[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fW69n8JgeQX12yOCPjXVieTWRGa3bA-oQWSy57vQ6-1A":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"d9aacafb-3cc5-451a-8c1f-7258329df23f","April 2026 CVE Landscape","april-2026-cve-landscape-ccd61c","In April 2026, Insikt Group® identified 37 high-impact vulnerabilities that should be prioritized for remediation, 35 of which had a Very Critical Recorded Future Risk Score. This represents a 19% increase from last month.","Insikt Group identified 37 high-impact vulnerabilities in April 2026, with 35 having a Very Critical Recorded Future Risk Score. 31 of the 37 were in CISA's KEV catalog, and seven were linked to ransomware activity, including Storm-1175's Medusa ransomware.","Insikt Group identified 37 high-impact vulnerabilities in April 2026, a 19% increase from the previous month.","April 2026 CVE Landscape In April 2026, Insikt Group® identified 37 high-impact vulnerabilities that should be prioritized for remediation, 35 of which had a Very Critical Recorded Future Risk Score. This represents a 19% increase from last month. 31 of the 37 were included in the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, and six were surfaced only through honeypot data. Those six CVEs associated with honeypots are available only to Recorded Future customers. Those 37 vulnerabilities affected products from 23 vendors. Microsoft accounted for approximately 22%, while the remaining exposure was concentrated across a range of enterprise-facing vendors, particularly security and systems management tools, collaboration and server platforms, developer and application-delivery software, remote support tools, and network-edge infrastructure. 
In April, Insikt Group created Nuclei templates for the missing authentication vulnerabilities in Nginx UI (CVE-2026-33032) and Marimo (CVE-2026-39987). These Nuclei templates are available to Recorded Future customers.
Quick Reference: April 2026 Vulnerability Table
All 31 vulnerabilities below were actively exploited in April 2026. This table does not include the 6 CVEs associated with honeypot activity. The table below also provides examples of public PoCs identified by Insikt Group®. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.
# Vulnerability Risk Score Vendor\u002FProduct KEV Malware Analysis RCE PoC
1 CVE-2009-0238 99 Microsoft Office Excel, Excel Viewer, Office Compatibility Pack, Office ✓ ✓ (available to Recorded Future Customers) ✓
2 CVE-2012-1854 99 Microsoft Office, Visual Basic for Applications ✓
3 CVE-2020-9715 99 Adobe Acrobat, Acrobat Reader ✓ ✓ ✓ Link
4 CVE-2023-21529 99 Microsoft Exchange Server ✓ ✓
5 CVE-2023-27351 99 PaperCut NG, MF ✓
6 CVE-2023-36424 99 Microsoft Windows Server ✓ ✓ Link
7 CVE-2024-1708 99 ConnectWise ScreenConnect ✓ ✓ Link
8 CVE-2024-27199 99 JetBrains TeamCity On-Premises ✓ ✓ Link
9 CVE-2024-57726 99 SimpleHelp remote support software ✓
10 CVE-2024-57728 99 SimpleHelp remote support software ✓ ✓
11 CVE-2024-7399 99 Samsung MagicINFO Server ✓ ✓ Link
12 CVE-2025-2749 99 Kentico Xperience ✓ ✓ ✓ Link
13 CVE-2025-29635 99 D-Link DIR-823X ✓ ✓
14 CVE-2025-32975 99 Quest KACE Systems Management Appliance ✓
15 CVE-2025-48700 99 Synacor Zimbra Collaboration Suite (ZCS) ✓
16 CVE-2025-60710 99 Windows Server Host Process for Windows Tasks ✓ ✓ Link
17 CVE-2026-1340 99 Ivanti Endpoint Manager Mobile ✓ ✓ ✓ Link
18 CVE-2026-20122 99 Cisco Catalyst SD-WAN Manager ✓
19 CVE-2026-20128 99 Cisco Catalyst SD-WAN Manager ✓
20 CVE-2026-20133 99 Cisco Catalyst SD-WAN Manager ✓
21 CVE-2026-21643 99 Fortinet FortiClient EMS ✓ ✓ ✓ Link
22 CVE-2026-32201 99 Microsoft SharePoint Server ✓ ✓ Link
23 CVE-2026-32202 99 Windows Shell ✓ ✓ Link
24 CVE-2026-33825 99 Microsoft Defender ✓ ✓ (available to Recorded Future Customers) ✓ Link
25 CVE-2026-34197 99 Apache ActiveMQ, ActiveMQ Broker ✓ ✓ ✓ Link
26 CVE-2026-34621 99 Adobe Acrobat, Acrobat Reader ✓ ✓ ✓ Link
27 CVE-2026-35616 99 Fortinet FortiClient EMS ✓ ✓ ✓ Link
28 CVE-2026-39987 99 Marimo ✓ ✓ ✓ Link
29 CVE-2026-41940 99 cPanel, WHM, WP Squared ✓ ✓ Link
30 CVE-2026-3502 89 TrueConf Client ✓ ✓ ✓ Link
31 CVE-2026-5281 89 Dawn in Google Chrome ✓ ✓ ✓ Link
Table 1: List of vulnerabilities that were actively exploited in April based on Recorded Future data (excluding honeypot-sourced CVEs).
Key Trends: March 2026
In April 2026, seven of the 37 vulnerabilities in this report were linked to ransomware activity. Six are explicitly tied to Storm-1175's Medusa ransomware operations. CISA has also linked CVE-2026-41940 with known ransomware use (Sorry Ransomware, per open source reporting). Additionally, threat actors exploited CVE-2024-3721 in TBK DVR devices to deliver the Nexcorium botnet. Sixteen of the 37 vulnerabilities enabled remote code execution (RCE), affecting products from twelve vendors: Adobe, Apache, D-Link, Fortinet, Google, Ivanti, Kentico, Marimo, Microsoft, SimpleHelp, TrueConf, and Wazuh. Insikt Group® identified public proof-of-concept (PoC) exploits for 24 of the 37 vulnerabilities in this report. The most commonly observed flaws this month were CWE-22 (Path Traversal), followed by CWE-94 (Code Injection), CWE-20 (Improper Input Validation), and CWE-306 (Missing Authentication for Critical Function). Three of the 37 vulnerabilities are at least five years old, with the oldest approximately seventeen years old, reinforcing how attackers continue to exploit long-known weaknesses in environments where patching has lagged. Additionally, the fastest observed time from a vulnerability’s public disclosure to exploitation was two days. 
Exploitation Analysis
This section highlights some of the highest-impact, actively exploited vulnerabilities this month, specifically those linked to known threat actor campaigns, that have public PoC exploits available, or for which Insikt Group® has created Nuclei templates to detect the vulnerability. Vulnerabilities with no meaningful public technical detail are summarized in the disclosures table only.
Threat Actors Exploit TBK DVR Vulnerability (CVE-2024-3721) to Deliver Nexcorium
On April 17, 2026, FortiGuard Labs (@FortiGuardLabs on X, formerly known as Twitter), associated with Fortinet (@Fortinet), published a technical analysis detailing a campaign that exploits TBK Digital Video Recorder (DVR) devices to deliver Nexcorium, a Mirai-based botnet. A TBK DVR device is a surveillance system recorder that captures, stores, and allows playback or remote viewing of video from connected security cameras. According to FortiGuard Labs, Nexcorium targets TBK DVR-4104 and DVR-4216 systems by exploiting CVE-2024-3721, an operating system (OS) command injection vulnerability that allows remote threat actors to execute arbitrary system commands. Based on FortiGuard Labs’ analysis, the campaign begins with the exploitation of CVE-2024-3721 through crafted requests that manipulate the mdb and mdc arguments in TBK DVR devices, which delivers a downloader script named dvr. The exploit includes the HTTP header X-Hacked-By with the value Nexus Team - Exploited By Erratic. The dvr script retrieves Nexcorium binaries with filenames beginning with nexuscorp for architectures such as ARM, MIPS R3000, and x86-64. The dvr script then sets the Nexcorium binaries’ permissions to 777, and executes them with an argument that identifies the compromised system. Further technical details associated with this activity, including sample analysis and IoCs, are available to Recorded Future customers via Insikt Group reporting. 
Recorded Future customers can also access Malware Intelligence queries, which surface samples that connect to known network indicators.
Figure 1: Vulnerability Intelligence Card® for CVE-2024-3721 in Recorded Future (Source: Recorded Future)
Insikt® Validated TTP: Using Nuclei to Detect CVE-2026-33032, an Actively Exploited Missing Authentication Vulnerability Affecting Nginx UI
On March 28, 2026, GitHub user Jacky (0xJacky) published an advisory in the Nginx UI repository detailing CVE-2026-33032 and a PoC exploit. CVE-2026-33032 is a Missing Authentication for Critical Function vulnerability affecting all versions of Nginx UI. Nginx UI is a web-based management interface for Nginx that lets administrators view status, create and modify configuration files, and control operations such as reloads and restarts. Exploiting CVE-2026-33032 allows an unauthenticated remote threat actor to restart, create, modify, or delete configuration files, and trigger configuration reloads, resulting in a complete Nginx service takeover. 
According to Recorded Future data, active exploitation of CVE-2026-33032 was observed on April 1, 2026, on deception technology honeypots, four days","https:\u002F\u002Fbit.ly\u002F4uhtjjA","https:\u002F\u002Fwww.recordedfuture.com\u002Fblog\u002Fmedia_1239191713c0e7359a6e3e0dd047fe76e065dcc92.jpg?width=1200&#x26;format=pjpg&#x26;optimize=medium","2026-05-15T18:49:06+00:00","2026-05-15T19:00:08.213+00:00",9,[18,21,23,25,27,29],{"name":19,"type":20},"Insikt Group","vendor",{"name":22,"type":20},"Recorded Future",{"name":24,"type":20},"Microsoft",{"name":26,"type":20},"Adobe",{"name":28,"type":20},"PaperCut",{"name":30,"type":20},"ConnectWise","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":31,"icon":33,"name":34,"slug":35},null,"Vulnerabilities","vulnerabilities",[37,39],{"category":38},{"id":31,"icon":33,"name":34,"slug":35},{"category":40},{"id":41,"icon":33,"name":42,"slug":43},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[45,49,52,55,58,61,64,67,70,73,75,78,81,84,87,90,93,96,99,101,103,106,109,112,115,118,120,122,125,128,131],{"type":46,"value":47,"context":48},"cve","CVE-2009-0238","Microsoft Office Excel, Excel Viewer, Office Compatibility Pack, Office",{"type":46,"value":50,"context":51},"CVE-2012-1854","Microsoft Office, Visual Basic for Applications",{"type":46,"value":53,"context":54},"CVE-2020-9715","Adobe Acrobat, Acrobat Reader",{"type":46,"value":56,"context":57},"CVE-2023-21529","Microsoft Exchange Server",{"type":46,"value":59,"context":60},"CVE-2023-27351","PaperCut NG, MF",{"type":46,"value":62,"context":63},"CVE-2023-36424","Microsoft Windows Server",{"type":46,"value":65,"context":66},"CVE-2024-1708","ConnectWise ScreenConnect",{"type":46,"value":68,"context":69},"CVE-2024-27199","JetBrains TeamCity On-Premises",{"type":46,"value":71,"context":72},"CVE-2024-57726","SimpleHelp remote support software",{"type":46,"value":74,"context":72},"CVE-2024-57728",{"type":46,"value":76,"context":77},"CVE-2024-7399","Samsung 
MagicINFO Server",{"type":46,"value":79,"context":80},"CVE-2025-2749","Kentico Xperience",{"type":46,"value":82,"context":83},"CVE-2025-29635","D-Link DIR-823X",{"type":46,"value":85,"context":86},"CVE-2025-32975","Quest KACE Systems Management Appliance",{"type":46,"value":88,"context":89},"CVE-2025-48700","Synacor Zimbra Collaboration Suite (ZCS)",{"type":46,"value":91,"context":92},"CVE-2025-60710","Windows Server Host Process for Windows Tasks",{"type":46,"value":94,"context":95},"CVE-2026-1340","Ivanti Endpoint Manager Mobile",{"type":46,"value":97,"context":98},"CVE-2026-20122","Cisco Catalyst SD-WAN Manager",{"type":46,"value":100,"context":98},"CVE-2026-20128",{"type":46,"value":102,"context":98},"CVE-2026-20133",{"type":46,"value":104,"context":105},"CVE-2026-21643","Fortinet FortiClient EMS",{"type":46,"value":107,"context":108},"CVE-2026-32201","Microsoft SharePoint Server",{"type":46,"value":110,"context":111},"CVE-2026-32202","Windows Shell",{"type":46,"value":113,"context":114},"CVE-2026-33825","Microsoft Defender",{"type":46,"value":116,"context":117},"CVE-2026-34197","Apache ActiveMQ, ActiveMQ Broker",{"type":46,"value":119,"context":54},"CVE-2026-34621",{"type":46,"value":121,"context":105},"CVE-2026-35616",{"type":46,"value":123,"context":124},"CVE-2026-39987","Marimo",{"type":46,"value":126,"context":127},"CVE-2026-41940","cPanel, WHM, WP Squared",{"type":46,"value":129,"context":130},"CVE-2026-3502","TrueConf Client",{"type":46,"value":132,"context":133},"CVE-2026-5281","Dawn in Google Chrome"]