CVSS 10.0 authentication bypass in Quest KACE Systems Management Appliance letting attackers impersonate any user without credentials, exploited in the wild by unknown actors last month per Arctic Wolf. CVE-2023-27351 is the PaperCut NG/MF bypass that Microsoft's Lace Tempest chained into Cl0p and LockBit deployments back in 2023. CVE-2024-27199 is a path traversal in JetBrains TeamCity giving limited admin actions - its sibling CVE-2024-27198 is already on the KEV list. CVE-2025-48700 is a Zimbra XSS that the Ukrainian CERT attributes to UAC-0233/UAC-0250 for stealing mailbox contents, MFA backup codes, and application passwords. CVE-2025-2749 is a Kentico Xperience Staging Sync Server path traversal.
Microsoft has released out-of-band emergency updates to fix two Windows Server issues introduced by the April 2026 Patch Tuesday updates. First issue: some admins experienced failures installing the KB5082063 security update on Windows Server 2025. Second issue: Patch Tuesday cumulative updates caused Windows servers running domain controller roles to enter restart loops due to crashes of the Local Security Authority Subsystem Service (LSASS). The restart loop can also hit newly-set-up domain controllers or existing ones if the server processes authentication requests very early during startup. The Windows Server 2025 OOB update (KB5091157) addresses both issues. OOB updates for other supported Windows Server versions address only the domain controller restart issue. This is the third consecutive year where April Windows Server patches have caused authentication-related breakage, following similar incidents in 2024 and 2025.
Adobe has released an emergency security update (APSB26-43, priority-1) to patch CVE-2026-34621, the Adobe Reader zero-day we reported on April 10 that had been exploited since December 2025 via malicious PDF documents. The flaw has now been classified as a prototype pollution vulnerability leading to arbitrary code execution - more severe than the initial fingerprinting and data theft we described. Adobe confirmed it's worse than just information leakage: the underlying bug can achieve full RCE, not just the reconnaissance stage observed in early exploitation. CVSS was initially scored 9.6 but Adobe revised it down to 8.6 after changing the attack vector from Network to Local. EXPMON researcher Haifei Li, who first disclosed the flaw, was credited by Adobe. All users on Windows and macOS should update immediately - Adobe assigned this patch its highest priority rating.
If you patched FortiClient EMS for CVE-2026-21643 two weeks ago by upgrading to 7.4.5, you're now vulnerable to a new zero-day. CVE-2026-35616 is a CVSS 9.1 pre-authentication API access bypass affecting versions 7.4.5 and 7.4.6 - the exact versions customers upgraded to. Defused Cyber spotted exploitation in the wild starting March 31. Fortinet released an emergency weekend hotfix on Saturday, with watchTowr noting attackers deliberately timed this for the Easter holiday when security teams are at half strength.
Oracle broke its quarterly patch cycle to push an emergency fix for CVE-2026-21992 - a CVSS 9.8 pre-auth RCE in Oracle Identity Manager and Web Services Manager. An unauthenticated attacker with network access over HTTP can take over the entire identity management system. Oracle won't say if it's been exploited, but a nearly identical flaw in the same product (CVE-2025-61757) was added to CISA's KEV catalog just four months ago.
TrustStrike Labs