
Vulnerability Priority Report – Week 2 of April 2026

📅 April 13 – 19 · 🤖 AI-Generated Analysis · 10 CVEs analyzed

5 critical · 8 high · 6 medium · 19 total

Analyst Guidance

This week presents an elevated threat landscape dominated by actively exploited critical vulnerabilities in both IT and OT environments. Iranian-affiliated threat actors are actively targeting US critical infrastructure PLCs, while Marimo's pre-auth RCE and Adobe Reader flaws are under widespread exploitation. Immediate action is required for all critical-rated vulnerabilities, with particular focus on supply chain compromises and OT device exposure.

Patch Priority Matrix

CRITICAL - Active Exploitation

A pre-authentication RCE in Marimo was exploited within 10 hours of disclosure and affects all versions prior to the patched release. Iranian threat actors are actively exploiting PLC vulnerabilities across US critical infrastructure, with thousands of exposed Rockwell Automation devices identified.

CVE-2026-39987 • CVE-2026-41205 • CVE-2026-41206

CRITICAL - Supply Chain & Enterprise

Adobe Acrobat Reader CVE-2026-34621 is under active exploitation (CVSS 8.6). A backdoored Smart Slider 3 Pro update compromised a plugin with 800K+ installations. Immediate patching of all affected systems is required.

CVE-2026-34621 • CVE-2026-38904

HIGH - Critical Infrastructure OT

Multiple OT vulnerabilities in Yokogawa CENTUM VP, Mitsubishi Electric GENESIS64, Contemporary Controls BASC 20T, and Hitachi Energy Ellipse affect process control and disclose credentials. Local attacker access can lead to permission modifications and SQL credential compromise.

CVE-2026-36401 • CVE-2026-36402 • CVE-2026-36885 • CVE-2026-37104

HIGH - Known Exploited Catalog Additions

CISA has added multiple vulnerabilities to the KEV Catalog with evidence of active exploitation. Analysis shows that most critical flaws are exploited before defenders can patch, indicating systematic remediation delays across organizations.

CVE-2026-41112 • CVE-2026-41113

CVE Details & Remediation

CVE-2026-39987 – Marimo (Python Notebook)

CVSS: 9.3   Status: Active Exploit   Action: Patch immediately

Affected Industries: Technology, Finance, Education, Government

Remediation Steps

  1. Immediately update Marimo to the patched version released after April 7, 2026
  2. Audit all Marimo instances for unauthorized access logs and credential compromise
  3. Isolate affected instances from the network if updates cannot be applied within 2 hours
  4. Scan for IOCs associated with CVE-2026-39987 exploitation
  5. Review data science notebooks for suspicious code injection or data exfiltration


CVE-2026-34621 – Adobe Acrobat Reader

CVSS: 8.6   Status: Active Exploit   Action: Patch immediately

Affected Industries: Technology, Finance, Government, Legal, Healthcare

Remediation Steps

  1. Deploy Adobe Acrobat Reader emergency patch released April 2026 to all endpoints
  2. Implement application control to block execution of unpatched Reader versions
  3. Disable JavaScript execution in Adobe Reader as temporary mitigation if patching delayed
  4. Monitor for exploitation attempts using EDR/XDR tools with CVE-2026-34621 signatures
  5. Educate users against opening untrusted PDF attachments


CVE-2026-41205 – Rockwell Automation PLC (Multiple)

CVSS: 9.1   Status: Active Exploit   Action: Patch immediately

Affected Industries: Energy, Manufacturing, Government, Transportation

Remediation Steps

  1. Inventory all exposed Rockwell Automation PLC devices connected to internet or corporate network
  2. Apply manufacturer security patches immediately to air-gapped or segmented instances
  3. Implement network segmentation to isolate PLCs from internet-facing systems
  4. Deploy industrial network monitoring to detect unauthorized PLC enumeration or configuration changes
  5. Coordinate with facility operations to validate patch compatibility before production deployment


CVE-2026-36401 – Yokogawa CENTUM VP

CVSS: 8.2   Status: Under Review   Action: Patch this week

Affected Industries: Energy, Manufacturing, Government

Remediation Steps

  1. Review Yokogawa CENTUM VP versions in use against affected versions list
  2. Apply the Yokogawa security update addressing privilege escalation and PROG user access
  3. Change default and shared credentials for the PROG and admin accounts immediately
  4. Audit permission modifications and user access logs for unauthorized changes
  5. Test patches in staging environment before production deployment


CVE-2026-36402 – Mitsubishi Electric GENESIS64 & ICONICS Suite

CVSS: 7.9   Status: Under Review   Action: Patch this week

Affected Industries: Energy, Manufacturing, Government, Transportation

Remediation Steps

  1. Identify all systems running affected GENESIS64 and ICONICS Suite versions
  2. Rotate all SQL Server credentials used by these products immediately
  3. Apply vendor security patches from Mitsubishi Electric
  4. Audit SQL Server access logs for unauthorized credential usage or data access
  5. Implement principle of least privilege for product-specific SQL accounts


CVE-2026-36885 – Contemporary Controls BASC 20T

CVSS: 8.1   Status: Under Review   Action: Patch this week

Affected Industries: Energy, Manufacturing, Government

Remediation Steps

  1. Update BASC 20T firmware to patched version from Contemporary Controls
  2. Restrict network access to PLC configuration interfaces using firewall rules
  3. Audit all PLC component enumeration, configuration, and deletion activities
  4. Document baseline PLC configuration for drift detection
  5. Implement monitoring for unauthorized rename, delete, or reconfiguration attempts


CVE-2026-37104 – Hitachi Energy Ellipse

CVSS: 7.7   Status: Under Review   Action: Patch this week

Affected Industries: Energy, Manufacturing, Government

Remediation Steps

  1. Patch the Jasper Report vulnerability in Hitachi Energy Ellipse by updating to the latest version
  2. Review exposed Ellipse instances for exploitation indicators
  3. Implement WAF rules to protect against known Jasper Report exploitation techniques
  4. Apply vendor security updates from Hitachi Energy
  5. Monitor for suspicious report generation or data export activities


CVE-2026-38904 – Smart Slider 3 Pro Plugin

CVSS: 8.4   Status: Active Exploit   Action: Patch within 48 hours

Affected Industries: Technology, Media, Retail, Education

Remediation Steps

  1. Immediately update Smart Slider 3 Pro to version 3.5.1.36 or later (skip compromised 3.5.1.35)
  2. Scan all affected WordPress/Joomla sites for backdoor persistence mechanisms
  3. Change all administrative credentials for affected CMS instances
  4. Review server access logs for unauthorized administrative activity
  5. Consider temporarily disabling the plugin pending forensic review


CVE-2026-41112 – Multiple (CISA KEV Catalog)

CVSS: 8.3   Status: Active Exploit   Action: Patch immediately

Affected Industries: Government, Finance, Technology, Healthcare

Remediation Steps

  1. Review latest CISA Known Exploited Vulnerabilities Catalog for newly added entries
  2. Prioritize patching of all KEV-listed vulnerabilities with exploitation evidence
  3. Implement automated detection for KEV vulnerabilities in vulnerability management tools
  4. Establish a 48-hour SLA for remediation of actively exploited KEV entries
  5. Subscribe to CISA KEV Catalog RSS feeds for real-time alerts
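The KEV triage steps above can be automated against a scanner export. The following is an added example, not code from the report or from defend.network: it parses a feed in the shape of the public CISA KEV JSON (field names match the real feed; the entries, CVE assignments, hostnames and dates are constructed placeholders), joins it with a hypothetical per-host CVE inventory, and applies the report's 48-hour internal SLA from `dateAdded` next to CISA's own `dueDate`, ordering ransomware-linked and overdue items first.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of the CISA KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Vendor/product names and dates are placeholders, not real catalog entries.
SAMPLE_KEV = json.dumps({
    "catalogVersion": "sample", "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2026-41112", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "dateAdded": "2026-04-14", "dueDate": "2026-05-05", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2026-41113", "vendorProject": "ExampleVendor", "product": "OtherProduct",
         "dateAdded": "2026-04-16", "dueDate": "2026-05-07", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed (hypothetical) scanner export: hostname -> CVEs reported on that host.
INVENTORY = {
    "web01": ["CVE-2026-41112", "CVE-2026-00001"],
    "db02": ["CVE-2026-41113"],
    "jump03": ["CVE-2026-00002"],
}

SLA = timedelta(days=2)  # the report's 48-hour SLA for actively exploited KEV entries

def load_kev(raw):
    """Index a KEV feed by cveID so each inventory lookup is a dict hit."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def kev_exposure(kev, inventory, today):
    """One finding per (host, CVE) pair present in the KEV catalog.
    internal_due = dateAdded + 48h SLA; cisa_due = catalog deadline;
    overdue is True once today is past the internal deadline."""
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:          # not in KEV: handled by normal patch cycle
                continue
            internal_due = date.fromisoformat(entry["dateAdded"]) + SLA
            findings.append({
                "host": host, "cve": cve,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "internal_due": internal_due.isoformat(),
                "cisa_due": entry["dueDate"],
                "overdue": today > internal_due,
            })
    # Ransomware-linked first, then overdue, then by earliest internal deadline
    findings.sort(key=lambda f: (not f["ransomware"], not f["overdue"], f["internal_due"]))
    return findings
```

Replace `SAMPLE_KEV` with the downloaded feed and `INVENTORY` with your scanner's per-host CVE list; anything the function does not return is outside the KEV catalog and stays on the regular patch schedule.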


CVE-2026-36780 – GPL Odorizers GPL750

CVSS: 7.5   Status: Under Review   Action: Schedule for next cycle

Affected Industries: Energy, Government, Manufacturing

Remediation Steps

  1. Inventory GPL750 systems and document exposed instances
  2. Apply security patches from GPL Odorizers when available
  3. Implement access controls to limit remote access to odorant system controls
  4. Monitor register value changes for anomalies indicating manipulation attempts
  5. Coordinate with facility operations to validate patches before deployment


🤖 This vulnerability report was compiled by defend.network using AI-powered analysis of vulnerability databases, vendor advisories, and threat intelligence feeds. Always verify remediation steps through official vendor channels before implementing changes in production environments.
