Weekly Exploit Roundup
Generated 2026-04-07T08:00:17.192155+00:00 (UTC)
- Initial Access Brokers have Shifted to High-Value Targets and Premium Pricing
Source: Rapid7 Cybersecurity Blog | Published: 2026-03-31T13:00:00+00:00 | Score: 28.949
Initial Access Brokers (IABs) are a key component of the cybercrime ecosystem, offering hassle-free building blocks for ransomware, data theft, and extortion. Rapid7’s analysis of H2 2025 activity across five major forums grants fresh insight into a power balance shift toward initial access sales from newer marketplaces, such as RAMP and DarkForums. Higher asking prices and more focus on high-value sectors and large organizations, such as Government, Retail, and IT, reveal a mature and profit-focused IAB market. This blog highlights key access trends and pricing, pinpoints the most targeted industries and regions, and gives actionable recommendations for identifying and isolating potential breaches via popular IAB offerings.
Key findings
Our detailed analysis of six months of data from Exploit, XSS, BreachForums, DarkForums, and RAMP reveals the following key findings: Access prices and target organization size increased dramatically: The average alleged victim revenue and offering bas
- Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed
Source: The Hacker News | Published: 2026-04-07T05:56:00+00:00 | Score: 23.738
Threat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck.
The vulnerability in question is CVE-2025-59528 (CVSS score: 10.0), a code injection vulnerability that could result in remote code execution.
"The CustomMCP node allows users to input configuration settings for connecting
- Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS
Source: The Hacker News | Published: 2026-04-05T04:32:00+00:00 | Score: 22.568
Fortinet has released out-of-band patches for a critical security flaw impacting FortiClient EMS that it said has been exploited in the wild.
The vulnerability, tracked as CVE-2026-35616 (CVSS score: 9.1), has been described as a pre-authentication API access bypass leading to privilege escalation.
"An improper access control vulnerability [CWE-284] in FortiClient EMS may allow an
- New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released
Source: The Hacker News | Published: 2026-04-01T11:42:00+00:00 | Score: 22.424
Google on Thursday released security updates for its Chrome web browser to address 21 vulnerabilities, including a zero-day flaw that it said has been exploited in the wild.
The high-severity vulnerability, CVE-2026-5281 (CVSS score: N/A), concerns a use-after-free bug in Dawn, an open-source and cross-platform implementation of the WebGPU standard.
"Use-after-free in Dawn in Google Chrome prior
- vSphere and BRICKSTORM Malware: A Defender's Guide
Source: Threat Intelligence | Published: 2026-04-02T14:00:00+00:00 | Score: 19.107
Written by: Stuart Carrera
Introduction
Building on recent BRICKSTORM research from Google Threat Intelligence Group (GTIG), this post explores the evolving threats facing virtualized environments. These operations directly target the VMware vSphere ecosystem, specifically the vCenter Server Appliance (VCSA) and ESXi hypervisors. To help organizations stay ahead of these risks, we will focus on the essential hardening strategies and mitigating controls necessary to secure these critical assets. By establishing persistence at the virtualization layer, threat actors operate beneath the guest operating system where traditional security protections are ineffective. This strategy takes advantage of a significant visibility gap, as these control planes do not support standard endpoint detection and response (EDR) agents and have historically received less security focus than traditional endpoints. This activity is not the result of a security vulnerability in vendors' products or infrastruct
- Metasploit Wrap-Up 04/03/2026
Source: Rapid7 Cybersecurity Blog | Published: 2026-04-03T19:06:10+00:00 | Score: 18.973
Additional Adapters and More Modules
This week, we added a whole new bunch of HTTP/HTTPS-based CMD payloads for X64 and X86 versions of Windows. The additional breadth of selectable payloads and delivery techniques allows users new options to tailor the attack workflow for their environment. This was contributed by bwatters-r7. Adding new architectures for adapted payloads is surprisingly easy and something a first-time contributor might want to look into! New modules added to Metasploit Framework also allow for targeting FreeScout and Grav CMS, both of which result in remote code execution. These modules were contributed by Chocapikk and x1o3 respectively. Thanks! Thanks to g0tmi1k, Metasploit Framework now also includes an exploit module, multi/http/os_cmd_exec, which allows for targeting generic HTTP command execution vulnerabilities where user-supplied input is directly passed to system execution functions via an HTTP request. This can result in a Meterpreter shell on the remote
- You Don’t Have a Security Problem, You Have a Visibility Problem
Source: Rapid7 Cybersecurity Blog | Published: 2026-04-03T13:46:13+00:00 | Score: 17.814
What you’ll learn in this article
This article explains why many breaches are driven by gaps in visibility rather than advanced exploits, how attackers move through modern environments, and what changes when organizations start connecting assets, identities, and attack paths into a single view.
What is a visibility problem in cybersecurity?
A visibility problem exists when security teams cannot clearly answer three basic questions: what assets exist, who or what can access them, and how those elements connect. When those answers are incomplete, decisions are made based on assumptions – and that creates conditions where risk can grow, unnoticed. As environments expand across cloud, SaaS, and hybrid infrastructure, the number of systems and identities grows quickly. What often falls behind is a clear understanding of how they relate to each other, and that gap is where attackers tend to operate.
How visibility gaps turn into breaches
A large medical technology organization experienced a
- New FortiClient EMS flaw exploited in attacks, emergency patch released
Source: BleepingComputer | Published: 2026-04-05T18:45:17+00:00 | Score: 16.091
Fortinet has released an emergency weekend security update for a new critical FortiClient Enterprise Management Server (EMS) vulnerability that is actively exploited in attacks. […]
- Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit
Source: BleepingComputer | Published: 2026-04-06T19:19:27+00:00 | Score: 15.323
Exploit code has been released for an unpatched Windows privilege escalation flaw reported privately to Microsoft, allowing attackers to gain SYSTEM or elevated administrator permissions. […]
- CISA orders feds to patch exploited Fortinet EMS flaw by Friday
Source: BleepingComputer | Published: 2026-04-06T16:02:14+00:00 | Score: 15.025
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to secure FortiClient Enterprise Management Server (EMS) instances against an actively exploited vulnerability by Friday. […]
End of report.
