Cybersecurity Radar — 2026-04-11
A leaked proof-of-concept exploit for the unpatched Windows "BlueHammer" local privilege escalation vulnerability is now publicly available, dramatically lowering the barrier for attackers. Simultaneously, Snowflake customers are facing active data theft attacks following a breach at a third-party SaaS integration provider, with over a dozen companies confirmed affected. China-linked threat actors are also accelerating zero-day exploitation windows, according to fresh Microsoft intelligence, compressing the time organizations have to patch before attacks begin.
🔴 Critical Alerts
BlueHammer: Unpatched Windows Zero-Day Exploit Code Now Public
A disgruntled security researcher has publicly released a proof-of-concept exploit for an unpatched Windows local privilege escalation (LPE) vulnerability dubbed BlueHammer. The flaw combines a time-of-check to time-of-use (TOCTOU) vulnerability with a path confusion weakness, allowing attackers to gain SYSTEM-level or elevated administrator permissions on affected systems. With exploit code now freely circulating, the risk to unpatched Windows environments is immediate and critical — no CVE has been assigned and no patch is currently available from Microsoft.

Who's affected: All Windows systems where the underlying TOCTOU/path confusion flaw is present and unpatched. Recommended action: Apply least-privilege principles, monitor for unusual privilege escalation activity, and watch Microsoft's security advisories for an emergency patch.
Snowflake Customers Targeted in Active Data Theft Campaign via Third-Party Breach
More than a dozen Snowflake customers have suffered data theft attacks after a SaaS integration provider was breached and authentication tokens stolen. BleepingComputer confirmed the supply-chain-style attack on April 7, 2026. The incident echoes prior Snowflake-adjacent compromises and highlights the persistent risk of third-party SaaS integrations as an attack vector.

Who's affected: Organizations using the unnamed SaaS integration provider connected to Snowflake environments. Severity: High — authentication tokens were stolen, enabling unauthorized access to customer data. Recommended action: Audit all third-party SaaS integrations with access to Snowflake environments; rotate authentication tokens immediately; review access logs for unauthorized activity.
Threat Landscape
China-Linked Actors Shrink Zero-Day Exploitation Windows in Global Ransomware Campaigns
Microsoft has flagged China-based hackers leveraging a "rapid attack" strategy — exploiting newly disclosed vulnerabilities within an exceptionally short window after public disclosure. According to Microsoft's analysis, the time to patch known flaws is shrinking while adversaries' ability to weaponize zero-days continues to expand. These threat actors are deploying ransomware against targets globally, increasing pressure on security teams to patch faster than ever before.

Key 2026 Cybersecurity Trends: Ransomware, AI, and Perimeter Defense Failures
A fresh PKWARE analysis (published 2 days ago) identifies the most significant cybersecurity trends of 2026 so far. Key themes include continued ransomware innovation, AI-accelerated attacks, and failures in perimeter defense. The analysis underscores that attackers are capitalizing on misconfigured or unpatched internet-facing systems as the primary initial access vector — consistent with patterns seen in recent Storm-1175 Medusa ransomware campaigns and other financially motivated threat actor activity.

Marimo Python Notebook RCE Exploited Within 10 Hours of Disclosure
The Hacker News reports (published ~1 day ago) that a critical vulnerability in Marimo, an open-source Python notebook used in data science, was actively exploited within just 10 hours of public disclosure. Tracked as CVE-2026-39987 (CVSS 9.3), the pre-authenticated remote code execution flaw affects all versions of Marimo prior to and including 0.20.4. The Sysdig threat research team identified the exploitation in the wild. This incident illustrates the increasingly narrow window organizations have between disclosure and active exploitation.
Vulnerabilities & Patches
CVE-2026-39987 — Critical RCE in Marimo Python Notebook (CVSS 9.3)
- Product affected: Marimo open-source Python notebook, all versions ≤ 0.20.4
- Type: Pre-authenticated remote code execution
- Exploitation status: Actively exploited in the wild within 10 hours of disclosure
- Recommended action: Update to the latest patched version of Marimo immediately. Organizations using Marimo for data science and analysis pipelines should treat this as an emergency update.
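The action item above is a version-range check across every environment that might carry Marimo. As an added example, not code from the newsletter or from the Marimo project, here is a small triage script over constructed pip-freeze style inventories; the environment names are assumptions. The point worth showing is that version components must be compared numerically: a plain string comparison would treat 0.20.10 as older than 0.20.4 and miss nothing while wrongly flagging a fixed build. Pre-release suffixes are ignored, which is a simplification of this example.

```python
"""Triage pinned package inventories for Marimo versions in the affected range.

Added example (not from the newsletter or the Marimo project). Inventories are
constructed pip-freeze style listings; environment names are assumptions.
"""
import re

AFFECTED_MAX = (0, 20, 4)   # newsletter: all Marimo versions <= 0.20.4 are affected
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$")


def parse_version(text):
    """'0.20.10' -> (0, 20, 10); stops at the first non-numeric component (e.g. 'rc1')."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):   # trailing suffix such as '4rc1': keep the number, stop here
            break
    return tuple(parts)


def is_affected(version_text):
    """True when the version falls inside the affected range (numeric comparison)."""
    v = parse_version(version_text)
    return bool(v) and v <= AFFECTED_MAX


def triage(inventories):
    """inventories: {env_name: [pin lines]} -> {env_name: marimo version} for affected envs."""
    affected = {}
    for env, lines in inventories.items():
        for line in lines:
            m = PIN_RE.match(line.strip())
            if not m:
                continue
            name, version = m.group(1).lower().replace("_", "-"), m.group(2)
            if name == "marimo" and is_affected(version):
                affected[env] = version
    return affected


SAMPLE_INVENTORIES = {  # constructed
    "ds-lab-01": ["marimo==0.20.4", "numpy==1.26.4"],
    "ds-lab-02": ["marimo==0.20.10", "pandas==2.2.2"],
    "etl-runner": ["marimo==0.19.0"],
    "reporting": ["polars==1.7.1"],
}

if __name__ == "__main__":
    for env, version in sorted(triage(SAMPLE_INVENTORIES).items()):
        print(f"{env}: marimo {version} is within the affected range, update required")
```

Feed it the output of `pip freeze` (or the lock file) from each environment; anything it lists is in the affected range and needs the patched release the newsletter refers to.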
BlueHammer — Unpatched Windows LPE (No CVE/Patch Available Yet)
- Product affected: Microsoft Windows (specific versions pending Microsoft advisory)
- Type: Local privilege escalation via TOCTOU + path confusion
- Exploitation status: Proof-of-concept exploit code publicly available; no patch issued
- Recommended action: Restrict local user privileges, monitor for anomalous privilege escalation, apply application control policies, and await Microsoft emergency advisory.
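The two BlueHammer items above recommend monitoring for anomalous privilege escalation while no patch exists. The following is an added example, not code from the newsletter or from Microsoft, showing what such monitoring can look like as detection logic over a handful of constructed Windows Security events. The records are shaped loosely after event IDs 4688 (process creation) and 4672 (special privileges assigned to new logon) after a SIEM has normalized them; the field names, the account allowlist and the path heuristics are assumptions of this example and would be tuned to a real environment.

```python
"""Flag privilege-escalation patterns in normalized Windows Security events.

Added example (not from the newsletter). The event records below are
constructed and shaped loosely after Security log event IDs 4688 (process
creation) and 4672 (special privileges assigned) as a SIEM might normalize
them; field names and the allowlist are assumptions of this example.
"""
from dataclasses import dataclass
import re

# Built-in service identities that legitimately run with high privilege.
SERVICE_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}
# Constructed allowlist: accounts expected to receive special privileges at logon.
KNOWN_PRIVILEGED = {"CORP\\it_admin", "CORP\\svc_backup"}
# Locations a standard user can write to; a SYSTEM process started from one is suspicious.
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    ts: str
    event_id: int
    user: str            # account the new process (4688) or the logon (4672) runs as
    image: str = ""      # full path of the new process (4688 only)
    parent_image: str = ""
    parent_user: str = ""


def check_process_creation(ev):
    """Return the rule names triggered by one 4688-style record."""
    hits = []
    if ev.user in SERVICE_ACCOUNTS and ev.parent_user and ev.parent_user not in SERVICE_ACCOUNTS:
        hits.append("system-child-of-user-parent")
    if ev.user in SERVICE_ACCOUNTS and USER_WRITABLE.search(ev.image):
        hits.append("system-process-from-user-writable-path")
    return hits


def check_special_privileges(ev):
    """Return the rule names triggered by one 4672-style record."""
    if ev.user in SERVICE_ACCOUNTS or ev.user in KNOWN_PRIVILEGED:
        return []
    return ["unexpected-special-privileges"]


def detect(events):
    """Run every rule over the events; returns (ts, rule, user, image) tuples in order."""
    alerts = []
    for ev in events:
        if ev.event_id == 4688:
            rules = check_process_creation(ev)
        elif ev.event_id == 4672:
            rules = check_special_privileges(ev)
        else:
            rules = []
        alerts.extend((ev.ts, rule, ev.user, ev.image) for rule in rules)
    return alerts


# Constructed sample: two benign records, one suspicious process chain, two logons.
SAMPLE_EVENTS = [
    Event("2026-04-11T08:00:01Z", 4688, "CORP\\alice", r"C:\Windows\System32\notepad.exe",
          r"C:\Windows\explorer.exe", "CORP\\alice"),
    Event("2026-04-11T08:00:02Z", 4688, "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\svchost.exe",
          r"C:\Windows\System32\services.exe", "NT AUTHORITY\\SYSTEM"),
    Event("2026-04-11T08:03:17Z", 4688, "NT AUTHORITY\\SYSTEM",
          r"C:\Users\alice\AppData\Local\Temp\helper.exe",
          r"C:\Users\alice\Downloads\tool.exe", "CORP\\alice"),
    Event("2026-04-11T08:03:18Z", 4672, "CORP\\alice"),
    Event("2026-04-11T09:00:00Z", 4672, "CORP\\it_admin"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

The third sample record is the pattern that matters for an LPE: a process running as SYSTEM whose parent belongs to an ordinary user and whose binary lives under the user's profile. On its own each rule produces noise (installers and UAC elevation also cross the user/SYSTEM boundary), so in practice the allowlist and path patterns are tuned per fleet and the rules are correlated rather than paged on individually.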
Previously Covered — Fortinet CVE-2026-35616 (CVSS 9.1) Still Warrants Attention
Although covered in prior issues, the FortiClient EMS vulnerability CVE-2026-35616 remains actively exploited, and organizations that have not applied the emergency hotfix should do so immediately. The authentication bypass flaw in FortiClient EMS 7.4.5–7.4.6 has been exploited since at least March 31, 2026. A full patch is pending; an emergency hotfix is available.
Breaches & Incidents
Snowflake Third-Party Supply Chain Attack — 12+ Organizations Compromised
As noted in Critical Alerts above, more than a dozen companies have confirmed data theft following a breach at an unnamed SaaS integration provider. Authentication tokens were stolen from the integration layer, granting attackers access to downstream Snowflake customer environments. The incident was confirmed on April 7, 2026. Response status: investigation ongoing; Snowflake has confirmed it is aware of "unusual activity."
Signature Healthcare (Brockton Hospital) Cyberattack — Day 3+
Signature Healthcare's Brockton Hospital in Massachusetts continues to operate with electronic systems down following a cyberattack that entered its third day as of April 8, 2026. Services have been canceled or modified as the hospital manages the incident. No ransomware group has publicly claimed responsibility at time of writing. The attack is part of a broader pattern of ransomware campaigns targeting U.S. healthcare providers.
Industry & Policy
CSIS Significant Cyber Incidents Timeline Updated
The Center for Strategic and International Studies (CSIS) has updated its living document tracking significant cyber incidents since 2006, with the latest update reflecting incidents through early April 2026. The timeline focuses on state-sponsored actions, espionage campaigns, and cyberattacks causing losses exceeding $1 million — a useful reference for geopolitical threat context.
Waterfall Security: Ransomware Slowdown Masks Nation-State Shift Toward Critical Infrastructure
The Waterfall Threat Report 2026 (published approximately 2 weeks ago — included for contextual framing) finds that while ransomware volume shows a surface-level slowdown, there is a deeper and more dangerous trend: nation-state actors are increasingly targeting operational technology (OT) and critical infrastructure. The report contextualizes the current threat landscape in which financially motivated and geopolitically motivated attacks are increasingly difficult to distinguish.
What to Watch
- BlueHammer patch timeline: Watch Microsoft's Security Response Center for an emergency out-of-band patch. Given the public availability of exploit code, a patch could arrive earlier than the next Patch Tuesday cycle — but attackers will move fast in the interim.
- Snowflake third-party investigation expanding: The number of confirmed victims in the SaaS integration provider breach is likely to grow as forensic investigations continue. Organizations with any Snowflake-connected third-party integrations should be on high alert.
- Rapid zero-day exploitation acceleration: The 10-hour exploitation window for CVE-2026-39987 (Marimo) and Microsoft's warnings about China-linked actors shrinking patch windows signal a structural shift — mean time to exploitation is approaching zero for high-value vulnerabilities.
Reader Action Items
- Patch or mitigate BlueHammer now: Apply least-privilege access controls, restrict local administrator rights, and deploy application control policies on all Windows endpoints immediately. Monitor Microsoft advisories closely for an emergency patch — treat this as an active threat until a fix is available.
- Audit Snowflake third-party integrations: Review all SaaS tools with access to your Snowflake environment. Rotate authentication tokens, audit access logs for the past 30 days, and verify that no unauthorized data exports occurred. Apply the principle of least-privilege to all integration service accounts.
- Update Marimo and all Python data science tooling: If your organization uses Marimo notebooks (version ≤ 0.20.4), update immediately to the latest patched release. Conduct a broader audit of open-source data science tooling for recent high-severity CVEs — this class of software is increasingly being targeted due to its privileged access to data pipelines.
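The Snowflake action item (and the Critical Alerts entry it expands on) asks for a 30-day review of access logs and a check that no unauthorized exports occurred through integration service accounts. As an added example, not code from the newsletter, from Snowflake or from any provider named in it, the script below runs that review over constructed rows that are only loosely shaped after Snowflake's ACCOUNT_USAGE QUERY_HISTORY and LOGIN_HISTORY views. The service account names, the per-provider source IP allowlist, the pinned "now" and the field names are all assumptions of this example.

```python
"""Audit Snowflake integration service accounts for exports and access anomalies.

Added example (not from the newsletter or from Snowflake). Rows are constructed
and only loosely shaped after the ACCOUNT_USAGE QUERY_HISTORY / LOGIN_HISTORY
views; account names, CIDR allowlist and field names are assumptions.
"""
from datetime import datetime, timedelta, timezone
import ipaddress
import re

NOW = datetime(2026, 4, 11, tzinfo=timezone.utc)   # pinned so the example is reproducible
LOOKBACK = timedelta(days=30)                       # the newsletter's 30-day review window

# Constructed: service accounts issued to third-party integrations.
INTEGRATION_ACCOUNTS = {"SVC_ETL_VENDOR", "SVC_BI_CONNECTOR"}
# Constructed: source ranges each provider documented for its connector (TEST-NET addresses).
ALLOWED_SOURCES = {
    "SVC_ETL_VENDOR": [ipaddress.ip_network("203.0.113.0/24")],
    "SVC_BI_CONNECTOR": [ipaddress.ip_network("198.51.100.0/24")],
}

# Data leaving the account: COPY INTO a stage or an external cloud location.
EXPORT_RE = re.compile(r"\bCOPY\s+INTO\s+(?:@|'(?:s3|azure|gcs)://)", re.IGNORECASE)
# New egress paths created by an integration account.
NEW_EGRESS_RE = re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?(?:STAGE|STORAGE\s+INTEGRATION)\b",
                           re.IGNORECASE)


def in_window(when):
    return NOW - LOOKBACK <= when <= NOW


def audit_queries(rows):
    """rows: dicts with user, start_time (aware datetime), query_text."""
    findings = []
    for r in rows:
        if r["user"] not in INTEGRATION_ACCOUNTS or not in_window(r["start_time"]):
            continue
        if EXPORT_RE.search(r["query_text"]):
            findings.append(("export-by-integration-account", r["user"], r["query_text"]))
        if NEW_EGRESS_RE.search(r["query_text"]):
            findings.append(("new-egress-object", r["user"], r["query_text"]))
    return findings


def audit_logins(rows):
    """rows: dicts with user, event_time (aware datetime), client_ip, success."""
    findings = []
    for r in rows:
        if r["user"] not in INTEGRATION_ACCOUNTS or not in_window(r["event_time"]) or not r["success"]:
            continue
        ip = ipaddress.ip_address(r["client_ip"])
        if not any(ip in net for net in ALLOWED_SOURCES.get(r["user"], [])):
            findings.append(("login-outside-provider-range", r["user"], r["client_ip"]))
    return findings


def ts(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


SAMPLE_QUERIES = [  # constructed
    {"user": "SVC_ETL_VENDOR", "start_time": ts(2026, 4, 8),
     "query_text": "COPY INTO @ext_stage/out/ FROM customers"},
    {"user": "SVC_ETL_VENDOR", "start_time": ts(2026, 4, 5),
     "query_text": "SELECT id, updated_at FROM customers WHERE updated_at > '2026-04-04'"},
    {"user": "SVC_BI_CONNECTOR", "start_time": ts(2026, 4, 9),
     "query_text": "CREATE OR REPLACE STAGE tmp_stage URL='s3://example-bucket/'"},
    {"user": "ANALYST_JANE", "start_time": ts(2026, 4, 9),
     "query_text": "COPY INTO @ext_stage/report/ FROM sales"},   # human account: out of scope here
    {"user": "SVC_ETL_VENDOR", "start_time": ts(2026, 2, 1),
     "query_text": "COPY INTO @ext_stage/old/ FROM customers"},   # older than the 30-day window
]
SAMPLE_LOGINS = [  # constructed
    {"user": "SVC_ETL_VENDOR", "event_time": ts(2026, 4, 7), "client_ip": "203.0.113.10", "success": True},
    {"user": "SVC_ETL_VENDOR", "event_time": ts(2026, 4, 8), "client_ip": "192.0.2.77", "success": True},
    {"user": "SVC_BI_CONNECTOR", "event_time": ts(2026, 4, 9), "client_ip": "198.51.100.5", "success": True},
]

if __name__ == "__main__":
    for finding in audit_queries(SAMPLE_QUERIES) + audit_logins(SAMPLE_LOGINS):
        print(*finding)
```

Each finding is a starting point for the investigation, not a verdict: an integration that legitimately unloads data will produce export findings every day, so the useful comparison is against that account's own baseline. A login from outside the provider's documented ranges after a provider breach is the signal that most directly supports the token-rotation step, since a stolen token presents as the service account from an address the provider does not use.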
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.