VulnerabilityManagement

Security Flaw in LMDeploy Exploited in 12 hours is CVE-2026-33626

CVE-2026-33626 vulnerbility in LLMDeploy

Enterprise Cyber Security Mapping up Structural Reset with AI Security

AI usage in recent Cyber security events triggering AI-enabled threats

Surge in CVE Volume lead NIST to Prioritizes NVD Program

NIST’s NVD program aimed to analyze all CVEs to add details — such as severity scores and product lists that mostly assisted cybersecurity professionals prioritize and mitigate vulnerabilities.

Apache ActiveMQ Vulnerability CVE-2026-34197 Exploited in the Wild

CVE-2026-34197, an Apache ActiveMQ flaw

Microsoft April 2026 Patch Tuesday- Fixes 165 Flaws including 2 Zero-Days

Summary: Microsoft released its April 2026 Patch Tuesday addressing 165 security vulnerabilities across Windows, Office, SharePoint, Microsoft Defender, .NET Framework, Azure, SQL Server and other components.

The April release brings in relevant update and significant accessibility improvements, display and hardware enhancements, and several quality-of-life additions across Settings and File Explorer.

The first of the two zero-days is CVE-2026-32201, a spoofing vulnerability leading to cross-site scripting (XSS) in Microsoft SharePoint Server.The issue stems from an input validation failure that lets an attacker inject malicious scripts through improperly sanisised input fields.

Elevation of privilege (EoP) vulnerabilities accounted for 57.1% of the vulnerabilities patched this month, followed by information disclosure vulnerabilities and remote code execution (RCE) vulnerabilities at 12.3% each.

OEM	Microsoft
Severity	Critical
Date of Announcement	2026-04-14
No. of Vulnerability	165
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

This is the second-largest Patch Tuesday release in Microsoft’s history. The update includes two zero-day vulnerabilities one actively exploited in the wild (SharePoint spoofing) and one publicly disclosed (Microsoft Defender privilege escalation linked to the BlueHammer exploit).

Here are the CVE addresses for Microsoft April 2026:

165 Microsoft CVEs
82 Non Microsoft CVEs

Breakdown of April 2026 Vulnerabilities

93 Elevation of Privilege (EoP)
20 Remote Code Execution
21 Information Disclosure
10 Denial of Service (DoS)
9 Spoofing
13 Security Feature Bypass

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Windows Internet Key Exchange (IKE) Service Extensions RCE	CVE-2026-33824	Windows IKE Service	Critical	9.8
Windows TCP/IP Remote Code Execution (Wormable via IPv6)	CVE-2026-33827	Windows TCP/IP Stack	Critical	9.8
Windows Active DirectoryRemote Code Execution	CVE-2026-33826	Windows Active Directory	Critical	9.1
Remote Desktop Client Remote Code Execution	CVE-2026-32157	Remote Desktop Client	High	8.8
Microsoft Office Remote Code Execution (Preview Pane)	CVE-2026-32190	Microsoft Office	High	8.4
Microsoft Word Remote Code Execution (Preview Pane)	CVE-2026-33114	Microsoft Word	High	8.4
Microsoft Word Remote Code Execution (Preview Pane)	CVE-2026-33115	Microsoft Word	High	8.4

Technical Summary

This month’s Patch Tuesday is largely driven by Elevation of Privilege vulnerabilities, which make up a significant portion of the fixes and can be leveraged by attackers after initial access to escalate privileges and move laterally.

The release also includes several critical remote code execution issues in core Windows components. Notably, vulnerabilities such as those affecting the Windows IKE service and TCP/IP stack demonstrate the risk of unauthenticated or low-interaction exploitation, particularly in network-exposed scenarios. Other issues in Office, Word, and Remote Desktop highlight continued risk from user-driven attack vectors such as malicious documents and crafted connection files.

The update also addresses zero-day vulnerabilities, including one actively exploited and another publicly disclosed prior to patching, increasing the urgency for remediation.

Key vulnerabilities in this cycle show a mix of attack paths from preview pane-based document exploitation to wormable network flaws and Active Directory-based code execution through authenticated access.

This combination of network-level and user-interaction-based risks, along with the volume of privilege escalation issues, makes this a high-priority update cycle. Organizations should prioritize testing and deployment to reduce exposure across both endpoint and infrastructure layers.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2026-33824	Windows IKE Service Extensions	Unauthenticated attacker can send crafted UDP packets to IKEv2-enabled systems (UDP 500/4500), achieving full remote code execution with no prior access required	Remote Code Execution
CVE-2026-32190	Microsoft Office	Exploitation via preview pane allows execution of malicious payload without explicit user interaction beyond viewing file	Remote Code Execution
CVE-2026-33114 / 33115	Microsoft Word	Malicious document processed via preview triggers RCE; commonly used in phishing delivery chains	Remote Code Execution
CVE-2026-32157	Remote Desktop Client	RCE triggered when user connects using a crafted RDP file; attack surface includes lateral movement scenarios	Remote Code Execution
CVE-2026-33827	Windows TCP/IP Stack	Race condition in IPv6/IPsec stack enables unauthenticated wormable RCE across enterprise networks	Remote Code Execution
CVE-2026-33826	Windows Active Directory	Authenticated attacker executes code via crafted RPC calls within domain; high likelihood of privilege chaining	Remote Code Execution

Key Affected Products and Services

April 2026 updates address vulnerabilities across:

Windows Core Components

Kernel, TCP/IP stack, Active Directory, IKE Service, BitLocker, NTFS, SMB, and Remote Desktop components are impacted, including critical RCE and privilege escalation vulnerabilities.

Microsoft Office Suite

Word, Excel, and PowerPoint are affected by multiple remote code execution vulnerabilities, including cases exploitable through the preview pane.

SharePoint & Collaboration

SharePoint Server (2016, 2019, Subscription Edition) is impacted, including an actively exploited zero-day vulnerability requiring immediate attention.

Microsoft Defender

A publicly disclosed elevation of privilege vulnerability is addressed through updates to the Antimalware Platform.

.NET Framework & Developer Tools

.NET and related developer components, including Visual Studio, are affected by denial of service and privilege escalation vulnerabilities.

Azure & Cloud Services

Azure components such as Logic Apps and monitoring agents include vulnerabilities related to information disclosure and privilege escalation.

SQL Server

Multiple vulnerabilities affecting SQL Server components, including privilege escalation and remote code execution risks, are addressed.

Remediation:

Apply April 2026 security updates on all Windows systems as a priority

Here are some recommendations

Prioritize patching internet-facing and critical services, particularly SharePoint and core Windows components.
Ensure Microsoft Defender and other security components are updated to the latest platform versions.
Review network exposure and apply temporary mitigations where patching may be delayed.
Monitor for suspicious activity, especially related to privilege escalation, remote code execution, and authentication anomalies.
Validate that systems are aligned with ongoing platform security updates, including Secure Boot-related changes.

Conclusion:
April 2026 Patch Tuesday addresses a significant number of vulnerabilities across Windows and related Microsoft products, including an actively exploited issue, multiple critical remote code execution flaws, and a high volume of privilege escalation vulnerabilities. Given the breadth of affected components and the potential for attack chaining, organizations should prioritize timely testing and deployment of updates, especially for critical and externally exposed systems.

References:

https://msrc.microsoft.com/update-guide/en-us/releaseNote/2026-Apr
https://www.tenable.com/blog/microsofts-april-2026-patch-tuesday-addresses-163-cves-cve-2026-32201
https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/

Vulnerable ABAP Program Patched by SAP in April Security Updates

SAP security patch day saw the release of 19 new security notes on April 14th. There is 1 update to previously released security note. The update addresses several severe flaws, including critical SQL injection, denial of service (DoS) and code injection vulnerabilities.

Vulnerability Details:

[CVE-2026-27681] SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse is most critical with CVSS score 9.9. This flaw may allow attackers to run arbitrary database queries, potentially compromising sensitive information and system integrity.

SAP also released a security note that addresses a high-severity missing authorization check in ERP and S/4 HANA. Tracked as CVE-2026-34256, is missing authorization check in SAP ERP and SAP S/4 HANA. With a CVSS score of 7.1, this vulnerability could enable unauthorized users to perform restricted actions in both private cloud and on‑premise deployments

Further it could be exploited to execute an ABAP program and rewrite existing eight‑character executable programs.

[CVE-2025-64775] Denial of Service Vulnerability in SAP BusinessObjects Business Intelligence Platform, the criticality is medium

[CVE-2026-34264] Information Disclosure vulnerability in SAP Human Capital Management for SAP S/4HANA, medium criticality

Key inputs:

Of the remaining security notes, 16 (15 new and 1 updated) deal with medium-severity vulnerabilities that could lead to information disclosure.

The vulnerabilities may trigger denial-of-service (DoS), XSS attacks, code injection, redirection to malicious content or code execution in the victim’s browser.

Patching:

The flaws were patched in BusinessObjects, Business Analytics, Content Management, S/4HANA, Supplier Relationship Management, NetWeaver, HANA Cockpit and HANA Database Explorer, Material Master Application and S4CORE.

The two remaining notes address low-severity code injection bugs in NetWeaver and Landscape Transformation.

Refer to

Dec 2025 Security Advisory SAP Security Patch Released, Critical RCE Fixed & DoS Vulnerabilities

Conclusion: SAP strongly recommends that the customer visits the support portal and applies patches on priority to protect their SAP landscape.

Sources: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2026.html

Sources: https://www.securityweek.com/sap-patches-critical-abap-vulnerability/

Emergency Patch Issued by Fortinet in Latest FortiClient Vulnerabilities

Emergency Patch Issued by Fortinet for FortiClient for Vulnerability

CISCO Vulnerability Allows RCE in its Smart Software Manager on-Premise

CVE-2026-20160, Vulnerability in CISCO’s smart software manager may allows attackers to gain complete control over the affected system without needing authentication which is gaining prior access to exploit the system. The CVSS severity score of 9.8 out of 10, indicating its high risk level.

Authentication and access controls play a crucial role in web application and system security. What can happen?

Data theft
System compromise
Privilege escalation

CISCO’s Smart Software Manager Flaw

In this case the vulnerability exposure allowed unauthorized access, as attackers do not need login credentials when a hacker can execute arbitrary commands on the operating system. Further escalating by creating crafted request to the service’s API. The vulnerability impacted certain versions of the Cisco SSM On-Prem environments, particularly software releases from 9-202502 to 9-202510.

Remediation for organizations

Organizations can prevent authentication bypass through regular patching, multi-factor authentication, encryption, and strong password policies.

The vulnerability did not impact CISCO’s smart software newly released version 9-202601 includes a patch that fixes the flaw.

Cisco advises to upgrade to version 9-202601 immediately, as there are no current workarounds or temporary mitigations to block potential attacks.

For IT teams notes include devices meet the necessary memory and hardware specifications before proceeding with the update.

Key findings from CVE-2026-20160 Vulnerability

The vulnerability was discovered internally by Cisco’s Technical Assistance Center (TAC) team and they found no immediate exploitations in the wild

With the disclosure can motivate hackers to reverse-engineer the patch and search for vulnerable systems. Following Cisco’s guidelines and maintaining up-to-date security measures will be essential in mitigating risks associated and stop any kind of data breaches.

Conclusion:

Research shows that, making timely patching critical for authentication security is essential and failing to do that can lead to data breaches.

The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory. Cisco strongly recommends that customers upgrade to the fixed software indicated in this advisory.

Sources: Cisco Smart Software Manager On-Prem Arbitrary Command Execution Vulnerability

File Read Vulnerability in SmartSlider Impacts 500K WordPress Sites

vulnerability in the Smart Slider 3 WordPress plugin

Critical Vulnerability CVE-2026-4681 in Windchill & FlexPLM Exposes Systems to RCE

PTC has issued an urgent advisory regarding a critical Windchill and FlexPLM vulnerability that exposes affected systems to Remote Code Execution (RCE). The flaw, identified as CVE-2026-4681, has been classified as a code injection vulnerability (CWE-94) and carries a CVSS v3.1 base score of 10.0 and CVSS v4 score of 9.3.

Vulnerability details:

The company says that it has not found any evidence that the vulnerability is being exploited against PTC customers. However, PTC published a set of specific indicators of compromise (IoCs) that include a user agent string and files.

The flaw affects a broad range of Windchill PDMLink and FlexPLM releases, specifically:

Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0
FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0

Description

The vulnerability is a Remote Code Execution (RCE) issue that may be exploited through deserialization of untrusted data
CVE-2026-4681 has been reported
- CWE – CWE-94: Improper Control of Generation of Code (‘Code Injection’) (4.19.1)
- Note that CVE.org only supports the latest CVSS scoring calculator (v4). Our Advisory also reflects the score of 10.0 based on the CVSS3.1 calculator.
  - CVSS v3.1 Base Score: 10.0 (Critical)
  - CVSS v4 Base Score: 9.3 (Critical)
At this time, there is no evidence of confirmed exploitation affecting PTC customers

Remediation: PTC is actively developing and releasing security patches for all supported Windchill versions to address the identified vulnerability

Immediate Mitigation Steps

PTC has issued specific guidance to reduce the risk until official security patches are released. These steps include:

For Apache HTTP Server

Create a new configuration file named 90-app-Windchill-Auth.conf under <APACHE_HOME>/conf/conf.d/.
Add the following directive:

<LocationMatch “^.*servlet/(WindchillGW|WindchillAuthGW)/com.ptc.wvs.server.publish.Publish(?:;[^/]*)?/.*$”>
Require all denied

Ensure this file is the last in the configuration sequence and restart the Apache server.

For Microsoft IIS

Verify the presence of the URL Rewrite module; if absent, download and install from the IIS website.
Modify the web.config file to include the rewrite rule as the first tag in <system.webServer>.
Restart IIS using iisreset and confirm the rule is active in IIS Manager.

PTC advises applying the same workaround steps to File Server or Replica Server configurations and notes that older Windchill releases may require adjusted procedures.

Additional Protection Measures

For organizations unable to immediately implement mitigations, PTC recommends temporarily shutting down Windchill or FlexPLM services or disconnecting systems from the public Internet.

PTC has also committed to 24×7 customer support for all users affected by this critical vulnerability. For PTC cloud-hosted customer.

Indicators of Compromise

Advisory for security Teams to monitor for specific signs that may indicate exploitation of the Windchill vulnerability or FlexPLM vulnerability:

Network and User-Agent Patterns

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Suspicious HTTP requests: run?p= .jsp?p=, run?c= .jsp?c=

File System Indicators

GW.class or payload.bin (SHA256: C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1)
Any dpr_<8-hex-digits>.jsp file
Other class files, including Gen.class, HTTPRequest.class, HTTPResponse.class, IXBCommonStreamer.class, IXBStreamer.class, MethodFeedback.class, MethodResult.class, WTContextUpdate.class, and their Java equivalents

The presence of these files indicates that a potential attacker may have prepared the system for Remote Code Execution.

Log and Error Patterns

Messages referencing GW_READY_OK, ClassNotFoundException for GW Windchill, or HTTP Gateway Exception

PTC strongly urges customers to report any identified