Cybersecurity Weekly — Apr 29, 2026
Week of April 29, 2026
The Big Picture
This week's pattern is uncomfortable to look at directly: the things you trust most are the things being weaponized against you. The PDF you opened. The "private" browsing window you used. The password manager package your developers pulled. The firewall that's supposed to be guarding the perimeter. None of these failures are surprising in isolation — what's striking is how cleanly they line up. Attackers have stopped breaking down doors and started compromising the locksmiths.
What Just Dropped
- CVE-2026-34621 — Adobe Acrobat and Reader (Acrobat DC, Reader DC, Acrobat 2024): patched, actively exploited for ~4 months, prototype-pollution JavaScript flaw enabling full system compromise from opening a malicious PDF. Added to CISA KEV; federal remediation deadline was April 27.
- CVE-2026-6770 — Firefox and Tor Browser (fixed in Firefox 150, ESR 140.10, Tor Browser 15.0.10): patched April 21, IndexedDB ordering flaw allowed persistent fingerprinting that survived Private Browsing and Tor's "New Identity" reset.
- CVE-2026-40372 — ASP.NET Core Data Protection: out-of-band emergency patch April 22, critical, allows unauthenticated attackers to forge authentication cookies and escalate to SYSTEM.
- CVE-2026-20131 — Cisco Secure Firewall Management Center: patched, but exploited as a zero-day by Interlock ransomware for 36 days before disclosure (CVSS 10.0, unauthenticated RCE as root).
- CVE-2026-20133 — Cisco SD-WAN: added to CISA KEV April 21, actively exploited.
- Samsung MagicINFO 9 Server and D-Link DIR-823X — added to CISA KEV April 28; federal remediation deadline May 8.
- Bitwarden npm package compromise — supply chain attack on the password manager's npm distribution, designed to steal developer credentials.
This Week's Stories
The PDF You Opened in December May Have Been Watching You Since
Think about how many PDFs you've opened this week. Invoices, contracts, a research paper, a job applicant's résumé. Now consider that Adobe Acrobat Reader — the software opening most of them — had an actively exploited security hole for at least four months before anyone patched it.
According to TechCrunch, Adobe patched CVE-2026-34621 in mid-April after security researcher Haifei Li discovered a malicious PDF uploaded to his exploit-detection system. The earliest known sample dates to November 28, 2025. Opening a malicious PDF was sufficient — no clicks, no permissions, no warning. SecurityWeek reports that the lures used Russian-language content referencing the country's oil and gas sector, which points toward targeted espionage rather than spam. The exploit also fingerprinted victims first and only delivered the payload to selected targets, which is why most security tools never caught the activity.
CISA added it to the Known Exploited Vulnerabilities catalog on April 13 with a federal remediation deadline of April 27 — a deadline that has now passed. The thing is, enterprise PDF readers are notoriously slow to update, and anyone who opened a suspicious PDF between November and mid-April should treat their endpoint as potentially profiled, not just patched. The signal that tells you which path you're on isn't whether the patch is deployed — it's whether your EDR has hunted for the specific indicators Adobe published.
Firefox's "Private" Mode Wasn't — And Tor's "New Identity" Button Wasn't Either
If you've ever opened a Firefox private window and assumed websites couldn't track you, this week's news is a cold shower.
The security firm Fingerprint discovered that on Firefox, websites could track users even when they were in private mode or using Tor Browser. The flaw, CVE-2026-6770, lives in IndexedDB — a small database websites use to store data locally. As Fingerprint explains it, Firefox stored database names with internal UUID mappings, and when a site listed those databases, the order they came back in stayed identical across sites within the same browser process. The order itself was the fingerprint.
This matters most for the people Tor was built to protect: journalists, activists, dissidents. SecurityWeek confirms the fingerprint persisted through reloads, new private sessions, and even Tor's "New Identity" button — the feature whose entire job is to make linking your old and new sessions impossible. Mozilla shipped the fix in Firefox 150 and ESR 140.10 on April 21, and the Tor Project released Tor Browser 15.0.10.
What's left unresolved is the timeline. IndexedDB has been in Firefox for years. Whether this was ever exploited against high-risk users before Fingerprint's disclosure is genuinely unknown — and given how reproducible the proof-of-concept is, that uncertainty is the whole story. Mozilla also disclosed in a separate blog post that AI-assisted code review helped uncover 271 vulnerabilities patched in this Firefox release, which is its own quiet signal about where defensive tooling is heading.
A Ransomware Gang Had a 36-Day Head Start on Cisco's Firewall Manager
● Moscow, Russia
Here's the scenario every security team dreads: you patch every vulnerability the day it drops, and it doesn't matter, because attackers were already inside using a flaw nobody knew existed.
Amazon's threat intelligence team published findings showing that the Interlock ransomware group exploited CVE-2026-20131 — a CVSS 10.0 unauthenticated remote code execution flaw in Cisco Secure Firewall Management Center — beginning January 26, 2026, for 36 days before Cisco's public disclosure. Amazon found this through MadPot, its global honeypot sensor network. The Hacker News reports the bug allowed attackers to bypass authentication and execute Java code as root.
Cisco FMC isn't an obscure product. It's the central console enterprise IT teams use to manage every Cisco firewall in their environment. Whoever controls FMC controls the perimeter. According to AdminByRequest's analysis of Amazon's findings, Interlock operators worked primarily in UTC+3 — consistent with Moscow — and used a double-extortion model that explicitly invoked GDPR in ransom notes to pressure European victims.
The harder lesson sits underneath the technical details. Even a perfect patching program can't protect you during the window between a zero-day's discovery by attackers and its disclosure by defenders. If you run Cisco FMC, the action item isn't just "patch" — it's hunt through logs going back to January 26 using Amazon's published indicators. The signal that tells you which path you're on is whether your team has the historical telemetry to look that far back.
Microsoft's Emergency Patch for a Bug That Lets Attackers Mint Their Own Login Cookies
If your company runs web apps, this is the kind of bug that should make every IT person sit up straighter.
BleepingComputer reports that Microsoft pushed out-of-band emergency updates on April 22 for CVE-2026-40372, a critical flaw in ASP.NET Core Data Protection — the cryptographic component that protects authentication cookies, the digital wristbands telling a website "yes, this person already logged in." The flaw lets unauthenticated attackers forge those cookies and escalate to SYSTEM-level access on Windows, which is about as powerful as access gets. The problem emerged after this month's .NET 10.0.6 release.
The wrinkle is that this lives in framework plumbing, not in an obvious admin page. Plenty of teams won't immediately connect "NuGet runtime issue" with "drop everything." But broken authentication plumbing travels far: when the foundation gets it wrong, every app sitting on top of it inherits the flaw. Inventory your runtime versions, prioritize patching, and treat this as a hunt: search login telemetry for forged tokens and unexpected SYSTEM-level actions.
The Vercel Breach That Turned OAuth Tokens Into a Master Key
● United States
Trend Micro published research this week on a breach at Vercel — the hosting platform that runs a substantial slice of the modern web — in which attackers abused OAuth (the system behind "Log in with GitHub") to access customer environment variables. Environment variables are the digital key rings holding database passwords, API tokens, and signing keys. One platform's compromise becomes a master key to its customers' downstream services.
This is part of a broader convergence. Token theft from deployment platforms, package hijacks on registries like npm and PyPI, OAuth abuse — they're all variations on a theme: attackers have stopped targeting your applications and started targeting the systems that build and deploy them. If your team uses Vercel, the action items are mechanical: rotate every API key, invalidate every long-lived token, audit deploy logs for unfamiliar callbacks. The signal that tells you whether this stays contained is whether companies report follow-on intrusions traced back to leaked Vercel-stored credentials over the next two weeks.
A Ransomware Strain That Becomes a Wiper by Accident
● Ukraine
Most ransomware follows a predictable script: encrypt files, demand payment, hand over a working decryption key. The whole business model depends on the key actually working. Check Point Research published an analysis this week of a ransomware strain called VECT that breaks this contract — not by design, but through sloppy engineering.
According to Check Point, VECT was built as standard ransomware, but implementation flaws mean it can behave like a wiper, permanently destroying data rather than encrypting it recoverably. There's no paying your way out of a wiper. The data is just gone.
This matters beyond the technical curiosity. The line between ransomware and destructive cyberattack has been blurring deliberately for years — Russian-linked operations against Ukraine being the obvious case — and now it's blurring accidentally too. The calculus around backups changes when paying the ransom can't restore your data because the malware itself made restoration impossible. Offline, tested backups stop being optional and start being the only thing that works.
Government Data in France Appears for Sale After a Breach
● France
While most attention focused on vulnerabilities, BleepingComputer confirmed a quieter story: stolen government data in France was advertised for sale online. Details on scope and victim count are still emerging.
The pattern is what to track. France has been a consistent target throughout 2026 for both criminal and nation-state activity, and a confirmed breach where data is being actively sold sits in a different category than one that stays quiet. The data is now in circulation. It will be used — for downstream phishing built from real internal records, for identity fraud, or potentially for intelligence value. Watch for follow-on phishing campaigns targeting French citizens or government employees in the coming weeks; that's the signal that tells you whether this is a criminal sale or something pointing toward a state buyer.
⚡ What Most People Missed
- Apple quietly fixed a bug that let "deleted" Signal notifications stay on your iPhone: Apple released iOS 26.4.2 on April 22 to address CVE-2026-28950, a logging issue where notifications marked for deletion could be retained on the device. For most people this is mundane. For journalists, lawyers, and activists who assumed "deleted" meant gone, it isn't.
- A U.S. ransomware negotiator pleaded guilty to secretly helping the gang he was supposed to fight: SecurityWeek reports that Florida-based negotiator Angelo Martino admitted collaborating with the BlackCat ransomware group while advising victim companies. Cybersecurity is now a trust industry as much as a tech industry, and this case practically begs insurers and regulators to start asking who's really in the room during a ransom crisis.
- Mercor's breach exposed 4TB of voice samples from 40,000 AI training contractors: Voice data is uniquely sensitive — it can be cloned, used to bypass voice-biometric authentication, and weaponized for highly targeted vishing campaigns. With 40,000 distinct voices in circulation, the bar for realistic mass-scale voice fraud just dropped meaningfully.
From the Foreign Press
A Backdoor Called "Firestarter" Is Living Inside a Cisco Firewall
Russian security publication Xakep reported on April 28 that a Cisco firewall was found infected with a custom backdoor dubbed Firestarter — corroborating Cisco Talos's same-week findings about UAT-4356, but flagging a previously unreported target detail more prominently than English-language coverage. The implant is engineered for long-term, stealthy access on the network perimeter, giving operators an ongoing window into sensitive communications rather than the smash-and-grab profile of typical ransomware. The combination of a network perimeter device and custom tooling suggests a tailored espionage operation, not opportunism.
Source: Xakep.ru — Russian. No English-language coverage of the additional target detail confirmed at time of publication.
Bitwarden's npm Package Was Hijacked to Steal Developer Credentials
Xakep also reported on April 28 that the npm package distributing Bitwarden — the widely used open-source password manager — was compromised in a supply chain attack designed to harvest credentials from developers who pulled the package into their build systems. This fits a pattern from earlier in 2026 (Axios in March, CPUID in April) where attackers compromise the toolchain rather than the target. There's an unsettling recursion here: a tool whose entire purpose is to protect credentials, briefly turned into a tool for stealing them. Developers who depend on Bitwarden's npm distribution should audit recent build logs and verify package integrity.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
A Single Misplaced Comma Created a 15-Year Root Access Flaw in OpenSSH
Russian outlet SecurityLab.ru reported this week that CVE-2026-35414, a vulnerability in OpenSSH, traces to a single comma in the source code that has sat unnoticed for roughly 15 years and allows root access in about 20 minutes. OpenSSH is the secure-shell software running on essentially every Linux server on the internet — administrators use it to remotely access infrastructure. The recommended fix is upgrading to OpenSSH 10.3 immediately. This hasn't broken into English-language press yet, but bugs of this profile typically get weaponized within days of becoming public.
Source: SecurityLab.ru — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If a second Adobe advisory follows for Acrobat in the next two weeks, it means researchers are finding additional exploitation paths in the same prototype-pollution code, and the current patch isn't the last word.
- If Mozilla's "AI-assisted review found 271 bugs" framing shows up in other browsers' release notes, expect a quiet shift in how foundational software gets audited — and a corresponding spike in patched-but-previously-undisclosed flaws.
- If Vercel customers start reporting follow-on intrusions traced to leaked environment variables, the OAuth supply-chain attack pattern has matured from theoretical to operational, and SOC playbooks need to be rewritten around platform-trust assumptions (specifically: token rotation, short-lived secrets, and deploy-hook auditing).
- If insurers or state attorneys general start scrutinizing the BlackCat negotiator case, ransomware response could be regulated into a professionalized, compliance-heavy discipline with new disclosure and oversight requirements for negotiators.
- If French breach data starts showing up in highly targeted phishing rather than commodity spam, that pattern would suggest a state buyer rather than a simple criminal resale.
- If CISA issues a joint advisory on Firestarter with the FBI or NSA, treat every Cisco perimeter device as a forensic priority, not a patch ticket.
The Closer
This week the PDF on your screen was watching you, the private window wasn't private, and the negotiator you hired to talk down the ransomware gang was on their payroll. Somewhere in Moscow, a developer is realizing a comma they typed in 2010 just got a CVE number. Until next week.
If you know someone whose company runs Cisco FMC, Acrobat, or trusts deleted notifications to actually be deleted — forward this to them.