Researchers disclosed an unpatched NTLM coercion vulnerability in the Windows search: URI handler that allows attackers to steal Net-NTLMv2 hashes via a malicious link or command execution. Despite sharing the same severity and underlying mechanism as a recently patched Snipping Tool vulnerability (CVE-2026-33829), Microsoft declined to service this flaw. Defenders must rely on environmental mitigations like blocking outbound SMB and restricting NTLM traffic to prevent exploitation.
At Pwn2Own Berlin 2026, security researchers demonstrated 47 unique zero-day vulnerabilities across AI platforms and traditional enterprise software. Notable exploits included root-level code execution in AI agents via trust boundary failures, a SYSTEM-level RCE in Microsoft Exchange, a pre-authentication RCE in SharePoint, and a cross-tenant guest-to-host escape in VMware ESXi.
This threat intelligence report highlights a surge in ransomware activity, critical zero-day vulnerabilities in Windows, and the active exploitation of Cisco Catalyst SD-WAN controllers. Additionally, it details emerging AI-driven threats, including malicious Hugging Face repositories and the abuse of AI website generators for phishing, alongside an APT intrusion by FamousSparrow targeting the energy sector.
Google Threat Intelligence Group (GTIG) reports an escalation in adversaries leveraging generative AI for vulnerability discovery, autonomous malware orchestration, and defense evasion. Notable developments include the AI-assisted discovery of a zero-day 2FA bypass, the PROMPTSPY Android backdoor utilizing the Gemini API for autonomous UI navigation, and supply chain attacks by TeamPCP targeting AI dependencies like LiteLLM to extract cloud secrets.
The article discusses the impending 'vuln-pocalypse' driven by AI-accelerated vulnerability discovery and fuzzing. Threat actors, including FANCY BEAR and FAMOUS CHOLLIMA, are increasingly leveraging AI to enhance phishing campaigns and exploit zero-days faster, necessitating a shift toward threat-informed patch prioritization and robust post-exploitation behavioral detection.
Microsoft's April 2026 Patch Tuesday addresses 163 CVEs across 17 product families, including 8 Critical vulnerabilities and one actively exploited zero-day (CVE-2026-32201 in SharePoint). Organizations should prioritize patching the exploited SharePoint flaw, the publicly disclosed Defender bug (CVE-2026-33825), and a highly critical 9.8 CVSS RCE in Windows IKE (CVE-2026-33824).
The rapid advancement of AI models has significantly lowered the barrier for threat actors to discover vulnerabilities and generate exploits at scale, compressing the attack lifecycle. To defend against these machine-speed threats, organizations must modernize their security posture by integrating AI defensively, automating vulnerability management, securing software supply chains, and protecting newly deployed AI assets.
Microsoft's April 2026 Patch Tuesday addresses 165 vulnerabilities, including 8 critical flaws and one actively exploited zero-day vulnerability in Microsoft Office SharePoint (CVE-2026-32201). The update resolves critical Remote Code Execution (RCE) vulnerabilities across various components such as the Remote Desktop Client, Microsoft Office, Windows IKE, Active Directory, and TCP/IP.
In March 2026, 31 high-impact vulnerabilities were actively exploited, highlighted by the Interlock Ransomware Group leveraging a CVSS 10.0 zero-day in Cisco Secure FMC (CVE-2026-20131). The attackers utilized insecure Java deserialization to gain root access, deploying custom RATs, memory-resident web shells, and ransomware across enterprise networks.
Anthropic's new AI capabilities, Project Glasswing and Claude Mythos Preview, are accelerating the discovery of zero-day vulnerabilities across major software platforms. Akamai asserts that this rapid discovery will widen the gap between vulnerability identification and patching, thereby increasing the critical need for robust runtime protection and edge security solutions to defend against potential exploits before patches are available.
A zero-day vulnerability in Adobe Reader is being actively exploited in targeted attacks against the Russian oil and gas sector. Threat actors are utilizing malicious PDF files embedded with obfuscated JavaScript to execute privileged APIs, enabling sensitive data theft and potential remote code execution.
The Canadian Centre for Cyber Security issued an advisory regarding a critical vulnerability in Google Chrome (CVE-2026-5281) that is currently being exploited in the wild. Organizations are urged to update Chrome for Desktop to the latest stable versions to mitigate this active threat.
The Russia-aligned APT group Pawn Storm has launched a sophisticated campaign deploying the PRISMEX malware suite against Ukrainian and NATO defense supply chains. The attack chain leverages two critical vulnerabilities, CVE-2026-21509 and CVE-2026-21513, to achieve zero-click execution, utilizing advanced steganography and COM hijacking to evade detection while communicating via legitimate cloud services.
Mandiant's M-Trends 2026 report highlights a severe divergence in adversary tactics. Cybercriminals are optimizing for speed, with initial access hand-offs collapsing to 22 seconds, and focusing on recovery denial by targeting hypervisors and backup infrastructure. Conversely, espionage groups are prioritizing extreme persistence by exploiting zero-days and deploying in-memory malware on unmonitored edge devices, while voice phishing has emerged as a primary vector for bypassing MFA and compromising SaaS environments.
Cisco Secure Firewall Management Center (FMC) is actively being targeted by unauthenticated attackers exploiting CVE-2026-20131, a critical insecure deserialization vulnerability. Exploitation grants root access, enabling attackers to completely compromise the firewall management platform, alter security policies, and pivot into the internal network.
The CrowdStrike 2026 Global Threat Report highlights a shift toward highly evasive, malware-free attacks leveraging valid credentials, AI tools, and supply chain compromises. Adversaries are operating with unprecedented speed, with average breakout times dropping to 29 minutes, while increasingly targeting AI infrastructure, cloud environments, and network edge devices.
Cisco has disclosed a critical, unpatched vulnerability (CVE-2025-20393) affecting its Secure Email Gateway and Secure Email and Web Manager appliances. The flaw allows attackers to execute arbitrary commands with root privileges if the Spam Quarantine feature is enabled and exposed to the internet. Organizations are urged to immediately restrict internet access to this feature and contact Cisco TAC to check for indicators of compromise.
Google Threat Intelligence Group discovered DarkSword, a sophisticated iOS full-chain exploit leveraging six zero-day vulnerabilities to target iOS 18.4-18.7 devices. Adopted by multiple state-sponsored actors and commercial surveillance vendors, the pure-JavaScript exploit chain bypasses modern iOS mitigations to deploy data-mining payloads like GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.
Google Threat Intelligence Group's 2025 review highlights 90 exploited zero-day vulnerabilities, with a significant shift toward enterprise infrastructure and edge devices. Commercial surveillance vendors outpaced state-sponsored actors in zero-day usage, while financially motivated groups and PRC-nexus espionage operators continued to heavily leverage zero-days for initial access, persistence, and data theft.
AI Rush Opens New Attack Paths as Trusted Cloud Services Fuel Phishing
The rush to adopt artificial intelligence is giving attackers two new advantages: convincing lures to trick users and poorly secured infrastructure to exploit. This week, multiple campaigns used fake websites for the Claude AI assistant to infect victims with password-stealing malware, while researchers revealed that commercial robots and AI connection protocols contain critical flaws that let hackers hijack them. Because organizations are deploying AI tools faster than they can secure them, attackers are finding easy entry points into corporate networks.
In parallel, phishing campaigns are increasingly hijacking trusted cloud services like Amazon's email platform and Vercel's AI-powered website builder to send messages that bypass security filters entirely. A massive campaign targeting US employees used fake HR reviews to steal login sessions even when multi-factor authentication was enabled, and the breach of the Canvas learning platform exposed data on 275 million people that can now be used for highly convincing follow-up scams. These trends together suggest that traditional defenses are losing effectiveness because attackers are hiding inside the systems we already trust.
Organizations should immediately patch the actively exploited Palo Alto Networks and Ivanti vulnerabilities flagged by CISA this week, require phishing-resistant authentication methods, and treat every AI tool and robot connected to their network as a high-risk device that needs strict monitoring.