
Weekly Threat Intelligence Briefing — April 06, 2026

April 06, 2026 | 4 min read

🔴 Weekly Threat Intelligence Briefing | Monday, April 6, 2026

A Fortinet zero-day exploited over the Easter weekend, a CVSS 10.0 Cisco firewall flaw actively used in ransomware, a North Korean state operation that ran for six months before draining $285M from a crypto exchange, and a fresh Chrome zero-day added to the KEV catalog. Four things that needed to land on your desk this Monday morning.

CVE-2026-35616 — Fortinet FortiClient EMS Zero-Day (Active Easter Weekend Exploitation)

Affected: FortiClient EMS versions 7.4.5 and 7.4.6

CVSS: 9.1 (Critical) | Status: Actively exploited zero-day — emergency hotfix released April 4, 2026. NOT yet on KEV as of this writing.

Source: @DefusedCyber (X) confirmed zero-day exploitation April 4; Fortinet same-day advisory; watchTowr honeypot hits dating to March 31.

DIB Implication: FortiClient EMS is the central endpoint management hub in many contractor and enterprise environments — it controls policy enforcement, software deployment, and VPN configuration across managed endpoints. Unauthenticated API bypass means an attacker can execute arbitrary code without credentials and gain full control of endpoint management. If your EMS interface is internet-exposed, you are almost certainly already being scanned. Apply the hotfix today. This is the second critical unauthenticated flaw in FortiClient EMS in a matter of weeks — treat it as an emergency response situation, not scheduled maintenance.

CVE-2026-20131 — Cisco Secure Firewall Management Center (CVSS 10.0, Ransomware-Confirmed)

Affected: Cisco FMC Software (versions 6.4.0, 7.0.x–7.7.x, 10.0.0); Cisco Security Cloud Control Firewall Management

CVSS: 10.0 | Status: Actively exploited in ransomware campaigns. KEV-listed March 19, 2026. No workarounds — patch only.

DIB Implication: Cisco FMC is the central management hub for firewall policy across an entire network. Root-level unauthenticated code execution means the attacker owns your boundary enforcement device — silently altering firewall rules, suppressing alerts, and pivoting toward CUI. If FMC is in your CMMC assessment boundary and remains unpatched, document compensating controls before your next assessment interaction. AC.L2-3.1.3 and SI.L2-3.14.1 are directly at risk.

📌 Watch — DPRK UNC4736: $285M Drift Heist Was a Six-Month Intelligence Operation

North Korean state group UNC4736 (AppleJeus / Citrine Sleet) spent six months embedding itself inside the Drift DeFi protocol as a fake quantitative trading firm — meeting contributors in person at industry conferences, depositing $1M+ of their own capital, and sharing malicious code repos and apps throughout. Attack vectors included a VSCode/Cursor silent code execution vulnerability (flagged by the security community since late 2025 and left unpatched by victims) and a malicious TestFlight app. Execution took roughly 12 minutes on April 1. Total: $285M drained. This is not a crypto story. This is the DPRK's social engineering playbook applied at maximum sophistication — constructed professional identities, months of relationship-building, third-party intermediaries conducting face-to-face contact. The VSCode/Cursor silent execution vector is directly relevant to any development team or contractor managing code repositories. If your developers clone repos from external sources, that's an active attack surface today.

Practitioner Takeaway

• FortiClient EMS (CVE-2026-35616): Apply the emergency hotfix now for versions 7.4.5 and 7.4.6 — do not wait for 7.4.7. If patching is delayed, take the EMS management interface off the internet immediately. Monitor EMS API logs for unauthenticated requests. This was exploited over Easter weekend deliberately — the attacker head start is already measured in days.

• Cisco FMC (CVE-2026-20131 / CVE-2026-20079, both CVSS 10.0): No workarounds exist. Patch to a fixed version. If FMC is in your CMMC boundary, document compensating controls today. Isolate the management interface to out-of-band networks if patching is delayed.

• VSCode/Cursor silent code execution: If your development team clones repos from external parties — vendors, teaming partners, open-source projects — this is an active threat vector today. Require code review before execution and audit developer workstations that accepted external repos since December 2025.

• Chrome zero-day (CVE-2026-5281, KEV April 1, FCEB deadline April 15): Push browser updates across all managed endpoints this week. Pay particular attention to contractor-owned devices accessing Microsoft 365, SharePoint, or any CUI-adjacent contractor portal via browser.
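
One way to carry out the workstation audit in the VSCode/Cursor takeaway, as an added example rather than anything from the briefing: it walks a directory tree, reads each clone's .git/config for remote URLs, and reports clones from hosts outside an allowlist whose clone marker is dated on or after 1 December 2025. TRUSTED_HOSTS, the cutoff, the use of .git/description mtime as a clone-time proxy, and the constructed fixture in demo() are all assumptions.

```python
import os, re, tempfile
from datetime import datetime, timezone
from pathlib import Path

TRUSTED_HOSTS = {"git.example.internal"}             # assumed: your internal git hosts
CUTOFF = datetime(2025, 12, 1, tzinfo=timezone.utc)  # the briefing's "since December 2025"

def remote_host(url: str) -> str:
    """Host of an https://, ssh:// or scp-style (git@host:org/repo) URL; '' for a local path."""
    m = re.match(r"^(?:[a-z+]+://)?(?:[^@/:]+@)?(?P<host>[^:/]+)", url.strip())
    return m.group("host").lower() if m else ""

def repo_remotes(repo: Path) -> dict:
    """Map remote name -> URL by parsing the [remote "<name>"] sections of .git/config."""
    remotes, section = {}, None
    for line in map(str.strip, (repo / ".git" / "config").read_text(errors="replace").splitlines()):
        if line.startswith("["):                      # new section; only remote ones matter
            m = re.fullmatch(r'\[remote "([^"]+)"\]', line)
            section = m.group(1) if m else None
        elif section and (m := re.fullmatch(r"url\s*=\s*(\S+)", line)):
            remotes[section] = m.group(1)
    return remotes

def find_external_repos(root: Path, trusted=TRUSTED_HOSTS, cutoff=CUTOFF) -> list:
    """Walk root; report repos with a remote on an untrusted host that were cloned at/after cutoff."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if ".git" not in dirnames:
            continue
        dirnames.remove(".git")                       # don't descend into git metadata
        repo = Path(dirpath)
        # .git/description is written at clone time and rarely touched again, so its mtime is our clock
        cloned = datetime.fromtimestamp((repo / ".git" / "description").stat().st_mtime, timezone.utc)
        for name, url in repo_remotes(repo).items():
            host = remote_host(url)
            if host and host not in trusted and cloned >= cutoff:
                findings.append({"repo": repo.name, "remote": name, "host": host, "cloned": cloned.date().isoformat()})
    return sorted(findings, key=lambda f: f["repo"])

def demo() -> list:
    """Constructed sample workstation: three fake clones in a temp dir (no real git needed)."""
    root = Path(tempfile.mkdtemp())
    for name, url, day in [("ext-new", "git@github.com:partner/tool.git", (2026, 1, 15)),
                           ("ext-old", "https://gitlab.com/x/y.git", (2025, 6, 1)),
                           ("internal", "https://git.example.internal/team/app.git", (2026, 2, 1))]:
        (g := root / name / ".git").mkdir(parents=True)
        (g / "config").write_text(f'[core]\n\tbare = false\n[remote "origin"]\n\turl = {url}\n')
        (g / "description").write_text("Unnamed repository\n")
        ts = datetime(*day, tzinfo=timezone.utc).timestamp()
        os.utime(g / "description", (ts, ts))        # backdate the clone marker for the fixture
    return find_external_repos(root)
```

Run demo() to see the one constructed clone that is both external and inside the audit window; point find_external_repos() at a real home directory to audit a workstation.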

Two unauthenticated critical flaws in FortiClient EMS in the span of two weeks — and a DPRK operation that exploited an unpatched developer tool for months. Where are you seeing the biggest patch lag in your environment right now: endpoint management, firewall infrastructure, or developer toolchains? Drop it in the comments.

Craig Wood | CISM | CCA Lead Assessor | ISO 27001 Lead Auditor

CEO, PSY Logistics Technology Partners

CMMC | Maritime Cybersecurity | vCISO | DIB

#ThreatIntelligence #Cybersecurity #InfoSec #PSYLogistics #CMMC #DIB #CVE #PatchManagement #CISA #KEV #ZeroDay #Ransomware #vCISO #GRC #Fortinet #DPRK
