Weekly security intelligence digest covering the most critical vulnerabilities, threats, and breach news from the past week.


🚨 Critical: CISA Known Exploited Vulnerabilities

These vulnerabilities are being actively exploited in the wild. Immediate action required.

CVE-2026-1340: Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability

Vendor/Product: Ivanti Endpoint Manager Mobile (EPMM)

Description: Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-04-11

Reference: CVE-2026-1340 - NVD

Expert take: Ivanti keeps showing up on the CISA KEV list and this one’s bad — unauthenticated RCE means an attacker doesn’t even need credentials to own the device. If you’re running EPMM in a financial services environment, this isn’t a “patch it next sprint” situation. It should already be done. The CISA due date was April 11th, so if you haven’t applied mitigations yet, that’s the first thing to do Monday morning. If patching isn’t immediately possible, isolate the system from internet exposure and restrict access while you work through it. And honestly, if this product keeps appearing on these lists, it’s worth having a broader conversation about whether it’s the right tool for your environment.


📰 This Week’s Security News

Critical Marimo pre-auth RCE flaw now under active exploitation

A critical pre-authentication remote code execution (RCE) vulnerability in Marimo is now under active exploitation, leveraged for credential theft.

Read more: Critical Marimo pre-auth RCE flaw now under active exploitation

Expert take: Marimo is a Python notebook tool — the kind of thing that often runs on developer machines or internal data platforms and gets treated like a low-risk internal tool. That’s exactly why this is worth paying attention to. Pre-auth RCE means there’s no barrier at all for an attacker if the service is exposed. If your teams use Marimo for data analysis or internal workflows, check whether it’s internet-facing or accessible outside your VPN. It probably shouldn’t be. Patch it, restrict it, or both.


Nearly 4,000 US industrial devices exposed to Iranian cyberattacks

The attack surface targeted by Iranian-linked hackers in cyberattacks against U.S. critical infrastructure networks includes thousands of Internet-exposed programmable logic controllers (PLCs).

Read more: Nearly 4,000 US industrial devices exposed to Iranian cyberattacks

Expert take: PLCs running directly on the internet is a problem that shouldn’t exist in 2026, and yet here we are. These are operational technology (OT) devices — they control physical processes. Once compromised, the impact goes well beyond data theft. For financial services firms, the direct exposure risk is lower, but the indirect risk is real: third-party vendors, data center infrastructure, and utilities that your operations depend on could all be in scope. If you haven’t already mapped your OT and ICS dependencies in your vendor risk program, this is a good week to start that conversation.


Microsoft: Canadian employees targeted in payroll pirate attacks

A financially motivated threat actor tracked as Storm-2755 is stealing Canadian employees’ salary payments after hijacking their accounts in payroll pirate attacks.

Read more: Microsoft: Canadian employees targeted in payroll pirate attacks

Expert take: This one’s directly relevant if you’re in Canadian financial services or managing a team here. Storm-2755 is going after payroll — direct deposit details, HR platform access, anything that lets them redirect salary payments. The attack chain typically starts with phishing or credential stuffing, then pivots to HR or payroll systems once they’re in. So the controls that matter here are MFA on HR and payroll platforms (not just email), monitoring for changes to banking details, and making sure employees know what a payroll-redirect phishing attempt looks like. It’s a financially targeted attack and it works because these systems are often less protected than the corporate network itself.


✅ What You Should Do This Week

  • Immediate: Patch CVE-2026-1340 (actively exploited)
  • Verify: Check your systems against the CISA KEV catalog
  • Monitor: Review Azure AD sign-in logs for suspicious activity, especially any changes to MFA methods or direct deposit/banking info
  • Audit: Verify MFA is enforced for all privileged accounts — and specifically for HR and payroll platforms
  • Backup: Test your disaster recovery procedures
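One way to operationalise the Monitor and Audit items above for the Storm-2755 payroll scenario, as an added example that is not from the digest or from Microsoft: correlate MFA-method registration changes and sign-ins from unfamiliar countries with direct-deposit changes on the payroll platform. The event field names, the 48-hour window and all sample events are constructed assumptions, loosely modelled on Entra ID sign-in/audit logs and a hypothetical HR platform audit trail.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=48)  # how far back to correlate from a banking change


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample events, not real logs. Field names are assumptions loosely
# modelled on Entra ID sign-in/audit logs and a hypothetical HR platform trail.
SIGNINS = [
    {"user": "alice", "ts": "2026-03-20T09:00:00", "country": "CA"},  # baseline
    {"user": "alice", "ts": "2026-04-06T09:02:00", "country": "CA"},
    {"user": "alice", "ts": "2026-04-07T03:41:00", "country": "NG"},  # unfamiliar
    {"user": "bob",   "ts": "2026-03-15T08:00:00", "country": "CA"},  # baseline
    {"user": "bob",   "ts": "2026-04-07T08:15:00", "country": "CA"},
    {"user": "carol", "ts": "2026-03-10T08:00:00", "country": "CA"},  # baseline
    {"user": "carol", "ts": "2026-04-07T09:30:00", "country": "CA"},
]
MFA_CHANGES = [  # "User registered security info"-style audit entries
    {"user": "alice", "ts": "2026-04-07T03:50:00"},
    {"user": "bob",   "ts": "2026-03-01T10:00:00"},  # old, outside the window
    {"user": "carol", "ts": "2026-04-06T12:00:00"},
]
BANK_CHANGES = [  # direct-deposit detail updates from the HR/payroll platform
    {"user": "alice", "ts": "2026-04-07T04:05:00"},
    {"user": "bob",   "ts": "2026-04-07T09:00:00"},
    {"user": "carol", "ts": "2026-04-07T10:00:00"},
]


def baseline_countries(signins, user, before):
    """Countries the user signed in from earlier than WINDOW before `before`."""
    return {s["country"] for s in signins
            if s["user"] == user and ts(s["ts"]) < before - WINDOW}


def score_bank_changes(signins=SIGNINS, mfa=MFA_CHANGES, bank=BANK_CHANGES):
    """Return {user: severity} for banking changes that look like account takeover."""
    findings = {}
    for b in bank:
        user, when = b["user"], ts(b["ts"])
        in_window = lambda e: when - WINDOW <= ts(e["ts"]) <= when
        recent_mfa = [m for m in mfa if m["user"] == user and in_window(m)]
        known = baseline_countries(signins, user, when)
        odd_signin = [s for s in signins if s["user"] == user and in_window(s)
                      and s["country"] not in known]
        if recent_mfa and odd_signin:
            findings[user] = "high"    # new MFA method + unusual location + new bank details
        elif recent_mfa or odd_signin:
            findings[user] = "medium"  # one precursor only; still worth a call to the employee
    return findings
```

Running `score_bank_changes()` on the sample data flags alice as high and carol as medium; bob's MFA change is outside the window and his sign-ins match his baseline, so he is not reported.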



GRC Vitrix provides cloud security and compliance intelligence for financial services professionals. This digest is curated from publicly available sources including CISA, Microsoft MSRC, and industry news.