April 2026 Cybersecurity News Digest


Here is a digest of cybersecurity news stories from April 2026:

1. A zero-day vulnerability in SharePoint actively exploited: 1,370+ servers globally still unpatched

A critical zero-day spoofing vulnerability in Microsoft SharePoint Server (CVE-2026-32201) is being actively exploited, as confirmed by Microsoft on April 14, 2026. The flaw affects multiple SharePoint Server versions due to improper input validation, allowing unauthenticated remote attackers to perform spoofing attacks and access sensitive organisational data. Although the individual risk to confidentiality and integrity is low, the lack of authentication requirements coupled with active exploitation raises significant concerns.

Microsoft has released security updates for affected versions:

  • SharePoint Server Subscription Edition — KB5002853
  • SharePoint Server 2019 — KB5002854
  • SharePoint Enterprise Server 2016 — KB5002861

Organisations are advised to treat these as emergency updates, applying them immediately and monitoring for unusual activity. It is also recommended to restrict external-facing SharePoint instances until patches are applied and to enhance defences to protect against exploitation. Over 1,370 internet-facing IP addresses remain unpatched worldwide.

2. Google uses Gemini AI to block 8.3 billion malicious ads

Threat actors are increasingly using generative AI for advertising scams, prompting Google to enhance its security with Gemini AI models. According to the 2025 Ads Safety Report, this has improved Google's defence, blocking over 99% of policy-violating ads before users see them. Key achievements in 2025 include:

  • Blocking or removing over 8.3 billion malicious ads globally.
  • Suspending 24.9 million advertiser accounts for severe violations.
  • Intercepting 602 million ads linked to scams.
  • Disabling 4 million accounts associated with active scams.

Google's proactive security now blocks harmful content at submission, with plans to expand this capability. Gemini AI has also increased the efficiency of user report handling, leading to an 80% reduction in incorrect advertiser suspensions compared to the previous year.

3. Microsoft April 2026 Patch Tuesday

Microsoft's April 2026 Patch Tuesday addresses 168 vulnerabilities, including one actively exploited zero-day (the SharePoint Server spoofing vulnerability) and one publicly disclosed flaw, across a wide span of the Microsoft portfolio, including the Windows Kernel (multiple EoP flaws), Windows Print Spooler, Windows LSASS, Windows Hyper-V, Remote Desktop Licensing Service, Azure Monitor Agent, Azure Logic Apps, Microsoft SQL Server, SharePoint Server, PowerShell, GitHub Copilot, and Visual Studio Code.

4. Data breach at Booking.com: Customer information has been hacked

Booking.com has confirmed a cyberattack where unauthorised third parties accessed customers' personal data, including names, email addresses, phone numbers, and reservation details. The company detected suspicious activity and has notified affected customers via email.

While specific numbers of impacted customers and details about the breach remain undisclosed, Booking.com has reset the PINs for affected reservations. It is confirmed that financial information was not accessed, but the status of stored credit card data is unclear. Customers are warned that Booking.com will never request sensitive information via phone, SMS, or WhatsApp. Security experts advise users to be vigilant against phishing attempts and to verify communications through official channels.

5. Critical Android vulnerabilities patched: Update now!

Google's April 2026 Android Security Bulletin has been released, addressing critical vulnerabilities in millions of Android devices worldwide. The key issues include:

1. CVE-2026-0049: A critical zero-interaction vulnerability in the Android Framework that can lead to local denial-of-service attacks, making devices unresponsive or crashing them without any user interaction. Because the attack requires no additional execution permissions, it is worryingly easy to trigger. The flaw affects Android versions 14, 15, 16, and 16-qpr2.

2. CVE-2025-48651: A high-severity vulnerability in the StrongBox component, which protects cryptographic keys. This flaw affects several hardware implementations from vendors including Google, NXP, STMicroelectronics, and Thales. Since StrongBox is intended to be the strongest protection for a device's most sensitive cryptographic material, addressing this vulnerability is crucial for preserving the device's overall integrity.

Device manufacturers were notified of these issues a month in advance to prepare updates. Users are advised to check their security patch level in settings; a date of 2026-04-05 or later indicates protection against these vulnerabilities. Google emphasises the importance of applying the latest security updates promptly.
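A practical way to perform the patch-level check described above across managed devices, as an added example that is not part of the original digest: the script reads the standard Android system property ro.build.version.security_patch over adb and compares it with the 2026-04-05 threshold from the bulletin. The function and variable names are the author's own choices; the live check assumes a connected, USB-debugging-authorised device and is only run when ANDROID_PATCH_CHECK_LIVE=1 is set.

```shell
#!/bin/sh
# Added example: verify an Android device's security patch level against the
# April 2026 bulletin. The threshold date is taken from the digest; the property
# name ro.build.version.security_patch is a standard Android system property.
MIN_PATCH_LEVEL="2026-04-05"

# patch_level_ok LEVEL
# Returns 0 when LEVEL (YYYY-MM-DD) is on or after MIN_PATCH_LEVEL, and 1 for
# older or malformed input (an empty string from a missing device counts as
# malformed, so it is reported as needing action rather than silently passing).
# The hyphens are stripped so the dates compare as plain integers, which is
# portable across sh implementations.
patch_level_ok() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    num=$(printf '%s' "$level" | tr -d '-')
    min=$(printf '%s' "$MIN_PATCH_LEVEL" | tr -d '-')
    [ "$num" -ge "$min" ]
}

# check_device
# Reads the live patch level from the connected device and prints a verdict.
# Returns 0 when the device is covered, 1 when it needs an update.
check_device() {
    level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
    if patch_level_ok "$level"; then
        echo "OK: patch level $level covers the April 2026 bulletin"
        return 0
    fi
    echo "ACTION NEEDED: patch level '${level:-unknown}' is older than $MIN_PATCH_LEVEL"
    return 1
}

# Run the live adb check only on request, so the functions can be sourced safely.
if [ "${ANDROID_PATCH_CHECK_LIVE:-0}" = 1 ]; then
    check_device
fi
```

For a fleet, loop over `adb devices -l` and prefix each call with `-s <serial>`; the exit status of check_device makes it easy to feed the result into an inventory or ticketing script.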

6. Adobe breach: A threat actor claims to have leaked 13 million support tickets and employee records

A threat actor claims to have breached Adobe, exfiltrating sensitive data including 13 million support tickets, 15,000 employee records, and all HackerOne bug bounty submissions. The breach originated through an Indian BPO firm contracted by Adobe, highlighting risks in third-party vendor relationships.

The attacker deployed a Remote Access Tool (RAT) via a phishing email, gaining access to an employee’s machine and escalating control by phishing their manager. This access allowed bulk data extraction from Adobe's support ticketing platform without triggering security controls. The incident raises concerns about third-party vendor security, access management, and data export capabilities. Adobe has not confirmed the breach, but if verified, this would represent one of the more significant data exposures of 2026. Security teams are advised to monitor their own contractor access and audit permissions.

7. Starbucks breach: Alleged attacks result in the theft of 10GB of source code

The threat group ShadowByt3s has attacked Starbucks, claiming to have stolen 10GB of proprietary source code and operational firmware. The data was obtained from a misconfigured Amazon S3 bucket named "sbux-assets" as part of a campaign exploiting cloud vulnerabilities. The stolen data includes operational technology for physical store machines and various internal management tools, such as a centralised "New Web UI" and an inventory management portal (b4-inv).

This incident follows a previous security breach in March 2026, where a phishing campaign compromised 889 employee accounts, exposing financial data and personal information, while the recent attack focuses on corporate infrastructure.

Hope your systems will stay safe and NIS2-compliant throughout 2026! If you need help, contact us for expert advice!
