Vulnerability Review – April 2026 

This blog is a recap of the most critical vulnerabilities disclosed between 01 April and 30 April 2026 that most likely impact software utilized by managed service providers (MSPs).  

While not all MSPs use the software discussed in this blog, the software has been labeled as a priority software by Blackpoint Cyber’s Adversary Pursuit Group (APG) due to the overall number of MSPs/organizations that use it. 

Key Findings 

  • There were more than 6,000 vulnerabilities disclosed between 01 April and 30 April 2026, with more than 50% scored with a high or critical Common Vulnerability Scoring System (CVSS) rating.  
  • There are several that have been actively exploited and 31 that have been added to the U.S. CISA Known Exploited Vulnerabilities (KEV) Catalog, indicating reliable reports of active exploitation. 
  • Blackpoint’s APG assesses with high confidence that threat actors will continue to leverage known and unknown vulnerabilities in ubiquitous software and services over the next 12 months.  

Prioritized Software Categories – April 2026 

The Blackpoint APG tracks prioritized software across six categories; in April 2026, we delivered notices spanning five of them. These categories include tools that are widely used and critical to daily operations, meaning that security issues in these areas have a higher chance of causing devastating impacts if successfully exploited. These categories are detailed in the Glossary.

cPanel – CVE-2026-41940 

  • Prioritized Category: Enterprise Software 
  • Impacted Software: cPanel and WHM versions after 11.40 
  • Type: Authentication Bypass 
  • CVSS: 9.8 (Critical) 
  • CISA KEV Catalog: Yes – added April 30, 2026 

An authentication bypass vulnerability impacting cPanel & WHM and WP Squared that could allow a threat actor to bypass authentication controls and gain administrator-level access to the hosting environment, enabling full compromise of the server, hosted websites, and associated data. [1]  

While specific details of exploitation remain scarce at the time of writing, multiple resources have reported widespread exploitation of this vulnerability. cPanel and WHM act as web hosting control panel software for tens of millions of domains, indicating that this vulnerability will continue to be an attractive target due to the level of access granted. Researchers with ShadowServer reported more than half a million exposed instances and researchers with Defused have reported more than 1,000 exploitation attempts since disclosure.  

Additionally, there is a publicly available proof-of-concept for this vulnerability. This could allow lower skill level threat actors to attempt exploitation over the next 30 to 60 days.  

Cisco – Multiple Vulnerabilities 

CVE-2026-20147, CVE-2026-20180, and CVE-2026-20186 

  • Prioritized Category: Remote Access & Identity 
  • Impacted Software: Cisco ISE/ISE-PIC 
  • Type: Remote Code Execution 
  • CVSS: 9.9 (Critical) 
  • CISA KEV Catalog: No 

CVE-2026-20147 is a remote code execution (RCE) vulnerability that could allow a threat actor with valid administrative credentials to execute arbitrary commands on the underlying operating system. In single-node deployments, exploitation could cause the system to become unavailable, leading to a denial-of-service (DoS) condition that prevents new endpoint authentication.[2]  

CVE-2026-20180 and CVE-2026-20186 are RCE vulnerabilities that could allow a threat actor with at least Read Only Admin credentials to send a crafted HTTP request and execute arbitrary commands on the underlying operating system of an affected Cisco ISE device. These vulnerabilities do not impact Cisco ISE Passive Identity Connector (ISE-PIC). [3] 

CVE-2026-20184 

  • Prioritized Category: Productivity, Communication, & Knowledge 
  • Impacted Software: Cisco Webex 
  • Type: Certificate Validation 
  • CVSS: 9.8 (Critical) 
  • CISA KEV Catalog: No 

A certificate validation vulnerability that could allow a threat actor to impersonate legitimate users without authentication, potentially gaining access to Webex services, data, and communications. This vulnerability impacts the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services.[4] 

CVE-2026-20148 

  • Prioritized Category: Remote Access & Identity 
  • Impacted Software: Cisco ISE 
  • Type: Path Traversal 
  • CVSS: 4.9 (Medium) 
  • CISA KEV Catalog: No 

A path traversal vulnerability that could allow a threat actor with valid administrative credentials to read arbitrary files on the system. This may expose sensitive configuration data or credentials, which could support further compromise.[2] 

At the time of writing, there is no evidence of active exploitation of these vulnerabilities in the wild. Threat actors can exploit these devices to impersonate users, elevate privileges, bypass security controls, and move laterally across networks. Threat actors can target these devices to take over accounts, exfiltrate data, gain persistence, and deploy malware. 

Fortinet – CVE-2026-39808 and CVE-2026-39813 

  • Prioritized Category: Security & Threat Defense 
  • Impacted Software: Fortinet FortiSandbox 
  • Type: OS Command Injection and Path Traversal 
  • CVSS: Both 9.1 (Critical) 
  • CISA KEV Catalog: No 

CVE-2026-39808 is an OS command injection vulnerability that could allow a threat actor to execute unauthorized code or commands through an unspecified attack vector. Successful exploitation of this vulnerability could result in complete system compromise, allowing a threat actor to manipulate data, execute code, and more.[5] 

An unauthenticated threat actor could exploit CVE-2026-39813 over the network without requiring user interaction to elevate privileges. Threat actors could then compromise the impacted FortiSandbox environment, access sensitive data, and likely identify opportunities for lateral movement.[6] 

While these vulnerabilities have not been reported to be actively exploited, Fortinet devices are frequently an attractive target for threat actors. These devices are used by security teams to safely analyze suspicious files and detect advanced threats before they reach production systems. They detonate and inspect potentially malicious content to identify hidden or evasive malware. 

Microsoft – Multiple Vulnerabilities 

CVE-2026-33825 

  • Prioritized Category: Security & Threat Defense 
  • Impacted Software: Microsoft Defender 
  • Type: Elevation of Privilege  
  • CVSS: 7.8 (High) 
  • CISA KEV Catalog: Yes – added on April 22, 2026 

An elevation of privilege vulnerability that could allow a threat actor to elevate privileges to SYSTEM.[8] The vulnerability was disclosed alongside a PoC, dubbed “BlueHammer”. The vulnerability stems from a race condition in Windows Defender’s file remediation logic.  

The BlueHammer exploit works by placing a file that triggers a detection; when Defender initiates remediation the exploit abuses a batch opportunistic lock (oplock) to pause the file operation. During the pause, the exploit modifies the filesystem by creating an NTFS junction point that redirects Defender’s target path from the attacker-controlled temporary directory to C:\Windows\System32.[9] 
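The following PowerShell hunting script is an added example written for this recap; it is not Blackpoint's detection logic or the BlueHammer code. It looks for the artifact the technique described above leaves behind: an NTFS junction in a user-writable temp location that points at C:\Windows\System32, and then lists Defender remediation events (event ID 1117 in the Defender operational log) within ten minutes of each junction's creation to help correlate. The scanned paths and the ten-minute window are assumptions; adjust them for your environment.

```powershell
# Added hunting example (not Blackpoint's detection): find NTFS junctions under
# temp paths that redirect to System32, the pattern described for BlueHammer.
$Roots = @(                                   # assumed user-writable locations
    "$env:SystemDrive\Users\*\AppData\Local\Temp",
    "$env:SystemRoot\Temp"
)
$SuspectTarget = "$env:SystemRoot\System32".TrimEnd('\')
$WindowMinutes = 10                           # assumed correlation window

$findings = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkType -eq 'Junction' } |
        ForEach-Object {
            # .Target is string[] on Windows PowerShell 5.1 and string on PowerShell 7
            $target = ($_.Target | Select-Object -First 1)
            if ($target -and ($target.TrimEnd('\') -ieq $SuspectTarget)) {
                [PSCustomObject]@{
                    Junction = $_.FullName
                    Target   = $target
                    Created  = $_.CreationTime
                    Owner    = (Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue).Owner
                }
            }
        }
}

if (-not $findings) {
    Write-Output "No junctions targeting $SuspectTarget found under the scanned temp paths."
    return
}

foreach ($f in $findings) {
    Write-Output "Suspect junction: $($f.Junction) -> $($f.Target) (created $($f.Created), owner $($f.Owner))"
    # Defender event 1117 = remediation action taken; look for one near the junction's creation
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1117
        StartTime = $f.Created.AddMinutes(-$WindowMinutes)
        EndTime   = $f.Created.AddMinutes($WindowMinutes)
    } -ErrorAction SilentlyContinue
    if ($events) {
        Write-Output "  Defender remediation events within +/-$WindowMinutes min: $($events.Count)"
        $events | Select-Object TimeCreated, Message | Format-List
    } else {
        Write-Output "  No Defender remediation events in the correlation window."
    }
}
```

A hit is not proof of exploitation on its own; confirm the junction owner and the process that created it (e.g. via Sysmon or EDR telemetry) before escalating.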

CVE-2026-32201 

  • Prioritized Category: Productivity, Communication, & Knowledge 
  • Impacted Software: Microsoft SharePoint Server 
  • Type: Spoofing  
  • CVSS: 6.5 (Medium) 
  • CISA KEV Catalog: Yes – added on April 14, 2026 

A spoofing vulnerability that could allow a threat actor to perform spoofing over a network, which could allow them to view sensitive information and make changes to the information. The vulnerability was reported as a zero-day vulnerability and has been added to the CISA KEV Catalog; however, specific details of the exploitation have not been released at the time of writing.[10] 

CVE-2026-32157 

  • Prioritized Category: Remote Access & Identity 
  • Impacted Software: Remote Desktop Client 
  • Type: RCE  
  • CVSS: 8.8 (High) 
  • CISA KEV Catalog: No 

An RCE vulnerability that could allow a threat actor to gain code execution on a client; however, this vulnerability requires an authorized user on the client to connect to a malicious server. This vulnerability stems from a use-after-free condition in the Remote Desktop Client. The client improperly references memory when handling data from a Remote Desktop session.[11] 

If a user connects to a malicious RDP server, the server can send crafted data that triggers memory corruption, which can then be leveraged to execute arbitrary code in the context of the logged-in user. This exploitation could lead to full system compromise.  

CVE-2026-33826 

  • Prioritized Category: Remote Access & Identity 
  • Impacted Software: Windows Active Directory 
  • Type: RCE  
  • CVSS: 8.0 (High) 
  • CISA KEV Catalog: No 

A threat actor could achieve remote code execution (RCE) on the server side with the same permissions as the RPC service. To exploit, the threat actor must be authenticated and send a specially crafted RPC call to an RPC host. Once these are met, a threat actor can craft malicious input that bypasses validation checks, thus achieving code execution.[12] 

CVE-2026-33824 

  • Prioritized Category: Network & Infrastructure 
  • Impacted Software: Windows Internet Key Exchange (IKE) Service Extensions 
  • Type: RCE  
  • CVSS: 9.8 (Critical) 
  • CISA KEV Catalog: No 

An unauthenticated threat actor could send specially crafted packets to a Windows machine with IKE version 2 enabled, which could lead to remote code execution. This issue derives from a double free condition in the Windows IKE Extension component. This vulnerability can be triggered remotely by sending specially crafted IKE packets to the target system.[13]  

Adobe – CVE-2026-34621, CVE-2026-34622, and CVE-2026-34626 

  • Prioritized Category: Productivity, Communication, & Knowledge 
  • Impacted Software: Adobe Acrobat and Reader 
  • Type: Prototype Pollution 
  • CVSS: 8.6, 8.6, and 6.3 (High & Medium) 
  • CISA KEV Catalog: Yes – CVE-2026-34621 was added on April 13, 2026 

These vulnerabilities could allow malicious files to bypass sandbox restrictions and invoke privileged JavaScript APIs, which could lead to arbitrary code execution. CVE-2026-34621 has been reportedly exploited to enable reading and stealing arbitrary files. No user interaction is required, beyond opening a malicious file, to exploit these vulnerabilities.[14] [15] 

Threat actors frequently target Adobe Acrobat and Reader because it is widely deployed across organizations and routinely used to open trusted documents like invoices, contracts, and reports. This makes malicious PDFs an effective and low-friction delivery method for exploits, allowing attackers to gain initial access with minimal user suspicion and then pivot to deeper compromise.  

Blackpoint’s APG Analysis 

As the threat landscape shifts, Blackpoint stays ahead by building and deploying real-time detections tuned to the latest adversary tradecraft. When threats are identified, Blackpoint takes decisive action by hunting down and actioning every associated IOC across customer environments before attackers can establish a foothold or move laterally. Additionally, Blackpoint has detections in place to identify the behaviors associated with the vulnerabilities detailed within this blog. 

Blackpoint’s APG assesses with high confidence that threat actors will continue to target, or begin targeting, these vulnerabilities over the next 12 months to deploy malware, steal sensitive information, and gain unauthorized access to organizations. It is likely that these vulnerabilities will be targeted by multiple types of threat actors, including both nation-state and financially motivated threat actors over the next 12 months. 

Glossary 

  • Data Protection & Recovery: These tools are very likely to store important data from multiple systems in one place, making them an attractive target for threat actors. Attackers who gain access to these systems can delete company backups, encrypt them, or steal data.  
  • IT Management & Operations: IT teams use these tools to monitor systems, fix issues, and automate tasks. These tools typically have high-level access permissions and an attacker who gains access could change settings, run malicious code, or spread across many systems without detection. A single compromise of these tools could impact multiple customers as the result of a single intrusion. 
  • Network & Infrastructure: These systems control how data moves in and out of a network; they often sit between the internal systems and the internet. Due to their exposure and being highly trusted, they are attractive targets for threat actors and are frequently targeted. An attacker that successfully targets these systems could access internal systems, access network traffic, or bypass security controls. 
  • Productivity, Communication, & Knowledge: These tools frequently contain sensitive data, instructions, and private conversations, making them attractive tools for threat actors. An attacker that gains access to these tools can read private messages, steal information, impersonate trusted users, and conduct additional attacks from a trusted platform. 
  • Remote Access & Identity: These tools are frequently used by administrators and are trusted across the environment, making them an attractive target for threat actors. An attacker that gains access to or abuses tools within this category can log in as legitimate users, bypass security checks, and move through systems without being detected.  
  • Security & Threat Defense: These tools collect security data and alert teams when something appears suspicious or malicious. Attackers that exploit these tools can hide their activity, turn off alerts, or delete evidence of their activity. This type of abuse can leave security teams blind to malicious activity and allow attackers to complete their objectives. 

References 

  1. cPanel/WHM CVE-2026-41940 Security Update
  2. Cisco ISE Remote Code Execution & Path Traversal Advisory
  3. Cisco ISE RCE Advisory (cisco-sa-ise-rce-4fverepv)
  4. Cisco Webex Certificate Validation Advisory
  5. Fortinet PSIRT Advisory FG-IR-26-100
  6. Fortinet PSIRT Advisory FG-IR-26-112
  7. SonicWall Vulnerability SNWLID-2026-0003
  8. Microsoft Security Advisory CVE-2026-33825
  9. BlueHammer/RedSun – Windows Defender CVE-2026-33825 Zero-Day Explained
  10. Microsoft Security Advisory CVE-2026-32201
  11. Microsoft Security Advisory CVE-2026-32157
  12. Microsoft Security Advisory CVE-2026-33826
  13. Microsoft Security Advisory CVE-2026-33824
  14. Adobe Acrobat Security Bulletin APSB26-43v
  15. Adobe Acrobat Security Bulletin APSB26-44

Date published: May 15, 2026
Author: Blackpoint Cyber
