An Anthropic researcher used Claude to find Apache ActiveMQ flaw CVE-2026-34197. Maintainers shipped the fix in seven days. CISA added the CVE to its federal exploited-vulnerability list. The same week, Cal.com closed source citing AI scanners as the reason. I have run defender-side tooling rollouts for 20 years. Every wave gets framed as attacker-only for six months first. One team shipped the patch. The other shipped the excuse.

#InfoSec #OpenSource #AI #CyberSecurity

Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation

https://thehackernews.com/2026/04/apache-activemq-cve-2026-34197-added-to.html

Read on HackerWorkspace: https://hackerworkspace.com/article/apache-activemq-cve-2026-34197-added-to-cisa-kev-amid-active-exploitation

#cybersecurity #vulnerability #exploit

⚠️ CRITICAL: CVE-2026-34197 is a remote code execution vuln in Apache ActiveMQ. No patch or confirmed exploitation yet. Monitor vendor advisories & apply security best practices. Details: https://radar.offseq.com/threat/recent-apache-activemq-vulnerability-exploited-in--98176e07 #OffSeq #ApacheActiveMQ #Vuln #Infosec

New KEV added 🚨
CVE-2026-34197 (Apache ActiveMQ)
• Active exploitation confirmed
• High-risk entry point
KEV = patch now, not later

Source: https://www.cisa.gov/news-events/alerts/2026/04/16/cisa-adds-one-known-exploited-vulnerability-catalog

💬 How fast is your patch cycle?
Follow @technadu

#InfoSec #CyberSecurity #KEV

⚡ Researchers confirm exploitation of three Microsoft Defender flaws—one patched (CVE-2026-33825) , two unpatched.

Attackers escalate privileges and can block Defender updates.

🔗 Learn how these flaws are used in attacks → https://thehackernews.com/2026/04/three-microsoft-defender-zero-days.html

Explotación activa de vulnerabilidades en Windows permite escalar privilegios y afectar a Defender

Se ha detectado explotación activa de tres técnicas filtradas —BlueHammer, RedSun y UnDefend— que permiten elevar privilegios hasta SYSTEM/admin y, en algunos casos, impedir que Microsoft Defender actualice sus definiciones. BlueHammer ya tiene identificador (CVE-2026-33825)...

https://unaaldia.hispasec.com/2026/04/explotacion-activa-de-vulnerabilidades-en-windows-permite-escalar-privilegios-y-afectar-a-defender.html

This Week in Security: Docker Auth, Windows Tools, and a Very Full Patch Tuesday

CVE-2026-34040 lets attackers bypass some Docker authentication plugins by allowing an empty request body. Present since 2024, this bug was caused by a previous fix to the auth workflow. In the 2024 bug, the authentication system could be tricked into passing a zero-length request to the authentication handler. In the modern vulnerability, the system can be tricked into removing a too-large authentication request and passing a zero-length request to the authentication handler.

In both cases, the authentication system may not properly handle the malformed request and allow creation of docker images with access to stored credentials and secrets.

Bugs like these are increasing in visibility because AI agents running in Docker, like OpenClaw, may be tricked via prompt injection into leveraging the vulnerability.

Windows CPU Tools Compromised

videocardz.com notes that the popular Windows monitoring software Cpu-Z and HWMonitor appear to have been compromised. Reports indicate that the download site was compromised, not the actual packages, but that it was redirecting update requests to packages including malware. While the site has been repaired, unfortunately it looks like there is no warning to users that the downloads were compromised for a period of time.

Anecdotally, there has been a rash of Discord account takeovers in the past week, where long-standing accounts in multiple servers have been compromised and turned into spambots. While there is no evidence these events are linked, clearly a new credential or authentication stealing malware is in play, which involves stealing credentials from Discord.

X.Org and XWayland Updated

The X.Org and XWayland servers saw security updates this week, fixing a handful of vulnerabilities involving uninitialized memory use, use-after-free, and reading beyond the end of a buffer.

The vulnerabilities are generally classified as “moderate”, but of course, don’t leave known vulnerabilities when you can avoid it! Fixed releases should find their way into distributions soon.

OpenSSL 4.0 Released

OpenSSL released version 4.0 this week, adding support for Encrypted Client Hello / ECH / RFC9849 as well as deprecating some older SSL 2.0 behavior.

Encrypted Client Hello is a new enhancement to TLS (nee SSL) client handshake. When a client connects to a TLS server like a website, one of the first packets sent is the Client Hello which contains the TLS version, supported algorithms, and importantly, the server name the client is connecting to. Including the server name in the hello message allows modern multi-homed and cloud-based websites to function, because it indicates which web server and SSL certificate should be used to handle the request, but exposes the hostname the user is connecting to.

With ECH, the hello message is split into multiple messages, with the true hostname encrypted inside the second, inner message. The outer message allows routing the request to a server responsible for decrypting the inner communication and dispatching the request to the proper server. It is possible, for instance, for an ISP to see that a user has connected to a website on the Cloudflare infrastructure, but not which website hosted on Cloudflare.

For individual sites, the value of ECH is debatable – without a central server to dispatch to the specific hosts, the outer hostname is still readable – but for sites hosted behind load balancers, there is additional protection for users against identification of browsing habits. Although it brings extra complexity, adding new standards like ECH at least moves the needle towards better user privacy and protection by default.

Rockstar games breached (again)

Rockstar Games (of Grand Theft Auto and Red Dead Redemption fame) has been breached by a ransomware/extortion group. If this sounds familiar, in 2022 the company was breached and early GTA 6 gameplay was stolen.

This go around, the breach was actually of the data warehousing company Snowflake, via another service, Anodot. Used for cloud monitoring and analytics, Bleeping Computer reports that an Anodot breach was used to access Snowflake data, which is now used to extort Rockstar.

Rockstar says the data stolen does not impact players or the functioning of the company, and they will not be paying the ransom.

Linux Kernel Certificate OOB

Linux Kernel 7.0 releases this week, and includes a fix to out-of-bounds memory access in certificate handling. The fix is also being back-ported to stable and LTS kernel versions (Linux 6.4, 6.6 LTS, 6.12 LTS, 6.18 LTS, and 6.19) so be on the lookout for updates!

The out-of-bounds bug lies in the kernel keyring API; any user on the system can submit an invalid certificate to the kernel keyring. In this specific case the impact seems limited to a kernel crash instead of arbitrary privilege escalation.

NIST no Longer Enriching CVE

The NIST organization is no longer enriching CVE entries in the National Vulnerability Database, except for those in the Known Exploited Vulnerabilities catalog, used in federal government, or those in designated critical software. Previously, the NIST NVD provided additional information and severity rankings for reported vulnerabilities. Citing a lack of funding and an overwhelming number of reported vulnerabilities, they will no longer provide updated severity scores or details.

It’s understandable, but a net loss to the security community, and the Internet at large, when we lose analysis and commentary on risks. CVE details and risks are often self-assigned by the vendor, which can lead in some cases to a culture of “malicious compliance” where the released information is technically correct and complete, but contains little or no actual detail and assumes the least impactful interpretations. Third-party evaluation and classification by organizations like NIST offered additional context and analysis to identify the truly critical reports.

Patch Tuesday, Everybody Panic!

OK – don’t actually panic, but if you’re a Microsoft user, you already know. This month’s Patch Tuesday — the scheduled day for Microsoft updates, for anyone lucky enough not to have to observe — includes over 160 security updates. This makes it the second largest Patch Tuesday ever. It includes a fix to the publicly available Bluehammer exploit for bypassing Windows Defender, and over 60 patches for browser vulnerabilities.

Additionally, Chrome published fixes for 20 vulnerabilities, and Adobe published fixes for Reader, with evidence on both that the bugs are already being publicly exploited.

This is your monthly reminder to stay on top of security updates whenever they are available, on whatever platform you use. Unknown zero-day exploits might get all the attention, but outdated software with known, patched bugs can be the biggest vector for exploits and malware. Once a bug is known and patched, there is no reason to save the exploit for targeted attacks; the days and weeks after a bug is publicly fixed can be a wave of automated exploits, and many of the largest attacks use vulnerabilities fixed weeks or months prior.

Botconf Talks Streaming

Finally, a quick aside for anyone interested in pursing more related content, the Botconf EU conference about fighting botnets and malware is streaming the conference content; by the time this post goes live the conference is likely to be concluded, but the talk streams are accessible!

hackaday.com/2026/04/17/this-w…

nginx-ui CVE-2026-33032: the /mcp endpoint had auth, /mcp_message didn't. One missing check = full server takeover. As tools rush to add MCP support, expect more of these gaps. - https://thehackernews.com/2026/04/critical-nginx-ui-vulnerability-cve.html

CVE-2026-39987: Marimo RCE Zero-Day Exploited Within 10 Hours of Disclosure — 662 Attacks Recorded
#CyberSecurity
https://securebulletin.com/cve-2026-39987-marimo-rce-zero-day-exploited-within-10-hours-of-disclosure-662-attacks-recorded/

Marimo is a Python notebook used in AI toolchains. It was exploited 9 hours 41 minutes after CVE-2026-39987 disclosure. Sysdig published the telemetry. Full remote takeover, no login required. The patch shipped with the advisory. Most shops do not have weekend on-call for a Python notebook. By Sunday morning the command-and-control traffic was already 14 hours deep. Patch window is shorter than one night of sleep. On-call SLA is the new budget line.

#CyberSecurity #DevOps #Python #InfoSec

CVE-2026-39987 update: How attackers weaponized marimo to deploy a blockchain botnet via HuggingFace | Sysdig

https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface

Read on HackerWorkspace: https://hackerworkspace.com/article/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface-sysdig

#malware #cybersecurity #vulnerability

🚨 Cyber Dreigingsradar 17 april 2026

Dreigingsniveau VERHOOGD (72/100)
• 35 nieuwe incidenten in NL/BE (24u)
• CVE-2025-43300 (CVSS 10.0) actief misbruikt
• CVE-2023-33538 aanvallen op TP-Link routers

Vandaag in het nieuws:
• EU leeftijdsverificatie app binnen 2 min gehackt
• Gelekte Windows zero days actief misbruikt
• Kritieke RCE in Cisco ISE

Actie: patch netwerkapparatuur + test backup-herstel.

Bekijk de volledige Dreigingsradar:
https://www.digiweerbaar.nl/cyber-dreigingsradar

#dreigingsradar #cybersecurity

I just published a post on the new PowerShell CVE (CVE-2026-26143) with tips and guidance to ensure you are protected.

I breakdown, who’s affected, how to check, and what to do next.

https://www.dowst.dev/powershell-vulnerability-update-cve-2026-26143-what-you-need-to-know/

#PowerShell #CyberSecurity #DevOps #Automation

🚨 Cyber Dreigingsradar 17 april 2026

Dreigingsniveau VERHOOGD (72/100)
• 35 nieuwe incidenten in NL/BE (24u)
• CVE-2025-43300 (CVSS 10.0) actief misbruikt
• CVE-2023-33538 aanvallen op TP-Link routers

Vandaag in het nieuws:
• EU leeftijdsverificatie app binnen 2 min gehackt
• Gelekte Windows zero days actief misbruikt
• Kritieke RCE in Cisco ISE

Actie: patch netwerkapparatuur + test backup-herstel.

Bekijk de volledige Dreigingsradar:
https://www.digiweerbaar.nl/cyber-dreigingsradar

#dreigingsradar #cybersecurity