Canadian Cyber Security Journal

Cybersecurity Daily Brief — Tuesday, April 21, 2026

Here are today’s top cybersecurity stories for Tuesday, April 21, 2026.

CISA Adds Eight Known Exploited Vulnerabilities to Catalog — 48-Hour Federal Deadline for Cisco Flaws
CISA added eight actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog, covering Cisco Catalyst SD-WAN Manager (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122), PaperCut NG/MF (CVE-2023-27351), JetBrains TeamCity (CVE-2024-27199), Quest KACE SMA (CVE-2025-32975), Kentico Xperience (CVE-2025-2749), and Zimbra Collaboration Suite (CVE-2025-48700). Federal Civilian Executive Branch agencies must patch the three Cisco flaws by April 23 and the remaining five by May 4. (Source: CISA)

CISA Flags Additional Cisco Catalyst SD-WAN Manager Flaw as Actively Exploited — CVE-2026-20133
CISA separately flagged CVE-2026-20133, an information disclosure vulnerability in Cisco Catalyst SD-WAN Manager, as actively exploited in the wild. The flaw allows unauthenticated remote attackers to view sensitive information due to insufficient file system access restrictions. Federal agencies have until April 23 to remediate. Cisco’s PSIRT had not yet confirmed exploitation at time of reporting. (Source: Help Net Security)

Former Ransomware Negotiator Pleads Guilty to Helping BlackCat Extort $52 Million From Victims
Angelo Martino, 41, a former employee of incident response firm DigitalMint, pleaded guilty to conspiring with the BlackCat (ALPHV) ransomware group to extort at least five US organizations, including a financial services firm paying $25.6 million and a nonprofit paying $26.8 million. Martino fed confidential victim information to ALPHV while ostensibly negotiating ransoms on behalf of those same victims. He faces up to 20 years in prison, and authorities seized $10 million in assets, including digital currency, vehicles, and a luxury fishing boat. (Source: BleepingComputer)

TridentLocker Ransomware Hits Sedgwick Government Solutions — Federal Contractor Handles DHS and CISA Claims
TridentLocker actors breached Sedgwick Government Solutions, a subsidiary providing claims and risk management services to US federal agencies including DHS and CISA. The attackers compromised an isolated file transfer system and claimed to have exfiltrated 3.4 gigabytes of data. Sedgwick confirmed the breach and stated core network and claims management servers were not accessed. (Source: SecurityWeek)

PHP Composer Patches Two Command Injection Vulnerabilities in Perforce Driver
Two high-severity command injection flaws were disclosed in PHP Composer affecting the Perforce VCS driver. CVE-2026-40176 (CVSS 7.8) allows an attacker controlling a malicious composer.json to inject arbitrary shell commands, while CVE-2026-40261 (CVSS 8.8) enables injection via crafted source references containing shell metacharacters. Composer 2.9.6 and 2.2.27 LTS patch both vulnerabilities. Packagist.org found no evidence of in-the-wild exploitation but disabled Perforce source metadata publication as a precaution. (Source: The Hacker News)

Illinois DHS Misconfiguration Exposes 700,000 Residents’ Medicaid and Disability Records
The Illinois Department of Human Services disclosed a long-running data exposure caused by misconfigured privacy settings on publicly accessible mapping tools. Records belonging to roughly 672,000 Medicaid and Medicare Savings Program recipients and 32,000 disability services clients — including names, addresses, case numbers, and medical assistance plan data — were publicly accessible for years before discovery in September 2025. The agency restricted access within four days of discovery and is notifying affected individuals. (Source: BleepingComputer)

ShowDoc CVE-2025-0520 Actively Exploited — CVSS 9.4 RCE Flaw in IT Documentation Platform
Threat actors are actively exploiting CVE-2025-0520, a critical unrestricted file upload vulnerability in ShowDoc, an IT documentation and collaboration platform widely deployed in China. The flaw allows unauthenticated attackers to upload arbitrary PHP files and achieve remote code execution. Over 2,000 internet-facing instances have been identified; the vulnerability was patched in ShowDoc 2.8.7 in October 2020 but remains unaddressed on many servers. (Source: The Hacker News)

AI-Driven Pushpaganda Campaign Abuses Google Discover to Deliver Scareware Across Canada and Four Other Countries
HUMAN Security’s Satori Threat Intelligence team identified Pushpaganda, an AI-powered ad fraud operation injecting fabricated news stories into Google Discover feeds on Android devices, tricking users into enabling persistent browser notification subscriptions. Those subscriptions then deliver scareware and redirect users to fraudulent ad sites. The campaign began in India before expanding to Canada, the US, Australia, South Africa, and the UK. (Source: The Hacker News)

EPA Proposes $19.1 Million Cybersecurity Investment for Water Infrastructure in FY2027 Budget
The US Environmental Protection Agency’s FY2027 budget request includes $9.6 million in new cybersecurity investment, bringing total information security spending to $19.1 million. The request includes dedicated funding for a cybersecurity grant program within the Drinking Water Infrastructure Resilience Grant Program to help water utilities strengthen defenses. The proposal follows ongoing concerns about nation-state targeting of water and wastewater OT systems. (Source: Industrial Cyber)

Stay tuned for today’s in-depth analysis posts.
