SharePoint zero-day actively exploited, Storm-1175 names your MSP toolstack in its Medusa ransomware targeting list, and DarkSword lands on GitHub
April Patch Tuesday shipped 167 fixes including an actively exploited SharePoint zero-day and Outlook preview-pane RCEs that need no user click; Microsoft published a full threat actor profile on Storm-1175, a Medusa ransomware affiliate whose confirmed exploit inventory includes Exchange, ConnectWise ScreenConnect, SimpleHelp, BeyondTrust, and PaperCut; CISA added Apache ActiveMQ's thirteen-year-old unauthenticated RCE to the KEV catalog; Apple pushed DarkSword patches to most iPhones as the kit appeared on GitHub; a Cisco baseboard management controller auth bypass gives attackers hardware-level access below your EDR's line of sight; and April's Patch Tuesday silently flipped Kerberos RC4 enforcement on every domain controller you just patched, with July as the final deadline to clear dependencies before rollback is no longer possible.
Patch today
Items with immediate action required.
- CVE-2026-32201 in Microsoft SharePoint actively exploited; Office Word and Excel RCEs trigger through the Outlook preview pane in the same cycle
Deploy April Patch Tuesday to production now. The SharePoint zero-day is under active exploitation and the Office preview-pane RCEs require no user action beyond receiving an email.
Why it matters: April's Patch Tuesday is the second-largest in Microsoft's history at 167 vulnerabilities, which matters less as a number than as a pattern: the actively exploited zero-day this cycle is CVE-2026-32201, an improper input validation flaw in Microsoft SharePoint Server (on-premises, all supported editions) that allows an unauthenticated attacker to perform spoofing over the network with no user interaction required. Microsoft confirmed exploitation in the wild; CISA listed it April 14 with a federal remediation deadline of April 28. If you run on-premises SharePoint, that flaw is the urgent item. If you do not, the broader concern in this cycle is the set of Word and Excel RCEs (CVE-2026-33114, CVE-2026-33115, CVE-2026-32190) that fire through Outlook's reading pane without requiring a user to open the attachment. Preview it, trigger it. That is every inbox in every tenant you manage. Separately: CVE-2026-33825, an elevation-of-privilege flaw in the Microsoft Defender Antimalware Platform, was publicly disclosed before the patch shipped. Defender updates automatically to version 4.18.26050.3011, which addresses it, but only if you have not blocked automatic Defender definition updates in your RMM or endpoint policy.
What to do: If you staged a pilot ring last week per issue 001, promote to production this week. If you skipped the pilot, send to production now; the confirmed exploitation of CVE-2026-32201 removes the usual buffer. For on-premises SharePoint (Server 2016, 2019, and Subscription Edition), apply the April Cumulative Update through WSUS or your RMM and then pull the SharePoint ULS logs for anomalous activity since April 1: look for unexpected admin account creation, permission changes, and file modifications in site collection audit logs. For the Outlook preview-pane RCEs: confirm your Microsoft 365 Apps update channel is current. Monthly Enterprise Channel should be on Version 2503 or later; Semi-Annual Channel (Targeted) should be on 2502. For Defender: run a spot check on a sample of endpoints to confirm the Antimalware Platform is on 4.18.26050.3011 or later. If any endpoints are behind, check whether your RMM policy or a GPO is holding back signature updates.
- CVE-2026-34197 in Apache ActiveMQ, unauthenticated RCE via the Jolokia management endpoint, CISA KEV listed April 16 with April 30 deadline
If you run ActiveMQ, upgrade to 5.19.4 or 6.2.3 before April 30 and firewall the Jolokia endpoint today. If you are not sure whether you run it, find out before reading the next item.
Why it matters: CVE-2026-34197 is a code injection flaw in Apache ActiveMQ Classic that sat undetected in the Jolokia management API for thirteen years. An attacker who can reach the Jolokia endpoint sends a crafted management operation that instructs the broker to fetch a remote configuration file and execute operating system commands. No credentials required. CISA added it to the KEV catalog on April 16 with an April 30 federal remediation deadline. ActiveMQ is a popular message broker, but it also appears as a bundled dependency in integration platforms (Apache Camel, older WSO2, some MuleSoft configurations) and legacy automation middleware in places that do not obviously announce 'we run a message broker.' The SMB practitioner relevance here is exactly that ambiguity: the systems most likely to be running an exposed Jolokia endpoint are the ones nobody is actively monitoring.
What to do: Search your asset inventory for ActiveMQ deployments. If your inventory does not surface it definitively, scan your server fleet for port 8161 (the default ActiveMQ web console and Jolokia API port). Upgrade to Apache ActiveMQ 5.19.4 if on the 5.x line, or 6.2.3 if on the 6.x line. If you cannot patch immediately, block external access to the /api/jolokia path on ports 8161 and 8162 at the firewall or reverse proxy. Then review the Jolokia endpoint access logs for the configConfMo method called against the aaaUser object class since March 1; that specific call pattern is the exploitation signature published by Horizon3.ai. Any match in the logs is an incident.
- CVE-2023-21529 in Microsoft Exchange Server KEV-listed April 13, weaponized by Storm-1175 in Medusa ransomware attacks; MSP toolstack is in the confirmed exploit inventory
Patch on-premises Exchange this week. More importantly, cross-reference the Storm-1175 exploit inventory against every internet-facing tool you run for clients, because several of them are on the list.
Why it matters: On April 6, Microsoft published a detailed threat actor profile on Storm-1175, a China-based financially motivated group operating as a Medusa ransomware affiliate. The profile is worth reading in full, but the summary for MSPs is this: Storm-1175 has confirmed exploitation of more than sixteen vulnerabilities across ten products, and the list reads like a managed service provider's infrastructure diagram. ConnectWise ScreenConnect (CVE-2024-1709), SimpleHelp (CVE-2024-57726, CVE-2024-57727, CVE-2024-57728), BeyondTrust Remote Support (CVE-2026-1731), PaperCut (CVE-2023-27350, CVE-2023-27351), Ivanti Connect Secure, JetBrains TeamCity, CrushFTP, and GoAnywhere MFT are all documented. Microsoft Exchange is also on the list via CVE-2023-21529, a deserialization RCE that CISA KEV-listed April 13 with a federal deadline of April 27 after Microsoft confirmed Storm-1175 is actively weaponizing it. The operational tempo is the part that changes the calculus: Microsoft documented Storm-1175 moving from initial access to Medusa ransomware deployment in under twenty-four hours in multiple observed cases, and exploiting some vulnerabilities as zero-days a week before public disclosure. The window between a patch dropping and Storm-1175 having a working exploit is, in several documented instances, measured in days.
What to do: For on-premises Exchange Server (2016, 2019, and Subscription Edition), apply the April 2026 Cumulative Update through WSUS or your RMM if you have not already deployed Patch Tuesday this cycle. CVE-2023-21529 requires an authenticated attacker, so also confirm that Exchange PowerShell remoting and OWA are not exposed directly to the internet without a reverse proxy or VPN requirement in front of them; Storm-1175 has previously chained Exchange OWA exposure with follow-on RCE. Then pull your internet-facing tool inventory and check each against the Storm-1175 CVE list: ConnectWise ScreenConnect should be on 23.9.8 or later to clear CVE-2024-1709; SimpleHelp should be on 5.3.9 or later to clear the three SimpleHelp CVEs; BeyondTrust Remote Support should be on the February 2026 patch for CVE-2026-1731; PaperCut NG/MF should be on 22.1.3 or later for both PaperCut CVEs. If any of those are internet-reachable and unpatched, that is the priority before Exchange. Finally, review your Microsoft Sentinel or Defender XDR alerts for Storm-1175 indicators; Microsoft published the full indicator set alongside the April 6 threat actor profile.
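Added example (not from this newsletter or any vendor) that does the cross-reference the three items above ask for: it checks a constructed asset inventory against the minimum versions stated in the text, the Defender Antimalware Platform floor from the Patch Tuesday item, the ActiveMQ 5.x and 6.x floors, and the ScreenConnect, SimpleHelp and PaperCut floors from the Storm-1175 list. Hostnames and versions in SAMPLE_INVENTORY are made up, and the branch-aware matching generalises the two ActiveMQ lines to any product with per-branch fixes.

```python
import re
def parse_version(v: str) -> tuple:
    """'4.18.26050.3011' -> (4, 18, 26050, 3011), so tuples compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

# (product, major branch or None, minimum version stated in this issue, CVEs cleared)
FLOORS = [
    ("connectwise screenconnect", None, "23.9.8", "CVE-2024-1709"),
    ("simplehelp", None, "5.3.9", "CVE-2024-57726/57727/57728"),
    ("papercut ng/mf", None, "22.1.3", "CVE-2023-27350/27351"),
    ("apache activemq", 5, "5.19.4", "CVE-2026-34197"),
    ("apache activemq", 6, "6.2.3", "CVE-2026-34197"),
    ("defender antimalware platform", None, "4.18.26050.3011", "CVE-2026-33825"),
]

def floor_for(product: str, version: str):
    """Floor for this product; branch-specific floors (ActiveMQ 5.x vs 6.x) match on the major."""
    major = parse_version(version)[0]
    for name, branch, minimum, cves in FLOORS:
        if name == product.lower() and branch in (None, major):
            return minimum, cves
    return None  # nothing stated in this issue, e.g. ActiveMQ 7.x or an unlisted product

def assess(assets):
    """assets: (host, product, version, internet_facing) -> (host, product, status, note), worst first."""
    rows = []
    for host, product, version, internet_facing in assets:
        found = floor_for(product, version)
        if found is None:
            rows.append((host, product, "unknown", "not covered here; check the vendor advisory"))
            continue
        minimum, cves = found
        if parse_version(version) >= parse_version(minimum):
            rows.append((host, product, "ok", f"{version} >= {minimum}"))
        else:
            status = "critical" if internet_facing else "high"  # internet-reachable and unpatched first
            rows.append((host, product, status, f"{version} < {minimum} ({cves})"))
    order = {"critical": 0, "high": 1, "unknown": 2, "ok": 3}
    return sorted(rows, key=lambda r: order[r[2]])

# Constructed inventory (hostnames and versions made up for the example)
SAMPLE_INVENTORY = [
    ("srv-rmm01", "ConnectWise ScreenConnect", "23.9.6", True),
    ("srv-mq01", "Apache ActiveMQ", "5.18.3", True),
    ("srv-mq02", "Apache ActiveMQ", "6.2.3", False),
    ("srv-print01", "PaperCut NG/MF", "22.1.4", False),
    ("ws-101", "Defender Antimalware Platform", "4.18.25110.2", False),
    ("srv-app01", "Some Legacy App", "1.0", True),
]
```

Feed it your RMM export in the same four-column shape; anything rated critical is the item the text says to fix before Exchange.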
This week
Worth investigating this week but not today.
- DarkSword iOS exploit kit published on GitHub; Apple expanded iOS 18.7.7 coverage to most iPhones April 1
Push iOS 18.7.7 through your MDM this week with a hard compliance deadline. The toolkit that was nation-state-only six months ago is now public.
Why it matters: DarkSword is a drive-by watering hole exploit kit targeting iOS 18.4 through 18.7. A user on a vulnerable device visits a legitimate but compromised website; no tap, no download, no confirmation prompt is required. State-sponsored groups have been using it against targets in Malaysia, Saudi Arabia, Turkey, and Ukraine since July 2025, deploying backdoors and a persistent dataminer. In early April, the kit was posted publicly to GitHub. That is the inflection point: a tool that required significant resources to operate six months ago is now available to anyone with a repository search and an afternoon. Apple expanded iOS 18.7.7 availability to nearly all supported iPhone and iPad models on April 1. Approximately 25 percent of iPhone users remained on iOS 18 as of February, which is a large unpatched population heading into a period where exploitation tooling is newly accessible.
What to do: If you manage iOS and iPadOS devices through Jamf Pro, Microsoft Intune, or another MDM, create or update your OS enforcement policy to require iOS 18.7.7 (or iOS 26.x, which has been protected since 2025) with a grace period of seven days and a hard block at fourteen. For BYOD fleets without MDM enforcement, send a notification today with the specific path (Settings > General > Software Update), the plain-English risk (a publicly available tool can take over unpatched iPhones through ordinary websites with no user interaction), and a compliance deadline. Check your MDM compliance dashboard the following week and follow up individually with any devices still below 18.7.7. Devices on iOS 26.x require no action.
Monthly or quarterly review
Add to longer-term planning cycles.
- CVE-2026-20833 Kerberos RC4 enforcement is already live on your domain controllers; the July deadline removes the rollback option permanently
April Patch Tuesday flipped phase 2 enforcement on every domain controller you just patched. If you have not audited RC4 dependencies since January, do it before July removes your ability to roll back.
Why it matters: This one is easy to miss because it arrived inside a Patch Tuesday cycle rather than as a standalone advisory, and because the phase 1 audit mode that shipped in January did not break anything. Phase 2 is different. With April's cumulative update installed, Windows domain controllers now default to AES-SHA1 for all Kerberos ticket issuance on accounts that do not have an explicit msDS-SupportedEncryptionTypes attribute set. RC4 connections from non-compliant devices are blocked, not just logged. Manual rollback to audit mode is still possible through the RC4DefaultDisablementPhase registry value, but that option disappears entirely when July's update ships. The SMB relevance is specific: the things most likely to break are not workstations. They are NAS devices (Synology, QNAP, older NetApp), print servers, Linux and macOS clients using older Kerberos libraries, service accounts that inherited default encryption settings at creation and have never been touched since, and FSLogix profile storage over SMB in AVD environments. None of those announce themselves; you find them through the KDCSVC events that have been logging on your domain controllers since January. The underlying vulnerability, CVE-2026-20833, is a Kerberoasting information disclosure flaw: RC4-encrypted service tickets can be cracked offline by an attacker with a standard domain account and a GPU, recovering service account passwords without triggering a single alert. Modern hardware can test billions of RC4 keys per second. AES-256 reduces that to thousands. Unless a password is exceptionally long, RC4 is effectively a staged credential handoff to the next Kerberoasting campaign.
What to do: On a domain controller, open Event Viewer and filter the System log for KDCSVC source, event IDs 201 through 209. These have been accumulating since January if you deployed that update. Event 205 means a service account has no AES keys configured; event 207 means a client is requesting RC4 only. Export those events and build a remediation list from them. For each affected service account, set the msDS-SupportedEncryptionTypes attribute to 24 (AES-128 and AES-256) in ADUC or via Set-ADUser; then reset the account password (net user /domain) or re-join the device so that new AES keys are generated. For NAS and appliance dependencies, check vendor firmware release notes; most major NAS vendors shipped AES Kerberos support in 2022 or later, and you are likely one firmware update away. For any legacy application that genuinely cannot support AES, set msDS-SupportedEncryptionTypes to 28 on that specific service account to explicitly permit RC4 as a documented exception, and note it in your exceptions register; that configuration survives July enforcement. Complete remediation and pilot testing before the July Windows update cycle. After July, there is no rollback path.
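Added example, not Microsoft's tooling, for the remediation list described above: it turns a constructed, simplified export of KDCSVC events 205 and 207 into per-account and per-client actions and computes the msDS-SupportedEncryptionTypes values the text names (24, and 28 only for an account recorded in the exceptions register). The three-column export format and the account and host names are assumptions; a real Event Viewer export carries more columns, so adapt the split.

```python
from collections import Counter

# msDS-SupportedEncryptionTypes bit flags; the text's 24 = AES128|AES256, 28 adds RC4.
DES_CRC, DES_MD5, RC4_HMAC, AES128, AES256 = 1, 2, 4, 8, 16
FLAG_NAMES = {DES_CRC: "DES-CBC-CRC", DES_MD5: "DES-CBC-MD5", RC4_HMAC: "RC4-HMAC",
              AES128: "AES128-CTS-HMAC-SHA1-96", AES256: "AES256-CTS-HMAC-SHA1-96"}

def decode_enctypes(value: int) -> list:
    """Human-readable view of an msDS-SupportedEncryptionTypes value (0/unset = inherit defaults)."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]

def target_enctypes(documented_rc4_exception: bool) -> int:
    """24 for the normal AES-only fix; 28 only for an account recorded in the exceptions register."""
    return AES128 | AES256 | (RC4_HMAC if documented_rc4_exception else 0)

# Constructed export, one event per line: "<EventID>\t<ServiceAccount>\t<ClientName>".
# Names are made up; the meaning of 205 and 207 follows the text above.
SAMPLE_EXPORT = """\
205\tsvc-backup\t-
207\t-\tnas-syn01
205\tsvc-backup\t-
207\t-\tprn-legacy01
205\tsvc-legacy\t-
201\t-\t-
"""

def triage(export: str, rc4_exceptions=frozenset()):
    """Build the remediation list: {name: action} keyed by service account (205) or client (207),
    plus a per-event-ID count so you can see how much is still logging."""
    actions, counts = {}, Counter()
    for line in export.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 3:
            continue  # skip header or blank lines in the export
        event_id, account, client = parts
        counts[event_id] += 1
        if event_id == "205":  # service account has no AES keys
            value = target_enctypes(account in rc4_exceptions)
            actions[account] = (f"set msDS-SupportedEncryptionTypes={value} "
                                f"({'+'.join(decode_enctypes(value))}), then reset the password")
        elif event_id == "207":  # client asked for RC4 only
            actions[client] = "RC4-only client: update firmware/Kerberos libraries before July"
    return actions, dict(counts)
```

Re-run it against a fresh export after each remediation round; the 205/207 counts should fall to zero before the July update cycle.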
Microsoft KB: Managing Kerberos RC4 changes for CVE-2026-20833