CTI Morning Digest — 2026-04-04

TL;DR

FortiClient EMS has a confirmed-exploited zero-day (CVE-2026-35616, CVSS 9.1) with emergency hotfixes available now — patch immediately. OpenClaw's privilege escalation from yesterday has crossed into community-reported mass compromise; r/sysadmin is in full "you probably got hacked" mode. The FBI classified last month's breach of its wiretap and surveillance management networks as a federal major incident — whoever did this knows who the Bureau is watching. A live phishing campaign impersonating Coca-Cola and Ferrari recruiters deploys real-time AiTM MFA relay against corporate Google Workspace accounts — the third MFA-bypass kit this week. Block hrguxhellito281[.]onrender[.]com.


Critical / Act now

FortiClient EMS zero-day CVE-2026-35616 — CVSS 9.1, confirmed exploited, emergency hotfixes released

Fortinet confirmed active exploitation of CVE-2026-35616, an improper access control flaw (CWE-284) in FortiClient EMS allowing unauthenticated RCE via crafted requests. CVSS 9.1. Emergency hotfixes for EMS 7.4.5 and 7.4.6 released; permanent fix in 7.4.7. Defused Cyber identified the exploitation; Fortinet validated. Covered by 2 sources. (Fortinet PSIRT, HelpNetSecurity)

This is an endpoint management server — compromise here means the attacker controls your agent deployment infrastructure, which is the definition of game over. Not in KEV yet; expect imminent addition. The latest in a now-predictable cadence of Fortinet edge product zero-days: if it's Fortinet and it faces the network, assume it will be exploited, and patch before that assumption is confirmed.

UPDATE: OpenClaw CVE-2026-33579 — exploitation confirmed at scale, community reporting mass compromise

Since April 3: Yesterday we flagged OpenClaw's pairing-to-admin privilege escalation as "assume compromise until patching confirmed." Today the community confirmed it. A Hacker News thread hit 378 points linking to an r/sysadmin post titled "if you're running openclaw you probably got hacked." A second CVE (CVE-2026-34511, weak random values in OpenClaw ≤2026.4.1) has been assigned — possibly part of the exploitation chain. No EPSS or CVSS in enrichment, but 378 HN points and a mass-compromise sysadmin thread is a harder exploitation signal than any score. (NVD, VulDB)

Yesterday's "the lowest-privilege entry point yields everything" architectural critique was correct but understated the urgency. If you deploy OpenClaw, this is an active incident, not a patch cycle item. Rotate all credentials and tokens the agent had access to — which, given OpenClaw's design philosophy of requiring maximum OS-level access to function, is everything.

FBI classifies wiretap and surveillance network breach as federal major incident

The FBI formally classified last month's breach of the networks managing wiretap orders and surveillance operations as a "major incident" under federal cybersecurity reporting thresholds, triggering mandatory OMB and CISA reporting. A criminal investigation is open. No attribution, CVEs, IOCs, or technical details disclosed. (DataBreaches.net)

Whoever hit this now knows who the FBI is surveilling. The counterintelligence implications are severe regardless of attribution — this is among the most sensitive law enforcement infrastructure in the US government. The target selection profile is consistent with state-level intelligence collection. "Major incident" classification is not applied lightly — it means reporting thresholds were crossed for either volume, sensitivity, or impact. Watch for attribution developments and downstream disclosures about what specific surveillance data was accessed.

Job-lure phishing with real-time AiTM MFA relay targeting corporate Google Workspace

Active phishing campaigns impersonating Coca-Cola and Ferrari recruitment deploy a sophisticated AiTM attack against Google Workspace. The kit uses Browser-in-Browser (BitB) rendering to fake a Chrome window with spoofed accounts.google.com URL, then runs a real-time relay polling the attacker backend every 3 seconds. After credential capture, the backend dynamically selects which MFA challenge to present (email code, authenticator, SMS, or Google phone prompt) based on what Google is actually requesting in the parallel session. Full account takeover with 2FA enabled. The kit explicitly filters out @gmail.com — corporate accounts only (T1566.002, T1557.001, T1539). IOC: hrguxhellito281[.]onrender[.]com. (Malwarebytes)

This is the third MFA-bypass kit surfaced this week — after EvilTokens (device code flow abuse) and VENOM (C-suite AiTM). MFA bypass is being commoditized across multiple technique classes simultaneously. The corporate-only targeting filter and dynamic MFA challenge selection make this enterprise-grade. US unemployment at 4.3–4.5% and 1.17M 2025 layoffs provide an unusually large and motivated victim pool for job-lure pretexts. Block the onrender.com IOC at egress and hunt for anomalous OAuth token grants in Workspace audit logs.
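An added hunting example, not code from the digest or from Malwarebytes: it walks constructed Workspace login and token events (field names simplified from the Reports API, an assumption) and flags OAuth grants issued from an IP the user has no established login history from, or that hand over mailbox-wide scopes, which is the anomalous-grant pattern the item says to hunt for.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names are a simplification of Google Workspace
# Reports API login/token activity records (an assumption, not the exact schema).
SAMPLE_EVENTS = [
    {"time": "2026-03-01T08:00:00Z", "app": "login", "name": "login_success",
     "user": "a.rossi@corp.example", "ip": "203.0.113.10", "params": {}},
    {"time": "2026-04-03T08:05:40Z", "app": "token", "name": "authorize",
     "user": "a.rossi@corp.example", "ip": "203.0.113.10",
     "params": {"app_name": "Corp Calendar Sync",
                "scope": ["https://www.googleapis.com/auth/calendar.readonly"]}},
    {"time": "2026-04-04T09:15:02Z", "app": "login", "name": "login_success",
     "user": "a.rossi@corp.example", "ip": "198.51.100.77", "params": {}},
    {"time": "2026-04-04T09:15:09Z", "app": "token", "name": "authorize",
     "user": "a.rossi@corp.example", "ip": "198.51.100.77",
     "params": {"app_name": "Mail Helper", "scope": ["https://mail.google.com/"]}},
]

# Scope prefixes that hand over a whole mailbox or drive; tune for your tenant.
BROAD_SCOPES = ("https://mail.google.com/",
                "https://www.googleapis.com/auth/gmail",
                "https://www.googleapis.com/auth/drive")

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def hunt_token_grants(events, min_ip_age=timedelta(hours=24)):
    """Flag OAuth 'authorize' events where the user's login history from that IP is
    younger than min_ip_age (a relayed session logs in from the relay, not from the
    user's usual address) or where the granted scopes are mailbox/drive-wide."""
    first_login = defaultdict(dict)   # user -> ip -> first successful login time
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user, ip, when = ev["user"], ev["ip"], _ts(ev["time"])
        if ev["app"] == "login" and ev["name"] == "login_success":
            first_login[user].setdefault(ip, when)
        elif ev["app"] == "token" and ev["name"] == "authorize":
            scopes = ev["params"].get("scope", [])
            broad = any(s.startswith(BROAD_SCOPES) for s in scopes)
            seen = first_login[user].get(ip)
            new_ip = seen is None or (when - seen) < min_ip_age
            if new_ip or broad:
                findings.append({"time": ev["time"], "user": user, "ip": ip,
                                 "app_name": ev["params"].get("app_name"),
                                 "new_ip": new_ip, "broad_scope": broad})
    return findings

if __name__ == "__main__":
    for f in hunt_token_grants(SAMPLE_EVENTS):
        print(f)
```

Only the "Mail Helper" grant fires: it arrives seconds after the first login from a new address and asks for full mailbox scope, while the calendar grant from a month-old IP passes.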


Notable

Intesa Sanpaolo: €31.8M GDPR fine for two-year undetected insider breach

Italy's Garante fined Intesa Sanpaolo — one of Europe's largest banks — €31.8M after a single employee accessed 3,573 customer accounts over two years before detection (T1078). The dwell time is the lesson: one insider with legitimate access, systematically abusing it, evaded monitoring at a major G-SIB for 24 months. One of the largest banking-sector data protection fines in memory. Financial sector peers should be asking whether their UBA/UEBA would catch the same pattern — the question isn't whether the tools exist, it's whether the detection thresholds are tuned for low-and-slow internal abuse. (DataBreaches.net)
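An added example of what tuning for low-and-slow looks like, not code from the digest or from any vendor: against a constructed access log, a per-day threshold never fires on the insider, while a 30-day distinct-account count compared to a robust peer baseline (median plus a multiple of MAD) does.

```python
import random
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

def build_sample_log(days=60, seed=7):
    """Constructed access log of (day, employee, customer_id). Five normal staff each
    touch 3 accounts a day from a 40-account portfolio they legitimately service; the
    insider touches 5 a day, always accounts nobody asked them to look at."""
    rng = random.Random(seed)
    log, start = [], date(2026, 1, 1)
    for d in range(days):
        day = start + timedelta(days=d)
        for emp in range(5):
            for cust in rng.sample(range(emp * 40, emp * 40 + 40), 3):
                log.append((day, f"emp{emp}", cust))
        for cust in range(100_000 + d * 5, 100_000 + d * 5 + 5):
            log.append((day, "insider", cust))
    return log

def daily_max(log):
    """Largest number of distinct accounts on any single day, per employee: the
    metric a naive per-day threshold alert looks at."""
    per_day = defaultdict(lambda: defaultdict(set))
    for day, emp, cust in log:
        per_day[emp][day].add(cust)
    return {emp: max(len(s) for s in days.values()) for emp, days in per_day.items()}

def distinct_in_window(log, window_days=30):
    """Distinct accounts per employee over the trailing window ending on the last day."""
    last = max(day for day, _, _ in log)
    cutoff = last - timedelta(days=window_days - 1)
    seen = defaultdict(set)
    for day, emp, cust in log:
        if day >= cutoff:
            seen[emp].add(cust)
    return {emp: len(s) for emp, s in seen.items()}

def flag_low_and_slow(counts, k=5.0):
    """Robust peer-baseline test: anyone above median + k * MAD (MAD floored at 1)."""
    vals = list(counts.values())
    med = median(vals)
    mad = max(median([abs(v - med) for v in vals]), 1.0)
    return sorted(emp for emp, v in counts.items() if v > med + k * mad)

if __name__ == "__main__":
    log = build_sample_log()
    print("daily max:", daily_max(log))            # insider peaks at 5, peers at 3
    print("30-day distinct:", distinct_in_window(log))
    print("flagged:", flag_low_and_slow(distinct_in_window(log)))
```

A daily threshold of 10 would never trip on anyone here; the rolling-window peer comparison isolates the insider because accounts that are never revisited accumulate where a real portfolio saturates.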

Handala wiper on Stryker — update: full restoration confirmed after three-week outage

Iran-linked hacktivist group Handala's destructive wiper attack against Stryker (covered April 2) resulted in approximately three weeks of operational disruption. Since then: Stryker confirms full restoration. No detail on whether data was exfiltrated before wiping. Handala's destructive capability against a Fortune 500 medical device company is not consistent with script-kiddie hacktivism — this is Iranian state-adjacent proxy work in the grey zone. (SC World)

Akira ransomware compressing attack timelines

CyberScoop reports Akira has materially accelerated intrusion-to-exfiltration velocity. The available summary is thin on specific TTPs — pull the primary CyberScoop piece for technique details. Compressed dwell times directly reduce detection and response windows; if Akira has automated lateral movement or data staging, that shifts detection engineering priorities. (SC World)

Agentic AI security surface: a pattern, not an anecdote

Four distinct data points this week form a clear pattern. OpenClaw (mass exploitation, above). PraisonAI (10 CVEs including OS command injection, SSRF, SQL injection, and sandbox escape across central execution paths — routine section). Unit 42's Bedrock multi-agent prompt injection research documenting lateral propagation across agent trust boundaries (Unit 42). And METR's measurement showing AI offensive capability doubling every ~10 months, with frontier models now at 50% success on tasks taking human experts ~3 hours (Latent Space). AI agent frameworks are being deployed to production faster than security review can follow, and the vulnerability classes — sandbox escape, missing auth, command injection in code execution paths — are architecturally fundamental, not edge cases.

Electron framework: 15 CVEs including UAF cluster, CSP bypass, OS command injection

Fifteen CVEs across Electron ≤38.8.5/39.x/40.x/41.x. UAF cluster is highest concern for renderer-to-main-process trust boundary breakdown. CSP bypass (CVE-2026-34767), authorization bypass on event calls (CVE-2026-34766), and macOS OS command injection via app.moveToApplicationsFolder (CVE-2026-34779) round out the highlights. Electron runs VS Code, Slack, Discord, Obsidian, and hundreds of other desktop apps — downstream update propagation to end users is the real challenge. (VulDB)

Amazon Athena ODBC driver: command injection + cert validation failure

Six CVEs in Athena ODBC 2.0.5.1. Command injection in the authentication flow (CVE-2026-35558) and certificate validation failure (CVE-2026-35560) in a driver that handles AWS credentials and runs in BI tool contexts (Tableau, Power BI). Check whether your org pins ODBC driver versions. (VulDB)

OpenPrinting CUPS: heap overflow + IPP auth bypass

Five CVEs in CUPS 2.4.16. Heap overflow in attribute handling (CVE-2026-34979) paired with IPP service auth bypass on /admin/ (CVE-2026-34990) provides a plausible network-to-code-execution chain. Default-installed on most Linux distributions. (VulDB)

prt-scan: GitHub Actions supply chain campaign exploiting pull_request_target

Wiz traced a three-week, six-account campaign exploiting pull_request_target — the GitHub Actions trigger that executes in the base repo's context with secrets access, even from fork PRs. Linked to the earlier "hackerbot-claw" campaign. Three-week detection lag is the operationally significant detail. (Wiz)
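An added audit example, not Wiz's tooling or any project's code: it checks a parsed workflow (the dict `yaml.safe_load` produces) for the well-known misuse pattern in this class of attack, a `pull_request_target` trigger combined with checking out the PR head and then executing it with base-repo secrets in scope; the sample workflows are constructed.

```python
# Expression prefixes that resolve to the untrusted PR head inside a
# pull_request_target run (which executes in the base-repo context, secrets available).
HEAD_REFS = ("github.event.pull_request.head", "github.head_ref")

def _triggers(wf):
    # PyYAML parses the bare key `on` as boolean True, so accept both spellings.
    t = wf.get("on", wf.get(True, {}))
    return list(t) if isinstance(t, (list, dict)) else [t]

def audit_workflow(wf):
    """Return findings for one parsed workflow. The pattern: pull_request_target
    trigger + checkout of the PR head + any later step that executes code (build
    scripts, package install hooks, tests) while the base repo's secrets are in scope."""
    if "pull_request_target" not in _triggers(wf):
        return []
    findings = []
    for job_name, job in (wf.get("jobs") or {}).items():
        untrusted_checkout = False
        for i, step in enumerate(job.get("steps") or []):
            uses = str(step.get("uses", ""))
            ref = str((step.get("with") or {}).get("ref", ""))
            if uses.startswith("actions/checkout") and any(h in ref for h in HEAD_REFS):
                untrusted_checkout = True
                findings.append(f"{job_name}/step{i}: checks out untrusted PR head via {ref}")
            elif untrusted_checkout and ("run" in step or uses):
                findings.append(f"{job_name}/step{i}: executes after untrusted checkout "
                                "with base-repo secrets in scope")
                break
    return findings

# Constructed workflows. VULNERABLE runs PR code with a secret exposed; SAFE keeps
# pull_request_target for a legitimate use (labelling the PR) and never runs PR code.
VULNERABLE = {
    True: {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "npm ci && npm test", "env": {"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}"}},
    ]}},
}
SAFE = {
    "on": {"pull_request_target": {"types": ["opened"]}},
    "jobs": {"label": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},   # default ref: the base branch, not the PR
        {"uses": "actions/labeler@v5"},
    ]}},
}

if __name__ == "__main__":
    print(audit_workflow(VULNERABLE) or "no findings")
    print(audit_workflow(SAFE) or "no findings")
```

Run it over every file in `.github/workflows/` after `yaml.safe_load`; a workflow that needs PR code to run should use the plain `pull_request` trigger, where fork PRs get no secrets.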

Nacogdoches Memorial Hospital: 257K patient breach

Texas health system disclosed a January 2026 breach. No vector, no attribution. Three-month disclosure gap is within legal norms. Covered by 2 sources. (DataBreaches.net, SC World)


Routine

Continuing stories — no material change since last coverage:

New but low-priority:


Noise

~109 entries skipped: 84 vulnerability (WordPress XSS/minor auth, PHP student project SQLi, historical Belden/GarrettCom OT CVEs from 2015–2022 newly indexed by VulDB, niche AI/ML tooling, consumer IoT, blockchain library issues, Emlog/Piwigo/Zulip/JupyterHub stubs); 25 general (8 CrowdStrike marketing posts continuing their campaign to outnumber actual threat actors, gambling prehistory, SF street naming auction, Oracle H-1B labor, Apple self-distillation arxiv paper, vendor marketing, Schneier's weekly squid thread, and an empty SC Magazine podcast segment).


The week's dominant threads — DPRK supply chain operations, MFA bypass commoditization, agentic AI attack surface — are all still active but produced no new intelligence today. The genuinely new items are the FortiClient EMS zero-day (patch now), OpenClaw mass compromise confirmation (incident response now), and the FBI wiretap breach classification (watch for attribution). The job-lure AiTM campaign is the third MFA-bypass kit in seven days; the arms race between MFA deployment and MFA bypass tooling is accelerating faster than conditional access policy can adapt. The quiet DPRK day won't last.