ENKVA #003 — RMM tools back on the KEV catalog
Sources
- Lead (SimpleHelp advisory, fixed versions 5.5.8 / 5.4.10 / 5.3.9): …security-vulnerabilities-01-2025 (URL truncated in source)
- Brief 1 (Checkmarx supply-chain campaign, compromised version 2026.4.0, window April 22 5:57 PM to 7:30 PM ET): https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html
- Brief 2 (Namecheap status update, TCP 2083/2087 block, April 28 timeline): https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026/
- Brief 3 (Chrome stable 147.0.7727.137/138, 30 security fixes, four Critical use-after-frees): https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html
- Brief 4 (Microsoft Defender LPE, CVSS 7.8, fixed in 4.18.26030.3011): https://nvd.nist.gov/vuln/detail/CVE-2026-33825
- Brief 5 (Windows Shell spoofing, CVSS 4.3): https://nvd.nist.gov/vuln/detail/CVE-2026-32202
- Brief 6 (Marimo pre-auth RCE, CVSS 9.8 / v4.0 9.3): https://nvd.nist.gov/vuln/detail/CVE-2026-39987
- Brief 7 (Samsung MagicINFO 9 path traversal, CVSS 8.8, fixed in 21.1050): https://nvd.nist.gov/vuln/detail/CVE-2024-7399
- Brief 8 (Autopatch update risk visibility report, week of April 27): https://learn.microsoft.com/en-us/mem/intune/fundamentals/whats-new
- Brief 9 (built-in alert tuning rules GA, AIAgentsInfo extension, predictive shielding status preview): https://learn.microsoft.com/en-us/defender-xdr/whats-new
- Brief 10 (Sentinel UEBA for CloudTrail launch, April 28): https://www.microsoft.com/en-us/security/blog/2026/04/28/simplifying-aws-defense-microsoft-sentinel-ueba/
- Brief 11 (community-reported KB5083769 regressions on Windows 11 25H2): https://www.reddit.com/r/msp/comments/1sy9tbh/kb5083769_april_2026_patch_tuesday_causing/
CISA added three remote-management vulnerabilities to its Known Exploited Vulnerabilities catalog this week — and all three live in tools that MSPs use to manage client endpoints. ConnectWise ScreenConnect picked up CVE-2024-1708 (path traversal, CVSS 8.4) on April 28. SimpleHelp picked up CVE-2024-57726 (missing authorization, CVSS 9.9) and CVE-2024-57728 (path traversal, CVSS 7.2) on April 24. None of the CVEs are new — all three were disclosed in 2024 or early 2025 — but KEV inclusion is CISA's signal that exploitation in the wild is now confirmed and the agency is recommending a remediation deadline.
If you run either platform on-premises, this is the same-week patch list:
- ScreenConnect 23.9.7 and earlier → upgrade to 23.9.8 or later. ConnectWise's security bulletin describes the upgrade path for off-maintenance partners (2.1 → 2.5 → 3.1 → 4.4 → 5.4 → 19.2 → 22.8 → 23.3 → 23.9.8) and notes that ConnectWise-hosted cloud instances were remediated on the vendor side. CISA due date: May 12, 2026.
- SimpleHelp 5.5.7 and earlier → upgrade to 5.5.8 (or apply the 5.4.10 / 5.3.9 patches if you can't move to the 5.5 branch). The SimpleHelp advisory covers all three CVEs in the bundle and recommends rotating administrator and technician passwords on top of the upgrade. CISA due date: May 8, 2026.
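The SimpleHelp target depends on which branch a server is on (5.5.8, or the 5.4.10 / 5.3.9 back-ports), so a plain "greater than X" check gets the 5.4 and 5.3 servers wrong. The script below is an added example, not ConnectWise or SimpleHelp code: it encodes the fixed versions from the two bullets above as per-branch rules and runs an inventory through them. The hostnames and installed versions in FLEET are constructed; the same rule table takes the other version gates in this issue (Chrome, Defender platform, Marimo, MagicINFO) as extra entries.

```python
"""Fleet version gate for the ScreenConnect / SimpleHelp targets above.

Added example, not vendor code. Fixed versions are the ones in this issue;
the fleet records at the bottom are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# Per product: (branch, first fixed version in that branch). The branch is a
# tuple of leading version components; an empty branch () matches everything
# and must come last, so it acts as the default target.
FIXED: Dict[str, List[Tuple[Tuple[int, ...], str]]] = {
    # 23.9.7 and earlier vulnerable -> 23.9.8 or later
    "screenconnect": [((), "23.9.8")],
    # 5.5.7 and earlier vulnerable -> 5.5.8, or the 5.4.10 / 5.3.9 back-ports
    "simplehelp": [((5, 4), "5.4.10"), ((5, 3), "5.3.9"), ((), "5.5.8")],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'23.9.8' -> (23, 9, 8). Non-numeric tails (build tags) are dropped."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def required_version(product: str, installed: str) -> str:
    """First fixed version that the installed build's branch must reach."""
    rules = FIXED[product.lower()]
    v = parse_version(installed)
    for branch, fixed in rules:
        if v[: len(branch)] == branch:
            return fixed
    raise ValueError(f"no default rule for {product}")


def is_patched(product: str, installed: str) -> bool:
    target = required_version(product, installed)
    return parse_version(installed) >= parse_version(target)


def audit(fleet: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """(host, product, installed, required) for every host that still needs the patch."""
    return [
        (host, product, installed, required_version(product, installed))
        for host, product, installed in fleet
        if not is_patched(product, installed)
    ]


# Constructed sample inventory; hostnames and build strings are made up.
FLEET = [
    ("sc-client-a", "screenconnect", "23.9.7"),
    ("sc-client-b", "screenconnect", "23.9.8"),
    ("sc-client-c", "screenconnect", "22.8.9025"),
    ("sh-client-d", "simplehelp", "5.5.7"),
    ("sh-client-e", "simplehelp", "5.4.10"),
    ("sh-client-f", "simplehelp", "5.4.9"),
    ("sh-client-g", "simplehelp", "5.2.3"),
]

if __name__ == "__main__":
    for host, product, installed, required in audit(FLEET):
        print(f"{host}: {product} {installed} -> needs {required}")
```

A 5.2.x server falls through to the default rule and is told to reach 5.5.8, which matches the advisory's guidance: the back-ports only exist for the 5.4 and 5.3 branches.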
The ScreenConnect entry has a notable provenance. CVE-2024-1708 was disclosed in February 2024 alongside CVE-2024-1709 — the unauthenticated authentication-bypass that drove the original ScreenConnect emergency. CISA added CVE-2024-1709 to KEV at the time but left CVE-2024-1708 off. Adding the path-traversal entry now points at post-auth exploitation against servers that patched CVE-2024-1709 but still ship the path-traversal flaw — i.e. customers who upgraded once in 2024 and never came back.
The SimpleHelp CVEs have a similar character. They were originally published in January 2025 and got broad coverage at the time. KEV inclusion now means CISA has confirmed continued in-the-wild exploitation against unpatched 5.5.7 servers. The pairing of CVE-2024-57726 (technicians can mint API keys with admin permissions) with CVE-2024-57728 (admins can write arbitrary files via zip-slip) is the privilege-escalation path: technician → admin → server-side code execution → every endpoint registered to that SimpleHelp server.
What to do this week:
- Patch both platforms. Hit the version targets above ahead of the CISA due dates — CISA's deadlines are minimums, not targets.
- Audit for compromise before you re-enable internet exposure. Review SimpleHelp technician accounts and API keys for unfamiliar entries. For ScreenConnect, work through the ConnectWise + Mandiant Remediation and Hardening Guide before bringing the server back online.
- Restrict the management plane. Put SimpleHelp and ScreenConnect behind a VPN, IP allowlist, or jump host. Internet-reachable RMM management interfaces are the same attack surface as internet-reachable Fortinet management.
- Rotate credentials on the way back. The SimpleHelp advisory calls out administrator and technician password rotation explicitly. ScreenConnect deployments should treat any admin account that existed during the vulnerable window as suspect.
Two RMM platforms back on KEV in the same week is the story to take to clients who ask why patching cadence on management tools matters. The tools that reach every endpoint are the tools attackers want most.
Advisories
Brief 1 — Bitwarden CLI 2026.4.0 compromised in Checkmarx supply-chain campaign
The malicious @bitwarden/cli@2026.4.0 package was distributed via npm between 5:57 PM and 7:30 PM ET on April 22 before Bitwarden pulled it. The Checkmarx-attributed campaign breached Bitwarden's CI/CD pipeline through a malicious GitHub Action and shipped a preinstall hook that exfiltrated developer secrets, GitHub and npm tokens, SSH keys, environment variables, and AI coding-tool configs (Claude, Cursor, Codex) to audit.checkmarx[.]cx. Approximately 334 downloads occurred in the window. Bitwarden states no end-user vault data was accessed. The fix is 2026.4.1, a re-release of 2026.3.0. The Hacker News writeup.
Action: if your build pipelines or runbooks pull @bitwarden/cli from npm, check installed versions across CI runners and developer workstations. If 2026.4.0 was installed during the two-hour window, rotate every secret that was readable to that machine: GitHub PATs, npm tokens, SSH keys, cloud credentials, and any AI tool API keys stored in the user profile. Pin to 2026.4.1 going forward.
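Checking "installed versions across CI runners and developer workstations" is mostly a matter of reading lockfiles, which also reveals whether a package.json range could pull the bad build back in on the next install. The scanner below is an added example, not Bitwarden's or npm's code: it walks both lockfile layouts, flags any copy of @bitwarden/cli at 2026.4.0, and reports manifest specs that are not exact pins. The lockfile and manifest at the bottom are constructed samples.

```python
"""Find the compromised @bitwarden/cli build in npm lockfiles and manifests.

Added example, not Bitwarden's or npm's code. Version numbers come from the
brief above; the lockfile and package.json below are constructed samples.
"""
import json
import os
import re
from typing import Dict, List

PACKAGE = "@bitwarden/cli"
COMPROMISED = "2026.4.0"  # malicious build distributed April 22
SAFE_PIN = "2026.4.1"     # re-release of 2026.3.0 to pin to
EXACT = re.compile(r"^\d+\.\d+\.\d+$")  # an exact pin, as opposed to a range


def installed_versions(lock: dict) -> Dict[str, str]:
    """Map node_modules path -> version for every copy of PACKAGE in a package-lock.json.

    Reads lockfileVersion 2/3 ("packages", keyed by path) and lockfileVersion 1
    ("dependencies", nested); v2 files carry both, so results are keyed by
    path to avoid double counting.
    """
    found: Dict[str, str] = {}
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + PACKAGE):
            found[path] = meta.get("version", "")

    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            here = f"{prefix}node_modules/{name}"
            if name == PACKAGE:
                found[here] = meta.get("version", "")
            walk(meta.get("dependencies", {}), here + "/")

    walk(lock.get("dependencies", {}), "")
    return found


def assess(lock: dict, manifest: dict) -> Dict[str, list]:
    """Report compromised copies, and manifest specs that can still float to one."""
    report: Dict[str, list] = {"compromised": [], "floating": []}
    for path, version in sorted(installed_versions(lock).items()):
        if version == COMPROMISED:
            report["compromised"].append(path)
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        spec = manifest.get(section, {}).get(PACKAGE)
        if spec is None:
            continue
        if spec == COMPROMISED:
            report["compromised"].append(f"package.json:{section}")
        elif not EXACT.match(spec):
            # ^2026.4.0, >=2026.3.0, latest, *: the next install decides the build
            report["floating"].append((section, spec))
    return report


def scan_project(root: str) -> Dict[str, list]:
    """Run assess() against the package-lock.json / package.json in a checkout."""
    def load(name: str) -> dict:
        path = os.path.join(root, name)
        if not os.path.exists(path):
            return {}
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    return assess(load("package-lock.json"), load("package.json"))


# Constructed samples: a v3 lockfile with a top-level compromised copy and a
# nested older one, and a manifest whose caret range let 2026.4.0 in.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {PACKAGE: "^2026.4.0"}},
        "node_modules/" + PACKAGE: {"version": "2026.4.0"},
        "node_modules/some-tool/node_modules/" + PACKAGE: {"version": "2026.3.0"},
    },
}
SAMPLE_MANIFEST = {"dependencies": {PACKAGE: "^2026.4.0"}}

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_LOCK, SAMPLE_MANIFEST), indent=2))
```

A hit in "compromised" means the machine that ran npm install for that checkout needs the full secret rotation above; a "floating" entry means the pin to 2026.4.1 has not been applied yet. Globally installed copies (npm install -g) live outside the project and need a separate check of the global node_modules directory.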
Brief 2 — cPanel/WHM emergency authentication-bypass advisory shipped April 28
cPanel released an emergency security update on April 28 for an authentication-bypass exploit in the login flow that affects all currently supported versions. The fix shipped late the same day. Hosting providers including Namecheap blocked TCP ports 2083 and 2087 at the firewall while waiting for the patch, which cut off access to cPanel, WHM, Webmail, and Webdisk for several hours per the Namecheap status update. The CVE assignment was not public at the time of writing.
Action: if you manage cPanel or WHM servers directly, confirm your servers received the April 28 cPanel security patch. If you resell cPanel hosting through a provider, confirm the provider applied the patch and lifted the firewall block before assuring clients that their control panels are reachable again.
Brief 3 — Chrome 147.0.7727.137/138 ships 30 security fixes including four Critical use-after-frees
Google shipped Chrome stable 147.0.7727.137/138 (Windows/Mac) and 147.0.7727.137 (Linux) on April 28 with 30 security fixes. Four are rated Critical, all use-after-free: CVE-2026-7363 (Canvas), CVE-2026-7361 (iOS), CVE-2026-7344 (Accessibility), and CVE-2026-7343 (Views). Release notes. Microsoft Edge will pick up the same Chromium fixes on its own update cadence.
Action: push the update via your endpoint management tool this week. Set the minimum Chrome version to 147.0.7727.137 (Linux) / 147.0.7727.138 (Windows/Mac) and audit any device still on a prior 147.x build for browser-update health.
Brief 4 — Microsoft Defender LPE CVE-2026-33825 added to KEV April 22
CISA added CVE-2026-33825 (CVSS 7.8) to KEV on April 22 with a remediation due date of May 6. The vulnerability is an insufficient-granularity-of-access-control flaw in the Defender Antimalware Platform that lets an authorized local user escalate privileges. Fixed in platform version 4.18.26030.3011 and later. NVD entry.
Action: verify your endpoints' Defender Antimalware Platform version is at or above 4.18.26030.3011. The platform updates separately from Windows Update on most systems, so a fully patched OS is not enough. Get-MpComputerStatus returns the platform version per host (the AMProductVersion field), so it can drive a fleet-wide audit.
Brief 5 — Windows Shell spoofing CVE-2026-32202 added to KEV April 28
CISA added CVE-2026-32202 (CVSS 4.3) to KEV on April 28 with a due date of May 12. The vulnerability is a protection-mechanism failure in Windows Shell that allows network-based spoofing. The CVSS is medium, but KEV inclusion means CISA has observed exploitation. The fix shipped in the April Patch Tuesday cumulative update. NVD entry.
Action: if any Windows host in your fleet has not yet installed the April cumulative update, this is now a KEV-deadline patch. Cross-reference your patch-compliance dashboard against the affected build numbers in the NVD entry.
Brief 6 — Marimo pre-auth RCE CVE-2026-39987 added to KEV April 23
Marimo, a reactive Python notebook used in data-engineering and ML environments, contains a pre-authentication RCE: the /terminal/ws WebSocket endpoint lacked authentication validation, giving unauthenticated attackers a full PTY shell on the host. CVSS 9.8 v3.1 / 9.3 v4.0. Fixed in Marimo 0.23.0. CISA due date: May 7. NVD entry.
Action: if any client of yours runs Marimo notebooks (data-science teams, MLOps platforms, or developer-tooling stacks), upgrade to 0.23.0+. The terminal endpoint should never have been internet-reachable in any deployment, but check anyway — pre-auth RCE on a notebook server is a foothold-class bug.
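"Check anyway" means looking at who reached the /terminal/ws endpoint, not only whether the server was upgraded. The script below is an added example, not Marimo's code: it parses reverse-proxy access logs in the common combined format, keeps only requests to the terminal endpoint, separates sources outside the assumed trusted ranges from internal ones, and treats a 101 status as a completed WebSocket upgrade, i.e. a shell that was actually handed out. The trusted ranges and the log lines are constructed for this example.

```python
"""Flag WebSocket hits on Marimo's /terminal/ws endpoint in proxy access logs.

Added example, not Marimo's code. Assumes the notebook sits behind a reverse
proxy writing the common "combined" log format; the internal ranges and the
log lines below are constructed for this example.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, NamedTuple

# Combined log format (nginx/Apache default). Adjust if your proxy differs.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TERMINAL_PATH = "/terminal/ws"

# Assumed trusted ranges for this deployment: RFC 1918, loopback, IPv6 ULA.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fc00::/7",
)]


class Hit(NamedTuple):
    ip: str
    ts: str
    status: int  # 101 = the proxy completed the upgrade, i.e. a PTY was handed out
    ua: str
    external: bool


def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable source: treat as untrusted
    return not any(addr in net for net in INTERNAL)


def terminal_hits(lines: Iterable[str]) -> List[Hit]:
    """Every request whose path is the terminal endpoint; unparsable lines are skipped."""
    hits: List[Hit] = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path != TERMINAL_PATH:
            continue
        ip = m.group("ip")
        hits.append(Hit(ip, m.group("ts"), int(m.group("status")), m.group("ua"), is_external(ip)))
    return hits


def summarize(hits: Iterable[Hit]) -> Dict[str, dict]:
    """Per source IP: completed upgrades (101) versus refused attempts."""
    out: Dict[str, dict] = {}
    for h in hits:
        entry = out.setdefault(h.ip, {"external": h.external, "upgraded": 0, "refused": 0})
        entry["upgraded" if h.status == 101 else "refused"] += 1
    return out


def external_shells(lines: Iterable[str]) -> List[str]:
    """Source IPs outside the trusted ranges that got a terminal session."""
    summary = summarize(terminal_hits(lines))
    return sorted(ip for ip, e in summary.items() if e["external"] and e["upgraded"] > 0)


# Constructed log lines; addresses from documentation ranges, timestamps made up.
SAMPLE_LOG = [
    '10.0.4.12 - - [23/Apr/2026:09:14:02 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Apr/2026:09:20:45 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [23/Apr/2026:09:20:46 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 101 0 "-" "python-requests/2.31"',
    '198.51.100.9 - - [23/Apr/2026:09:31:10 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "-" "curl/8.5.0"',
    '10.0.4.12 - - [23/Apr/2026:09:35:00 +0000] "GET /notebook HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, entry in summarize(terminal_hits(SAMPLE_LOG)).items():
        print(ip, entry)
    print("external sessions:", external_shells(SAMPLE_LOG))
```

Any address returned by external_shells on a pre-0.23.0 server is an incident, not a finding to schedule: the endpoint handed that source a PTY without authentication. Refused attempts from external sources are still worth keeping as evidence that the endpoint was being probed while exposed.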
Brief 7 — Samsung MagicINFO 9 Server CVE-2024-7399 added to KEV April 24
CISA added CVE-2024-7399 (CVSS 8.8) on April 24 with a due date of May 8. The vulnerability is a path-traversal flaw that allows arbitrary file write as the system authority. Fixed in MagicINFO 9 Server 21.1050 and later. NVD entry.
Action: MagicINFO is digital-signage software — if any client uses Samsung digital-signage installations (retail, hospitality, healthcare lobbies), confirm the server version is at 21.1050+. The internet-reachable signage server is a frequently overlooked attack surface in physical-environment IT.
Product changes
Brief 8 — Intune Autopatch update risk visibility report ships, Ubuntu 26.04 LTS supported
Microsoft Intune's What's new shows two changes in the week of April 27. The Autopatch update risk visibility report extends the security update status dashboard with per-device classification (Current, Exposed, or Critical) and identifies the policies contributing to each device's risk class. Intune also added support for Ubuntu 26.04 LTS — and Ubuntu 22.04 LTS support ends August 2026.
Action: enable the Autopatch update risk visibility report and use the policy attribution to clean up risk-contributing policies before they appear in client compliance reviews. For Linux fleets, filter Devices > All devices by Linux, add the OS version column, and queue Ubuntu 22.04 upgrades.
Brief 9 — Defender XDR April rollups: alert-tuning rules GA, AI-agent visibility expanded
Three Defender XDR changes landed in April per the Defender XDR What's new. Built-in alert-tuning rules are now generally available and suppress benign-activity alerts in Defender for Endpoint and Defender for Office 365 without affecting Automated Investigation and Response. The AIAgentsInfo advanced-hunting table extended its coverage from Copilot Studio alone to all agent types, including Microsoft Foundry, third-party marketplace, and custom line-of-business agents. The predictive-shielding action status is now visible in the Activities tab of incident pages in preview.
Action: review your custom alert-tuning rules and remove any that duplicate the new built-in suppressions — running both creates conflicting tune state. If your tenants have rolled out Microsoft Foundry or custom agents, write a baseline AIAgentsInfo hunting query so you have an inventory before someone asks.
Brief 10 — Microsoft Sentinel UEBA extends to AWS CloudTrail
Microsoft published guidance on April 28 covering Sentinel UEBA enrichment for AWS CloudTrail. The behavioral signals previously available for Microsoft 365 and Entra ID activity now apply to CloudTrail logs, so AWS API calls show user-context and peer-comparison enrichment in the unified SecOps portal.
Action: if you operate Sentinel for clients with AWS workloads, confirm the CloudTrail data connector is ingesting and enable UEBA on the workspace. The enrichment is most useful on accounts where one or two privileged identities perform most of the API activity.
Field notes
Brief 11 — KB5083769 (April Patch Tuesday) breaks Outlook delivery, NinjaOne Backup, DISM, and Network Discovery on Windows 11 25H2
An r/msp thread documents post-update regressions on Windows 11 25H2 endpoints that received KB5083769. The poster reports six of more than one hundred managed endpoints affected, on a NinjaOne / Huntress / Emsisoft / AutoElevate / M365 stack. Symptoms include Outlook Classic silently stopping new-mail delivery, NinjaOne Backup file/folder jobs failing without errors, DISM failing with 0x800f0915, and Network Discovery hanging in File Explorer. The community theory points at SMB-compression-over-QUIC changes in the patch.
Action: watch Windows 11 25H2 endpoints with KB5083769 installed for silent backup failures and Outlook delivery problems. Closing and reopening Outlook temporarily restores delivery — a useful triage signal. Track the Windows release health dashboard for an official acknowledgement, and consider deferring KB5083769 on Windows 11 25H2 rings until Microsoft posts a known-issue note or follow-up cumulative.