Patch Tuesday: Microsoft, Adobe, SAP, Fortinet, and Cisco

On Tuesday, April 14, Microsoft released updates to address 167 vulnerabilities in their products, as well as dozens of vulnerabilities in Chromium. One of the Microsoft vulnerabilities, a spoofing vulnerability in Microsoft Office SharePoint (CVE-2026-32201) is being actively exploited, and another, a privilege elevation vulnerability in Microsoft Defender (CVE-2026-33825) was previously disclosed. Adobe released updates to address 55 vulnerabilities in 11 products, including five critical vulnerabilities in Adobe Cold Fusion: two security feature bypass flaws, two arbitrary code execution flaws, and an arbitrary file system read flaw. Adobe also released fixes for critical vulnerabilities in Acrobat Reader, InDesign, InCopy, FrameMaker, Connect, Bridge, Photoshop, and Illustrator. Adobe also addressed several other important vulnerabilities, including arbitrary code execution flaws, application denial-of-service flaws, and a memory exposure issue, in Adobe Experience Manager (AEM) and Adobe DNG Software Development Kit (SDK). SAP released 22 new and updated security notes, including addressing a critical SQL injection vulnerability in Business Planning and Consolidation and Business Warehouse (CVE-2026-27681).

Fortinet's Product Security Incident Response Team (PSIRT) issued patches for more than 25 vulnerabilities on Tuesday, April 14, 2026, including two critical-severity and three high-severity flaws. CVE-2026-39808 allows an unauthenticated attacker to execute arbitrary code or commands using crafted HTTP requests, due to an OS command injection vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8. CVE-2026-39813 also affects FortiSandbox 4.4.0 through 4.4.8 as well as 5.0.0 through 5.0.5, and allows an unauthenticated attacker to bypass authentication using crafted HTTP requests, due to a path traversal vulnerability in the JRPC API. Both flaws carry CVSS score 9.1; users should update to fixed versions of FortiSandbox 4.4.9 or later, or 5.0.6 or later. Two of the high-severity flaws are SQL injection vulnerabilities, in FortiDDoS-F and FortiClientEMS respectively, allowing authenticated arbitrary SQL queries (CVE-2026-39815, CVSS 7.9; CVE-2026-39809, CVSS 7.1), and the third is a heap-based buffer overflow vulnerability in the FortiAnalyzer Cloud oftpd daemon allowing unauthenticated remote code execution (CVE-2026-22828, CVSS 7.3).

This week, Cisco, published 10 security advisories to address security issues in Cisco Webex Services, Cisco Webex Contact Center, Cisco Secure Web Appliance, Cisco Identity Services Engine (ISE), Cisco Unity Connection, and Cisco ThousandEyes Enterprise Agent. In all, the bulletins address 15 security issues, including four critical vulnerabilities: a vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services (CVE-2026-20184) that could be exploited to allow an unauthenticated, remote attacker to impersonate any user within the service; a remote code execution vulnerability in Cisco ISE and ISE Passive Identity Connector (ISE-PIC, CVE-2026-20147); and a path traversal vulnerability (CVE-2026-20180) and a command injection vulnerability (CVE-2026-20186) in Cisco ISE.

The UK's AI Security Institute (AISI) has conducted independent testing on the autonomous cyberattack capabilities of Anthropic's Mythos Preview model, comparing its performance to contemporary models. Testing skills in isolation within capture-the-flag (CTF) challenges, Mythos Preview's average success rate was the highest among the group on Expert level (73%) and Apprentice level tasks, and closely followed other models on Technical non-expert and Practitioner level tasks. At all four levels of CTF, Mythos did not exceed its nearest competitors' success rates by more than ten percentage points, and no competitor exceeded Mythos by more than five percentage points. However, Mythos is the first model to fully solve "The Last Ones," (TLO) AISI's 32-step cyber range simulating an attack on a corporate network, "spanning initial reconnaissance through to full network takeover, which [AISI] estimate[s] to require humans 20 hours to complete." Across ten attempts, Mythos averaged 22 completed steps and in three cases solved all 32; the next best performance was from Claude Opus 4.6 at an average of 16 completed steps, with its best attempt reaching 28. In an OT-focused "Cooling Tower" range, Mythos Preview "got stuck on IT sections" and did not complete the challenge. The ranges lack active defenders and defensive tooling, and they do not penalize models for actions that would trigger security alerts, but AISI posits that Mythos Preview "is at least capable of autonomously attacking small, weakly defended and vulnerable enterprise systems where access to a network has been gained." AISI's blog post states that this test "highlights the importance of cybersecurity basics, such as regular application of security updates, robust access controls, security configuration, and comprehensive logging. [...] Future frontier models will be more capable still, so investment now in cyber defence is vital."

In response to a 263% surge in CVE submissions between 2020 and 2025, the US National Institute for Standards and Technology (NIST) has announced their shift toward a "new risk-based model" for prioritizing CVE analysis in the National Vulnerability Database (NVD). Rather than enriching every new CVE — which includes adding associated information such as severity score, common weakness enumeration (CWE), and common platform enumeration (CPE) — after April 15, 2026, NIST will prioritize three categories for enrichment: 1. CVEs added to the Known Exploited Vulnerabilities catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA KEV), 2. CVEs affecting software used in the federal government, and 3. CVEs for software designated as critical under Executive Order 14028. Users can email nvd@nist[.]gov to request enrichment of unscheduled CVEs. Backlogged CVEs with an NVD publish date prior to March 1, 2026 will not be scheduled for enrichment, with the exception of those in the CISA KEV. Meanwhile, the European Union Agency for Cybersecurity (ENISA) is in the process of becoming the third top-level root CVE Numbering Authority (TL-Root CNA), expecting to join CISA and MITRE in this role within the next year.

A critical flaw has been added to the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog (CISA KEV), affecting Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac. 17-year-old CVE-2009-0238 carries a CVSS score of 8.8, and allows a remote attacker to execute arbitrary code when a targeted user opens a crafted Excel document that triggers an access attempt on an invalid object. CISA has not offered details about current exploitation, but the original CVE entry notes that the flaw was already exploited to deliver a trojan dropper at the time of disclosure in 2009. Federal Civilian Executive Branch (FCEB) agencies have until April 28 to remediate this flaw.

Microsoft is offering users still running Exchange 2016 and 2019 a second period of Extended Security Updates (ESU), ostensibly to allow them additional time to migrate to Exchange Subscription Edition (SE). The first ESU period began in October 2025 and ends this month. The new ESU period will begin in May 2026 and will run through October 2026. Microsoft Enterprise Agreement (EA) customers wishing to enroll in the second ESU period must purchase a new contract to receive Critical and Important security updates. Microsoft is offering a similar ESU program for Skype for Business 2015 and 2019.

Cookeville Regional Medical Center (CRMC) in Tennessee has notified 337,917 patients that a July 2025 ransomware attack compromised their personal and protected health information (PHI). CRMC became aware of the attack on July 14, 2025, and a subsequent forensic investigation determined that the intruder had access to CRMC systems between July 11 and July 14, 2025. CRMC notified the US Department of Health and Human Services Office for Civil Rights (HHS OCR) of the incident in August 2025, using a figure of 500 as a placeholder for number of individuals affected. The incident review was completed in mid-March 2026, at which time CRMC obtained a list of affected individuals. The compromised data include addresses, dates of birth, Social Security numbers, driver’s license and financial account numbers, medical treatment information, medical record numbers, and health insurance policy information.

A US District Court Judge in Massachusetts has sentenced two people to prison for their roles in facilitating North Korean remote information technology (IT) workers posing as US residents to obtain work at more than 100 US companies. Kejia Wang pleaded guilty to conspiracy to commit wire fraud, conspiracy to commit money laundering, and conspiracy to commit identity theft in September 2025; he was sentenced to nine years in prison. Zhenxing Wang pleaded guilty to conspiracy to commit wire fraud and conspiracy to commit money laundering; he was sentenced to nearly eight years in prison. Kejia Wang traveled to China to confer with contacts involved in the scheme and supervised facilitators of the operation in the US. Zhenxing Wang set up laptops for remote access and enabled technology, including keyboard-video-mouse (KVM) switches that made it appear as though the remote computers were operating within the US. The men were also ordered to forfeit the $600,000 they received for facilitating the operation. Eight additional defendants who were indicted in June 2025 remain at large.