Real-time security advisories and threat alerts from our Security Operations Center.
RedSun: Unpatched Windows Defender Privilege Escalation PoC (SYSTEM)
A security researcher operating as "Chaotic Eclipse" (GitHub: Nightmare-Eclipse) has published a proof-of-concept exploit named RedSun targeting an unpatched logic flaw in Microsoft Defender. The exploit abuses Defender's cloud-tagged file restoration behavior to overwrite arbitrary files and escalate a standard user to SYSTEM on Windows 10, 11, and Server. Disclosed April 16, 2026; no patch available.
Apache ActiveMQ Input Validation Flaw Added to CISA KEV (13-Year-Old Bug Under Exploitation)
A 13-year-old input validation vulnerability in Apache ActiveMQ Classic (CVE-2026-34197) is under active exploitation and has been added to the CISA Known Exploited Vulnerabilities catalog. CISA has issued a federal patch deadline of April 30, 2026. The flaw allows unauthenticated remote code execution.
Fortinet FortiWeb SQL Injection Added to CISA KEV Under Active Exploitation
A SQL injection vulnerability in Fortinet FortiWeb was added to the CISA Known Exploited Vulnerabilities catalog on April 13, 2026 based on evidence of active exploitation. Attackers can inject crafted SQL via the administrative surface to read or modify data, with follow-on paths to code execution depending on deployment.
HPE Aruba AOS-CX Unauthenticated Auth Bypass in Web Management (Admin Password Reset)
A critical authentication bypass in the AOS-CX web management interface (CVSS 9.8) lets an unauthenticated remote attacker circumvent access controls and, in some cases, reset the administrator password. Affects CX 4100i, 6000, 6100, 6200, 6300, 6400, 8320, 8325, 8360, 9300, and 10000 series switches. Patched in AOS-CX 10.17.1001, 10.16.1030, 10.13.1161, and 10.10.1180.
HPE Aruba Private 5G Platform: Credential Theft via Platform Vulnerability
A vulnerability in the HPE Aruba Private 5G Platform can be exploited to retrieve stored credentials, enabling attacker impersonation of legitimate platform services. Disclosed in April 2026. Given that private 5G deployments increasingly underpin OT and critical-infrastructure networks, operators should treat patching as urgent.
SharePoint Server Spoofing Zero-Day Exploited in April 2026 Patch Tuesday
A spoofing vulnerability in Microsoft SharePoint Server (CVSS 6.5), likely related to cross-site scripting in the admin surface, was patched in the April 2026 Patch Tuesday release. Microsoft confirmed active exploitation prior to the patch.
Windows TCP/IP Remote Code Execution (Wormable, IPv6 + IPSec)
A TCP/IP stack vulnerability in Windows allows unauthenticated remote code execution without user interaction when IPv6 and IPSec are enabled. CVSS 8.1. Microsoft rates it 'wormable' and strongly recommends immediate patching. Addressed in the April 2026 Patch Tuesday.
Windows IKE Extension Double-Free Enables Unauthenticated Remote Code Execution (CVSS 9.8)
A critical double-free vulnerability in the Windows Internet Key Exchange (IKE) Extension allows unauthenticated remote code execution with no user interaction. CVSS 9.8, low attack complexity. Fixed in Microsoft's April 2026 Patch Tuesday. Any Windows system exposing IKE, including VPN and direct-connect scenarios, should be considered at risk until patched.
A critical unauthenticated remote code execution flaw in Fortinet FortiClient EMS is under active exploitation. CVSS 9.1. Added to the CISA Known Exploited Vulnerabilities catalog on April 6, 2026. This is the second unauthenticated RCE disclosed in FortiClient EMS within weeks.
F5 BIG-IP APM Reclassified as Unauthenticated RCE Under Active Exploitation (CVSS 9.8)
F5 reclassified CVE-2025-53521 in BIG-IP Access Policy Manager from a denial-of-service to an unauthenticated remote code execution vulnerability. CVSS 9.8, exploited in the wild to deploy web shells. Affects APM versions 17.5.0 to 17.5.1, 17.1.0 to 17.1.2, 16.1.0 to 16.1.6, and 15.1.0 to 15.1.10. CISA added the CVE to its KEV catalog with an aggressive patch mandate.
A critical memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway is under active exploitation. Attackers send crafted SAML payloads to retrieve adjacent memory content that frequently includes session tokens and in-flight authentication material. CVSS 9.3. Added to CISA KEV.
Ivanti EPMM Unauthenticated Remote Code Execution via Code Injection
Two critical code-injection flaws in Ivanti Endpoint Manager Mobile (CVE-2026-1281 and CVE-2026-1340) allow unauthenticated attackers to execute arbitrary code via crafted HTTP requests. Exploitation requires no authentication and has been observed in the wild before patches were broadly available.