Three new high-severity local privilege escalation (LPE) vulnerabilities affecting Linux were recently disclosed, creating significant global risk. Although user-level access is a prerequisite for their exploitation, the new CVEs allow command execution as the root user and full system takeover. The CVEs are considered reliably exploitable on all major Linux distributions.

The name “Copy Fail” was given to CVE-2026-31431 (CVSS 7.8) at disclosure time, and subsequent investigations led to the discovery of CVE-2026-43284 (CVSS 8.8), dubbed “Copy Fail 2”, and CVE-2026-43500 (CVSS 7.8). The attack chain involving CVE-2026-43284 and CVE-2026-43500 was dubbed “Dirty Frag”. CVE-2026-31431 has been added to CISA’s KEV list, after active exploitation was reported by Microsoft. Microsoft also considers Dirty Frag high-risk for post-exploitation activity. Numerous national CERT alerts have been issued globally for the CVEs [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22].

Greenbone provides Linux package-level detection for all three emergency CVEs mentioned above across a wide spectrum of Linux distributions [1][2][3]. Greenbone’s coverage also extends to security updates for a wide array of software and hardware products. As a result, OPENVAS SCAN can also help identify the impact of Copy Fail, Copy Fail 2, and Dirty Frag in third-party Linux-based products.

Greenbone’s OPENVAS SCAN has industry-leading detection for many Linux distributions with authenticated Local Security Checks (LSC). Authenticated LSCs provide reliable detection because they analyze endpoint systems from within, build asset inventories, uncover package-level software vulnerabilities, and identify other security misconfigurations.

Start Your Free Trial

With continuously updated vulnerability detection, risk prioritization intelligence, and scalable operations, OPENVAS SCAN helps organizations strengthen their cybersecurity posture by reducing exposure to known threats across IT environments.

Start evaluating Greenbone’s flagship product, OPENVAS SCAN. Our entry level enterprise appliance, OPENVAS BASIC, is available for free and includes a two week trial of the OPENVAS ENTERPRISE FEED.

What Are Copy Fail, Copy Fail 2, and Dirty Frag?

The disclosure timeline for Copy Fail, Copy Fail 2, and Dirty Frag moved quickly, overlapping with mainline Linux kernel patching and downstream Linux distribution updates. Because several related events occurred within a short period, it is useful to first clarify the terminology and timeline of events:

  • Copy Fail: Refers to CVE-2026-31431 (CVSS 7.8), an LPE flaw in the Linux kernel. Copy Fail was privately reported on March 23rd, 2026, and patched in the mainline Linux kernel on April 1st. On April 22nd, the flaw was published as CVE-2026-31431, and a full technical write-up [1] and proof-of-concept (PoC) exploit [2] followed days later. Microsoft reported active exploitation on May 1st, 2026 and CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities (KEV) catalog the same day. Since then, additional technical write-ups [3][4][5], PoC exploits [5][6], and a commercial penetration testing exploit [7] have become available.
  • Copy Fail 2: Refers to CVE-2026-43284 (CVSS 8.8), published on May 8th, 2026. The flaw was discovered during follow-on research into the root cause of Copy Fail. Copy Fail 2 was privately reported on April 30th, 2026, and the fix was merged into the mainline Linux kernel on May 8th. A technical description [8] and PoC exploit [9] were published on May 7th, one day before upstream kernel patches became available to downstream Linux distributions. The original technical write-up indicates that the underlying flaw could be exploited alone for root-level access, without being chained with other software flaws, such as in Dirty Frag described below.
  • Dirty Frag: Refers to the chained exploitation of CVE-2026-43284 (Copy Fail 2) and CVE-2026-43500 (CVSS 7.8). Although CVE-2026-43500 was responsibly disclosed and published on May 11th, 2026, sensitive information became publicly available before a fix was committed to the mainline Linux kernel. This prompted security researcher Hyunwoo Kim (@v4bel) to release technical details [9] and PoC code [10] on May 8th, before the root cause of CVE-2026-43500 was patched in the mainline Linux kernel on May 10th, 2026.

A Global Risk Analysis of Copy Fail, Copy Fail 2, and Dirty Frag

The global cyber security risk posed by Copy Fail, Copy Fail 2, and Dirty Frag is high. Linux is widely used in network and security appliances, workstations, cloud environments, Internet of Things (IoT) devices, embedded systems, industrial environments, and critical infrastructure. All three CVEs are considered reliably exploitable and affect every major Linux distribution, creating broad global exposure. The vulnerabilities have been traced back to three separate upstream Linux commits; Copy Fail [72548b093ee3] and Copy Fail 2 [cac2661c53f3] were introduced in 2017, while the Dirty Frag commit [2dc334f1a63a] was introduced in 2023 [1][2].

Active exploitation of CVE-2026-31431 (Copy Fail) has been observed by Microsoft and added to CISA’s KEV list, although few details about the attacks are available. Microsoft also considers Dirty Frag high risk for post-exploitation activity. The immediate risk landscape is further compounded by the fast-paced nature of events. Sensitive technical information and exploit code for CVE-2026-43284 and CVE-2026-43500 were disclosed before patches reached downstream Linux distributions, increasing the window of opportunity for attackers. Although security researchers followed responsible disclosure paths, sensitive details about CVE-2026-43284 were released in parallel with upstream patch commits to the Linux kernel. For CVE-2026-43500, early public exposure came from a patch submitted to the public netdev mailing list on April 29th.

Complete technical details and PoC exploit code are publicly available for all three CVEs, increasing the risk of exploitation by low-skilled attackers and initial access brokers (IAB) who sell unauthorized access to cyber-criminal organizations. Numerous national CERT alerts have been issued globally, and numerous product vendors have issued advisories and emergency patches to address the issues [3][4][5][6][7][8][9][10][11][12][13].

Although LPE flaws require local account access for exploitation, attackers can gain the required access in many ways, such as:

  • Existing software vulnerabilities [T1190] [T1203]
  • Using stolen credentials [T1078]
  • Phishing and spear phishing [T1566]
  • Malicious insiders [T1199]
  • Supply chain compromise [T1195]

Potential impacts of successful exploitation include:

  • Ransomware attacks [T1486]
  • Credential theft [TA0006]
  • Rootkit deployment [T1014] for covert, persistent access [TA0003]
  • Binary replacement [T1554]
  • Disabling security tools [TA0005]
  • Botnet enrollment [T1584.005]
  • Lateral movement to other systems [TA0008]
  • Dropping poisoned files [T1204.002]
  • Downstream supply-chain attacks [T1195]

Mitigating Copy Fail, Copy Fail 2, and Dirty Frag

As of May 13th, patches are still not available for all aforementioned CVEs across all major Linux distributions. Full mitigation requires identifying affected systems and installing operating system patches as soon as possible. As a temporary workaround, defenders can disable the vulnerable algif_aead, esp6, esp4, and rxrpc kernel modules [1][2][3][4]. However, in some cases this approach could be problematic if the modules support required functionality.
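To see where the module workaround above actually applies on a given host, here is an added audit helper (example code, not Greenbone’s or the kernel’s): it reports which of the four modules are loaded, flags any that are compiled into the kernel and therefore cannot be blocked with modprobe configuration, and emits the modprobe.d fragment that prevents loading. Only the module names come from the article; the sample /proc/modules and modules.builtin contents are constructed.

```python
"""Audit helper for the temporary kernel-module workaround described above.

Added example, not Greenbone's or the kernel's code. Only the module names
(algif_aead, esp4, esp6, rxrpc) come from the article; the /proc/modules,
modules.builtin and modprobe.d formats are the standard ones, and the sample
data below is constructed for illustration.
"""
import platform

WORKAROUND_MODULES = ("algif_aead", "esp4", "esp6", "rxrpc")

# Constructed sample data in the formats of /proc/modules and
# /lib/modules/<release>/modules.builtin (not taken from any real host).
SAMPLE_PROC_MODULES = (
    "algif_aead 16384 0 - Live 0x0000000000000000\n"
    "xfrm_user 49152 1 - Live 0x0000000000000000\n"
    "esp4 24576 0 - Live 0x0000000000000000\n"
)
SAMPLE_MODULES_BUILTIN = (
    "kernel/net/rxrpc/rxrpc.ko\n"
    "kernel/fs/ext4/ext4.ko\n"
)


def loaded_modules(proc_modules_text):
    """Names of loaded modules: the first field of each /proc/modules line."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def builtin_modules(modules_builtin_text):
    """Names compiled into the kernel image, from modules.builtin entries such as
    'kernel/net/ipv4/esp4.ko'. Built-in code cannot be unloaded or blocked by
    modprobe configuration, so the module workaround does not apply to it."""
    names = set()
    for line in modules_builtin_text.splitlines():
        base = line.strip().rsplit("/", 1)[-1]
        if base.endswith(".ko"):
            names.add(base[:-3])
    return names


def audit(proc_modules_text, modules_builtin_text):
    """Report which workaround modules are currently loaded and which are built in."""
    targets = set(WORKAROUND_MODULES)
    return {
        "loaded": sorted(loaded_modules(proc_modules_text) & targets),
        "builtin": sorted(builtin_modules(modules_builtin_text) & targets),
    }


def modprobe_deny_config(modules=WORKAROUND_MODULES):
    """modprobe.d fragment that blocks the modules: 'blacklist' stops alias-based
    autoloading, and 'install <mod> /bin/false' makes explicit load requests fail.
    esp4/esp6 implement IPsec ESP and rxrpc provides AF_RXRPC for the kernel AFS
    client; blocking them removes that functionality, the caveat the article raises.
    A module that is already loaded must be removed (modprobe -r) before this takes
    effect, which fails while the module is in use."""
    lines = []
    for module in modules:
        lines.append(f"blacklist {module}")
        lines.append(f"install {module} /bin/false")
    return "\n".join(lines) + "\n"


def _read_text(path):
    """Return the file's contents, or '' when it does not exist or is unreadable."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""


if __name__ == "__main__":
    proc_text = _read_text("/proc/modules")
    builtin_text = _read_text(f"/lib/modules/{platform.release()}/modules.builtin")
    if not (proc_text or builtin_text):  # not on Linux: fall back to the sample data
        proc_text, builtin_text = SAMPLE_PROC_MODULES, SAMPLE_MODULES_BUILTIN
    result = audit(proc_text, builtin_text)
    print("loaded workaround modules:", result["loaded"] or "none")
    print("built in (cannot be blocked via modprobe.d):", result["builtin"] or "none")
    print("\n# proposed /etc/modprobe.d/<name>.conf fragment:")
    print(modprobe_deny_config(), end="")
```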

Due to active exploitation and the availability of PoC exploits, defenders should consider monitoring for indicators of compromise (IoCs) and suspicious activity, and conduct incident response if a breach is suspected.

It’s also important to remember that Copy Fail, Copy Fail 2, and Dirty Frag may introduce additional risk to many third-party products that use Linux. Defenders should scan all infrastructure for vulnerabilities and follow the affected product vendor’s security guidance.

Greenbone provides Linux package-level detection for all three emergency CVEs mentioned above across a wide spectrum of Linux distributions [5][6][7]. Greenbone’s coverage also extends to security updates for a wide array of software and hardware products, meaning that OPENVAS SCAN can help identify the impact of Copy Fail, Copy Fail 2, and Dirty Frag in third-party Linux-based products as well.

Summary

Copy Fail, Copy Fail 2, and Dirty Frag create a serious risk to any systems or devices that use Linux. The flaws are all local privilege escalation (LPE) vulnerabilities that require user-level access to exploit. However, risk is increased due to reliable exploitation on all major Linux distributions, the availability of public PoC exploit code, and in the case of CVE-2026-31431, known active exploitation.

Organizations should regularly scan their IT infrastructure with OPENVAS SCAN to ensure Linux kernel patches are applied network-wide and vulnerable third-party software and hardware are identified. Security updates should be installed as soon as they become available. Temporary kernel module workarounds may be considered in the meantime where feasible. Additional measures include restricting local access paths and monitoring systems for indicators of compromise (IoCs).

In April 2026, the cyber security landscape was flooded with news about Anthropic’s new Mythos bug-hunting AI and Project Glasswing. The rose-colored takeaway is that one year from now, software will be free from vulnerabilities because AI will find all of the flaws and vendors will patch. Major software companies will scan all their products pre-release and software vulnerabilities will be a thing of the past. However, reality likely has something else in store. Let’s dig into the evolving cyber risk landscape of April 2026.

Although several of this month’s top threats are mentioned here, many emerging vulnerabilities are not. OPENVAS SCAN doesn’t just detect the most critical flaws in your IT environment. Greenbone’s OPENVAS ENTERPRISE FEED adds thousands of new vulnerability tests per month to detect flaws in enterprise software applications, IT networking products, major OSs and browsers, Linux packages, productivity tools, agentic AI tooling, and more. Defenders seeking to detect and protect can try Greenbone’s entry-level OPENVAS BASIC for free, including a two-week trial of the ENTERPRISE FEED.

Mythos or Reality? Time to Find Out

Project Glasswing created a media frenzy, yet transparency remained elusive. Anthropic did not release a public list matching its claim of “thousands of zero-day vulnerabilities” across “every major operating system” and “every major web browser”. This month, VulnCheck found only 75 published CVE records mentioning “Anthropic” and only 40 of those were credited to Anthropic researchers. So far, only one CVE is explicitly attributed to Project Glasswing: CVE-2026-4747 (CVSS 8.8).

The potential risk posed by offensive AI technology is high. The immediate advice from established cyber security authorities, the SANS Institute and the Cloud Security Alliance (CSA), is for organizations to double down on core cybersecurity measures: ensure strong mitigating and preventative controls such as the principle of least privilege (PoLP) and network segmentation to prevent lateral movement, patch faster, and be prepared for a possible influx of new high-severity CVEs. Also, where potential zero-day exploitation creates high risk, outfit endpoints with detection and response technologies, and be prepared to redeploy critical assets with minimal downtime. Third-party risk can also directly impact your organization’s operations. This is a more balanced interpretation of the near-term risk that organizations face.

Apache ActiveMQ Actively Exploited for RCE

CVE-2026-34197 (CVSS 8.8, EPSS ≥ 98th pctl) is a code injection flaw caused by improper input validation affecting Apache ActiveMQ Classic. Apache ActiveMQ is a popular Java-based message broker that handles asynchronous communication via message queues with support for flexible client options. CVE-2026-34197 has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog and multiple national CERT agencies have issued alerts globally [1][2][3][4][5][6][7][8]. Previous flaws in ActiveMQ are known to be leveraged in ransomware attacks. A full technical description and proof-of-concept (PoC) exploit kit are publicly available, increasing the risk. Shadowserver reports roughly 8,000 exposed instances of ActiveMQ on the Internet.

The new CVE is considered a bypass of CVE-2022-41678 (CVSS 8.8). Exploiting CVE-2026-34197 does not require credentials on ActiveMQ v6.0.0–6.1.1 due to another unpatched missing authentication vulnerability, CVE-2024-32114 (CVSS 8.8). While authentication is required for exploiting other versions of ActiveMQ, default credentials are also a factor for unauthorized access. Incidentally, the Horizon3.ai security researcher who discovered CVE-2026-34197 attributed 80% of the process to a pre-Mythos version of Claude AI.

Greenbone’s OPENVAS ENTERPRISE FEED includes an active check and a remote banner version check for CVE-2026-34197. Users must upgrade to v5.19.4 or v6.2.3 for mitigation.

Trojan Documents Exploiting Adobe Acrobat and Reader

CVE-2026-34621 (CVSS 8.6, EPSS ≥ 92nd pctl) is a prototype pollution flaw [CWE-1321] that allows arbitrary code execution in the context of the current user. CVE-2026-34621 is exploitable via social engineering and requires a malicious PDF file to be opened. CVE-2026-34621 has been added to CISA’s KEV list and Adobe acknowledged active exploitation in a security bulletin. Numerous national CERT alerts have been issued globally [1][2][3][4][5][6][7][8][9][10][11][12][13][14].

According to security researchers, the flaw has been exploited since at least late 2025 as indicated by VirusTotal findings. The identified malware base64-decodes a payload and executes it as JavaScript to extract information from the victim’s computer, including the contents of local files, sends the data to the attacker’s command-and-control (C2) server, and awaits further instructions to execute. Another malware analysis report found that malware exploiting CVE-2026-34621 abuses multiple undocumented internal APIs in Adobe Acrobat and Reader in the attack chain.

Affected products are Acrobat DC Continuous 26.001.21367 and earlier, Acrobat Reader DC Continuous 26.001.21367 and earlier, and Acrobat 2024 Classic 2024 24.001.30356 and earlier on Windows and macOS. The OPENVAS ENTERPRISE FEED includes detection tests for all affected products on Windows [15][16][17] and macOS [18][19][20]. Users should update to a patched version immediately.

CVE-2026-3854: Authenticated RCE in Git Enterprise and GitHub.com

CVE-2026-3854 (CVSS 8.8) allows an authenticated attacker with push permissions to a repository to achieve RCE on a Git server. During a git push operation, user-supplied values are not properly sanitized before being included in internal service headers, potentially resulting in command injection [CWE-77] and RCE.

Several Git products including GitHub.com, GitHub Enterprise Server, and GitHub Enterprise Cloud are affected. A full technical description has been published and public PoC exploits have been sighted by CIRCL.lu. Although GitHub.com’s public infrastructure was affected, internal forensic review found no evidence of in-the-wild exploitation or indicators of compromise (IoC).

The OPENVAS ENTERPRISE FEED includes package-level detection for GitHub Enterprise Server. Users should upgrade to GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, or 3.19.4.

Patch Now! High-Severity Flaws in Core Linux Components

Let’s turn our focus to Greenbone’s support for Linux security advisories and what the OPENVAS ENTERPRISE FEED can do for security teams managing Linux assets by reviewing some of the top Linux flaws from April 2026.

Pack2TheRoot: Linux Privilege Escalation via Linux PackageKit

PackageKit is the D-Bus system-level API for managing software packages across different Linux package managers, including APT, DNF, RPM, and Pacman. CVE-2026-41651 (CVSS 8.8), dubbed Pack2TheRoot, is an attack chain that combines three separate bugs into an exploitable time-of-check-time-of-use (TOCTOU) race condition [CWE-367]. The flaw ultimately allows unprivileged users to install arbitrary packages as root.

Telekom Security published a technical description, including a detailed PoC exploit. Other PoC exploits can also be found online [1][2] and several national CERT alerts have been issued globally [1][2][3]. The OPENVAS ENTERPRISE FEED includes detection for CVE-2026-41651 as reported in Linux security advisories. PackageKit versions 1.0.2 through 1.3.4 are affected and users should update to version 1.3.5.

CVE-2026-33413: Authentication Bypass in etcd

etcd is a distributed key-value store designed for authoritative data coordination in Linux environments. CVE-2026-33413 (CVSS 8.8) is a missing authorization vulnerability [CWE-862] in etcd clusters with auth enabled. The flaw allows attackers to access sensitive etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. RCE is not described as a potential impact of CVE-2026-33413. However, an attacker may learn cluster topology, including member IDs and advertised endpoints, permanently remove historical revisions, disrupt watch, audit, and recovery workflows, or trigger denial of service (DoS) conditions.

etcd is often associated with Kubernetes, where it stores the cluster’s authoritative state, including nodes, pods, secrets, and control-plane metadata. However, since Kubernetes does not rely on etcd’s built-in authentication and authorization, typical Kubernetes deployments are not affected.

Germany [1] and France [2] have issued national CERT advisories for the flaw. Greenbone includes a remote banner version check for detecting exposed etcd services affected by CVE-2026-33413. etcd versions 3.4.42, 3.5.28, and 3.6.9 contain a patch for CVE-2026-33413.

CVE-2026-34714: Trojan Vim Files Can Execute Arbitrary Code

CVE-2026-34714 (CVSS 8.6) allows arbitrary OS commands to be executed when a user opens a specially crafted file. These commands are executed with the privileges of the user who opened the file. CVE-2026-34714 is classified as a command injection flaw caused by improper neutralization of special elements [CWE-78].

There is no public PoC exploit for CVE-2026-34714, and it is not considered exploited in the wild. The OPENVAS ENTERPRISE FEED includes detection for CVE-2026-34714 as reported in Linux security advisories. The flaw was introduced in v9.1.1390 and patched in v9.2.0172.

CVE-2026-34078: Sandbox Escape and RCE via Malicious Flatpak Apps

CVE-2026-34078 (CVSS 10) is a complete sandbox escape of the flatpak run process caused by an exploitable TOCTOU race condition [CWE-367] when file paths provided as sandbox-expose options are replaced with symlinks post-verification. Once flatpak run mounts the swapped-out symlink in the sandbox, a malicious app can read and write arbitrary files on the host and exploit these unauthorized privileges to gain code execution.

There is no public PoC exploit for CVE-2026-34078, and it is not considered exploited in the wild. The OPENVAS ENTERPRISE FEED includes detection for CVE-2026-34078 as reported in Linux security advisories. Users should upgrade to Flatpak version 1.16.4 for mitigation.

Microsoft Risk: New Active Exploitation and Disclosure Controversy

A large Patch Tuesday included 173 new vulnerabilities in Microsoft’s core products. Nineteen were rated as “Exploitation More Likely”, and two were quickly added to CISA’s KEV list. Another critical flaw, CVE-2026-40372 (CVSS 9.1), was disclosed out-of-band. Also, a disgruntled security researcher abandoned the responsible disclosure process with Microsoft and published PoC exploit code for an otherwise undisclosed and unpatched vulnerability.

Let’s review some of these new high-risk Microsoft vulnerabilities:

  • CVE-2026-33825 (CVSS 7.8, EPSS ≥ 87th pctl): A local privilege escalation (LPE) in Microsoft Defender allows a local user to gain SYSTEM-level permissions. Dubbed “BlueHammer”, the flaw was reportedly disclosed by a disgruntled security researcher, along with a PoC exploit. Technical analyses have also been published [1][2]. BlueHammer is exploited in the wild and has been added to CISA’s KEV list. Two additional zero-days disclosed by the disgruntled researcher, dubbed RedSun and UnDefend, remain unpatched by Microsoft despite having PoC exploits [3][4] and being observed in active attacks.
  • CVE-2026-32201 (CVSS 6.5): A new actively exploited flaw in Microsoft SharePoint Server caused by improper input validation [CWE-20] allows an unauthorized attacker to perform spoofing over a network. Technical details about CVE-2026-32201 are not publicly available, and no public PoC exploit exists. Previous SharePoint flaws have been targeted by sophisticated nation-state threat actors [5][6][7]. CVE-2026-32201 comes soon after another SharePoint vulnerability, CVE-2026-20963 (CVSS 9.8, EPSS ≥ 90th pctl), was added to CISA’s KEV in April 2026.
  • CVE-2026-32202 (CVSS 4.3, EPSS ≥ 92nd pctl): A protection mechanism failure [CWE-693] in Windows Shell allows an unauthorized attacker to remotely bypass Microsoft Defender security controls. The flaw has been added to CISA’s KEV list. A detailed technical report from Akamai shows that CVE-2026-32202 is an incomplete patch for CVE-2026-21510 (CVSS 8.8), which was actively exploited by APT-28.
  • CVE-2026-40372 (CVSS 9.1): Changes introduced in version 10.0.6 of the AspNetCore.DataProtection package in .NET Core caused secret decryption failure for some users [8][9]. Following investigation, Microsoft determined that the update also allows unauthorized attackers to elevate privileges over a network. Technical details about CVE-2026-40372 are not publicly available, and no public PoC exploit exists. Versions 10.0.0 – 10.0.6 are affected by CVE-2026-40372 and users should update .NET Core runtime to version 10.0.7 and .NET Core SDK to version 10.0.107 or 10.0.203.

Greenbone’s OPENVAS ENTERPRISE FEED includes detection for all Microsoft CVEs referenced above and frequently updated dedicated families of detection tests for Microsoft products.

CVE-2026-2699: Unauthenticated RCE in Progress ShareFile with Public PoC

CVE-2026-2699 (CVSS 9.8, EPSS ≥ 96th pctl) allows unauthenticated read and write access to restricted configuration pages on Progress ShareFile Storage Controller. The flaw allows changing system configurations and, potentially, unauthenticated RCE. CVE-2026-2701 (CVSS 8.8, EPSS ≥ 70th pctl) has a similar impact for authenticated users; an authenticated attacker can upload a malicious file and execute it, leading to RCE.

Progress Software’s products have frequently been targeted in ransomware attacks in the past [1][2][3][4]. Although neither CVE is considered actively exploited yet, watchTowr Labs released a full technical write-up covering both CVEs that includes PoC exploit code. ShadowServer data indicates that the majority of publicly exposed instances are concentrated in the United States. Italy [5] and France [6] have issued CERT alerts for the pair of new CVEs.

The OPENVAS ENTERPRISE FEED includes a remote exploitability check for CVE-2026-2699 and a remote banner version check that covers both CVE-2026-2699 and CVE-2026-2701. All versions of Progress ShareFile StorageZones Controller before 5.12.4 are affected.

CVE-2025-59528: Actively Exploited CVSS 10 Flaw in Flowise

CVE-2025-59528 (CVSS 10, EPSS ≥ 99th pctl) is a code injection flaw [CWE-94] affecting Flowise prior to version 3.0.6. User-defined configuration settings from the CustomMCP node are passed directly to the Function() constructor, which executes JavaScript expressions without security validation. CustomMCP runs with Node.js runtime privileges and has access to dangerous modules such as child_process and fs.

CVE-2025-59528 was disclosed in September 2025, but the flaw gained more attention [1][2][3] this month, when it was reported as actively exploited. Notably, PoC exploit code was revealed by the vendor at disclosure time. The OPENVAS ENTERPRISE FEED has included a remote banner version check for CVE-2025-59528 since it was published, along with numerous tests for other Flowise CVEs, and a product detection module for Flowise. Users should upgrade to version 3.0.6.

Authenticated Command Execution on Juniper Networks MX Series Devices

CVE-2026-33785 (CVSS 8.8) allows a local, authenticated user with low privileges to execute dangerous CLI commands on Juniper Networks Junos OS on MX Series devices. Exploitation could lead to complete system compromise of managed devices. The root cause is missing authorization [CWE-862] for request csds operations, which are only meant to be executed by high-privileged users.

CVE-2026-33785 is not considered actively exploited and PoC exploit code is not publicly available. The OPENVAS ENTERPRISE FEED includes a remote banner version check for CVE-2026-33785, and detection for many other flaws in Juniper Networks products. CVE-2026-33785 affects Junos OS on MX Series, 24.4 releases before 24.4R2-S3 and 25.2 releases before 25.2R2. This issue does not affect Junos OS releases before 24.4.

TrueChaos: Campaign Targeting TrueConf Client in Southeast Asia

CVE-2026-3502 (CVSS 7.8, EPSS ≥ 85th pctl) allows an attacker who can influence the update delivery path to TrueConf Client applications to inject and execute a tampered update payload. TrueConf is a video conferencing and unified communications product family often deployed on-premises in private networks for secure, sovereign communication.

CVE-2026-3502 was added to CISA’s KEV list and Check Point has published details on at least one attack campaign dubbed “TrueChaos” targeting the government agencies of an unnamed Southeast Asian country. The malicious update still upgraded the victim’s client from 8.5.1 to 8.5.2 to reduce suspicion.

Greenbone’s OPENVAS ENTERPRISE FEED includes an authenticated registry check to identify vulnerable installations of TrueConf Client. All versions prior to 8.5.3.884 are affected and users should upgrade TrueConf Client to version 8.5.3.884 or later.

Summary

AI-assisted vulnerability discovery has accelerated the sheer number of CVEs published each month. The increase reflects a combination of both AI-slop and legitimate critical-severity flaws in widely popular enterprise software. Anthropic’s Mythos could result in more high-impact disclosures, but so far evidence has been elusive. The SANS Institute and CSA have advised organizations to essentially double their efforts towards core cyber security controls.

Defenders should employ continuous vulnerability management programs to reduce risk exposure with OPENVAS SCAN and the OPENVAS ENTERPRISE FEED for industry-leading vulnerability coverage. Greenbone produces thousands of new vulnerability tests per month to detect flaws in enterprise software applications, IT networking products, major OSs and browsers, Linux packages, productivity tools, agentic AI tooling, and more. Defenders seeking to detect and protect can try Greenbone’s entry-level OPENVAS BASIC for free, including a two-week trial of the ENTERPRISE FEED.

Published on April 29th, 2026, CVE-2026-41940 (CVSS 9.8, EPSS ≥ 95th pctl) allows unauthenticated remote attackers to gain administrative access to cPanel & WHM and WP Squared through a missing authentication flaw [CWE-306]. Successful exploitation can grant control over hosted websites, databases, email accounts, the server operating system and configuration, and adjacent websites in shared-hosting environments.

CVE-2026-41940 has been added to CISA’s KEV list and is widely reported as actively exploited in the wild. Reports suggest the flaw was exploited as a zero-day as early as February 23, 2026. A full technical analysis and proof-of-concept (PoC) exploit code have been published by watchTowr Labs, and multiple national CERT agencies have issued alerts globally [1][2][3][4][5][6][7][8].

The potential global impact of CVE-2026-41940 is significant. cPanel’s vendor claims to have 1.5 million internet-exposed instances, roughly 70 million domains. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote vulnerability check that directly verifies the exploitability of CVE-2026-41940 in cPanel and WHM instances.

Technical Details of CVE-2026-41940

CVE-2026-41940 is an authentication bypass vulnerability [CWE-306] enabled by CRLF injection during cPanel’s session loading and saving process. Session state corruption is possible due to a combination of flaws in cPanel & WHM’s session handling logic. To be clear, CVE-2026-41940 is not a single missing authentication check. It results from multiple structural software flaws that can be chained into relatively low-complexity attacks. Multi-factor authentication (MFA) offers no protection against attacks exploiting CVE-2026-41940.

Below is a description of the fundamental flaws that make up CVE-2026-41940:

  1. Session data is sanitized inconsistently because the design relies on each caller to remember to sanitize data before saving it. The filter_sessiondata routine, intended to remove dangerous control characters, was not enforced inside the saveSession function itself. This allows the password value taken from a decoded Authorization: Basic header to be written to the raw session file without sanitization.
  2. The second flaw involves conditional encoding of the pass (password) field. cPanel session cookies contain a session identifier and an <ob> secret segment included after a comma. However, if an attacker supplies a valid session identifier and the <ob> segment without the comma, the server still resolves the correct session file but bypasses encryption. This means the malicious password value remains in plaintext form, may include embedded carriage return or line feed (CRLF) characters, and is written directly to the session file.
  3. The third flaw is a mismatch between the raw session file format and the JSON session cache. cPanel maintains both a key=value session file and an identical JSON-serialized cache. Normal session handling loads the JSON cache, while the injected CRLF payload remains inside the pass string. However, another reachable path, Cpanel::Session::Modify, explicitly loads the raw session file containing the attacker-injected lines and copies them to the JSON cache, promoting them to top-level session attributes.
  4. The attacker can inject session attributes to bypass authentication. By providing values such as hasroot=1, tfa_verified=1, user=root, and successful_internal_auth_with_timestamp, an attacker can force a root-level authenticated session. In the WHM authentication path, an internal or external authentication timestamp bypasses verification against /etc/shadow and returns AUTH_OK.
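The chain above is a CRLF injection into a line-oriented key=value store. The following is an added example (not cPanel's code) that models that store, contrasts caller-side sanitization, which one code path can forget, with sanitization enforced inside the save routine, and adds a defender-side check for unexpected top-level attributes. Function names, the session dict and the injected key "injected" are constructed for illustration.

```python
"""Model of the CRLF-injection bug class behind CVE-2026-41940.

Added example, not cPanel's code. The key=value format, the function
names (save_session_flawed, save_session_hardened, filter_sessiondata,
detect_unexpected_attributes) and the sample data are illustrative.
"""
import re

# Control characters, including CR (\x0d) and LF (\x0a), must never reach a
# line-oriented store: a newline inside a value becomes a new key=value line.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed schema: the only top-level keys a well-formed session may have.
EXPECTED_KEYS = {"user", "pass"}

# Constructed input: a password value carrying an embedded CRLF sequence.
CONSTRUCTED_SESSION = {"user": "alice", "pass": "s3cret\r\ninjected=1"}


def filter_sessiondata(value: str) -> str:
    """Strip control characters from one session value (intent of the
    filter routine the article describes)."""
    return _CONTROL_CHARS.sub("", value)


def serialize(session: dict) -> str:
    """Write a session dict as key=value lines, one attribute per line."""
    return "".join(f"{k}={v}\n" for k, v in session.items())


def parse(raw: str) -> dict:
    """Load key=value lines. Every line becomes a top-level attribute, which
    is exactly what promotes an injected line to a forged session field."""
    session = {}
    for line in raw.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            session[key] = value
    return session


def save_session_flawed(session: dict) -> str:
    """Flawed pattern: the sink trusts that every caller already sanitized.
    A caller that forgets writes the raw CRLF straight into the file."""
    return serialize(session)


def save_session_hardened(session: dict) -> str:
    """Hardened pattern: sanitize at the sink, independent of the caller.
    Keys are filtered as well, so no code path can emit a stray line."""
    clean = {filter_sessiondata(str(k)): filter_sessiondata(str(v))
             for k, v in session.items()}
    return serialize(clean)


def detect_unexpected_attributes(raw: str, expected_keys: set) -> list:
    """Defender-side check over a raw session file: list top-level keys that
    are not part of the expected schema. Extra keys are a strong indicator
    that a value carried CR/LF into the store."""
    return sorted(k for k in parse(raw) if k not in expected_keys)


def demo() -> dict:
    """Run both save paths on the constructed session and return what a
    loader would see, plus the detector's verdict for each file."""
    flawed_raw = save_session_flawed(CONSTRUCTED_SESSION)
    hardened_raw = save_session_hardened(CONSTRUCTED_SESSION)
    return {
        "flawed": parse(flawed_raw),
        "flawed_unexpected": detect_unexpected_attributes(flawed_raw, EXPECTED_KEYS),
        "hardened": parse(hardened_raw),
        "hardened_unexpected": detect_unexpected_attributes(hardened_raw, EXPECTED_KEYS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the flawed writer the loader sees a third attribute, injected=1, while the hardened writer keeps the whole value inside the pass field and the detector reports nothing.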

The cPanel & WHM administrative web interface provides shell command execution directly through its built-in terminal interfaces: WHM’s Terminal gives authorized users in-browser command-line access. cPanel’s SSH Access interface also allows management of the server’s SSH service and authorized_keys, meaning a privileged attacker can hijack SSH for remote access [T1563.001].

Global Risk Assessment of CVE-2026-41940

CVE-2026-41940 presents a severe global risk because it affects widely used internet-facing hosting infrastructure, and allows unauthenticated, remote, root-level access. cPanel’s vendor claims to have 1.5 million internet-exposed instances, roughly 70 million domains. CVE-2026-41940 has been added to CISA’s KEV list, and reports suggest the flaw was exploited as a zero-day as early as February 23, 2026. watchTowr Labs has published a full technical description and detailed instructions for exploitation, further increasing the probability of widespread compromise.

CVE-2026-41940 enables a wide array of secondary attacks including:

The impact is highest for hosting providers, managed service providers, web agencies, resellers, and organizations operating shared or multi-tenant hosting environments. A single compromised WHM administrative session may give an attacker access to multiple customers’ data and email accounts. Organizations should treat any exposed, unpatched instance as potentially compromised.

Remediation Guidance for CVE-2026-41940

Organizations should treat CVE-2026-41940 as an emergency patching priority and urgently upgrade any affected cPanel & WHM and WP Squared instances to a fixed release. All versions of cPanel and WHM after 11.40 are affected. Mitigation requires a restart of the cPanel cpsrvd service. If immediate patching is not possible, restrict access to the cPanel and WHM interfaces using firewall rules or IP allowlists, especially on ports 2083, 2087, 2095, and 2096. cPanel lists the fixed cPanel & WHM versions as:

  • 86.0.41
  • 110.0.97
  • 118.0.63
  • 124.0.35
  • 126.0.54
  • 130.0.19
  • 132.0.29
  • 134.0.20
  • 136.0.5

WP Squared has been fixed in version 136.1.7. Because CVE-2026-41940 is actively exploited, organizations should assume internet-facing instances may have been targeted before patching, and conduct a complete forensic analysis to determine system integrity. This includes reviewing authentication logs, session activity, and administrative changes for signs of unauthorized access. However, defenders should also consider that attackers may gain root-level access and subsequently affect the integrity of the server OS and system logs.

Summary

CVE-2026-41940 is a critical authentication bypass in cPanel & WHM, and WP Squared that enables unauthenticated administrative access and potential full server takeover. Active exploitation, public exploit details and widespread exposure make this an emergency for hosting providers globally. Organizations should patch immediately, restart services, and investigate exposed systems for compromise. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote vulnerability check that directly verifies the exploitability of CVE-2026-41940 in cPanel and WHM instances.

Until recently, a digital product could be placed on the European market with essentially no binding cyber security standard attached to it. Manufacturers decided how much security to build in, and buyers had no assurances and no way to compare. When vulnerabilities emerged, there was no legal obligation to report or fix them. Products could be abandoned without prior notice, leaving them vulnerable to cyber attack.

The EU Cyber Resilience Act is the first EU regulation to require cyber security as a baseline condition for bringing digital products to market. Adopted in October 2024, its key obligations enter the enforcement phase in September 2026. [1] If you manufacture or distribute a digital product that is sold on the EU market, this regulation applies to you.


What Does ‘Cyber Resilience’ Actually Mean?

Cyber resilience refers to the ability to anticipate, withstand, recover from, and adapt to adverse cyber security events. The CRA operationalises cyber resilience at the market level by turning broad cyber security expectations into legally enforceable product obligations. Products must be designed to be resilient against attacks, and manufacturers must actively manage vulnerabilities throughout their product’s life cycle.

What Is a “Product With Digital Elements”?

The CRA uses the term ‘product with digital elements’ to define its scope. A product with digital elements is defined as any software or hardware product – and its remote data processing solutions – that can connect, directly or indirectly, to another device or network [2]. All things considered, this includes virtually all software that runs on a standard desktop computer, laptop, or mobile phone, and even simple hardware devices like a TV remote control.

The major product groups include:

  • Enterprise software platforms: ERP systems, CRM software, security tools, and collaboration platforms
  • Consumer hardware: smart home devices, connected appliances, routers, and IP cameras
  • Industrial products: PLCs, SCADA systems, industrial sensors, and connected machinery
  • Developer tools: IDEs, CI/CD platforms, and build tools with network connectivity
  • Operating systems: desktop, server, and embedded OS products
  • Mobile applications and other software components


Who Has to Comply?

The CRA places the primary obligation on manufacturers: the legal entities designing, developing, or producing products with digital elements and placing them on the EU market under their own name or trademark. But it does not end there. Importers and distributors also carry obligations. If you bring a third-party product to the EU market or make it available within the EU, you are responsible for verifying that it meets CRA requirements.

The CRA applies wherever you are based. A US software vendor selling to EU customers falls within its scope. Where a non-EU manufacturer’s products are sold in the EU by a European distributor, both parties carry obligations – the manufacturer as the entity responsible for the product, and the distributor as the entity making it available on the EU market.

The maximum fine for CRA non-compliance is €15 million or 2.5% of global annual turnover, whichever is higher – figures that concentrate board attention quickly.

What Is Explicitly Out of Scope?

  • Products covered by equivalent sector-specific legislation, such as certain medical devices, aviation equipment, and motor vehicles, where existing rules provide comparable cyber security requirements
  • Purely non-commercial open-source software (CRA still applies to open-source components of commercial products and open-source stewards)
  • National security, intelligence, and military products
  • Products not available on the market and designed exclusively for certain purposes, such as evaluation prototypes

What Does the CRA Actually Require?

At its core, the CRA requires manufacturers to do four things:

  1. Build secure digital products: Design, develop, and produce products with cyber security in mind from the start – not bolted on afterward. Products must ship without known exploitable vulnerabilities, with a minimal attack surface, and in a secure default configuration.
  2. Actively support product security: Provide security updates free of charge for at least five years. Responsibly document and manage security flaws. Maintain a Software Bill of Materials (SBOM) identifying all software components.
  3. Report exploited vulnerabilities: From 11 September 2026, report actively exploited vulnerabilities to ENISA within 24 hours and submit full technical details within 72 hours. [3]
  4. Assess and demonstrate conformity: Conduct a cyber security risk assessment before market placement. Maintain technical documentation for 10 years. Affix CE marking to demonstrate conformity. [4]

The September 2026 Deadline: Why It Matters Now

Most manufacturers are focused on the December 2027 full enforcement date – but the more immediately urgent deadline is September 11th, 2026, which kicks off vulnerability reporting obligations. That is less than five months away. From that date, any actively exploited vulnerability in your products must trigger a formal notification process to European cyber security authorities within 24 hours. [5]

Building and testing the internal process for that requires preparation. Not just a policy document, but an actual operational workflow, with tooling, escalation paths, and staff training. For security and engineering leads, September 2026 is the deadline that justifies budget conversations now — not after the 2027 full-enforcement date, when the window for orderly implementation will have closed.

What CRA Compliance Actually Requires in Practice

Meeting these obligations requires a technical foundation: you need to know what components are in your products, track which CVEs affect them, and have a way to prioritise what gets fixed first. In practice, this means vulnerability management tooling integrated into your pipeline — not as a compliance checkbox, but as a continuous process that produces a CRA-compliant audit trail. The CRA does not prescribe a specific tool, but it does prescribe the outcome: documented, traceable, repeatable vulnerability handling.

Done well, these processes can also make developers’ day-to-day work less chaotic: fewer emergency patch cycles, actionable alerts instead of raw CVE firehose output, and clear triage priority so the team is fixing what actually matters rather than everything at once.

If you are mapping out what that process needs to look like for your organisation, our upcoming posts will cover the core components of a CRA-ready vulnerability management workflow – including what an SBOM needs to contain, how exploitability scoring works in practice, and where open source tooling fits in.

On April 14th and 15th, Fortinet disclosed 27 new vulnerabilities affecting a wide range of its products. The most severe of the new flaws, CVE-2026-39808 (CVSS 9.8) and CVE-2026-39813 (CVSS 9.8), allow unauthenticated remote code execution (RCE) on the FortiSandbox service. FortiSandbox is Fortinet’s remote sandboxing and malware analysis service, distributed as on-premises hardware appliances, virtual machines (VMs), and hosted cloud services. Together, these two critical CVEs generated several national CERT advisories globally [1][2][3][4][5][6][7][8][9]. A public proof of concept (PoC) for CVE-2026-39808 is available, increasing the risk.

One medium severity CVE from the group, CVE-2025-61624 (CVSS 6.0), was reported by Fortinet as actively exploited, but has not been tracked in CISA’s Known Exploited Vulnerabilities (KEV) list. No details of the attack campaigns or public PoC are available.

Other Fortinet products affected by the recent disclosure include: FortiOS, FortiWeb, FortiClient EMS, FortiDDoS-F, FortiSOAR, FortiManager, FortiSwitch Manager, FortiProxy, FortiPAM, FortiAnalyzer, FortiNDR, and FortiNAC-F. Earlier in April 2026, two other CVEs, CVE-2026-35616 and CVE-2026-21643, affecting FortiClient EMS were disclosed and quickly tagged as actively exploited.

Critical vulnerabilities in FortiSandbox

Greenbone’s OPENVAS ENTERPRISE FEED includes detection coverage for all new Fortinet vulnerabilities described in this report and more. Our ENTERPRISE FEED also provides a dedicated family of tests for Fortinet vulnerabilities, helping defenders to mitigate actively evolving threats.


Start evaluating Greenbone’s flagship product, OPENVAS SCAN. Our entry level enterprise appliance, OPENVAS BASIC, is available for free and includes a two week trial of the OPENVAS ENTERPRISE FEED.


Risk Assessment of New Fortinet CVEs

On April 14th and 15th, Fortinet disclosed 27 new vulnerabilities, including two critical flaws, affecting FortiSandbox. Across the set of new CVEs, FortiOS, FortiWeb, FortiClient EMS, FortiDDoS-F, FortiSOAR, FortiManager, FortiSwitch Manager, FortiProxy, FortiPAM, FortiAnalyzer, FortiNDR, and FortiNAC-F are affected.

The two critical FortiSandbox flaws, CVE-2026-39808 (CVSS 9.8) and CVE-2026-39813 (CVSS 9.8), can be exploited without authentication for RCE. Together, these two critical CVEs generated several national CERT advisories globally [1][2][3][4][5][6][7][8][9], and a public proof of concept (PoC) for CVE-2026-39808 is available, increasing the risk.

Fortinet also reported the active exploitation of CVE-2025-61624 (CVSS 6.0). Since CVE-2025-61624 requires high level local privileges to exploit, its active exploitation indicates that attackers have either gained access to stolen credentials, have exploited other software flaws to gain high level access, or are insiders within the targeted organization.

The most important CVEs from the recently published group are:

  • CVE-2026-39808 (CVSS 9.8) affecting FortiSandbox 4.4.x: Improper neutralization of special elements [CWE-78] allows an unauthenticated attacker to execute unauthorized code or commands via specially crafted HTTP requests. Only FortiSandbox 4.4.0 through 4.4.8 are affected and users should upgrade to 4.4.9 or above. A public proof of concept (PoC) exploit is available, increasing the risk. The OPENVAS ENTERPRISE FEED includes a remote banner version check for CVE-2026-39808 [1].
  • CVE-2026-39813 (CVSS 9.8) affecting FortiSandbox 5.0.x and 4.x: A path traversal flaw [CWE-24] allows an unauthorized attacker to escalate privileges via specially crafted HTTP requests. FortiSandbox 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8 are affected. The OPENVAS ENTERPRISE FEED includes a remote banner version check for CVE-2026-39813 [1].
  • CVE-2025-61624 (CVSS 6.0) affecting FortiOS, FortiPAM, FortiProxy, and FortiSwitch Manager: A path traversal flaw [CWE-22] in the command line interpreter of affected devices allows a privileged attacker to write or delete arbitrary files via specially crafted arguments to existing commands. Since CVE-2025-61624 requires high-level local privileges to exploit, its active exploitation indicates that attackers have either obtained stolen credentials, exploited other software flaws to gain high-level access, or are insiders within the targeted organization. The OPENVAS ENTERPRISE FEED includes a local version check for FortiOS [1] and a remote banner check for FortiProxy [2] covering CVE-2025-61624.
  • CVE-2026-39815 (CVSS 8.8) affecting FortiDDoS-F 7.2.1 through 7.2.2: An SQL injection flaw [CWE-89] allows an authenticated remote attacker to run arbitrary SQL queries on the database via specially crafted HTTP requests. Only FortiDDoS-F 7.2.1 through 7.2.2 are affected. Users should upgrade to 7.2.3 or above. The OPENVAS ENTERPRISE FEED includes a remote banner version check for CVE-2026-39815 [1].
  • CVE-2026-40688 (CVSS 7.2) affecting FortiWeb 8.0, 7.6, and 7.4: An out-of-bounds write vulnerability [CWE-787] allows an authenticated remote attacker to execute arbitrary code or commands via crafted HTTP requests. Fortinet FortiWeb 8.0.0 through 8.0.3, 7.6.0 through 7.6.6, and 7.4.0 through 7.4.11 are affected. The OPENVAS ENTERPRISE FEED includes a remote banner version check for CVE-2026-40688 [1].
  • CVE-2026-39809 (CVSS 6.7) affecting FortiClient EMS 7.4, 7.2, and 7.0: An SQL injection flaw [CWE-89] allows authenticated remote attackers to execute unauthorized code or commands via specially crafted HTTP requests. Fortinet FortiClient EMS 7.4.0 through 7.4.5, FortiClient EMS 7.2.0 through 7.2.12, and all FortiClient EMS 7.0 versions are affected. The OPENVAS ENTERPRISE FEED includes a remote banner version check for CVE-2026-39809 [1].

Fortinet provides a mapping tool for users to determine the recommended upgrade path for their product. A complete list of CVEs for Fortinet products can be found on the vendor’s PSIRT advisories page.

Summary

Fortinet’s April 2026 disclosure introduces broad exposure across multiple product lines, with the most urgent risks centered on two critical FortiSandbox flaws that can enable unauthenticated RCE. Another vulnerability in FortiPAM, FortiProxy and FortiSwitch Manager was reported as actively exploited. Greenbone’s OPENVAS ENTERPRISE FEED covers all newly disclosed Fortinet vulnerabilities mentioned in this report and more, helping defenders identify affected systems and address remediation.

In early April, Cisco announced two critical-severity CVEs along with additional high and medium-severity vulnerabilities. Collectively, the flaws allow authentication bypass, privilege escalation to an Administrator account, unauthenticated remote code execution (RCE) as the root user, information disclosure, and Denial of Service conditions. The two critical flaws are CVE-2026-20160 (CVSS 9.8) affecting Cisco Smart Software Manager On-Prem (SSM On-Prem) and CVE-2026-20093 (CVSS 9.8) affecting Cisco Integrated Management Controller (IMC).

Greenbone’s OPENVAS ENTERPRISE FEED has included vulnerability detection for CVE-2026-20160 and CVE-2026-20093 since their disclosure, helping defenders mitigate these evolving threats. Defenders seeking to detect and protect can try Greenbone’s entry-level OPENVAS BASIC for free, including a two-week trial of the ENTERPRISE FEED.


CVE-2026-20160 and CVE-2026-20093 pose significant threats to enterprise IT. While SSM On-Prem and IMC are both internal network services that are not meant to be publicly exposed, these CVEs may offer adversaries with a covert foothold the opportunity for lateral movement to high-value assets.

Cisco IMC is especially high risk because it is embedded in physical server and edge platforms that often sit close to core enterprise workloads. If an attacker gains administrative access, they may be able to disrupt services, pivot into adjacent networks, or use the compromised device as a staging point to target sensitive internal systems. If a target network is not strictly segmented between departments or if access controls are not tightly limited according to the principle of least privilege, risk is further increased.

Let’s first examine the two new critical-severity CVEs and then some additional CVEs published in early April 2026.

CVE-2026-20160 (CVSS 9.8) Affecting Cisco Smart Software Manager On-Prem (SSM On-Prem)

An exposed internal service allows unauthenticated remote attackers to execute arbitrary commands on the underlying OS with root privileges. CVE-2026-20160 can be exploited via HTTP requests to the exposed service’s API. The flaw is essentially an improper access control that Cisco has classified as “Exposure of Resource to Wrong Sphere” [CWE-668]. Cisco Smart Software Manager On-Prem (SSM On-Prem) versions 9-202502 to 9-202510 are affected.

Cisco SSM On-Prem is an on-premises software license-management server deployed as a virtual machine. SSM On-Prem exposes a web UI on port 8443 for administration and licensing workflows. SSM On-Prem acts as a local Smart Licensing manager for Cisco products, instead of requiring them to connect directly to Cisco’s cloud-hosted Smart Software Manager.

Multiple national CERT advisories have been issued for CVE-2026-20160 [1][2][3][4][5][6][7][8]. However, active exploitation, full technical details, or a public proof of concept (PoC) exploit are not confirmed. The OPENVAS ENTERPRISE FEED includes a remote banner version check to identify affected instances [9]. Users should update to version 9-202601 or later. See Cisco’s official advisory for more information.

CVE-2026-20093 (CVSS 9.8) Affecting Cisco Integrated Management Controller (IMC)

Improper input validation [CWE-20] can lead to authentication bypass during password change requests to the IMC. An attacker could exploit this vulnerability remotely via HTTP requests to alter the passwords of any user on the system (including an Admin user) and gain access to the system as that user.

Cisco IMC is an embedded Baseboard Management Controller (BMC) built into Cisco UCS rack and storage server platforms. The core function of Cisco IMC is out-of-band server management of physical servers when they operate in Standalone Mode via the Redfish RESTful API standard, SNMP, IPMI v2.0, or the Cisco IMC XML API. Multiple Cisco physical server products are affected if they include the Cisco Integrated Management Controller (IMC):

  • 5000 Series Enterprise Network Compute Systems (ENCS)
  • Catalyst 8300 Series Edge uCPE
  • UCS C-Series M5 and M6 Rack Servers in standalone mode
  • UCS E-Series Servers M3
  • UCS E-Series Servers M6

Multiple national CERT advisories have been issued for CVE-2026-20093 [1][2][3][4][5][6][7]. However, active exploitation, full technical details, or a public proof of concept (PoC) exploit are not confirmed. Greenbone’s OPENVAS ENTERPRISE FEED includes an active check [9] and a remote banner version check [10] for devices affected by CVE-2026-20093. See Cisco’s official advisory for more information including a list of fixed releases for affected products.

Other Recent High-Severity Flaws in Cisco Products

Cisco also disclosed several high and medium-severity vulnerabilities that expand the risk posed to enterprise customers. While all of the CVEs below require valid account access to exploit, credential theft is a common tactic used in many sophisticated cyber attacks. If unpatched, these flaws could still result in command execution, privilege escalation, denial of service, or sensitive information exposure.

  • CVE-2026-20094 (CVSS 8.8): A command injection flaw due to improper validation of user-supplied input [CWE-77] allows an authenticated, remote attacker with read-only privileges to execute arbitrary commands on the underlying OS with root privileges. The flaw is exploitable via HTTP requests. The web-based management interface of Cisco IMC and Cisco Enterprise NFVIS version 4.18.x and prior are affected. A full list of affected products and fixed releases are available in Cisco’s official advisory.
  • CVE-2026-20155 (CVSS 8.0): Improper authorization checks [CWE-862] on an API endpoint allow an authenticated, remote attacker with low privileges to access sensitive information without authorization. The flaw affects the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) devices prior to version 8.1.2 for all configurations. More information is available in Cisco’s official advisory.
  • CVE-2026-20151 (CVSS 7.3): Due to the improper transmission of sensitive user information [CWE-201], an attacker can retrieve session credentials from status messages to elevate privileges from a low-level account to admin. SSM On-Prem version 9-202510 and earlier in all configurations are affected. More information is available in Cisco’s official advisory.
  • CVE-2026-20095 (CVSS 6.5): Due to improper validation of user-supplied input, an authenticated remote user can execute arbitrary code or commands [CWE-77] on the underlying OS of an affected system and elevate privileges. The flaw is exploitable via HTTP requests. The web-based management interface of Cisco IMC and Cisco Enterprise NFVIS version 4.18.x and earlier are affected. A full list of affected products and fixed releases are available in Cisco’s official advisory.
  • CVE-2026-20096 (CVSS 6.5): Due to improper validation of user-supplied input, an authenticated remote admin user can execute arbitrary commands [CWE-77] on the underlying OS with root privileges. The flaw is exploitable via HTTP requests. The web-based management interface of Cisco IMC and Cisco Enterprise NFVIS version 4.18.x and prior are affected. A full list of affected products and fixed releases are available in Cisco’s official advisory.
  • CVE-2026-20097 (CVSS 6.5): Due to improper validation of user-supplied input, an authenticated remote admin user can execute arbitrary commands [CWE-77] on the underlying OS with root privileges. The web-based management interface of Cisco IMC and Cisco Enterprise NFVIS version 4.18.x and prior are affected. A full list of affected products and fixed releases are available in Cisco’s official advisory.
  • CVE-2026-20110 (CVSS 6.5): A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to cause a denial of service (DoS) condition. This vulnerability exists because incorrect privileges are associated with the start maintenance command. All versions of Cisco IOS XE Software are affected if the start maintenance command is supported. See Cisco’s official advisory for more information.

Cisco has assigned a Security Impact Rating (SIR) of High to CVE-2026-20095, CVE-2026-20096, and CVE-2026-20097, which is above their CVSS ranking of Medium, because additional security implications apply if an attacker gains root-level access. The OPENVAS ENTERPRISE FEED includes detection tests for all aforementioned CVEs [1][2][3][4][5].

Summary

Cisco’s early April 2026 security disclosures indicate elevated risk across several products. This includes the vendor’s SSM On-Prem license management server and Cisco Integrated Management Controller (IMC), which impacts a wide array of physical hardware products, including Cisco UCS rack and storage server platforms. The most severe new flaws enable authentication bypass and unauthenticated RCE as the root user.

Although public exploitation has not been confirmed, the affected systems are high-value internal assets that represent attractive targets for advanced persistent threat (APT) actors. Organizations should verify exposure to these and other software vulnerabilities and prioritize patching. Defenders seeking to detect and protect can try Greenbone’s entry-level OPENVAS BASIC for free, including a two-week trial of the ENTERPRISE FEED.

Fortinet FortiClient EMS faces immediate risk from two critical-severity CVEs: CVE-2026-35616 in versions 7.4.5-7.4.6 and CVE-2026-21643 in 7.4.4. CVE-2026-35616 (CVSS 9.8) is an actively exploited vulnerability in Fortinet FortiClient Enterprise Management Server (EMS) 7.4.5 through 7.4.6, published on April 4, 2026. The flaw is an improper access control [CWE-284] that can be exploited for unauthenticated remote code execution (RCE). An attacker exploiting CVE-2026-35616 may execute unauthorized code or commands through maliciously crafted HTTP requests. Because it was disclosed over the holidays, only a few national CERT alerts have so far been issued for CVE-2026-35616 [1][2]. CVE-2026-21643 is the second actively exploited flaw identified in Fortinet FortiClient EMS in recent weeks. Defused Cyber recently detected campaigns attacking CVE-2026-21643 (CVSS 9.8), which also affects Fortinet FortiClient EMS.

Greenbone’s OPENVAS ENTERPRISE FEED includes separate remote banner checks for CVE-2026-35616 [3] and CVE-2026-21643 [4] and provides a dedicated family of tests for Fortinet vulnerabilities, allowing defenders to mitigate actively evolving threats.

CVE-2026-35616 and CVE-2026-21643: Fortinet EMS Actively Exploited

FortiClient EMS is Fortinet’s central management server for deploying, configuring, updating, and monitoring FortiClient enabled endpoints across enterprise environments. In security operations, FortiClient EMS helps enforce endpoint security policies, maintain visibility into device posture and compliance, and coordinate endpoint controls with the broader Fortinet ecosystem.



Risk Assessment for CVE-2026-35616

Active exploitation of CVE-2026-21643 (CVSS 9.8) was acknowledged in Fortinet’s security advisory (FG-IR-26-099) on April 4th. Defused Cyber is credited with detection of zero-day active attacks and responsible disclosure to the vendor. Watchtowr Labs has also reported detecting attacks since March 31, 2026. CVE-2026-35616 was added to CISA’s KEV catalog on April 6th and an aggressive patch deadline of April 9th was set for U.S. federal agencies.

No specific technical analysis, proof-of-concept (PoC) exploit, or attack campaign details are publicly available for CVE-2026-35616. The risk is elevated because the CVE was exploited as a zero-day, showing that adversaries have already developed exploit tooling. The Shadowserver dashboard indicates ~2,000 exposed FortiClient EMS instances remain reachable on the internet; however, this may include honeypot devices.

Risk Assessment for CVE-2026-21643

CVE-2026-21643 (CVSS 9.8) was introduced during Fortinet’s refactor of the database connection layer in version 7.4.4 and quickly patched in version 7.4.5. In recent weeks, Defused Cyber reported campaigns attacking CVE-2026-21643, which also affects Fortinet FortiClient EMS. Covered briefly in our March 2026 Threat Report, CVE-2026-21643 is an SQL injection flaw [CWE-89] potentially leading to unauthenticated RCE via specially crafted HTTP requests. Numerous national CERT alerts have been issued [5][6][7][8][9][10][11][12][13][14][15][16][17]. CVE-2026-21643 has not yet been added to CISA’s KEV list.

A technical root-cause analysis for CVE-2026-21643 has been published, enabling rapid exploit development. According to the analysis, exploitability depends on the multitenancy feature being enabled via the SITES_ENABLED=True configuration. If multitenancy is disabled, the middleware vdom is hardcoded and does not read the attacker-controlled Site header; the vulnerable path remains present but is effectively unreachable.

Mitigating CVE-2026-35616 and CVE-2026-21643 in Fortinet FortiClient EMS

Fortinet’s advisory states that only FortiClient EMS 7.4.5 through 7.4.6 are affected; FortiClient EMS 7.2 is not affected. The immediate mitigation for CVE-2026-35616 is to apply the appropriate emergency hotfix listed in Fortinet’s official advisory for FortiClient EMS 7.4.5 or 7.4.6. Applying the hotfix does not require system downtime.

While CVE-2026-35616 affects versions 7.4.5 through 7.4.6, CVE-2026-21643 affects the earlier 7.4.4 and is mitigated by upgrading to 7.4.5 or later. Instances on earlier versions should first upgrade to at least 7.4.5 and then apply the appropriate hotfix.

According to Fortinet, FortiClient EMS version 7.4.7 will also include the fix for this issue when it is released. Greenbone’s OPENVAS ENTERPRISE FEED includes separate remote banner checks for CVE-2026-35616 [3] and CVE-2026-21643 [4] and provides a dedicated family of tests for Fortinet vulnerabilities, allowing defenders to detect and mitigate actively evolving threats.

Summary

Fortinet FortiClient EMS faces immediate risk from two critical, actively exploited vulnerabilities: CVE-2026-35616 in versions 7.4.5-7.4.6 and CVE-2026-21643 in version 7.4.4. Organizations should urgently identify exposed EMS servers, upgrade affected installations, and apply Fortinet’s emergency hotfixes without delay. Greenbone’s OPENVAS ENTERPRISE FEED can help defenders detect vulnerable systems and prioritize remediation.

This month exposed new cyber security risks at all levels of enterprise IT infrastructure. New critical vulnerability exposure emerged in perimeter networking gear and core network appliances. Other risks included actively exploited flaws in major browsers, enterprise email clients, agentic workflow platforms, core OS components, and virtually every other aspect of the enterprise IT ecosystem. In 2026, hunting for new vulnerabilities regularly is a fundamental cyber security activity and an essential component of an Exposure Management approach to cybersecurity.


Defenders seeking to detect and protect can try Greenbone’s OPENVAS BASIC for free, including a two-week trial of the OPENVAS ENTERPRISE FEED.

CitrixBleed 3: Memory Leak in Citrix Netscaler ADC and Gateway Actively Exploited

CVE-2026-3055 (CVSS 9.3) is a memory disclosure flaw that is exploitable remotely and without authentication. The root cause is insufficient input validation allowing out-of-bounds memory read access [CWE-125]. The flaw affects NetScaler ADC and NetScaler Gateway appliances configured as a SAML Identity Provider (IDP), reported to be a common single-sign-on (SSO) configuration.

Active reconnaissance for authentication methods in the /cgi/GetAuthMethods endpoint was reported 3 days post-disclosure. On March 30th, CVE-2026-3055 was added to CISA’s KEV list and was reported as actively exploited by other sources. A full technical analysis with exploit code has been published. The flaw resembles previous memory leak flaws affecting Netscaler ADC and Gateway, dubbed CitrixBleed and CitrixBleed 2, whose use for initial access is well documented [1][2][3][4]. Several national cyber security agencies have issued alerts for the new CVEs [5][6][7][8][9][10][11][12][13][14][15][16][17][18].

Citrix reported another high severity flaw in the same report. CVE-2026-4368 (CVSS 7.7) is a race condition bug that can cause user session mix-up on gateway or AAA virtual server configurations. See the official security advisory for more information, including affected versions for both new CVEs. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner check to identify appliances that are potentially vulnerable to CVE-2026-3055 [19] and a similar check for CVE-2026-4368 [20].

SharePoint Actively Exploited, RegPwn, and Other Emerging Microsoft Risks

CVE-2026-20963 (CVSS 8.8, EPSS ≥ 91st pctl) affecting Microsoft SharePoint and published in January 2026, was added to CISA’s KEV list in March. The flaw is caused by improper deserialization of untrusted data [CWE-502] and could allow arbitrary remote code execution (RCE) to an authenticated attacker. The vulnerability attracted global attention from national CERT agencies [1][2][3][4][5][6][7][8][9][10][11]. Greenbone’s OPENVAS ENTERPRISE FEED includes detection for Microsoft SharePoint Server 2019 and Microsoft SharePoint Enterprise Server 2016 [12][13].

Other high-profile risks affecting Microsoft products in March 2026 include:

  • CVE-2026-24291 (CVSS 7.8): An incorrect permission assignment for a critical resource [CWE-732] in Windows Accessibility Infrastructure (ATBroker.exe) allows an authorized local attacker to elevate privileges and modify Windows Registry keys. Dubbed RegPwn, full technical descriptions [14][15] and proof-of-concept (PoC) exploit code are publicly available, increasing risk. The OPENVAS ENTERPRISE FEED includes registry checks for vulnerability detection across Windows OS versions.
  • CVE-2026-26110 (CVSS 7.8): A type confusion flaw [CWE-843] in Microsoft Office allows an unauthorized local attacker to execute arbitrary code with high-level privileges. The OPENVAS ENTERPRISE FEED includes package version detection for Windows and macOS versions of Microsoft Office [16][17].
  • CVE-2026-26113 (CVSS 7.8): An untrusted pointer dereference vulnerability [CWE-822] in Microsoft Office allows an unauthorized local attacker to execute arbitrary code with high-level privileges. The OPENVAS ENTERPRISE FEED includes package version detection for Windows and macOS versions of Microsoft Office [16][17] and SharePoint for Windows [18][19].

CVE-2026-33017: Langflow API Actively Exploited for Unauthenticated RCE

CVE-2026-33017 (CVSS 9.8, EPSS ≥ 90th pctl) is an unauthenticated RCE flaw that can be exploited via a malicious HTTP request. The CVE affects any network-exposed Langflow instance prior to version 1.9.0. CVE-2026-33017 has been reported as actively exploited by multiple sources [1][2]. Several technical analyses [2][3][4] and public PoC exploits [3] exist, increasing the risk. Multiple CERT alerts have been issued globally [5][6][7][8][9].

Langflow is an open-source “low-code” platform for building, testing, and deploying agentic AI and LLM-enabled workflows. The flaw exists in Langflow’s API endpoint for building public flows. By design, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without authentication. The official Langflow API documentation states that Build Public Tmp only works for workflows marked as public in the database. The vulnerability arises when the optional data parameter is supplied: Langflow uses attacker-controlled flow code, which may contain arbitrary Python code, instead of the stored code from the database. This code is passed to exec() without sandboxing, resulting in unauthenticated RCE.

The OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable instances of Langflow. Users should upgrade to version 1.9.0.

Living On The Edge: Perimeter Security Risks Emerging in March 2026

Exploitation of perimeter networking devices has been consistently measured as a top initial-access vector in cyber breaches. New vulnerabilities affecting key perimeter devices are published continuously and defenders need to be able to detect and patch these exposed entry points reliably. Here are several high-risk vulnerabilities affecting perimeter networking devices that emerged in March 2026:

New Cisco Firewall Flaws Ignite Perimeter Risk

Cisco published a group of 48 CVEs affecting its firewall product line, including two critical CVSS 10 vulnerabilities. One of these, CVE-2026-20131, was soon added to CISA’s KEV list. Active exploitation was also confirmed by Cisco. Ransomware attacks exploiting CVE-2026-20131 have been attributed to the Interlock threat actor. Numerous national CERT advisories have been issued globally [1][2][3][4][5][6][7][8][9][10][11][12][13][14].

Greenbone’s OPENVAS ENTERPRISE FEED includes detection tests for all 48 CVEs disclosed in Cisco’s security advisory, and a family of tests dedicated to Cisco software flaws. Users are advised to identify affected products in their network, apply patches immediately, and conduct breach assessments by hunting for any indicators of compromise (IoCs) [15]. The highest risk CVEs from the group are described below:

  • CVE-2026-20131 (CVSS 10, EPSS 71st pctl): Insecure deserialization [CWE-502] of a user-supplied Java byte stream allows unauthenticated Java RCE with root privileges. The flaw affects the web-based management interface of Cisco Secure Firewall Management Center (FMC). If the FMC management interface is not internet accessible, the attack surface is significantly reduced.
  • CVE-2026-20079 (CVSS 10, EPSS 90th pctl): A flawed system process created at boot time allows a remote attacker to bypass authentication [CWE-288] via crafted HTTP requests and execute script files. This may allow an attacker to obtain root privileges on the underlying OS. A full technical analysis and PoC exploit code are publicly available, increasing the risk. CVE-2026-20079 affects the web interface of Cisco Secure FMC.

CVE-2026-22557: CVSS 10 Unauthenticated Account Takeover on Ubiquiti UniFi Network Application

CVE-2026-22557 (CVSS 10) allows unauthorized account takeover through a path-traversal flaw [CWE-22] that lets attackers manipulate files on the underlying system. Public technical details are available and researchers assess that automated exploitation is trivial. Risk is also elevated because Ubiquiti network products are widely used. Multiple national CERT agencies have issued alerts globally [1][2][3][4][5].

Another CVE published in the same vendor advisory imposes additional high risk:

  • CVE-2026-22559 (CVSS 8.8): An input validation flaw that is exploitable via social engineering if an attacker can trick a victim with network access to a Ubiquiti UniFi Network Application web interface into clicking a malicious link.

CVE-2026-22557 affects Ubiquiti UniFi Network Application version 10.1.85 and earlier, Release Candidate 10.2.93 and earlier, and UniFi Express version 9.0.114 and earlier. OPENVAS ENTERPRISE FEED includes a remote banner check to identify affected instances. Mitigation instructions for both aforementioned CVEs are available on the vendor’s official security advisory.

Other Notable Security Risks Affecting Perimeter Networking Devices

Other emerging threats to perimeter networking devices in March 2026 include:

F5 BIG-IP APM Access Policy

Update April 6th, 2026
On March 28th, 2026, CVE-2025-53521 (CVSS 9.8), described below, was reclassified by the vendor F5 to indicate a Remote Code Execution (RCE) impact rather than only a Denial of Service (DoS) impact, significantly increasing the risk to potential victims.

CVE-2025-53521 (CVSS 7.5) is an actively exploited flaw that allows attackers to trigger Denial of Service (DoS) on F5 BIG-IP if an APM Access Policy is configured on a virtual server. National CERT agencies have issued alerts [1][2][3][4][5][6][7][8][9][10][11][12][13][14]. The OPENVAS ENTERPRISE FEED provides package-level detection for CVE-2025-53521 and a dedicated family of F5 security checks.

Juniper Networks Junos OS Evolved on PTX Series

CVE-2026-21902 (CVSS 9.8) is an Incorrect Permission Assignment for Critical Resource flaw [CWE-732] that allows unauthenticated RCE as root. CVE-2026-21902 affects the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX Series. The On-Box Anomaly detection framework is enabled by default. This flaw affects all PTX Series 25.4 versions before 25.4R1-S1-EVO and 25.4R2-EVO. This issue does not affect Junos OS Evolved versions before 25.4R1-EVO or Junos OS. A detailed technical description is publicly available, reducing the burden for exploit development. Numerous national CERT agencies have published alerts [1][2][3][4][5][6][7][8][9][10][11]. The OPENVAS ENTERPRISE FEED includes an active check, a remote banner check, and a dedicated family of authenticated security checks for Junos OS. See the vendor’s official advisory for more information.

Critical and High-Severity Flaws in HPE Aruba Networking Products

Hewlett-Packard Enterprise (HPE) published an advisory on March 10th, disclosing one critical and three high-severity CVEs in their Aruba networking AOS-CX switches. Multiple national CERT advisories were issued globally for the group of vulnerabilities [1][2][3][4][5][6][7][8][9][10][11][12]. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner check for all CVEs disclosed in the advisory, which are described below. Users are strongly encouraged to identify any vulnerable AOS-CX appliances in their environment and update to the most recent version.

  • CVE-2026-23813 (CVSS 9.8): An improper authentication flaw [CWE-287] in the web-based management interface of AOS-CX switches allows an unauthenticated remote attacker to circumvent existing authentication controls, including resetting the admin password.
  • CVE-2026-23814 (CVSS 8.8): A command injection flaw [CWE-77] affecting the parameters of certain AOS-CX command-line interface (CLI) commands could allow an authenticated low-privilege remote attacker to inject malicious commands.
  • CVE-2026-23815 (CVSS 7.2): A command injection flaw [CWE-77] in a custom binary used in the AOS-CX CLI could allow an authenticated remote attacker with high privileges to execute unauthorized commands.
  • CVE-2026-23816 (CVSS 7.2): A command injection flaw [CWE-77] in the command line interface of AOS-CX switches could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.
  • CVE-2026-23817 (CVSS 6.5): A vulnerability in the web-based management interface of AOS-CX switches could allow an unauthenticated remote attacker to redirect users to an arbitrary URL [CWE-601].

A Spotlight on Shadow IT: OpenClaw (Clawd/Moltbot) AI Agent

OpenClaw (previously Clawd and Moltbot) is an open-source agentic AI assistant that can execute system-level tasks on behalf of a human user. OpenClaw’s capabilities include sending email, reading and writing files, and interacting with web services and APIs. The software was originally released as Clawd in November 2025, was rebranded to Moltbot in early 2026, and then rebranded again to OpenClaw [1].

Despite OpenClaw’s rise in popularity, criticism from the security community has been harsh [2][3][4][5]. Germany’s BSI listed over 60 vulnerabilities, and since its release, over 200 CVEs have been issued for the popular but unstable AI agent, including 32 critical severity CVEs released in March 2026 alone. The most severe of the vulnerabilities allow unauthenticated RCE in the OpenClaw context. National CERT alerts have been issued for the product [1][2][3].

Considering the operational risks of unauthorized access and data exposure that OpenClaw poses to organizations, it should be banned from use. The OPENVAS ENTERPRISE FEED includes remote and local authenticated product detection for OpenClaw. Security teams can set alerts to notify them if OpenClaw is detected within their network.

Unauthenticated RCE in Wazuh Manager via Cluster Mode Worker Nodes

CVE-2026-25769 (CVSS 9.1) is an RCE flaw that allows an authorized attacker with access to a cluster worker node to execute code on the master node as root. The root cause is flawed deserialization of untrusted data [CWE-502]. Risk is elevated because successful compromise of any worker in cluster mode can lead to full root-level compromise of the master node. A full technical analysis and PoC exploit kit are publicly available for CVE-2026-25769, lowering the barrier for attackers. Several national CERT agencies have issued alerts [1][2][3].

Five other CVEs were included in the disclosure by Wazuh, including one additional critical severity flaw: CVE-2025-30201 (CVSS 9.1) allows authenticated attackers to force NTLM authentication through malicious UNC paths via agent configuration settings, potentially leading to NTLM relay attacks [CWE-294] for privilege escalation and RCE. Technical details and a PoC exploit are publicly available online.

The newly disclosed CVEs affect various version ranges of Wazuh Manager, but all require patching to version 4.14.3 or higher. The OPENVAS ENTERPRISE FEED includes detection for all aforementioned CVEs [1][2][3][4], and prior vulnerabilities affecting Wazuh. Users should consult Wazuh’s security advisories for specific details on each vulnerability.

n8n Agentic Workflow Platform Exposes New Critical Flaws

In recent months numerous critical and high-severity vulnerabilities have been exposed in the popular agentic workflow platform n8n. Attackers are starting to take advantage; on March 11th, 2026, CVE-2025-68613 (CVSS 8.8) was added to CISA’s KEV list. CVE-2025-68613 and other n8n flaws were covered in Part 2 of the January 2026 Threat Report.

Flawed expression evaluation has been a common cause of vulnerabilities. n8n expressions are specially formatted strings that allow dynamic manipulation of data for batch processing tasks, among other use cases. The highest-risk CVEs affecting n8n that emerged in March 2026 include:

  • CVE-2026-27495 (CVSS 9.9): An authenticated user with workflow permissions can exploit a vulnerability in the JavaScript Task Runner to execute arbitrary code outside the sandbox boundary. On instances using the default internal Task Runners this could result in full compromise of the n8n host. Exploitability depends on Task Runners being enabled with the N8N_RUNNERS_ENABLED=true setting.
  • CVE-2026-27577 (CVSS 9.9): An authenticated user with workflow permissions can abuse crafted expression parameters to trigger unintended command execution on the n8n host. This flaw allows bypass of security measures put in place to restrict command execution capabilities.
  • CVE-2026-33696 (CVSS 8.8): An authenticated user with workflow permissions can exploit a prototype pollution vulnerability in the XML and GSuiteAdmin nodes. By supplying crafted parameters as part of node configuration, an attacker could write attacker-controlled values onto `Object.prototype` and achieve RCE.
  • CVE-2026-33660 (CVSS 9.4): An authenticated user with workflow permissions can use the Merge node’s “Combine by SQL” mode to read local files on the n8n host and achieve RCE.

The OPENVAS ENTERPRISE FEED includes detection for all CVEs mentioned above [1][2][3][4] and other known n8n flaws. Each flaw affects various v1.x and v2.x instances of n8n. In many cases, if patches cannot be applied immediately, system administrators may disable affected nodes using the NODES_EXCLUDE environment variable. However, there are no workarounds offering full mitigation for any of the CVEs. Mitigation depends on updating to the latest version of n8n. See n8n’s security advisories for a complete list of vulnerabilities with descriptions.

Other Notable Critical Risk CVEs Emerging in March 2026

Let’s wrap up this month’s threat report with a quick-fire list of other emerging threats in March 2026:

CVE-2026-3564 (CVSS 9.0) in ConnectWise ScreenConnect prior to version 26.1

An attacker with access to configuration files can extract a device’s machine key and use it for session authentication. ScreenConnect is a remote support and remote access platform that lets IT staff securely connect to attended or unattended devices. Several national CERT alerts have been issued [1][2][3]. The OPENVAS ENTERPRISE FEED includes a remote banner check to identify affected instances.

CVE-2026-27944 (CVSS 9.8) in Nginx UI prior to v2.3.3

An unauthenticated remote attacker can download a full backup of the underlying system containing sensitive data, including user credentials, session tokens, SSL private keys, and Nginx server configurations. The flaw is due to the /api/backup endpoint being accessible without authentication and disclosing the encryption keys to decrypt the backup. Full technical analysis and PoC exploits are publicly available [1][2] and several national CERT alerts have been issued [3][4][5][6][7][8]. Nginx UI is a web user interface for the Nginx web server. The OPENVAS ENTERPRISE FEED includes an active check to identify affected instances.

CVE-2025-66168 (CVSS 8.8) in Apache ActiveMQ Message Broker

An integer overflow flaw [CWE-190] results in failure to properly validate the MQTT control packet’s remaining length field. Exploitation may lead to unexpected behavior including Denial of Service (DoS). The OPENVAS ENTERPRISE FEED includes a remote banner check to identify affected Apache ActiveMQ instances. See the vendor’s announcement for more details.
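The MQTT fixed header carries a Remaining Length field encoded as a variable-length integer of one to four bytes: each byte contributes 7 data bits and uses the high bit as a continuation flag, so the largest encodable value is 268,435,455. A broker that keeps consuming continuation bytes, or trusts the decoded value when sizing a buffer, is exposed to exactly the overflow class described above. The following decoder is an added example (not Apache ActiveMQ code and not the vendor’s fix) showing the checks a defender would expect at this parsing step; the `max_packet_size` cap is an assumed broker policy value, and the sample packets are constructed for illustration.

```python
"""Bounds-checked decoder for the MQTT fixed-header Remaining Length field.

Added example, not Apache ActiveMQ code. It enforces the MQTT encoding
rules (at most 4 bytes, continuation bit 0x80, maximum 268,435,455) and a
configured packet-size cap before any payload buffer would be allocated.
"""

MAX_REMAINING_LENGTH = 268_435_455  # 0xFF 0xFF 0xFF 0x7F, the spec maximum
MAX_LENGTH_BYTES = 4


class MalformedPacket(ValueError):
    """Raised when a fixed header violates the MQTT encoding rules."""


def decode_remaining_length(buf: bytes, offset: int = 1) -> tuple:
    """Decode Remaining Length starting at buf[offset].

    Returns (remaining_length, bytes_consumed). Truncated input and encodings
    longer than 4 bytes are rejected instead of being looped over.
    """
    value = 0
    multiplier = 1
    consumed = 0
    while True:
        pos = offset + consumed
        if pos >= len(buf):
            raise MalformedPacket("truncated Remaining Length")
        byte = buf[pos]
        consumed += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            break
        if consumed == MAX_LENGTH_BYTES:
            # A 4th byte with the continuation bit set is not a valid encoding.
            raise MalformedPacket("Remaining Length exceeds 4 bytes")
        multiplier *= 128
    # Cannot trigger for a well-formed 4-byte value; kept as a defensive check.
    if value > MAX_REMAINING_LENGTH:
        raise MalformedPacket("Remaining Length above spec maximum")
    return value, consumed


def encode_remaining_length(value: int) -> bytes:
    """Inverse of decode_remaining_length, used here to build sample packets."""
    if not 0 <= value <= MAX_REMAINING_LENGTH:
        raise ValueError("value out of range")
    out = bytearray()
    while True:
        byte = value % 128
        value //= 128
        if value:
            byte |= 0x80
        out.append(byte)
        if not value:
            return bytes(out)


def parse_fixed_header(buf: bytes, max_packet_size: int) -> dict:
    """Parse control-packet type, flags and Remaining Length from buf.

    max_packet_size is an assumed broker-side cap (MQTT 5 calls this Maximum
    Packet Size); declared sizes above it are refused before allocation.
    """
    if len(buf) < 2:
        raise MalformedPacket("fixed header needs at least 2 bytes")
    packet_type = buf[0] >> 4
    flags = buf[0] & 0x0F
    remaining, consumed = decode_remaining_length(buf, 1)
    header_len = 1 + consumed
    if header_len + remaining > max_packet_size:
        raise MalformedPacket("declared packet size above configured maximum")
    return {
        "type": packet_type,
        "flags": flags,
        "remaining_length": remaining,
        "header_length": header_len,
    }


def demo() -> dict:
    """Run constructed sample headers through the parser and report outcomes."""
    results = {}
    # Constructed CONNECT fixed header: type 1, Remaining Length 12.
    results["connect"] = parse_fixed_header(b"\x10\x0c", max_packet_size=1024)
    # Constructed PUBLISH header with a 3-byte Remaining Length of 16,384.
    publish = b"\x30" + encode_remaining_length(16_384)
    results["publish_len"] = parse_fixed_header(publish, 1 << 20)["remaining_length"]
    # Constructed malformed header: every length byte has the continuation bit set.
    try:
        parse_fixed_header(b"\x30\xff\xff\xff\xff\xff", 1 << 20)
        results["overlong"] = "accepted"
    except MalformedPacket as exc:
        results["overlong"] = str(exc)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The two checks that matter are the hard stop at four length bytes and the comparison of the declared size against a configured cap before anything is allocated; together they make the decoded value safe to use for buffer sizing regardless of what the peer sends.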

CVE-2026-1603 (CVSS 7.3, EPSS 65th pctl) in Ivanti Endpoint Manager prior to 2024 SU5

A new actively exploited authentication bypass vulnerability [CWE-288] could be exploited to leak credential data from Ivanti Endpoint Manager devices before version 2024 SU5. The OPENVAS ENTERPRISE FEED includes a remote banner check to detect CVE-2026-1603 and CVE-2026-1602 (CVSS 6.5). The two CVEs were disclosed in February 2026, and patches are available from Ivanti’s security advisory. No PoC exploit or detailed technical analysis are publicly available.

CVE-2026-21643 (CVSS 9.8) in FortiClientEMS v7.4.x prior to v7.4.5

Update April 6th, 2026
Attacks exploiting CVE-2026-21643 (CVSS 9.8), described below, were reported by Defused Cyber. However, CVE-2026-21643 has not been added to CISA’s KEV list as of April 6th, 2026.

An improper neutralization of special elements allows SQL injection [CWE-89] in Fortinet FortiClientEMS 7.4.x prior to v7.4.5. Exploitation can lead to unauthenticated RCE via specifically crafted HTTP requests. A technical root-cause analysis has been published potentially enabling rapid exploit development. Numerous national CERT alerts have been issued [1][2][3][4][5][6][7][8][9][10][11][12][13]. The OPENVAS ENTERPRISE FEED provides a remote banner check for CVE-2026-21643. Update to version 7.4.5 or later. See Fortinet’s official advisory for more information.

Summary

March 2026 brought new cyber risk at all levels of enterprise IT infrastructure. Perimeter networking gear and network appliances were hit especially hard. Other emerging threats included actively exploited flaws in major browsers, enterprise email clients, agentic workflow platforms, core OS components, and virtually every other aspect of the enterprise IT ecosystem. In 2026, hunting for new vulnerabilities regularly is a fundamental cyber security activity, and an essential component of an Exposure Management approach to cybersecurity.


On March 12th, 2026, Veeam published two security advisories containing seven critical and one high-severity vulnerability in its Backup & Replication server. The flaws cumulatively affect the version 12 and 13 builds. Although there are no reports of active exploitation or public proof-of-concept (PoC) exploits available yet, Veeam has appeared on CISA’s Known Exploited Vulnerabilities (KEV) list four times since late 2022, each instance associated with ransomware attacks [1][2][3]. Veeam and other enterprise backup systems are typically high-value targets for ransomware operators due to their role in securing critical data. Several national CERT alerts have been issued globally for the new CVEs [4][5][6][7][8][9][10].

Greenbone’s OPENVAS ENTERPRISE FEED includes remote banner checks for all CVEs referenced in the new advisories [11][12] and provides consistent detection for vulnerabilities affecting Veeam Backup & Replication [13][14][15][16]. Defenders seeking to detect and protect can try Greenbone’s flagship OPENVAS BASIC for free, including a two-week trial of the OPENVAS ENTERPRISE FEED.

7 Critical Vulnerabilities in Veeam Backup & Replication

8 New CVEs Impacting Veeam Backup & Replication

All the newly disclosed vulnerabilities require user authentication to exploit. However, attackers with stolen credentials [TA0006] or malicious insiders could exploit these flaws. According to IBM’s 2025 Threat Intelligence Index, nearly half of all cyber attacks resulted in stolen data or credentials, and identity abuse was tied with exploitation of public-facing applications as the most common entry point. IBM’s report also revealed an 84% increase in emails delivering infostealers in 2024.

Each new flaw affects version 12 and/or version 13 builds of Veeam Backup & Replication server. One of the group, CVE-2026-21672, affects only Windows-based instances; the rest affect both Windows and Linux builds. The 8 new vulnerabilities were disclosed by the vendor in two separate advisories [17][18]. However, technical details have not been published for any of the alerted CVEs.


The CVEs are described below, along with the impact and affected products:

CVE ID | CVSS | Impact | Affected Products
--- | --- | --- | ---
CVE-2026-21708 | 9.9 | A user with Backup Viewer permissions can perform remote code execution (RCE) as the postgres user | ≤ v12.3.2.4165 of v12 builds; ≤ v13.0.1.1071 of v13 builds
CVE-2026-21666 | 9.9 | An authenticated domain user can perform RCE on the Backup Server | ≤ v12.3.2.4165 of v12 builds
CVE-2026-21667 | 9.9 | An authenticated domain user can perform RCE on the Backup Server | ≤ v12.3.2.4165 of v12 builds
CVE-2026-21669 | 9.9 | An authenticated domain user can perform RCE on the Backup Server | ≤ v13.0.1.1071 of v13 builds
CVE-2026-21668 | 8.8 | An authenticated domain user can bypass restrictions and manipulate arbitrary files on a Backup Repository | ≤ v12.3.2.4165 of v12 builds
CVE-2026-21672 | 8.8 | Allows local privilege escalation on Windows-based Veeam Backup & Replication servers | ≤ v12.3.2.4165 of v12 builds for Windows; ≤ v13.0.1.1071 of v13 builds for Windows
CVE-2026-21671 | 9.1 | An authenticated user with the Backup Administrator role can perform RCE in high availability (HA) deployments of Veeam Backup & Replication | v13.0.1.1071 and earlier v13 builds of Veeam Backup & Replication servers
CVE-2026-21670 | 7.7 | Allows a low-privileged user to extract saved SSH credentials | v13.0.1.1071 and earlier v13 builds of Veeam Backup & Replication servers

Mitigation of New Veeam Backup & Replication CVEs

No workarounds have been published for any of the aforementioned vulnerabilities. Organizations running affected Veeam Backup & Replication servers should apply the vendor’s fixed builds as soon as possible:

  • Version 12 users should upgrade to 12.3.2.4465 or later
  • Version 13 users should upgrade to 13.0.1.2067 or later

All earlier version 12 or 13 builds should be treated as vulnerable. Defenders should also evaluate their credential security to strengthen their protection against software flaws that require authentication to exploit. Stolen credentials, overprivileged accounts, and exposed administrative access increase the risk of compromise.

Summary

Veeam has disclosed eight new vulnerabilities in its Backup & Replication product, including seven critical flaws affecting version 12 and 13 builds. Although no active exploitation has been reported, backup platforms remain frequent ransomware targets. Because no workarounds are available, affected organizations should patch immediately to version 12.3.2.4465 or 13.0.1.2067 and take steps to strengthen credential security.

Greenbone’s OPENVAS ENTERPRISE FEED includes remote banner checks for all CVEs in the new advisories [8][9] and provides consistent detection for vulnerabilities affecting Veeam Backup & Replication [13][14][15][16]. Defenders seeking to detect and protect can try Greenbone’s flagship OPENVAS BASIC for free, including a two-week trial of the OPENVAS ENTERPRISE FEED.

 


A field report on open source, competition, enforcement of rights, and the question of how to defend a fair and sustainable open source ecosystem.

Summary

This report describes a real case of misuse of open source software using the example of OPENVAS, the open source vulnerability management system we developed. A market participant had systematically integrated open-source code and data into its own products in violation of license and copyright laws and passed them off as its own work. Here, we report on the technical, forensic, and legal steps that were necessary to prove the misuse and effectively stop it, including warning letters, preliminary injunctions, and the involvement of platform operators. Special attention is paid to a case that was successfully brought in Germany for the first time to enforce the Open Database License (ODbL). The article is aimed at open-source developers, companies, and users and shows the requirements and costs associated with enforcing open source licenses—and why their consistent defense is crucial for a fair and sustainable open source ecosystem.

An in-depth analysis from a legal perspective has been published by IFROSS.

The peacocks and the crow in IT security

The Peacocks and the Crow

Fab. Aesop. 188. Phaedrus lib. I. Fab. 3.

A proud crow adorned itself with the colorful feathers of the peacocks and, when it believed itself to be sufficiently adorned, boldly mingled with these splendid birds of Juno.
It was recognized, and quickly the peacocks fell upon it with their sharp beaks to tear off its deceitful finery.
“Stop!” it finally cried, “you all have your feathers back now.” But the peacocks, some of whom had noticed the crow’s own shiny wing feathers, replied:
“Be quiet, you poor fool, these cannot be yours either!” – and continued to peck at it.

When software vendors want to adorn themselves with borrowed plumes, open source is an easy source. Of course, this is not compatible with open source licenses, but who cares? “What’s the worst that could happen?” some seem to say, even building their own business models on the work of others, which they then pass off as their own. Anyone who wants to fight back has a long road ahead of them and will have many interesting and not always pleasant experiences along the way. We did that, and here is our report.

With OPENVAS, we produce a globally popular and widely used open source vulnerability management system. Our project automates the search for security vulnerabilities in IT systems. We have around 200,000 tests to find security vulnerabilities, plus scanners to run them and applications to control the entire process from scanning to reporting. We provide an open source solution free of charge, as well as additional modules and services for our paying customers. This allows us to finance ourselves and also make the solution available to the community free of charge. What we do makes us at least competitive with our proprietary competitors (large international providers, mostly from the US), and in some cases even better. This also makes our code an attractive target.

We know many small providers around the world who offer their own products based on our open source solution. Larger ones sign contracts with us. Many comply with the licenses, others do not. Of course, this annoys us, but on the other hand, we prefer to put our energy into our project rather than engage in legal disputes somewhere in the world. But if a competitor goes too far, we take action. “Going too far” means changing copyright notices in our code and replacing our name with their own company name, ignoring attribution requirements, and violating open source licenses.

We have just successfully pursued such a case. We believe that the story is interesting for various groups: for open source developers, projects and companies, for people interested in legal issues (after all, we have set a legal precedent along the way – more on that later), and also for users of open source products and projects who are interested in the security of their supply chain.

There are essentially five things you need to successfully defend yourself against misuse: time, money, expertise, strong nerves, and a lot of patience. Expertise includes legal expertise, which means a good lawyer who is familiar with open source licenses. Of course, the jurisdiction in which you want to defend yourself is also a decisive factor, as you will always prefer the country in which your company is based, because this has several advantages that are also reflected in the costs. The law under which the case is heard is important. If you want to defend yourself internationally, you also need a law firm with the appropriate resources or network. Unless you are a large company with ample resources, you will not want to choose this route. We therefore conducted the proceedings discussed here in Germany, where our company is headquartered. Another part of the expertise is technical and forensic. After all, you must prove that your own code was used in the abusive application. If the other party does not fulfill its open source obligations and provide the source code, you must obtain the relevant code and prove that your share of it is part of the products that the other party is marketing. It is advisable to purchase the products through a third party to be able to provide proof.

Once proof has been provided, the next steps are as follows: issue a warning letter and, if the manufacturer does not respond, obtain a preliminary injunction from the court. This prevents the products from being placed on the market until the defect (the abusive and unlicensed use of the software) has been remedied. In our case, the products were also distributed via hyperscaler platforms such as Microsoft Azure. Here, the operator can be notified under the Digital Services Act that licenses are being violated; Microsoft (in the case of Azure) then blocks the products in its store if, for example, the preliminary injunction is pointed out to them, so the products can no longer be distributed there. This is a very good thing because it puts additional pressure on the product provider. Of course, this is only possible if you have plausible evidence, which can be quite a lot of work to obtain, depending on how much energy the product provider has expended to conceal the unlicensed use of third-party components. In our experience, advanced concealment techniques are used less frequently than expected: we were able to provide clear evidence both that the sources were ours and that it was not a mistake.

In our case, extensions were also linked to our libraries in violation of the copyleft. To conceal the license violation, our copyright notice was added to their own extensions. When we discovered these manipulations, we were naturally astonished at the audacity and immediately investigated further. We found that we were not the only victims of this provider but decided to focus on our own proceedings for the time being.

We had three goals when we started the project: to stop the misuse, to possibly obtain damages, and ultimately to impose the not inconsiderable costs of the proceedings on the other party. We have already achieved one goal: our injunction is legally binding and can no longer be appealed.

We have already achieved a significant legal victory in our proceedings, which has to do with the licensing of our product’s database content. Background: our solutions consist of three components: the application and system code with its associated binaries, many thousands of test scripts for vulnerability detection, and information on already known vulnerabilities together with input on how to fix them; the test scripts and this information together form a large database. This database is licensed for our community product under the Open Database Public License (ODbL). The ODbL allows a database to be freely copied, distributed, modified, and used (e.g., for your own applications or analyses). At the same time, it ensures that derived databases remain available under the same freedoms. The well-known geodatabase OpenStreetMap is licensed under the ODbL. Anyone who mixes an ODbL database with their own proprietary content must also place this modified database under the ODbL, which is therefore a copyleft license. In our case, an ODbL database was successfully defended in a license dispute for the first time in Germany. This resulted in a landmark decision that others can now refer to. We are very pleased about this.

And we are going even further: we have currently filed a lawsuit. This will deal with copyright and competition law issues, and will also address the issue of damages.

That sums up a process that has dragged on for several months and will continue into the future. If I were to draw a conclusion today, it would be a positive one: we have won on all important issues so far. We make open source stronger when we enforce its rules. Open source is a cornerstone of our business model, which is why it is important to us to defend this foundation. On the other hand, the effort involved is considerable. Our business purpose is to provide our users with the greatest possible security for their IT infrastructure, not to engage in legal disputes. We only want to do this in a very measured way and only where the prospects of success are high and the framework conditions are favorable (as in our case here, where we can operate within the familiar legal system). We would like to thank our excellent legal representative, Dr. Till Jaeger from JBViniol, and the outstanding forensic expertise of DN-Systems – without their help, we would not have been able to achieve these successes.

We have a list of just over 100 suspected cases, and we regularly receive reports of such cases from partners, the community, and employees. The conditions are not always as favorable as in this case, and the relevance is not always great enough. Where they are, we will act against providers again, despite the considerable effort involved. We want a fair and healthy open source ecosystem, and particularly brazen violations – such as the one reported here – naturally trigger us. With this report, we also want to encourage others and – in keeping with the open source idea – share our knowledge.

Download
Regional Court Berlin II – Judgment, Case No. 15 O 299/25 (redacted version, English translation) – PDF
