Infosec

Enterprise Cyber Security Mapping up Structural Reset with AI Security

AI usage in recent Cyber security events triggering AI-enabled threats

Surge in CVE Volume lead NIST to Prioritizes NVD Program

NIST’s NVD program aimed to analyze all CVEs to add details — such as severity scores and product lists that mostly assisted cybersecurity professionals prioritize and mitigate vulnerabilities.

Microsoft April 2026 Patch Tuesday- Fixes 165 Flaws including 2 Zero-Days

Summary: Microsoft released its April 2026 Patch Tuesday addressing 165 security vulnerabilities across Windows, Office, SharePoint, Microsoft Defender, .NET Framework, Azure, SQL Server and other components.

The April release brings in relevant update and significant accessibility improvements, display and hardware enhancements, and several quality-of-life additions across Settings and File Explorer.

The first of the two zero-days is CVE-2026-32201, a spoofing vulnerability leading to cross-site scripting (XSS) in Microsoft SharePoint Server.The issue stems from an input validation failure that lets an attacker inject malicious scripts through improperly sanisised input fields.

Elevation of privilege (EoP) vulnerabilities accounted for 57.1% of the vulnerabilities patched this month, followed by information disclosure vulnerabilities and remote code execution (RCE) vulnerabilities at 12.3% each.

OEM	Microsoft
Severity	Critical
Date of Announcement	2026-04-14
No. of Vulnerability	165
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

This is the second-largest Patch Tuesday release in Microsoft’s history. The update includes two zero-day vulnerabilities one actively exploited in the wild (SharePoint spoofing) and one publicly disclosed (Microsoft Defender privilege escalation linked to the BlueHammer exploit).

Here are the CVE addresses for Microsoft April 2026:

165 Microsoft CVEs
82 Non Microsoft CVEs

Breakdown of April 2026 Vulnerabilities

93 Elevation of Privilege (EoP)
20 Remote Code Execution
21 Information Disclosure
10 Denial of Service (DoS)
9 Spoofing
13 Security Feature Bypass

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Windows Internet Key Exchange (IKE) Service Extensions RCE	CVE-2026-33824	Windows IKE Service	Critical	9.8
Windows TCP/IP Remote Code Execution (Wormable via IPv6)	CVE-2026-33827	Windows TCP/IP Stack	Critical	9.8
Windows Active DirectoryRemote Code Execution	CVE-2026-33826	Windows Active Directory	Critical	9.1
Remote Desktop Client Remote Code Execution	CVE-2026-32157	Remote Desktop Client	High	8.8
Microsoft Office Remote Code Execution (Preview Pane)	CVE-2026-32190	Microsoft Office	High	8.4
Microsoft Word Remote Code Execution (Preview Pane)	CVE-2026-33114	Microsoft Word	High	8.4
Microsoft Word Remote Code Execution (Preview Pane)	CVE-2026-33115	Microsoft Word	High	8.4

Technical Summary

This month’s Patch Tuesday is largely driven by Elevation of Privilege vulnerabilities, which make up a significant portion of the fixes and can be leveraged by attackers after initial access to escalate privileges and move laterally.

The release also includes several critical remote code execution issues in core Windows components. Notably, vulnerabilities such as those affecting the Windows IKE service and TCP/IP stack demonstrate the risk of unauthenticated or low-interaction exploitation, particularly in network-exposed scenarios. Other issues in Office, Word, and Remote Desktop highlight continued risk from user-driven attack vectors such as malicious documents and crafted connection files.

The update also addresses zero-day vulnerabilities, including one actively exploited and another publicly disclosed prior to patching, increasing the urgency for remediation.

Key vulnerabilities in this cycle show a mix of attack paths from preview pane-based document exploitation to wormable network flaws and Active Directory-based code execution through authenticated access.

This combination of network-level and user-interaction-based risks, along with the volume of privilege escalation issues, makes this a high-priority update cycle. Organizations should prioritize testing and deployment to reduce exposure across both endpoint and infrastructure layers.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2026-33824	Windows IKE Service Extensions	Unauthenticated attacker can send crafted UDP packets to IKEv2-enabled systems (UDP 500/4500), achieving full remote code execution with no prior access required	Remote Code Execution
CVE-2026-32190	Microsoft Office	Exploitation via preview pane allows execution of malicious payload without explicit user interaction beyond viewing file	Remote Code Execution
CVE-2026-33114 / 33115	Microsoft Word	Malicious document processed via preview triggers RCE; commonly used in phishing delivery chains	Remote Code Execution
CVE-2026-32157	Remote Desktop Client	RCE triggered when user connects using a crafted RDP file; attack surface includes lateral movement scenarios	Remote Code Execution
CVE-2026-33827	Windows TCP/IP Stack	Race condition in IPv6/IPsec stack enables unauthenticated wormable RCE across enterprise networks	Remote Code Execution
CVE-2026-33826	Windows Active Directory	Authenticated attacker executes code via crafted RPC calls within domain; high likelihood of privilege chaining	Remote Code Execution

Key Affected Products and Services

April 2026 updates address vulnerabilities across:

Windows Core Components

Kernel, TCP/IP stack, Active Directory, IKE Service, BitLocker, NTFS, SMB, and Remote Desktop components are impacted, including critical RCE and privilege escalation vulnerabilities.

Microsoft Office Suite

Word, Excel, and PowerPoint are affected by multiple remote code execution vulnerabilities, including cases exploitable through the preview pane.

SharePoint & Collaboration

SharePoint Server (2016, 2019, Subscription Edition) is impacted, including an actively exploited zero-day vulnerability requiring immediate attention.

Microsoft Defender

A publicly disclosed elevation of privilege vulnerability is addressed through updates to the Antimalware Platform.

.NET Framework & Developer Tools

.NET and related developer components, including Visual Studio, are affected by denial of service and privilege escalation vulnerabilities.

Azure & Cloud Services

Azure components such as Logic Apps and monitoring agents include vulnerabilities related to information disclosure and privilege escalation.

SQL Server

Multiple vulnerabilities affecting SQL Server components, including privilege escalation and remote code execution risks, are addressed.

Remediation:

Apply April 2026 security updates on all Windows systems as a priority

Here are some recommendations

Prioritize patching internet-facing and critical services, particularly SharePoint and core Windows components.
Ensure Microsoft Defender and other security components are updated to the latest platform versions.
Review network exposure and apply temporary mitigations where patching may be delayed.
Monitor for suspicious activity, especially related to privilege escalation, remote code execution, and authentication anomalies.
Validate that systems are aligned with ongoing platform security updates, including Secure Boot-related changes.

Conclusion:
April 2026 Patch Tuesday addresses a significant number of vulnerabilities across Windows and related Microsoft products, including an actively exploited issue, multiple critical remote code execution flaws, and a high volume of privilege escalation vulnerabilities. Given the breadth of affected components and the potential for attack chaining, organizations should prioritize timely testing and deployment of updates, especially for critical and externally exposed systems.

References:

https://msrc.microsoft.com/update-guide/en-us/releaseNote/2026-Apr
https://www.tenable.com/blog/microsofts-april-2026-patch-tuesday-addresses-163-cves-cve-2026-32201
https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/

Botnets Behind 30Tbps DDoS Attack, Disrupted by DoJ

4 botnets launched Distributed Denial of Service (DDoS) attacks targeting victims around the world.

Critical YARA Vulnerability Exposes Linux Systems – Patch Now

Summary : YARA is an open-source pattern matching engine widely used by malware researchers, SOC teams, and threat intelligence platforms to identify and classify malware using detection rules. It plays a critical role in malware analysis pipelines, endpoint detection systems, and threat hunting operations.

Kamil Frankowicz discovered that a number of YARA’s functions generated memory exceptions when processing specially crafted rules or files. A remote attacker could possibly use these issues to cause YARA to crash, resulting in a denial of service.

OEM	Virus Total / YARA Project (Tool)
Severity	Critical
CVSS Score	9.1
CVEs	CVE-2021-3402, CVE-2021-45429, CVE-2019-19648, CVE-2018-19974, 2018-19975, 2018-19976
POC Available	No
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

Ubuntu has released a security advisory addressing multiple vulnerabilities in YARA that could allow attackers to cause denial-of-service conditions, disclose sensitive information, or potentially execute arbitrary code when processing specially crafted files or rules.

These vulnerabilities affect Ubuntu 16.04 LTS, 18.04 LTS, and 20.04 LTS depending on the specific issue. Organizations using YARA in security monitoring systems, malware sandboxes, or automated threat detection workflows should apply the security updates immediately.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score	Fixed Version
Mach-O Parser Overflow Read Vulnerability	CVE-2021-3402	YARA	Critical	9.1	Updated Ubuntu packages
Mach-O File Parsing Out-of-Bounds Access	CVE-2019-19648	YARA	High	7.8	Updated Ubuntu packages

Technical Summary

The most critical vulnerability CVE-2021-3402 exists in the macho.c implementation used by YARA to parse Mach-O files.

The flaw allows specially crafted Mach-O files to trigger overflow reads, which could result in denial of service or potential information disclosure. Given its high CVSS score, this issue represents the most severe risk addressed in this advisory.

Another high-severity vulnerability CVE-2019-19648 affects the macho_parse_file() function. When parsing specially crafted Mach-O files, the function may trigger out-of-bounds memory access, potentially leading to application crashes or execution of malicious code in certain scenarios.

Because YARA is frequently integrated into malware analysis platforms and automated threat detection pipelines, successful exploitation could disrupt security monitoring operations or compromise malware analysis environments.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2021-3402	YARA (Ubuntu 20.04)	Overflow read vulnerability in Mach-O parsing implementation	DoS, potential information disclosure
CVE-2019-19648	YARA (Ubuntu 20.04)	Out-of-bound memory access during Mach-O file parsing	DoS or possible code execution

Additional Vulnerabilities

The advisory also includes several medium-severity vulnerabilities affecting YARA components.

CVE ID	Vulnerability Details	Impact
CVE-2021-45429	Buffer overflow in yr_set_configuration() when parsing crafted rules	Denial of Service
CVE-2018-19976	YARA virtual machine sandbox escape	Possible code execution
CVE-2018-19975	VM sandbox escape vulnerability	Possible code execution
CVE-2018-19974	Virtual machine security bypass	Possible code execution

Potential Consequences

Disruption of malware detection pipelines

Denial of service in security analysis environments

Information disclosure through crafted files

Potential arbitrary code execution in analysis systems

Reduced visibility in SOC threat detection workflows

Remediation

Upgrade affected packages immediately to the patched versions provided by Ubuntu are mentioning below-

Released patches

Ubuntu Release	Package	Fixed Version
Ubuntu 20.04 LTS	libyara3	3.9.0-1ubuntu0.1 esm1
Ubuntu 20.04 LTS	yara	3.9.0-1ubuntu0.1 esm1
Ubuntu 18.04 LTS	libyara3	3.7.1-1ubuntu2+esm1
Ubuntu 18.04 LTS	yara	3.7.1-1ubuntu2+esm1
Ubuntu 16.04 LTS	libyara3	3.4.0+dfsg-2ubuntu0.1 esm1
	python-yara	3.4.0+dfsg-2ubuntu0.1 esm1
	python3-yara	3.4.0+dfsg-2ubuntu0.1 esm1
	yara	3.4.0+dfsg-2ubuntu0.1 esm1

If immediate patching is not possible, apply the following temporary mitigations –

Restrict scanning of untrusted files in automated YARA pipelines.

Limit rule ingestion from untrusted sources.

Monitor malware analysis systems for abnormal crashes.

Limit exposure of YARA-based detection pipelines to untrusted Mach-O or .NET file inputs.

You can follow the recommendations below as the best practice.

Regularly update malware detection tools.

Validate YARA rules before deployment.

Validate and sandbox file inputs before passing them to YARA for analysis.

Implement least-privilege execution environments for YARA scanning processes.

Monitor logs for abnormal process crashes or memory-related errors in YARA.

Conclusion:
Multiple vulnerabilities in YARA could allow attackers to disrupt malware detection processes or compromise analysis environments. The critical vulnerability CVE-2021-3402 and high-severity vulnerability CVE-2019-19648 pose the greatest risk and should be prioritized for remediation.

Organizations using YARA in SOC operations, malware analysis pipelines, or threat intelligence systems should apply the latest Ubuntu security updates immediately to maintain reliable threat detection capabilities.

References: