Cybersecurity Radar — 2026-04-06
Fortinet has patched a critical privilege escalation vulnerability in FortiClient EMS (CVE-2026-35616, CVSS 9.1) that has been actively exploited since March 31, 2026 — making it the most urgent action item for enterprise security teams today. Simultaneously, Apple has expanded its iOS 18.7.7 update rollout to block the DarkSword exploit, while BlackFog's March 2026 ransomware report reveals the evolving threat landscape heading into Q2.
🔴 Critical Alerts
Fortinet CVE-2026-35616 — Actively Exploited Privilege Escalation in FortiClient EMS
Fortinet has issued an emergency patch for CVE-2026-35616 (CVSS 9.1), a privilege escalation vulnerability affecting FortiClient EMS versions 7.4.5–7.4.6. According to The Hacker News, exploitation of this flaw began in the wild on March 31, 2026 — meaning attackers had a multi-day head start before the patch was released. Successful exploitation allows an attacker to escalate privileges on vulnerable systems, potentially gaining full control of enterprise endpoints.
Who's affected: Organizations running FortiClient EMS 7.4.5 or 7.4.6. Severity: Critical (CVSS 9.1). Recommended action: Apply Fortinet's patch immediately. Audit FortiClient EMS deployments and review logs from March 31 onward for signs of unauthorized privilege changes.

Apple Expands iOS 18.7.7 Update to Block DarkSword Exploit
Apple has broadened the rollout of iOS 18.7.7 (originally released April 1, 2026) to additional device classes following the public disclosure of the DarkSword exploit. The expanded update enables automatic security updates across a wider range of devices, ensuring users who have not manually updated are still protected. DarkSword represents a serious threat capable of being leveraged against unpatched iOS devices.
Who's affected: All iPhone and iPad users not yet on iOS 18.7.7. Severity: High — active exploit disclosed. Recommended action: Verify iOS version immediately; enable automatic updates. Do not defer this patch.

Threat Landscape
Ransomware in March 2026: Activity Trends Shift
BlackFog's State of Ransomware: March 2026 report, published this week, documents publicly disclosed and non-disclosed ransomware attacks globally through the end of Q1. The data provides a critical baseline as organizations enter Q2. The report follows findings from earlier threat intelligence that publicly recorded cyber breaches with physical consequences across heavy industry and critical infrastructure fell 25% to 57 incidents in 2025 — but researchers caution this slowdown masks a deeper shift toward nation-state activity rather than representing a genuine improvement in the threat environment.

Stolen Credentials Fueling Both Criminal and Nation-State Attacks
A SecurityWeek analysis published this week highlights how compromised logins have become the universal attack enabler — powering campaigns from opportunistic ransomware groups all the way to sophisticated nation-state intrusions. The report highlights the financially motivated threat actor "Shai-Hulud," which has been observed attempting to delete target home directories when it finds little to harvest — a scorched-earth tactic that blurs the line between cybercrime and destructive operations. The piece notes that rising geopolitical tension has "decreased any remaining honor among thieves," with criminal and state actors increasingly overlapping in their tooling and targets.

SparkCat Malware Returns — New Version Found on App Store and Google Play
The Hacker News reports that cybersecurity researchers have discovered a new version of the SparkCat malware on both the Apple App Store and Google Play Store, more than a year after the trojan was first identified. The discovery, filed under Mobile Security / Threat Intelligence, represents a renewed supply-chain risk for mobile users globally. Specific targeted sectors and full technical indicators were still emerging at publication time.
Vulnerabilities & Patches
CVE-2026-35616 — FortiClient EMS Privilege Escalation (CVSS 9.1)
As detailed in Critical Alerts above, Fortinet patched this actively exploited flaw in FortiClient EMS 7.4.5–7.4.6. Active exploitation confirmed from March 31, 2026.
TrueConf Zero-Day CVE-2026-3502 — Used Against Southeast Asian Governments
CVE-2026-3502 (CVSS 7.8) was exploited in early 2026 through trojanized TrueConf update mechanisms, enabling the deployment of Havoc malware across government networks in Southeast Asia. The vulnerability has since been patched, but the campaign demonstrates the continued weaponization of legitimate software update channels by sophisticated threat actors. Government agencies and organizations using TrueConf should audit update histories and endpoint telemetry for indicators of Havoc malware.

Microsoft Force-Upgrading Windows 11 Devices to 25H2
BleepingComputer reports that as of this week, Microsoft has begun force-upgrading unmanaged devices running Windows 11 24H2 Home and Pro editions to Windows 11 25H2. This affects organizations with unmanaged endpoints. IT teams should verify update policies to ensure this transition does not disrupt operations, and review 25H2 compatibility for legacy applications.
Breaches & Incidents
Next.js Exploitation Campaign — 766 Hosts Breached via CVE-2025-55182
Attackers have exploited CVE-2025-55182 in Next.js applications to breach 766 hosts, enabling mass credential theft and targeted follow-on attacks. The campaign highlights the danger of leaving web framework vulnerabilities unpatched, particularly in internet-facing deployments. Credential theft at this scale creates downstream risk for any organization whose users reuse passwords or where the compromised systems have privileged access to internal networks.
Recommended action: Audit all Next.js deployments. Patch to the latest version. Rotate credentials for any accounts associated with affected systems.

European Union Cybersecurity Incident Noted by BleepingComputer
BleepingComputer referenced a European security development as of April 3, 2026, though full details were still emerging. Readers should monitor BleepingComputer for updates on European regulatory or incident developments this week.
Industry & Policy
Nation-State Pivot: Infrastructure Attacks Rise Even as Ransomware Dips
The Waterfall Threat Report 2026 (published last week by Industrial Cyber) documents a 25% drop in cyber breaches with physical consequences across heavy industry in 2025 — but analysts warn this is a "misleading signal." The report's central thesis is that ransomware actors are being displaced or supplemented by nation-state actors targeting critical infrastructure, a shift that may be less visible in public incident counts but poses significantly greater risk. Energy, water, and manufacturing sectors remain primary targets.

Microsoft Begins Forced Windows 11 25H2 Migration for Unmanaged Devices
As noted in Vulnerabilities & Patches, Microsoft's forced upgrade of unmanaged Windows 11 24H2 endpoints to 25H2 has begun this week. Organizations should review device management policies and ensure endpoints are enrolled in managed update channels to retain control over patching timelines.
What to Watch
- Fortinet exploitation escalation: With CVE-2026-35616 already exploited since March 31, threat actors have had nearly a week of dwell time. Expect follow-on ransomware or data exfiltration campaigns targeting unpatched FortiClient EMS deployments in the coming days.
- SparkCat mobile malware evolution: The return of SparkCat on both major app stores signals that mobile supply-chain threats are intensifying. Watch for CISA advisories or vendor guidance on SparkCat indicators of compromise in the coming days.
- Credential-based attack surge: As stolen login data fuels both criminal and nation-state campaigns, organizations should anticipate increased credential-stuffing and account-takeover attempts, particularly in sectors adjacent to recently breached Next.js infrastructure.
Reader Action Items
- Patch Fortinet FortiClient EMS immediately. If you are running versions 7.4.5 or 7.4.6, apply the patch for CVE-2026-35616 (CVSS 9.1) today. Review endpoint logs from March 31 onward for signs of privilege escalation — attackers had a multi-day window before the fix was available.
- Update all Apple devices to iOS 18.7.7. The DarkSword exploit is publicly known. Ensure every iPhone and iPad in your environment is updated, and verify that automatic security updates are enabled to prevent future gaps.
- Audit Next.js deployments and rotate credentials. If any of your applications run Next.js, verify patching status for CVE-2025-55182. For any systems potentially in scope of the 766-host breach campaign, treat associated credentials as compromised and rotate them proactively.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.