The Lyceum: Cyber Intelligence Daily — Apr 14, 2026
Tuesday, April 14, 2026
The Big Picture
Today is a patch-or-bleed day. Microsoft shipped its second-largest Patch Tuesday in history — 167 flaws, two zero-days, one already exploited in the wild — while CISA's Known Exploited Vulnerabilities catalog swelled by nine entries, including a Fortinet endpoint management flaw whose federal remediation deadline is April 16. ShinyHunters followed through on its Rockstar Games ransom threat at midnight, leaking 8.1 GB of data that reportedly includes anti-cheat source code and financial records. And a fresh Exploit-DB submission packages a ready-made RCE against unpatched React Server Components, lowering the bar for less sophisticated attackers to join a campaign that Chinese APT groups have been running since December. If your week has a triage queue, this is the day it overflows.
What Just Dropped
- CVE-2026-21643 — Fortinet FortiClient EMS 7.4.4: actively exploited unauthenticated SQL injection, CVSS 9.1, CISA KEV deadline April 16. Patch to FortiClient EMS 7.4.5 or later.
- CVE-2026-32201 — Microsoft SharePoint Server: exploited-in-the-wild XSS/spoofing zero-day, added to CISA KEV with April 28 deadline. Patch via April Patch Tuesday.
- CVE-2026-34621 — Adobe Acrobat and Reader (DC ≤26.001.21367, 24.x ≤24.001.30356): actively exploited RCE via crafted PDF, CVSS 9.6, KEV deadline April 27.
- CVE-2023-21529 — Microsoft Exchange Server: deserialization RCE (CVSS 8.8), now confirmed weaponized by Storm-1175 for Medusa ransomware delivery. KEV deadline April 27.
- CVE-2025-60710 — Microsoft Windows: actively exploited, added to KEV with April 27 deadline.
- React Server 19.2.0 RCE PoC — New Exploit-DB submission packages CVE-2025-55182 ("React2Shell") for unauthenticated RCE against default React Server Components configurations. CVSS 10.0, patched versions available since January.
- FortiWeb 8.0.2 RCE PoC — Exploit code for unpatched Fortinet WAF management interface uploaded to Exploit-DB. No CVE or vendor advisory yet — likely a zero-day. Restrict management interface access immediately.
Today's Stories
Patch Now or Explain Why: CISA Gives Federal Agencies Until April 16 on Fortinet's Actively-Exploited Flaw
If your organization uses Fortinet FortiClient EMS — the server that manages endpoint security policies, VPN access, and compliance across your device fleet — you have until April 16 to patch it. That is the federal remediation deadline CISA set; non-federal organizations should treat the date the same way.
CISA added CVE-2026-21643 to its Known Exploited Vulnerabilities catalog on April 13, confirming active exploitation. The vulnerability is an unauthenticated SQL injection — an attacker can slip malicious database commands through the web interface without ever logging in, achieving remote code execution on the server. According to Help Net Security, the flaw was introduced when FortiClient EMS version 7.4.4 refactored its multi-tenant middleware: the HTTP header identifying which tenant a request belongs to gets passed directly into a database query without sanitization, and this happens before any authentication check.
What makes this dangerous beyond the technical details: FortiClient EMS is often the central management server for hospitals, large enterprises, and government agencies. Compromise cascades quickly — owning the EMS server means owning the policies and access controls for every endpoint it manages. Greenbone's analysis reports approximately 2,000 FortiClient EMS instances still exposed on the public internet. WatchTowr CEO Benjamin Harris told Cybersecurity Dive this is "the second unauthenticated vulnerability in FortiClient EMS in a matter of weeks" and urged organizations to "treat this as an emergency response situation."
One vendor wrinkle worth noting: Fortinet's own PSIRT advisory page still shows "Known Exploited: No" — even as CISA's catalog says otherwise. Trust the latest exploitation signal, not the oldest vendor field. Patch to FortiClient EMS 7.4.5 or later immediately. If you can't patch by April 16, take the server offline and audit logs for anomalous SQL-like payloads in HTTP headers.
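To make the pattern concrete, here is an added illustration (not Fortinet's code, and not the actual FortiClient EMS payload): a pre-authentication tenant lookup that concatenates a header value into SQL, the same lookup with a bound parameter and an allow-list on the value, and the kind of log audit the paragraph above recommends. The header name, table layout, log format and log lines are all constructed.

```python
"""Illustrative pattern only (not FortiClient EMS code): a tenant header read
before authentication and used in SQL, vulnerable vs hardened, plus a log
audit for SQL-like header values. Header name, schema, log format and log
lines are constructed."""
import re
import sqlite3

TENANT_HEADER = "X-Tenant-Id"  # constructed header name


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the management database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE tenants (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT);
        INSERT INTO tenants VALUES (1, 'acme', 'key-acme'), (2, 'globex', 'key-globex');
        """
    )
    return conn


def resolve_tenant_vulnerable(conn: sqlite3.Connection, headers: dict) -> list:
    """Pre-auth tenant lookup built by string concatenation: whatever the
    client sends in the header becomes part of the SQL text."""
    tenant = headers.get(TENANT_HEADER, "")
    query = f"SELECT id, name, api_key FROM tenants WHERE name = '{tenant}'"
    return conn.execute(query).fetchall()


def resolve_tenant_hardened(conn: sqlite3.Connection, headers: dict) -> list:
    """Same lookup with a bound parameter and an allow-list on the value's
    shape, so the header can change the data but never the query."""
    tenant = headers.get(TENANT_HEADER, "")
    if not re.fullmatch(r"[a-z0-9-]{1,64}", tenant):
        return []
    return conn.execute(
        "SELECT id, name, api_key FROM tenants WHERE name = ?", (tenant,)
    ).fetchall()


# Loose signature for SQL fragments in a header value: a quote followed by an
# operator or comment, a timing function call, or UNION ... SELECT.
SQLI_HEADER_PATTERN = re.compile(
    r"(?i)['\"]\s*(or|and|union|select|;|--)|\b(sleep|benchmark|pg_sleep)\s*\(|\bunion\b.*\bselect\b"
)

# Constructed access-log lines: "<ip> <method> <path> hdr=\"<header value>\"".
SAMPLE_LOG = [
    '10.0.0.5 GET /api/v1/status hdr="acme"',
    '10.0.0.9 GET /api/v1/status hdr="\' OR \'1\'=\'1"',
    '10.0.0.9 GET /api/v1/status hdr="1; SELECT sleep(5)--"',
    '10.0.0.7 GET /api/v1/status hdr="globex"',
]


def suspicious_header_lines(log_lines) -> list:
    """Return (line_number, header_value) for lines whose header looks SQL-like."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'hdr="([^"]*)"', line)
        if m and SQLI_HEADER_PATTERN.search(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


if __name__ == "__main__":
    db = build_db()
    crafted = {TENANT_HEADER: "' OR '1'='1"}
    print("vulnerable:", resolve_tenant_vulnerable(db, crafted))  # every tenant's row
    print("hardened:  ", resolve_tenant_hardened(db, crafted))    # []
    print("audit hits:", suspicious_header_lines(SAMPLE_LOG))
```

The vulnerable function hands back every tenant's row (API keys included) for a header containing a quote and an OR clause; the parameterized one returns nothing for the same input and the right row for a well-formed tenant name. The regex in the audit pass is deliberately loose: expect false positives, review hits by hand, and treat any hit that predates your patch as a reason to hunt, not just to block.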
Microsoft's Biggest Patch Tuesday Ever: Two Zero-Days, 167 Flaws, One Already Being Exploited
If you run Windows, SharePoint, or Microsoft Defender — and you do — today's update is not optional.
Microsoft's April 2026 Patch Tuesday addresses 167 vulnerabilities, including eight rated critical and two zero-days. By Dustin Childs' count at the Zero Day Initiative, this is the second-largest monthly release in Microsoft's history. Childs noted that many vulnerability programs, including ZDI, are seeing submission rates essentially triple and suggested AI-assisted bug discovery as a contributing factor. That's good for disclosure and potentially very good for attackers running the same tools.
The zero-day already exploited in the wild is CVE-2026-32201, a SharePoint Server cross-site scripting flaw. According to Computer Weekly, an attacker who lures a user to a compromised SharePoint page can execute JavaScript in the victim's browser, steal session cookies or authentication tokens, and take over accounts — with phishing redirects or ransomware payloads as follow-on options. CISA has already added it to the KEV catalog.
The second zero-day, CVE-2026-33825, is a Microsoft Defender privilege escalation that lets a low-privileged local attacker escalate to full SYSTEM control. According to CyberScoop, proof-of-concept exploit code is publicly available — this is the BlueHammer exploit we flagged on April 8, now patched. Also worth immediate triage: CVE-2026-33824, a critical Windows Internet Key Exchange (IKE) RCE with a CVSS of 9.8. Per Security Boulevard, it can be exploited by an unauthenticated attacker sending crafted packets to any Windows machine with IKEv2 enabled — no credentials required.
What failure looks like: roughly 93 of the 167 bugs are privilege-escalation issues, 20 are remote-code-execution defects, and 21 are information-disclosure problems. That mix is a menu for attackers once they get a foothold. Expect a second wave of risk as exploit developers reverse-engineer patches this week. Run Windows Update today. If you manage SharePoint on-premises, that's your first stop.
ShinyHunters Followed Through: Rockstar Games Data Is Now Leaking
● United Kingdom
The April 14 deadline came and went — and ShinyHunters kept their word.
An 8.1 GB dataset reportedly linked to Rockstar Games surfaced today after the hacking group's ransom clock expired at midnight. According to Security Affairs, the leaked files include anti-cheat source code, player analytics, game assets, Zendesk support tickets, and financial information. ShinyHunters claims the total haul is up to 78.6 million records, though that figure remains unverified per Outlook Respawn.
The attack vector is the part that should make every enterprise security team uncomfortable. According to Computing, ShinyHunters did not breach Rockstar's systems or its Snowflake cloud data warehouse directly. Instead, they exploited access through Anodot — a third-party tool companies use to analyze cloud spending and performance. The attackers obtained authentication tokens (digital credentials that software systems use to communicate without repeated logins), and because Rockstar's Snowflake environment trusted those credentials, access appeared legitimate. This type of intrusion can look indistinguishable from normal automated processes.
Rockstar confirmed the breach but called the stolen data "non-material." The real story isn't Rockstar — it's that ShinyHunters is running a systematic campaign through third-party cloud analytics integrations. If your organization uses Snowflake, Anodot, or similar tools with persistent API tokens, audit those trust relationships today. Expect credential-stuffing waves and phishing lures themed around "leaked GTA builds" in the coming days.
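One way to start the audit the paragraph above calls for, as an added example that is not part of the page's own material and not Snowflake's, Anodot's or Rockstar's code: build a baseline of which client and source IP each integration account normally uses from a trusted window, then flag later logins from that account that deviate. The login-history rows, the SVC_ naming convention for service accounts, and the windows are constructed; in a real environment you would feed this from your warehouse's login-history view.

```python
"""Added audit example (not Snowflake, Anodot or Rockstar code): baseline the
client and source IP each integration account normally uses, then flag later
logins from that account that deviate. Rows, account naming and windows are
constructed."""
from collections import defaultdict
from datetime import datetime

SERVICE_PREFIX = "SVC_"  # constructed naming convention for integration accounts
AUDIT_START = datetime(2026, 4, 8)  # everything before this is the trusted baseline window

# Constructed login history: (timestamp, user, client, source_ip, success)
LOGIN_HISTORY = [
    ("2026-04-01T02:00:00", "SVC_ANODOT", "Anodot/3.1", "203.0.113.10", True),
    ("2026-04-02T02:00:00", "SVC_ANODOT", "Anodot/3.1", "203.0.113.10", True),
    ("2026-04-03T02:05:00", "SVC_ANODOT", "Anodot/3.1", "203.0.113.10", True),
    ("2026-04-05T02:00:00", "SVC_ANODOT", "Anodot/3.1", "203.0.113.10", True),
    ("2026-04-06T14:00:00", "ALICE", "SnowSQL/1.2", "192.0.2.4", True),
    ("2026-04-09T02:00:00", "SVC_ANODOT", "Anodot/3.1", "203.0.113.10", True),
    ("2026-04-11T23:41:00", "SVC_ANODOT", "python-connector/3.0", "198.51.100.77", True),
    ("2026-04-12T02:00:00", "SVC_ANODOT", "Anodot/3.1", "203.0.113.10", True),
    ("2026-04-12T03:10:00", "SVC_ANODOT", "Anodot/3.1", "198.51.100.77", True),
    ("2026-04-12T10:00:00", "ALICE", "SnowSQL/1.2", "198.51.100.77", True),
    ("2026-04-13T02:00:00", "SVC_BILLING", "custom-etl/0.9", "203.0.113.44", True),
]


def build_baseline(rows, window_end):
    """Per service account: the (client, ip) pairs and hours of day seen in
    successful logins before window_end. Human accounts are out of scope."""
    baseline = defaultdict(lambda: {"pairs": set(), "hours": set()})
    for ts, user, client, ip, ok in rows:
        t = datetime.fromisoformat(ts)
        if not ok or not user.startswith(SERVICE_PREFIX) or t >= window_end:
            continue
        baseline[user]["pairs"].add((client, ip))
        baseline[user]["hours"].add(t.hour)
    return baseline


def find_deviations(rows, baseline, window_start):
    """Successful service-account logins at or after window_start that use a
    client/ip pair or an hour the account never used in the baseline, or that
    belong to an account with no baseline at all (a token nobody knew about)."""
    findings = []
    for ts, user, client, ip, ok in rows:
        t = datetime.fromisoformat(ts)
        if not ok or not user.startswith(SERVICE_PREFIX) or t < window_start:
            continue
        profile = baseline.get(user)
        reasons = []
        if profile is None:
            reasons.append("no baseline for account")
        else:
            if (client, ip) not in profile["pairs"]:
                reasons.append(f"new client/ip {client}@{ip}")
            if t.hour not in profile["hours"]:
                reasons.append(f"unusual hour {t.hour:02d}")
        if reasons:
            findings.append((ts, user, reasons))
    return findings


if __name__ == "__main__":
    base = build_baseline(LOGIN_HISTORY, AUDIT_START)
    for ts, user, reasons in find_deviations(LOGIN_HISTORY, base, AUDIT_START):
        print(ts, user, "; ".join(reasons))
```

On the constructed data this flags the connector login from an unfamiliar IP, the off-hours login from that same IP, and a billing account that never appeared in the baseline. The caveat is the one the story itself makes: a token replayed from the vendor's own infrastructure would show the expected client and IP and would sail through this check, so pair it with query-volume and query-pattern baselines and with an inventory of which integrations should still exist at all.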
Exchange Server Is Being Used to Deliver Medusa Ransomware — And CISA Just Added It to the KEV
A Microsoft Exchange Server vulnerability from 2023 just got a lot more urgent — because it's now confirmed as a ransomware delivery mechanism.
CVE-2023-21529 is a deserialization vulnerability (the server is tricked into treating malicious data as trusted instructions) in Exchange Server with a CVSS of 8.8. According to The Hacker News, Microsoft revealed that a threat actor it tracks as Storm-1175 has been weaponizing this flaw to deliver Medusa ransomware. CISA added it to the KEV catalog with a federal deadline of April 27.
The "authenticated attacker" requirement sounds reassuring — someone needs valid credentials first — but in practice, credential theft is cheap and common, and Exchange servers are high-value targets frequently exposed to the internet. Medusa ransomware has hit healthcare, education, and government targets across the U.S. and Europe over the past twelve months. Storm-1175 is a Microsoft threat actor designation — meaning it's a tracked, active group, not a one-off.
What this changes: if your Exchange Server hasn't been patched since early 2023, you may already be a target. Check your patch level and audit for unusual authentication events. The broader signal from CISA's batch this week — which also included CVE-2009-0238 (an Office RTF parsing bug from 2009) and CVE-2020-9715 (an Adobe Acrobat flaw from 2020) — is that attackers are still feasting on patch debt rather than inventing brand-new exploits.
⚡ What Most People Missed
An AI agent found a 23-year-old Linux privilege escalation. Independent researcher Michael Lynch documented how Anthropic's Claude Code CLI agent autonomously discovered a race condition in legacy kernel modules that previous fuzzers and human reviewers missed. The finding is under embargo with Linux maintainers — no CVE yet — but the methodological takeaway matters: AI agents are now capable of finding subtle, long-lived bugs in even the most heavily audited codebases. Defenders should assume offensive AI tooling has reached tactical parity.
Canada's central bank is convening lenders over AI model risk. According to the Ctrl+AI+Reg newsletter, the Bank of Canada is meeting with financial institutions to discuss cybersecurity risks from Anthropic's "Mythos" AI model — not a software bug, but systemic concern about how powerful models change attack surfaces for regulated institutions. If you operate or consume third-party AI models in financial services, expect increased scrutiny.
From the Foreign Press
Masjesu DDoS Botnet Targets IoT Devices
Xakep.ru reported today on a new DDoS botnet called Masjesu that is aggressively recruiting IoT devices — routers, cameras, and smart appliances that most organizations never patch. The botnet is being used not just for volumetric DDoS attacks but also as a proxy layer, meaning compromised devices relay malicious traffic to evade simple IP-based blocking. IoT botnets are the infrastructure behind the largest DDoS attacks on record; a new one entering the ecosystem during a period of heightened geopolitical tension is worth tracking. No English-language coverage has appeared yet.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
ClipBanker Trojan Disguised as Proxy Configuration Tool
Xakep.ru reported yesterday on a ClipBanker variant — malware that silently replaces cryptocurrency wallet addresses in your clipboard when you copy-paste — now masquerading as a legitimate proxy setup utility. The disguise is specifically designed to target security-conscious users who already use proxies, making it a social engineering refinement rather than a technical breakthrough. Additional reporting notes an Android-focused variant initially targeting Russian-speaking users, with global spread considered likely.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
Chrome's Device Bound Session Credentials Rolling Out
Xakep.ru reported today that Google is deploying "Device Bound Session Credentials" (DBSC) in Chrome, which ties session cookies to specific hardware using device-backed cryptographic keys. A stolen cookie replayed from another machine will fail authentication — a targeted countermeasure against infostealer-driven session hijacking, one of the most profitable techniques in the initial access economy. The rollout is gradual via Chrome updates; organizations relying on browser session security in SSO or automation scenarios should test for compatibility.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
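The replay failure described above, as an added model that is not Google's code or Chrome's implementation. Real DBSC binds the session to an asymmetric key the device holds in its TPM or OS keystore and has the browser sign server challenges; to stay within the Python standard library this model uses an HMAC over a per-device key as the stand-in for that signature, which means the server here learns the same key where the real protocol would only receive the public half. Cookie lifetime, challenge format and class names are constructed.

```python
"""Added model of a device-bound session (not Chrome/DBSC code). Real DBSC
uses an asymmetric key held by the device and browser-signed challenges; here
an HMAC over a per-device key stands in for the signature so that only the
standard library is needed. Cookie lifetime and formats are constructed."""
import hashlib
import hmac
import secrets
import time

COOKIE_TTL = 5  # seconds; constructed, real deployments use minutes


class DeviceBoundServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}    # session_id -> binding key (stands in for the device public key)
        self.cookies = {}     # cookie value -> (session_id, expiry)
        self.challenges = {}  # session_id -> outstanding single-use nonce

    def _issue_cookie(self, session_id):
        value = secrets.token_urlsafe(16)
        self.cookies[value] = (session_id, self.clock() + COOKIE_TTL)
        return value

    def start_session(self, binding_key):
        """Registration after login: remember the device key, hand out a short-lived cookie."""
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = binding_key
        return session_id, self._issue_cookie(session_id)

    def cookie_valid(self, cookie):
        entry = self.cookies.get(cookie)
        return entry is not None and self.clock() < entry[1]

    def challenge(self, session_id):
        nonce = secrets.token_bytes(16)
        self.challenges[session_id] = nonce
        return nonce

    def refresh(self, session_id, proof):
        """Issue a new cookie only if the proof was made with the session's device key."""
        nonce = self.challenges.pop(session_id, None)
        key = self.sessions.get(session_id)
        if nonce is None or key is None:
            return None
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None
        return self._issue_cookie(session_id)


class Device:
    def __init__(self):
        self._key = secrets.token_bytes(32)  # stands in for the TPM-held private key

    def binding_key(self):
        # The HMAC stand-in has to share the key; real DBSC exports only the public half.
        return self._key

    def prove(self, nonce):
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class FakeClock:
    """Injectable clock so the expiry behaviour is deterministic."""
    def __init__(self, now=1000.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_scenario():
    """Legitimate device vs. an infostealer that copied the cookie and session id."""
    clock = FakeClock()
    server = DeviceBoundServer(clock)
    device = Device()
    session_id, cookie = server.start_session(device.binding_key())
    stolen_cookie = cookie  # what an infostealer exfiltrates
    out = {}
    out["stolen_works_while_fresh"] = server.cookie_valid(stolen_cookie)
    clock.advance(COOKIE_TTL + 1)
    out["stolen_after_expiry"] = server.cookie_valid(stolen_cookie)
    # Attacker knows the session id but not the device key: forged proof is rejected.
    nonce = server.challenge(session_id)
    forged = hmac.new(b"attacker-guess", nonce, hashlib.sha256).digest()
    out["attacker_refresh"] = server.refresh(session_id, forged) is not None
    # The real device answers the next challenge and gets a fresh cookie.
    nonce = server.challenge(session_id)
    new_cookie = server.refresh(session_id, device.prove(nonce))
    out["device_refresh"] = new_cookie is not None and server.cookie_valid(new_cookie)
    # Challenges are single-use, so a captured proof cannot be replayed either.
    out["proof_replay"] = server.refresh(session_id, device.prove(nonce)) is not None
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The stolen cookie still works until it expires, which is why the short lifetime matters as much as the binding; what the attacker cannot do is mint the next one. That is also the behaviour to look for when testing SSO or automation flows for compatibility: anything that copies a cookie between hosts and expects it to keep working will break at the first refresh.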
📅 What to Watch
- If a PoC for CVE-2026-33824 (Windows IKE, CVSS 9.8) drops this week, treat it as an emergency — unauthenticated, network-reachable, low-complexity RCE is exactly the profile that gets weaponized within hours, not days.
- If ShinyHunters' leaked anti-cheat source code is confirmed authentic, expect cheating communities to weaponize it within days and watch for Rockstar to quietly invalidate Anodot-linked API tokens — which would signal more victims in this campaign are still unannounced.
- If PDF-themed phishing lures spike this week, assume attackers are operationalizing CVE-2026-34621 at scale — the four-month exploitation window before Adobe's patch suggests a sophisticated operator is already ahead.
- If Fortinet issues an advisory for FortiWeb 8.0.2 matching today's Exploit-DB submission, it confirms a zero-day in a perimeter appliance has been circulating in the wild; if they stay silent, assume it's already being used by initial access brokers.
- If your endpoint teams report patch failures on April's 167 Microsoft fixes, expect the window after attackers finish diffing the updates to be especially dangerous as exploit chains and privilege-escalation fixes get weaponized.
The Closer
A Fortinet server that trusts any HTTP header it receives, a SharePoint page that runs whatever JavaScript an attacker left behind, and a hacking group that treats ransom deadlines like calendar invites — punctual and non-negotiable.
Somewhere, a proxy configuration tool is helpfully swapping your Bitcoin wallet address for someone else's, which is at least more honest than most fintech marketing.
Eyes open, patches applied.
If someone you know runs FortiClient EMS, SharePoint, or opens PDFs for a living — so, everyone — forward this their way.