The Lyceum: Cybersecurity Weekly — Apr 15, 2026
Week of April 15, 2026
The Big Picture
The tools built to protect you keep becoming the attack surface. This week, Fortinet's endpoint management server — the software that enforces security policies across corporate devices — was itself the zero-day being exploited in the wild. Microsoft shipped its second-largest Patch Tuesday ever, with a SharePoint flaw already under attack and proof-of-concept code for a Defender privilege escalation already public. ShinyHunters dumped more than 78.6 million Rockstar Games records after the company refused to pay. And CPUID's official download page — the place IT professionals go to get trusted hardware utilities — served malware for six hours. The recurring lesson: attackers aren't breaking through your defenses so much as becoming them.
What Just Dropped
- CVE-2026-35616 — FortiClient EMS 7.4.5/7.4.6: actively exploited zero-day, hotfix available (full patch pending), CVSS 9.8. Pre-authentication API bypass allows unauthenticated remote code execution; added to CISA KEV with an emergency patching notice for federal agencies.
- CVE-2026-32201 — SharePoint Server: actively exploited spoofing zero-day, patched in April Patch Tuesday. Enables attackers to conduct spoofing attacks against enterprise SharePoint environments.
- CVE-2026-33825 — Microsoft Defender: publicly disclosed privilege escalation, patched in April Patch Tuesday. Proof-of-concept exploit code ("BlueHammer") already circulating on GitHub.
- CVE-2026-33579 — OpenClaw (before 2026.3.28): critical privilege escalation via /pair approve, CVSS not yet finalized but rated critical. Automated scanning scripts emerged within hours of disclosure; 135,000 instances estimated exposed.
- Adobe Reader/Acrobat zero-day — Actively exploited in the wild; patched in Adobe's April bulletin (61 CVEs across 12 products). Zero Day Initiative called it "the highest priority for this month."
- STX RAT via CPUID supply chain — Remote access trojan delivered through compromised CPU-Z and HWMonitor downloads on CPUID's official site; DLL sideloading chain targeting browser credentials. Over 150 confirmed victims.
This Week's Stories
Fortinet's Security Tool Is Being Used Against You — And the Full Fix Isn't Ready Yet
The software attackers are exploiting right now is the software companies use to manage their endpoint security — the thing that's supposed to keep everything else safe.
CVE-2026-35616 is a pre-authentication API bypass in FortiClient EMS, Fortinet's enterprise endpoint management server. CVSS 9.8. No password required. An attacker on the internet can send the right kind of crafted request and start running code on your Fortinet server. According to The Hacker News, Fortinet released out-of-band patches, but many organizations are still applying hotfixes while waiting for a full patched release.
WatchTowr's sensors identified exploitation on March 31 — days before Fortinet published its advisory on April 4. WatchTowr CEO Benjamin Harris noted that the Easter weekend timing was "likely not coincidental." He suggested holiday weekends are often when security teams are at reduced staffing, extending detection windows from hours to days.
FortiClient EMS enforces device policy, manages VPN access, and governs compliance across corporate endpoints. A compromised EMS server gives an attacker the ability to manipulate endpoint configurations, push malicious policies, and move laterally into the broader environment. The Shadowserver Foundation identified more than 2,000 publicly accessible instances worldwide. CISA added the flaw to its Known Exploited Vulnerabilities catalog and issued an emergency directive for federal agencies to patch by the agency's specified deadline.
Here's what makes this more than a single incident: CVE-2026-35616 is the second unauthenticated remote code execution vulnerability in FortiClient EMS disclosed within weeks. According to WatchTowr's analysis, CVE-2026-21643, a separate critical flaw in the same product, was actively exploited shortly before this advisory. Two critical, unauthenticated RCEs in the same product in the same month is not bad luck — it's a signal that the codebase has attracted serious attacker attention and may warrant a deeper audit. If your organization runs FortiClient EMS 7.4.5 or 7.4.6, apply the hotfix immediately.
Microsoft's Biggest Patch Tuesday Ever: Two Zero-Days, 167 Flaws, and a Ticking Clock
Microsoft's April Patch Tuesday addresses roughly 163 vulnerabilities — the second-largest monthly release in company history — including two zero-days and a wormable TCP/IP remote code execution flaw that hasn't been exploited yet but carries a CVSS of 9.8.
The actively exploited one is CVE-2026-32201, a SharePoint Server spoofing vulnerability. According to Security Affairs, this flaw poses a significant risk to enterprises relying on SharePoint for document management. The second zero-day, CVE-2026-33825, affects Microsoft Defender itself. Tenable's analysis notes that while Microsoft's advisory made no mention of public exploit code, the description appears to match the "BlueHammer" proof-of-concept posted to GitHub on April 3 by a researcher using the alias "Chaotic Eclipse" — who published it after expressing frustration with Microsoft's vulnerability disclosure process.
The scariest patch might be the one that isn't being exploited yet. CVE-2026-33824, a critical flaw in Windows Internet Key Exchange (IKE) service extensions, could allow remote code execution. According to Security Affairs, blocking UDP ports 500 and 4500 can reduce external exposure, but internal attackers may still exploit it for lateral movement.
Zero Day Initiative noted that their incoming vulnerability submission rate has "essentially tripled," speculating that the surge is driven by AI-assisted discovery. If that is right, Patch Tuesdays will keep getting bigger. Run Windows Update today.
And buried in this update is a quieter deadline: according to ap7i.com's analysis, the original Secure Boot certificates issued in 2011 expire on June 26, 2026 — 72 days from now. Devices that haven't received replacement certificates will lose Secure Boot protection. This month's update adds a status indicator in the Windows Security app so you can check.
ShinyHunters Followed Through: Rockstar Games Data Is Now Public
The deadline came. Rockstar didn't pay. ShinyHunters kept their word.
The group leaked more than 78.6 million records, a day ahead of their stated deadline. According to TechRadar, the entry point wasn't Rockstar's own systems — it was a vendor. Help Net Security reports that ShinyHunters accessed Rockstar's Snowflake environment through Anodot, a third-party SaaS platform used for cloud cost monitoring, extracting authentication tokens that enabled access without exploiting Snowflake itself.
On April 11, Rockstar told Kotaku that a "limited amount of non-material company information" had been leaked. That's probably accurate — the stolen files appear to center on analytics for GTA Online and Red Dead Online: service performance, support workflows, revenue patterns. No GTA VI source code. No player passwords.
The operational lesson is the one nobody wants to hear: your company's data security is only as strong as the weakest vendor you've handed your cloud credentials to. Anodot has been largely silent. Their incident report — if and when it comes — will determine whether this is an isolated compromise or a broader campaign against their customer base. Expect the leaked records to fuel targeted phishing against Rockstar employees and partners; secondary attacks are the predictable next phase once rich organizational telemetry hits the forums.
CPUID Supply-Chain Compromise Turned Trusted Utilities into Malware Delivery
Most people still think malware arrives through sketchy pop-ups. In reality, one of the nastiest infection vectors is doing something perfectly reasonable — like downloading a well-known utility from its official website.
Attackers compromised CPUID's infrastructure and replaced download links on the company's official site so users fetching CPU-Z and HWMonitor received malicious files instead. According to The Hacker News, CPUID confirmed the breach affected a "secondary feature (basically a side API)" for roughly six hours on April 9–10. Cyderes' analysis found the attack used DLL sideloading — a malicious cryptbase.dll placed alongside the legitimate executable — triggering a five-stage in-memory unpacking chain. The final payload was STX RAT, a remote access trojan that targeted browser credentials through Chrome's IElevation COM interface, according to The Register.
Breakglass Intelligence, per The Hacker News, assessed this as part of a 10-month campaign dating to July 2025 and attributed it to a Russian-speaking threat actor. Kaspersky identified more than 150 victims, mostly individuals, though organizations in retail, manufacturing, and telecom were also impacted. The attackers reused the same infection chain and C2 domain from a prior fake FileZilla campaign, which reportedly aided detection.
If you downloaded CPU-Z or HWMonitor on April 9 or 10, verify your installer hash against CPUID's official checksums and audit for outbound connections to supp0v3[.]com. The bigger takeaway: "I got it from the real site, so it's fine" is no longer a reliable assumption.
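The three checks in that paragraph (compare the installer hash against the vendor checksum, look for the C2 domain in resolver logs, and look for a sideloaded cryptbase.dll next to an executable) are small enough to script. The following is an added example, not CPUID's, Cyderes' or The Register's code; the installer bytes, the expected checksum, the DNS log lines and the directory listing are all constructed for the demo, and the log format and paths are hypothetical.

```python
import hashlib
import hmac
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample installer bytes and the checksum we pretend the vendor
# published. In practice EXPECTED_SHA256 is copied from CPUID's checksum page,
# ideally fetched over a different channel than the installer itself.
SAMPLE_INSTALLER = b"MZ\x90\x00 constructed installer bytes, not a real binary"
EXPECTED_SHA256 = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()

# The C2 domain from the story, kept defanged exactly as published.
IOC_DOMAIN_DEFANGED = "supp0v3[.]com"

# DLL name abused in the CPUID chain; extend with names from your own telemetry.
SIDELOAD_DLL_NAMES = {"cryptbase.dll"}

# Constructed DNS resolver log lines (hypothetical format).
SAMPLE_DNS_LOG = [
    "2026-04-10T09:12:01Z query A update.cpuid.com from 10.0.0.21",
    "2026-04-10T09:12:05Z query A supp0v3.com from 10.0.0.21",
    "2026-04-10T09:12:06Z query A cdn.supp0v3.com from 10.0.0.21",
    "2026-04-10T09:13:00Z query A notsupp0v3.com from 10.0.0.22",
    "2026-04-10T09:14:00Z query A supp0v3.com.example.org from 10.0.0.23",
]

# Constructed file listing from a workstation (hypothetical paths).
SAMPLE_LISTING = [
    r"C:\Users\alice\Downloads\cpu-z\cpuz_x64.exe",
    r"C:\Users\alice\Downloads\cpu-z\cryptbase.dll",
    r"C:\Windows\System32\cryptbase.dll",
    r"C:\Program Files\HWMonitor\HWMonitor.exe",
    r"C:\Program Files\HWMonitor\readme.txt",
]


def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com' so it can be matched."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_installer(data: bytes, expected_hex: str) -> bool:
    """True only if the file's SHA-256 equals the vendor-published checksum."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def find_ioc_hits(log_lines: Iterable[str], ioc_domain_defanged: str) -> List[str]:
    """Return log lines that reference the IoC domain or one of its subdomains.

    The pattern requires a non-hostname character before the name and forbids a
    hostname character after it, so 'notsupp0v3.com' and
    'supp0v3.com.example.org' are not false positives.
    """
    domain = re.escape(refang(ioc_domain_defanged))
    pattern = re.compile(
        r"(?:^|[^A-Za-z0-9.-])(?:[A-Za-z0-9-]+\.)*" + domain + r"(?![A-Za-z0-9.-])",
        re.IGNORECASE,
    )
    return [line for line in log_lines if pattern.search(line)]


def find_sideload_candidates(file_listing: Iterable[str]) -> List[str]:
    """Flag known sideload DLL names that sit beside an .exe outside C:\\Windows.

    The legitimate cryptbase.dll lives under the Windows directory; a copy next to
    a freshly downloaded executable is the sideloading layout the story describes.
    """
    by_dir: Dict[str, List[Tuple[str, str]]] = {}
    for path in file_listing:
        directory, name = ntpath.split(path)
        by_dir.setdefault(directory.lower(), []).append((name, path))

    flagged: List[str] = []
    for directory, entries in by_dir.items():
        if directory.startswith("c:\\windows\\"):
            continue  # OS location: the real DLL is expected here
        names = {name.lower() for name, _ in entries}
        has_exe = any(name.endswith(".exe") for name in names)
        for name, path in entries:
            if has_exe and name.lower() in SIDELOAD_DLL_NAMES:
                flagged.append(path)
    return flagged


if __name__ == "__main__":
    print("installer hash ok:", verify_installer(SAMPLE_INSTALLER, EXPECTED_SHA256))
    for hit in find_ioc_hits(SAMPLE_DNS_LOG, IOC_DOMAIN_DEFANGED):
        print("IoC hit:", hit)
    for path in find_sideload_candidates(SAMPLE_LISTING):
        print("sideload candidate:", path)
```

The hash comparison only helps if the expected checksum comes from somewhere the attacker did not control at download time; when the download link on the official site was swapped, a checksum published on the same page could have been swapped too, so compare against a value obtained later, once the vendor confirmed the site was clean, or from a second channel.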
OpenClaw's 135,000 Exposed Instances Show the AI Agent Security Crisis Is Here
OpenClaw — the most-starred project on GitHub, an AI agent platform that autonomously manages files, calendars, and developer tools — has a critical privilege escalation vulnerability, and roughly 135,000 instances are exposed to the internet.
CVE-2026-33579 affects OpenClaw before version 2026.3.28. According to Blink's analysis, the /pair approve command path fails to forward the caller's security scopes into the core authorization check. An attacker who can reach your OpenClaw instance over the network — no credentials required — can send a crafted request that grants their device full admin-level operator access. Because OpenClaw autonomously manages files and developer tools, this effectively hands an attacker the keys to a developer's local environment: repositories, build artifacts, CI credentials.
According to TechPlanet, roughly 63% of exposed instances are running without any authentication at all (as of April 2026). A DEV Community post documented that a 48-hour gap between the patch release and its NVD listing created a "wildfire window" where automated scanning scripts emerged and began systematically exploiting vulnerable instances.
This is the pattern that makes AI agent infrastructure uniquely dangerous right now: the same "move fast" culture that made OpenClaw the most-starred project on GitHub in three months is the reason many of its deployments lack basic access controls. If your engineering teams deployed OpenClaw, update to 2026.3.28 immediately and review network exposure. Note: this is distinct from the companion CVE-2026-32922 (CVSS 9.9) fixed in version 2026.3.11 — if you patched that one but haven't updated further, you're still vulnerable.
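The defect class described above, a command handler that never forwards the caller's scopes into the core authorization check, is easiest to see next to its fix. The following is an added example in hypothetical Python, not OpenClaw's code; the names Caller, PairingStore, legacy_core_authorize, core_authorize, the scope string operator.admin and the sample pairing data are all this example's own. It shows the two halves of the fix: the handler must forward what it knows about the caller, and the core check must fail closed when it receives nothing.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

ADMIN_SCOPE = "operator.admin"  # hypothetical scope name


@dataclass(frozen=True)
class Caller:
    device_id: str
    scopes: FrozenSet[str] = frozenset()


@dataclass
class PairingStore:
    pending: Dict[str, str]  # device_id -> display name (constructed)
    approved: Dict[str, FrozenSet[str]] = field(default_factory=dict)


class AuthorizationError(PermissionError):
    pass


def _grant(store: PairingStore, device_id: str) -> FrozenSet[str]:
    """Move a pending device to approved with operator privileges."""
    if device_id not in store.pending:
        raise KeyError(f"no pending pairing for {device_id}")
    store.pending.pop(device_id)
    store.approved[device_id] = frozenset({ADMIN_SCOPE})
    return store.approved[device_id]


# ---- vulnerable shape -------------------------------------------------------
def legacy_core_authorize(required_scope: str, scopes: Optional[FrozenSet[str]] = None) -> None:
    """Permissive default: a call without scopes was assumed to be internal."""
    if scopes is None:
        return
    if required_scope not in scopes:
        raise AuthorizationError(f"missing scope {required_scope}")


def approve_pairing_vulnerable(caller: Caller, store: PairingStore, device_id: str) -> FrozenSet[str]:
    # The handler has caller.scopes in hand but never passes it on, so the
    # core check takes its permissive default and any caller gets through.
    legacy_core_authorize(ADMIN_SCOPE)
    return _grant(store, device_id)


# ---- hardened shape ---------------------------------------------------------
def core_authorize(required_scope: str, scopes: Optional[FrozenSet[str]]) -> None:
    """Fail closed: no scope argument is the same as no scopes at all."""
    if not scopes or required_scope not in scopes:
        raise AuthorizationError(f"missing scope {required_scope}")


def approve_pairing_fixed(caller: Caller, store: PairingStore, device_id: str) -> FrozenSet[str]:
    core_authorize(ADMIN_SCOPE, caller.scopes)  # caller context forwarded
    return _grant(store, device_id)


def rejects(handler, caller: Caller, store: PairingStore, device_id: str) -> bool:
    """True if the handler refuses the request and leaves the store untouched."""
    before = dict(store.pending)
    try:
        handler(caller, store, device_id)
    except AuthorizationError:
        return store.pending == before
    return False


if __name__ == "__main__":
    unprivileged = Caller("dev-1")
    admin = Caller("dev-0", frozenset({ADMIN_SCOPE}))
    store = PairingStore(pending={"dev-1": "constructed laptop"})
    print("vulnerable handler rejects unprivileged caller:",
          rejects(approve_pairing_vulnerable, unprivileged, PairingStore(pending={"dev-1": "x"}), "dev-1"))
    print("fixed handler rejects unprivileged caller:",
          rejects(approve_pairing_fixed, unprivileged, store, "dev-1"))
    print("fixed handler accepts admin:", approve_pairing_fixed(admin, store, "dev-1"))
```

The second half matters as much as the first: if the core check keeps a permissive default, the next handler that forgets to forward scopes reintroduces the bug. Removing the default (or treating None as empty) turns that omission into a denied request instead of a silent grant.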
⚡ What Most People Missed
- Device-code phishing just got industrialized. Microsoft published a detailed write-up on April 6 describing a campaign abusing the Device Code Authentication flow — the sign-in method meant for TVs and input-constrained devices — to compromise Microsoft 365 accounts at scale. The notable change: operators used automation platforms to spin up thousands of short-lived polling nodes while generative AI handled more convincing lures. More than 340 organizations had already been targeted (as of April 6, 2026). If your team treats device-code prompts as obscure edge cases, that assumption is aging badly.
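Two detections follow directly from the shape of that campaign: a device-code sign-in that completes from a network the user has never signed in from interactively, and many users' device-code sign-ins landing in the same source /24 within minutes (the short-lived polling nodes). The following is an added example, not Microsoft's detection logic; the sign-in events are constructed with a hypothetical schema (ts, user, method, ip) rather than any real product's log format.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample sign-in events (hypothetical schema, not a real log format).
SAMPLE_SIGNINS = [
    {"ts": "2026-04-06T08:00:00", "user": "alice", "method": "password_mfa", "ip": "203.0.113.10"},
    {"ts": "2026-04-06T08:05:00", "user": "bob",   "method": "password_mfa", "ip": "203.0.113.11"},
    {"ts": "2026-04-06T08:06:00", "user": "carol", "method": "password_mfa", "ip": "203.0.113.12"},
    # bob pairing a meeting-room display from his usual office network: benign
    {"ts": "2026-04-06T09:00:00", "user": "bob",   "method": "device_code",  "ip": "203.0.113.11"},
    # three users completing device-code flows from one unfamiliar /24 within 2 minutes
    {"ts": "2026-04-06T09:30:00", "user": "alice", "method": "device_code",  "ip": "198.51.100.7"},
    {"ts": "2026-04-06T09:31:00", "user": "carol", "method": "device_code",  "ip": "198.51.100.8"},
    {"ts": "2026-04-06T09:32:00", "user": "dave",  "method": "device_code",  "ip": "198.51.100.9"},
]


def unfamiliar_device_code_signins(events: List[dict]) -> List[Tuple[str, str]]:
    """Device-code sign-ins whose source IP never appears in the user's
    interactive (non-device-code) history. A user with no history at all is
    flagged too, since there is no baseline to vouch for the source."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["method"] != "device_code":
            baseline[e["user"]].add(e["ip"])
    alerts = []
    for e in events:
        if e["method"] == "device_code" and e["ip"] not in baseline[e["user"]]:
            alerts.append((e["user"], e["ip"]))
    return alerts


def device_code_bursts(events: List[dict], window_minutes: int = 10,
                       min_users: int = 3) -> List[Tuple[str, Tuple[str, ...]]]:
    """Source /24 networks from which at least `min_users` distinct users
    completed device-code sign-ins inside a sliding window."""
    by_net: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e["method"] == "device_code":
            net = ipaddress.ip_network(f"{e['ip']}/24", strict=False)
            by_net[str(net)].append((datetime.fromisoformat(e["ts"]), e["user"]))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for net, items in by_net.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts.append((net, tuple(sorted(users))))
                break  # one alert per network is enough
    return alerts


if __name__ == "__main__":
    for user, ip in unfamiliar_device_code_signins(SAMPLE_SIGNINS):
        print(f"unfamiliar device-code source: {user} from {ip}")
    for net, users in device_code_bursts(SAMPLE_SIGNINS):
        print(f"device-code burst from {net}: {', '.join(users)}")
```

The first rule is noisy on its own (every first-time TV pairing trips it), which is why the second rule exists: a single user from a new network is a ticket, three users from the same unfamiliar /24 in two minutes is an incident. Tune the window and user threshold to your tenant's real device-code usage before alerting on it.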
- Storm-1175 is turning patch lag into a ransomware playbook. Microsoft's April 6 threat-intel post profiles a Medusa ransomware operator that repeatedly hits vulnerable internet-facing systems within days — and sometimes hours — of public disclosure. Healthcare, education, and finance in the U.S., U.K., and Australia have appeared in the blast radius. Ransomware crews are acting more like zero-day shoppers than smash-and-grab extortionists.
- Claude Code found a Linux vulnerability hidden for 23 years. An independent researcher published a detailed write-up showing Anthropic's Claude Code helped identify a Linux bug that had sat unnoticed for over two decades. AI is simultaneously expanding the attack surface and burning through legacy codebases to find real bugs humans missed — expect the patch-management backlog to grow in places many teams thought were "stable."
- ChatGPT's code sandbox has a hidden outbound channel. Check Point Research identified a data exfiltration path in ChatGPT's code execution sandbox — a hidden outbound channel that could allow data uploaded during a session to be leaked externally. Sandboxes are supposed to be sealed; this one wasn't. Expect enterprise AI policies to tighten around code-execution features.
- Chrome is being hardened as identity infrastructure, not just a document viewer. Google is rolling out Device Bound Session Credentials (DBSC), which ties session cookies to specific hardware using device-backed cryptographic keys — meaning a stolen cookie is useless on any other device. This directly undermines the entire category of infostealer malware that relies on harvesting session cookies. Source: Xakep.ru.
From the Foreign Press
CERT-UA: Attackers Are Impersonating CERT-UA Itself to Deliver Malware
CERT-UA Advisory #21075 documents a campaign by a group tracked as UAC-0255 that impersonates CERT-UA in phishing emails — using the branding, formatting, and urgency of official cybersecurity warnings to deliver malware called AGEWHEEZE. When attackers impersonate the people warning you about attacks, it exploits the trust organizations have built in official security communications. Employees trained to "act immediately on CERT-UA alerts" become the most vulnerable targets. This tactic has historically migrated westward — watch for similar impersonation campaigns targeting CISA, NCSC, or ENISA.
Source: CERT-UA Advisory #21075 — Ukrainian. No English-language coverage confirmed at time of publication.
Apache ActiveMQ's 13-Year-Old RCE Bug Was Just Fixed
Xakep.ru reports that Apache patched a remote code execution vulnerability in Apache ActiveMQ Classic that had gone undetected for 13 years. ActiveMQ is a message broker — the plumbing that lets different parts of enterprise software communicate — used widely in banking, healthcare, and logistics. Remote code execution means an attacker can run their own programs on your server without credentials. The fact that this bug survived 13 years of use and security audits is a reminder that "we've been running this for years without problems" is not the same as "this is secure." If your organization runs ActiveMQ Classic, check for the patch immediately.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
Masjesu DDoS Botnet Targets Unpatched IoT Devices
Xakep.ru detailed a new DDoS botnet called Masjesu that is aggressively recruiting unpatched IoT devices — routers, cameras, and smart appliances — by exploiting weak default passwords and old firmware. The botnet has already amassed thousands of devices and is being offered for hire on cybercrime forums. Unlike headline-grabbing ransomware, IoT botnets are the plumbing behind internet outages that knock banks and news sites offline. Change default router passwords and check for firmware updates — home networks fuel these global attacks.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If Microsoft releases guidance on CVE-2026-33824 (the Windows IKE flaw, CVSS 9.8) being exploited in the wild, treat it as an emergency — it's wormable-adjacent and currently unpatched on millions of systems that haven't applied this week's update.
- If Anodot publishes a full incident report on the Rockstar breach, it will determine whether this is an isolated compromise or a broader campaign against their SaaS customer base — which would make every Anodot client a potential victim.
- If CISA adds more Fortinet CVEs to its Known Exploited Vulnerabilities catalog, it confirms that attackers are systematically working through the FortiClient EMS codebase — a pattern that would warrant emergency review of any Fortinet deployment, not just EMS.
- If Google announces Device Bound Session Credentials support beyond Windows Chrome, it means anti-infostealer defenses are moving from experiment to default browser behavior — and the dark-market price for stolen session cookies will crater.
- If the Secure Boot certificate rollout remains uneven by mid-May, the June 26 expiration will shift from IT housekeeping to front-page crisis — devices that miss the window may fail to boot, with no retroactive fix.
The Closer
A Fortinet server protecting your network while hackers run code on it, a 13-year-old bug hiding in the plumbing of every bank's middleware, and roughly two-thirds (about 63% as of April 2026) of the most popular AI agent on GitHub running with the front door wide open.
The best part of Patch Tuesday is that moment when you realize the security software that's supposed to catch the exploit is the exploit — it's like hiring a locksmith who copies your keys.
Stay patched, stay skeptical.
If someone you know runs Windows, SharePoint, or an AI agent with no authentication — so, everyone — forward this their way.