Critical
Windows IKEv2 Remote Code Execution
CVE-2026-33824 · CVSS 9.8 · Unauthenticated, zero interaction
An unauthenticated attacker can trigger remote code execution in the Windows IKEv2 service without user interaction. The vulnerability requires no privileges and is network-exploitable — CVSS 9.8. Affects all currently supported Windows Server versions. PoC circulating in private exploit markets as of April 22.
Action: Patch or firewall-restrict IKE ports before the April 29 deadline.
Critical
Microsoft SharePoint Zero-Day — Actively Exploited
CVE-2026-32201 · CISA KEV — patch deadline April 28
A SharePoint Server zero-day is being actively exploited in the wild. CISA added this to the Known Exploited Vulnerabilities catalog with a mandatory federal remediation deadline of April 28, 2026. Attackers are leveraging the flaw for authenticated RCE on on-premises SharePoint farms. Cloud SharePoint Online customers are not affected — patched server-side by Microsoft.
Action: On-prem SharePoint — patch by April 28 (CISA KEV deadline).
High
CISA KEV Update — Samsung MagicINFO, SimpleHelp, D-Link DIR-823X
CISA KEV Addition — April 24, 2026
CISA added four actively exploited vulnerabilities to the KEV catalog on April 24. Samsung MagicINFO Server RCE (CVE-2025-4632, CVSS 9.8) is the most severe — unauthenticated attackers can write files and execute commands. SimpleHelp RMM path traversal (CVSS 7.5) is being leveraged for persistent access. D-Link DIR-823X firmware has a command injection flaw exploited by Mirai-variant botnets.
Action: Audit environment for Samsung MagicINFO, SimpleHelp RMM, and D-Link DIR-823X.
Critical
MCP Protocol Design Flaw — 7,000+ Servers Affected, Anthropic Declines to Patch
10 CVEs assigned · 150M+ downloads · Unauthenticated RCE potential
Security researchers disclosed 10 CVEs targeting the Model Context Protocol (MCP) — the standard used by Claude, Cursor, Windsurf, and dozens of AI agent frameworks. The flaws allow unauthenticated code execution, tool poisoning, and data exfiltration across 7,000+ MCP servers with 150M+ aggregate downloads. Anthropic acknowledged the findings but stated the issues are "by design" and declined to issue a patch at the protocol level, placing remediation responsibility on individual server implementers.
Action: Inventory all MCP servers, enforce auth, disable unnecessary MCP endpoints.
Critical
Azure MCP Server Authentication Bypass
CVE-2026-32211 · CVSS 9.1 · No authentication required
The official Azure MCP Server has a critical auth bypass flaw (CVSS 9.1) that allows unauthenticated actors to invoke MCP tools with full Azure API access. An attacker with network access to the MCP server can issue arbitrary Azure control-plane commands — creating resources, exfiltrating secrets, and potentially escalating to tenant-level access. The flaw exists due to missing token validation in the MCP tool dispatch handler.
Action: Update Azure MCP, rotate credentials, review 30-day audit logs.
High
CanisterSprawl + TeamPCP Supply Chain Worm — npm / PyPI / Docker Hub
Active supply chain campaign · 3 package registries
GitGuardian researchers identified three simultaneous supply chain campaigns hitting npm, PyPI, and Docker Hub over a 48-hour window. The CanisterSprawl and TeamPCP campaigns deploy worm-propagation logic that copies malicious payloads to other packages in the developer's local environment. Infected packages include typosquats of popular AI/ML utilities. The Docker Hub campaign injects a reverse shell into base images used in CI/CD pipelines.
Action: Audit all package installs from last 7 days, check Docker image integrity.
High
Qilin Ransomware — SEL Engineering Attack (April 20)
Threat Actor: Qilin (RaaS) · Target: Critical infrastructure / OT
Qilin ransomware group claimed responsibility for an attack on Schweitzer Engineering Laboratories (SEL) on April 20, 2026. SEL produces protection relays and automation systems used in power grids globally. The attack is significant because it targets OT-adjacent engineering assets, not just corporate IT. Qilin has been increasingly targeting critical infrastructure and defense-adjacent firms as a deliberate escalation strategy.
Action: Review OT/IT segmentation and backup integrity for engineering systems.
High
Salt Typhoon (PRC) — 200+ Organizations Compromised, Congressional Emails Accessed
Threat Actor: Salt Typhoon (APT41 affiliate) · Sector: Telecom, Government
PRC-linked Salt Typhoon remains active and expanding. TrendMicro confirmed the campaign has now breached 200+ organizations, including US public sector and telecom providers, with congressional staff email inboxes reportedly accessed. The group is maintaining long-term persistent access rather than deploying destructive payloads — consistent with intelligence-collection objectives. The primary entry vector continues to be edge devices (routers, VPN appliances) with unpatched vulnerabilities.
Action: Emergency edge device patching + credential rotation + Salt Typhoon IoC hunt.
Critical
3.2 Billion Record Combo List — Plaintext Passwords + Phone Numbers
Scope: 3.2B records · Format: plaintext credentials · April 2026
A massive credential compilation of 3.2 billion records — including plaintext passwords and linked phone numbers — was circulated on dark web forums in April 2026. The dataset aggregates credentials from multiple prior breaches plus newly exfiltrated data. Phone numbers linked to accounts make this particularly dangerous for SIM-swap attacks and MFA bypass via SMS. The dump is indexed and searchable, making automated credential-stuffing attacks trivial.
Action: Force password resets, migrate off SMS MFA, enable credential stuffing detection.
Medium
Vercel Breach Widening — ShinyHunters Selling Data
Actor: ShinyHunters · Affected: Vercel, Context.ai customers
The Vercel breach first reported the week of April 17 has expanded in scope. ShinyHunters claim to have broader access than initially disclosed and are actively selling datasets on BreachForums. The breach is linked to the OAuth supply chain compromise via Context.ai, which allowed Lumma Stealer to extract session tokens from developer accounts. Developers using Vercel for deployment pipelines should assume environment variables and deployment tokens may be compromised.
Action: Rotate Vercel tokens, audit OAuth grants, review deployment logs.
Critical
Windsurf Zero-Click Prompt Injection RCE
CVE-2026-30615 · Tool: Windsurf AI IDE · No user interaction required
A zero-click prompt injection vulnerability in Windsurf allows an attacker to trigger remote code execution by embedding malicious instructions in a file or repository the developer opens. The AI assistant's context window processes the injected prompt and executes arbitrary shell commands without user confirmation. No proof-of-concept is publicly available, but the attack surface (any opened repository) is extremely broad.
Action: Update Windsurf immediately, disable autonomous shell execution if unpatched.
High
LMDeploy SSRF — Exploited 13 Hours After Disclosure
CVE-2026-33626 · CVSS 7.5 · Patched: LMDeploy 0.12.3
A server-side request forgery (SSRF) vulnerability in LMDeploy's API gateway was exploited in the wild just 13 hours after public disclosure — one of the fastest exploitation timelines observed in 2026. Attackers used the SSRF to reach AWS IMDSv1 metadata endpoints and exfiltrate instance credentials from self-hosted LLM deployments. Patch version 0.12.3 is available.
Action: pip install lmdeploy==0.12.3 + enforce IMDSv2 + rotate AWS credentials.
High
ssh-mcp Command Injection — No Patch Available
CVE-2026-7039 · CVSS 8.5 · No patch as of April 26
The ssh-mcp package — used to expose SSH capabilities to AI agents via MCP — has an unpatched command injection flaw (CVSS 8.5). Malicious tool inputs can break out of the intended SSH command context and execute arbitrary shell commands on the MCP host. No patch is available. The maintainer has been notified.
Action: Remove ssh-mcp from all MCP environments — no patch available.
Medium
Ollama Path Traversal — No Patch Available
CVE-2026-7020 · CVSS 6.3 · No patch as of April 26
A path traversal vulnerability in Ollama's model serving API allows an authenticated user to read arbitrary files on the server host. The flaw is in the model file loading endpoint where path normalization is insufficient. CVSS 6.3 — medium severity, but in enterprise deployments where Ollama serves multiple users or is behind an API gateway, the impact is elevated.
Action: Restrict Ollama to localhost only until patch is available.
01
Do Now
Patch Windows IKEv2 (CVE-2026-33824) + SharePoint (CVE-2026-32201)
Apply April 2026 Patch Tuesday updates. CISA deadline April 28 for SharePoint. Firewall-restrict IKE UDP 500/4500 if patching is delayed.
02
Do Now
Audit and secure all MCP servers — disable unauthenticated endpoints
Inventory all MCP servers, enforce auth on every endpoint, remove ssh-mcp, update Azure MCP, and rotate credentials. Anthropic will not patch at the protocol level.
03
Do Now
Force password resets + migrate from SMS MFA — 3.2B record credential dump
Run HaveIBeenPwned Enterprise check on your domain. Force resets on affected accounts. Move all accounts to TOTP/hardware key MFA. Credential stuffing attacks from this dump are already underway.
04
Today
Update LMDeploy to 0.12.3 + enforce AWS IMDSv2
pip install lmdeploy==0.12.3. Enforce IMDSv2 on all EC2 instances. Block 169.254.169.254 at host firewall. Rotate all AWS credentials accessible from affected hosts.
05
This Week
Update Windsurf, restrict Ollama to localhost, audit Salt Typhoon IoCs on edge devices
Update Windsurf to latest version. Patch edge network devices against Salt Typhoon entry vectors. Review CISA AA24-038A for specific detection guidance. Rotate edge device credentials.
// biggest risk this period
MCP protocol design flaw enables unauthenticated RCE across 7,000+ AI servers — Anthropic declined to patch.
The MCP ecosystem is the connective tissue of modern AI development tooling — Claude, Cursor, Windsurf, and hundreds of agent frameworks all rely on it. With 10 CVEs assigned, 7,000+ servers exposed, and 150M+ downloads, and with Anthropic declining to fix the underlying protocol, every AI-enabled development environment is now a potential attack surface. Remediation requires manual action by every individual server implementer — meaning most will remain vulnerable for months.
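Added example (not part of the original briefing): a starting point for the MCP inventory, reading a client configuration in the common `mcpServers` layout and flagging entries that run ssh-mcp or point at a remote server with no transport security or credential configured. The sample config, server names and hosts are constructed, and the `url`/`headers` keys are an assumption about the client's config schema; a missing `Authorization` header is a prompt to review the entry, since some clients authenticate by other means.

```python
import json

# Constructed client config in the "mcpServers" layout (not a real environment).
SAMPLE_CONFIG = json.loads("""
{"mcpServers": {
  "files":   {"command": "npx",
              "args": ["-y", "@modelcontextprotocol/server-filesystem", "/srv/docs"]},
  "ops-ssh": {"command": "npx", "args": ["-y", "ssh-mcp"]},
  "azure":   {"url": "http://mcp.internal.example:8080/mcp"},
  "search":  {"url": "https://mcp.example.com/mcp",
              "headers": {"Authorization": "Bearer ${SEARCH_TOKEN}"}}
}}
""")

def inventory(config, blocked=("ssh-mcp",)):
    """Return a sorted list of (name, kind, notes) for every configured server."""
    report = []
    for name, entry in sorted(config.get("mcpServers", {}).items()):
        notes = []
        if "url" in entry:
            kind = "remote"
            if not entry["url"].lower().startswith("https://"):
                notes.append("cleartext transport")
            header_names = {k.lower() for k in entry.get("headers", {})}
            if "authorization" not in header_names:
                notes.append("no Authorization header configured")
        else:
            kind = "local"
            words = [entry.get("command", "")] + list(entry.get("args", []))
            for pkg in blocked:
                # Match the bare package name or a pinned form such as pkg@1.2.3.
                if any(w == pkg or w.startswith(pkg + "@") for w in words):
                    notes.append(f"runs {pkg}: remove, no patch available")
        report.append((name, kind, notes))
    return report

if __name__ == "__main__":
    for name, kind, notes in inventory(SAMPLE_CONFIG):
        print(f"{name:8} {kind:7} {'; '.join(notes) or 'ok'}")
```
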