Cybersecurity Radar — 2026-04-25


Cybersecurity Radar | April 25, 2026 | 7 min read

CISA has issued a new two-week deadline for U.S. government agencies to patch the BlueHammer zero-day vulnerability in Microsoft Defender, with the directive published just 12 hours ago. Concurrently, Microsoft has released an emergency out-of-band patch for a critical ASP.NET Core privilege escalation flaw. Cisco Talos' Q1 2026 Incident Response report, published three days ago, reveals phishing has re-emerged as the top initial access vector, accounting for over a third of observed attacks.



🔴 Critical Alerts

BlueHammer (Microsoft Defender) Zero-Day — New Federal Patching Deadline

CISA has placed U.S. federal agencies on a two-week deadline to patch the BlueHammer zero-day vulnerability in Microsoft Defender — a directive published just 12 hours ago. The flaw allows attackers to access the SAM database, extract NTLM hashes, and escalate to SYSTEM-level privileges. The proof-of-concept exploit was originally leaked by a "disgruntled researcher"; all three related Defender zero-days are now confirmed as actively exploited in the wild.

Affected: All Windows systems running Microsoft Defender; Federal Civilian Executive Branch (FCEB) agencies under mandatory compliance. Severity: Critical — full SYSTEM privilege escalation possible. Recommended Action: Apply Microsoft's patches immediately. FCEB agencies face a hard deadline. All organizations should prioritize this patch above routine update cycles.

CISA BlueHammer patching directive issued to federal agencies

Microsoft Emergency Out-of-Band Patch — Critical ASP.NET Core Flaw

Microsoft has released emergency out-of-band (OOB) security updates to patch a critical privilege escalation vulnerability in ASP.NET Core, published three days ago. The emergency release signals Microsoft's assessment that the flaw poses an elevated and immediate risk, separate from the standard Patch Tuesday cadence.

Affected: Applications and services built on ASP.NET Core. Severity: Critical — privilege escalation. Recommended Action: Apply the emergency patch immediately. Do not wait for the next scheduled update cycle.

Microsoft emergency security update for ASP.NET Core flaw


Threat Landscape

Phishing Re-emerges as #1 Initial Access Vector in Q1 2026

Cisco Talos' Q1 2026 Incident Response Trends report (published three days ago) reveals that phishing has re-emerged as the most commonly observed initial access method, accounting for over one-third of all engagements where initial access could be determined. This marks a notable shift — phishing had not held the top spot since Q2 2025. The report also highlights persistent attacks targeting the public administration sector.

TTPs: Social engineering via email lures, credential harvesting, malicious attachments. Targeted Sectors: Public administration, government. Recommended Action: Reinforce phishing awareness training; deploy advanced email filtering and anti-spoofing controls.

Talos IR Q1 2026 quarterly trends — phishing returns as top initial access vector

APT28 Router Exploits and STX RAT Supply Chain Attacks

Malware Patrol's mid-April 2026 security signals digest (published one day ago, covering the April 7–21 period) highlights multiple active threat campaigns:

  • STX RAT supply chain attacks — a new remote access trojan distributed through software supply chain compromise vectors.
  • APT28 router exploits — the Russian state-sponsored group continues targeting vulnerable network routers for espionage and persistent access.
  • Payroll phishing campaigns — targeted lures impersonating HR/payroll systems to harvest employee credentials.

Threat Actors: APT28 (Russian GRU-linked), unattributed STX RAT operators. TTPs: Supply chain poisoning, router exploitation, spear-phishing. Targeted Sectors: Government, enterprise, critical infrastructure.

CSIS Significant Cyber Incidents Tracker — Updated

The Center for Strategic and International Studies (CSIS) updated its living timeline of significant cyber incidents one day ago. The tracker, which documents state actions, espionage, and major cyberattacks with losses exceeding $1 million, continues to reflect an elevated tempo of nation-state activity globally.


Vulnerabilities & Patches

BlueHammer — Microsoft Defender Local Privilege Escalation (CVE-2026-33825 / Multiple)

Three related Microsoft Defender zero-days — collectively dubbed BlueHammer — have been exploited since at least April 10, 2026. The primary flaw enables local privilege escalation to SYSTEM via SAM database access and NTLM hash extraction. Two of the three vulnerabilities were unpatched for an extended window after public PoC disclosure.

  • CVE: CVE-2026-33825 (and related siblings)
  • CVSS: Critical
  • Affected Products: Microsoft Defender on Windows
  • Status: Patched in April 2026 Patch Tuesday; CISA has mandated federal remediation with a two-week deadline from today.

Microsoft Defender BlueHammer zero-day and Windows kernel vulnerability context

ASP.NET Core Critical Privilege Escalation — Emergency OOB Patch

Microsoft issued an emergency out-of-band patch for a critical privilege escalation vulnerability in ASP.NET Core. The out-of-band nature of the release underscores severity and active risk.

  • CVE: Not yet confirmed in available research results — verify on MSRC.
  • CVSS: Critical
  • Affected Products: ASP.NET Core applications and services
  • Status: Emergency patch released; apply immediately.

CISA KEV Catalog — May 4, 2026 Federal Deadline Approaching

CISA previously added 8 exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, setting a May 4, 2026 patching deadline for federal agencies. Organizations should audit their environments against the full KEV catalog ahead of this deadline.

  • Affected Products: Multiple vendors; check the full CISA KEV catalog for the complete list.
  • Action: FCEB agencies must remediate by May 4, 2026; all organizations should prioritize KEV items.

CISA KEV catalog — federal patching deadlines

Breaches & Incidents

Zscaler ThreatLabz 2026 VPN Risk Report

The Hacker News homepage (updated 11 hours ago) references the newly released Zscaler ThreatLabz 2026 VPN Risk Report, signaling fresh intelligence on VPN-related attack surfaces and organizational exposure. Full details were not available in research results at press time — readers should consult the report directly for scope and incident data.

CSIS Significant Incidents Tracker — Elevated Tempo of State-Linked Incidents

The CSIS tracker, updated one day ago, continues to document an elevated baseline of high-impact cyber incidents including state espionage and attacks with material financial consequences (>$1M losses). This reflects the broader trend identified in the Waterfall Threat Report: while some ransomware metrics show moderation, nation-state activity against critical infrastructure remains persistently high.


Industry & Policy

CISA Issues Two-Week BlueHammer Remediation Mandate

Published just 12 hours ago, CISA's directive formally orders all Federal Civilian Executive Branch agencies to patch the BlueHammer Microsoft Defender zero-day within two weeks. This represents one of the more aggressive timelines CISA has set for a single vulnerability, reflecting the severity of active exploitation and the ease of privilege escalation the flaw enables.

Microsoft Copilot Now Removable from Enterprise Devices via Policy

BleepingComputer (updated two days ago) reports that IT administrators can now uninstall Microsoft's AI-powered Copilot digital assistant from enterprise devices using a new policy setting, broadly available following the April 2026 Patch Tuesday. This gives enterprise security teams greater control over AI tool deployment on managed endpoints — a notable governance development as AI tooling expands attack surface concerns.

Zscaler Releases 2026 VPN Risk Report

Zscaler and Cybersecurity Insiders have jointly published the ThreatLabz 2026 VPN Risk Report, highlighted on The Hacker News homepage today (11 hours ago). VPN infrastructure continues to represent a significant initial access vector for threat actors; organizations should review the report's findings against their own VPN exposure.


What to Watch

  • BlueHammer patch deadline pressure: The two-week CISA federal deadline creates immediate urgency — watch for reports of exploitation attempts targeting unpatched federal and enterprise systems as adversaries race against the remediation window.
  • Phishing campaign evolution: With phishing reclaiming the #1 initial access vector spot in Q1 2026 (per Talos IR data), expect continued refinement of AI-assisted spear-phishing lures, particularly targeting public sector and payroll systems as flagged in recent threat reports.
  • ASP.NET Core emergency patch fallout: Monitor for proof-of-concept exploits targeting the newly patched ASP.NET Core critical flaw; emergency OOB patches often attract rapid adversary attention once details are public.

Reader Action Items

  1. Patch BlueHammer now: Apply Microsoft's patches for the BlueHammer Defender zero-days (CVE-2026-33825 and siblings) immediately across all Windows endpoints. Federal agencies face a mandatory two-week deadline; all organizations should treat this as P1.

  2. Apply the ASP.NET Core emergency patch: If your environment runs any ASP.NET Core applications or services, deploy Microsoft's emergency OOB patch without delay — the critical privilege escalation severity warrants immediate action ahead of scheduled maintenance windows.

  3. Audit your CISA KEV exposure before May 4: With the May 4, 2026 federal remediation deadline approaching for the latest batch of KEV catalog additions, audit your asset inventory against the full CISA KEV list and prioritize any outstanding items this week.
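One way to run the KEV audit from action item 3, as an added Python example that is not part of this digest: it indexes a feed in the shape of CISA's KEV JSON by CVE id, joins it against a vulnerability-scanner export, and ranks findings by CISA due date so the items closest to (or past) a deadline surface first. The feed records, host names, CVE-EXAMPLE ids and every due date are constructed for the demo; in production, fetch the live feed from the URL in the comment.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The field names match the real
# feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
# the records, the CVE-EXAMPLE ids and every due date are made up for this demo.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-33825", "vendorProject": "Microsoft", "product": "Defender",
     "dueDate": "2026-05-09", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor", "product": "Router OS",
     "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "ExampleVendor", "product": "Mail Gateway",
     "dueDate": "2026-06-30", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed vulnerability-scanner export: the CVE ids each host was flagged for.
INVENTORY_SAMPLE = [
    {"host": "ws-finance-07", "cves": ["CVE-2026-33825", "CVE-EXAMPLE-9999"]},
    {"host": "edge-rtr-01", "cves": ["CVE-EXAMPLE-0001"]},
    {"host": "mail-gw-02", "cves": ["CVE-EXAMPLE-0002"]},
    {"host": "ws-hr-03", "cves": []},
]

def load_kev(kev_json):
    """Index the KEV feed by CVE id so each scanner finding is a single dict lookup."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}

def audit_kev(kev_json, inventory, today):
    """Return one finding per (host, CVE) pair that appears in KEV, most urgent first.
    days_left counts from `today` (ISO date) to CISA's dueDate; negative means overdue."""
    kev = load_kev(kev_json)
    today = date.fromisoformat(today)
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: still a vulnerability, just not a deadline item
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"], "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"], "days_left": (due - today).days,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    # Earliest due date first; among equal dates, ransomware-linked CVEs first.
    findings.sort(key=lambda f: (f["due"], not f["ransomware"], f["host"]))
    return findings

if __name__ == "__main__":
    for f in audit_kev(KEV_SAMPLE, INVENTORY_SAMPLE, "2026-04-25"):
        flag = " [ransomware]" if f["ransomware"] else ""
        print(f'{f["host"]:<14} {f["cve"]:<18} due {f["due"]} ({f["days_left"]:+d}d) {f["product"]}{flag}')
```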

This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.
