Weekly security intelligence digest covering the most critical vulnerabilities, threats, and breach news from the past week.


🚨 Critical: CISA Known Exploited Vulnerabilities

These vulnerabilities are being actively exploited in the wild. Immediate action required.

CVE-2026-34197: Apache ActiveMQ Improper Input Validation Vulnerability

Vendor/Product: Apache ActiveMQ

Description: Apache ActiveMQ contains an improper input validation vulnerability that allows for code injection.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-04-30

Reference: CVE-2026-34197 - NVD

Expert take: ActiveMQ keeps showing up in these lists, and it’s going to keep showing up until orgs stop running unpatched message brokers exposed to the network. This one allows code injection via bad input validation — meaning an attacker can push malicious payloads through the broker without much friction. If you’re running ActiveMQ in any capacity, especially in a hybrid cloud setup, check your version right now. The blast radius here is wide because message brokers sit in the middle of a lot of internal traffic. You have until April 30 — don’t wait until the 29th.


CVE-2009-0238: Microsoft Office Remote Code Execution

Vendor/Product: Microsoft Office

Description: Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-04-28

Reference: CVE-2009-0238 - NVD

Expert take: This CVE is from 2009. And it’s on the active exploitation list in 2026. That tells you everything you need to know about legacy software risk. Attackers are still finding unpatched Office installations — in enterprise environments, in OT networks, in places where people assumed nobody was looking. A malformed Excel file is a low-barrier delivery method. Phishing is still the easiest path in. If your org has any systems running older Office versions without this patch, that’s not a legacy risk — that’s an open door. The deadline is April 28, which is Monday. Get this done.


CVE-2026-32201: Microsoft SharePoint Server Improper Input Validation Vulnerability

Vendor/Product: Microsoft SharePoint Server

Description: Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-04-28

Reference: CVE-2026-32201 - NVD

Expert take: SharePoint spoofing vulnerabilities are particularly nasty in M365-heavy environments because SharePoint is treated as a trusted internal platform. Users don’t second-guess links or content that comes from it. An attacker who can spoof over the network via SharePoint can craft convincing internal-looking content — fake document approval flows, credential harvesting pages, social engineering hooks that bypass user skepticism. Patch first, then audit who has external sharing enabled and whether any SharePoint sites are accidentally internet-facing. Also a deadline of April 28 — same as the Excel CVE above.


📰 This Week’s Security News

Vercel confirms breach as hackers claim to be selling stolen data

Cloud development platform Vercel has disclosed a security incident after threat actors claimed to have breached its systems and are attempting to sell stolen data.

Read more: Vercel confirms breach as hackers claim to be selling stolen data

Expert take: Cloud development platforms are high-value targets because what’s sitting in them is often code, environment variables, API keys, and secrets — not just files. If Vercel data is being sold, the downstream risk isn’t just for Vercel — it’s for every app built and deployed on the platform. If your team uses Vercel, rotate any secrets stored in project environment variables, audit your deployment configurations, and check whether any production credentials were embedded somewhere they shouldn’t be. This is a good reminder that your CI/CD pipeline and deployment platform are part of your attack surface, not separate from it.


Payouts King ransomware uses QEMU VMs to bypass endpoint security

The Payouts King ransomware is using the QEMU emulator to run hidden virtual machines on compromised systems; the VM acts as a reverse SSH backdoor and lets the operators bypass endpoint security.

Read more: Payouts King ransomware uses QEMU VMs to bypass endpoint security

Expert take: Worth paying attention to because of the technique, not just the threat actor. Running a hidden VM inside a compromised host to create a reverse SSH tunnel is a way to bypass endpoint detection tools that watch the host OS. Your EDR doesn’t see inside the VM. Network monitoring might catch unusual outbound SSH if it’s tuned right, but most environments aren’t watching for QEMU process spawning as an indicator. If you’re not monitoring for unexpected hypervisor or virtualization processes on endpoints that have no business running them — that’s a detection gap worth addressing. Add QEMU and related process names to your alert rules now, before you need them.
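One way to close the detection gap described above, as an added example that is not from the article or any vendor product: a small hunt rule that reads process-creation events, flags hypervisor or emulator binaries on hosts that are not on an assumed allowlist, and raises severity when the binary runs from a user-writable temp path. The event format, process list, hostnames and allowlist are all constructed for the example.

```python
import re

# Hypervisor and emulator process names to hunt for. Constructed list for this
# example (not indicators from the article); extend it to match your tooling.
HYPERVISOR_IMAGES = {
    "qemu-system-x86_64", "qemu-system-i386", "qemu-system-aarch64",
    "qemu-img", "qemu-nbd", "vmware-vmx", "virtualboxvm", "vboxheadless",
}
# Assumed allowlist: hosts with a legitimate reason to run virtual machines.
EXPECTED_VM_HOSTS = {"dev-lab-01", "build-hv-02"}
# Heuristic: a hypervisor launched from a user-writable or temp path is worse.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "/tmp/", "/dev/shm/")

# Constructed process-creation events in a simple key=value form; Sysmon
# event 1, auditd EXECVE records or EDR telemetry carry the same fields.
SAMPLE_EVENTS = [
    'host=ws-042 user=jsmith pid=4123 ppid=880 image=C:\\Users\\jsmith\\AppData\\Local\\Temp\\qemu-system-x86_64.exe',
    'host=dev-lab-01 user=svc-build pid=2210 ppid=1 image=/usr/bin/qemu-system-x86_64',
    'host=ws-017 user=mlee pid=5512 ppid=3301 image="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"',
    'host=ws-101 user=dkim pid=3390 ppid=1200 image="C:\\Program Files\\qemu\\qemu-system-aarch64.exe"',
    'host=fin-srv-03 user=SYSTEM pid=7788 ppid=4 image=C:\\Users\\Public\\vboxheadless.exe',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def image_basename(path):
    """Lower-cased executable name without directory or .exe suffix."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def evaluate(event):
    """Return an alert for unexpected hypervisor activity, or None."""
    name = image_basename(event.get("image", ""))
    if name not in HYPERVISOR_IMAGES or event.get("host") in EXPECTED_VM_HOSTS:
        return None
    severity = "high" if any(d in event["image"].lower() for d in SUSPICIOUS_DIRS) else "medium"
    return {"host": event["host"], "pid": int(event["pid"]), "image": name, "severity": severity}

def hunt(lines):
    """Run every event through the rule and keep the alerts, in input order."""
    return [a for a in (evaluate(parse_event(line)) for line in lines) if a]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The allowlisted lab host and the Excel process produce no alert; the two hypervisors running from Temp and Users\Public come out as high, the one under Program Files on a non-allowlisted workstation as medium.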


NAKIVO v11.2: Ransomware Defense, Faster Replication, vSphere 9, and Proxmox VE 9.0 Support

NAKIVO Inc. announced the general availability of NAKIVO Backup & Replication v11.2, focused on fast, reliable, and proactive data protection.

Read more: NAKIVO v11.2: Ransomware Defense, Faster Replication, vSphere 9, and Proxmox VE 9.0 Support

Expert take: Not a threat, but relevant. Ransomware defense improvements in backup tooling matter because backups are consistently the last line of defense when everything else fails. If your backup solution isn’t actively hardened against ransomware — immutable storage, air-gapping, write-once policies — you’re one encryption event away from a bad recovery conversation. Worth checking what version you’re on and whether the new features apply to your environment.


✅ What You Should Do This Week

  • Immediate: Patch CVE-2026-34197, CVE-2009-0238, and CVE-2026-32201 — two of these deadlines land on Monday April 28
  • Verify: Check your systems against the CISA KEV catalog
  • Monitor: Review Azure AD sign-in logs for suspicious activity
  • Audit: Verify MFA is enforced for all privileged accounts
  • Hunt: Add QEMU and hypervisor process names to your endpoint alert rules
  • Rotate: If your team uses Vercel, rotate secrets and audit environment variables now
  • Backup: Test your disaster recovery procedures
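For the "Verify" item above, an added example (not from the digest or from CISA) of checking scanner findings against the KEV catalog and ordering the hits by CISA due date. The catalog excerpt is constructed in the feed's JSON shape using only the three entries in this digest, the asset names and findings are constructed, and the live feed is referenced but not downloaded so the script runs offline.

```python
import json
from datetime import date

# Live catalog location (public feed); not fetched here so the example runs offline.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed excerpt in the KEV feed's JSON shape, limited to the three
# entries in this digest and the fields the check below needs.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2026-34197", "vendorProject": "Apache", "product": "ActiveMQ", "dueDate": "2026-04-30"},
  {"cveID": "CVE-2009-0238", "vendorProject": "Microsoft", "product": "Office", "dueDate": "2026-04-28"},
  {"cveID": "CVE-2026-32201", "vendorProject": "Microsoft", "product": "SharePoint Server", "dueDate": "2026-04-28"}
]}""")

# Constructed scanner output: (asset, CVE) pairs. The last CVE is a placeholder
# that is deliberately absent from the catalog.
FINDINGS = [
    ("mq-broker-01", "CVE-2026-34197"),
    ("fin-ws-114", "CVE-2009-0238"),
    ("sp-app-02", "CVE-2026-32201"),
    ("web-07", "CVE-0000-00000"),
]

def index_kev(feed):
    """Map cveID -> catalog entry for direct lookups."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}

def prioritize(feed, findings, today_iso):
    """Keep only findings that are in KEV; sort by CISA due date, earliest first."""
    kev = index_kev(feed)
    today = date.fromisoformat(today_iso)
    rows = []
    for asset, cve in findings:
        entry = kev.get(cve)
        if entry is None:
            continue                      # not in KEV: normal patch cadence applies
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "asset": asset, "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": due.isoformat(), "days_left": (due - today).days,
            "overdue": due < today,
        })
    return sorted(rows, key=lambda r: (r["due"], r["asset"]))

if __name__ == "__main__":
    for row in prioritize(KEV_SAMPLE, FINDINGS, date.today().isoformat()):
        print(row)
```

Swap KEV_SAMPLE for the parsed live feed and FINDINGS for your scanner export, and the output is the patch queue in deadline order with overdue items flagged.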



GRC Vitrix provides cloud security and compliance intelligence for financial services professionals. This digest is curated from publicly available sources including CISA, Microsoft MSRC, and industry news.