Canadian Cyber Security Journal

Cybersecurity Daily Brief — Thursday, April 16, 2026

Here are today’s top cybersecurity stories for Thursday, April 16, 2026.

CISA Adds Six Known Exploited Vulnerabilities to Catalog
CISA added six flaws to its Known Exploited Vulnerabilities catalog on Monday, citing active exploitation evidence. The additions include CVE-2025-60710, a Windows Task Host privilege escalation flaw patched in November 2025 that allows local attackers with basic user permissions to gain SYSTEM privileges, along with previously disclosed flaws in Fortinet FortiClient EMS, Microsoft, and Adobe software. Federal Civilian Executive Branch agencies must remediate all six flaws by April 27, 2026.
The Hacker News

Cisco Patches Four Critical Flaws in ISE and Webex, Including CVSS 9.8 SSO Impersonation Bug
Cisco released patches for four critical vulnerabilities affecting Identity Services Engine and Webex Services. The most severe, CVE-2026-20184 (CVSS 9.8), allows an unauthenticated remote attacker to impersonate any user within Webex by supplying a crafted token to the SSO endpoint. Cisco confirmed no active exploitation but advised Webex customers using SSO to upload a new IdP SAML certificate to Control Hub.
The Hacker News

nginx-ui CVE-2026-33032 (CVSS 9.8) Under Active Exploitation — Full Nginx Server Takeover in Two Requests
A critical authentication bypass in nginx-ui, an open-source Nginx web management interface, is under active exploitation. Tracked as CVE-2026-33032 and dubbed MCPwn, the flaw allows any unauthenticated network attacker to restart Nginx, modify server configurations, and trigger automatic config reloads using just two HTTP requests. Approximately 2,689 instances remain publicly exposed. Users must upgrade to nginx-ui version 2.3.4 immediately.
The Hacker News

UAC-0247 Targets Ukrainian Clinics and Government With AGINGFLY Data-Theft Malware
CERT-UA disclosed a campaign between March and April 2026 targeting Ukrainian municipal healthcare institutions and government agencies. The threat cluster UAC-0247 delivers AGINGFLY malware and RAVENSHELL through phishing emails posing as humanitarian aid proposals, stealing credentials from Chromium-based browsers and WhatsApp. Attackers also deploy ChromeElevator to bypass Chromium’s App-Bound Encryption and ZAPiXDESK to decrypt WhatsApp local databases.
The Hacker News

PHANTOMPULSE RAT Delivered Through Obsidian Plugin Abuse in Finance and Crypto Campaign
Elastic Security Labs disclosed campaign REF6598, in which threat actors posing as a venture capital firm approached targets in financial services and cryptocurrency through LinkedIn and Telegram. The attackers abused Obsidian’s Shell Commands and Hider community plugins to execute arbitrary code and deliver PHANTOMPULSE, a custom RAT that resolves its command-and-control server through Ethereum blockchain transactions. The malware supports keylogging, file upload, screenshot capture, and system telemetry exfiltration.
The Hacker News

PowMix Botnet Targeting Czech Workers Uses Randomized C2 to Evade Detection
Cisco Talos disclosed PowMix, a previously undocumented PowerShell-based botnet active against the Czech Republic workforce since at least December 2025. PowMix uses randomized C2 beaconing intervals — varying between zero and 1,450 seconds — to evade network signature detection, and embeds encrypted heartbeat data in C2 URL paths to mimic legitimate REST API traffic. Initial access relies on malicious ZIP files delivered via phishing, using Windows shortcut files to launch in-memory PowerShell loaders.
Cisco Talos
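The Talos description above (beacon intervals randomized between zero and 1,450 seconds, encrypted heartbeat data carried in REST-looking URL paths) is exactly the traffic shape that a period-based beacon detector is designed to miss. The Python below is an added example, not Talos's code and not anything from PowMix itself: it builds constructed proxy log lines for three hosts, shows that a classic near-constant-period check does not fire on the jittered beacon (and does fire on a benign fixed-interval update check), and then applies a jitter-tolerant check that keys on what the brief describes instead: a bounded maximum gap between requests plus a never-repeating, random-looking last path segment. All hostnames, paths, timings and the heartbeat token are placeholders.

```python
"""Jitter-tolerant beacon detection over proxy logs.

Added example: not Talos code, not PowMix code. All log lines, hostnames,
paths and timings below are constructed placeholders, not real indicators.
"""
import base64
import hashlib
import math
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

MAX_BEACON_INTERVAL = 1450   # seconds; the upper bound quoted for PowMix in the brief
MIN_CONTACTS = 10            # requests needed before a (src, host) pair is considered
MIN_TOKEN_ENTROPY = 2.5      # bits/char; random-looking last path segment (assumed threshold)
BASE_TIME = datetime(2026, 4, 16, 8, 0, 0)

# Constructed inter-arrival times (seconds) for a jittered beacon, spread over 0..1450.
JITTERED_GAPS = [12, 1401, 733, 88, 1266, 455, 990, 37, 1380, 610,
                 215, 1120, 840, 5, 1449, 322, 760, 1033, 140, 900]


def _heartbeat_token(i: int) -> str:
    """Stand-in for an encrypted heartbeat: a random-looking URL-safe string (constructed)."""
    digest = hashlib.sha256(f"constructed-heartbeat-{i}".encode()).digest()
    return base64.urlsafe_b64encode(digest).decode()[:16]


def build_sample_log() -> list[str]:
    """Return constructed proxy log lines of the form '<iso-ts> <src> <host> <path>'."""
    lines = []
    # 1) jittered beacon: a fresh encrypted token in a REST-looking path on every contact
    t = BASE_TIME
    for i, gap in enumerate(JITTERED_GAPS):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.5 api.c2-placeholder.test /v2/metrics/{_heartbeat_token(i)}")
    # 2) benign software update check: exactly every 600 s, identical path
    t = BASE_TIME
    for _ in range(12):
        t += timedelta(seconds=600)
        lines.append(f"{t.isoformat()} 10.0.0.5 updates.vendor-placeholder.test /check")
    # 3) ordinary browsing: a few repeated pages with long idle gaps
    t = BASE_TIME
    for gap, path in [(30, "/"), (45, "/login"), (3600, "/assets/app.js"), (20, "/"), (7200, "/login")]:
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.5 intranet.placeholder.test {path}")
    return lines


def parse_log(lines):
    """Group events by (src, host) into time-sorted lists of (timestamp, path)."""
    events = defaultdict(list)
    for line in lines:
        ts, src, host, path = line.split(" ", 3)
        events[(src, host)].append((datetime.fromisoformat(ts), path))
    for key in events:
        events[key].sort()
    return events


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def features(pair_events):
    """Per (src, host) timing and path features used by both detectors."""
    times = [t for t, _ in pair_events]
    paths = [p for _, p in pair_events]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    last_segments = [p.rstrip("/").rsplit("/", 1)[-1] for p in paths]
    mean_gap = statistics.mean(gaps) if gaps else 0.0
    return {
        "contacts": len(times),
        "max_gap": max(gaps) if gaps else 0.0,
        # coefficient of variation of the period: ~0 for a fixed-interval beacon
        "cv": statistics.pstdev(gaps) / mean_gap if len(gaps) > 1 and mean_gap > 0 else 0.0,
        "unique_path_ratio": len(set(paths)) / len(paths),
        "mean_token_entropy": statistics.mean([shannon_entropy(s) for s in last_segments]),
    }


def fixed_interval_detector(f) -> bool:
    """Classic heuristic: many contacts at a near-constant period. Jitter defeats it."""
    return f["contacts"] >= MIN_CONTACTS and f["cv"] < 0.1


def jitter_tolerant_detector(f) -> bool:
    """Ignores the period: bounded gaps plus a never-repeating random-looking path segment."""
    return (f["contacts"] >= MIN_CONTACTS
            and f["max_gap"] <= MAX_BEACON_INTERVAL
            and f["unique_path_ratio"] >= 0.9
            and f["mean_token_entropy"] >= MIN_TOKEN_ENTROPY)


def score_log(lines):
    """Return {host: {"fixed": bool, "jitter_tolerant": bool}} for every (src, host) pair."""
    verdicts = {}
    for (_src, host), pair_events in parse_log(lines).items():
        f = features(pair_events)
        verdicts[host] = {"fixed": fixed_interval_detector(f),
                          "jitter_tolerant": jitter_tolerant_detector(f)}
    return verdicts


if __name__ == "__main__":
    for host, verdict in score_log(build_sample_log()).items():
        print(f"{host:35s} fixed={verdict['fixed']!s:5s} jitter_tolerant={verdict['jitter_tolerant']}")
```

On the constructed data the period-based check flags only the benign 600-second update poller and misses the jittered beacon, while the jitter-tolerant check flags only the beacon: the update poller repeats one path, and the browsing host has both too few contacts and idle gaps far above the 1,450-second bound. The thresholds (MIN_CONTACTS, MIN_TOKEN_ENTROPY, the 0.9 uniqueness ratio) are assumptions to tune against your own proxy baseline, and the path-uniqueness feature is the one to watch for false positives on legitimate APIs that embed request IDs in URLs.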

North Korean Hackers Steal $100K From Zerion in AI-Powered Social Engineering Attack
Cryptocurrency wallet service Zerion disclosed a security incident in which a team member’s device was compromised through an AI-powered social engineering attack attributed to North Korea-linked UNC1069. The attacker accessed internal hot wallets used for testing and operations, stealing approximately $100,000. No user funds or core infrastructure were affected. The Security Alliance has linked UNC1069 to 164 malicious domains used in ongoing campaigns targeting crypto and Web3 companies.
CryptoTimes

ShinyHunters Claims Amtrak Breach — 9.4 Million Salesforce Records Threatened
Ransomware group ShinyHunters added Amtrak (National Railroad Passenger Corporation) to its data leak site, claiming theft of 9.4 million Salesforce records containing personal and corporate data. The group used social engineering against Salesforce employees, the same attack vector tied to earlier breaches at Cisco, Rockstar Games, Hallmark, and McGraw-Hill. An April 14 ransom deadline passed without confirmed payment, and no verified data samples have been released.
SecurityWeek

McGraw-Hill Confirms 13.5 Million Accounts Exposed via Salesforce Misconfiguration
Education publisher McGraw-Hill confirmed that attackers exploited a Salesforce misconfiguration to access internal data affecting 13.5 million accounts. The company stated the breach did not expose Social Security numbers, financial data, or student records, and described the event as part of a broader issue affecting multiple Salesforce customers. ShinyHunters initially claimed 45 million records and launched an extortion campaign earlier this month.
BleepingComputer

CISA Deadline: TrueConf CVE-2026-3502 FCEB Remediation Due Today
April 16, 2026 marks the Federal Civilian Executive Branch remediation deadline for TrueConf CVE-2026-3502, a zero-day vulnerability added to CISA’s KEV catalog on April 2, 2026. A Chinese-nexus APT exploited the flaw against Southeast Asian government networks through a compromised TrueConf update mechanism. U.S. federal civilian agencies that have not patched are now past their mandated remediation window.
CISA

Stay tuned for today’s in-depth analysis posts.
