Coverage: April 28 – May 1, 2026 · 5 areas: CVEs & Exploits, AI & Supply Chain, Threat Actors, Dark Web, AI News
Incomplete fix for CVE-2026-21510 (exploited by APT28) left a zero-click authentication coercion gap via auto-parsed LNK files. A malicious LNK causes the Windows Shell to initiate an SMB connection automatically, leaking the victim's Net-NTLMv2 hash with no user interaction required. The hash can be relayed or cracked offline for lateral movement. Added to CISA KEV April 29, 2026; federal patch deadline May 12.
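As an added example (not code from the advisory or from Microsoft), a detection-side reader for Shell Link (.lnk) files that pulls out the StringData fields and flags any that name a UNC path, which is the property that makes the shell open an SMB connection on render. Header layout and flag bits follow the [MS-SHLLINK] specification; the LinkTargetIDList and LinkInfo block are skipped rather than decoded, and `build_sample_lnk` constructs the test fixture with a placeholder host name.

```python
import struct

HEADER_SIZE = 0x4C                # ShellLinkHeader is always 76 bytes
# LinkFlags bits from MS-SHLLINK 2.1.1 (only the ones this reader needs)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]


def parse_string_data(data: bytes) -> dict:
    """Return the StringData fields present in a .lnk byte string."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        # IDListSize (2 bytes) is followed by that many bytes of item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        # LinkInfoSize (4 bytes) includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode_strings = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        width = 2 if unicode_strings else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        codec = "utf-16-le" if unicode_strings else "cp1252"
        fields[name] = raw.decode(codec, errors="replace")
    return fields


def remote_references(data: bytes) -> list:
    """(field, value) pairs whose value is a UNC path, i.e. would trigger SMB."""
    hits = []
    for name, value in parse_string_data(data).items():
        if value.startswith("\\\\") or value.startswith("//"):
            hits.append((name, value))
    return hits


def build_sample_lnk(icon_location: str) -> bytes:
    """Constructed fixture: a header with only HasIconLocation|IsUnicode set,
    followed by a single ICON_LOCATION string. Not a real shortcut file."""
    link_clsid = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        HEADER_SIZE, link_clsid, HAS_ICON_LOCATION | IS_UNICODE,
        0,           # FileAttributes
        0, 0, 0,     # CreationTime, AccessTime, WriteTime
        0, 0,        # FileSize, IconIndex
        1,           # ShowCommand = SW_SHOWNORMAL
        0, 0, 0, 0,  # HotKey, Reserved1, Reserved2, Reserved3
    )
    return header + struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")


if __name__ == "__main__":
    sample = build_sample_lnk("\\\\placeholder.invalid\\share\\icon.ico")
    print(remote_references(sample))
```

This is a first-pass triage for mail gateways or quarantine folders, not a full parser: a complete scanner should also decode the LinkTargetIDList and the EnvironmentVariableDataBlock in ExtraData, since either can carry a remote path as well. The network-side controls that blunt this class regardless of file format are blocking outbound TCP/445 to the internet and the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy.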
Race condition (TOCTOU) in Windows Defender's file remediation logic allows local privilege escalation. An attacker places a file that triggers a Defender scan, uses an oplock to pause remediation mid-flight, then redirects the file path via an NTFS junction to System32 — causing Defender to overwrite a system binary with attacker-controlled content as SYSTEM. Proof-of-concept "BlueHammer" was publicly released before the patch. Two companion techniques (RedSun, UnDefend) disclosed April 16 with live exploitation observed. CVSS 7.8.
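The bug class, reproduced as an added example (not Defender's code or the BlueHammer PoC): a path is validated at time of check, the attacker swaps what the path names, and the time-of-use write lands on a different file. The swap here is a hard link on POSIX rather than an oplock-plus-junction on NTFS, so the race is deterministic and runs anywhere; `naive_write` trusts the path a second time, `pinned_write` compares the opened handle's identity with the identity captured at check time and writes only through that handle. All file names are constructed.

```python
import os
import stat
import tempfile


def check_target(path: str) -> os.stat_result:
    """Time of check: the path must name a regular file (no symlink)."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("not a regular file")
    return st


def naive_write(path: str, data: bytes) -> None:
    """Time of use, racy: trusts the path checked earlier, so whatever the
    path names *now* gets overwritten."""
    with open(path, "wb") as fh:
        fh.write(data)


def pinned_write(path: str, data: bytes, expected: os.stat_result) -> None:
    """Time of use, hardened: open without following a final-component link,
    prove the handle is the same inode that was checked, and only then
    truncate and write through that handle, never through the path again."""
    fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)   # no O_TRUNC before the check
    try:
        st = os.fstat(fd)
        if (st.st_dev, st.st_ino) != (expected.st_dev, expected.st_ino):
            raise RuntimeError("file identity changed between check and use")
        os.ftruncate(fd, 0)
        os.write(fd, data)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed race: between check and write, the quarantined file is
    replaced by a hard link to a protected file at the same path."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "protected.bin")
        quarantine = os.path.join(d, "quarantine.bin")
        for case in ("naive", "pinned"):
            for p in (protected, quarantine):      # fresh inodes for every run
                if os.path.lexists(p):
                    os.remove(p)
            with open(protected, "wb") as fh:
                fh.write(b"ORIGINAL")
            with open(quarantine, "wb") as fh:
                fh.write(b"SUSPICIOUS")
            checked = check_target(quarantine)
            # Attacker's window: same path, different file. A hard link is used
            # so that O_NOFOLLOW alone would not stop it; only the identity
            # comparison does.
            os.remove(quarantine)
            os.link(protected, quarantine)
            try:
                if case == "naive":
                    naive_write(quarantine, b"CLEANED")
                else:
                    pinned_write(quarantine, b"CLEANED", checked)
                results[case + "_refused"] = False
            except RuntimeError:
                results[case + "_refused"] = True
            with open(protected, "rb") as fh:
                results[case + "_protected"] = fh.read()
    return results


if __name__ == "__main__":
    print(demo())
```

Two details carry the lesson. Truncation happens after the identity check, because `O_TRUNC` on open would already have damaged the wrong file. And `O_NOFOLLOW` covers only the final path component: a redirected parent directory (the junction into System32 in the Defender case) is defeated only by opening the directory itself and then opening the file relative to that handle (`os.open(name, flags, dir_fd=...)` on POSIX; a RootDirectory handle in the object attributes on Windows).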
Three-CVE chain in the SimpleHelp RMM platform actively exploited by DragonForce ransomware for MSP supply-chain attacks. CVE-2024-57726 (CVSS 9.9) provides privilege escalation without authentication. CVE-2024-57728 (CVSS 7.2) enables zip-slip arbitrary file upload for remote code execution. CVE-2024-57727 provides path traversal for reconnaissance. DragonForce uses the MSP foothold to pivot to all downstream customer environments. CISA KEV federal deadline: May 8, 2026.
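The zip-slip primitive in CVE-2024-57728 is an archive entry whose name escapes the extraction directory. As an added example (not SimpleHelp's code), an extractor that resolves each entry against the destination and refuses traversal, absolute names, and symlink entries before writing anything; the fixture archives are constructed in memory.

```python
import io
import os
import stat
import tempfile
import zipfile
from pathlib import Path


def safe_extract(archive: bytes, dest: str) -> list:
    """Extract an in-memory zip into dest and return the relative paths written.

    Raises ValueError on the first entry that would land outside dest, has an
    absolute name, or is a symlink (a symlink entry can redirect later writes)."""
    root = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
                raise ValueError(f"absolute entry name rejected: {name!r}")
            # Unix mode bits live in the high 16 bits of external_attr.
            if stat.S_ISLNK(info.external_attr >> 16):
                raise ValueError(f"symlink entry rejected: {name!r}")
            # Resolve the *full* path and require it to stay under root; this
            # catches "../x", "a/../../x" and backslash variants alike.
            target = (root / name.replace("\\", "/")).resolve()
            if os.path.commonpath([root, target]) != str(root):
                raise ValueError(f"traversal entry rejected: {name!r}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(str(target.relative_to(root)))
    return written


def make_archive(entries: dict) -> bytes:
    """Constructed fixture: in-memory zip built from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> dict:
    """Run the extractor on a benign archive and on a zip-slip archive."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "uploads")
        os.mkdir(dest)
        out["extracted"] = safe_extract(make_archive({"docs/readme.txt": "hello"}), dest)
        try:
            safe_extract(make_archive({"../escaped.txt": "x"}), dest)
            out["rejected"] = None
        except ValueError as exc:
            out["rejected"] = str(exc)
        out["escaped_written"] = os.path.exists(os.path.join(d, "escaped.txt"))
    return out


if __name__ == "__main__":
    print(demo())
```

Python's own `ZipFile.extractall` normalizes entry names, so the bug mostly appears in hand-rolled extractors (Java's `ZipEntry` loop being the classic case); the check above is the one to port. A further safeguard for an upload endpoint is to extract into a fresh temporary directory and move the result into place only after the whole archive has validated.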
Path traversal in Samsung MagicINFO digital signage server (CVSS 8.8) allows unauthenticated attackers to write arbitrary files as system authority. Actively exploited by Mirai botnet variants for persistence and DDoS staging. Added to CISA KEV with federal patch deadline May 8, 2026.
Command injection via POST to /goform/set_prohibiting endpoint in the D-Link DIR-823X router. End-of-life device — no patch will ever be issued. The "Tuxnokill" Mirai botnet variant is actively deploying via this vulnerability. CISA KEV federal deadline: May 8, 2026. CVSS 7.5.
Maximum-severity RCE in Google Gemini CLI and the run-gemini-cli GitHub Action. In headless/CI mode, Gemini CLI automatically trusted any workspace folder for loading configuration and environment variables — without review, sandboxing, or user approval. An attacker who could place content in a repository workspace (via pull request) could plant a malicious .gemini/ config that the agent silently executed on the host system before any sandbox initialized. The --yolo flag also bypassed all tool allowlists. Impact: CI/CD secrets theft, supply-chain pivot, and lateral movement via GitHub Actions environment variables.
Cursor's AI agent does not validate .git/hooks or nested bare repository content during autonomous Git operations. An attacker embeds a malicious bare repository with a poisoned pre-commit hook inside a legitimate-looking public repository. When Cursor's agent runs a Git operation inside that embedded context (triggered by Cursor Rules), the hook fires automatically — no user prompt, no warning. Result: attacker code execution directly on the developer's machine. Patched in Cursor 2.5 (disclosed April 28, 2026). No in-the-wild exploitation confirmed yet.
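The Gemini CLI and Cursor entries share a root cause: content that arrived with the repository (an agent config directory, a Git hook, a nested bare repository) was treated as trusted and acted on. As an added example (not code from either project), a pre-flight scan a CI job or agent wrapper can run over a checkout and fail closed on; `.gemini` comes from the Gemini CLI entry, the other directory names and hook names are assumptions, and the fixture workspace is constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

# Directory names an agent reads configuration from. ".gemini" is named in the
# Gemini CLI entry; the rest are assumptions for this example.
AGENT_CONFIG_DIRS = {".gemini", ".cursor", ".claude"}
# Hook names git runs automatically for common operations (any executable file
# with one of these names under <repo>/hooks is live).
GIT_HOOK_NAMES = {"pre-commit", "prepare-commit-msg", "commit-msg", "post-commit",
                  "post-checkout", "post-merge", "pre-push", "pre-rebase"}


def looks_like_bare_repo(d: Path) -> bool:
    """A bare repository carries HEAD, objects/ and refs/ at its top level,
    so it can be committed into another repo as ordinary content."""
    return (d / "HEAD").is_file() and (d / "objects").is_dir() and (d / "refs").is_dir()


def active_hooks(repo_dir: Path, root: Path) -> list:
    """Executable, non-sample hook scripts under <repo>/hooks."""
    hooks_dir = repo_dir / "hooks"
    if not hooks_dir.is_dir():
        return []
    return [str(f.relative_to(root)) for f in sorted(hooks_dir.iterdir())
            if f.name in GIT_HOOK_NAMES and f.is_file()
            and os.stat(f).st_mode & stat.S_IXUSR]


def scan_workspace(root: str) -> dict:
    """Findings keyed by category; paths are relative to root."""
    root_path = Path(root).resolve()
    findings = {"agent_config": [], "nested_repos": [], "hooks": []}
    for dirpath, dirnames, _ in os.walk(root_path):
        here = Path(dirpath)
        for name in sorted(dirnames):
            child = here / name
            rel = str(child.relative_to(root_path))
            if name in AGENT_CONFIG_DIRS:
                findings["agent_config"].append(rel)
            if name == ".git" or looks_like_bare_repo(child):
                if child != root_path / ".git":   # the checkout's own metadata is expected
                    findings["nested_repos"].append(rel)
                findings["hooks"].extend(active_hooks(child, root_path))
    return findings


def should_proceed(findings: dict, trusted: frozenset = frozenset()) -> bool:
    """Fail closed: every finding must be explicitly trusted by the operator."""
    return all(item in trusted for items in findings.values() for item in items)


def build_fixture(root: str) -> None:
    """Constructed workspace: an ordinary project plus a hidden bare repo with
    an executable pre-commit hook and an agent config directory."""
    r = Path(root)
    (r / "src").mkdir()
    (r / "src" / "main.py").write_text("print('hello')\n")
    (r / ".gemini").mkdir()
    (r / ".gemini" / "settings.json").write_text("{}\n")
    bare = r / "vendor" / "helper"
    for sub in ("objects", "refs", "hooks"):
        (bare / sub).mkdir(parents=True)
    (bare / "HEAD").write_text("ref: refs/heads/main\n")
    hook = bare / "hooks" / "pre-commit"
    hook.write_text("#!/bin/sh\necho placeholder-hook\n")
    hook.chmod(0o755)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        build_fixture(d)
        return scan_workspace(d)


if __name__ == "__main__":
    print(demo())
```

Run the scan before the agent step and gate on `should_proceed` with an allowlist the operator maintains outside the repository. For the Git operations an agent performs, `git -c core.hooksPath=<empty directory>` prevents any repository-supplied hook from firing at all, and auto-trust or allowlist-bypass switches such as `--yolo` have no place in a CI invocation that holds secrets.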
OX Security disclosed a systemic architectural weakness in Anthropic's MCP SDK enabling arbitrary command execution across any MCP implementation. Attack paths: unauthenticated command injection via MCP STDIO, zero-click prompt injection leading to STDIO config rewrite, and MCP marketplace supply-chain attacks. Ten CVEs assigned across LangChain, LangFlow, Flowise (CVE-2026-40933), LiteLLM, LettaAI, LangBot, and others. Anthropic declined to change the protocol architecture — the core SDK risk remains unfixed. 7,000+ public MCP servers, 150M+ downloads affected.
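An STDIO transport starts a subprocess and speaks JSON-RPC over its pipes, so the server definition's `command` and `args` (which may come from a marketplace listing, or from config an injected prompt rewrote) are an execution boundary. As an added example (not code from the MCP SDK or any framework named above), the vulnerable shell-string pattern beside a launcher that pins executables to an operator allowlist, refuses metacharacters, never invokes a shell, and hands the child a minimal environment. The allowlist paths and the blocked variable names are assumptions for the example.

```python
import re
import subprocess

# Executables an operator has reviewed, mapped to absolute paths so PATH lookup
# cannot be influenced. The entries are assumptions for this example.
APPROVED_COMMANDS = {
    "python3": "/usr/bin/python3",
    "node": "/usr/bin/node",
}
# Arguments are plain tokens: no quotes, spaces, or shell metacharacters.
_SAFE_ARG = re.compile(r"^[A-Za-z0-9_./:=@%+,-]*$")
_SAFE_ENV_KEY = re.compile(r"^[A-Z][A-Z0-9_]*$")
# Variables that change what a child process loads or executes.
_BLOCKED_ENV = {"PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH",
                "PYTHONSTARTUP", "NODE_OPTIONS"}


def launch_unsafe(server: dict) -> subprocess.Popen:
    """Vulnerable pattern: the server definition is flattened into one string
    and handed to /bin/sh, so any metacharacter in it becomes shell syntax."""
    cmdline = server["command"] + " " + " ".join(server.get("args", []))
    return subprocess.Popen(cmdline, shell=True,
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE)


def validate_server(server: dict) -> list:
    """Return an argv for the definition, or raise ValueError explaining why
    it was refused. Nothing here is ever interpreted by a shell."""
    command = server.get("command", "")
    if command not in APPROVED_COMMANDS:
        raise ValueError(f"command not in allowlist: {command!r}")
    argv = [APPROVED_COMMANDS[command]]
    for arg in server.get("args", []):
        if not isinstance(arg, str) or not _SAFE_ARG.match(arg):
            raise ValueError(f"argument rejected: {arg!r}")
        argv.append(arg)
    for key, value in server.get("env", {}).items():
        if not _SAFE_ENV_KEY.match(key) or key in _BLOCKED_ENV:
            raise ValueError(f"environment key rejected: {key!r}")
        if not isinstance(value, str) or "\x00" in value:
            raise ValueError(f"environment value rejected for {key!r}")
    return argv


def check(server: dict) -> str:
    """'ok' or the refusal message; convenient for policy tests and logging."""
    try:
        validate_server(server)
        return "ok"
    except ValueError as exc:
        return str(exc)


def launch_hardened(server: dict) -> subprocess.Popen:
    """Spawn the server with an argv list, no shell, and a minimal environment."""
    argv = validate_server(server)
    env = {"PATH": "/usr/bin:/bin", **server.get("env", {})}   # PATH cannot be overridden: it is blocked above
    return subprocess.Popen(argv, shell=False, env=env, close_fds=True,
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE)


if __name__ == "__main__":
    print(check({"command": "python3", "args": ["-m", "demo_server"]}))
```

The allowlist is the part that addresses the marketplace path: a definition that names an unreviewed binary is refused before any process starts, regardless of how well-formed its arguments are. Per-framework patches that only escape metacharacters leave the executable choice in the attacker's hands.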
SSRF in LMDeploy's vision-language module exploited 12 hours 31 minutes after advisory publication — no public PoC required. The load_image() function fetches arbitrary URLs without validating private IP ranges. Observed attack chain: AWS IMDS metadata theft → Redis port scan → OOB DNS exfiltration → internal network sweep (MySQL 3306, Redis 6379, HTTP 8080). Attacker IP 103.116.72.119 used the inference endpoint as a generic SSRF proxy to map and enumerate internal networks. CVSS 7.5.
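As an added example (not LMDeploy's code), the validation a `load_image()`-style helper needs: resolve the host first, require every resulting address to be globally routable (so loopback, RFC 1918, the 169.254.169.254 link-local address and IPv4-mapped IPv6 forms all fail), connect to the vetted address rather than re-resolving the name, and re-run the check on every redirect hop. The resolver is injectable so the check can be exercised offline; the host names in the test are constructed.

```python
import http.client
import ipaddress
import socket
import ssl
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses. Loopback, RFC 1918,
    link-local (169.254.169.254 is the AWS IMDS address), CGNAT and the
    documentation ranges all fail; IPv4-mapped IPv6 is unwrapped first."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def resolve_all(host: str) -> list:
    """Default resolver: every address the name currently resolves to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_url(url: str, resolver=resolve_all) -> str:
    """Return the vetted IP to connect to, or raise ValueError.
    Every resolved address must be public, so a name that mixes public and
    private answers (a rebinding setup) is refused outright."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL rejected")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addrs = [str(ipaddress.ip_address(host))]     # literal IP, no DNS
    except ValueError:
        addrs = resolver(host)                         # name: resolve here, once
    if not addrs:
        raise ValueError(f"unresolvable host: {host!r}")
    for ip in addrs:
        if not is_public_address(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return addrs[0]


def rejected(url: str, resolver=resolve_all) -> bool:
    """Policy helper: True if check_url refuses the URL."""
    try:
        check_url(url, resolver)
        return False
    except ValueError:
        return True


def open_pinned(scheme: str, host: str, ip: str, port: int) -> http.client.HTTPConnection:
    """Connect to the vetted IP (not to the name, which could resolve
    differently a second time) while still validating TLS against the name."""
    raw = socket.create_connection((ip, port), timeout=10)
    if scheme == "https":
        conn = http.client.HTTPSConnection(host, port, timeout=10)
        conn.sock = ssl.create_default_context().wrap_socket(raw, server_hostname=host)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.sock = raw
    return conn


def fetch_image(url: str, resolver=resolve_all, max_redirects: int = 3,
                max_bytes: int = 10_000_000) -> bytes:
    """Fetch url with every hop (including redirects) re-validated."""
    for _ in range(max_redirects + 1):
        ip = check_url(url, resolver)
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        conn = open_pinned(parts.scheme, parts.hostname, ip, port)
        try:
            path = parts.path or "/"
            if parts.query:
                path += "?" + parts.query
            conn.request("GET", path, headers={"Host": parts.hostname})
            resp = conn.getresponse()
            if resp.status in (301, 302, 303, 307, 308):
                url = urljoin(url, resp.getheader("Location") or "")
                continue                                 # loop re-checks the new target
            if resp.status != 200:
                raise ValueError(f"unexpected status {resp.status}")
            return resp.read(max_bytes)
        finally:
            conn.close()
    raise ValueError("too many redirects")
```

Pinning the connection to the checked address is what closes the rebinding gap; a library that validates and then hands the URL to a client which resolves the name again has only checked a different answer. In cloud deployments, requiring IMDSv2 (a session token on the metadata service) on the instance is an independent layer, so a future SSRF in the same process still cannot read credentials with a bare GET.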
Authentication bypass in nginx-ui's MCP integration. The /mcp_message endpoint — which handles all destructive tool invocations — is missing the AuthRequired() middleware applied to its paired /mcp endpoint. Default IP whitelist is empty and configured fail-open (empty = allow all). Two-step exploit: GET /mcp to establish session, then POST /mcp_message with no credentials to invoke any of 12 MCP tools including nginx_config_add (auto-reloads nginx). Post-exploitation: admin JWT theft, JwtSecret extraction, persistent forged tokens. Chainable with CVE-2026-27944 (CVSS 9.8) for full unauthenticated takeover. ~2,689 instances on Shodan. VulnCheck KEV listed April 13, 2026. CVSS 9.8.
Russian APT28 (Fancy Bear / Sofacy) exploited CVE-2026-21510 against Ukraine and EU government targets, directly triggering the April 29 CISA KEV emergency addition of CVE-2026-32202 (the incomplete fix). CERT-UA confirmed the campaign began with spear-phishing impersonating Ukraine's hydro-meteorological center. TTPs: LNK weaponization, SmartScreen bypass chain (CVE-2026-21513 + CVE-2026-21510), NTLM credential coercion for lateral movement into government and critical infrastructure networks.
NightSpire ransomware group exploits CVE-2024-55591 (critical FortiOS/FortiProxy authentication bypass granting super-admin privileges) for initial access. Lateral movement via PowerShell, PsExec, and WMI (living-off-the-land binaries). 74 confirmed victims in Q1 2026, 175 total since emergence across 28 industries. Focus sectors: enterprise technology, manufacturing, government. Double extortion model — data is exfiltrated before encryption and published when ransom negotiations fail.
Home security company ADT suffered a breach detected April 20, 2026. ShinyHunters executed a vishing (voice phishing) attack against an ADT employee, compromising their Okta SSO credentials to access Salesforce systems. ShinyHunters claims 10M records; HaveIBeenPwned independently counts 5.5M unique emails. Data exposed: names, phone numbers, addresses, and partial SSN/Tax IDs. No payment card data or home security systems were affected. ShinyHunters published the data after ransom negotiations failed. The attack vector highlights the ongoing effectiveness of voice social engineering against SSO gatekeepers.
Zero-trust headless mode in Google Gemini CLI auto-trusted workspace configurations, enabling full RCE before sandbox initialization. Affects all versions prior to 0.39.1. Patched in npm 0.39.1 and GitHub Action v0.1.22. Active since at least April 29, 2026.
Malicious bare repo with poisoned pre-commit hook executes silently during Cursor AI Git operations. No user interaction required. Patched in Cursor 2.5.
Systemic STDIO command injection flaw in Anthropic MCP SDK affecting LangChain, LangFlow, Flowise, LiteLLM, and 7,000+ public servers. No core SDK fix from Anthropic — mitigate via isolation and per-framework patches.
SSRF in vision-language load_image() enables AWS IMDS theft and internal network enumeration. Exploited within hours of disclosure — no PoC needed. Patched in 0.12.3.
Missing AuthRequired() middleware on /mcp_message endpoint allows unauthenticated MCP tool invocation on 2,689+ publicly exposed nginx-ui instances. Actively exploited as of April 13, 2026. Patched in v2.3.4.
The EU AI Act's most substantive obligations activate in 90 days. High-risk AI system operators must have completed conformity assessments, data governance frameworks, transparency documentation, and human oversight mechanisms by August 2, 2026. Article 50 transparency obligations — including AI disclosure to users and deepfake labeling — also activate simultaneously. Organizations operating AI systems in EU jurisdictions should treat this as an imminent compliance deadline, not a future roadmap item.
IBM's 2026 X-Force Threat Index reports a 44% increase in attacks exploiting public-facing applications, largely attributed to missing authentication controls and AI-enabled vulnerability discovery that reduces time-from-advisory-to-exploit. The report also notes a 49% increase in active ransomware groups year-over-year, and specifically calls out North Korean IT worker schemes using AI for synthetic identity creation to infiltrate enterprise hiring pipelines. AI is now shortening attacker reconnaissance, exploitation, and evasion timelines across all threat actor tiers.
Multiple AI-native offensive tools have emerged in active threat actor toolsets. LAMEHUG malware makes live LLM API calls to generate dynamic commands on each execution. PROMPTFLUX regenerates its own source code on every run to evade static signature detection. HexStrike AI orchestrates over 150 existing attack tools via LLM-driven decision logic. Security researchers also note LLM-assisted exploit code generation from CVE advisories is now achievable in under 15 minutes — meaning the window between public CVE disclosure and weaponized exploits continues to compress significantly.