Cybersecurity Radar — 2026-04-28
CISA added four new vulnerabilities affecting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X routers to its Known Exploited Vulnerabilities catalog, citing active exploitation in the wild. A comprehensive Q1 2026 ransomware and cyber extortion report published today reveals the full attack lifecycle including AI-generated malware, ransomware fragmentation, and nation-state infiltration. Simultaneously, new analysis highlights escalating nation-state cyberattack threats against U.S. critical infrastructure.
🔴 Critical Alerts
CISA Adds Four New Vulnerabilities to Known Exploited Vulnerabilities Catalog
CISA added four actively exploited vulnerabilities to its KEV catalog on April 25, 2026, affecting products widely deployed in enterprise and government environments:
- SimpleHelp remote support software
- Samsung MagicINFO 9 Server
- D-Link DIR-823X series routers (two separate CVEs)
All four flaws carry evidence of active exploitation in the wild. Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities by the CISA-mandated deadline. Organizations using any of these products should apply patches or mitigations immediately.
Recommended action: Check your asset inventory for affected products immediately, apply all available patches, and isolate any unpatched devices from sensitive network segments pending remediation.

U.S. Critical Infrastructure Faces Escalating Nation-State Cyberattack Threat
A new analysis published within the past 24 hours by Cyble examines the rising threat of nation-state cyberattacks against U.S. critical infrastructure in 2026. AI is lowering barriers to sophisticated attacks while simultaneously expanding the attack surface through rapid adoption of AI-enabled government services. The report notes that nation-state actors have demonstrated capability to penetrate the highest levels of U.S. government communications infrastructure.
Recommended action: Critical infrastructure operators should audit OT/ICS-facing network interfaces, implement zero-trust segmentation, and review incident response plans for nation-state intrusion scenarios.

Threat Landscape
Q1 2026 Ransomware Report: AI-Generated Malware, Fragmentation, Nation-State Blending
ReliaQuest published its Ransomware and Cyber Extortion in Q1 2026 report today (April 27–28, 2026), built on thousands of incidents investigated in 2025. Key findings include:
- Full attack lifecycle documented: social engineering, zero-day exploitation, AI-generated malware, and ransomware fragmentation
- Nation-state infiltration increasingly blurs the line between criminal and geopolitical operations
- Ransomware groups are described as "operating with the efficiency of professional enterprises"
- The report covers the growing trend of AI being used to generate custom malware variants, lowering the skill threshold for attackers

U.S. Public Sector Under Siege: Q1 2026 Threat Intelligence (Trend Micro)
Published approximately three weeks ago and still actively referenced, Trend Micro's U.S. Public Sector Under Siege Q1 2026 intelligence brief highlights:
- AI is lowering the barrier to sophisticated attacks while expanding the attack surface via AI-enabled government services
- Nation-state actors have demonstrated capability to penetrate the highest levels of U.S. government communications
- Ransomware groups are operating with the efficiency of professional enterprises, blending profit motives with geopolitical objectives
Sectors at risk: Defense contractors, federal agencies, state and local government entities.

CYFIRMA Weekly Intelligence Report: Ransomware Trends (April 24, 2026)
CYFIRMA's most recent weekly intelligence report, dated April 24, 2026, highlights current ransomware trends and insights gathered from ongoing monitoring. While full details require direct access to the report, CYFIRMA continues to track the ransomware-of-the-week and associated group activity. This report is consistent with broader industry observations of ransomware volumes holding at an elevated "new normal" baseline into 2026.
Vulnerabilities & Patches
CVEs Added to CISA KEV — SimpleHelp, Samsung, D-Link (April 25, 2026)
Four newly catalogued exploited vulnerabilities from CISA's April 25, 2026 KEV update:
| Product | Vendor | Status |
|---|---|---|
| SimpleHelp | SimpleHelp Ltd | Actively exploited, patch required |
| MagicINFO 9 Server | Samsung | Actively exploited, patch required |
| DIR-823X (CVE 1) | D-Link | Actively exploited, patch required |
| DIR-823X (CVE 2) | D-Link | Actively exploited, patch required |
Specific CVE IDs and CVSS scores were not available in the retrieved data at time of publication — verify full details directly on the CISA KEV catalog.
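One way to operationalise the asset-inventory check recommended under Critical Alerts and the deadline tracking for the entries above, as an added example that is not part of the digest: it loads a constructed fragment shaped like CISA's public `known_exploited_vulnerabilities.json` feed (field names `cveID`, `vendorProject`, `product`, `dueDate` as in that feed; only CVE-2026-32201 and its 2026-04-28 due date come from the digest, the other CVE IDs and due dates are placeholders), matches it against a constructed inventory, and reports each still-exposed host's remediation status relative to the KEV due date.

```python
# Added example (not from the digest): match an asset inventory against CISA
# KEV entries and report remediation status per host. KEV_SAMPLE is constructed;
# only CVE-2026-32201 / 2026-04-28 are from the digest, the rest are placeholders.
import json
from datetime import date

KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-32201", "vendorProject": "Microsoft",
     "product": "SharePoint", "dueDate": "2026-04-28"},
    {"cveID": "CVE-PLACEHOLDER-1", "vendorProject": "SimpleHelp",
     "product": "SimpleHelp", "dueDate": "2026-05-16"},
    {"cveID": "CVE-PLACEHOLDER-2", "vendorProject": "Samsung",
     "product": "MagicINFO 9 Server", "dueDate": "2026-05-16"},
    {"cveID": "CVE-PLACEHOLDER-3", "vendorProject": "D-Link",
     "product": "DIR-823X", "dueDate": "2026-05-16"},
]})

# Constructed inventory rows: (hostname, vendor, product, CVE IDs already patched)
INVENTORY = [
    ("sp-web-01", "Microsoft", "SharePoint Server 2019", set()),
    ("helpdesk-01", "SimpleHelp", "SimpleHelp Remote Support", set()),
    ("signage-lobby", "Samsung", "MagicINFO 9 Server", {"CVE-PLACEHOLDER-2"}),
    ("branch-rtr-07", "D-Link", "DIR-823X", set()),
    ("fileserver-02", "Microsoft", "Windows Server 2022", set()),
]

def _norm(s):
    return " ".join(s.lower().split())

def matches(entry, vendor, product):
    """Vendor must match exactly (case-insensitive); KEV product name is a substring."""
    return (_norm(entry["vendorProject"]) == _norm(vendor)
            and _norm(entry["product"]) in _norm(product))

def remediation_status(due_iso, today_iso):
    due, today = date.fromisoformat(due_iso), date.fromisoformat(today_iso)
    if due < today:
        return "OVERDUE"
    return "DUE TODAY" if due == today else f"due in {(due - today).days}d"

def find_exposed(kev_json, inventory, today_iso):
    """One row per (host, KEV CVE) pair whose CVE is not recorded as patched."""
    rows = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        for host, vendor, product, patched in inventory:
            if entry["cveID"] not in patched and matches(entry, vendor, product):
                rows.append({"host": host, "cve": entry["cveID"],
                             "status": remediation_status(entry["dueDate"], today_iso)})
    return rows
```

Call `find_exposed(KEV_SAMPLE, INVENTORY, "2026-04-28")` to list the three exposed hosts; the patched signage server and the non-KEV file server are correctly left out.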
Microsoft SharePoint Zero-Day CVE-2026-32201 — CISA Deadline: April 28, 2026
Microsoft patched CVE-2026-32201, an actively exploited SharePoint zero-day, as part of its April 2026 Patch Tuesday release covering 163 total CVEs (8 Critical, 154 Important). Today is the CISA-mandated remediation deadline for FCEB agencies. Any organization that has not yet applied this patch is critically overdue.
- Product: Microsoft SharePoint
- CVE: CVE-2026-32201
- Status: Exploited in the wild; CISA KEV listed

Chrome Zero-Day CVE-2026-5281 — Fourth Chrome Zero-Day Fixed in 2026
Chrome's CVE-2026-5281, a flaw in the Dawn graphics component, was patched as part of a 21-vulnerability Chrome update. This represents the fourth zero-day addressed in Chrome in 2026 and was actively exploited prior to the patch release.
- CVE: CVE-2026-5281
- Component: Dawn (WebGPU implementation)
- Status: Patch released; update Chrome immediately
Breaches & Incidents
University of Mississippi Medical Center — Ransomware Shuts Down 35 Clinics Statewide
A ransomware attack on the University of Mississippi Medical Center (UMMC) forced the closure of all 35 clinic locations statewide and led to the cancellation of scheduled appointments and elective surgeries. The incident, documented in the CSIS Significant Cyber Incidents tracker (updated within the past 24 hours), illustrates the real-world patient safety implications of healthcare ransomware attacks.
- Scope: All 35 UMMC clinic locations statewide
- Impact: Appointment cancellations, elective surgeries postponed
- Response status: Not specified in available data; verify directly with UMMC

April 2026 Data Breach Tracker — 15+ Major Incidents Ongoing
SharkStriker's April 2026 data breach tracker, updated on an ongoing basis, currently documents more than 15 major confirmed incidents for the month. This tracker is updated weekly as new breach details emerge throughout April. Organizations should review the full list to assess third-party supplier exposure.
Industry & Policy
Microsoft Copilot Now Removable via Enterprise Policy
BleepingComputer reports (within the past 24 hours) that IT administrators can now uninstall the AI-powered Copilot digital assistant from enterprise devices using a new policy setting, which became broadly available following the April 2026 Patch Tuesday release. This provides enterprise security teams greater control over the AI attack surface on managed endpoints.
Nation-State/Criminal Convergence Reshaping Cyber Risk Framework
Ongoing industry analysis reinforces a significant structural shift: the distinction between nation-state attacks and criminal ransomware activity is collapsing in practice. As noted by security researchers, "Ransomware gangs operating with state approval can simultaneously pursue profit and geopolitical objectives, as seen with Russian groups targeting defense contractors." This convergence is forcing organizations to treat all ransomware incidents as potential intelligence or espionage operations, not purely financial threats.
What to Watch
- April 28 CISA deadline: Today is the final day for FCEB agencies to remediate CVE-2026-32201 (Microsoft SharePoint zero-day). Any organization still unpatched faces immediate risk — patch now or apply workarounds.
- AI-generated malware acceleration: The Q1 2026 ransomware report flags AI-generated malware as an emergent, increasingly accessible threat vector. Expect signature-based defenses to face mounting pressure as malware uniqueness increases per campaign.
- D-Link and Samsung device exposure: The newly KEV-listed D-Link DIR-823X and Samsung MagicINFO flaws targeting network-edge and digital signage infrastructure suggest threat actors are broadening their initial-access playbooks beyond traditional enterprise software — patch or segment these devices urgently.
Reader Action Items
- Patch or isolate immediately: Apply patches for the four newly CISA KEV-listed products — SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X routers. If patches are unavailable, isolate affected devices from sensitive network segments. Confirm CVE-2026-32201 (SharePoint) is patched — today's the CISA deadline.
- Update Chrome across all endpoints: Deploy the Chrome patch addressing CVE-2026-5281 (Dawn zero-day) organization-wide. This is the fourth Chrome zero-day exploited in 2026; browser update cadence should be treated as a top-tier patch priority.
- Review healthcare and critical infrastructure incident response plans: The UMMC ransomware attack is a reminder that healthcare organizations face catastrophic operational consequences from ransomware. Review and test your IR plan for ransomware scenarios now, with particular attention to clinical continuity procedures and backup restoration timelines.
Cybersecurity Radar is published daily. All claims are sourced from verified research results. Screenshots and external information may be incomplete — verify critical details directly with cited sources.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.