Monthly Threat Brief: April 2026

Monthly Threat Brief: What Shaped Cyber Risk in April 2026

Cyber risk in April wasn't defined by a single event; it was shaped by patterns. Across environments, attackers are continuing to shift how they operate, leaning into trusted tools, valid access, and speed. This month's developments highlight a clear reality: the attack surface isn't just expanding, it's blending into normal business activity in ways that are harder to detect and easier to overlook. Here's what stood out.

Social Engineering Is Moving Into Everyday Tools

Phishing hasn't gone away; it's just changed form. Instead of relying solely on email, attackers are now initiating conversations through platforms employees already trust, like collaboration and messaging tools. By impersonating internal IT or helpdesk personnel, they're able to guide users into launching legitimate remote support tools and granting access themselves. Because these interactions happen in familiar environments and follow what looks like normal workflow,…


Critical Path Security Advisory: Defending Against Attacks from Compromised Networks

This advisory details steps organizations can take to defend against attacks originating from large, dynamic networks of compromised devices, based on guidance from the National Cyber Security Centre (NCSC). The recommendations are tailored to organizational size and risk level.

All Organizations: The NCSC recommends mapping and understanding your network edge devices to gain a clear understanding of organizational assets and expected connections. General good cyber security practices should also be followed.

Larger or More At-Risk Organizations: For organizations facing higher risk, consider these more comprehensive measures, either in-house or through a security provider:
Apply IP address allow lists instead of deny lists for connections to corporate VPNs for remote workers.
Use geographic allow lists, or profile incoming connections based on operating system, time zones, and/or organization-specific system configuration settings.
Implement zero trust policies for connections.
Enforce machine certificates for Secure Sockets Layer (SSL) connections.
Reduce the internet-facing presence of your IT…


Fortinet FortiClient EMS – Unauthenticated Remote Code Execution (CVE-2026-35616)

Critical Security Bulletin
Fortinet FortiClient EMS - Unauthenticated Remote Code Execution (CVE-2026-35616)
Advisory: Fortinet PSIRT FG-IR-26-099
Published: April 4, 2026
Severity: Critical (CVSS 9.1-9.8)
Status: Active exploitation observed

Executive Summary
A critical vulnerability in Fortinet FortiClient EMS (Endpoint Management Server) allows unauthenticated remote attackers to execute arbitrary code via crafted API requests. This issue, tracked as CVE-2026-35616, stems from improper access control in exposed API functionality and requires no authentication or user interaction. Active exploitation has already been observed in the wild, elevating this from a patching priority to an immediate incident response concern.

Technical Overview
Vulnerability Type: Improper Access Control (CWE-284)
Attack Vector: Network (remote, unauthenticated)
Component: FortiClient EMS API
Attack Complexity: Low
Privileges Required: None
User Interaction: None
The flaw allows attackers to bypass API authentication controls and submit crafted requests that execute arbitrary code on the EMS server.

Root Cause
Failure to properly enforce authentication and authorization checks within API endpoints…


CVE-2026-32987: Privilege Escalation in OpenClaw via Bootstrap Code Replay

Security Bulletin
CVE-2026-32987 - OpenClaw Bootstrap Code Replay Leading to Administrative Access

Overview
CVE-2026-32987 is a critical vulnerability affecting OpenClaw that allows an unauthenticated attacker to achieve full administrative access through repeated replay of bootstrap pairing codes. The issue stems from improper enforcement of single-use validation during the device onboarding process. This allows an attacker to reuse a valid bootstrap code multiple times and progressively escalate privileges. This vulnerability is network exploitable, requires no authentication, and does not require user interaction.

Affected Systems
OpenClaw versions prior to 2026.3.13
Any environment leveraging OpenClaw for device onboarding or orchestration should be considered at risk if not fully patched.

Severity Assessment
CVSS Classification: Critical
Attack Vector: Network
Authentication Required: None
User Interaction: None
Impact: Full administrative compromise
This vulnerability provides a direct path to operator.admin-level access, effectively granting complete control of the platform.

Technical Details
The vulnerability is categorized under:
CWE-294: Authentication Bypass…
