Critical Vulnerability in Nginx UI WebServer Allow Attackers to Takeover
vulnerability was discovered in Nginx UI, a web-based management interface for the Nginx web server in march.
Continue ReadingAttackers
Microsoft April 2026 Patch Tuesday- Fixes 165 Flaws including 2 Zero-Days
Summary: Microsoft released its April 2026 Patch Tuesday addressing 165 security vulnerabilities across Windows, Office, SharePoint, Microsoft Defender, .NET Framework, Azure, SQL Server and other components.
The April release brings in relevant update and significant accessibility improvements, display and hardware enhancements, and several quality-of-life additions across Settings and File Explorer.
The first of the two zero-days is CVE-2026-32201, a spoofing vulnerability leading to cross-site scripting (XSS) in Microsoft SharePoint Server.The issue stems from an input validation failure that lets an attacker inject malicious scripts through improperly sanisised input fields.
Elevation of privilege (EoP) vulnerabilities accounted for 57.1% of the vulnerabilities patched this month, followed by information disclosure vulnerabilities and remote code execution (RCE) vulnerabilities at 12.3% each.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2026-04-14 |
| No. of Vulnerability | 165 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
This is the second-largest Patch Tuesday release in Microsoft’s history. The update includes two zero-day vulnerabilities one actively exploited in the wild (SharePoint spoofing) and one publicly disclosed (Microsoft Defender privilege escalation linked to the BlueHammer exploit).
Here are the CVE addresses for Microsoft April 2026:
- 165 Microsoft CVEs
- 82 Non Microsoft CVEs
Breakdown of April 2026 Vulnerabilities
- 93 Elevation of Privilege (EoP)
- 20 Remote Code Execution
- 21 Information Disclosure
- 10 Denial of Service (DoS)
- 9 Spoofing
- 13 Security Feature Bypass
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows Internet Key Exchange (IKE) Service Extensions RCE | CVE-2026-33824 | Windows IKE Service | Critical | 9.8 |
| Windows TCP/IP Remote Code Execution (Wormable via IPv6) | CVE-2026-33827 | Windows TCP/IP Stack | Critical | 9.8 |
| Windows Active DirectoryRemote Code Execution | CVE-2026-33826 | Windows Active Directory | Critical | 9.1 |
| Remote Desktop Client Remote Code Execution | CVE-2026-32157 | Remote Desktop Client | High | 8.8 |
| Microsoft Office Remote Code Execution (Preview Pane) | CVE-2026-32190 | Microsoft Office | High | 8.4 |
| Microsoft Word Remote Code Execution (Preview Pane) | CVE-2026-33114 | Microsoft Word | High | 8.4 |
| Microsoft Word Remote Code Execution (Preview Pane) | CVE-2026-33115 | Microsoft Word | High | 8.4 |
Technical Summary
This month’s Patch Tuesday is largely driven by Elevation of Privilege vulnerabilities, which make up a significant portion of the fixes and can be leveraged by attackers after initial access to escalate privileges and move laterally.
The release also includes several critical remote code execution issues in core Windows components. Notably, vulnerabilities such as those affecting the Windows IKE service and TCP/IP stack demonstrate the risk of unauthenticated or low-interaction exploitation, particularly in network-exposed scenarios. Other issues in Office, Word, and Remote Desktop highlight continued risk from user-driven attack vectors such as malicious documents and crafted connection files.
The update also addresses zero-day vulnerabilities, including one actively exploited and another publicly disclosed prior to patching, increasing the urgency for remediation.
Key vulnerabilities in this cycle show a mix of attack paths from preview pane-based document exploitation to wormable network flaws and Active Directory-based code execution through authenticated access.
This combination of network-level and user-interaction-based risks, along with the volume of privilege escalation issues, makes this a high-priority update cycle. Organizations should prioritize testing and deployment to reduce exposure across both endpoint and infrastructure layers.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2026-33824 | Windows IKE Service Extensions | Unauthenticated attacker can send crafted UDP packets to IKEv2-enabled systems (UDP 500/4500), achieving full remote code execution with no prior access required | Remote Code Execution |
| CVE-2026-32190 | Microsoft Office | Exploitation via preview pane allows execution of malicious payload without explicit user interaction beyond viewing file | Remote Code Execution |
| CVE-2026-33114 / 33115 | Microsoft Word | Malicious document processed via preview triggers RCE; commonly used in phishing delivery chains | Remote Code Execution |
| CVE-2026-32157 | Remote Desktop Client | RCE triggered when user connects using a crafted RDP file; attack surface includes lateral movement scenarios | Remote Code Execution |
| CVE-2026-33827 | Windows TCP/IP Stack | Race condition in IPv6/IPsec stack enables unauthenticated wormable RCE across enterprise networks | Remote Code Execution |
| CVE-2026-33826 | Windows Active Directory | Authenticated attacker executes code via crafted RPC calls within domain; high likelihood of privilege chaining | Remote Code Execution |
Key Affected Products and Services
April 2026 updates address vulnerabilities across:
- Windows Core Components
Kernel, TCP/IP stack, Active Directory, IKE Service, BitLocker, NTFS, SMB, and Remote Desktop components are impacted, including critical RCE and privilege escalation vulnerabilities.
- Microsoft Office Suite
Word, Excel, and PowerPoint are affected by multiple remote code execution vulnerabilities, including cases exploitable through the preview pane.
- SharePoint & Collaboration
SharePoint Server (2016, 2019, Subscription Edition) is impacted, including an actively exploited zero-day vulnerability requiring immediate attention.
- Microsoft Defender
A publicly disclosed elevation of privilege vulnerability is addressed through updates to the Antimalware Platform.
- .NET Framework & Developer Tools
.NET and related developer components, including Visual Studio, are affected by denial of service and privilege escalation vulnerabilities.
- Azure & Cloud Services
Azure components such as Logic Apps and monitoring agents include vulnerabilities related to information disclosure and privilege escalation.
- SQL Server
Multiple vulnerabilities affecting SQL Server components, including privilege escalation and remote code execution risks, are addressed.
Remediation:
- Apply April 2026 security updates on all Windows systems as a priority
Here are some recommendations
- Prioritize patching internet-facing and critical services, particularly SharePoint and core Windows components.
- Ensure Microsoft Defender and other security components are updated to the latest platform versions.
- Review network exposure and apply temporary mitigations where patching may be delayed.
- Monitor for suspicious activity, especially related to privilege escalation, remote code execution, and authentication anomalies.
- Validate that systems are aligned with ongoing platform security updates, including Secure Boot-related changes.
Conclusion:
April 2026 Patch Tuesday addresses a significant number of vulnerabilities across Windows and related Microsoft products, including an actively exploited issue, multiple critical remote code execution flaws, and a high volume of privilege escalation vulnerabilities. Given the breadth of affected components and the potential for attack chaining, organizations should prioritize timely testing and deployment of updates, especially for critical and externally exposed systems.
References:
- https://msrc.microsoft.com/update-guide/en-us/releaseNote/2026-Apr
- https://www.tenable.com/blog/microsofts-april-2026-patch-tuesday-addresses-163-cves-cve-2026-32201
- https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/
New Rowhammer Attack Enabled GPUBreach via GDDR6 Bit-Flips to Escalate Privileges
Rowhammer attacks can be exploited to enable privilege escalation
Continue Reading
Emergency Patch Issued by Fortinet in Latest FortiClient Vulnerabilities
Emergency Patch Issued by Fortinet for FortiClient for Vulnerability
Continue Reading
CISCO Vulnerability Allows RCE in its Smart Software Manager on-Premise
CVE-2026-20160, Vulnerability in CISCO’s smart software manager may allows attackers to gain complete control over the affected system without needing authentication which is gaining prior access to exploit the system. The CVSS severity score of 9.8 out of 10, indicating its high risk level.
Authentication and access controls play a crucial role in web application and system security. What can happen?
- Data theft
- System compromise
- Privilege escalation
CISCO’s Smart Software Manager Flaw
In this case the vulnerability exposure allowed unauthorized access, as attackers do not need login credentials when a hacker can execute arbitrary commands on the operating system. Further escalating by creating crafted request to the service’s API. The vulnerability impacted certain versions of the Cisco SSM On-Prem environments, particularly software releases from 9-202502 to 9-202510.
Remediation for organizations
Organizations can prevent authentication bypass through regular patching, multi-factor authentication, encryption, and strong password policies.
The vulnerability did not impact CISCO’s smart software newly released version 9-202601 includes a patch that fixes the flaw.
Cisco advises to upgrade to version 9-202601 immediately, as there are no current workarounds or temporary mitigations to block potential attacks.
For IT teams notes include devices meet the necessary memory and hardware specifications before proceeding with the update.
Key findings from CVE-2026-20160 Vulnerability
The vulnerability was discovered internally by Cisco’s Technical Assistance Center (TAC) team and they found no immediate exploitations in the wild
With the disclosure can motivate hackers to reverse-engineer the patch and search for vulnerable systems. Following Cisco’s guidelines and maintaining up-to-date security measures will be essential in mitigating risks associated and stop any kind of data breaches.
Conclusion:
Research shows that, making timely patching critical for authentication security is essential and failing to do that can lead to data breaches.
The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory. Cisco strongly recommends that customers upgrade to the fixed software indicated in this advisory.
Sources: Cisco Smart Software Manager On-Prem Arbitrary Command Execution Vulnerability
Enterprise Security at Risk as Critical Flaw Found in OpenAI’s Codex
Codex Enabled GitHub Token Theft
Continue Reading
Scanners Turn Attack Vector as TrivyScanner Hijacked via GitHub Actions Tags
Attackers Targeted SSH keys, Cloud Tokens & API secrets in CI/CD Pipelines; Highlights Securing CI/CD Pipelines
In latest vulnerability discovery Aqua Security revealed HackerBot-claw bot hijacked 75 of 76 GitHub Actions tags for its Trivy vulnerability scanner. The HackerBot-claw first distributed credential-stealing malware through the widely used security tool for the second time in a one month.
Malicious code rode alongside legitimate scans, targeting SSH keys, cloud tokens and API secrets in CI/CD pipelines. Security researcher Paul McCarty was the first to warn publicly that Trivy version 0.69.4 had been backdoored, with malicious container images and GitHub releases published to users.
Attack module on Trivy
When it comes to workflow it has been observed that more then 10,000 GitHub workflow files rely on trivy-action. Attackers can leverage this pipeline and pull versions during the attack window which are affected and carry sensitive credentials exfiltrated.
Attackers compromised the GitHub Action by modifying its code and retroactively updating version tags to reference a malicious commit. This permitted data used in CI/CD workflows to be printed in GitHub Actions build logs and finally leaking credentials.
A self-propagating npm worm compromised 47 packages, extending the blast radius into the broader JavaScript ecosystem.
Aqua Security disclosed in a GitHub Discussion that the incident stemmed from incomplete containment of an earlier March 1 breach involving a hackerbot-claw bot.
- Attackers swapped the entrypoint.sh in Trivy’s GitHub Actions with a 204-line script that prepended credential-stealing code before the legitimate scanner.
- Lines 4 through 105 contained the infostealer payload, while lines 106 through 204 ran Trivy as normal.
- This made difficult to detect during routine scans.
TeamPCP preserved normal scan functionality to avoid triggering CI/CD failures as detection now will require cryptographic verification of commit signatures .
For defenders, traditional CI/CD monitoring, which watches for build failures or unexpected output, can no longer catch supply-chain compromises that deliberately maintain normal behavior.
Organizations relying on Trivy or similar open-source security tools are facing attacks from the very scanners meant to protect their pipelines can become the attack vector. Only cryptographic provenance checks can distinguish legitimate releases from poisoned ones.
As per security researchers once inside a pipeline, the malicious script scanned memory regions of the GitHub Actions Runner.
Github Compromise
The attack appears to have been accomplished via the compromise of the cx-plugins-releases (GitHub ID 225848595) service account, as that is the identity involved in publishing the malicious tags.
Credentials exfiltrated during the initial incident were used last week in a new supply chain attack that targeted not only the Trivy package but also trivy-action and setup-trivy, Trivy’s maintainers have confirmed in a March 21 advisory.
Key Findings b Wiz Research
- According to Wiz, the attack appears to have been carried out via the compromise of the “cx-plugins-releases” service account, with the attackers with malicious container images and GitHub releases published to users.
- The second stage extension is activated and the malicious payload checks whether the victim has credentials from cloud service providers such as GitHub, AWS, Google Cloud, and Microsoft Azure.
- When credentials if they are detected, it proceeds to fetch a next-stage payload from the same domain (“checkmarx[.]zone”).
“The payload attempts execution via npx, bunx, pnpx, or yarn dlx. This covers major JavaScript package managers,” Wiz researchers Rami McCarthy, James Haughom, and Benjamin Read said. “The retrieved package contains a comprehensive credential stealer.
Harvested credentials are then encrypted, using the keys as elsewhere in this campaign, and exfiltrated to ‘checkmarx[.]zone/vsx’ as tpcp.tar.gz.”
Conclusion: Aqua Security urged affected users to “treat all pipeline secrets as compromised and rotate immediately.”
Organizations that ran any version of trivy-action, setup-trivy, or Trivy v0.69.4 during the attack window should audit their CI/CD logs for unexpected network connections to scan.aquasecurtiy[.]org and check whether any tpcp-docs repositories were created under their GitHub accounts.
With three major tag-hijacking incidents in 12 months, Wiz security researcher Rami McCarthy recommended that organizations “pin GitHub Actions to full SHA hashes, not version tags.”
CVE-2026-33409-Parse Server Authentication Bypass via partial authData; Successful exploitation Lead to Creating Valid User Session
Parse Server Authentication Bypass via partial authData; Successful exploitation Lead to Creating Valid User Session
Continue Reading
CISA added FileZen CVE-2026-25108 to its KEV Catalog; Patch Now
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-25108 to its Known Exploited Vulnerabilities (KEV) catalog, that is being exploited in the wild.
Findings from CISA also confirmed about the flaw, that it affects Soliton Systems K.K. FileZen, a file transfer product. It has been included in KEV, sensing urgency for organizations still running vulnerable versions of the product.
“Soliton Systems K.K FileZen contains an OS command injection vulnerability when a user logs-in to the affected product and sends a specially crafted HTTP request,” CISA said.
Key Findings from FileZen CVE-2026-25108 vulnerability added in CISA’s KEV list
The primary reason after evaluation by threat researcher’s were –
FileZen CVE-2026-25108 is an OS command injection vulnerability. According to NVD, when the FileZen Antivirus Check Option is enabled, a logged-in user can send a specially crafted HTTP request and execute arbitrary operating system commands. In such scenario an attacker with valid access could potentially run commands on the underlying server, creating serious risk to confidentiality, integrity, and availability.
- The vulnerability carries a CVSS v4 score of 8.7 (High) from JPCERT/CC, and NVD also lists a CVSS v3.1 score of 8.8 (High).
- Being a high-severity, actively exploited flaw tied to direct command execution and class of bug occurs when an application improperly handles input that ends up being interpreted by the operating system as a command.
- For attackers it becomes easy to manipulate server behavior and potentially execute arbitrary commands
Why CISA added FileZen CVE-2026-25108 to its KEV
- The vulnerability is not unauthenticated and any exploitation by attackers will requires a user to be logged in and it’s still not safe.
- What we witnessed in case of many real-world attacks always begins with stolen credentials or weak passwords or previously compromised accounts of less privileged.
- Any availability of any valid account could escalate the flaw like FileZen CVE-2026-25108 can pave way for an deeper compromise in future.
- This is exactly why CISA’s KEV addition matters so much. A KEV listing means the issue has moved beyond theoretical risk and into confirmed real-world exploitation.
Impact of the Vulnerability as assessed by vendor JVN (Japan Vulnerability Notes)
JVN states that if a user logs in to the affected product and sends a specially crafted HTTP request, an arbitrary OS command may be executed.
Soliton similarly says there is a possibility that a remote third party could execute arbitrary OS commands within FileZen.
The practical impact of that can be severe. Depending on server configuration and user privileges, successful exploitation could allow an attacker to:
- Run unauthorized commands on the server
- Manipulate files or processes
- Establish persistence
- Access sensitive transferred data
- Use the compromised FileZen environment as a pivot point into internal systems
Technical Analysis of CVE-2026-25108
OS command injection occurs when an application transmits unsafe data-such as cookies, form fields, or HTTP headers-to an operating system shell. In the case of FileZen, the vulnerability manifests during the file processing phase when the Antivirus Check Option is active. The system’s internal logic processes HTTP requests in a manner that allows an attacker to append shell commands to legitimate parameters.
Remediation & understanding why it is essential to integrate with threat intelligence monitoring platform
Organizations utilizing these versions must prioritize the transition to version 5.0.11 or later. When vendor platform Soliton indicated that simply disabling the Antivirus Check Option may reduce the immediate attack surface but does not replace the requirement for a full firmware update.
As per vendor’s suggestion a resetting of password for all users if an organization suspects a compromise. Integration with cyber threat intelligence platform will provide early warning indicators of exploitation as cyber threat intelligence platforms collect data from various sources to provide early warning indicators of exploitation.
CISA has set a deadline of March 17, 2026, for Federal Civilian Executive Branch (FCEB) agencies to remediate CVE-2026-25108. This mandate specifically applies to federal agencies, it serves as a stark reminder for private sector organizations. The inclusion in the KEV catalog implies that the vulnerability is being used in the wild, likely by state-sponsored actors or organized cybercriminal groups.
Sources; CVE-2026-25108 CISA Confirms Active Exploitation of FileZen
Chrome Security Updates by Google Released For Actively Exploited Zero-Day 2026
Chrome update released to patch a zero-day vulnerability that has been exploited in the wild.
Continue Reading