The April 2026 Security Update Review
Monthly patch roundup focused on Adobe and Microsoft; particular priority given to an active Reader exploit and multiple elevation-of-privilege vulnerabilities in Windows components and SQL Server.
Comparing 26 June 2026 with the previous day 19 June 2026.
Monthly patch roundup focused on Adobe and Microsoft; particular priority given to an active Reader exploit and multiple elevation-of-privilege vulnerabilities in Windows components and SQL Server.
First documented exploitation of CVE-2026-12569 in Windchill demonstrates that threat actors are operationalizing PTC products as targets immediately after patches became available,German authorities have also previously warned about this vulnerability and a related CVE-2026-4681.
DirtyClone is the third variant in a series of Linux kernel flaws in the DirtyFrag family caused by incomplete flag propagation during packet cloning; each patch closed one code path while leaving others open.
Authenticated users with limited permissions can remove Admin accounts from an organization through a missing role hierarchy check in the bulk-delete API.
Turla continuously develops new .NET backdoors such as STOCKSTAY for targeted state-sponsored espionage against Ukraine and entities with Italy-related interests , signals escalating Russian-Ukrainian cyber-warfare with relevance to European critical infrastructure.
Russian state actors are conducting systematic social-engineering campaigns against messaging services, indicating operationalization of credential-harvesting as a geopolitical weapon.
Russian intelligence expands its Signal phishing campaign to specifically target backup recovery keys, which provide unlimited access to restored accounts and complete message history.
A double-free vulnerability in Windows IKEv2 enables unauthenticated remote code execution via crafted packets.
The vulnerability allows authenticated users to retrieve billing data from any organization without explicit authorization,a control loss over sensitive business data in the multi-organization model.
The vulnerability is already actively exploited for web shell deployment; it is the first PTC product vulnerability added to CISA's KEV catalog and signals rapid weaponization of newly disclosed flaws by threat actors.
May release covers 52 Adobe CVEs and numerous Microsoft patches with Adobe Commerce and Connect highest priority; no active wild exploitations reported.
The vulnerability allows authenticated users to inject arbitrary key-value pairs into webhook and SIEM payloads, undermining the reliability of security events and their interpretation in downstream systems.
An obsolete but still-signed Windows kernel driver can be abused as an attack vector in BYOVD scenarios to manipulate privileged processes like lsass.exe and extract credentials.
Node.js ignores CWE-427 risks on Windows systems through flawed module resolution logic that allows non-admin users to plant malicious modules under C:\node_modules, compromising installed applications.
HTML content in PDF rendering contexts can leak information about the rendering server via <img> tags with remote URLs or be exploited as an SSRF vector in the local network.
The vulnerability enables denial-of-service attacks against HMI and configuration functions via malformed network requests over exposed interfaces, causing critical downtime in production environments.
A vulnerability in PKCS#7 signature verification allows forged digital signatures to be accepted by failing to correctly bind the signer identity to the signature, affecting trust chains in Windows, Active Directory, and Office environments.
BSI warns of multiple vulnerabilities in widely deployed browsers with critical impact on code execution and denial-of-service capability.
BSI warns of multiple critical vulnerabilities in Microsoft Edge enabling remote code execution and security bypass; specific CVE numbers not provided.
The BSI warning indicates multiple patchable vulnerabilities, but without specific CVE numbers or exploit status this is a generic browser security notice without immediate escalation potential.
The Miasma campaign demonstrates a new escalation: attackers abuse compromised developer credentials to inject malware-laden packages via trusted npm registry and GitHub workflows, compromising downstream developers.
A popular Chrome extension with ten million installations was potentially compromised with a backdoor, pointing to an active supply-chain attack scenario.
BSI warning on multiple unspecified vulnerabilities in Chrome/Edge without concrete CVE numbers or exploitation details , typically aggregation of multiple CVEs from regular browser updates.
Authenticated attackers can exploit multiple vulnerabilities to manipulate critical password and management data or disclose sensitive information.
The Cisco SD-WAN vulnerability is already being actively exploited in the wild and enables attackers to gain root access to critical network devices.
No changes in this category.
No changes in this category.
FortiBleed is an active, Russian-speaking attack campaign targeting 86,644+ FortiGate devices globally, enabled by weak credential-management practices (default accounts, factory passwords), indicating direct perimeter compromise.
FortiBleed involves actively compromised systems with exposed VPN credentials from 73,000 devices globally and requires immediate password reset and access review for all Fortinet VPN users.
The BSI emergency notification at 2:30 AM underscores the severity of the vulnerability and indicates imminent exploitation or threat; this is a rare sign of acute danger in German government alert systems.
FortiBleed campaign demonstrates active exploitation of Fortinet devices by eCrime and Russian ransomware groups for lateral movement into Active Directory environments via MSP and telecom providers.
CISA has identified active credential exposure in production Fortinet devices and is urging hardening measures, indicating ongoing exploitation documented outside standard CVE channels.
BSI issues warning of multiple undisclosed vulnerabilities in Chrome and Edge without CVE details; details remain embargoed until stable patch release.
FortiBleed leak exposes VPN credentials for 73,000 Fortinet devices,a direct threat to organizations deploying FortiGate and FortiClient.
Gentlemen RaaS actively develops multiple EDR killer techniques to disable endpoint detection and response systems and thereby conceal ransomware attacks.
ClickOnce abuse allows threat actors to leverage legitimate Windows installation mechanisms for malware distribution and persistence while avoiding traditional detection signatures.
The Gentlemen group operates a mature, standardized EDR-killer ecosystem (GentleKiller framework) targeting over 400 security processes and leveraging BYOVD techniques with signed drivers,indicating organized, technically sophisticated ransomware infrastructure.