Cyber Intelligence Daily — Apr 26, 2026
Sunday, April 26, 2026
The Big Picture
It's a Sunday, and the threat landscape is doing what it always does on Sundays: quietly compounding. CISA's KEV catalog picked up four more actively exploited flaws on Thursday, the Microsoft Defender exploit chain just got a confirmed timeline that started six days before Patch Tuesday, and a Fortinet SSO bypass has surfaced that defeats the patches organizations applied to fix the previous SSO bypass. None of these stories are individually catastrophic. Read together, they describe a week in which defenders kept losing time — to PoCs published faster, to patches that didn't fully evict attackers, and to advisories that haven't yet crossed into English-language press.
What Just Dropped
- CVE-2024-57726 — SimpleHelp remote support: actively exploited, KEV-listed Thursday, federal patch deadline May 8. Privilege escalation flaw in a tool IT teams use to reach into endpoints across an organization.
- CVE-2024-57728 — SimpleHelp remote support: actively exploited, KEV-listed alongside CVE-2024-57726. Path traversal that chains with the authorization bug above.
- CVE-2024-7399 — Samsung MagicINFO 9 Server: actively exploited, KEV-listed Thursday, deadline May 8. Path traversal in digital signage management — the third MagicINFO entry to land in KEV in roughly a year.
- CVE-2025-29635 — D-Link DIR-823X: actively exploited, KEV-listed, deadline May 8. Command injection being scooped up by a Mirai variant tracked as "tuxnokill."
- CVE-2026-39987 — Marimo reactive Python notebook: escalated from no-known-exploitation to operational, KEV deadline May 7. Data science environments tend to hold cloud credentials and model weights.
- CVE-2026-25262 — Qualcomm Snapdragon firmware: disclosed by Kaspersky, no NVD score yet. Firmware-level flaw that cannot be patched on existing hardware.
- Tomcat / sudo / NTLM PoCs — fresh proof-of-concept code circulating for CVE-2025-24813 (Apache Tomcat RCE), CVE-2025-32463 (sudo chroot LPE to root), and CVE-2025-33073 (Windows NTLM reflection SMB). Lowers the bar for opportunistic exploitation considerably.
Today's Stories
The IT Help-Desk Tool That Just Became a Pivot Point — Patch SimpleHelp Before Monday
If your IT team uses SimpleHelp — the remote-support platform administrators use to take control of employee computers — Thursday's CISA KEV update should be on top of your queue.
CISA added four flaws to its Known Exploited Vulnerabilities catalog on April 24, including two SimpleHelp bugs (CVE-2024-57726 and CVE-2024-57728), a Samsung MagicINFO 9 Server path traversal, and a D-Link DIR-823X command injection. KEV additions only happen when CISA has telemetry showing real-world exploitation — not theoretical risk.
The SimpleHelp pair is the dangerous one. CVE-2024-57726 is a missing-authorization flaw; CVE-2024-57728 is a path traversal. Chained, they let an attacker bypass access checks and then read or write resources they shouldn't be able to touch — which in a remote-support tool means session tokens, configuration files, and the trust relationships SimpleHelp uses to reach into customer environments. This is the class of tool ransomware crews favor: one compromised SimpleHelp instance can be a key to dozens of downstream networks.
If this succeeds as an attack model, expect SimpleHelp to follow the trajectory of ConnectWise ScreenConnect last year — a remote-support platform that became a preferred ransomware staging ground while many MSPs kept running it unpatched. The signal that we're on that path is incident reports naming SimpleHelp as the initial access vector in ransomware disclosures over the next 30 days. If we don't see that, it means either patching moved fast enough or attackers are sitting on access quietly.
Federal agencies have until May 8. Treat that as a ceiling. Update to SimpleHelp 5.5.8 or later before the workweek starts.
Fortinet's New FortiCloud SSO Bypass Defeats the Patches You Already Applied
This one has been moving quietly through the advisory feeds, and the detail buried in the CISA write-up is the part that matters.
CVE-2026-24858 lets anyone with a FortiCloud account and a registered device log into separate devices registered to other users in FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer — provided FortiCloud single sign-on is enabled. Read that twice. Not a privileged account. Not an admin token. Any FortiCloud account with a registered device, pivoting cross-tenant into other organizations' gear.
The compounding detail, per the CISA-sourced advisory: organizations that already patched the two earlier FortiCloud SSO bypasses (CVE-2025-59718 and CVE-2025-59719) are still exposed to this one. That's the second time in six months Fortinet has shipped a fix for an SSO flaw that didn't fully close the underlying design issue.
If this succeeds as an attack model, MSSPs and shared-Fortinet environments become the prize — one foothold yields lateral movement across customer estates. The signal to watch: post-patch forensic findings of unexpected admin accounts, unfamiliar API keys, or VPN sessions that predate the fix. CISA is explicit that patching alone may not evict an attacker — check for indicators of compromise on every internet-accessible Fortinet device, not just the unpatched ones.
Active in-the-wild exploitation has not been publicly confirmed as of this writing, but the patch is available. Apply it, then hunt.
The Defender Exploit Chain Has a Confirmed Timeline — And It Started Before Patch Tuesday
The Microsoft Defender zero-day saga has been building for two weeks. Xakep's April 21 technical write-up — citing Huntress telemetry and still not synthesized in English-language press — adds the timeline that changes how you should think about it.
According to Huntress, exploitation of BlueHammer (CVE-2026-33825) in real attacks began on April 10. RedSun and UnDefend exploitation started April 16. Patch Tuesday landed April 14. That's a six-day window where attackers had BlueHammer and defenders did not have a fix — and a two-day window between the patch and the next stage of the chain being deployed against unpatched estates.
The forensic detail is the part worth sitting with. Huntress found the exploits on a Windows host compromised through a hijacked SSLVPN user, and before deploying privilege escalation, the operator manually ran whoami /priv, cmdkey /list, and net group. Manual reconnaissance before privilege escalation is a hallmark of targeted human intrusion, not commodity malware. Someone is using the antivirus as a stepping stone, by hand.
If this succeeds as a tradecraft pattern, expect the "endpoint protection as privilege escalation surface" trend to accelerate — defenders have spent a decade hardening user-mode applications, and the security agent has become the soft target underneath. The signal to watch: whether subsequent IR reports name Defender (or CrowdStrike, SentinelOne, etc.) as the LPE vector in named ransomware intrusions over the next quarter. If they do, the threat-model conversation about EDR shifts from "did you deploy it" to "did you isolate it."
April 14 patches cover BlueHammer. RedSun and UnDefend PoCs are public, which means the quiet patching window is closed.
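A defender-side way to hunt for the hands-on-keyboard pattern Huntress describes (whoami /priv, cmdkey /list, net group from one user on one host in a short window) is to run a small correlation over process-creation telemetry. This is an added example, not Huntress or Xakep code; the pipe-delimited log format, host names and user names are constructed for illustration.

```python
"""Flag hosts where the manual recon trio from the Defender intrusion fires within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# The three commands the page reports the operator ran by hand before privilege escalation.
# Matching is on image name plus an argument token, so "net localgroup" or bare "whoami" do not fire.
RECON_SIGNATURES = {
    "whoami /priv": ("whoami.exe", "/priv"),
    "cmdkey /list": ("cmdkey.exe", "/list"),
    "net group": ("net.exe", "group"),
}
WINDOW = timedelta(minutes=10)   # assumed: manual recon is bursty, so a short window is enough

def parse_event(line):
    """Parse one constructed 'timestamp|host|user|image_path|command_line' record."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image.lower().rsplit("\\", 1)[-1], "cmdline": cmdline.lower()}

def classify(event):
    """Return the signature name an event matches, or None."""
    tokens = event["cmdline"].split()
    for name, (image, arg) in RECON_SIGNATURES.items():
        if event["image"] == image and arg in tokens:
            return name
    return None

def find_recon_clusters(lines, min_hits=2):
    """Map (host, user) -> sorted signature names when >= min_hits distinct ones fire inside WINDOW."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        sig = classify(ev)
        if sig:
            hits[(ev["host"], ev["user"])].append((ev["ts"], sig))
    alerts = {}
    for key, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {s for t, s in events[i:] if t - t0 <= WINDOW}
            if len(seen) >= min_hits:
                alerts[key] = sorted(seen)
                break
    return alerts

SAMPLE_LOG = [  # constructed events, not real telemetry
    r"2026-04-10T02:14:05|WS-FIN-07|corp\j.doe|C:\Windows\System32\whoami.exe|whoami /priv",
    r"2026-04-10T02:15:40|WS-FIN-07|corp\j.doe|C:\Windows\System32\cmdkey.exe|cmdkey /list",
    r"2026-04-10T02:17:02|WS-FIN-07|corp\j.doe|C:\Windows\System32\net.exe|net group /domain",
    r"2026-04-10T08:00:01|WS-HR-02|corp\svc_logon|C:\Windows\System32\net.exe|net group /domain",  # lone logon-script query
    r"2026-04-10T13:30:00|WS-HR-02|corp\a.lee|C:\Windows\System32\whoami.exe|whoami",  # no /priv, benign
]

if __name__ == "__main__":
    print(find_recon_clusters(SAMPLE_LOG))
```

Only the WS-FIN-07 session trips the correlation; the single logon-script query and the bare whoami on WS-HR-02 stay quiet, which is the point of requiring distinct signatures in one window rather than any single command.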
Canada's First SMS Blaster Arrest Has a Detail Everyone Is Missing: 13 Million Network Disruptions
Toronto Police announced arrests Wednesday in Project Lighthouse — the first SMS blaster prosecution in Canadian history. The coverage has focused on the smishing angle. The number that deserves more attention is in the official Toronto Police Service release: more than 13 million network disruptions were recorded, and those disruptions could temporarily prevent affected devices from connecting to legitimate cellular networks, including limiting access to 911 for periods ranging from seconds to several minutes.
This isn't a phishing story. This is a public safety infrastructure story.
The device is a portable rogue base station — small enough to fit in a backpack or a car trunk, per The Globe and Mail's reporting on how Telus helped police triangulate it. It impersonates legitimate cell towers, forces nearby phones to connect, and pushes fraudulent text messages directly to the device. Since the messages never traverse the carrier network, telecom spam filters are completely blind to them. Your carrier cannot block what it never sees.
If this succeeds as a criminal model — and the devices have already been detected in the UK and New Zealand — the obvious follow-on is that every major metropolitan police force in North America should now be asking whether one is operating in their jurisdiction undetected. The signal: how quickly other CERTs and police services publish similar arrests or seizures. If it's months of silence, that means the detection capability simply doesn't exist outside Toronto's coordination with Telus. If multiple jurisdictions announce within 60 days, it means the playbook has spread.
The unsettling implication is that the cellular network's authentication has been broken at the physical layer for a decade, and the only thing keeping it from being abused at scale is that the hardware was hard to acquire. That's no longer true.
⚡ What Most People Missed
The Seiko USA extortion deadline has likely passed without public resolution. A defacement on Seiko USA's site claimed access to the Shopify backend and threatened to publish the customer database within 72 hours of April 19. Seiko USA quietly removed the message but has not publicly confirmed or denied the breach. If you've ordered from Seiko USA online, watch for phishing using your real order details — the most credible scam is the one that knows what you actually bought.
The Samsung MagicINFO KEV addition is the third in a year, and that cadence suggests systemic issues in the product's codebase and patch management. Digital signage runs in lobbies, retail stores, conference rooms, and transit stations — places nobody's threat model accounts for, on systems nobody's patch program tracks.
A new Linux LPE in PackageKit, "Pack2TheRoot" (CVE-2026-41651), is sitting at CVSS 8.8 with a fix in 1.3.5. Deutsche Telekom's red team found it; BleepingComputer reports the daemon may crash on exploitation, leaving a forensic footprint defenders can hunt for. Not yet exploited in the wild, but the shape — old component, broad distro exposure, straightforward post-compromise value — is exactly what gets weaponized within weeks of disclosure.
CISA's FIRESTARTER advisory is a quiet rewrite of how you should think about firewall patching. A federal agency was breached through a Cisco firewall in September 2025; the operators came back in March 2026 without re-exploiting the original bug, using implants called FIRESTARTER and Line Viper that survived patching. The revised CISA directive now requires agencies to actively hunt for persistence, not just apply fixes. Patch-and-forget is officially dead at the edge.
ESET attributes a new China-aligned cluster, GopherWhisper, to espionage against a Mongolian government target — using Slack, Discord, Microsoft 365 Outlook, and File.io as command-and-control. The point isn't the malware names. The point is that approved SaaS is now indistinguishable from C2 traffic at the network layer. Source: The Record, citing ESET research — English.
From the Foreign Press
Geo Likho Has Conducted More Than 200 Attacks Against Russian Aviation and Maritime Sectors
Most threat-actor stories run West-to-East: a Russian or Chinese group hits a Western target, and Western press covers it. Xakep reported Friday on a campaign running the other direction — a threat group called Geo Likho has conducted more than 200 documented attacks against Russian aviation and water transport sectors, with TTPs suggesting specific knowledge of Russian aviation systems. The intelligence value is the targeting pattern: a group that has spent this much effort mapping Russian transport infrastructure has built a capability that can be redirected. Western threat intel teams have had effectively zero visibility into it, because nobody publishes in English. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
The Snapdragon Flaw That Lives Below the Operating System
Kaspersky researchers disclosed CVE-2026-25262, a vulnerability in Qualcomm Snapdragon chipsets that lives at the firmware layer — below Android, in the code that runs when the chip first powers on. Because it's hardware firmware rather than software, it cannot be patched on existing devices. Snapdragon powers most Android flagships and an increasing share of Windows-on-ARM laptops. If exploited, an attacker who reaches the firmware layer survives factory resets, OS reinstalls, and every other remediation a user might attempt. No NVD score yet; watch for Qualcomm's official advisory in the coming days. Source: Xakep.ru, citing Kaspersky — Russian. No English-language coverage confirmed at time of publication.
CERT-UA: UAC-0247 Targets Hospitals, Local Government, and FPV Drone Operators
CERT-UA published a detailed advisory on UAC-0247, documenting an intensifying March–April campaign against Ukrainian clinical hospitals, emergency services, municipal bodies, and operators of first-person-view drones in the defense sector. The toolkit is the noteworthy part: CHROMELEVATOR for browser credential extraction, ZAPIXDESK for WhatsApp data theft, RUSTSCAN for reconnaissance, LIGOLO-NG and CHISEL for tunneling, and a trojanized FPV drone software package using DLL side-loading to deploy the AGINGFLY backdoor — distributed via Signal. CERT-UA's mitigation guidance (restrict LNK/HTA/JavaScript execution, limit mshta.exe and PowerShell) is operationally useful for any defender, not just Ukrainian ones. Source: CERT-UA Article 6288271 — Ukrainian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If Qualcomm publishes a CVSS score above 8.0 for CVE-2026-25262 in the next 48 hours, mobile device management programs at most enterprises will be forced into a mandatory firmware update cycle — and OEMs that no longer ship updates for older flagship phones will create a permanent unpatchable population.
- If ransomware incident reports over the next 30 days name SimpleHelp as the initial access vector, it confirms remote-support tools are following the ScreenConnect trajectory, and the MSP threat model needs to be rewritten around supply-chain trust, not perimeter defense.
- If a second jurisdiction announces an SMS blaster seizure within 60 days, it will reveal that many municipal CERTs and police forces lack rogue-station detection capability and will likely prompt urgent procurement of IMSI-catcher detection tools or closer carrier collaboration.
- If post-patch FortiCloud forensics turn up unexpected admin accounts at multiple organizations, CVE-2026-24858 is already past the active-exploitation threshold and just hasn't been publicly attributed yet.
- If Western threat intel firms begin publishing on Geo Likho within the next quarter, it means they had visibility all along and chose not to publish — which is its own intelligence signal about how Western telemetry on Russian-domestic targeting actually works.
- If the Marimo KEV entry produces named breach disclosures involving cloud credential theft, ML/data-science infrastructure officially graduates from "developer tooling" to "production attack surface" — and security programs that don't track Jupyter, Marimo, and notebook servers will start showing up in incident reports.
The Closer
A backpack-sized rogue cell tower triggering 13 million 911 disruptions across Toronto; an attacker manually typing whoami /priv into a Defender-exploited host while a human on the other end watches; a Snapdragon flaw etched permanently into a billion phones that will outlive their warranties.
The week's lesson is that the antivirus, the cell tower, and the help-desk tool are now all the attack surface — which leaves roughly nothing that isn't.
Stay suspicious of anything that's supposed to protect you.
Forward this to the friend who still thinks "patched" means "safe."