The Lyceum: Cyber Intelligence Daily — Apr 16, 2026
Thursday, April 16, 2026
The Big Picture
Today is deadline day for Fortinet's actively exploited SQL injection flaw — and roughly 2,000 FortiClient EMS servers are still exposed on the internet. Meanwhile, North Korea's fingerprints are now confirmed on the Axios supply-chain attack that led OpenAI to revoke its macOS code-signing certificates, and a joint multi-agency advisory quietly flagged active exploitation of a Cisco SD-WAN authentication bypass that may have been going on since 2023. The thread connecting all three: the things organizations trust most — their endpoint management servers, their software dependencies, their network control planes — are exactly what attackers are targeting.
What Just Dropped
- CVE-2026-21643 — Fortinet FortiClient EMS 7.4.4: actively exploited, patched in 7.4.5+, CISA KEV deadline expires today (April 16). Unauthenticated SQL injection gives remote attackers admin-level database access to endpoint management infrastructure.
- CVE-2009-0238 — Microsoft Office Excel (2009-era): actively exploited, KEV-added April 14, remediation due April 28. A 17-year-old RCE flaw still finding unpatched machines in the wild.
- CVE-2026-32201 — Microsoft SharePoint Server: actively exploited, patched in April Patch Tuesday, remediation due April 28. Improper input validation enables network spoofing.
- FortiWeb 8.0.2 RCE exploit (EDB-52502) — Public proof-of-concept for Fortinet FortiWeb web application firewall. Lowers exploitation threshold from nation-state to commodity actors; upgrade to 8.0.3+ immediately.
- React Server RCE PoC (EDB-52506) — Proof-of-concept for CVE-2025-55182 affecting React Server Components 19.0.0–19.2.0. Deserialization flaw enables unauthenticated remote code execution on frameworks like Next.js.
- CVE-2026-20127 — Cisco SD-WAN: authentication bypass under active exploitation per a joint advisory. No NVD score yet. Attackers chaining with CVE-2022-20775 for persistent network-wide access.
Today's Stories
The Axios Supply Chain Attack Hit OpenAI's Code-Signing Pipeline — and North Korea Is Behind It
● North Korea · South Korea
Most supply-chain attacks steal data. This one went after the digital seal of approval that tells your Mac a piece of software is genuinely from OpenAI.
On March 31, a widely used developer library called Axios — a tool for making HTTP requests that's installed in roughly 80 percent of cloud environments as of April 2026 and downloaded about 100 million times per week in early 2026 — was compromised after attackers gained access to a GitHub account used to publish Axios releases. A GitHub Actions workflow OpenAI uses in its macOS app-signing process automatically pulled and executed the poisoned version (1.14.1). That workflow had access to the certificate and notarization material OpenAI uses to sign ChatGPT Desktop, Codex, Codex-cli, and Atlas for macOS — the cryptographic proof that tells Apple's operating system "this software is legitimate," according to OpenAI's disclosure.
The attack has been attributed to UNC1069, a North Korea-linked group typically focused on cryptocurrency theft. According to SecurityWeek, cybersecurity firm Huntress found evidence of compromise on 135 machines during its investigation, and Wiz observed the malicious version executed in 3 percent of affected environments during its analysis. The root cause, per OpenAI's own post-mortem, was a misconfiguration: the workflow used a floating tag instead of a pinned commit hash and had no minimum release age for new packages — meaning it would automatically pull whatever the latest Axios version happened to be, including a poisoned one.
OpenAI says it found no evidence of compromise to existing software installations. But if you use any OpenAI macOS app, you need to update before May 8 — after that date, apps signed with the old certificate will be blocked by macOS protections, according to BleepingComputer. The underlying vulnerability, CVE-2025-62718, carries a CVSS score of 9.9 in NVD. CISA added a related supply-chain CVE (CVE-2026-33634) to its KEV catalog.
What changes: every engineering team that uses Axios — which is most of them — needs to audit their CI/CD pipelines, lock dependencies to specific commit hashes, and check their SBOMs. The broader lesson is that code-signing infrastructure is now a first-class target, not an afterthought. What to watch: The Hacker News reports UNC1069 has since partnered with financially motivated groups like LAPSUS$ and ShinyHunters and launched a ransomware operation called CipherForce — meaning the credentials harvested from this campaign may fuel attacks for months.
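As an added illustration of the two controls named in the post-mortem above (pinning to a full commit hash and enforcing a minimum release age), this is example code written for this newsletter, not code from OpenAI, Axios or the article. The registry timestamps, the clock value and the `select_version`/`is_pinned_ref` helpers are all constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of npm-registry-style "time" metadata (version -> publish time).
# Not real Axios data: the newest entry stands in for a release pushed hours ago.
SAMPLE_RELEASE_TIMES = {
    "1.13.0": "2026-02-20T10:00:00Z",
    "1.14.0": "2026-03-10T09:30:00Z",
    "1.14.1": "2026-03-31T02:15:00Z",  # hypothetical just-published version
}

NOW = datetime(2026, 3, 31, 8, 0, tzinfo=timezone.utc)  # constructed build-time clock

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _version_key(v):
    return tuple(int(p) for p in v.split("."))

def eligible_versions(release_times, now, min_age_days):
    """Versions that have been public for at least min_age_days, newest first."""
    cutoff = now - timedelta(days=min_age_days)
    ok = [v for v, ts in release_times.items() if _parse(ts) <= cutoff]
    return sorted(ok, key=_version_key, reverse=True)

def select_version(release_times, now, min_age_days=7):
    """Minimum-release-age gate: the newest version old enough to install, or None.
    A build that used this would not have picked up a version published hours ago."""
    ok = eligible_versions(release_times, now, min_age_days)
    return ok[0] if ok else None

FULL_SHA = re.compile(r"[0-9a-f]{40}")

def is_pinned_ref(uses):
    """True when a workflow 'uses:' reference is pinned to a full commit SHA.
    A floating tag such as 'owner/action@v4' can be moved; a SHA cannot."""
    if "@" not in uses:
        return False
    _, ref = uses.rsplit("@", 1)
    return FULL_SHA.fullmatch(ref) is not None

if __name__ == "__main__":
    print(select_version(SAMPLE_RELEASE_TIMES, NOW))       # 1.14.0
    print(is_pinned_ref("actions/checkout@v4"))            # False
    print(is_pinned_ref("actions/checkout@" + "a" * 40))   # True
```

Run the release-age check against the registry metadata for every dependency a signing workflow resolves, and fail the build on any `uses:` line that `is_pinned_ref` rejects.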
Today's the Deadline: Fortinet's Actively Exploited SQL Injection Flaw Has No More Runway
● Belgium
If your organization runs Fortinet FortiClient EMS — the central server that manages endpoint security policies, VPN access, and compliance across your device fleet — today is the day CISA said federal agencies must be patched. The clock has run out on CVE-2026-21643.
The flaw is a SQL injection bug, which means an attacker can slip malicious database commands into a routine web request. The dangerous part: it requires zero authentication. According to Help Net Security, the vulnerability was introduced when FortiClient EMS version 7.4.4 refactored its database layer to support multi-tenant deployments. An HTTP header used to identify which customer a request belongs to gets passed directly into a database query without sanitization — and this happens before any login check. Anyone who can reach the EMS web interface over HTTPS can exploit it.
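To make the pre-authentication header-to-query pattern described above concrete, here is an added example written for this newsletter (not Fortinet code, and not derived from the EMS product): a tenant lookup that splices the header into SQL, beside a hardened version that validates the identifier against an allowlist and uses a parameterised query. The table, tenant names and the crafted header value are constructed for the demonstration.

```python
import re
import sqlite3

def build_db():
    """Constructed in-memory tenant table standing in for a multi-tenant management DB."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tenants (id TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO tenants VALUES (?, ?)",
                   [("acme", "Acme Corp"), ("globex", "Globex Inc")])
    return db

def lookup_tenant_unsafe(db, header_value):
    """The pattern the article describes: untrusted header text is spliced into SQL
    before any login check. Shown only to contrast with the hardened version."""
    sql = f"SELECT id, name FROM tenants WHERE id = '{header_value}'"
    return db.execute(sql).fetchall()

# Tenant identifiers are short opaque tokens; anything else is rejected before the DB is touched.
TENANT_ID = re.compile(r"[a-z0-9][a-z0-9-]{0,31}")

def lookup_tenant_safe(db, header_value):
    """Hardened lookup: allowlist validation plus a bound parameter, so the header
    value can only ever be compared as data, never parsed as SQL."""
    if header_value is None or TENANT_ID.fullmatch(header_value) is None:
        return []
    return db.execute("SELECT id, name FROM tenants WHERE id = ?",
                      (header_value,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"   # constructed malformed header value
    print(lookup_tenant_unsafe(db, crafted))   # every tenant row comes back
    print(lookup_tenant_safe(db, crafted))     # []
    print(lookup_tenant_safe(db, "acme"))      # [('acme', 'Acme Corp')]
```

A web-access log showing tenant headers that fail the allowlist regex is a cheap detection signal for probing of an EMS-style interface while the patch is rolled out.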
The blast radius is significant: compromising the EMS hub exposes every connected endpoint's security policies. Belgium's CCB warned that a similar FortiClient EMS flaw — CVE-2023-48788 — was leveraged in ransomware campaigns, and similar targeting is expected here. Greenbone reports roughly 2,000 FortiClient EMS instances remain reachable on the internet as of April 2026, and the product now faces two simultaneously active critical CVEs (CVE-2026-21643 and CVE-2026-35616). The fix: upgrade to FortiClient EMS 7.4.5 or above, per Horizon3.ai.
What to watch: if ransomware incidents tied to FortiClient EMS surface by Friday, April 17, it would indicate threat actors are capitalizing on today's KEV deadline expiration — the same playbook used after CVE-2023-48788. The chaining possibility between the two active CVEs hasn't been publicly ruled out.
Joint Advisory Flags Active Exploitation of Cisco SD-WAN Auth Bypass — CVE-2026-20127
● New Zealand · Australia · Canada · United Kingdom
A joint advisory from CISA, the NSA, Australia's ASD, Canada's Cyber Centre, New Zealand's NCSC, and the UK's NCSC documents active exploitation of a previously undisclosed authentication bypass in Cisco SD-WAN systems. SD-WAN — Software-Defined Wide Area Network — is the technology that connects branch offices, remote sites, and cloud environments for large enterprises and government agencies. Compromising the SD-WAN controller is roughly equivalent to owning the highway system: you can reroute traffic, intercept communications, and maintain persistence across every connected site.
The advisory describes attackers exploiting CVE-2026-20127 for initial access, then chaining it with CVE-2022-20775 — a four-year-old privilege escalation bug — to reach root-level access. That combination of a fresh zero-day with known-good older tooling is a classic nation-state playbook. Cisco Talos reports the actor (tracked as UAT-8616) had access patterns going back to 2023 and likely used version downgrade techniques to escalate — a patient approach that points to infrastructure-level persistence rather than opportunistic exploitation.
What changes: any organization running Cisco SD-WAN needs to inventory systems, collect artifacts including virtual snapshots and logs, fully patch, and hunt for compromise indicators today. The advisory's composition and an acknowledged contribution from CERT Polska suggest geographic breadth and likely nation-state attribution that hasn't been publicly named yet. What failure looks like: organizations that treat this as a routine patch cycle rather than an active hunt will miss the fact that the advisory describes intrusions potentially dating back years. Note: this surfaced via a government aggregator feed; verify against the official CISA advisory for the most current IOCs.
Operation TrueChaos Shows How a Video-Conferencing Updater Became a Government Malware Pipeline
The scariest attacks now look boring at first glance. In Check Point Research's write-up on "Operation TrueChaos," the dangerous part wasn't a flashy zero-click exploit — it was a software update prompt inside TrueConf, an on-premises video-conferencing platform used by governments and critical infrastructure.
Check Point says CVE-2026-3502 let an attacker controlling an on-premises TrueConf server push arbitrary files to connected endpoints because the client didn't properly verify update integrity. The vendor observed the bug exploited in targeted campaigns against Southeast Asian government entities, where attackers used the poisoned update flow to deploy Havoc — an open-source post-exploitation framework increasingly seen in real intrusions. Check Point assesses with moderate confidence that the campaign links to a Chinese-nexus espionage actor. The TrueConf Windows client fix shipped in version 8.5.3.
What changes: if on-premises management or update services can be turned into distribution channels, a lot of internal-only software should be re-evaluated as high-risk attack surface. The mental model of "internal server equals trusted server" is now demonstrably wrong. What to watch: if TrueConf-style updater abuse shows up in other on-prem products, expect a broader industry reckoning with how internal software distribution is authenticated. Check Point's documentation also highlights that these regional zero-day campaigns often act as proving grounds for techniques that later appear against Western infrastructure.
⚡ What Most People Missed
- The Nginx UI AI endpoint hack is a preview of what's coming. An unauthenticated remote takeover vulnerability (CVE-2026-33032) in Nginx UI's newly added AI integration is being actively exploited, with over 2,600 exposed instances found as of April 2026. The flaw stems from a Model Context Protocol endpoint that was granted the same execution privileges as core services but bypassed established access controls. Patch to version 2.3.4 and stop treating AI features as "just another API."
- Cisco quietly fixed a Webex SSO flaw that could let attackers impersonate any user. CVE-2026-20184, disclosed April 15, is a critical certificate-validation bug in the SSO path between Control Hub and Webex Services. The awkward part: Cisco says the backend fix alone isn't enough — organizations using SSO need to upload a new identity-provider SAML certificate in Control Hub, with no workaround. No in-the-wild exploitation confirmed yet, but the trust boundary is the dangerous part, not the app itself.
- The UK government published an open letter warning that AI is materially accelerating cyber threats. The letter, published April 2026 and backed by AISI testing data, assessed that frontier model offensive capability is doubling on roughly a 120-day cadence — meaning public proof-of-concepts that previously took weeks to weaponize can now be generated far faster, lowering the bar for commodity actors across every vulnerability in today's newsletter.
- Germany's BKA named REvil's "UNKN" — but the real question is what he's been doing since 2021. The identification of 31-year-old Daniil Shchukin as the operator behind GandCrab and REvil is solid (corroborated by Krebs, BleepingComputer, The Hacker News, and BKA's own advisory). The five-year gap between REvil's collapse and today is long enough to have built or joined something entirely new — and BKA notes his "travel behavior cannot be ruled out."
From the Foreign Press
Xakep.ru: OpenAI Revokes macOS Certificate After Axios Compromise
Xakep.ru published details on the OpenAI certificate revocation ahead of much English-language coverage, emphasizing the technical scope of the Axios compromise and the specific signing materials affected. The Russian outlet highlighted CVE-2025-62718 (the underlying Axios vulnerability, CVSS 9.9) and noted that the revocation affects all OpenAI macOS applications signed before the rotation. The piece provides additional context on the timeline of the compromise that supplements the English-language reporting from BleepingComputer and SecurityWeek. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
CERT-UA Advisory: Hospitals, Local Governments, and FPV Drone Operators in UAC-0247's Crosshairs
CERT-UA's advisory documents an intensifying campaign by the threat cluster UAC-0247 targeting Ukrainian healthcare facilities, municipal authorities, and operators of first-person-view drones used in the conflict. The advisory details a broad toolkit: CHROMELEVATOR for browser credential theft, ZAPIXDESK for WhatsApp data harvesting, RUSTSCAN for reconnaissance, LIGOLO-NG and CHISEL for tunneling, and the AGINGFLY backdoor delivered via trojanized FPV drone software through DLL side-loading. The mixed civilian-and-battlefield targeting pattern — hospitals and drone operators in the same campaign — suggests a deliberate effort to disrupt both humanitarian and military operations simultaneously. The Telegram channel @dsszzi_official flagged the advisory on April 15. Source: CERT-UA Advisory #6288271 — Ukrainian. Limited English-language coverage at time of publication.
📅 What to Watch
- If ransomware incidents tied to FortiClient EMS surface by Friday, April 17, it confirms attackers are capitalizing on today's KEV deadline expiration — the same playbook used after CVE-2023-48788.
- If more vendors disclose fallout from the Axios npm compromise, it will indicate the attack touched build or signing workflows well beyond OpenAI — and UNC1069's CipherForce ransomware operation may have a much larger victim pool than the 135 machines Huntress initially reported during its investigation.
- If the Cisco SD-WAN advisory's attribution is eventually named publicly, the three-year persistence timeline suggests a tier-one nation-state actor with infrastructure-level ambitions, not an opportunistic crew.
- If Orthanc DICOM server PoCs emerge for CVE-2026-5442/5443, hospital imaging systems could face targeted disruption that impedes radiology workflows and forces emergency rerouting of diagnostic imaging — a direct patient-care impact rather than just IT downtime.
- If AI-endpoint vulnerabilities like the Nginx UI flaw (CVE-2026-33032) multiply across other products, "AI integration" will shift from a feature differentiator to a recognized attack surface category in enterprise risk frameworks, forcing vendors to treat model-serving endpoints as high-assurance components.
The Closer
A 17-year-old Excel bug back from the dead like a horror franchise villain, North Korea stealing OpenAI's digital signature through a JavaScript library, and a video-conferencing updater that turned Southeast Asian government desktops into malware vending machines.
Somewhere in Krasnodar, a 31-year-old whose ransomware handle was literally "UNKN" is discovering that German bureaucracy is, in fact, thorough enough to find you — just not fast enough to arrest you.
Watch what satisfies your paranoia. Forward what earns it.
If someone on your team patches Fortinet gear, they should be reading this — send it over.