This Week in Brief
The week opened with Microsoft’s largest Patch Tuesday on record, 167 fixes including two actively exploited zero-days. It closed with Iran re-asserting control of the Strait of Hormuz after the US refused to drop its naval blockade. Healthcare ransomware kept grinding, and a former FBI cyber chief proposed treating hospital ransomware as terrorism. In AI, the first natively trained 1.58-bit model at 8B parameters shipped, a structural shift in what local inference costs.
Security
SharePoint Zero-Day Lands in CISA KEV
CVE-2026-32201 (CVSS 6.5) is an input-validation flaw in SharePoint Server that allows an unauthenticated attacker to perform spoofing over the network. Microsoft patched it in the April 15 cumulative release, CISA added it to the Known Exploited Vulnerabilities catalog the same week, and federal agencies have an April 28 remediation deadline. The CVSS number undersells it: pre-auth exploitation against a product that ransomware actors already hunt is a priority patch whatever the scoring rubric says.
SAP Business Planning SQL Injection
CVE-2026-27681 (CVSS 9.9) lands on SAP Business Planning and Consolidation plus SAP Business Warehouse. A low-privileged user uploads a file carrying arbitrary SQL, and the database executes it. Data extraction, deletion, and corruption are all on the table. If your SAP environment has any kind of self-service upload surface, patch now and audit what has gone through it.
April Patch Tuesday in Context
Microsoft addressed between 161 and 167 flaws depending on how you count associated advisories, the second-largest single release from Redmond ever. Two zero-days were in active exploitation at release. Adobe, SAP, and Fortinet all had critical updates land in the same window. The volume matters: patch cycles need budgeted time this month, not a weekend sprint.
Hospital Ransomware Keeps Compounding
Three healthcare incidents ran through the week’s news cycle:
- Signature Healthcare / Brockton Hospital (Massachusetts) — Anubis ransomware crew claimed responsibility April 9 for the April 6 attack. Patients turned away from chemotherapy infusions. Downtime procedures were projected to run two weeks.
- ACN Healthcare — Lynx ransomware named April 10.
- ChipSoft (Netherlands) — the vendor behind HiX, the electronic patient record system at 70 to 80 percent of Dutch hospitals. Eleven hospitals disconnected their systems following the April 7 attack. As of mid-week no group had claimed it. Unclaimed ransomware against this much of a country’s healthcare plumbing is a different shape of problem: it suggests either coordination discipline or state-adjacent actors playing quieter.
On April 21, a former FBI cyber official publicly proposed applying terrorism designations to ransomware actors targeting hospitals and life-safety infrastructure. Policy response catching up with reality.
AI Platform: Ternary Arrives at 8B
On April 16, PrismML released Ternary Bonsai 8B, a natively 1.58-bit trained model at 1.75 GB, trained end-to-end with ternary weights {-1, 0, +1} across every layer rather than quantized down from a higher-precision starting point. It benchmarked at 27 tokens per second on iPhone 17 Pro Max. The security implication: cheaper-to-run 8B-class models expand both defender and attacker capability, and the attacker ROI on local inference keeps improving. Ollama still does not support BitNet-format weights natively (ollama#10337); BitNet.cpp remains the runtime. Expect that gap to close this quarter.
Conflicts
Hormuz Re-Shut After a Five-Day Gesture
Trump accepted Pakistan’s April 7 ceasefire proposal, and Iran agreed to open the Strait of Hormuz as a confidence measure during the truce covering Lebanon. On April 17, Iran announced commercial vessel passage would resume. On April 18, after the US declined to lift its naval blockade against Iranian-flagged shipping, Iran reasserted control. The five days between gesture and withdrawal tell the shape of this negotiation. Trump on April 20 called extension of the ceasefire “highly unlikely,” and dispatched negotiators to Pakistan for what he framed as Iran’s last chance.
Oil markets have pulled back somewhat on the ceasefire announcement, but the blockade is still functionally in place and shipping insurers are pricing the risk accordingly.
Ukraine-Russia: Easter Held the Name, Not the Line
Each side accused the other of breaching the Orthodox Easter ceasefire that took effect April 11. OCHA reported at least a dozen civilian deaths and 140 injuries across Donetsk, Kherson, and Sumy in the four days following. US-brokered Ukraine-Russia talks have stalled while the administration focuses on Iran. Russia’s spring offensive has gained local tactical ground without producing operational-level gains; Donbas remains beyond reach for 2026 at current tempo.
DOJ Epstein Archive
The Transparency Act pipeline crossed 171,436 PDFs in our local mirror this week, with fresh pulls underway on DataSet 10 as we write (several thousand new files tonight). Known-figure hit counts as of the evening report:
- rod-larsen: 657
- jagland: 383
- ehnbom: 237
- andersson-dubin: 12
- Mona Juul: 7
No new tracked-figure hits this week from the text scanner, but the archive continues to grow and the Nordic OCR scanner on image-heavy files is still being tuned.
By the Numbers
| Category | This Week |
|---|---|
| Microsoft April 2026 Patch Tuesday CVEs | 161-167 |
| Actively-exploited zero-days at release | 2 |
| SAP CVE-2026-27681 CVSS | 9.9 |
| Hospitals disconnected (Netherlands, ChipSoft fallout) | 11 |
| Days between Hormuz re-opening and re-closing | ~1 |
| OCHA-reported civilian deaths, Ukraine ceasefire window | 12+ |
| DOJ PDFs in local archive | 171,436+ |
| Ternary Bonsai 8B memory footprint | 1.75 GB |
What to Do This Week
- Patch SharePoint (CVE-2026-32201) before April 28. CISA KEV deadline, pre-auth exploitation in the wild.
- Patch SAP BPC and BW (CVE-2026-27681). If you allow any user-supplied file intake into the platform, audit what went through since the vulnerability was disclosed.
- Work through Microsoft April Patch Tuesday systematically. 167 flaws across Microsoft alone is a budget-the-week problem, not a weekend one. Add Adobe, SAP, Fortinet.
- Healthcare readers: assume ransomware targets your electronic record vendor, not just you directly. ChipSoft and Signature Healthcare show the vendor-side blast radius is the story now.
FTRCRP Security Digest, published weekly. Sources: FTRCRP evidence pipeline (scam monitor, DOJ tracker), open-source reporting (The Hacker News, SecurityWeek, HIPAA Journal, Al Jazeera, Reuters, BleepingComputer). Week 17, 2026-04-22