ASP.NET Core Privilege Elevation Flaw; CISA KEV Adds Ten Flaws; Vercel Finds More Compromised Accounts

Microsoft has published an out-of-band security update for the .NET framework that includes a patch for a critical flaw in versions 10.0.0 to 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package. CVE-2026-40372, CVSS score 9.1, allows an unauthorized attacker to elevate privileges over a network by forging authentication cookies, due to improper verification of cryptographic signatures. With these privileges, an attacker could induce the application to issue legitimately signed tokens, which will remain valid even after updating to version 10.0.7 unless the DataProtection key ring is rotated. Rahul Bandari, a Senior Program Manager at Microsoft, explains, "the managed authenticated encryptor could compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash, which could result in elevation of privilege." Microsoft states that only applications running on Linux, macOS, and other non-Windows operating systems are impacted, specifically those that use Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet, and only if the NuGet copy of the library was actually loaded at runtime, not the shared framework copy. A secondary affected configuration involving versions 10.0.0 through 10.0.6 is detailed in Microsoft's advisory on GitHub. No Windows applications are affected. Users should upgrade Microsoft.AspNetCore.DataProtection to 10.0.7 or later and redeploy; rotate the DataProtection key ring; audit application-level long-lived artifacts; audit plaintext stored inside protected payloads; and review web server logs.

On Monday, April 20, 2026, the US Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities in Cisco Catalyst SD-WAN Manager (formerly known as vManage) to the Known Exploited Vulnerabilities (KEV) catalog, each with a three-day mitigation deadline. All three of the flaws — an incorrect use of privileged APIs vulnerability (CVE-2026-20122), an exposure of sensitive information to an unauthorized actor vulnerability (CVE-2026-20133), and a storing passwords in a recoverable format vulnerability (CVE-2026-20128) — were addressed in a February 25 Cisco security advisory. Federal Civilian Executive Branch (FCEB) agencies have until Thursday, April 23 to mitigate these vulnerabilities in their systems. Also on April 20, CISA added a cross-site scripting vulnerability in Synacor Zimbra Collaboration Suite (CVE-2025-48700) to the KEV catalog with a mitigation due date of April 23. On Wednesday, April 22, 2026, CISA added a high-severity insufficient granularity of access control vulnerability in Microsoft Defender to the KEV catalog. The vulnerability can be exploited to achieve local privilege elevation. The flaw, which was addressed in Microsoft's April 14 monthly security update, has been actively exploited. A week prior to that, a proof-of-concept exploit for the vulnerability was released, and the flaw was nicknamed BlueHammer. FCEB agencies have until May 6, 2026 to mitigate the issue. Other CVEs added to KEV this week include an RCE vulnerability in Marino (CVE-2026-39987), a relative path traversal vulnerability in JetBrains TeamCity (CVE-2024-27199), an improper authentication vulnerability in Quest KACE Systems Management Appliance (SMA) (CVE-2025-32975), an improper authentication vulnerability in PaperCut NG/MF (CVE-2023-27351), and a path traversal vulnerability in Kentico Xperience (CVE-2025-2749).

Vercel, cloud provider and maintainer of Next.js, has updated its advisory about a breach of its internal systems through compromise of an employee's Context.ai app, first disclosed on April 19, 2026. After investigating additional indicators of compromise (IoCs), network requests, and logs of environment variable read events, Vercel found two additional groups of compromised accounts beyond the one account initially reported: some that were also breached as part of this incident, and some that were compromised prior to this incident, "potentially as a result of social engineering, malware, or other methods." Vercel is collaborating with Google Mandiant, GitHub, Microsoft, npm, Socket, AWS, Wiz, and law enforcement to monitor and investigate. Research from Hudson Rock indicates that this breach can likely be traced to a Context.ai employee's system infected with the Lumma infostealer when the employee was downloading game exploits for the video game Roblox, compromising Context.ai support credentials. Context.ai was certified by compliance startup Delve, whose legitimacy has been scrutinized following whistleblower allegations in March; another of Delve's clients was LiteLLM, which that same month suffered a supply chain attack following the compromise of Trivy. Vercel CEO Guillermo Rauch stated in a social media post on Wednesday, April 22, that "threat intel points to the distribution of malware to computers in search of valuable tokens like keys to Vercel accounts and other providers," leading to "rapid and comprehensive API usage, with a focus on enumeration of non-sensitive environment variables" by the attacker. The company has notified affected account holders as well as other organizations suspected to be victims, and there is no evidence of tampering or compromise in Vercel npm packages. Vercel's recommendations remain the same: set Deployment Protection to Standard or higher, rotate Deployment Protection Tokens and environment variables and designate secrets as "sensitive," review recent deployments and the activity log, and search for IoCs.

Mozilla used Anthropic's Claude Mythos Preview AI model to search for vulnerabilities in Firefox 150, and Mythos returned 271 security issues. Of those, just over 40 merited CVE designation. Several weeks ago, Mozilla found 22 security issues in Firefox 148 using Anthropic’s Opus 4.6 model. In a blog post, Mozilla CTO Bobby Holley writes that while initially the findings inspired a temporary feeling of "vertigo, ... our experience is a hopeful one for teams who shake off the vertigo and get to work." Holley notes, "So far we’ve found no category or complexity of vulnerability that humans can find that this model can’t. This can feel terrifying in the immediate term, but it’s ultimately great news for defenders. A gap between machine-discoverable and human-discoverable bugs favors the attacker, who can concentrate many months of costly human effort to find a single bug. Closing this gap erodes the attacker’s long-term advantage by making all discoveries cheap."

Apple released updates for iOS and iPadOS on Wednesday, April 22, 2026 to address a logging issue in which notifications marked for deletion could be unexpectedly retained on the device. The vulnerability (CVE-2026-28950) was addressed with improved data redaction. The FBI reportedly leveraged the vulnerability to access incoming Signal messages on a suspect's iPhone, even after the Signal app was deleted from the device. During a federal trial in March, "an FBI agent testified that the agency was able to access Sharp's incoming Signal messages because copies of their content had been saved on her phone's push notification database." The Signal app's push notification default configuration shows both the sender's name and a portion of the message's content. While users have the option of changing that configuration to display only the sender's name, the owner of the iPhone in question had not made that change. Prior to the Apple updates, the iPhone would store the content of Signal push notifications in internal memory. Apple has fixed the issue in iOS and iPadOS 18.7.8 and 26.4.2. The fix should also prevent this issue from occurring in other messaging apps.

A third former ransomware negotiator has pleaded guilty to conspiring to commit ransomware attacks against US companies in 2023. Angelo Martino, who worked as a ransomware negotiator for companies experiencing ransomware attacks, began helping operators of the Blackcat/ALPHV ransomware extort companies by sharing confidential information he had access to through his position at a cyber incident response company. That information helped the threat actors maximize the amount of ransom they would be paid by the companies they were extorting. Martino also admitted that he and two other individuals, Ryan Clifford Goldberg and Kevin Tyler Martin, deployed BlackCat ransomware between April and November 2023; Goldberg and Martin also leveraged their experience from within the cybersecurity industry to launch the attacks. They pleaded guilty to related charges in December 2025.

A bill known as the SECURE Data Act has been introduced in the US House of Representatives by Republican legislators, described as a comprehensive "national framework for consumer privacy rights and the protection of personal data." The International Association of Privacy Professionals (IAPP) notes that the bill is positioned to preempt existing state-level privacy laws if adopted, and that while it conforms with existing laws in Virginia and Kentucky, certain common topics are absent, such as data protection impact assessments, AI and automated decision-making technologies, and obligation to recognize universal opt-out mechanisms. The bill also lacks private right of action, which would allow consumers to directly sue companies in violation of the law.

The bill begins by outlining consumer rights, which include the right to opt out of data processing for targeted advertising, sale, and profiling, as well as to access, correct, delete, and obtain a copy of collected data. Controllers that collect data must either comply or decline (subject to appeal) within 45 days of a consumer's request, but this can be extended by another 45 days "when reasonably necessary." The section on data security mandates that controllers "establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and that are appropriate to the volume, sensitivity, and nature of such personal data." The bill presumes this to be the case if a controller's code of conduct or certification meets the bill's criteria, or if its security practices adhere to "widely-accepted technical specification" or "third-party attestation" and its data security program "reasonably conforms to a relevant Federal or widely-accepted international risk management framework" for addressing security risks and incidents. Extensive provisions are made to free controllers from restrictions when engaging with law enforcement, legal claims, contracts and services, safety concerns, security incidents and subsequent investigation/litigation, and research. This includes allowing unrestricted collection and processing of personal data to conduct internal research, effectuate a recall, identify and repair a technical error, and perform broadly-defined internal operations.

At a joint hearing by the Subcommittee on Border Security and Enforcement and the Subcommittee on Cybersecurity and Infrastructure Protection titled, “Online Scams, Crypto Fraud, and Digital Extortion: An Examination of How Transnational Criminal Networks Target Americans,” Cynthia Kaiser, Senior Vice President, Halcyon Ransomware Research Center and former deputy assistant director at the FBI’s Cyber Division between 2022 and 2025, told the panel that "The gap between the severity of these crimes and the consequences that follow needs to close." Kaiser called on legislators to "champion three specific authorities" to help close this gap: First, call on the departments of State, Justice, and Treasury to evaluate whether the activity of ransomware actors "who knowingly and repeatedly target hospitals" can be designated as terrorism, which would allow for "asset freezing, heightened Intelligence Community collection authorities, expanded travel restrictions, and significant diplomatic consequences for nations harboring these individuals." Second, Kaiser urged the panel to "request a report from the Department of Justice on the feasibility and appropriateness of pursuing homicide charges in cases where ransomware attacks on healthcare facilities resulted in documented patient deaths." US federal law allows prosecutors to pursue murder charges when deaths occur in the commission of certain felonies, even if the intent was not lethal. Finally, Kaiser called for legislators to fully fund and reauthorize the State and Local Cybersecurity Grant Program. Other witnesses testifying at the hearing include Ari Redbord, Global Head of Policy, TRM Labs; Joshua Bercu, Senior Vice President, Policy, USTelecom – The Broadband Association; and Megan Stifel, Chief Strategy Officer, Institute for Security and Technology.

Interrail customers have received communications from parent company Eurail B.V. warning them that personal data stolen in a cybersecurity incident in December 2025 "has been offered for sale on the dark web and a sample dataset has been published on Telegram." The company first notified customers of the breach in mid-January, and the DiscoverEU program stated at the time that data including "name, surname, date of birth or age, passport/ID information or photocopies, email address, postal address and country of residence, phone number, bank account reference (IBAN)," and certain health data may have been accessed. Disclosure letters sent in March estimated the number of affected individuals at 308,777, and mentioned only names and passport numbers as having been accessed. The UK Passport Office has reportedly advised cancelling passports to prevent identity fraud, and customers across Europe are struggling with practical, personal, and financial repercussions of the data leak, according to The Guardian. Eurail states that it has notified all customers whose data appeared in the leaked dataset, and recommends customers "remain vigilant for suspicious communications, update their passwords and monitor their accounts for any unusual activity."