WEEKLY TOP TEN: April 20, 2026, 16:00 GMT
- Ransomware Criminals and Nation-State Actors Exploit Four Old Microsoft Vulnerabilities
CISA added four Microsoft vulnerabilities to its Known Exploited Vulnerabilities catalog, including one patched nearly 14 years ago, after ransomware groups and other threat actors were observed actively weaponizing the flaws. Federal agencies were given a two-week deadline to apply patches. The agency also added two Adobe vulnerabilities on the same day, including a prototype pollution flaw in Acrobat and Reader tracked as CVE-2026-34621, which had been exploited as a zero-day for months before Adobe released a patch over the preceding weekend.

- McGraw Hill Confirms Data Breach Tied to Salesforce Misconfiguration
McGraw Hill confirmed unauthorized access to data hosted in a Salesforce environment after ShinyHunters added the education publisher to its dark web leak site and claimed to have stolen 45 million Salesforce records. The company stated that the exposure stemmed from a misconfiguration in Salesforce’s environment affecting multiple organizations, and that no Social Security numbers, financial account data, or student-generated content was compromised. Have I Been Pwned confirmed approximately 13.5 million unique email addresses were included in data distributed publicly, alongside names, physical addresses, and phone numbers.

- Cookeville Regional Medical Center Notifies 337,917 Patients of Rhysida Ransomware Breach
Cookeville Regional Medical Center in Tennessee began mailing breach notification letters to 337,917 individuals approximately nine months after a July 2025 ransomware attack. The Rhysida ransomware-as-a-service group claimed responsibility, demanded 10 Bitcoin in ransom, and published data it was unable to sell. Exposed information varies by individual but may include names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account details, medical records, and health insurance data. The incident was reported to HHS in August 2025 with a placeholder figure, and the full file review was completed in March 2026.

- Microsoft SharePoint Zero-Day CVE-2026-32201 Patched After Active Exploitation
SecurityWeek’s coverage of the April 2026 Patch Tuesday highlighted the actively exploited SharePoint Server spoofing vulnerability CVE-2026-32201, rated important with a CVSS score of 6.5, which allows unauthorized attackers to view and alter sensitive information via improper input validation. CISA placed the flaw on its KEV list with a federal patching deadline of April 28. Security analysts also flagged 19 additional vulnerabilities as having an exploitability rating of "exploitation more likely," urging enterprise administrators to prioritize patching of internet-facing SharePoint servers and privileged workloads.

- BlueHammer Windows Zero-Day Signals Deeper Fractures in Microsoft’s Bug Disclosure Process
Dark Reading’s coverage of the BlueHammer exploit release focused on the broader implications for researcher-vendor relations after a disgruntled security researcher using the alias Chaotic Eclipse publicly dropped exploit code for an unpatched Windows privilege escalation flaw on April 2. The flaw, now tracked as CVE-2026-33825, was confirmed as a local privilege escalation combining a time-of-check-to-time-of-use race condition and path confusion that gives attackers access to the Security Account Manager database and ultimately SYSTEM privileges. Analysts warned that the public availability of the exploit sharply reduces the barrier for follow-on attackers, a risk that materialized when Huntress confirmed active in-the-wild exploitation days later.

- CISA Orders Federal Agencies to Patch 13-Year-Old Apache ActiveMQ Flaw Under Active Attack
CISA added CVE-2026-34197, a code injection vulnerability hiding in Apache ActiveMQ for 13 years, to its Known Exploited Vulnerabilities catalog and gave federal agencies until April 30 to apply fixes. Attackers can exploit the flaw through the broker’s Jolokia JMX-HTTP bridge to execute arbitrary OS commands, and in some configurations the endpoint requires no credentials. Horizon3.ai researcher Naveen Sunkavally, who used Claude AI to help uncover the bug, noted the flaw is effectively an unauthenticated RCE in older versions. Shadowserver tracked over 8,000 exposed ActiveMQ instances reachable from the public internet, and Fortinet telemetry showed exploitation attempts peaking on April 14.

- Exploited Critical Nginx UI Vulnerability CVE-2026-33032 Exposes Thousands of Servers
Hackers began actively exploiting CVE-2026-33032, a critical CVSS 9.8 authentication bypass vulnerability in the Nginx UI web management tool, discovered by Pluto Security researchers in its Model Context Protocol integration. An unauthenticated attacker can chain the flaw with a separate backup download vulnerability to extract credentials and gain full control of Nginx server configurations without any authentication. Pluto Security identified over 2,600 internet-exposed instances via Shodan. A patch was released in version 2.3.4, and organizations running Nginx UI before version 2.3.3 are urged to update immediately given the zero-credential exploitation path available to remote attackers.

- Operation PowerOFF Seizes 53 DDoS-for-Hire Domains and Uncovers 3 Million Criminal Accounts
A coordinated law enforcement action across 21 countries on April 13 disrupted the global DDoS-for-hire ecosystem, seizing 53 domains, issuing 25 search warrants, and making four arrests. Authorities sent over 75,000 warning emails to identified users of booter services and uncovered approximately 3 million criminal accounts. Prevention campaigns were also launched targeting young people searching for DDoS attack tools, and over 100 malicious URLs were removed. The action marks the latest phase of the ongoing Operation PowerOFF initiative, which previously dismantled 27 popular booter platforms in December 2024 and took down the RapperBot botnet in August 2025.

- Fortinet Releases Emergency Patch for Actively Exploited FortiClient EMS Flaw CVE-2026-35616
Fortinet issued an emergency weekend security update for a critical improper access control vulnerability in FortiClient Enterprise Management Server, tracked as CVE-2026-35616, after confirming it was being actively exploited in the wild. Discovered by Defused, the flaw allows unauthenticated attackers to bypass authentication and authorization controls entirely and execute code via specially crafted API requests. Shadowserver identified over 2,000 exposed FortiClient EMS instances publicly reachable online. The vulnerability follows a separate critical FortiClient EMS flaw, CVE-2026-21643, also discovered by Defused and also actively exploited, which was reported the previous week.

- Rockstar Games Breach Traced to Third-Party Analytics Provider Anodot
Rockstar Games confirmed a data breach after ShinyHunters claimed to have accessed the company’s Snowflake cloud storage environment via a compromise of Anodot, a cloud analytics platform. The group issued a ransom deadline of April 14, 2026, which passed without payment, after which stolen data was leaked. Rockstar stated that the incident involved a limited amount of non-material company information and had no impact on players. The breach exposed internal analytics, support ticket metrics, and game economy data, but no player accounts or GTA VI game assets were reportedly accessed.
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The 10 stories above were judged the most significant of the week, are ranked by highest risk, and draw on multiple sources where available.