Canadian Cyber Security Journal

Cybersecurity Daily Brief — Wednesday, April 15, 2026

Here are today’s top cybersecurity stories for Wednesday, April 15, 2026.

Microsoft April 2026 Patch Tuesday: 167 Flaws Fixed, Including Actively Exploited SharePoint Zero-Day
Microsoft released security updates addressing 167 vulnerabilities, including two zero-days. CVE-2026-32201, an actively exploited spoofing flaw in SharePoint Server, has been added to CISA’s Known Exploited Vulnerabilities catalog with a remediation deadline of April 28. A second zero-day, CVE-2026-33825, a Microsoft Defender elevation of privilege vulnerability, was mitigated automatically via the Antimalware Platform update. Eight vulnerabilities are rated Critical, with seven enabling remote code execution.
BleepingComputer

CVE-2026-33824: CVSS 9.8 Windows IKE RCE Requires No Authentication or User Interaction
Among the April Patch Tuesday disclosures, CVE-2026-33824 stands out as the highest-severity flaw at CVSS 9.8. The vulnerability in Windows Internet Key Exchange Service Extensions allows unauthenticated remote code execution by sending specially crafted packets to systems with IKEv2 enabled. No privileges or user interaction are required. Microsoft recommends immediate patching; organizations unable to patch immediately should block UDP ports 500 and 4500 as a temporary measure.
Rapid7

SAP Patches CVSS 9.9 SQL Injection in Business Planning and Consolidation (CVE-2026-27681)
SAP’s April Security Patch Day addressed 19 vulnerabilities, led by CVE-2026-27681, a critical SQL injection flaw in SAP Business Planning and Consolidation and SAP Business Warehouse. A low-privileged authenticated attacker can upload files containing arbitrary SQL statements for execution, enabling full database read, modify, and delete access. SAP Security Note #3719353 deactivates the vulnerable program, and the Centre for Cybersecurity Belgium issued an advisory urging immediate patching.
The Hacker News

Fake Ledger Live App on Apple App Store Drains $9.5 Million from 50 Victims
A fraudulent Ledger Live application distributed through Apple’s official App Store stole approximately $9.5 million in cryptocurrency from at least 50 victims between April 7 and 13. Victims entered their hardware wallet recovery phrases into the malicious app, granting attackers full wallet access. On-chain investigator ZachXBT traced stolen funds — including Bitcoin, Ethereum, Solana, Tron, and XRP — to KuCoin and a laundering service known as AudiA6. Apple removed the app and terminated the associated developer account after the losses were reported.
BleepingComputer

Apache ActiveMQ CVE-2026-34197: 13-Year-Old RCE Flaw Discovered by Claude AI in Under 10 Minutes
Researchers disclosed CVE-2026-34197, a remote code execution vulnerability in Apache ActiveMQ Classic that went undetected for 13 years. The flaw abuses the Jolokia management API to force the broker to fetch a remote Spring XML file and execute arbitrary commands. The vulnerability scores CVSS 8.8 and becomes unauthenticated on versions 6.0.0 through 6.1.1 due to a separate API exposure bug. Discovery was attributed primarily to Anthropic’s Claude AI model. Patches are available in ActiveMQ Classic 6.2.3 and 5.19.4.
BleepingComputer

McGraw-Hill Confirms Data Breach After ShinyHunters Claims 45 Million Salesforce Records
Education publisher McGraw-Hill confirmed a data breach stemming from a Salesforce misconfiguration after ShinyHunters threatened to leak 45 million records unless a ransom was paid. The company stated the incident did not involve Social Security numbers, financial data, or student records, and described the event as part of a broader issue affecting multiple Salesforce customers. Salesforce denied any compromise of its own platform. ShinyHunters have targeted multiple Salesforce customers in recent months.
BleepingComputer

OpenAI Launches GPT-5.4-Cyber for Vetted Security Teams
OpenAI unveiled GPT-5.4-Cyber, a variant of its GPT-5.4 model optimized for defensive cybersecurity, available only to vetted professionals through its Trusted Access for Cyber (TAC) program. The model lowers refusal thresholds for legitimate security work and adds the ability to reverse engineer binaries without access to source code. Access will scale to thousands of individual defenders and hundreds of security teams. The release follows Anthropic’s Mythos cybersecurity research model preview issued earlier this month.
CyberScoop

Windows BitLocker Recovery Triggered by April 2026 KB5082063 Update on Enterprise Servers
Microsoft warned that Windows Server 2025 devices with non-recommended BitLocker Group Policy configurations may boot into the BitLocker recovery screen after installing the April 2026 KB5082063 update. The issue stems from the update switching boot managers and affects enterprise-managed systems with PCR7 profile misconfigurations. Administrators are advised to remove the misconfigured Group Policy before deployment, or apply a Known Issue Rollback on affected systems.
BleepingComputer

Fortinet Patches 11 Vulnerabilities Across FortiSandbox, FortiOS, FortiAnalyzer, and FortiManager
Fortinet released security advisories on April 14 addressing 11 vulnerabilities across multiple product lines, including two rated Critical. CVE-2026-39808, an OS command injection flaw in FortiSandbox and FortiSandbox PaaS, is among the highest severity. Additional issues affect FortiOS, FortiProxy, FortiAnalyzer, FortiManager, FortiPAM, and FortiSwitchManager. These advisories follow Fortinet’s emergency out-of-band patch for CVE-2026-35616 in FortiClient EMS, now in CISA’s KEV catalog, issued earlier this month.
SecurityWeek

Canada Launches Level 1 of the Canadian Program for Cyber Security Certification (CPCSC)
The Government of Canada formally introduced Level 1 of the Canadian Program for Cyber Security Certification on April 14, 2026. Beginning in Summer 2026, Level 1 compliance will be required in select federal defence contracts. Suppliers must complete an annual self-assessment covering 13 security controls and submit attestation through the Canada Buys portal. Level 2, requiring third-party assessment every three years, and Level 3, conducted by National Defence, will follow in subsequent phases.
Government of Canada / PSPC

Stay tuned for today’s in-depth analysis posts.
