🛑 April Patch Tuesday spans SAP, Adobe, Microsoft, Fortinet—and core vendors like Apple, Google, Cisco, VMware, Palo Alto, AWS, and Linux.

SAP (CVSS 9.9) enables SQL execution. Adobe Reader and SharePoint flaws are already exploited.

🔗 Read → https://thehackernews.com/2026/04/april-patch-tuesday-fixes-critical.html

🚨 A critical nginx-ui flaw is now exploited in the wild.

CVE-2026-33032 (9.8) allows auth bypass via the /mcp_message endpoint, letting attackers take full control of Nginx with two HTTP requests due to an “allow-all” default.

🔗 Details here → https://thehackernews.com/2026/04/critical-nginx-ui-vulnerability-cve.html

🤖 AI is now embedded across security teams. 100% of CISOs report active use.

Agentic testing adds variability, so results change between runs and break repeatability. Hybrid models keep tests consistent while using AI to adapt.

🔗 Learn why hybrid AI models are replacing agentic security testing → https://thehackernews.com/2026/04/deterministic-agentic-ai-architecture.html

⚠️ Attackers are abusing automation tools as delivery infrastructure.

Cisco Talos found #n8n webhooks used for phishing, malware, and tracking, leveraging trusted *.n8n.cloud domains to bypass filters.

email link → CAPTCHA → silent download → RMM-based persistence.

🔗 Read → https://thehackernews.com/2026/04/n8n-webhooks-abused-since-october-2025.html

Ukraine’s CERT-UA reports attacks on hospitals and government using AGINGFLY to steal browser and WhatsApp data.

Phishing triggers LNK → HTA via mshta.exe, deploying RAVENSHELL for remote control, credential theft, and lateral movement.

🔗 Full attack chain and tools used → https://thehackernews.com/2026/04/uac-0247-targets-ukrainian-clinics-and.html

Google added E2EE to Gmail on Android and iOS for Workspace users.

Client-side encryption lets licensed users send encrypted emails to any address, readable in Gmail or secure web view.

🔗 How Gmail handles encrypted emails → https://thehackernews.com/2026/04/weekly-recap-fiber-optic-spying-windows.html#:~:text=Google%20Brings%20E2EE%20to%20Gmail%20for%20Android%20and%20iOS

⚠️ Attackers are using Obsidian’s plugin system to run malware.

Targets move LinkedIn → Telegram → shared vault, where code runs only after enabling plugins. The payload deploys PHANTOMPULSE with Ethereum-based C2.

🔗 Read how → https://thehackernews.com/2026/04/obsidian-plugin-abuse-delivers.html

Cisco patched 4 critical flaws (CVSS up to 9.9) in Webex and ISE.

Bugs allow user impersonation, remote code execution, and OS command execution—even with low-level admin access. Exploits can lead to root access or outages.

🔗 CVEs, impact, and fixes → https://thehackernews.com/2026/04/cisco-patches-four-critical-identity.html

Work with real ICS/OT security scenarios, tools, and techniques at the SANS ICS Security Summit.

Join experts and practitioners in Orlando, or attend virtually, for workshops, technical talks, and community discussions.

Register - https://thn.news/ics-security-summit-26

This week's ThreatsDay Bulletin is wild:

🧓 17-year-old Excel bug exploited again
💸 Fake Ledger app drains $9.5M
🛡️ New Defender zero-day drops
☁️ APT41 hiding in your cloud
🔗 WordPress plugins poisoned via acquisition
💬 $21B black market still live on Telegram
...and 12 more.

Read all new stories here ↓ https://thehackernews.com/2026/04/threatsday-bulletin-17-year-old-excel.html

88% of AI proof-of-concepts never make it to production, according to IDC. That wasn’t the case for Robinhood.

On April 23rd, join the Robinhood team live as they walk through their journey with AI, from evaluation to production. You’ll hear first-hand how they:

🔸 Doubled alert triage capacity across all severity levels
🔸 Built multi-agent AI systems to handle complex investigations
🔸 Use human-in-the-loop guardrails and confidence scoring to maintain accuracy
🔸 Reduced both threat exposure and incident exposure windows

If you're interested in maximizing your AI investment, this live session is for you - https://thn.news/tines-ai-roadmap

[Webinar] Ghost Identities in Autonomous AI...

Live session on securing non-human identities across cloud environments.

Learn to discover service accounts and API keys, remediate excessive permissions, and automate removal of ghost identities before risk escalates.

🔗 Watch it here → https://thehackernews.com/2026/04/webinar-find-and-eliminate-orphaned-non.html

⚠️ Researchers uncovered PowMix Botnet, active since Dec 2025.

Randomized C2 beaconing and phishing ZIP → LNK → PowerShell chains enable in-memory control and persistence.

RondoDox separately exploits 170+ flaws for DDoS and crypto mining.

🔗Read → https://thehackernews.com/2026/04/newly-discovered-powmix-botnet-hits.html

🚨 CISA flags active exploitation of an Apache ActiveMQ flaw enabling remote code execution.

Attackers abuse the Jolokia API to run OS commands. Default creds—and in some versions no auth—make it easier to exploit.

🔗 Read → https://thehackernews.com/2026/04/apache-activemq-cve-2026-34197-added-to.html

⚠️ A global operation just disrupted DDoS-for-hire networks used by cybercriminals.

53 domains seized, 4 arrests in Operation PowerOFF across 21 countries. Authorities accessed 3M+ user accounts tied to these services.

🔗 Read → https://thehackernews.com/2026/04/operation-poweroff-seizes-53-ddos.html

🔥 NIST will now prioritize CVE analysis.

263% rise in vulnerabilities forced it to enrich only high-risk cases (KEV, federal, critical software). Others stay listed but without full analysis, marked “Not Scheduled.”

🔗 Read about it here → https://thehackernews.com/2026/04/nist-limits-cve-enrichment-after-263.html

Google updated Android 17 privacy rules while reporting 8.3B ads blocked and 24.9M accounts suspended in 2025.

Apps must now limit contact and location access or justify it. Separately, AI is stopping most malicious ads before users see them.

🔗 Read → https://thehackernews.com/2026/04/google-blocks-83b-policy-violating-ads.html

⚡ Researchers confirm exploitation of three Microsoft Defender flaws—one patched (CVE-2026-33825) , two unpatched.

Attackers escalate privileges and can block Defender updates.

🔗 Learn how these flaws are used in attacks → https://thehackernews.com/2026/04/three-microsoft-defender-zero-days.html

Attackers are exploiting CVE-2024-3721 in TBK DVRs to deploy Mirai variant Nexcorium.

It spreads via old exploits and default creds, persists on devices, and launches DDoS attacks. EoL TP-Link routers are also being targeted via known flaws.

🔗 Read → https://thehackernews.com/2026/04/mirai-variant-nexcorium-exploits-cve.html

Sanctioned #cryptocurrency exchange Grinex is shutting down after a $13.74M hack.

Stolen funds were quickly moved and swapped to avoid freezing. The platform is linked to Garantex, flagged for laundering over $100M.

🔗 Read → https://thehackernews.com/2026/04/1374m-hack-shuts-down-sanctioned-grinex.html

The EU says its age verification app is ready for rollout.

Users can prove age with ID without sharing personal data. The system is anonymous, open source, and built to support child safety rules across platforms.

🔗 What the EU’s system actually does → https://thehackernews.com/2026/04/threatsday-bulletin-17-year-old-excel.html#anonymous-age-checks