Executive Summary
- Critical nginx-ui authentication bypass (CVE-2026-33032) is actively exploited in the wild, enabling full server takeover without credentials
- Microsoft released a record 169 security patches, including an actively exploited SharePoint zero-day; critical flaws were also identified in AI agents (Copilot, Agentforce)
- n8n workflow automation platform webhooks weaponized since October 2025 for phishing campaigns and malware delivery at scale
- WordPress plugin supply chain compromised; malicious signed software is disabling antivirus protections across government, healthcare, and education sectors
- Russian state-backed actors harvesting Microsoft Office authentication tokens via compromised routers; AgingFly malware targeting Ukrainian government and hospitals
Top Threats Today
1. nginx-ui Critical Authentication Bypass (CVE-2026-33032)
Severity: CRITICAL | Affected: Technology, Government
A critical vulnerability (CVSS 9.8) in nginx-ui with Model Context Protocol (MCP) support is being actively exploited to achieve unauthenticated full server takeover. Threat actors can restart nginx and create, modify, and delete nginx configuration files, giving them complete control of the web infrastructure. No authentication is required.
Recommended Action
- Immediately patch nginx-ui to latest version or disable MCP integration if patching is delayed
- Review nginx server logs for suspicious configuration changes or restart events
- Implement network segmentation to restrict access to nginx management interfaces
2. Microsoft April Patch Tuesday: 169 Vulnerabilities Including SharePoint Zero-Day
Severity: CRITICAL | Affected: Technology, Finance, Government
Microsoft released a record 169 patches addressing 8 critical and 157 important vulnerabilities. A SharePoint Server zero-day that is being actively exploited in the wild is included, alongside critical AI agent flaws in Copilot and Salesforce Agentforce that enable prompt injection and sensitive data leakage. A Windows Defender "BlueHammer" weakness was also disclosed.
Recommended Action
- Prioritize patching of SharePoint Server, Windows, and Microsoft 365 systems within 24-48 hours
- Audit Copilot and Agentforce deployments for unauthorized data access or prompt injection attempts
- Deploy endpoint detection and response (EDR) to monitor for exploitation patterns across enterprise
3. n8n Webhook Abuse for Phishing and Malware Delivery
Severity: CRITICAL | Affected: Technology, Finance
Threat actors have been weaponizing n8n automation platform webhooks since October 2025 to send sophisticated phishing emails at scale and deliver malicious payloads. The abuse leverages n8n’s trusted infrastructure to bypass email filtering and reputation systems, enabling device fingerprinting and initial access for APT operations.
Recommended Action
- Audit all n8n workflow configurations and disable or restrict webhook automation if not essential
- Implement strict email gateway rules to block n8n domains if not business-critical
- Deploy advanced email threat protection with sandbox detonation for n8n-originated messages
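The first recommendation above is an audit of n8n workflow configurations. The following added example (not part of the original brief and not n8n's own tooling) scans an exported n8n workflow JSON document for webhook trigger nodes and outbound mail nodes, and flags the highest-risk shape: an active workflow whose webhook accepts unauthenticated requests and can send email. The node type strings are n8n's own; the `authentication` parameter check follows the webhook node's settings, and the sample workflow is constructed for the example.

```python
import json
from typing import Any

# n8n node type identifiers for webhook triggers and outbound mail senders.
WEBHOOK_TRIGGER_TYPES = {"n8n-nodes-base.webhook"}
EMAIL_SEND_TYPES = {"n8n-nodes-base.emailSend", "n8n-nodes-base.gmail"}

# Constructed sample: an active workflow with an unauthenticated webhook feeding a mailer.
SAMPLE_WORKFLOW_JSON = json.dumps({
    "name": "Lead notifier",
    "active": True,
    "nodes": [
        {"name": "Inbound Hook", "type": "n8n-nodes-base.webhook",
         "parameters": {"path": "lead", "httpMethod": "POST", "authentication": "none"}},
        {"name": "Send Mail", "type": "n8n-nodes-base.emailSend",
         "parameters": {"toEmail": "={{ $json.body.to }}"}},
    ],
})


def audit_workflow(workflow: dict[str, Any]) -> dict[str, Any]:
    """Summarise the webhook and mail nodes in one exported n8n workflow."""
    nodes = workflow.get("nodes", [])
    webhooks = [n for n in nodes if n.get("type") in WEBHOOK_TRIGGER_TYPES]
    mailers = [n for n in nodes if n.get("type") in EMAIL_SEND_TYPES]
    # The webhook node defaults to no authentication when the parameter is absent.
    unauthenticated = [
        n.get("name", "<unnamed>") for n in webhooks
        if n.get("parameters", {}).get("authentication", "none") == "none"
    ]
    active = bool(workflow.get("active", False))
    return {
        "name": workflow.get("name", "<unnamed>"),
        "active": active,
        "webhook_nodes": [n.get("name", "<unnamed>") for n in webhooks],
        "unauthenticated_webhooks": unauthenticated,
        "email_nodes": [n.get("name", "<unnamed>") for n in mailers],
        # Flag only the combination an attacker can drive from outside: live,
        # unauthenticated entry point plus a node that sends mail on its behalf.
        "flag": active and bool(unauthenticated) and bool(mailers),
    }


def audit_workflow_json(text: str) -> dict[str, Any]:
    """Parse an exported workflow (as produced by n8n's export) and audit it."""
    return audit_workflow(json.loads(text))


if __name__ == "__main__":
    print(json.dumps(audit_workflow_json(SAMPLE_WORKFLOW_JSON), indent=2))
```

Run it over every file from an n8n workflow export directory and review each flagged workflow against the restriction guidance above.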
4. WordPress Plugin Supply Chain Compromise and Malicious Signed Software
Severity: CRITICAL | Affected: Technology, Education, Healthcare
Over 30 plugins in the EssentialPlugin suite were compromised with malicious code enabling unauthorized website access. Separately, digitally signed adware deployed SYSTEM-privileged payloads that disabled antivirus protections on thousands of endpoints in the government, education, utilities, and healthcare sectors. Legitimate code signatures were exploited to bypass detection.
Recommended Action
- Immediately audit and remove EssentialPlugin suite; restore from clean backups if installed
- Scan all systems for signed malware with SYSTEM privileges; quarantine and rebuild if detected
- Implement application whitelisting and code signing verification for all third-party software
5. Russian State-Backed Credential Theft via Router Compromise and AgingFly Malware
Severity: CRITICAL | Affected: Government, Healthcare
Russian military intelligence units are exploiting known router vulnerabilities to mass-harvest Microsoft Office authentication tokens. Separately, the new AgingFly malware family steals credentials from Chromium browsers and WhatsApp, targeting Ukrainian government and hospitals. Both campaigns indicate state-sponsored reconnaissance and credential harvesting at scale.
Recommended Action
- Update all network routing equipment to latest firmware; replace unsupported legacy models immediately
- Deploy network detection and response (NDR) to detect abnormal token exfiltration patterns
- Enforce multi-factor authentication across all Microsoft Office and critical systems to limit token value
Today’s Action Checklist
- ☐ URGENT: Patch nginx-ui servers or disable MCP integration to prevent unauthenticated takeover
- ☐ URGENT: Apply Microsoft April 2026 patches to Windows, SharePoint, and Microsoft 365 infrastructure
- ☐ URGENT: Audit and remove EssentialPlugin suite from all WordPress installations
- ☐ HIGH: Review n8n webhook configurations and restrict automation if not business-critical
- ☐ HIGH: Scan network for signed malware with SYSTEM privileges; restore affected systems from clean backups
- ☐ HIGH: Update all legacy routers and network equipment to latest firmware versions
- ☐ HIGH: Enforce multi-factor authentication across Microsoft Office 365 and critical enterprise systems
- ☐ MEDIUM: Audit Copilot and Agentforce deployments for data leakage via prompt injection
- ☐ MEDIUM: Deploy or update endpoint detection and response (EDR) to monitor exploitation attempts
- ☐ MEDIUM: Review email gateway rules to block or monitor n8n-originated messages