NIST’s NVD program aimed to analyze all CVEs to add details — such as severity scores and product lists that mostly assisted cybersecurity professionals prioritize and mitigate vulnerabilities.
Continue Reading
vulnerability was discovered in Nginx UI, a web-based management interface for the Nginx web server in march.
Continue Reading
Summary: Microsoft released its April 2026 Patch Tuesday addressing 165 security vulnerabilities across Windows, Office, SharePoint, Microsoft Defender, .NET Framework, Azure, SQL Server and other components.
The April release brings in relevant update and significant accessibility improvements, display and hardware enhancements, and several quality-of-life additions across Settings and File Explorer.
The first of the two zero-days is CVE-2026-32201, a spoofing vulnerability leading to cross-site scripting (XSS) in Microsoft SharePoint Server.The issue stems from an input validation failure that lets an attacker inject malicious scripts through improperly sanisised input fields.
Elevation of privilege (EoP) vulnerabilities accounted for 57.1% of the vulnerabilities patched this month, followed by information disclosure vulnerabilities and remote code execution (RCE) vulnerabilities at 12.3% each.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2026-04-14 |
| No. of Vulnerability | 165 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
This is the second-largest Patch Tuesday release in Microsoft’s history. The update includes two zero-day vulnerabilities one actively exploited in the wild (SharePoint spoofing) and one publicly disclosed (Microsoft Defender privilege escalation linked to the BlueHammer exploit).
Here are the CVE addresses for Microsoft April 2026:
Breakdown of April 2026 Vulnerabilities
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows Internet Key Exchange (IKE) Service Extensions RCE | CVE-2026-33824 | Windows IKE Service | Critical | 9.8 |
| Windows TCP/IP Remote Code Execution (Wormable via IPv6) | CVE-2026-33827 | Windows TCP/IP Stack | Critical | 9.8 |
| Windows Active DirectoryRemote Code Execution | CVE-2026-33826 | Windows Active Directory | Critical | 9.1 |
| Remote Desktop Client Remote Code Execution | CVE-2026-32157 | Remote Desktop Client | High | 8.8 |
| Microsoft Office Remote Code Execution (Preview Pane) | CVE-2026-32190 | Microsoft Office | High | 8.4 |
| Microsoft Word Remote Code Execution (Preview Pane) | CVE-2026-33114 | Microsoft Word | High | 8.4 |
| Microsoft Word Remote Code Execution (Preview Pane) | CVE-2026-33115 | Microsoft Word | High | 8.4 |
Technical Summary
This month’s Patch Tuesday is largely driven by Elevation of Privilege vulnerabilities, which make up a significant portion of the fixes and can be leveraged by attackers after initial access to escalate privileges and move laterally.
The release also includes several critical remote code execution issues in core Windows components. Notably, vulnerabilities such as those affecting the Windows IKE service and TCP/IP stack demonstrate the risk of unauthenticated or low-interaction exploitation, particularly in network-exposed scenarios. Other issues in Office, Word, and Remote Desktop highlight continued risk from user-driven attack vectors such as malicious documents and crafted connection files.
The update also addresses zero-day vulnerabilities, including one actively exploited and another publicly disclosed prior to patching, increasing the urgency for remediation.
Key vulnerabilities in this cycle show a mix of attack paths from preview pane-based document exploitation to wormable network flaws and Active Directory-based code execution through authenticated access.
This combination of network-level and user-interaction-based risks, along with the volume of privilege escalation issues, makes this a high-priority update cycle. Organizations should prioritize testing and deployment to reduce exposure across both endpoint and infrastructure layers.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2026-33824 | Windows IKE Service Extensions | Unauthenticated attacker can send crafted UDP packets to IKEv2-enabled systems (UDP 500/4500), achieving full remote code execution with no prior access required | Remote Code Execution |
| CVE-2026-32190 | Microsoft Office | Exploitation via preview pane allows execution of malicious payload without explicit user interaction beyond viewing file | Remote Code Execution |
| CVE-2026-33114 / 33115 | Microsoft Word | Malicious document processed via preview triggers RCE; commonly used in phishing delivery chains | Remote Code Execution |
| CVE-2026-32157 | Remote Desktop Client | RCE triggered when user connects using a crafted RDP file; attack surface includes lateral movement scenarios | Remote Code Execution |
| CVE-2026-33827 | Windows TCP/IP Stack | Race condition in IPv6/IPsec stack enables unauthenticated wormable RCE across enterprise networks | Remote Code Execution |
| CVE-2026-33826 | Windows Active Directory | Authenticated attacker executes code via crafted RPC calls within domain; high likelihood of privilege chaining | Remote Code Execution |
Key Affected Products and Services
April 2026 updates address vulnerabilities across:
Kernel, TCP/IP stack, Active Directory, IKE Service, BitLocker, NTFS, SMB, and Remote Desktop components are impacted, including critical RCE and privilege escalation vulnerabilities.
Word, Excel, and PowerPoint are affected by multiple remote code execution vulnerabilities, including cases exploitable through the preview pane.
SharePoint Server (2016, 2019, Subscription Edition) is impacted, including an actively exploited zero-day vulnerability requiring immediate attention.
A publicly disclosed elevation of privilege vulnerability is addressed through updates to the Antimalware Platform.
.NET and related developer components, including Visual Studio, are affected by denial of service and privilege escalation vulnerabilities.
Azure components such as Logic Apps and monitoring agents include vulnerabilities related to information disclosure and privilege escalation.
Multiple vulnerabilities affecting SQL Server components, including privilege escalation and remote code execution risks, are addressed.
Remediation:
Here are some recommendations
Conclusion:
April 2026 Patch Tuesday addresses a significant number of vulnerabilities across Windows and related Microsoft products, including an actively exploited issue, multiple critical remote code execution flaws, and a high volume of privilege escalation vulnerabilities. Given the breadth of affected components and the potential for attack chaining, organizations should prioritize timely testing and deployment of updates, especially for critical and externally exposed systems.
References:
Threat Actors impersonating as Linux Foundation leader in an active social engineering campaign targeting open source developers via Slack.
Now, a fresh Open Source Security Foundation (OpenSSF) advisory warns unknown attackers are using a similar approach to target other open source developers.
The human connection has been leveraged to target software.
The attackers interacted via Slack or social media platform LinkedIn, posing as company owners/representatives, job recruiters, or podcast hosts, and tried to lure developers into downloading malware mimicking as a videoconferencing software update, a type of phishing campaign.
Crafting of attack via social engineering
First step, attackers began with a scheming social engineering ploy
They joined Slack workspaces linked to the Linux Foundation’s TODO Group and then imitated a trusted community figure and sent direct messages to developers which looked like any legitimate invite – complete with a Google Sites link, fake email address and exclusive “access key” – to test a purported AI tool for predicting open source contribution acceptance.
Second step, once a victim clicked, they landed on a phishing page impersonating a Slack workspace invitation, prompting them to enter their email and a verification code. Instructions came in form to install what was described as a “Google certificate” from attackers side.
This was basically a malicious root certificate that allowed attackers the ability to intercept and read encrypted traffic – a devastating breach of privacy and security.
The attack module is sophisticated did not end there.
Consecutively on macOS, a script silently downloaded and executed a binary called “gapi,” potentially opening the door to full system compromise.
Windows users faced a browser-based certificate installation, equally effective at undermining secure communications. The attackers’ use of trusted infrastructure such as Google Sites allowed them to evade basic security checks and blend in with legitimate traffic.
Changing attack scenario in social engineering
Now open sources developers have become prime targets, with recent campaigns also hitting maintainers of projects like Fastify, Lodash, and Node.js.
Posing as the Linux Foundation leader, the attacker described how an AI tool can analyze open source project dynamics and predict which code contributions .
The attack was first brought to public attention on April 7, 2026, posted to the OpenSSF Siren mailing list by Christopher “CRob” Robinson, Chief Technology Officer and Chief Security Architect at the Open Source Security Foundation (OpenSSF).
Focus Shift from code repositories to human connections
Attackers now confidently targeting not only code repositories and networks that expanded over trust, but exploiting the personal trust networks that underpin open source collaboration. The expansion of open source ecosystem reminds to be more vigilant as attackers are evolving tactics and developers must now defend code and connections both.
The OpenSSF advisory :
The OpenSSF urges heightened vigilance: always verify identities through separate channels, never install certificates from untrusted sources, and treat unexpected security prompts with skepticism. If compromise is suspected, immediate network isolation and credential rotation are critical.
Sources: Social engineering attacks on open source developers are escalating – Help Net Security
Rowhammer attacks can be exploited to enable privilege escalation
Continue Reading
Emergency Patch Issued by Fortinet for FortiClient for Vulnerability
Continue Reading
CVE-2026-20160, Vulnerability in CISCO’s smart software manager may allows attackers to gain complete control over the affected system without needing authentication which is gaining prior access to exploit the system. The CVSS severity score of 9.8 out of 10, indicating its high risk level.
Authentication and access controls play a crucial role in web application and system security. What can happen?
CISCO’s Smart Software Manager Flaw
In this case the vulnerability exposure allowed unauthorized access, as attackers do not need login credentials when a hacker can execute arbitrary commands on the operating system. Further escalating by creating crafted request to the service’s API. The vulnerability impacted certain versions of the Cisco SSM On-Prem environments, particularly software releases from 9-202502 to 9-202510.
Remediation for organizations
Organizations can prevent authentication bypass through regular patching, multi-factor authentication, encryption, and strong password policies.
The vulnerability did not impact CISCO’s smart software newly released version 9-202601 includes a patch that fixes the flaw.
Cisco advises to upgrade to version 9-202601 immediately, as there are no current workarounds or temporary mitigations to block potential attacks.
For IT teams notes include devices meet the necessary memory and hardware specifications before proceeding with the update.
Key findings from CVE-2026-20160 Vulnerability
The vulnerability was discovered internally by Cisco’s Technical Assistance Center (TAC) team and they found no immediate exploitations in the wild
With the disclosure can motivate hackers to reverse-engineer the patch and search for vulnerable systems. Following Cisco’s guidelines and maintaining up-to-date security measures will be essential in mitigating risks associated and stop any kind of data breaches.
Conclusion:
Research shows that, making timely patching critical for authentication security is essential and failing to do that can lead to data breaches.
The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory. Cisco strongly recommends that customers upgrade to the fixed software indicated in this advisory.
Sources: Cisco Smart Software Manager On-Prem Arbitrary Command Execution Vulnerability
vulnerability in the Smart Slider 3 WordPress plugin
Continue Reading
SOPHOS Report Find Leadership Gap in Cyber security Domain and CISO’s Role cannot be undermined.
Continue Reading
PTC has issued an urgent advisory regarding a critical Windchill and FlexPLM vulnerability that exposes affected systems to Remote Code Execution (RCE). The flaw, identified as CVE-2026-4681, has been classified as a code injection vulnerability (CWE-94) and carries a CVSS v3.1 base score of 10.0 and CVSS v4 score of 9.3.
Vulnerability details:
The company says that it has not found any evidence that the vulnerability is being exploited against PTC customers. However, PTC published a set of specific indicators of compromise (IoCs) that include a user agent string and files.
The flaw affects a broad range of Windchill PDMLink and FlexPLM releases, specifically:
Remediation: PTC is actively developing and releasing security patches for all supported Windchill versions to address the identified vulnerability
Immediate Mitigation Steps
PTC has issued specific guidance to reduce the risk until official security patches are released. These steps include:
For Apache HTTP Server
<LocationMatch “^.*servlet/(WindchillGW|WindchillAuthGW)/com.ptc.wvs.server.publish.Publish(?:;[^/]*)?/.*$”>
Require all denied
For Microsoft IIS
PTC advises applying the same workaround steps to File Server or Replica Server configurations and notes that older Windchill releases may require adjusted procedures.
Additional Protection Measures
For organizations unable to immediately implement mitigations, PTC recommends temporarily shutting down Windchill or FlexPLM services or disconnecting systems from the public Internet.
PTC has also committed to 24×7 customer support for all users affected by this critical vulnerability. For PTC cloud-hosted customer.
Indicators of Compromise
Advisory for security Teams to monitor for specific signs that may indicate exploitation of the Windchill vulnerability or FlexPLM vulnerability:
Network and User-Agent Patterns
File System Indicators
The presence of these files indicates that a potential attacker may have prepared the system for Remote Code Execution.
Log and Error Patterns
PTC strongly urges customers to report any identified
Log and Error Patterns
Source: https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability?srsltid=AfmBOooLDdBNS2lOeRasqrbyOfjfVKyhJH6Z_wfzqO93k3cqVQcSueEv
Recent Comments