Security Digest

Blockades and Breaches

This Week in Brief

A Fortinet zero-day giving attackers full endpoint control. Trump’s naval blockade of Iran. An Easter ceasefire in Ukraine that didn’t hold. Week 15 brought the pressure.


Security

FortiClient EMS Zero-Day — Patch Now

CVE-2026-35616 (CVSS 9.1) is a pre-authentication API bypass in FortiClient EMS, actively exploited since March 31 — before public disclosure. An unauthenticated attacker can execute code on the EMS server, push malicious policies, and move laterally. CISA added it to KEV on April 6 with a remediation deadline of April 9. Hotfixes available for 7.4.5 and 7.4.6. If you run Fortinet endpoint management, this is your top priority.

Adobe Acrobat Reader Zero-Day

CVE-2026-34621 (CVSS 8.6) — a critical flaw in Acrobat Reader, exploited in the wild since December 2025 but only patched this week. Malicious JavaScript executes when opening crafted PDFs. Update immediately.

Flowise AI Platform — Maximum Severity

CVE-2025-59528 (CVSS 10.0) — a code injection vulnerability in Flowise, the open-source AI workflow platform. Allows remote code execution. If your organisation uses Flowise for AI pipelines, patch or take offline.

Marimo RCE — Exploited Within Hours

CVE-2026-39987 hit the Marimo Python notebook platform and was exploited within 10 hours of public disclosure. The speed of weaponisation continues to accelerate.

CPUID Website Compromised

The website hosting CPU-Z and HWMonitor was compromised to serve malicious executables containing the STX RAT trojan. If you downloaded CPUID tools recently, verify checksums.

APT37 on Facebook

North Korean group APT37 launched a social engineering campaign via Facebook, delivering the RokRAT remote access trojan through multi-stage infection chains.

Ransomware Roundup

  • ChipSoft (Netherlands) — targeted by ransomware on April 7, confirmed by Z-CERT. ChipSoft provides healthcare IT systems across Dutch hospitals.
  • Gritman Medical Center (Idaho) — ransomware caused outages across multiple clinic locations.
  • SongTrivia — 2.9 million accounts exposed including auth tokens and passwords, data published on breach forums.
  • NightSpire emerged as a new ransomware group using multi-stage execution and EDR-killing techniques.
  • LockBit 5.0 has claimed 207 victims since platform launch, targeting manufacturing, healthcare, government, and construction.

AI as Attack Surface (continued)

Anthropic restricted its Mythos Preview model after it was found autonomously discovering and exploiting zero-day vulnerabilities across operating systems and browsers. The AI-finding-zero-days scenario is no longer theoretical.


Conflicts

Iran-US: Ceasefire to Blockade in One Week

The week started with a ceasefire announcement (April 7-8) — Trump accepted Pakistan’s proposal, Iran agreed to open the Strait of Hormuz. By April 9, neither side was implementing. Iran accused the US and Israel of violations in Lebanon. The Islamabad talks collapsed. By April 13, Trump announced a full naval blockade of Iran. One week, from ceasefire to blockade. Oil markets are reacting.

Ukraine-Russia: Easter Ceasefire That Wasn’t

Both sides agreed to a 32-hour Orthodox Easter ceasefire starting April 11. Both sides immediately accused the other of violations. “Relative calm” was the best description — which says everything about the baseline. Russia has now suffered an estimated 1,000,000 military casualties. Ukraine’s drone strikes have taken out 40% of Russia’s western oil export capacity. Trump and Zelenskyy reportedly agree on 90-95% of a peace proposal.


By the Numbers

Category                                   This Week
Fortinet CVE-2026-35616                    CVSS 9.1
Flowise CVE-2025-59528                     CVSS 10.0
Marimo exploit time after disclosure       10 hours
LockBit 5.0 victims (2026 YTD)             207
Iran ceasefire duration before collapse    ~48 hours
Russian military casualties (est.)         1,000,000

What to Do This Week

  1. Patch FortiClient EMS — CVE-2026-35616 is pre-auth RCE. If you run Fortinet endpoint management, this is critical.
  2. Update Adobe Acrobat Reader — CVE-2026-34621 has been exploited since December.
  3. Audit AI tool deployments — Flowise (CVSS 10.0) and the Anthropic Mythos incident show AI platforms are now active targets.
  4. Verify CPUID downloads — if you grabbed CPU-Z or HWMonitor recently, check your sources.
  5. Monitor supply chains — ransomware groups are increasingly targeting healthcare IT providers (ChipSoft, Gritman).

FTRCRP Security Digest — published weekly. Sources: FTRCRP evidence pipeline, HAL intelligence feeds, open-source reporting. Week 15 · 2026-04-14