
SANS Stormcast Wednesday, April 15th, 2026: Microsoft, Adobe, Fortinet and others Patches

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9892.mp3



Podcast Transcript

Hello and welcome to the Wednesday, April 15, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Stockheim, Germany. And this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Cybersecurity Fundamentals.

Well, of course, no surprise today. We're starting with Microsoft's Patch Tuesday for April. And it's a little interesting Patch Tuesday. When I first looked at the number of vulnerabilities patched, I was quite surprised. According to our count, we have 243 vulnerabilities. But remember, our count also includes any Microsoft Edge vulnerabilities, which were actually already patched before today. These are vulnerabilities in the underlying Chromium browser that are then ported into Microsoft Edge as well. So after we subtract these 78 vulnerabilities, we're left with 165 vulnerabilities that are affecting Microsoft's own products, which is still a pretty solid number.

Now, there are a couple of noteworthy ones here. First of all, there are eight critical ones, and one that's already being exploited, and one that hasn't been exploited yet but, well, has become known before today. The one that has become known before today I may have mentioned, but it sort of came out, I think, last week. And this is a privilege escalation in Microsoft Defender. One of those typical sort of, you know, antivirus vulnerabilities where basically an attacker can escalate privileges because, well, antivirus has to operate at elevated privileges. The one that's already being exploited is then a Microsoft SharePoint spoofing vulnerability. There are actually two very similar SharePoint Server spoofing vulnerabilities that are being patched this month, but only one of them is already being exploited.

Now, other sort of interesting vulnerabilities, basically critical vulnerabilities. The one that sort of caught my eye first, that I think is sort of the most interesting one, maybe not the most critical one, is a TCP/IP remote code execution vulnerability. Now, it does not get a full 10 on the CVSS scale. It's sort of in the 8 range here. It's a race condition, which usually means that exploitation is tricky. But yes, it does allow for unauthenticated code execution over the network. So it's something to watch out for. Not really sufficient details known yet, at least as far as I could find, to really know how severe of an issue that is, how difficult it would be to create an exploit exploiting this timing issue here that triggers the vulnerability. In addition, we do have an Active Directory remote code execution vulnerability. Again, not a lot of details at this point. CVSS score in the 8 range, but that's definitely also one of those critical ones to watch.

As usual, we got a couple of critical Office and Word vulnerabilities. Well, those are often then exploited. So definitely something that you have to address. The, well, I would say less severe critical vulnerabilities that we have here are, first of all, a Remote Desktop client remote code execution vulnerability that typically requires that the user connects to a malicious RDP server. This can be triggered sort of with links. Yeah, it's certainly exploitable if someone can come up with the right kind of malicious server and then trick the user to click on the link. But also, you know, that could probably be easily blocked as well. Then we have an Internet Key Exchange, IKE, vulnerability. So basically IPsec related. This will likely require that you are, first of all, configuring IKE and IPsec on the system. And then, of course, that someone is able to connect to it. The last one, I don't quite understand why it got rated critical. It's a .NET Framework denial of service vulnerability. Typically, denial of service vulnerabilities are not necessarily rated as critical; maybe because it affects the .NET Framework, they consider that more severe than other sort of denial of service vulnerabilities.

But overall, like I said, the TCP/IP vulnerability, it will be interesting to see what will come out of that. I personally doubt a little bit that it will become a big deal, but it certainly has some potential here in the description of it, as well as the remote Active Directory vulnerability. Those, I think, are the two that you should really watch. Office, well, table stakes, kind of, you have to get it updated. It's just another Patch Tuesday in that respect.

And of course, we do have patches from Adobe as well. Patches for 11 different products. And the one that's a little bit more interesting here is one I already mentioned on Monday. And that's a vulnerability in Adobe Acrobat Reader. First of all, there's two bulletins now. The one that was published over the weekend that patches the already exploited vulnerability. And then we got a second bulletin today that patches two vulnerabilities. One of the vulnerabilities is critical. It's an arbitrary code execution. The second one is an arbitrary file read vulnerability. So definitely the first one is something to keep an eye on and that may be exploited soon. We also got again updates in ColdFusion. And ColdFusion, of course, is always something that I look at. And there is also one arbitrary code execution vulnerability here with a CVSS base score of 9.3. Also an arbitrary file system write and such that can often then lead to more severe compromises. Definitely get this updated, get this patched. And the other vulnerabilities that were patched, the other products, most of them have a priority of three according to Adobe, which usually means that they don't really expect them to be exploited, which matches kind of my experience. These are the two products out of the list that we regularly see exploits being developed for.

And Fortinet also released updates fixing 11 vulnerabilities across their product portfolio. The one product I want to just point out, and I don't really have the time to go into every single flaw here, but the one product that has a couple interesting flaws here is FortiSandbox, which suffers, for example, from a critical vulnerability here, an improper neutralization of special elements used in an OS command. So an OS command injection vulnerability; those are always important and critical, really. And yes, also reachable here through an API endpoint. Other than that, also some critical ones for FortiOS, particularly some interesting sort of missing authentication for critical function vulnerabilities. So yes, as I always say, patch, patch, because we see so many attacks, in particular, against sort of any kind of gateway or border security device. And that usually means FortiOS is the target here.

Well, and that's it for today. At least that's what I had time for. There were a couple other vulnerabilities I sort of had on the list, but well, really don't have the time to cover: wolfSSL, the SSL library. There is a PHP Composer issue, an interesting one that was addressed. Ivanti Neurons had some vulnerabilities being addressed. And SAP, a very large set of patches. It was their usual patch day as well. So thanks for listening. Thanks for liking. Thanks for recommending this podcast. And talk to you again tomorrow. Bye.