Apple Expands Updates to iOS 18 Devices Affected by DarkSword Exploit

Apple has expanded the availability of updates for iOS 18.7.7 and iPadOS 18.7.7 to a broader range of devices to protect against the DarkSword exploit. This exploit is a six-vulnerability chain (CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, CVE-2025-43520) targeting iPhones running iOS 18.4 through 18.7, which allows extensive access to device data, including messages, stored passwords, and location history, after a user visits a compromised website with minimal interaction. Attacks have been observed in Saudi Arabia, Turkey, Malaysia, and Ukraine, with a recent campaign attributed to Star Blizzard (TA446/COLDRIVER) targeting government, think tank, higher education, financial, and legal entities. The exploit kit's public availability on GitHub lowers the barrier for other actors. While 74% of recent iPhones run iOS 26, which is not vulnerable, approximately 20% of iOS devices remain exposed, partly due to user reluctance to upgrade from iOS 18. Security teams are advised to push iOS 18.7.7 to all managed devices still on iOS 18, upgrade to iOS 26, or enable Lockdown Mode for high-risk users, as DarkSword does not execute on devices with this feature enabled.

Severity: Critical

Threat Details and IOCs

Malware: Aisuru, Coruna, CryptoWaters, Darksword, DarkSword, Deblind, Ghostblade, GhostBlade, GHOSTBLADE, Ghostknife, GhostKnife, GHOSTKNIFE, Ghostsaber, GhostSaber, GHOSTSABER, Infamous Chisel, KimWolf, Wana Decrypt0r 2.0, WannaCry, WannaCrypt, WannaCryptor, WCry
CVEs: CVE-2021-30952, CVE-2022-48503, CVE-2023-32409, CVE-2023-32434, CVE-2023-38606, CVE-2023-41974, CVE-2023-43000, CVE-2023-43010, CVE-2024-23222, CVE-2024-23225, CVE-2025-14174, CVE-2025-31277, CVE-2025-32432, CVE-2025-43300, CVE-2025-43376, CVE-2025-43510, CVE-2025-43520, CVE-2025-43529, CVE-2025-43534, CVE-2025-54068, CVE-2025-55177, CVE-2026-20637, CVE-2026-20643, CVE-2026-20687, CVE-2026-20690, CVE-2026-20700, CVE-2026-28864, CVE-2026-28865, CVE-2026-28866, CVE-2026-28878, CVE-2026-28880
Technologies: Apple iOS, Apple iPhone, Apple iPod touch, Apple macOS, Apple Safari, Apple tvOS, Apple visionOS, Apple watchOS, Craft CMS, Google Android, Google Chrome, Laravel, Mozilla Firefox
Threat Actors: APT29, APT38, Callisto, Coldriver, DarkMatterGroup, Ghostblade, Ghostknife, Ghostsaber, LazarusGroup, MatrixLLC, PARSDefense, Sandworm, Seaborgium, ShadowBrokers, StarBlizzard, TA446, UNC6353, UNC6691, UNC6748
Attacker Countries: China, Malaysia, North Korea, Russia, Saudi Arabia, Turkey, Ukraine, United States
Attacker IPs: 141[.]105[.]130[.]237, 62[.]72[.]21[.]10, 72[.]60[.]98[.]48
Attacker Domains: 7aac[.]gov[.]ua, api[.]cloud-content-delivery[.]net, backup[.]cloud-content-delivery[.]net, bridetvstreaming[.]org, cdn[.]cdncounter[.]net, cdn[.]cloud-content-delivery[.]net, cdncounter[.]net, cdn[.]uacounter[.]com, count[.]cdncounter[.]net, e5[.]malaymoil[.]com, motorbeylimited[.]com, novosti[.]dn[.]ua, sahibndn[.]io, shapelie[.]com, snapshare[.]chat, sqwas[.]shapelie[.]com, static[.]cdncounter[.]net, uacounter[.]com
Attacker URLs: hxxp[://]sqwas[.]shapelie[.]com[:]8882/stats, hxxps[://]sqwas[.]shapelie[.]com[:]8881/stats, hxxps[://]static[.]cdncounter[.]net/assets/index.html, hxxps[://]static[.]cdncounter[.]net/assets/pe_main.js, hxxps[://]static[.]cdncounter[.]net/assets/rce_loader.js, hxxps[://]static[.]cdncounter[.]net/assets/rce_module_18.6.js, hxxps[://]static[.]cdncounter[.]net/assets/rce_module.js, hxxps[://]static[.]cdncounter[.]net/assets/rce_worker_18.4.js, hxxps[://]static[.]cdncounter[.]net/assets/rce_worker_18.6.js, hxxps[://]static[.]cdncounter[.]net/assets/sbx0_main_18.4.js, hxxps[://]static[.]cdncounter[.]net/assets/sbx1_main.js, hxxps[://]static[.]cdncounter[.]net/pe_main.js, hxxps[://]static[.]cdncounter[.]net/rce_module_18.6.js, hxxps[://]static[.]cdncounter[.]net/rce_module.js, hxxps[://]static[.]cdncounter[.]net/rce_worker_18.4.js, hxxps[://]static[.]cdncounter[.]net/rce_worker_18.6.js, hxxps[://]static[.]cdncounter[.]net/sbx0_main_18.4.js, hxxps[://]static[.]cdncounter[.]net/sbx1_main.js, hxxps[://]static[.]cdncounter[.]net/widget.js, hxxps[://]static[.]cdncounter[.]net/widgets.js?uhfiu27fajf2948fjfefaa42, hxxps[:]//api.cloud-content-delivery.net/v1/, hxxps[:]//backup.cloud-content-delivery.net/v1/, hxxps[:]//cdn.cloud-content-delivery.net/client.js, hxxps[:]//snapshare.chat/frame.html, x-safari-https[:]//snapshare.chat/
Attacker Hashes: 2e5a56beb63f21d9347310412ae6efb29fd3db2d3a3fc0798865a29a3c578d35, 5fa967dbef026679212f1a6ffa68d575, 762045d2fb8cf416129ffce6d02decc3, 7c85d1644804f5a3695e5db537cb2afca7665d9c
Victim Industries: Aerospace, Business Services, Cryptocurrency, Defense, E-commerce, Education, Financial Services, Food & Beverage, Food Processing, Government, Healthcare, Industrials, Industrial Sector, Information Technology, Legal Services, Manufacturing, Media and Entertainment, Multimedia, Nonprofit, Professional, Scientific, and Technical Services, Public Administration, Public Sector, Retail, Security & Surveillance, Social Media, Technology Hardware, Telecommunications, Think Tanks
Victim Countries: Brunei, Cambodia, China, Indonesia, Laos, Malaysia, Myanmar, Philippines, Russia, Saudi Arabia, Singapore, Thailand, Timor-Leste, Turkey, Ukraine, United Kingdom, United States, Vietnam

Mitigation Advice

  • Use your Mobile Device Management (MDM) solution to enforce an immediate update on all corporate iPhones and iPads to iOS 18.7.7 / iPadOS 18.7.7 or newer.
  • Enable Lockdown Mode on iOS devices for high-risk users, such as executives, finance, and IT administrators, to provide an additional layer of protection.
  • Use your vulnerability management or MDM tool to scan for and identify all devices running vulnerable iOS or iPadOS versions between 18.4 and 18.7.
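The version check behind the third item, as an added example (not code from the original digest or from Apple): it parses MDM-reported OS versions numerically, so that "18.10" does not sort below "18.7" the way a string compare would, and buckets devices by the ranges the advisory states (18.4 through 18.7 affected, 18.7.7 fixed, iOS 26 not affected, Lockdown Mode blocks execution). The inventory records and device IDs are constructed, and the field names `version` and `lockdown_mode` are assumptions about an MDM export's shape.

```python
"""Triage an MDM export for iOS/iPadOS builds still exposed to DarkSword.

Added example, not code from the original digest or from Apple. The version
boundaries come from the advisory text; the records are constructed sample data
in a generic MDM-export shape (field names are assumptions).
"""
from __future__ import annotations

FIXED = (18, 7, 7)          # first 18.x build the advisory names as patched
AFFECTED_FROM = (18, 4, 0)  # chain targets 18.4 through 18.7

# Constructed sample inventory (hypothetical device IDs).
SAMPLE_INVENTORY = [
    {"device_id": "dev-001", "version": "18.7.6", "lockdown_mode": False},
    {"device_id": "dev-002", "version": "18.7.7", "lockdown_mode": False},
    {"device_id": "dev-003", "version": "18.4",   "lockdown_mode": True},
    {"device_id": "dev-004", "version": "26.0.1", "lockdown_mode": False},
    {"device_id": "dev-005", "version": "18.3.2", "lockdown_mode": False},
    {"device_id": "dev-006", "version": "",       "lockdown_mode": False},
]


def parse_version(text: str) -> tuple[int, int, int] | None:
    """Convert '18.7' or '18.7.7' to a 3-tuple so comparisons are numeric.

    Returns None for empty or non-numeric input so the caller can route the
    device to manual review instead of silently treating it as safe.
    """
    parts = text.strip().split(".")
    if len(parts) > 3 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def classify(device: dict) -> str:
    """Return 'vulnerable', 'mitigated-lockdown', 'patched', 'outside-range' or 'unknown'."""
    version = parse_version(device.get("version", ""))
    if version is None:
        return "unknown"
    if version < AFFECTED_FROM:
        # Builds before 18.4 fall outside the chain's stated target range.
        return "outside-range"
    if version < FIXED:
        # Lockdown Mode stops the chain from executing, but the device still
        # needs the update, so it gets its own bucket rather than 'patched'.
        return "mitigated-lockdown" if device.get("lockdown_mode") else "vulnerable"
    if version[0] == 18:
        return "patched"            # 18.7.7 or later on the 18 branch
    return "outside-range"          # iOS 26 is not vulnerable per the advisory


def triage(inventory: list[dict]) -> dict[str, list[str]]:
    """Group device IDs by classification. 'vulnerable' plus 'mitigated-lockdown'
    together form the MDM push list for 18.7.7; 'unknown' needs a human look."""
    buckets: dict[str, list[str]] = {}
    for device in inventory:
        buckets.setdefault(classify(device), []).append(device["device_id"])
    return buckets


if __name__ == "__main__":
    for label, ids in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{label:20s} {', '.join(ids)}")
```

Devices reporting an empty or malformed version land in `unknown` on purpose: an inventory gap on a device that may be on 18.4–18.7 should be investigated, not counted as compliant.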

Compliance Best Practices

  • Develop and enforce a strict mobile device update policy that mandates the installation of critical security patches within a defined, short timeframe. Use your MDM platform to automate compliance and restrict network access for non-compliant devices.
  • Establish a formal user risk-profiling program to classify employees based on their roles and data access. Use these risk profiles to apply tiered security controls to their devices automatically.
  • Deploy or enhance a DNS filtering or Secure Web Gateway (SWG) solution to block access to known malicious domains and categories of websites that are frequently compromised.

Sources

https://arstechnica.com/security/2026/03/hundreds-of-millions-of-iphones-can-be-hacked-with-a-new-tool-found-in-the-wild/

https://au.lifehacker.com/apple/117983/news/update-your-iphone-to-protect-yourself-against-darksword-malware

https://au.lifehacker.com/apple/118092/news/you-dont-have-to-update-to-ios-26-to-protect-your-iphone-from-darksword-malware

https://buaq.net/go-403386.html

https://buaq.net/go-403503.html

https://buaq.net/go-403568.html

https://buaq.net/go-403762.html

https://buaq.net/go-404348.html

https://buaq.net/go-407273.html

https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/

https://cyberguy.com/security/darksword-leak-millions-iphone-users-risk/

https://cyberinsider.com/apple-expands-darksword-protections-to-more-iphones-with-ios-18-7-7-update/

https://cyberinsider.com/apple-publishes-security-guidance-in-response-to-darksword-attacks/

https://cyberpress.org/apple-flaws-darksword-ios-attack-chain/

https://cyberpress.org/apple-rolls-out-ios-18-7-7/

https://cyberpress.org/new-ios-exploit-uses-advanced-iphone-hacking/

https://cyberscoop.com/second-ios-exploit-kit-emerges-from-suspected-russian-hackers-using-possible-u-s-government-developed-tools/

https://dataconomy.com/2026/03/23/apple-urges-iphone-updates-to-block-darksword-hacking-tool/

https://exploit-intel.com/vuln/CVE-2025-31277

https://exploit-intel.com/vuln/CVE-2025-43510

https://exploit-intel.com/vuln/CVE-2025-43520

https://gbhackers.com/apple-ios-18-7-7-update-defend-against-darksword-exploit/

https://gbhackers.com/cisa-issues-warning-on-apple-vulnerabilities/

https://gbhackers.com/darksword-exploit-chain-leaked-online/

https://gbhackers.com/new-ios-exploit-uses-advanced-iphone-hacking-tools/

https://hackread.com/apple-pushes-rare-ios-18-patch-darksword-exploit/

https://hackread.com/darksword-iphone-exploit-leaked-online/

https://infosecwriteups.com/the-end-of-just-buy-an-iphone-as-security-advice-eac8f819542f?source=rss----7b722bfd1b8d---4

https://moonlock.com/darkstorm-infostealer-targeting-iphones

https://securityonline.info/active-exploits-cisa-adds-craft-cms-apple-darksword-flaws-kev/

https://securityonline.info/apple-ios-18-7-7-update-darksword-exploit-kit-fix/

https://securityonline.info/unmasking-darksword-gtig-exposes-full-chain-ios-exploit-zero-day/

https://techcrunch.com/2026/03/23/someone-has-publicly-leaked-an-exploit-kit-that-can-hack-millions-of-iphones/

https://techcrunch.com/2026/03/26/a-major-hacking-tool-has-leaked-online-putting-millions-of-iphones-at-risk-heres-what-you-need-to-know/

https://thecyberexpress.com/ios-exploit-kit-dubbed-darksword/

https://thehackernews.com/2026/03/darksword-ios-exploit-kit-uses-6-flaws.html

https://thehackernews.com/2026/04/apple-expands-ios-1877-update-to-more.html

https://www.androidheadlines.com/2026/03/darksword-iphone-malware-leak-millions-at-risk.html

https://www.androidheadlines.com/2026/03/google-found-a-new-iphone-malware-that-can-drain-your-crypto-wallet-without-leaving-a-trace.html

https://www.bleepingcomputer.com/news/security/apple-expands-ios-18-updates-to-more-iphones-to-block-darksword-attacks/

https://www.bleepingcomputer.com/news/security/new-darksword-ios-exploit-used-in-infostealer-attack-on-iphones/

https://www.helpnetsecurity.com/2026/03/19/darksword-ios-exploit-iphone/

https://www.helpnetsecurity.com/2026/04/02/apple-ios-18-darksword-security-updates/

https://www.hendryadrian.com/attackers-wielding-darksword-threaten-ios-users/

https://www.hendryadrian.com/cisa-orders-feds-to-patch-darksword-ios-flaws-exploited-attacks/

https://www.hendryadrian.com/darksword-ios-exploit-kit-used-by-state-sponsored-hackers-spyware-vendors/

https://www.hendryadrian.com/the-proliferation-of-darksword-ios-exploit-chain-adopted-by-multiple-threat-actors-google-cloud-blog/

https://www.infosecurity-magazine.com/news/apple-ios-18-updates-darksword/

https://www.malwarebytes.com/blog/mobile/2026/03/a-darksword-hangs-over-unpatched-iphones

https://www.newsbytesapp.com/news/science/apple-releases-critical-security-update-for-older-iphones-ipads/story

https://www.scworld.com/news/apple-expands-updates-to-ios-18-devices-affected-by-darksword-exploit

https://www.securitylab.ru/news/570569.php

https://www.securitylab.ru/news/570747.php

https://www.securitylab.ru/news/571076.php

https://www.techradar.com/phones/this-ios-18-patch-could-protect-your-device-from-a-vicious-malware-strain-heres-why-you-need-it-now

https://www.techradar.com/pro/security/this-new-darksword-ios-exploit-can-steal-almost-everything-from-your-iphone-heres-what-we-know

https://www.theregister.com/2026/03/18/darksword_exploit_kit_steals_iphone/

https://www.zdnet.com/article/ios-18-darksword-security-patch/

Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS

Fortinet has issued out-of-band patches for CVE-2026-35616, a critical pre-authentication API access bypass vulnerability (CVSS 9.1) impacting FortiClient EMS versions 7.4.5 and 7.4.6. This improper access control flaw (CWE-284) enables an unauthenticated attacker to execute unauthorized code or commands via crafted requests, thereby bypassing API authentication and authorization. Active exploitation of this vulnerability has been confirmed in the wild, with initial exploitation attempts detected on March 31, 2026. Hotfixes are currently available for the affected versions, and a comprehensive patch is expected in the upcoming version 7.4.7. Simo Kohonen of Defused Cyber and Nguyen Duc Anh are credited with discovering and reporting the flaw. This incident occurs shortly after another critical FortiClient EMS vulnerability, CVE-2026-21643 (CVSS 9.1), also came under active exploitation. Organizations are strongly urged to apply the provided hotfixes or update their FortiClient EMS installations without delay to address these significant security risks.

Severity: Critical

Threat Details and IOCs

Malware: SparkRAT, VShell
CVEs: CVE-2026-21643, CVE-2026-35616
Technologies: Fortinet FortiClient EMS, Fortinet FortiClientEMS, Fortinet FortiClient Endpoint Management Server
Victim Industries: Aerospace, Education, Financial Services, Government, Healthcare, Hospitality, Information Technology, IT Services, Managed Service Providers, Manufacturing, Public Sector, Retail, Technology Hardware, Telecommunications, Transportation, Utilities, Utilities & Energy
Victim Countries: Australia, Germany, Italy, New Zealand, Spain, Taiwan, United Kingdom, United States

Mitigation Advice

  • Use asset management systems and network scanners to identify all instances of FortiClient EMS in the environment and determine their software versions.
  • Immediately apply the emergency hotfix provided by Fortinet to all identified FortiClient EMS instances running versions 7.4.5 and 7.4.6.
  • If patching cannot be performed immediately, restrict network access to the FortiClient EMS management interface to only trusted IP addresses and administrative subnets using firewall rules.
  • Review network logs for unusual or crafted API requests targeting FortiClient EMS servers, especially from untrusted or external IP addresses, to identify potential exploitation attempts.
  • Scan FortiClient EMS server logs for indicators of compromise related to unauthorized code execution or command execution, consistent with the impact of CVE-2026-35616.

Compliance Best Practices

  • Develop and enforce a patch management policy that defines specific, accelerated timelines for applying security updates to critical, internet-facing infrastructure, especially for vulnerabilities with evidence of active exploitation.
  • Review and re-architect network configurations to ensure that critical management platforms like FortiClient EMS are not exposed to the public internet and are placed in a secure, segmented management zone.
  • Implement a routine, authenticated vulnerability scanning program that covers all critical infrastructure, including management servers, to proactively identify and prioritize patching before vulnerabilities are actively exploited.
  • Deploy a Web Application Firewall (WAF) in front of critical web-based management interfaces to monitor, filter, and block malicious or anomalous API requests.

Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

A large-scale credential harvesting operation, attributed by Cisco Talos to the threat cluster UAT-10608, has exploited CVE-2025-55182, a critical remote code execution vulnerability (CVSS 10.0) in React Server Components and Next.js App Router. This campaign has compromised at least 766 Next.js hosts across various geographic regions and cloud providers. Initial access is gained by exploiting the vulnerability, followed by the deployment of the NEXUS Listener collection framework. This framework utilizes a multi-phase harvesting script to exfiltrate a wide array of sensitive data, including database credentials, SSH private keys, AWS secrets, shell command history, Stripe API keys, GitHub tokens, environment variables, Kubernetes service account tokens, Docker configurations, API keys for services like OpenAI, Anthropic, NVIDIA NIM, SendGrid, Brevo, Telegram bot tokens, webhook secrets, GitLab tokens, and IAM role-associated temporary credentials from AWS, Google Cloud, and Microsoft Azure. The stolen information is managed via a password-protected web-based graphical user interface, NEXUS Listener V3, which provides operators with statistics on compromised hosts and credential types. The extensive data collected offers significant intelligence for crafting targeted follow-on attacks, social engineering campaigns, or selling access. Organizations are advised to audit environments for least privilege, enable secret scanning, avoid SSH key reuse, implement IMDSv2 enforcement on AWS EC2 instances, and rotate credentials if compromise is suspected.

Severity: Critical

Threat Details and IOCs

Malware: Beacon, Cobalt Strike, Danabot, NEXUS Listener, Shai-Hulud, Sliver, The Second Coming
CVEs: CVE-2017-5941, CVE-2020-36732, CVE-2021-4229, CVE-2023-46233, CVE-2025-55182
Technologies: Amazon Web Services, Apache Maven, crypto-js, Docker, event-stream, Express.js, GitHub, GitLab, Google Cloud Platform, Kubernetes, Linux, Microsoft Entra ID, Node.js, node-serialize, npm, pip, Python, React, ua-parser-js, Vercel Next.js
Threat Actors: HackTask, UAT10608
Attacker Countries: North Korea
Attacker IPs: 144[.]172[.]102[.]88, 144[.]172[.]112[.]136, 144[.]172[.]117[.]112, 172[.]86[.]127[.]128, 2401[:]c080[:]1c01[:]c6[:]5400[:]5ff[:]fec1[:]ccc9, 64[.]176[.]226[.]36
Attacker Domains: git[.]uslab[.]dev, itemnania[.]com, npm[.]hacktask[.]net
Victim Industries: Artificial Intelligence, Business Services, Financial Services, Government, Insurance, Legal Services, Management Consulting, Media and Entertainment, Retail, Semiconductors, Technology Hardware, Telecommunications, Universities
Victim Countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United States

Mitigation Advice

  • Identify all public-facing Next.js applications and immediately patch them to a version that remediates CVE-2025-55182.
  • Hunt for indicators of compromise (IOCs) associated with the 'NEXUS Listener' framework and CVE-2025-55182 exploitation in web server access logs, application logs, and network traffic.
  • Enforce the use of Instance Metadata Service Version 2 (IMDSv2) on all AWS EC2 instances to mitigate credential theft from the metadata service.
  • For any systems found to be vulnerable to CVE-2025-55182, immediately initiate a rotation of all associated secrets, including API keys, database credentials, service account passwords, and SSH keys.
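The IMDSv2 enforcement item, as an added example (not code from Cisco Talos, AWS or the original report): it audits the response shape of boto3's real `ec2.describe_instances()` call for instances that still answer token-less metadata requests, and builds the arguments for the real `ec2.modify_instance_metadata_options()` call that requires IMDSv2. The sample response and instance IDs are constructed, and the dry-run client is a stand-in for a boto3 client so the block runs offline.

```python
"""Audit EC2 metadata options for IMDSv1 exposure and enforce IMDSv2.

Added example, not code from the original report, Cisco Talos or AWS. It works on
the dict shape boto3's describe_instances() returns and emits the keyword
arguments for modify_instance_metadata_options(); the sample data is constructed.
"""
from __future__ import annotations

# Constructed sample in the shape describe_instances() returns (IDs are made up).
SAMPLE_DESCRIBE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111example",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0bbb222example",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333example",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0ddd444example"},   # record with no MetadataOptions block
        ]},
    ]
}


def find_imdsv1_instances(describe_response: dict) -> list[str]:
    """Return IDs of instances whose metadata endpoint still accepts token-less requests.

    Exposed = endpoint enabled and HttpTokens not 'required'. A disabled endpoint
    cannot hand out role credentials at all, so it is skipped. A record missing
    MetadataOptions is treated as exposed so that it is reviewed, not ignored.
    """
    exposed = []
    for reservation in describe_response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            opts = instance.get("MetadataOptions", {})
            endpoint = opts.get("HttpEndpoint", "enabled")
            tokens = opts.get("HttpTokens", "optional")
            if endpoint == "enabled" and tokens != "required":
                exposed.append(instance["InstanceId"])
    return exposed


def enforcement_args(instance_id: str, hop_limit: int = 1) -> dict:
    """Keyword arguments for ec2.modify_instance_metadata_options() requiring IMDSv2.

    HttpTokens='required' makes the service reject a GET that carries no session
    token. A hop limit of 1 keeps the endpoint unreachable through one extra
    network hop (containers routed via the host); it is a common, optional choice.
    """
    return {
        "InstanceId": instance_id,
        "HttpEndpoint": "enabled",
        "HttpTokens": "required",
        "HttpPutResponseHopLimit": hop_limit,
    }


def enforce_imdsv2(ec2_client, describe_response: dict) -> list[str]:
    """Apply enforcement through a boto3-style EC2 client and return the IDs changed.

    The client is injected: pass DryRunClient() to rehearse offline, or
    boto3.client('ec2') to change every exposed instance the audit found.
    """
    changed = []
    for instance_id in find_imdsv1_instances(describe_response):
        ec2_client.modify_instance_metadata_options(**enforcement_args(instance_id))
        changed.append(instance_id)
    return changed


class DryRunClient:
    """Minimal stand-in for boto3's EC2 client; records calls instead of making them."""

    def __init__(self) -> None:
        self.calls: list[dict] = []

    def modify_instance_metadata_options(self, **kwargs):
        self.calls.append(kwargs)
        return {"InstanceId": kwargs["InstanceId"]}


if __name__ == "__main__":
    client = DryRunClient()
    print("would enforce on:", enforce_imdsv2(client, SAMPLE_DESCRIBE_RESPONSE))
    # Live run: import boto3; ec2 = boto3.client("ec2")
    #           enforce_imdsv2(ec2, ec2.describe_instances())
```

Requiring IMDSv2 removes the single-request path to role credentials, but a harvesting script that already has code execution on the host can still complete the PUT-then-GET token handshake, so enforcement narrows the exposure and does not replace the credential rotation the advice above calls for.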

Compliance Best Practices

  • Initiate a recurring audit of all IAM roles and service account permissions in cloud and on-premise environments to enforce the principle of least privilege, ensuring applications only have the minimum access required.
  • Integrate automated secret scanning tools into your CI/CD pipelines and source code repositories to proactively detect and block hardcoded credentials from being committed.
  • Implement a centralized SSH key management solution or policy that enforces regular key rotation, prohibits key reuse across different environments, and logs all access.
  • Develop and maintain a comprehensive, continuously updated inventory of all external-facing software assets and their versions to enable rapid identification of systems vulnerable to newly disclosed exploits.
  • Deploy a Cloud Security Posture Management (CSPM) tool to continuously monitor all cloud environments for misconfigurations, such as overly permissive IAM roles, public S3 buckets, or unenforced IMDSv2.

You’re Not Supposed to ShareFile with Everyone (Progress ShareFile Pre-Auth RCE Chain CVE-2026-2699 CVE-2026-2701)

We discovered a chain of vulnerabilities in Progress ShareFile Storage Zone Controller branch 5.X, specifically version 5.12.3 and earlier, leading to pre-authenticated Remote Code Execution (RCE), resolved in version 5.12.4 on March 10, 2026. The first vulnerability, CVE-2026-2699, is an authentication bypass (CWE-698: Execution After Redirect) in `/ConfigService/Admin.aspx`, where the `httpContext.Response.Redirect(redirectPath, false)` function redirects without terminating page execution, allowing access to the admin panel by removing the HTTP `Location` header. This bypass enables modification of the Storage Zone Controller's configuration, including setting a new passphrase by exploiting a lack of validation for the "Old Passphrase" when changing the "Primary Zone Controller" field. Subsequently, CVE-2026-2701, a post-authentication RCE, becomes achievable: we can set the `Network Share Location` to a webroot directory (e.g., `C:\inetpub\wwwroot\ShareFile\StorageCenter\documentum`) and then upload a ZIP file containing an ASPX webshell to `/upload.aspx` with the `unzip=true` parameter. This upload requires calculating an HMAC-SHA256 signature for the request, which is derived by leaking and decrypting the `TempData2` parameter from `/ConfigService/api/StroageZoneConfig` using the newly set passphrase and a hard-coded salt (`p3510060xfZ2s9`). The webshell is then extracted to the controlled webroot, granting RCE on the approximately 30,000 internet-facing instances of the Storage Zone Controller.

Severity: Critical

Threat Details and IOCs

Malware: Cl0p, Clop, CryptoMix Clop
CVEs: CVE-2026-2699, CVE-2026-2701, CVE-2026-33615
Technologies: Citrix ShareFile, Microsoft ASP.NET, Microsoft Internet Information Services, Microsoft Windows, Microsoft Windows Server, Progress ShareFile Storage Zone Controller, Progress ShareFile Storage Zones Controller
Threat Actors: ATK103, Chimborazo, Clop, DEV-0950, EvilCorp, FIN11, GoldEvergreen, GoldTahoe, GracefulSpider, Hive0065, LaceTempest, SpandexTempest, Ta505
Attacker Domains: sharefile[.]lab[.]local
Attacker URLs: /ConfigService/Admin.aspx, /ConfigService/api/StroageZoneConfig, /ConfigService/api/StroageZoneConfig?&h=, /ConfigService/Login.aspx?callerpage=Admin, /StorageCenter/Upload.aspx, /upload.aspx, /upload.aspx?id=803436333&uploadid=jtrazo53&bp=test&accountid=1&exp=1970804033&h=ARcXg5ZqhVKOrlvNmzXjDeOaJIPHkjXX3OrmVJnB090=
Victim Industries: Accounting, Aerospace, Architecture, Construction, Education, Energy, Financial Services, Government, Healthcare, Human Resources, Insurance, Legal Services, Manufacturing, Professional Services, Public Sector, Real Estate, Retail, Utilities
Victim Countries: Australia, Brazil, Canada, Costa Rica, France, Germany, India, Ireland, Japan, Singapore, United Arab Emirates, United Kingdom, United States

Mitigation Advice

  • Immediately patch all Progress ShareFile Storage Zone Controller 5.x instances to version 5.12.4 or later to mitigate CVE-2026-2699 and CVE-2026-2701.
  • Use a vulnerability scanner or a custom script to send a GET request to `/ConfigService/Admin.aspx` on all ShareFile instances. Flag any system that returns an HTTP 302 status code with a response body larger than 10,000 bytes as vulnerable to CVE-2026-2699.
  • Implement a rule on your Web Application Firewall (WAF) or reverse proxy to block all external access to the `/ConfigService/Admin.aspx` URI on ShareFile Storage Zone Controllers.
  • In your SIEM or log management platform, search IIS logs from ShareFile servers for POST requests to `/upload.aspx` that contain the parameter `unzip=true` originating from external IP addresses.
  • Using an EDR or manual file system search, hunt for recently created or modified `.aspx` files within the IIS webroot directories of your ShareFile Storage Zone Controllers, paying close attention to unexpected subdirectories.
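The IIS log hunt from the fourth item, as an added example (not code from the original advisory or from Progress): it parses IIS W3C extended-format lines using the `#Fields:` directive, flags external-source POSTs to `/upload.aspx` carrying `unzip=true`, and, as an additional signal of my own, flags external GETs to `/ConfigService/Admin.aspx` answered with a 302 whose `sc-bytes` exceeds the advisory's 10,000-byte threshold. The log lines and the internal-network list are constructed; 203.0.113.0/24 (documentation space) plays the external client.

```python
"""Hunt IIS W3C logs from a ShareFile Storage Zone Controller for exploitation signs.

Added example, not code from the original advisory or from Progress. Two checks:
  1. POST to /upload.aspx with unzip=true from an external client (the advisory's item);
  2. GET /ConfigService/Admin.aspx -> 302 with a large sc-bytes from an external client
     (my own extension of the advisory's 10,000-byte scanner heuristic to log data).
The log lines below are constructed; sc-bytes is an optional IIS logging field.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import parse_qs

# Constructed sample log. Real IIS logs replace spaces inside fields with '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status sc-bytes
2026-03-12 10:15:01 10.0.0.5 GET /ConfigService/Login.aspx callerpage=Admin 443 10.0.0.20 Mozilla/5.0 200 5123
2026-03-12 10:15:07 10.0.0.5 GET /ConfigService/Admin.aspx - 443 203.0.113.44 python-requests/2.31 302 48211
2026-03-12 10:16:30 10.0.0.5 POST /upload.aspx id=1&uploadid=x&unzip=true 443 203.0.113.44 python-requests/2.31 200 312
2026-03-12 10:17:02 10.0.0.5 POST /upload.aspx id=1&uploadid=y&unzip=true 443 10.0.0.21 ShareFileStorageCenter 200 312
2026-03-12 10:18:10 10.0.0.5 POST /StorageCenter/Upload.aspx id=1&uploadid=z 443 203.0.113.44 curl/8.0 200 290
2026-03-12 10:19:44 10.0.0.5 GET /ConfigService/Admin.aspx - 443 10.0.0.20 Mozilla/5.0 302 311
"""

LARGE_BODY = 10_000   # advisory threshold: a 302 that still rendered the admin page

# Constructed list of "internal" ranges; replace with your organisation's own.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip_text: str) -> bool:
    """True unless the client address falls inside a known internal range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True   # unparsable client address: surface the line rather than drop it
    return not any(ip in net for net in INTERNAL_NETWORKS)


def parse_w3c(text: str) -> list[dict]:
    """Parse IIS W3C extended format; the #Fields directive names the columns."""
    fields: list[str] = []
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue   # truncated line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def suspicious_requests(text: str) -> list[tuple[str, str]]:
    """Return (reason, summary) pairs for log rows matching either hunt pattern."""
    hits = []
    for row in parse_w3c(text):
        method = row["cs-method"].upper()
        stem = row["cs-uri-stem"].lower()
        query_text = "" if row["cs-uri-query"] == "-" else row["cs-uri-query"]
        query = {k.lower(): [v.lower() for v in vs] for k, vs in parse_qs(query_text).items()}
        client = row["c-ip"]
        bytes_text = row.get("sc-bytes", "0")
        body = int(bytes_text) if bytes_text.isdigit() else 0
        summary = f'{row["date"]} {row["time"]} {client} {row["cs-method"]} {row["cs-uri-stem"]}'

        # endswith() covers both /upload.aspx and /StorageCenter/Upload.aspx from the IOC list.
        if (method == "POST" and stem.endswith("/upload.aspx")
                and "true" in query.get("unzip", []) and is_external(client)):
            hits.append(("external unzip upload", summary))
        elif (method == "GET" and stem == "/configservice/admin.aspx"
                and row["sc-status"] == "302" and body > LARGE_BODY and is_external(client)):
            hits.append(("admin page rendered behind 302 (possible CVE-2026-2699 probe)", summary))
    return hits


if __name__ == "__main__":
    for reason, summary in suspicious_requests(SAMPLE_LOG):
        print(f"[{reason}] {summary}")
```

The internal upload with `unzip=true` (10.0.0.21) is deliberately left unflagged because the advisory scopes the hunt to external sources; widen `INTERNAL_NETWORKS` or drop the `is_external` condition if the controller should never receive unzip uploads from anywhere but known storage-center peers.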

Compliance Best Practices

  • Review network access control lists (ACLs) and firewall rules to restrict all public internet access to administrative interfaces of all applications, including the ShareFile `/ConfigService/` path. These interfaces should only be accessible from a trusted internal management network.
  • Audit and enforce file system permissions for the IIS application pool identity running the ShareFile service. Ensure the account has write access only to designated, non-web-accessible storage directories and read-only access elsewhere.
  • Deploy and configure a File Integrity Monitoring (FIM) solution on web servers to generate high-priority alerts for any file creation or modification events involving script files (e.g., .aspx, .php, .jsp) within any IIS webroot directory.
  • Update the asset inventory to classify all internet-facing file transfer solutions as critical assets. Ensure they are included in the scope of the vulnerability management program for frequent scanning and prioritized patching.

Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools

Qilin and Warlock ransomware operations are employing bring your own vulnerable driver (BYOVD) techniques to neutralize endpoint detection and response (EDR) tools on compromised systems. Qilin attacks deploy a malicious "msimg32.dll" via DLL side-loading, initiating a multi-stage infection that disables over 300 EDR drivers by utilizing "rwdrv.sys" (a renamed "ThrottleStop.sys") for physical memory access and "hlpdrv.sys" to terminate EDR processes, while also evading detection through user-mode hook neutralization and ETW log suppression. This group, frequently gaining initial access via stolen credentials, typically executes ransomware approximately six days post-compromise. Concurrently, the Warlock group, also known as Water Manaul, exploits unpatched Microsoft SharePoint servers and uses a vulnerable "NSecKrnl.sys" driver in BYOVD attacks to terminate security products at the kernel level, replacing previously used drivers, and has expanded its post-exploitation toolkit to include PsExec, RDP Patcher, Velociraptor, Visual Studio Code, Cloudflare Tunnel, Yuze, and Rclone for persistence, lateral movement, and data exfiltration. To counter these threats, organizations should permit only signed drivers from trusted publishers, monitor driver installation events, maintain rigorous patch management, and implement a multi-layered defense focusing on kernel integrity, strict driver governance, and real-time kernel-level activity monitoring.
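The driver-load monitoring the report recommends, as an added example (not code from the original report, Trend Micro or any EDR vendor): it evaluates Sysmon Event ID 6 ("Driver loaded") records, supplied as constructed dicts using Sysmon's real field names (`ImageLoaded`, `Signed`, `Signature`, `SignatureStatus`, `Hashes`), against three signals: a driver file name the report names, a load from outside the usual driver directories, and a missing or invalid signature. The signer names and hash values in the sample are placeholders.

```python
"""Flag Sysmon Event ID 6 driver loads matching the BYOVD patterns in the report.

Added example, not code from the original report or from any vendor. The watchlist
holds only the driver file names the report mentions; sample events are constructed
and their signer names and hashes are placeholders.
"""
from __future__ import annotations

import ntpath

# Driver names called out in the report. Name matching is the weakest signal: the
# report notes rwdrv.sys is a renamed ThrottleStop.sys, so in production pair this
# with a hash-based vulnerable-driver blocklist rather than relying on names.
WATCHLIST = {"rwdrv.sys", "hlpdrv.sys", "nseckrnl.sys", "throttlestop.sys"}

# Where legitimately installed drivers normally live on a Windows host.
EXPECTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

# Constructed Sysmon Event ID 6 records (hashes and signer names are placeholders).
SAMPLE_EVENTS = [
    {"UtcTime": "2026-03-30 02:11:04.120", "ImageLoaded": r"C:\Windows\System32\drivers\rwdrv.sys",
     "Hashes": "SHA256=PLACEHOLDER_A", "Signed": "true",
     "Signature": "Example Utility Vendor", "SignatureStatus": "Valid"},
    {"UtcTime": "2026-03-30 02:11:09.551", "ImageLoaded": r"C:\Users\Public\hlpdrv.sys",
     "Hashes": "SHA256=PLACEHOLDER_B", "Signed": "true",
     "Signature": "Example Utility Vendor", "SignatureStatus": "Valid"},
    {"UtcTime": "2026-03-30 02:12:40.003", "ImageLoaded": r"C:\Windows\System32\drivers\mouclass.sys",
     "Hashes": "SHA256=PLACEHOLDER_C", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"UtcTime": "2026-03-30 02:13:15.770", "ImageLoaded": r"C:\Temp\svc.sys",
     "Hashes": "SHA256=PLACEHOLDER_D", "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
    {"UtcTime": "2026-03-31 09:00:00.000", "ImageLoaded": r"C:\ProgramData\NSecKrnl.sys",
     "Hashes": "SHA256=PLACEHOLDER_E", "Signed": "true",
     "Signature": "Another Example Vendor", "SignatureStatus": "Valid"},
]


def evaluate_driver_load(event: dict) -> list[str]:
    """Return the reasons an Event ID 6 record deserves attention (empty = benign)."""
    reasons = []
    image = event.get("ImageLoaded", "")
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower()

    if name in WATCHLIST:
        reasons.append(f"known BYOVD driver name: {name}")
    if not directory.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append(f"loaded from unusual path: {image}")
    # A valid signature alone is not a pass: the drivers abused here are legitimately
    # signed. The check only catches the crude case of an unsigned or tampered file.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    return reasons


def triage_events(events: list[dict]) -> list[dict]:
    """Attach reasons to each flagged record, keeping the fields an analyst needs."""
    flagged = []
    for event in events:
        reasons = evaluate_driver_load(event)
        if reasons:
            flagged.append({"time": event.get("UtcTime"), "image": event.get("ImageLoaded"),
                            "signer": event.get("Signature"), "hashes": event.get("Hashes"),
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for item in triage_events(SAMPLE_EVENTS):
        print(item["time"], item["image"], "->", "; ".join(item["reasons"]))
```

Because the abused drivers carry valid signatures, the signature check mostly serves to catch sloppier tooling; the durable controls are the ones the report lists, an allow-list of trusted publishers and a hash blocklist of known vulnerable drivers, with this event triage as the detection layer behind them.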

Severity: Critical

Threat Details and IOCs

Malware: Agenda, AgendaCrypt, Akira, Gold Feather, INC, INC Ransom, Makop, Phobos, Qilin, QilinCrypt, Qilin Locker, Shanya, VX Crypt, Warlock, Water Galura, Water Manaul
CVEs: CVE-2019-19781, CVE-2020-1472, CVE-2021-40444, CVE-2022-30190, CVE-2023-27532, CVE-2023-27997, CVE-2023-3519, CVE-2023-48788, CVE-2023-4966, CVE-2024-21762, CVE-2024-27198, CVE-2024-55591, CVE-2025-31324, CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771, CVE-2025-68947, CVE-2025-7771
Technologies: Citrix ADC, Citrix Gateway, Fortinet, Fortinet FortiGate, Fortinet FortiOS, Fortinet FortiProxy, JetBrains TeamCity, Linux, Microsoft 365, Microsoft Defender Antivirus, Microsoft Remote Desktop Services, Microsoft SharePoint, Microsoft Windows, Microsoft Windows Active Directory, NetScaler ADC, ThrottleStop, Veeam Backup & Replication, VMware ESXi, VMware vCenter Server, Zoho Mail
Threat Actors: Agenda, Akira, Qilin, Shanya, Storm1567, Warlock, WaterManaul
Attacker Countries: China, North Korea, Russia, South Korea
Attacker IPs: 185[.]196[.]10[.]19, 185[.]208[.]156[.]157, 80[.]64[.]16[.]87
Attacker Domains: cloudflariz[.]com, ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion
Attacker URLs: hxxp[://]ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion/site/view?uuid=05d0168e-d612-372f-a138-a539c20e6af6, hxxp[://]ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion/site/view?uuid=06958e37-9494-3cfc-9691-dbff2c1b7b15, hxxp[://]ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion/site/view?uuid=09fe0944-ef5f-3d12-ba5b-e92f45f8ac7f, hxxp[://]ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion/site/view?uuid=0f0c766b-df6a-3ed3-9625-37491ef4fbb1, hxxp[://]ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion/site/view?uuid=13772aa6-e17d-3ee8-b66f-841127db4a6d, hxxp[://]ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion/site/view?uuid=160ec3c5-325f-3383-9efb-54ce9d41cca7, hxxp[://]ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion/site/view?uuid=172a0c0b-0e11-3dca-9679-be3c35f7b51d, hxxp[://]ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion/site/view?uuid=24434a9c-41ad-3c65-8b43-75b90b9e2724, hxxp[://]ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion/site/view?uuid=260adced-0f52-3b82-a41f-7c33f3f84547, hxxp[://]ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion/site/view?uuid=29384992-7b2b-358c-93a4-09c370558db3, hxxp[://]ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion/site/view?uuid=2f25268a-eb51-3665-8e2f-2f2281c18069, hxxp[://]ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion/site/view?uuid=2fec27e5-785a-3ed9-9df1-9e2c21deffb8, hxxp[://]ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion/site/view?uuid=30582aba-6b50-39a0-aae2-54d423e3b33a, hxxp[://]ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion/site/view?uuid=3105a8f7-027c-354f-a788-85b0fa50640d, hxxp[://]ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion/site/view?uuid=394b2ad0-70c2-3671-be11-c905d0b35773, 
Victim Industries: Administrative and Support Services, Aerospace, Agriculture, Architecture, Arts & Culture, Automation, Automotive, Broadcasting, Business Services, Cloud Infrastructure, Construction, Consumer Packaged Goods, Consumer Services, Defense, Defense Contractor, Education, Energy, Financial Services, Food & Beverage, Food Distribution, Food Processing, Government, Healthcare, Health Care Technology, Hospitality, Industrials, Information Security, IT and DevOps, Logistics, Manufacturing, Maritime, Media & Publishing, Medical Technology, Nonprofit, Oil & Gas, Professional, Scientific, and Technical Services, Professional Services, Real Estate, Retail, Security Services, Technology Hardware, Telecommunications, Trade, Transportation, Travel & Tourism, Utilities, Wholesale & Distribution
Victim Countries: Aruba, Australia, Austria, Bangladesh, Belgium, Brazil, Canada, China, Colombia, Egypt, France, Germany, Indonesia, Ireland, Israel, Italy, Japan, Malaysia, Netherlands, New Zealand, Panama, Peru, Saudi Arabia, Serbia, Singapore, Slovakia, South Korea, Spain, Sweden, Switzerland, Taiwan, Thailand, United Arab Emirates, United Kingdom, United States

Mitigation Advice

  • Immediately apply all available security patches to on-premises Microsoft SharePoint servers to mitigate the initial access vector used by the Warlock ransomware group.
  • Use your EDR or SIEM to scan endpoints and logs for the presence of the malicious file 'msimg32.dll', particularly in relation to DLL side-loading events.
  • Use your EDR or SIEM to hunt for the presence or loading of the driver file 'rwdrv.sys' or 'ThrottleStop.sys' on endpoints.
  • Use your EDR or SIEM to hunt for the presence or loading of the driver file 'hlpdrv.sys' on endpoints.
  • Use your EDR or SIEM to hunt for the presence or loading of the vulnerable driver file 'NSecKrnl.sys' on endpoints.
  • Review endpoint and network logs for suspicious or unauthorized execution of PsExec, especially if originating from non-administrative workstations.
  • Monitor network traffic and endpoint processes for unauthorized use of Rclone or large, unexpected data transfers to external cloud storage providers.
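
The hunts in the list above share one shape: match loaded drivers, loaded DLLs and created processes against a short list of file names and expected paths. The following is an added example, not code from the bulletin or from any vendor: a small Python triage script that runs those checks over an exported, newline-delimited JSON log. Field names follow Sysmon's DriverLoad (6), ImageLoad (7) and ProcessCreate (1) events, but the JSON layout and every sample event are constructed for the example.

```python
import json

# Indicators named in the bulletin's mitigation advice, lower-cased for matching.
WATCHED_DRIVERS = {"rwdrv.sys", "throttlestop.sys", "hlpdrv.sys", "nseckrnl.sys"}
WATCHED_TOOLS = {"psexec.exe", "psexec64.exe", "rclone.exe"}
# Directories where a genuine msimg32.dll lives; a load from anywhere else is a
# side-loading candidate (a rogue copy dropped beside a trusted executable).
MSIMG32_HOMES = {r"c:\windows\system32", r"c:\windows\syswow64"}

def split_path(path):
    """Return (directory, filename) of a Windows path, both lower-cased."""
    directory, _, name = path.replace("/", "\\").lower().rpartition("\\")
    return directory, name

def classify(event):
    """Map one Sysmon-style event dict to a finding string, or None if benign.
    Event IDs follow Sysmon: 1 ProcessCreate, 6 DriverLoad, 7 ImageLoad."""
    eid = event.get("EventID")
    directory, name = split_path(event.get("ImageLoaded") or event.get("Image") or "")
    if eid == 6 and name in WATCHED_DRIVERS:
        return f"driver-load {name}"
    if eid == 7 and name == "msimg32.dll" and directory not in MSIMG32_HOMES:
        return f"side-load msimg32.dll from {directory}"
    if eid == 1 and name in WATCHED_TOOLS:
        return f"tool-exec {name}"
    return None

def hunt(json_lines):
    """Run classify() over newline-delimited JSON events; return (host, finding) pairs."""
    findings = []
    for line in json_lines:
        event = json.loads(line)
        finding = classify(event)
        if finding:
            findings.append((event.get("Computer", "?"), finding))
    return findings

# Constructed sample export: three expected hits and two benign events.
SAMPLE_LOG = [
    '{"EventID": 6, "Computer": "WS-12", "ImageLoaded": "C:\\\\Temp\\\\rwdrv.sys"}',
    '{"EventID": 7, "Computer": "WS-12", "ImageLoaded": "C:\\\\Users\\\\Public\\\\msimg32.dll"}',
    '{"EventID": 7, "Computer": "WS-07", "ImageLoaded": "C:\\\\Windows\\\\System32\\\\msimg32.dll"}',
    '{"EventID": 1, "Computer": "SRV-01", "Image": "C:\\\\Tools\\\\rclone.exe"}',
    '{"EventID": 1, "Computer": "SRV-01", "Image": "C:\\\\Windows\\\\explorer.exe"}',
]

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_LOG):
        print(host, finding)
```

A real SIEM query would add the bullet's context (PsExec from non-administrative workstations, Rclone with large outbound transfers); the file-name and path checks here are the part that carries straight into an EDR or Sysmon rule.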

Compliance Best Practices

  • Develop and implement a strict driver governance policy using application control or endpoint security features to allow only signed drivers from an explicit list of trusted publishers.
  • Configure and tune your EDR solution to generate high-priority alerts for suspicious kernel-level activities, such as a process attempting to unload or disable security agent drivers.
  • Enforce multi-factor authentication (MFA) for all remote access, privileged accounts, and critical system logins to mitigate credential theft.
  • Establish and enforce a rigorous patch management policy to ensure all operating systems, applications, and security tools are updated within a defined timeframe.
  • Implement network segmentation to isolate critical servers from general user workstations, restricting east-west traffic to prevent attackers from moving laterally across the network.
  • Configure firewall egress filtering rules to block or alert on traffic to known anonymizing services and unexpected destinations or ports to disrupt command-and-control communications.
Authors & Contributors

Brian Sayer (Author)

Threat Intelligence Analyst, F5