April 2026 put authentication and management-plane failures at the centre of enterprise risk. Microsoft’s largest-ever Patch Tuesday by CVE count landed alongside a flurry of out-of-band emergency fixes from Fortinet, Adobe, and cPanel, the latter disclosing a zero-day that had been silently exploited for roughly two months before a patch existed. What connects this month’s most urgent issues is not just raw severity scores, but how consistently attackers found ways to sidestep the controls defenders assume are working: authentication gates, sandbox layers, tenant isolation, and credential requirements. For security teams, April compressed the space between disclosure and active attack to near zero, with several of these vulnerabilities moving from advisory publication to observed exploitation within days.
Microsoft SharePoint Server Spoofing Zero-Day (CVE-2026-32201)
Overview
Microsoft SharePoint Server is the collaboration and document management backbone of many enterprise environments, and this month it became the top patching priority after an actively exploited spoofing flaw was confirmed in the wild. The vulnerability stems from improper input validation in SharePoint’s network request processing, allowing an unauthenticated attacker to forge requests and manipulate information the platform exposes. An attacker who successfully exploits this flaw can view sensitive data and modify disclosed information, making it especially dangerous for organisations whose SharePoint deployments hold confidential documents, contracts, or internal project data. Modern attackers routinely chain spoofing bugs with other weaknesses, particularly privilege escalation, meaning even a CVSS 6.5 rating understates the operational risk when AI-assisted exploitation tools can automate the next step in minutes.
Severity and Score
Important | CVSS 6.5
Type
Improper Input Validation (CWE-20)
Disclosure
April 8, 2026
Included in the CISA Known Exploited Vulnerabilities catalog
Exploitation Status
Actively exploited. Microsoft confirmed exploitation in the wild at the time of patch release on Patch Tuesday, April 8, 2026. CISA added it to the KEV catalog on April 14, requiring federal agencies to patch by April 28. Patches cover all supported versions of SharePoint, including SharePoint 2016 ahead of its July 2026 end-of-extended-support date.
Mitigation Strategies
Apply Microsoft’s April 2026 Patch Tuesday security updates immediately across all supported SharePoint versions. Internet-facing SharePoint servers should be treated as highest priority. Restrict external access to SharePoint environments wherever possible, and monitor for unusual API or document access patterns that could indicate post-exploitation activity. Review SharePoint logs for anomalous cross-site request patterns or unexpected data modifications.
Windows Internet Key Exchange (IKE) Service Extensions RCE (CVE-2026-33824)
Overview
The Windows Internet Key Exchange service is responsible for negotiating VPN and tunnel connections in enterprise networks, and a double-free memory corruption flaw in its extensions makes it one of April’s most structurally dangerous vulnerabilities. The root cause is a CWE-415 double-free condition in the IKE extension component, where an attacker can send specially crafted UDP packets to a Windows machine with IKEv2 enabled and trigger arbitrary code execution without supplying any credentials. Because IKE sits at the perimeter of many networks, handling VPN negotiation for remote access and site-to-site tunnels, this vulnerability carries wormable characteristics: a single compromised host with IKEv2 enabled could potentially be used to reach others on the same network segment. Microsoft recommends blocking UDP ports 500 and 4500 for systems that do not use IKE as an interim measure.
Severity and Score
Critical | CVSS 9.8
Type
Double Free (CWE-415)
Disclosure
April 8, 2026
Exploitation Status
No confirmed exploitation in the wild at time of publication, though Microsoft has assessed exploitation as possible. The CVSS 9.8 score, unauthenticated attack vector, and proximity to exposed network infrastructure make this a high-priority target for threat actors who were already probing Windows networking stacks in April. IKE has been targeted in prior exploit campaigns, and the public availability of the patch provides researchers with the information needed to reconstruct an attack path.
Mitigation Strategies
Apply the April 2026 Patch Tuesday update immediately for all Windows systems. As a compensating control where patching cannot happen immediately, block inbound UDP traffic on ports 500 and 4500 at the perimeter; for systems that require IKE, restrict inbound traffic on those ports to known peer addresses only. Audit your environment for Windows hosts with IKEv2 enabled that are directly reachable from the internet or from untrusted network segments. Prioritise domain controllers and VPN concentrators first.
Microsoft Defender Elevation of Privilege (CVE-2026-33825)
Overview
Microsoft Defender is the default endpoint protection layer on Windows systems, and a publicly disclosed elevation-of-privilege flaw in April created an unusual urgency: the bug was tied to “BlueHammer,” a proof-of-concept exploit published on GitHub on April 3, 2026, weeks before Microsoft’s patch cycle closed the gap. The flaw lies in insufficient access control granularity within the Defender Antimalware Platform, allowing a local attacker with standard user privileges to escalate to SYSTEM-level access without requiring user interaction. Obtaining SYSTEM privileges is typically the inflection point in an attack: it is sufficient to disable logging, tamper with security tools, and deploy follow-on payloads while leaving minimal forensic trace.
Severity and Score
Important | CVSS 7.8
Type
Insufficient Granularity of Access Control (CWE-1220)
Disclosure
April 8, 2026 (publicly disclosed prior to patch via BlueHammer PoC, April 3, 2026)
Exploitation Status
No confirmed active exploitation at patch release, though the public PoC materially raises the likelihood of near-term weaponisation. Systems with Microsoft Defender disabled are not in a vulnerable state. Microsoft has assessed exploitation as more likely. This flaw is well-suited to use as a second-stage payload after an attacker achieves initial access through another April vulnerability such as CVE-2026-32201.
Mitigation Strategies
The Defender Antimalware Platform updates automatically by default; verify that Microsoft Defender Antimalware Platform version 4.18.26050.3011 or later is present across your endpoint fleet. For environments that enforce manual update approval, expedite deployment of this specific platform update. Confirm Defender is functioning correctly and receiving timely updates, and treat any gap in platform update delivery as a priority remediation item.
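The version floor above is only useful if the fleet comparison is done correctly, and dotted build numbers are a classic trap: compared as strings, "4.18.9999.1" sorts after "4.18.26050.3011" even though it is an older build. The following is an added example (not Microsoft tooling) that parses platform versions numerically and lists the hosts below the floor; the minimum version comes from the text above, while the inventory record shape and the hostnames are constructed for the example.

```python
"""Fleet check: is the Defender Antimalware Platform at or above the patched build?

Added example, not Microsoft's tooling. The minimum version 4.18.26050.3011 comes from
the mitigation text; the inventory records are constructed sample data, and the
{"host": ..., "platform_version": ...} record shape is an assumption.
"""
from typing import List, Optional, Tuple

MIN_PLATFORM_VERSION = "4.18.26050.3011"  # floor stated in the page's mitigation guidance


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.18.26050.3011' into (4, 18, 26050, 3011); reject anything malformed."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, minimum: str = MIN_PLATFORM_VERSION) -> bool:
    """Tuple comparison is field-by-field and numeric, which string comparison is not."""
    return parse_version(installed) >= parse_version(minimum)


def hosts_needing_update(inventory: List[dict]) -> List[str]:
    """Return hostnames that are below the minimum or report no parseable version.

    A missing or unparseable version is treated as non-compliant rather than skipped:
    'we could not read the platform version' is itself a gap in update delivery.
    """
    lagging = []
    for rec in inventory:
        version: Optional[str] = rec.get("platform_version")
        try:
            ok = version is not None and is_patched(version)
        except ValueError:
            ok = False
        if not ok:
            lagging.append(rec["host"])
    return lagging


# Constructed sample inventory; hostnames and the non-minimum versions are illustrative.
SAMPLE_INVENTORY = [
    {"host": "ws-001", "platform_version": "4.18.26050.3011"},  # exactly the floor: compliant
    {"host": "ws-002", "platform_version": "4.18.26060.2"},     # later build: compliant
    {"host": "ws-003", "platform_version": "4.18.9999.1"},      # string-sorts "newer", numerically older
    {"host": "ws-004", "platform_version": None},               # agent did not report a version
]

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: Defender platform update required")
```

Feed the function whatever your endpoint management export produces, mapped into the record shape shown; the only rule that matters is that the comparison never falls back to string ordering.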
Fortinet FortiClient EMS Pre-Auth SQL Injection (CVE-2026-21643)
Overview
FortiClient EMS is Fortinet’s centralised management server for endpoint agents, the platform security teams use to push policies, enforce compliance, and manage device posture across an entire organisation. A middleware refactoring in version 7.4.4 replaced parameterised database queries with raw string interpolation in the multi-tenant HTTP header handling, introducing a pre-authentication SQL injection through the /api/v1/init_consts endpoint. An unauthenticated attacker can send a single crafted HTTP request to the EMS administrative interface and, depending on the deployment, extract admin credentials, endpoint inventory, ZTNA certificates, and security policy data, or chain the SQL injection into OS command execution via PostgreSQL’s superuser privileges. Because FortiClient EMS holds the keys to endpoint security across an entire fleet, compromise here typically translates into the ability to tamper with every managed device’s security configuration.
Severity and Score
Critical | CVSS 9.8
Type
Improper Neutralization of Special Elements in SQL Commands (CWE-89)
Disclosure
February 6, 2026 (active exploitation confirmed and added to CISA KEV on April 13, 2026)
Included in the CISA Known Exploited Vulnerabilities catalog
Exploitation Status
Actively exploited. Defused Cyber detected zero-day exploitation attempts beginning March 24, 2026, well before public reporting. CISA added CVE-2026-21643 to the KEV catalog on April 13 with a remediation deadline of April 16 for federal agencies. The CrowdSec network tracked 51 distinct attacking IPs between April 20 and 27 alone, and public exploit code and Nuclei detection templates are now freely available, placing unpatched instances at immediate risk.
Mitigation Strategies
Upgrade FortiClient EMS from version 7.4.4 to 7.4.5 or later immediately (7.4.7 is the recommended target). Only multi-tenant deployments running 7.4.4 are affected; single-site deployments are not vulnerable to this specific flaw. If immediate patching is not possible, restrict network access to the EMS administrative interface to trusted internal hosts and take the service offline from internet-facing exposure. Audit the /api/v1/init_consts endpoint in web logs for abnormal Site header values or database error responses that may indicate prior exploitation activity.
Fortinet FortiClient EMS Improper Access Control RCE (CVE-2026-35616)
Overview
In the same product family as CVE-2026-21643, FortiClient EMS versions 7.4.5 and 7.4.6, the very releases that patched the SQL injection above, contained a separate pre-authentication API access bypass that also leads to remote code execution. The flaw is an improper access control condition in the EMS API, where identity assertions are not enforced before processing certain API requests, allowing an unauthenticated attacker to execute unauthorised code or commands via crafted HTTP requests. The timing of this vulnerability is significant: organisations that moved urgently to upgrade from 7.4.4 as a result of CVE-2026-21643 landed in versions that were themselves vulnerable to a different but equally critical unauthenticated RCE. Attackers appear to have been exploiting this as a zero-day during the Easter holiday weekend, a pattern of opportunistic timing that defenders should factor into incident response planning.
Severity and Score
Critical | CVSS 9.1
Type
Improper Access Control (CWE-284)
Disclosure
April 4, 2026
Included in the CISA Known Exploited Vulnerabilities catalog
Exploitation Status
Actively exploited as a zero-day, with Defused Cyber observing exploitation before Fortinet’s advisory. watchTowr Labs also confirmed attack activity beginning March 31, 2026. CISA added the flaw to KEV on April 6, setting a federal remediation deadline of April 9, one of the tightest timelines CISA has issued. It is not publicly confirmed whether the same threat actor exploited both CVE-2026-21643 and CVE-2026-35616, or whether they were used in combination.
Mitigation Strategies
Upgrade FortiClient EMS to version 7.4.7, which addresses both this vulnerability and CVE-2026-21643. Fortinet released a hotfix for 7.4.5 and 7.4.6 while 7.4.7 was in preparation; apply the hotfix immediately if the full upgrade cannot happen at once. Restrict external access to the EMS web interface, and monitor for unexpected API requests or unauthenticated sessions appearing in EMS access logs. Check Fortinet’s official advisory for Indicators of Compromise.
Adobe Acrobat Reader Prototype Pollution Zero-Day (CVE-2026-34621)
Overview
Adobe Acrobat Reader is installed on hundreds of millions of systems, and this zero-day, exploited in the wild since at least November 2025, demonstrates how a JavaScript engine vulnerability in a ubiquitous document viewer becomes a persistent data-theft platform before defenders even know it exists. The flaw is a prototype pollution condition in Acrobat’s JavaScript runtime, where an attacker can manipulate inherited object properties to gain control over application behaviour and execute code in the context of the current user. Opening a specially crafted PDF is sufficient to trigger the exploit chain, which begins by fingerprinting the victim system, uses the util.readFileIntoStream() privileged API to steal local files, and communicates exfiltrated data to an attacker-controlled server via an RSS feed mechanism, while optionally staging a second-stage payload capable of sandbox escape. Analysis of malicious samples found text in Russian related to gas supply disruption, suggesting targeted espionage activity prior to the vulnerability becoming widely known.
Severity and Score
High | CVSS 8.6
Type
Improperly Controlled Modification of Object Prototype Attributes, Prototype Pollution (CWE-1321)
Disclosure
April 11, 2026 (emergency out-of-band patch; exploitation confirmed since at least November 2025)
Included in the CISA Known Exploited Vulnerabilities catalog
Exploitation Status
Actively exploited. Security researcher Haifei Li at EXPMON flagged a suspicious PDF submitted on March 26, 2026 that had only 13/64 detection on VirusTotal. Adobe confirmed exploitation in its advisory, and CISA added the flaw to KEV on April 13 with an April 27 remediation deadline. The long zero-day window, potentially five months, means organisations with comprehensive endpoint logging may be able to identify prior compromise through retrospective analysis.
Mitigation Strategies
Update Adobe Acrobat DC and Acrobat Reader DC to version 26.001.21411 or later on Windows and macOS, or Acrobat 2024 to version 24.001.30362 on Windows. Block HTTP and HTTPS traffic with the “Adobe Synchronizer” string in the User Agent field to disrupt the established command-and-control mechanism. Instruct users not to open PDF files from untrusted sources, and review endpoint detection rules for processes spawned by Acrobat Reader that establish outbound network connections to unexpected hosts.
Apache ActiveMQ Classic Jolokia API RCE (CVE-2026-34197)
Overview
Apache ActiveMQ Classic is widely deployed messaging middleware used across financial services, healthcare, government, and e-commerce environments, and this vulnerability, hidden in plain sight for 13 years, exploits the Jolokia JMX-HTTP management bridge exposed on the web console. The root cause is an overly permissive default Jolokia access policy that grants exec rights to all ActiveMQ MBeans, including BrokerService.addNetworkConnector(). An authenticated attacker can invoke this operation with a crafted URI that triggers the ActiveMQ broker to fetch a remote Spring XML configuration file; because Spring instantiates all beans in the configuration before validation, the attacker achieves arbitrary OS command execution inside the broker’s JVM through Runtime.exec(). On ActiveMQ versions 6.0.0 through 6.1.1, a separate prior vulnerability (CVE-2024-32114) removes the authentication requirement entirely, making the combination effectively an unauthenticated RCE.
Severity and Score
High | CVSS 8.8
Type
Improper Input Validation / Code Injection (CWE-20, CWE-94)
Disclosure
April 7, 2026
Included in the CISA Known Exploited Vulnerabilities catalog
Exploitation Status
Actively exploited. CISA added CVE-2026-34197 to the KEV catalog on April 16, with a federal remediation deadline of April 30. Fortinet FortiGuard Labs telemetry identified dozens of exploitation attempts in the days following disclosure, peaking on April 14. Public proof-of-concept code and Nuclei detection templates are freely available, and Horizon3.ai’s research team notes that default admin:admin credentials are common across many ActiveMQ deployments, substantially lowering the bar for exploitation.
Mitigation Strategies
Upgrade Apache ActiveMQ Classic to version 5.19.4 or 6.2.3, which restrict the Jolokia access policy to disallow exec operations on all MBeans. If patching is not immediately possible, firewall the Jolokia endpoint (/api/jolokia/) so only trusted IP addresses can reach it, and disable Jolokia entirely if JMX management access is not required. Change all default admin:admin credentials immediately. Monitor broker logs for POST requests to /api/jolokia/ containing addNetworkConnector in the body, and for outbound HTTP connections from the ActiveMQ process to unexpected external hosts.
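Three of the mitigation sections above reduce to request-level indicators: an abnormal Site header on FortiClient EMS's /api/v1/init_consts endpoint (CVE-2026-21643), the “Adobe Synchronizer” User-Agent string used by the Acrobat Reader command-and-control channel (CVE-2026-34621), and a POST to /api/jolokia/ carrying addNetworkConnector (CVE-2026-34197). The following added example (not Fortinet, Adobe or Apache tooling) runs those three checks over request records as a triage pass; it flags rather than blocks, so it can sit behind a proxy or application log export. The paths, header name, User-Agent string and operation name are taken from the text above; the record format, the SQL-metacharacter pattern, the length threshold and the sample records are constructed for the example.

```python
"""Triage of request records against the indicators given for FortiClient EMS
(CVE-2026-21643), Acrobat Reader (CVE-2026-34621) and ActiveMQ Classic (CVE-2026-34197).

Added example, not vendor tooling. Endpoint paths, the Site header, the
"Adobe Synchronizer" User-Agent and the addNetworkConnector operation come from the
advisory summaries; the record format, SQL pattern and samples are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    src: str
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        """Case-insensitive header lookup; proxies and servers disagree on casing."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


# Assumed pattern: a tenant identifier should never contain quotes, comment markers
# or SQL keywords. Tune to what your own Site header values legitimately look like.
SQL_META = re.compile(r"""['";]|--|/\*|\b(union|select|sleep|pg_sleep)\b""", re.IGNORECASE)


def check_ems_init_consts(req: Request) -> Optional[str]:
    """CVE-2026-21643: abnormal Site header on the pre-auth /api/v1/init_consts endpoint."""
    if not req.path.startswith("/api/v1/init_consts"):
        return None
    site = req.header("Site")
    if SQL_META.search(site) or len(site) > 64:  # 64 is an assumed sanity limit
        return f"EMS init_consts with abnormal Site header: {site[:40]!r}"
    return None


def check_acrobat_c2(req: Request) -> Optional[str]:
    """CVE-2026-34621: the exfiltration channel identifies itself as 'Adobe Synchronizer'."""
    if "Adobe Synchronizer" in req.header("User-Agent"):
        return f"Acrobat exfiltration UA to {req.header('Host') or req.path}"
    return None


def check_jolokia_add_network_connector(req: Request) -> Optional[str]:
    """CVE-2026-34197: POST to /api/jolokia/ invoking addNetworkConnector."""
    if (req.method.upper() == "POST" and req.path.startswith("/api/jolokia/")
            and "addNetworkConnector" in req.body):
        return "ActiveMQ Jolokia addNetworkConnector invocation"
    return None


CHECKS = (check_ems_init_consts, check_acrobat_c2, check_jolokia_add_network_connector)


def triage(requests: List[Request]) -> List[Tuple[str, str]]:
    """Return (source address, finding) pairs for every request matching any check."""
    findings = []
    for req in requests:
        for check in CHECKS:
            hit = check(req)
            if hit:
                findings.append((req.src, hit))
    return findings


# Constructed sample records; addresses, tenant names and bodies are illustrative only.
SAMPLE_REQUESTS = [
    Request("10.0.0.5", "GET", "/api/v1/init_consts", {"Site": "corp-hq"}),
    Request("203.0.113.9", "GET", "/api/v1/init_consts", {"site": "x' UNION SELECT 1--"}),
    Request("10.0.0.23", "GET", "/feed.xml",
            {"Host": "203.0.113.77", "User-Agent": "Adobe Synchronizer"}),
    Request("198.51.100.4", "POST", "/api/jolokia/", {"Authorization": "Basic ..."},
            body='{"type":"exec","operation":"addNetworkConnector",'
                 '"arguments":["[constructed placeholder URI]"]}'),
    Request("10.0.0.8", "POST", "/api/jolokia/", body='{"type":"read","mbean":"java.lang:type=Memory"}'),
]

if __name__ == "__main__":
    for src, finding in triage(SAMPLE_REQUESTS):
        print(f"{src}: {finding}")
```

The Jolokia check deliberately keys on the operation name rather than on the full body, since the argument is attacker-controlled and varies; the EMS check is the one most likely to need local tuning, because it depends on what your legitimate tenant names look like.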
cPanel & WHM Authentication Bypass Zero-Day (CVE-2026-41940)
Overview
cPanel and WHM form the administrative control plane for an estimated 70 million domains, and this critical zero-day, exploited for roughly two months before a patch existed, demonstrates what happens when session handling fails at every security layer simultaneously. The vulnerability is a CRLF injection in the pre-authentication login flow of cpsrvd, the cPanel service daemon, where an attacker can inject carriage-return line-feed characters through a malicious Basic authorisation header into a session file that is written to disk before any authentication check occurs. By injecting properties like user=root, hasroot=1, and tfa_verified=1 directly into the session file, the attacker establishes a fully authenticated root session, bypassing both the password gate and two-factor authentication, without ever touching an authentication code path. On a shared hosting server, root access to WHM is effectively access to every website, database, and mailbox on the host.
Severity and Score
Critical | CVSS 9.8
Type
Improper Neutralization of CRLF Sequences (CWE-93)
Disclosure
April 28, 2026 (zero-day exploitation observed since approximately February 23, 2026)
Included in the CISA Known Exploited Vulnerabilities catalog
Exploitation Status
Actively exploited. Hosting provider KnownHost confirmed exploitation dating back to approximately February 23, 2026, roughly two months before cPanel’s emergency advisory. watchTowr Labs published a technical analysis and proof-of-concept on April 29, and CISA added the vulnerability to the KEV catalog on April 30 with a federal remediation deadline of May 3. Shodan data shows approximately 1.5 million internet-exposed cPanel instances, and the availability of public exploit code means widespread exploitation is expected to accelerate.
Mitigation Strategies
Upgrade cPanel & WHM to the relevant patched version immediately: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5 (use /scripts/upcp --force to force the update). While patching is underway, block inbound traffic on cPanel and WHM ports 2082, 2083, 2086, 2087, 2095, and 2096 at the firewall; note that websites, email, and databases on standard ports continue to operate normally during this block. Run cPanel’s official detection script to check session files for CRLF-injected indicators of compromise, and inspect /var/cpanel/sessions/raw/ for session files containing embedded \r\n characters or unexpected key=value entries injected mid-file. Rotate all administrative credentials after patching.
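As an added illustration of the session-file inspection described above (not cPanel's official detection script), the following scanner looks for the three things the advisory summary points at: embedded carriage returns, a key that appears more than once (the signature of a line injected mid-file), and the user=root / hasroot=1 / tfa_verified=1 triple. The directory path and those property names come from the text; the assumption that a session file is a series of key=value lines is mine, as are the sample file contents, so treat the parser as illustrative and compare it against a real session file before relying on it.

```python
"""Scan cPanel session files for the CRLF-injection indicators described in the advisory.

Added example, not cPanel's official detection script. From the text: the directory
/var/cpanel/sessions/raw/, the injected properties user=root, hasroot=1, tfa_verified=1,
and embedded \\r\\n as the tell-tale. Assumed: that a session file is newline-separated
key=value lines (the real on-disk format may differ), and the constructed samples below.
"""
import os
from typing import Dict, List

PRIVILEGED_MARKERS = {"user": "root", "hasroot": "1", "tfa_verified": "1"}
SESSION_DIR = "/var/cpanel/sessions/raw/"  # path from the mitigation text


def scan_session(data: bytes) -> List[str]:
    """Return findings for one session file's raw bytes (empty list = nothing seen).

    Three signals, in decreasing order of confidence:
      1. a carriage return anywhere in the file: an LF-only writer never emits one,
         so it can only have arrived inside an injected header value;
      2. a key that appears more than once: an injected line shadows an earlier value;
      3. the full privileged triple present: legitimate for a real root login, so
         this is a review item rather than proof on its own.
    """
    findings: List[str] = []
    if b"\r" in data:
        cr_lines = [i + 1 for i, line in enumerate(data.split(b"\n")) if b"\r" in line]
        findings.append(f"embedded CR on line(s) {cr_lines}")

    seen: Dict[str, List[str]] = {}
    # Normalise both line endings so injected lines are parsed the way a reader would see them.
    for raw in data.replace(b"\r\n", b"\n").replace(b"\r", b"\n").split(b"\n"):
        line = raw.decode("utf-8", errors="replace")
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        seen.setdefault(key.strip(), []).append(value.strip())

    for key, values in seen.items():
        if len(values) > 1:
            findings.append(f"duplicate key {key!r}: {values}")

    # Last value wins, on the assumption that a later line overrides an earlier one.
    if all(seen.get(k, [None])[-1] == v for k, v in PRIVILEGED_MARKERS.items()):
        findings.append("session carries user=root, hasroot=1 and tfa_verified=1")
    return findings


def scan_directory(path: str = SESSION_DIR) -> Dict[str, List[str]]:
    """Scan every regular file in the session directory; returns {filename: findings}."""
    results: Dict[str, List[str]] = {}
    with os.scandir(path) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                with open(entry.path, "rb") as fh:
                    hits = scan_session(fh.read())
                if hits:
                    results[entry.name] = hits
    return results


# Constructed samples. BENIGN_SESSION is what an ordinary user login might leave behind;
# INJECTED_SESSION shows one field whose value carried CRLF sequences into the file.
# The ordering of the injected lines is an assumption for the example.
BENIGN_SESSION = b"user=alice\nhasroot=0\ntfa_verified=1\ntoken=deadbeef\n"
INJECTED_SESSION = (
    b"user=alice\nhasroot=0\ntfa_verified=0\n"
    b"token=deadbeef\r\nuser=root\r\nhasroot=1\r\ntfa_verified=1\r\n"
)

if __name__ == "__main__":
    try:
        for name, hits in scan_directory().items():
            print(name, *hits, sep="\n  ")
    except FileNotFoundError:
        print("no session directory on this host; scanning the constructed sample instead")
        print(*scan_session(INJECTED_SESSION), sep="\n")
```

Run it as root on the affected host after patching; a non-empty result for any file is a reason to treat that session's origin as compromised and to proceed with the credential rotation the advisory calls for.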
Cisco Catalyst SD-WAN Manager Information Disclosure (CVE-2026-20133)
Overview
The Cisco Catalyst SD-WAN Manager, the central orchestration interface for enterprise software-defined wide-area networks, exposes a file system traversal path through insufficient access restrictions in its API, allowing an unauthenticated remote attacker to read sensitive files from the underlying operating system. An attacker accesses the exposed API endpoint with crafted HTTP requests and traverses the file system beyond the intended boundary, retrieving configuration files, credentials, logs, and other data stored on the SD-WAN Manager host. This type of information disclosure is rarely an end in itself: credentials and configuration details extracted from an SD-WAN manager can be used to impersonate authorised operators, modify routing policies, or stage a deeper network intrusion. CISA issued Emergency Directive ED-26-03 specifically for Cisco SD-WAN devices this month, reflecting the operational severity of the risk.
Severity and Score
Medium | CVSS 6.5
Type
Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Disclosure
February 25, 2026 (added to CISA KEV and confirmed exploited in April 2026)
Included in the CISA Known Exploited Vulnerabilities catalog
Exploitation Status
Actively exploited. Cisco confirmed exploitation in April 2026 and CISA added the vulnerability to the KEV catalog on April 20, issuing Emergency Directive ED-26-03 and mandating remediation for federal civilian agencies by April 24. CVE-2026-20133 was exploited alongside two related SD-WAN Manager vulnerabilities (CVE-2026-20128 and CVE-2026-20122) that Cisco had confirmed as exploited in early March.
Mitigation Strategies
Upgrade Cisco Catalyst SD-WAN Manager to fixed releases in the 20.12, 20.15, or 20.18 branches immediately; versions 20.11, 20.13, 20.14, and 20.16 are vulnerable and have no workaround available. Apply CISA’s supplemental hardening guidance from Emergency Directive ED-26-03 and its accompanying Hunt and Hardening guidance for Cisco SD-WAN devices. Restrict API access to SD-WAN Manager to trusted management network addresses at the firewall level, and enable comprehensive API logging to detect anomalous file-access patterns. Review all SD-WAN Manager API access logs for bulk data retrieval operations or requests to file system endpoints outside of normal operational patterns.
Conclusion
April 2026 will be measured against a consistent pattern that security teams have watched develop across the past twelve months: the window between vulnerability disclosure and active exploitation is no longer measured in weeks. Several of this month’s most serious issues, the cPanel zero-day, both FortiClient EMS flaws, and the Adobe Acrobat Reader bug, were being actively used by attackers before the public was informed a problem existed. Authentication bypasses dominated again: cPanel’s CRLF injection bypassed both passwords and two-factor authentication; the FortiClient EMS flaws let unauthenticated attackers reach management infrastructure that should have sat behind credential gates; and SharePoint’s spoofing bug was being used in the wild before the patch shipped. The Cisco SD-WAN Manager case adds a second dimension, information disclosure as a stepping stone, where credentials extracted from a network orchestration platform enable attacks that look legitimate from the inside.
The volume of critical patches is not the primary concern. What April demonstrated is that enterprise infrastructure is most at risk at its management plane: the control panels, endpoint managers, SD-WAN controllers, and message brokers that security teams assume are too well-protected or too obscure to be targeted first. Attackers have clearly updated that model. Organisations that prioritise these layers, restricting access to management interfaces, enforcing strong credential policies, and treating management-plane exposure as a network boundary, are in a meaningfully better position than those treating these systems as lower risk because they sit one hop behind production infrastructure.
Ready to secure your systems against these risks? Our cybersecurity service can help identify vulnerabilities, close gaps, and strengthen your defences before attackers exploit them.