
Cybersecurity Radar — 2026-04-18


Cybersecurity Radar | April 18, 2026 | 7 min read

Three Microsoft Defender zero-days are being actively exploited in the wild — two of which remain unpatched — enabling privilege escalation and denial-of-service attacks after a researcher dropped proof-of-concept exploits starting April 10, 2026. Separately, NIST has significantly curtailed its CVE enrichment program following a 263% surge in vulnerability submissions since 2020, shifting thousands of flaws to "Not Scheduled" status and prioritizing only KEV-listed and federal software CVEs. Windows domain controllers are also experiencing restart loops after the April 2026 Patch Tuesday updates, compounding an already high-pressure patching season.



🔴 Critical Alerts

Three Microsoft Defender Zero-Days Actively Exploited — Two Still Unpatched

Active exploitation of three Microsoft Defender vulnerabilities has been confirmed since April 10, 2026. The flaws enable privilege escalation and denial-of-service attacks. A researcher who published a proof-of-concept exploit for the first zero-day (a local privilege escalation vulnerability) returned days later with two additional exploits — all three are now confirmed exploited in the wild. Affected organizations are advised to isolate impacted systems and apply mitigations immediately pending Microsoft patches.

Microsoft Defender zero-day exploits now active in the wild

Recommended actions: Isolate systems running affected Microsoft Defender versions, monitor for privilege escalation activity, and apply patches as soon as Microsoft releases them.

Windows Domain Controllers Crashing After April 2026 Patch Tuesday Updates

Microsoft has warned that some Windows domain controllers are entering restart loops after installing the April 2026 security updates — a significant operational risk for enterprise environments. Organizations are advised to test updates in staging environments before broad deployment and monitor for instability after applying the April patches. Check Microsoft's support channels for workarounds.


Threat Landscape

U.S. Public Sector Under Siege: AI-Enabled Attacks and Nation-State Pressure

Trend Micro's Q1 2026 threat intelligence report finds the U.S. public sector facing intensifying pressure from multiple fronts. AI is lowering the barrier to sophisticated attacks while simultaneously expanding the attack surface through rapid adoption of AI-enabled government services. Nation-state actors have demonstrated the ability to penetrate the highest levels of U.S. government communications, and ransomware groups are now operating "with the efficiency of professional enterprises." The report highlights a convergence of criminal and geopolitical threat actors targeting federal and state systems.

Trend Micro Q1 2026 U.S. Public Sector threat intelligence report

Ransomware Reaches "Elevated New Normal" Into 2026

GuidePoint Security reports that ransomware attack volumes have stabilized at elevated levels heading into 2026, effectively reshaping baseline risk expectations for organizations. While attack frequency has plateaued, the threat is no less severe — financially motivated attacks are increasingly intersecting with geopolitical conflict and disruptive intent, according to Emsisoft's State of Ransomware Q1 2026 report. Groups like Storm-1175 continue to run high-velocity Medusa ransomware campaigns, weaponizing recently disclosed vulnerabilities for initial access and data exfiltration.

APT28 and Nation-State Actors Escalate Targeting of Government and Military

Russian threat group APT28 has been identified targeting government and military entities by exploiting Microsoft Office vulnerabilities, according to Cyber Express reporting on 2026 threat trends. Telecom networks — documented as a strategic surveillance layer — saw 444 security incidents and 90 ransomware attacks in 2025 alone. The line between state-sponsored and criminal actors continues to blur, with ransomware gangs operating under state approval simultaneously pursuing financial and geopolitical objectives.


Vulnerabilities & Patches

Three Microsoft Defender Zero-Days (CVEs Pending / Unpatched)

Three zero-day vulnerabilities in Microsoft Defender have been actively exploited since April 10, 2026. Two of the three remain unpatched as of April 17. The flaws enable local privilege escalation and denial-of-service. Proof-of-concept exploits are publicly available. Severity is critical given active in-the-wild exploitation. Action: Apply patches immediately upon release; isolate affected systems in the interim.

NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions

NIST has announced significant changes to its CVE enrichment program, effective April 15, 2026, following a 263% surge in vulnerability submissions since 2020. Going forward, NIST will prioritize enrichment of CVEs appearing in CISA's Known Exploited Vulnerabilities (KEV) catalog and those affecting federal software. Thousands of other CVEs are being shifted to "Not Scheduled" status — meaning organizations relying on NVD enrichment for risk prioritization will need to adjust their workflows.

NIST limits CVE enrichment as vulnerability volume explodes

Action: Security teams should not rely solely on NVD enrichment for vulnerability prioritization. Cross-reference CISA KEV and vendor advisories directly.

CVE-2026-32201 — Microsoft SharePoint Zero-Day (Actively Exploited)

Microsoft's April 2026 Patch Tuesday addressed CVE-2026-32201, an actively exploited zero-day in SharePoint that prompted CISA to mandate remediation by April 28, 2026 for federal civilian agencies. This was part of the second-largest Microsoft Patch Tuesday ever by CVE count, addressing 163–169 vulnerabilities (figures vary slightly by source), with 8 rated Critical and the remainder Important. Action: Federal agencies must patch by April 28; all organizations should prioritize immediately.


Breaches & Incidents

66% of Global IT Leaders Report Up to Two Breaches in the Past Year

Armis's 2026 Cyberwarfare Report reveals that despite 79% of global IT leaders claiming preparedness, 66% experienced up to two breaches in the past year — an increase over the prior year. Nation-state attacks are now operating at "machine speed," outpacing traditional detection and response timelines. The finding underscores the gap between perceived and actual security posture across industries globally.

Armis 2026 Cyberwarfare Report finds widespread breaches despite claimed preparedness

Critical Infrastructure Breaches Decline 25% But Threat Deepens

The Waterfall Threat Report 2026 documents that publicly recorded cyber breaches with physical consequences across heavy industry and critical infrastructure fell 25% to 57 incidents in 2025, down from 76 in 2024. However, Waterfall attributes this largely to temporary factors — warning that a deeper shift toward nation-state attacks on critical infrastructure is underway beneath the surface statistics.


Industry & Policy

NIST Overhauls CVE Prioritization — New Criteria Take Effect April 15, 2026

NIST's revised CVE enrichment prioritization criteria went into effect April 15, 2026. Under the new framework, the National Vulnerability Database will focus analytical resources on CVEs in CISA's KEV catalog and those affecting federal software, effectively deprioritizing thousands of other vulnerabilities. This is a significant operational change for security teams who use NVD data to drive patching decisions.

Anthropic's Claude Mythos AI Discovers Thousands of Zero-Day Vulnerabilities

Anthropic's specialized cybersecurity AI model, Claude Mythos Preview, has already discovered thousands of high-severity zero-day vulnerabilities across every major operating system and web browser, including a now-patched 27-year-old bug in OpenBSD, a 16-year-old flaw in FFmpeg, and a memory-corrupting vulnerability in a memory-safe virtual machine monitor. Due to concerns about potential misuse of its capabilities, Anthropic has opted not to make the model generally available.

Ransomware Groups Blur Line Between Criminal and State Actor

SecurityWeek's Cyber Insights 2026 analysis highlights that the distinction between nation-state attacks and criminal ransomware activity is collapsing in practice. Ransomware gangs operating with state approval are simultaneously pursuing profit and geopolitical objectives — a pattern documented in Russian groups targeting defense contractors. Organizations governed by CMMC or similar frameworks face a threat environment where attribution and motive are increasingly irrelevant to defense strategy.


What to Watch

  • Unpatched Microsoft Defender zero-days: With two of three actively exploited Defender flaws still awaiting patches, watch for Microsoft to release out-of-band updates. Exploitation is live and PoC code is public — escalation risk is high.
  • CISA KEV April 27/28 deadlines: Federal civilian agencies face mandatory patch deadlines for multiple flaws by April 27–28 (Fortinet, Exchange, and SharePoint CVEs). Private sector organizations should treat these deadlines as urgent guidance.
  • NIST NVD enrichment gap widening: As thousands of CVEs go unenriched, vulnerability management programs that rely heavily on NVD severity scores may develop blind spots. Watch for third-party enrichment vendors to fill the gap — and adjust your own triage workflows now.

Reader Action Items

  1. Patch or isolate Microsoft Defender now. Three zero-days are actively exploited, two remain unpatched. Review your Defender deployment posture, apply any available mitigations, and monitor for privilege escalation and DoS indicators. Check Microsoft's security advisories daily for emergency patches.

  2. Verify April Patch Tuesday deployment — especially SharePoint and domain controllers. CVE-2026-32201 (SharePoint) has a CISA mandate deadline of April 28 for federal agencies. All organizations should prioritize it. If you have deployed April updates broadly, check for domain controller restart loop issues and test rollback procedures.

  3. Audit your CVE enrichment pipeline. With NIST's new prioritization criteria now in effect, your NVD-based vulnerability scoring may be missing context for non-KEV flaws. Cross-reference CISA KEV directly, supplement with vendor advisories, and consider third-party threat intelligence feeds to maintain full coverage.
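The cross-referencing recommended under "NIST Limits CVE Enrichment" and in action item 3 above, as an added example that is not part of the original digest: a small triage pass that checks scanner findings against a KEV-shaped feed first and routes CVEs whose NVD enrichment is "Not Scheduled" to manual review rather than letting them default to a low priority. The KEV and NVD records are constructed sample data; CVE-2026-32201 and its April 28 due date come from the digest, while the other two CVE IDs are obvious placeholders.

```python
"""Added example, not the digest's own code: triage CVEs against CISA KEV first,
then NVD enrichment, and flag unenriched CVEs instead of scoring them low.
All feed data below is constructed sample data in the shape of the real feeds."""
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed (only the fields used here).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-32201", "vendorProject": "Microsoft", "product": "SharePoint",
     "dueDate": "2026-04-28"},
]})

# Constructed NVD-style enrichment status per CVE. "Not Scheduled" mirrors the status
# NIST now assigns to CVEs it will not enrich; the 9999x IDs are placeholders.
NVD_STATUS_SAMPLE = {
    "CVE-2026-32201": {"status": "Analyzed", "cvss": 9.8},
    "CVE-2026-99990": {"status": "Not Scheduled", "cvss": None},  # placeholder ID
    "CVE-2026-99991": {"status": "Analyzed", "cvss": 5.3},        # placeholder ID
}

def load_kev(kev_json: str) -> dict:
    """Map cveID -> dueDate from a KEV feed document."""
    return {v["cveID"]: v["dueDate"] for v in json.loads(kev_json)["vulnerabilities"]}

def triage(cves, kev, nvd, today_iso):
    """Assign each CVE a tier. KEV membership wins regardless of NVD score; CVEs with
    no usable NVD enrichment go to manual review (vendor advisory) instead of P3."""
    today = date.fromisoformat(today_iso)
    out = {}
    for cve in cves:
        if cve in kev:
            overdue = date.fromisoformat(kev[cve]) < today
            out[cve] = ("P1-KEV", "OVERDUE" if overdue else f"due {kev[cve]}")
            continue
        rec = nvd.get(cve)
        if rec is None or rec["status"] == "Not Scheduled" or rec["cvss"] is None:
            out[cve] = ("MANUAL-REVIEW", "no NVD enrichment; check vendor advisory")
        elif rec["cvss"] >= 7.0:
            out[cve] = ("P2-HIGH", f"CVSS {rec['cvss']}")
        else:
            out[cve] = ("P3", f"CVSS {rec['cvss']}")
    return out

if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    findings = ["CVE-2026-32201", "CVE-2026-99990", "CVE-2026-99991"]
    for cve, (tier, why) in triage(findings, kev, NVD_STATUS_SAMPLE, "2026-04-18").items():
        print(f"{cve}: {tier} ({why})")
```

Swap the constructed feeds for the live KEV JSON and your scanner's NVD lookups; the tiering logic is the part to keep.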

This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.
