Threat Intelligence Report
Report Date: 2026-04-15
This report summarizes exploited vulnerabilities, major emerging CVEs, campaign-related activity, and vendor concentration trends observed over the last 7 days.
Top KEVs
Most important exploited vulnerabilities added to the KEV catalog during the reporting window.
- CVE-2026-21643 – Fortinet FortiClient EMS | CVSS 9.8 | Ransomware Use: No
- CVE-2009-0238 – Microsoft Office | CVSS 8.8 | Ransomware Use: No
- CVE-2023-21529 – Microsoft Exchange Server | CVSS 8.8 | Ransomware Use: No
- CVE-2026-34621 – Adobe Acrobat and Reader | CVSS 8.6 | Ransomware Use: No
- CVE-2012-1854 – Microsoft Visual Basic for Applications (VBA) | CVSS 7.8 | Ransomware Use: No
- CVE-2025-60710 – Microsoft Windows | CVSS 7.8 | Ransomware Use: No
- CVE-2023-36424 – Microsoft Windows | CVSS 7.8 | Ransomware Use: No
Major CVEs
High-severity recent CVEs not yet represented in KEV but worth monitoring closely.
- CVE-2025-52221 – tenda | CVSS 9.8 (CRITICAL) | Published: 2026-04-08
- CVE-2026-2942 – Unknown Vendor | CVSS 9.8 (CRITICAL) | Published: 2026-04-08
- CVE-2026-31017 – frappe | CVSS 9.1 (CRITICAL) | Published: 2026-04-08
Active Campaigns
Recent campaign-oriented activity and advisory content from selected threat and advisory sources.
- SANS ISC – ISC Stormcast For Wednesday, April 15th, 2026 https://isc.sans.edu/podcastdetail/9892 (Wed, Apr 15th)
- SANS ISC – Scanning for AI Models (Tue, Apr 14th)
  Starting March 10, 2026, my DShield sensor started getting probes for various AI models such as claude, openclaw, huggingface, etc. Reviewing the data already reported by other DShield sensors to ISC, the DShield database…
- SANS ISC – Microsoft Patch Tuesday April 2026 (Tue, Apr 14th)
  This month's Microsoft Patch Tuesday looks like a record one, but let's look at it a bit closer to understand what is happening
- SANS ISC – ISC Stormcast For Tuesday, April 14th, 2026 https://isc.sans.edu/podcastdetail/9890 (Tue, Apr 14th)
- SANS ISC – Scans for EncystPHP Webshell (Mon, Apr 13th)
  Last week, I wrote about attackers scanning for various webshells, hoping to find some that do not require authentication or others that use well-known credentials. But some attackers are paying attention and are deployi…
Vendor-Specific Risks
Vendors showing the strongest concentration of exploited vulnerabilities, major CVEs, or campaign mentions.
- Microsoft – KEVs: 5, Major CVEs: 0, Campaign Mentions: 1
- Adobe – KEVs: 1, Major CVEs: 0, Campaign Mentions: 0
- Fortinet – KEVs: 1, Major CVEs: 0, Campaign Mentions: 0
- frappe – KEVs: 0, Major CVEs: 1, Campaign Mentions: 0
- tenda – KEVs: 0, Major CVEs: 1, Campaign Mentions: 0