Microsoft Patches Two Zero-Day Vulnerabilities in April Patch Tuesday Release

Microsoft has rolled out its April Patch Tuesday update, addressing a significant number of security flaws, including two zero-day vulnerabilities. One of these is already being actively exploited in the wild, raising urgent concerns for IT administrators worldwide.

Active Exploitation: SharePoint Spoofing Flaw (CVE-2026-32201)

The first zero-day, tracked as CVE-2026-32201, is a server spoofing vulnerability in Microsoft SharePoint. This bug stems from improper input validation, allowing an unauthorized attacker to perform spoofing over a network. According to Mike Walters, president of Action1, the flaw can deceive users by manipulating how information is presented within trusted SharePoint environments.

“By exploiting this flaw, an attacker can manipulate how information is presented to users, potentially tricking them into trusting malicious content,” Walters explained. “While the direct impact on data is limited, the ability to deceive users makes this a powerful tool for broader attacks.”

This vulnerability can enable phishing campaigns, unauthorized data manipulation, or social engineering attacks, posing a serious threat to organizations relying on SharePoint for collaboration.

Publicly Disclosed but Not Exploited: Microsoft Defender EoP Bug (CVE-2026-33825)

The second zero-day, CVE-2026-33825, is an elevation of privilege (EoP) vulnerability in Microsoft Defender. While it has been publicly disclosed, it has not yet been exploited in active attacks. However, Jack Bicer, director of vulnerability research at Action1, warns that it could be chained with other vulnerabilities in real-world scenarios.

“CVE-2026-33825 significantly increases risk in environments where attackers have already gained a foothold,” Bicer said. “Once exploited, it allows full control over endpoints, enabling data exfiltration, disabling security tools, and lateral movement across networks.”

As a result, even organizations with strong perimeter defenses are at risk if internal systems are compromised.

EoP Bugs Dominate April Patch Tuesday

In fact, elevation of privilege vulnerabilities are the largest category in this month’s update, totaling 93 flaws. Information disclosure (21), remote code execution (20), and security feature bypass (13) round out the top categories by volume.

Critical RCE Flaw in Windows IKE Service (CVE-2026-33824)

Beyond the zero-days, Walters urged administrators to pay close attention to CVE-2026-33824. With a CVSS score of 9.8, this remote code execution vulnerability is the most dangerous on paper this month. It impacts the Windows Internet Key Exchange (IKE) service, and threat actors could exploit it remotely by sending specially crafted network packets.

“This issue poses a serious threat to enterprise environments, especially those relying on VPN or IPsec for secure communications,” Walters continued. “Successful exploitation can result in complete system compromise, allowing attackers to steal sensitive data, disrupt operations, or move laterally across the network.”

Internet-facing IKEv2 systems are particularly at risk, making prompt patching essential.

Recommendations for IT Administrators

Given the active exploitation of the SharePoint spoofing flaw, security teams should prioritize applying the April Patch Tuesday updates immediately. Additionally, monitoring for unusual network activity related to IKE services is advisable.

For more on this month’s fixes, see our Patch Tuesday guide. To stay updated on emerging threats, check out our vulnerability management tips.

Building on this, organizations should also review their security posture regarding Microsoft Defender and SharePoint to mitigate potential risks from chained attacks.

Sharp Rise in Brute-Force Attacks Targets SonicWall and Fortinet Devices, Researchers Warn

Security researchers have observed a dramatic increase in brute-force attacks aimed at compromising SonicWall and Fortinet devices. According to a new report from Barracuda Networks, the vast majority of these attempts—88%—appear to originate from the Middle East. While many attacks were blocked, the trend signals a growing threat to perimeter security.

What Drives the Surge in Brute-Force Attacks?

Barracuda’s analysis reveals that most of these brute-force attacks were unsuccessful, either thwarted by security tools or targeting invalid usernames. However, the timing is noteworthy. The spike coincides with heightened US and Israeli hostilities against Iran, suggesting a possible geopolitical motive. Attackers may be routing traffic through Middle Eastern servers, but the pattern raises alarms about state-linked cyber activity.

In recent weeks, Iranian-affiliated hackers have targeted US critical infrastructure and medtech firms. The line between state-sponsored operations and financially motivated cybercrime continues to blur, as seen with the resurgence of the Pay2Key ransomware group. For more context, read our analysis on hybrid Middle East conflicts triggering global cyber activity.

Why Edge Devices Are Prime Targets

Edge devices like VPNs and firewalls from SonicWall and Fortinet are internet-facing yet provide direct access to corporate networks. This makes them attractive targets for brute-force attacks. Barracuda reports that over half (56%) of all confirmed incidents from February to March involved such attacks.

“Attackers are aggressively scanning and testing perimeter devices for weak or exposed credentials,” warns Laila Mubashar, senior cybersecurity analyst at Barracuda. “Even when attacks fail, persistent probing raises the risk that a single weak password or misconfiguration could lead to compromise.”

How to Protect Your Network

To defend against these threats, organizations should take immediate action:

• Enforce strong, unique passwords on all network and security devices.
• Enable multi-factor authentication (MFA) on all VPNs, firewalls, and remote access services.
• Monitor and investigate repeated failed login attempts.
• Restrict management interfaces to trusted IP ranges where possible.

For additional guidance, check out our network security best practices guide.

The Rise of ClickFix Social Engineering Attacks

Alongside the brute-force attacks, Barracuda highlights a surge in ClickFix attacks. These social engineering schemes trick users into copying and executing malicious scripts under the guise of fixing a non-existent technical issue. Mubashar explains that such attacks exploit user trust and anxiety.

“Attackers use familiar elements like pop-ups, prompts, and instructions to run a fix,” she adds. “Because ClickFix attacks rely on duping users into adding malicious commands themselves, they are harder for automated security systems to spot.”

To mitigate this threat, organizations should improve end-user education, restrict who can run PowerShell or command-line tools, and deploy monitoring tools for unusual behavior. Learn more about social engineering defense strategies.

Final Thoughts on the Growing Threat Landscape

The surge in brute-force attacks on SonicWall and Fortinet devices underscores the importance of robust perimeter security. As geopolitical tensions rise, attackers are becoming more persistent and sophisticated. By implementing strong authentication measures and educating users, organizations can reduce their risk of compromise.

Italian Spyware Maker IPS Exposed for Distributing Fake Android Surveillance Apps

Another Italian spyware maker has been caught in the act, this time distributing fake Android apps to install surveillance software on unsuspecting targets. A new report from Osservatorio Nessuno, an Italian digital rights organization, reveals how the company IPS used a deceptive phone-updating app to deploy its Morpheus spyware.

The discovery highlights the growing demand for spyware among law enforcement and intelligence agencies worldwide. As a result, numerous companies are quietly supplying these tools, often operating far from public scrutiny.

How the Morpheus Spyware Works

According to the researchers, Morpheus is a “low cost” spyware that relies on tricking victims into installing it themselves. Unlike advanced spyware from firms like NSO Group or Paragon Solutions, which use invisible zero-click attacks, Morpheus depends on social engineering.

In this case, the target’s mobile provider deliberately blocked their data connection. Then, the telecom sent an SMS urging the victim to install a fake app to restore cellular access. This strategy has been documented in other cases involving Italian spyware makers.

Once installed, the malware abused Android’s accessibility features to read screen data and interact with other apps. It then prompted a fake update, showed a reboot screen, and spoofed WhatsApp to request biometric authentication. Unbeknownst to the target, this granted the spyware full access to their WhatsApp account.

IPS: An Old Company with a New Spyware Product

Osservatorio Nessuno’s researchers, identified only as Davide and Giulio, linked the spyware to IPS based on its infrastructure. One IP address was registered to “IPS Intelligence Public Security.” Additionally, the malware code contained Italian phrases, including references to Gomorra and “spaghetti” — a common trait among Italian spyware makers.

IPS has operated for over 30 years, providing traditional lawful interception technology to governments. Its website lists several Italian police forces as customers and claims operations in more than 20 countries. However, the company did not respond to requests for comment about the spyware report.

The Target: Political Activism in Italy

Davide and Giulio could not reveal specific details about the target but believe the attack is “related to political activism” in Italy. They noted that such targeted attacks are increasingly common in this sphere.

A researcher at a cybersecurity firm, who reviewed the report, confirmed that the malware was definitely developed by an Italian surveillance tech maker. This aligns with a broader trend of Italian firms filling the void left by Hacking Team, one of the first spyware makers globally.

The Rise of Italian Spyware Makers

IPS joins a long list of Italian spyware makers exposed in recent years, including CY4GATE, eSurv, GR Sistemi, Movia, Negg, Raxir, RCS Lab, and SIO. Earlier this month, WhatsApp notified around 200 users who installed a fake version of the app, which was actually spyware made by SIO.

In 2021, Italian prosecutors suspended their use of CY4GATE and SIO spyware due to serious malfunctions. This pattern raises questions about the oversight and regulation of surveillance technology in Italy and beyond.

Building on these findings, it’s clear that the demand for government spyware continues to drive innovation in deception tactics. For more insights, explore our guide on how to protect Android from spyware. Additionally, learn about understanding lawful interception technology to grasp the legal landscape.

In conclusion, the exposure of IPS demonstrates that even established companies are turning to covert methods to meet the demands of law enforcement. As a result, users must remain vigilant against fake apps and suspicious messages, especially those claiming to fix network issues.