Cyber Intelligence Daily — Apr 21, 2026
Tuesday, April 21, 2026
The Big Picture
Today's theme is brutally simple: the tools you trust to run your environment have become the fastest way into it. Vercel confirmed an attacker compromised the company via Context.ai, a third-party AI tool that an employee had connected to its Google Workspace. CISA spent yesterday adding eight actively exploited vulnerabilities to its catalog — three of them in Cisco SD-WAN management software with an April 23 federal patch deadline still on the clock. And in Ukraine, attackers are dressing phishing emails up as humanitarian aid notices to get into hospitals. The perimeter is no longer the firewall. It's the OAuth consent screen an engineer clicked through last quarter.
What Just Dropped
- CVE-2026-20122 — Cisco Catalyst SD-WAN Manager: KEV-listed, actively exploited, federal patch deadline April 23. One of three SD-WAN flaws added yesterday; a compromised SD-WAN Manager hands attackers centralized control of branch-office connectivity.
- CVE-2026-20128 — Cisco Catalyst SD-WAN Manager: KEV-listed, actively exploited, April 23 deadline. Second of the Cisco trio.
- CVE-2026-20133 — Cisco Catalyst SD-WAN Manager: KEV-listed, actively exploited, April 23 deadline. Third of the Cisco trio.
- CVE-2025-48700 — Synacor Zimbra Collaboration Suite: KEV-listed, actively exploited via cross-site scripting, May 4 deadline. The exploit lives entirely inside the HTML body of a single email: no attachment, no link, no macro.
- CVE-2023-27351 — PaperCut NG/MF: KEV-listed, authentication bypass, May 4 deadline. A three-year-old bug previously tied to Cl0p and LockBit is back on the exploitation charts.
- CVE-2025-2749 — Kentico Xperience: KEV-listed path traversal, May 4 deadline.
- CVE-2025-32975 — Quest KACE Systems Management Appliance: KEV-listed authentication bypass, May 4 deadline. Arctic Wolf observed exploitation against unpatched SMA systems last month.
- CVE-2024-27199 — JetBrains TeamCity: KEV-listed path traversal, May 4 deadline.
- FortiWeb 8.0.2 RCE PoC (EDB 52502) — Public proof-of-concept for an unauthenticated remote code execution bug in Fortinet's web application firewall. Expect integration into scanning toolkits within days.
Today's Stories
Your Vercel Environment Variables May Be in Someone Else's Hands — Rotate Them Now
If your team ships anything on Vercel — and a generous slice of the modern web does — open your dashboard before you finish this paragraph.
Vercel confirmed over the weekend that an attacker compromised the company via third-party AI tool Context.ai that one of its employees had connected to their Google Workspace account. Vercel said the intruder subsequently accessed environment variables — the behind-the-scenes settings where developers store API keys, database passwords, and authentication tokens — that had not been explicitly marked as "sensitive."
The origin story matters. According to Hudson Rock research reported by The Hacker News, a Context.ai employee was compromised with Lumma Stealer — a common infostealing malware — in February 2026. The haul from that single infected laptop reportedly included Google Workspace credentials, keys for Supabase, Datadog, and Authkit, and a Context.ai email account itself. Two months later, those credentials were used to access Vercel.
A threat actor on BreachForums claims to be selling Vercel source code, GitHub tokens, NPM tokens, and employee records covering 580 people. BleepingComputer reports the poster used the ShinyHunters name, though actors associated with recent ShinyHunters campaigns told BleepingComputer they are not involved. Vercel says it engaged Mandiant, notified law enforcement, and — working with GitHub, Microsoft, npm, and Socket — found no evidence that its published npm packages were compromised.
What changes if this succeeds for the attacker: the blast radius extends well past Vercel. Help Net Security reports Context.ai's Google Workspace OAuth app was authorized by hundreds of users across many organizations — meaning every company whose employee clicked "Allow All" on that same integration is potentially sitting on the same compromise. What failure looks like: a muted follow-up, no downstream Context.ai customer disclosures, and the forum chatter fading. The observable signal pointing the other way is new breach disclosures from Context.ai customers over the next two weeks. Watch your OAuth consent screens.
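"Watch your OAuth consent screens" is an audit task, so here is what that audit looks like in code. This is an added example written for this digest, not Vercel's, Context.ai's or Google's code. It takes the JSON shape returned by the Google Workspace Admin SDK Directory API `tokens.list` method (one `admin#directory#tokenList` per user), groups grants by app, flags any app holding a standing mail, Drive, calendar or directory scope, and emits the (user, clientId) pairs that `tokens.delete` needs for revocation. Every client ID, app name and address in the sample is constructed; the high-risk scope list is my own cut-off, not a Google classification.

```python
"""Audit third-party OAuth grants in a Google Workspace tenant.

Added example for this digest; it is not Vercel's, Context.ai's or Google's
code. The records are constructed to match the shape of the Admin SDK
Directory API `tokens.list` response (kind admin#directory#tokenList) for a
few users; every client ID, app name and address below is made up.
"""
import json
from collections import defaultdict

# Scopes that give an app standing access to mail, files, calendars or the
# directory. A grant carrying any of these is a third-party dependency on the
# tenant's data and belongs in the supply-chain inventory. (Editor's cut-off.)
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Constructed input: one tokens.list response per user, concatenated.
SAMPLE_TOKEN_LISTS = json.dumps([
    {"kind": "admin#directory#tokenList", "items": [
        {"userKey": "alice@example.invalid",
         "clientId": "111111-constructed.apps.googleusercontent.com",
         "displayText": "Meeting Notes AI (constructed)",
         "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                    "https://www.googleapis.com/auth/drive.readonly",
                    "https://www.googleapis.com/auth/userinfo.email"],
         "anonymous": False, "nativeApp": False},
        {"userKey": "alice@example.invalid",
         "clientId": "222222-constructed.apps.googleusercontent.com",
         "displayText": "Expense Tool (constructed)",
         "scopes": ["https://www.googleapis.com/auth/spreadsheets.readonly",
                    "https://www.googleapis.com/auth/userinfo.email"],
         "anonymous": False, "nativeApp": False}]},
    {"kind": "admin#directory#tokenList", "items": [
        {"userKey": "bob@example.invalid",
         "clientId": "111111-constructed.apps.googleusercontent.com",
         "displayText": "Meeting Notes AI (constructed)",
         "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                    "https://www.googleapis.com/auth/drive.readonly"],
         "anonymous": False, "nativeApp": False}]},
    {"kind": "admin#directory#tokenList", "items": []},
])


def load_grants(raw_json):
    """Flatten concatenated tokens.list responses into one list of grants."""
    grants = []
    for token_list in json.loads(raw_json):
        grants.extend(token_list.get("items", []))
    return grants


def audit(raw_json):
    """Group grants by app and report those holding a high-risk scope.

    Returns {clientId: {"app", "users", "risky_scopes"}} with the most widely
    authorised app first: that is the app whose compromise hits most people.
    """
    per_app = defaultdict(lambda: {"app": "", "users": set(), "risky_scopes": set()})
    for g in load_grants(raw_json):
        entry = per_app[g["clientId"]]
        entry["app"] = g.get("displayText", "")
        entry["users"].add(g["userKey"])
        entry["risky_scopes"].update(set(g.get("scopes", [])) & HIGH_RISK_SCOPES)
    flagged = {cid: e for cid, e in per_app.items() if e["risky_scopes"]}
    ordered = sorted(flagged.items(), key=lambda kv: -len(kv[1]["users"]))
    return {cid: {"app": e["app"],
                  "users": sorted(e["users"]),
                  "risky_scopes": sorted(e["risky_scopes"])}
            for cid, e in ordered}


def revocation_plan(raw_json, client_ids):
    """(userKey, clientId) pairs for the Directory API tokens.delete method.

    With google-api-python-client each pair becomes
    service.tokens().delete(userKey=user, clientId=cid).execute().
    """
    return sorted({(g["userKey"], g["clientId"])
                   for g in load_grants(raw_json) if g["clientId"] in client_ids})


if __name__ == "__main__":
    report = audit(SAMPLE_TOKEN_LISTS)
    for cid, e in report.items():
        print(f"{e['app']} ({cid}): {len(e['users'])} user(s), scopes {e['risky_scopes']}")
    for user, cid in revocation_plan(SAMPLE_TOKEN_LISTS, set(report)):
        print(f"revoke {cid} for {user}")
```

Revoking the token cuts the app's access, but it does nothing about data the app already pulled, which is why the Vercel advice above is to rotate the secrets the tool could see rather than only remove the grant.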
CISA Just Added Eight Actively Exploited Vulnerabilities — Three Are Cisco SD-WAN, Deadline Is April 23
CISA's Known Exploited Vulnerabilities catalog — the government's running list of bugs being used against real targets right now — got eight additions yesterday. The federal patching deadline for the three most urgent entries is April 23, two days out.
The Cisco trio (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) affects Catalyst SD-WAN Manager, the software large enterprises use to orchestrate connectivity across dozens or hundreds of branch offices from a central console. Compromising SD-WAN Manager is roughly equivalent to getting master keys for every door in the building. The remaining five — PaperCut NG/MF (CVE-2023-27351), JetBrains TeamCity (CVE-2024-27199), Kentico Xperience (CVE-2025-2749), Quest KACE SMA (CVE-2025-32975), and Zimbra Collaboration Suite (CVE-2025-48700) — have a May 4 deadline.
Two entries deserve highlighting. PaperCut's CVE-2023-27351 was linked to Lace Tempest in April 2023 in attacks delivering Cl0p and LockBit ransomware, according to The Hacker News. Three years later, enough unpatched installations remain in the wild that it's worth exploiting again — a direct comment on how print servers get treated in asset inventories.
And the Zimbra flaw is especially mean. Prior Hacker News coverage detailed the attack chain: a phishing email impersonating an internship inquiry delivers obfuscated JavaScript embedded directly in the HTML body — no attachment, no malicious link, no macro. The payload harvests credentials, session tokens, two-factor recovery codes, saved browser passwords, and 90 days of mailbox contents. Standard email security gateways that scan attachments and URLs will miss it entirely.
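The defensive point in the Zimbra story is that the body itself is the payload, so the check has to run on the rendered HTML, not on attachments and URLs. The following is an added example written for this digest, not code from The Hacker News' reporting or from Zimbra. It parses a raw message with Python's standard `email` package, reports what an attachment-and-URL gateway would see, and separately walks every `text/html` part for constructs that execute at render time: script, iframe, object and embed elements, `on*` event handlers, `javascript:`/`vbscript:` URIs, and decoder calls such as `eval(atob(...))` inside script bodies. Both messages are constructed; the "obfuscated" script is a harmless base64 of `alert(1)` standing in for a real payload.

```python
"""Flag render-time script in an email's HTML body.

Added example for this digest; not from The Hacker News' reporting or from
Zimbra. The two messages below are constructed; the "obfuscated" script is a
harmless base64 of alert(1) standing in for a real payload.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# javascript:/vbscript: anywhere, plus data:text/html (inline images stay allowed)
SCRIPT_URI = re.compile(r"^\s*(?:javascript|vbscript)\s*:|^\s*data\s*:\s*text/html", re.IGNORECASE)
DECODER_CALL = re.compile(r"\b(?:eval|atob|unescape|Function|String\.fromCharCode)\s*\(")
URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


class ActiveContentParser(HTMLParser):
    """Collects constructs that execute when a mail client renders the HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
            self._in_script = tag == "script"
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"<{tag} {name}> event handler")
            elif name in ("href", "src", "action") and value and SCRIPT_URI.match(value):
                self.findings.append(f"<{tag} {name}> script URI")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script content arrives here as CDATA before the closing tag is seen.
        if self._in_script and DECODER_CALL.search(data):
            self.findings.append("script body calls a decoder (eval/atob/...)")


def scan_eml(raw):
    """Return what a gateway sees (attachments, URLs) next to what it misses."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments, urls, findings = 0, [], []
    for part in msg.walk():
        if part.is_attachment():
            attachments += 1
            continue
        if part.get_content_type() == "text/html":
            html = part.get_content()
            urls.extend(URL.findall(html))
            parser = ActiveContentParser()
            parser.feed(html)
            parser.close()
            findings.extend(parser.findings)
    return {"attachments": attachments, "urls": urls, "active_content": findings}


# Constructed: no attachment, no link; the HTML itself is the payload.
SAMPLE_BODY_ONLY = b"""From: Applicant <applicant@example.invalid>
To: hr@example.invalid
Subject: Internship inquiry
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello, I am writing about the summer internship.</p>
<img src="x" onerror="eval(atob('YWxlcnQoMSk='))">
<script>var _0x1a=atob('YWxlcnQoMSk=');eval(_0x1a);</script>
</body></html>
"""

# Constructed: benign HTML mail with one ordinary link.
SAMPLE_BENIGN = b"""From: Newsletter <news@example.invalid>
To: hr@example.invalid
Subject: Weekly update
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Read more at <a href="https://example.invalid/update">our site</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("body-only", SAMPLE_BODY_ONLY), ("benign", SAMPLE_BENIGN)):
        print(label, scan_eml(sample))
```

For the constructed body-only message the attachment count and URL list are both empty, which is exactly the gateway's view of it, while the body walk reports the `onerror` handler, the `<script>` element and the decoder call. A real filter would act on these findings by stripping the active content or quarantining the message rather than by pattern-matching the payload itself.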
The decision this forces: non-federal organizations that have been treating KEV deadlines as suggestions need to revisit that posture. The signal that tells you exploitation is broadening: watch for managed service providers issuing emergency maintenance windows for Cisco SD-WAN between now and the April 23 deadline. If they are, defenders are finding evidence in customer environments — not just in CISA telemetry.
Interlock Ransomware Is Using a Cisco Firepower Zero-Day to Get Root on Security Appliances
Parallel to the KEV additions, the Interlock ransomware crew has been exploiting CVE-2026-20131 in Cisco Secure Firewall Management Center — the console enterprises use to administer Cisco firewalls — to gain root access before deploying extortion payloads. Our CVE backbone shows this one maturing all the way to KEV-listed ransomware-linked status with a CVSS of 10.0.
The pattern is becoming familiar to the point of cliché: the security appliance is the attack surface. FMC sits in the administrative heart of a defender's network, which means a root compromise there isn't just a foothold — it's a vantage point from which to disable logging, push malicious policies, and stage lateral movement while looking exactly like legitimate administrative traffic.
What changes if this keeps working: Interlock graduates from opportunist to the kind of group other ransomware crews copy. Security-appliance-as-entry-point is a repeatable playbook, and several unrelated campaigns have now validated it in 2026. What failure looks like: Cisco's mitigations land, telemetry from Amazon's threat intelligence team shows Interlock rotating off this technique, and FMC exploitation volumes drop. The signal to watch: emergency out-of-band Cisco advisories for related FMC bugs in the coming weeks. If more drop, the research community has decided this surface is worth scrutiny — and so have attackers.
Operation PowerOFF Seized 53 DDoS-for-Hire Domains — and Sent Warning Letters to 75,000 Customers
Law enforcement sent a message to the DDoS-for-hire industry last week, and the message was: we have your email address.
Operation PowerOFF, the multi-year international crackdown coordinated by Europol with participation from 21 countries, dismantled 53 booter service domains, arrested four suspects, and — the headline number — directly contacted more than 75,000 individuals who had paid for DDoS-for-hire services. The Record reports the April 13 wave leaned heavily on customer databases seized from operators in prior phases.
Booter services — sometimes called stressers — let anyone with a credit card rent the ability to knock a website or server offline. Historical PowerOFF phases focused on supply: seize infrastructure, arrest operators. This phase is demand-side deterrence. If you've identified 75,000 customers, you have their transaction records, account histories, and in many cases their IP logs.
What changes if demand-side pressure works: the pipeline from "bored teenager renting a booter" to "developed criminal using serious intrusion tooling" narrows. What failure looks like: customers migrate to Telegram channels, private brokers, and crypto-only marketplaces, and the public booter market gets replaced by something law enforcement can see less of. The observable signal is timing. Xakep's coverage notes that Europol cites roughly 3 million accounts exposed across prior phases — watch the next 60–90 days for DOJ indictments against identified users, which is the historical pattern after PowerOFF phases.
⚡ What Most People Missed
An April Windows Server patch is putting domain controllers into reboot loops. Microsoft has acknowledged that KB5082063 can trigger reboot loops on Windows Server 2025 domain controllers in PAM-enabled multi-domain environments, per Microsoft's release health dashboard. It's the kind of boring problem that ruins an entire week — an Active Directory outage is functionally equivalent to an authentication outage for your whole org.
Claude Mythos may already have produced dozens of real CVE discoveries — or may not. VulnCheck audited Anthropic-attributed CVEs since February 2026 and found 75 candidates, of which roughly 40 look plausibly AI-assisted and only one — FreeBSD RCE CVE-2026-4747 — is publicly linkable to Anthropic's Project Glasswing so far. A fuller report is expected around July. The disclosure lag itself is the story: if AI-assisted discovery becomes standard, public attribution will often trail the patch.
From the Foreign Press
Attackers Mailed Victims Android Phones That Were Already Infected
● Moscow, Russia
Russian outlet Xakep, citing research from Moscow-based security firm F6, describes a tactic in roughly 300 targeted attacks against Russian banking customers: victims were socially engineered into accepting Android phones that arrived with the LunaSpy trojan already installed, already granted administrator rights, Accessibility service permissions, and background startup privileges. The spyware records audio, streams cameras, captures screens, harvests SMS and contacts, and actively resists removal attempts. The technique sidesteps the two things mobile defenders have gotten best at catching: suspicious install prompts and permission escalation at runtime. If the handset starts compromised, there's nothing for the user to decline. The broader signal — adversaries treating physical devices as pre-positioned footholds rather than targets — matters well beyond this specific malware family. Source: Xakep (Хакер) — Russian. No English-language coverage confirmed at time of publication.
CERT-UA: UAC-0247 Is Hitting Hospitals, Local Government, and FPV Drone Operators With Fake Humanitarian Aid Emails
● Ukraine
Ukraine's national CERT published a detailed advisory on the UAC-0247 cluster documenting a March–April surge targeting clinical hospitals, emergency services, municipal authorities, and operators of first-person-view drones on the front line. The phishing lure is humanitarian aid notifications. The toolkit is unusually deep for an email-delivered campaign: malicious LNK shortcut files, multi-stage loaders using mshta.exe and PowerShell scheduled tasks, code injection into RuntimeBroker.exe, the AGINGFLY C# backdoor, SILENTLOOP PowerShell persistence with Telegram command-and-control, CHROMELEVATOR for browser credential theft, ZAPIXDESK for WhatsApp data, Ligolo-NG and Chisel tunneling, and XMRIG cryptocurrency mining grafted into modified WireGuard software. The impersonation themes travel well — watch for Western threat intel firms to map UAC-0247 to a named Russian cluster in the coming weeks. Source: CERT-UA Advisory #6288271 — Ukrainian. No English-language coverage confirmed at time of publication.
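The loader stage in that toolkit (LNK shortcut, mshta.exe, PowerShell, scheduled task) is the part most organisations can detect from ordinary process-creation telemetry. Below is an added example written for this digest, not CERT-UA's detection content, that runs that logic over constructed events in the shape of Sysmon Event ID 1 records (pid, ppid, image, command line). It rebuilds process lineage and fires on mshta.exe launched from the user's shell, PowerShell descending from mshta.exe, hidden or encoded PowerShell, and schtasks.exe creating a task whose action is PowerShell. File names, the task name, the encoded string and the PIDs are invented; treating explorer.exe as mshta's parent is a proxy for a double-clicked LNK, because process logs do not record the shortcut itself.

```python
"""Spot an mshta.exe -> PowerShell -> scheduled-task chain in process logs.

Added example for this digest, not CERT-UA's detection content. Events are
constructed in the shape of Sysmon Event ID 1 records; file names, the task
name, the encoded command and the PIDs are invented, and only the order of
binaries follows the advisory summary. explorer.exe as parent of mshta.exe is
a proxy for a double-clicked LNK, which process logs do not record directly.
"""
import ntpath

SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 110, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping -n 1 gateway"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\user\Downloads\aid_notice.hta"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc SQBFAFgA"},  # SQBFAFgA is UTF-16LE "IEX", a placeholder
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "SysUpdate" /sc minute /mo 5 '
                r'/tr "powershell.exe -w hidden -File C:\Users\user\AppData\Roaming\upd.ps1"'},
    # Benign control: PowerShell run by the Task Scheduler service, not under mshta.
    {"pid": 500, "ppid": 50, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
    {"pid": 510, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\ProgramData\inventory.ps1"},
]


def _name(event):
    """Lower-case image basename, so rules compare binaries not paths."""
    return ntpath.basename(event["image"]).lower()


def ancestors(event, by_pid):
    """Parent chain of an event, nearest first; stops at unknown or looping PIDs."""
    chain, seen = [], set()
    parent = by_pid.get(event["ppid"])
    while parent is not None and parent["pid"] not in seen:
        seen.add(parent["pid"])
        chain.append(parent)
        parent = by_pid.get(parent["ppid"])
    return chain


def detect(events):
    """Return (rule, pid) alerts for the mshta -> PowerShell -> schtasks chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = _name(e)
        lineage = [_name(a) for a in ancestors(e, by_pid)]
        cmd = e["cmdline"].lower()
        # mshta.exe started from the interactive shell: the LNK double-click stage.
        if name == "mshta.exe" and "explorer.exe" in lineage:
            alerts.append(("mshta_from_user_shell", e["pid"]))
        if name in ("powershell.exe", "pwsh.exe"):
            # PowerShell anywhere below mshta.exe is the loader hand-off.
            if "mshta.exe" in lineage:
                alerts.append(("powershell_under_mshta", e["pid"]))
            if "-enc" in cmd or "-w hidden" in cmd or "-windowstyle hidden" in cmd:
                alerts.append(("hidden_or_encoded_powershell", e["pid"]))
        # Persistence: a new task whose action is PowerShell.
        if name == "schtasks.exe" and "/create" in cmd and "powershell" in cmd:
            alerts.append(("scheduled_task_runs_powershell", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid} ({_name(SAMPLE_EVENTS[[e['pid'] for e in SAMPLE_EVENTS].index(pid)])})")
```

The benign scheduled PowerShell run (pid 510) produces nothing because none of its ancestors is mshta.exe and its command line is neither hidden nor encoded; the lineage check is what keeps the rule from firing on every Task Scheduler job in the fleet.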
APT28 Is Still Burning CVE-2026-21509 Against Ukraine and EU Government Targets
● Ukraine
A separate CERT-UA bulletin documents continued exploitation of CVE-2026-21509 by UAC-0001 — Ukraine's designation for APT28, the GRU's Unit 26165. The advisory explicitly names EU targets as part of the campaign scope, not only Ukrainian government entities. Given how long APT28 has been burning this particular exploit, either patching compliance across European government fleets is worse than assumed, or the crew has meaningfully updated the delivery chain. Either way, if a European government confirms a breach tied to this CVE in the coming weeks, it's a material escalation. Source: CERT-UA Advisory #19542 — Ukrainian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If multiple Context.ai customer organizations disclose their own breaches in the next two weeks, the Vercel incident graduates from "platform compromise" to the defining OAuth supply-chain case study of 2026.
- If the Cisco SD-WAN KEV deadline passes on April 23 without widespread federal compliance, expect CISA to escalate with a supplemental emergency directive — the agency has already issued ED 26-03 on this product family and has shown willingness to follow up.
- If DOJ announces indictments against identified PowerOFF booter customers in the next 60–90 days, that's the signal that 75,000 warning letters were preparatory rather than punitive, and demand-side prosecution becomes the new template.
- If LunaSpy (or something architecturally similar) surfaces outside Russian-language targeting, Android device reseller supply chains become the next audit target for corporate mobile device management programs.
- If Microsoft issues an out-of-band fix for KB5082063's domain controller reboot issue, it means enough Active Directory environments are failing to justify breaking the normal patch cadence — a meaningful signal about the bug's real-world reach.
- If Western threat intel firms publicly map UAC-0247 to a named Russian cluster, expect its tooling — AGINGFLY, SILENTLOOP, CHROMELEVATOR — to start appearing in non-Ukrainian incident response reports within a quarter.
The Closer
A Lumma Stealer infection at Context.ai, a compromise of Vercel two months later, a humanitarian-aid phishing email loaded with an XMRIG miner bolted onto modified WireGuard, and 75,000 DDoS booter customers opening their inboxes to find a letter from Europol. The security appliance is the attack surface, the AI productivity tool is the perimeter, and the domain controller is rebooting in a loop — everything you installed to protect yourself is now on the org chart of things that can be used against you. Patch what you can, audit what you can't, and don't click "Allow All."
Forward this to the one person on your team who still treats OAuth consent screens like cookie banners.