Cybersecurity Radar — 2026-04-22


Cybersecurity Radar | April 22, 2026

CISA has added 8 newly exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, setting emergency federal patching deadlines as early as April 23, 2026. Meanwhile, Microsoft has released out-of-band updates to address critical issues in Windows Server systems following April 2026 Patch Tuesday — and three Windows zero-days that were leaked and actively exploited remain at the center of urgent remediation efforts.



🔴 Critical Alerts

CISA Adds 8 Exploited Flaws to KEV — April 23 & May 4 Deadlines

CISA has expanded its Known Exploited Vulnerabilities catalog with 8 newly confirmed in-the-wild exploits, imposing hard deadlines for federal civilian agencies (FCEB). Some patches are due by April 23, 2026 — effectively tomorrow — with a second wave due by May 4, 2026. The announcement, published within the last 24 hours, reinforces NIST's prioritization criteria (effective April 15, 2026) tying CVE remediation urgency directly to KEV catalog membership. All organizations — not just federal — should treat these as critical patch priorities.

Image: CISA KEV alert graphic showing warning badge on dark background

Microsoft Releases Out-of-Band Updates for Windows Server Post-Patch Tuesday

Microsoft has issued emergency out-of-band (OOB) security updates within the last 24 hours to fix problems introduced by the April 2026 Patch Tuesday updates, which affected Windows Server systems. This follows a massive April 2026 Patch Tuesday that addressed 167 flaws including two actively exploited zero-days. Additionally, three Microsoft Defender zero-days — first exploited starting April 10, 2026 — enabling privilege escalation and denial-of-service attacks have now all been confirmed exploited in the wild, with two previously unpatched. Organizations running Windows Server or Microsoft Defender should apply the latest updates immediately.

Image: Windows update screen graphic


Threat Landscape

Windows Zero-Days Leaked and Actively Exploited

Threat actors are exploiting three recently disclosed Windows security vulnerabilities aimed at gaining SYSTEM or elevated administrator permissions. These flaws, which were leaked before patches were available, are now confirmed in active attack campaigns. One of the vulnerabilities — CVE-2026-33825 — enables attackers to escalate privileges via Windows Defender's remediation logic to achieve SYSTEM access through what researchers have dubbed the "BlueHammer" and "RedSun" exploits.

Image: Defender vulnerability diagram showing BlueHammer/RedSun exploit path

U.S. Public Sector Under Siege: Q1 2026 Intelligence

Trend Micro's Q1 2026 threat intelligence report highlights a multi-vector siege on U.S. public sector organizations. Key findings: AI is lowering the barrier to sophisticated attacks while expanding the attack surface through AI-enabled government services; nation-state actors have demonstrated the ability to penetrate the highest levels of U.S. government communications; and ransomware groups are now operating with the efficiency of professional enterprises. The report underscores the convergence of criminal and nation-state capabilities as a defining threat of 2026.

Image: Trend Micro US public sector threat intelligence thumbnail

Ransomware Reaches Elevated "New Normal" — Attack Volumes Hold Steady

GuidePoint Research reports that ransomware has reached a sustained elevated "new normal" as attack volumes hold steady into 2026, reshaping baseline risk expectations for organizations. Rather than a temporary spike, the data indicates that elevated ransomware activity is becoming the baseline — forcing security teams to recalibrate their risk models accordingly.


Vulnerabilities & Patches

CVE-2026-33825 — Windows Defender Privilege Escalation (Zero-Day, Actively Exploited)

This zero-day in Microsoft Defender enables attackers to abuse the product's remediation logic to escalate privileges to SYSTEM level. Proof-of-concept exploits ("BlueHammer") are publicly available and the vulnerability is confirmed exploited in the wild. Two additional Defender zero-days enabling privilege escalation and denial-of-service were also disclosed and are being exploited. Microsoft addressed one of the three in its April 2026 Patch Tuesday update; the other two remained unpatched as of the prior issue. Monitor Microsoft's security advisories for the latest patch status.

NIST CVE Prioritization Criteria Now in Effect (as of April 15, 2026)

NIST's updated CVE prioritization criteria went into effect on April 15, 2026. Under the new framework, CVEs appearing in CISA's KEV catalog receive the highest priority weighting. Security teams should revisit their vulnerability management workflows to ensure KEV-listed CVEs are automatically elevated to top priority for patching.
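As an added example (not part of this digest, and not CISA or NIST code), the script below applies the KEV-first rule to scanner findings: KEV-listed CVEs are ranked above everything else, ordered by CISA due date, then known ransomware use, then CVSS; findings outside the catalog fall back to CVSS alone. The catalog is a constructed sample that follows the field names of CISA's published KEV JSON feed, and the CVE IDs, hosts and scores are placeholders rather than real catalog data.

```python
"""Triage scanner findings against a CISA KEV catalog snapshot (added example)."""
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed; CVE IDs are placeholders.
KEV_JSON = json.dumps({
    "catalogVersion": "sample", "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-10001", "vendorProject": "ExampleCorp", "product": "Server",
         "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-10002", "vendorProject": "ExampleCorp", "product": "Client",
         "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-10003", "vendorProject": "Other", "product": "Gateway",
         "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed scanner output: (host, CVE ID, CVSS base score).
FINDINGS = [
    ("web-01", "CVE-0000-10002", 6.5),
    ("web-01", "CVE-0000-20001", 9.8),   # high CVSS but not in KEV
    ("db-02", "CVE-0000-10001", 7.8),
    ("vpn-03", "CVE-0000-10003", 5.3),
]


def load_kev(raw):
    """Index the catalog by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def prioritize(findings, kev, today_iso):
    """Return findings as dicts, KEV entries first (earliest dueDate, then
    ransomware-linked, then CVSS); non-KEV findings follow, by CVSS only."""
    today = date.fromisoformat(today_iso)
    rows = []
    for host, cve, cvss in findings:
        entry = kev.get(cve)
        due = entry["dueDate"] if entry else None
        rows.append({
            "host": host, "cve": cve, "cvss": cvss, "kev": entry is not None,
            "due": due, "overdue": bool(due) and date.fromisoformat(due) < today,
            "ransomware": bool(entry) and entry["knownRansomwareCampaignUse"] == "Known",
        })
    rows.sort(key=lambda r: (not r["kev"], r["due"] or "9999", not r["ransomware"], -r["cvss"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(FINDINGS, load_kev(KEV_JSON), "2026-04-22"):
        print(row)
```

Note that the CVSS 9.8 finding lands last: under the KEV-first framework, confirmed exploitation outranks severity score.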

Fortinet FortiClient Zero-Day — CVE-2026-35616 (Authentication Bypass)

An authentication bypass flaw in Fortinet's FortiClient, tracked as CVE-2026-35616, has been exploited in the wild. Fortinet issued an emergency patch. This is the latest in a series of Fortinet vulnerabilities actively targeted by threat actors. Any organization running FortiClient should apply the emergency patch immediately.


Breaches & Incidents

CSIS Significant Cyber Incidents Timeline Updated

The Center for Strategic and International Studies (CSIS) updated its living timeline of significant cyber incidents within the past 24 hours. The tracker — focused on state actions, espionage, and attacks with losses exceeding $1 million — reflects ongoing global activity. Organizations conducting threat intelligence should reference the updated tracker for the latest recorded state-sponsored and high-impact incidents.

66% of Global IT Leaders Report Up to Two Breaches in the Past Year

According to the 2026 Armis Cyberwarfare Report, 66% of global IT leaders have experienced up to two breaches in the past year — up from the prior year — despite 79% claiming preparedness. The report highlights nation-state attacks now operating at "machine speed," outpacing traditional detection and response capabilities.


Industry & Policy

NIST Activates New KEV-Linked CVE Prioritization Framework

NIST's updated prioritization criteria — effective April 15, 2026 — formally ties CVE remediation urgency to KEV catalog status. This policy shift has direct operational implications for federal agencies and is influencing best-practice frameworks across the private sector. The change arrived just as CISA published its latest KEV additions with tight deadlines, amplifying the urgency of the new framework.

Microsoft Out-of-Band Patching After Patch Tuesday Side Effects

Microsoft's out-of-band update release within the past 24 hours signals that the April 2026 Patch Tuesday — described by experts as potentially the second-largest by CVE count in Microsoft's history — introduced unintended stability issues in Windows Server environments. This is a reminder for enterprise teams to maintain rollback plans and stage Patch Tuesday updates in test environments before broad deployment.


What to Watch

  • April 23 KEV deadline: Federal agencies must patch the first wave of newly added KEV vulnerabilities by tomorrow. Non-federal organizations should treat these with equivalent urgency given confirmed active exploitation.
  • Two Defender zero-days still unpatched: Microsoft has not yet released fixes for two of the three actively exploited Defender privilege escalation and DoS zero-days disclosed in mid-April. Watch for emergency patches and isolate affected systems per Microsoft guidance.
  • Nation-state convergence with ransomware: Intelligence from Trend Micro and Armis confirms threat actors are increasingly blending nation-state TTPs with financially motivated ransomware operations — particularly targeting U.S. public sector, defense contractors, and critical infrastructure. Expect the volume and sophistication of hybrid attacks to continue rising.

Reader Action Items

  1. Patch now — KEV April 23 deadline: Review CISA's updated KEV catalog immediately and prioritize patching all newly listed vulnerabilities. Federal agencies have until April 23 for the first wave; private organizations should match this urgency given confirmed exploitation in the wild.

  2. Apply Microsoft OOB updates and monitor Defender zero-days: Deploy Microsoft's out-of-band Windows Server patches released within the last 24 hours. For the unpatched Defender zero-days (privilege escalation / DoS), follow Microsoft's interim guidance — consider isolating high-value systems running Defender until patches are available.

  3. Audit Fortinet FortiClient deployments: Apply the emergency patch for CVE-2026-35616 (authentication bypass) on all FortiClient instances. Review Fortinet security advisories for the full scope of recently exploited vulnerabilities across the Fortinet product portfolio.

Source: thehackernews.com

This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.
