IT SECURITY • April 23, 2026 • 6 min read

ZYMP IT Security — April 23, 2026

Today’s cybersecurity roundup highlights critical vulnerabilities, active exploitation, and significant security incidents. CISA has added eight newly exploited vulnerabilities to its KEV catalog, setting federal patching deadlines for April 23 and May 4. Meanwhile, Vercel disclosed a security incident originating from a compromised third-party AI tool, and Microsoft’s Patch Tuesday addresses 164 vulnerabilities, including one actively exploited zero-day. Infrastructure attacks and botnet takedowns demonstrate the evolving threat landscape across operational technology and IoT devices.

CISA Adds 8 Exploited Flaws to KEV, Sets Federal Patching Deadlines

USA

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including three Cisco Catalyst SD-WAN Manager flaws, citing evidence of active exploitation. The vulnerabilities span multiple vendors: PaperCut NG/MF (CVE-2023-27351), JetBrains TeamCity (CVE-2024-27199), Kentico Xperience (CVE-2025-2749), Quest KACE SMA (CVE-2025-32975), Synacor Zimbra Collaboration Suite (CVE-2025-48700), and three Cisco SD-WAN Manager issues (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133).

Federal Civilian Executive Branch (FCEB) agencies have been directed to address the three Cisco vulnerabilities by April 23, 2026, and the remaining five by May 4, 2026. Exploitation of CVE-2023-27351 has been attributed to Lace Tempest, a threat actor connected to Cl0p and LockBit ransomware operations, while CVE-2025-32975 (CVSS 10.0) allows attackers to impersonate legitimate users without valid credentials on the Quest KACE Systems Management Appliance.
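KEV due dates only matter once they are joined to what an organization actually runs. The script below is an added example (not part of the roundup and not CISA tooling): it reads a feed in the shape of CISA's public KEV JSON (the field names `cveID`, `vendorProject`, `product`, `dueDate` and `knownRansomwareCampaignUse` are those of the real feed), matches entries against a local asset inventory, and orders the hits by deadline so that overdue and ransomware-linked items surface first. The feed excerpt uses the eight CVE IDs and two due dates from this item; the vendor/product strings, ransomware flags, and the inventory are constructed sample data.

```python
"""Triage a CISA KEV catalog feed against a local asset inventory (added example)."""
from __future__ import annotations

import json
from datetime import date

# Constructed excerpt in the shape of the KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the fields triage needs are populated. CVE IDs and due dates are the ones
# reported above; product strings and ransomware flags are example values.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
         "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-20128", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
         "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-20133", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
         "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "PaperCut NG/MF",
         "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-27199", "vendorProject": "JetBrains", "product": "TeamCity",
         "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-2749", "vendorProject": "Kentico", "product": "Xperience",
         "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-32975", "vendorProject": "Quest", "product": "KACE Systems Management Appliance",
         "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-48700", "vendorProject": "Synacor", "product": "Zimbra Collaboration Suite",
         "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory: product name -> hostnames running it.
INVENTORY: dict[str, list[str]] = {
    "Catalyst SD-WAN Manager": ["sdwan-mgr-01"],
    "KACE Systems Management Appliance": ["kace-01", "kace-02"],
    "PaperCut NG/MF": ["print-01"],
    "Zimbra Collaboration Suite": [],  # decommissioned; no hosts, so it is skipped
}


def triage(kev_feed: str, inventory: dict[str, list[str]], today: date) -> list[dict]:
    """Return KEV entries that apply to the inventory, most urgent first.

    Each hit carries the affected hosts, days until the CISA due date
    (negative means the deadline has passed) and whether the catalog ties the
    flaw to a known ransomware campaign. Matching is case-insensitive on the
    KEV ``product`` string, so inventory names must use the catalog's spelling.
    """
    by_product = {name.casefold(): hosts for name, hosts in inventory.items() if hosts}
    hits = []
    for entry in json.loads(kev_feed)["vulnerabilities"]:
        hosts = by_product.get(entry["product"].casefold())
        if not hosts:
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        hits.append({
            "cve": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "hosts": list(hosts),
            "due": due.isoformat(),
            "days_left": days_left,
            "overdue": days_left < 0,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    # Earliest deadline first; among equal deadlines, ransomware-linked first; CVE ID breaks ties.
    hits.sort(key=lambda h: (h["days_left"], not h["ransomware"], h["cve"]))
    return hits


def overdue(hits: list[dict]) -> list[str]:
    """CVE IDs among the hits whose due date has already passed."""
    return [h["cve"] for h in hits if h["overdue"]]


if __name__ == "__main__":
    for h in triage(SAMPLE_KEV, INVENTORY, date(2026, 4, 23)):
        status = "OVERDUE" if h["overdue"] else f'{h["days_left"]}d left'
        print(f'{h["cve"]:16} {h["product"]:40} {status:10} {", ".join(h["hosts"])}')
```

Against the real feed, replace `SAMPLE_KEV` with the downloaded JSON and feed the inventory from a CMDB export; the deadlines in the feed are CISA's FCEB dates, so non-federal organizations should treat them as a floor rather than a target.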

Vercel Discloses Security Incident via Compromised Third-Party AI Tool

USA

Vercel has identified a security incident involving unauthorized access to internal systems, originating from a compromise of Context.ai, a third-party AI tool used by a Vercel employee. The attacker abused the compromised tool's Google Workspace OAuth app to take over the employee's individual Vercel account, then pivoted into Vercel's environment to enumerate and decrypt environment variables that had been stored without the "sensitive" flag (the Vercel setting that prevents a variable's value from being read back after it is created).

The company initially identified a limited subset of affected customers but has since discovered additional compromised accounts through expanded investigation. Vercel has engaged Google Mandiant, other cybersecurity firms, and law enforcement. The company confirmed that npm packages published by Vercel remain uncompromised, with no evidence of supply chain tampering. Affected customers have been notified to rotate potentially exposed credentials and enable multi-factor authentication.

Microsoft Patch Tuesday Addresses 164 Vulnerabilities Including Exploited Zero-Day

USA

Microsoft’s April 2026 security update addresses 164 vulnerabilities, double the number from March 2026, including one exploited zero-day vulnerability (CVE-2026-32201), one previously disclosed zero-day (CVE-2026-33825), and eight Critical-rated issues. The actively exploited vulnerability affects Microsoft SharePoint Server (CVSS 6.5), allowing unauthenticated remote attackers to perform spoofing via improper input validation.

Critical vulnerabilities include Windows TCP/IP (CVE-2026-33827, CVSS 8.1), Windows IKE Service Extensions (CVE-2026-33824, CVSS 9.8), Remote Desktop Client (CVE-2026-32157, CVSS 8.8), Microsoft Office and Word (CVE-2026-32190, CVE-2026-33114, CVE-2026-33115, all CVSS 8.4), Windows Active Directory (CVE-2026-33826, CVSS 8.0), and .NET Framework (CVE-2026-23666, CVSS 7.5). Elevation of privilege vulnerabilities dominate this month’s patches at 57% (93 issues), followed by remote code execution and information disclosure at 12% each.

Cyberattacks Targeting US Infrastructure Escalate Amid Middle East Conflict

GLOBAL

A joint advisory from U.S. agencies warns that cyber activity targeting critical infrastructure has escalated in recent weeks amid the Middle East conflict, highlighting how geopolitical tensions are increasingly manifesting in cyberspace. Attackers are exploiting internet-exposed operational technology (OT) devices across energy, water, and local government systems, with several incidents already causing operational disruption and financial loss.

The advisory notes that widespread use of OT devices and their frequent exposure to the public internet make them attractive targets. In documented cases, attackers have manipulated data on industrial control interfaces and extracted sensitive system files. Organizations are urged to assume they could be targeted and review systems for vulnerabilities, particularly where industrial devices are directly exposed to the internet. Basic mitigations include removing public-facing access, implementing multi-factor authentication, and monitoring for unusual network activity.

Global Operation Disrupts Botnets That Infected Over 3 Million Devices

GLOBAL

A coordinated law enforcement operation across the United States, Germany, and Canada has dismantled infrastructure behind four major botnets that infected more than 3 million IoT devices worldwide, including webcams, routers, and digital video recorders. The compromised devices were used to launch large-scale distributed denial-of-service (DDoS) attacks, with targets including U.S. Department of Defense systems.

The botnets operated on a “cybercrime-as-a-service” model, selling access to compromised devices to other actors while also extorting victims and causing significant financial losses. Authorities report that the networks enabled hundreds of thousands of attacks worldwide. The takedown underscores ongoing risks posed by insecure connected devices, with experts warning that weak passwords and unpatched systems continue to provide entry points for attackers, turning everyday hardware into tools for large-scale disruption.

ZY Media Productions

IT • Music • Technology