17 Apr 2026
Week in review
Greetings,
A major data breach at global education publisher McGraw Hill has exposed the personal information of approximately 13.5 million users. The incident followed an extortion attempt by the ShinyHunters cybercrime group, which has since leaked more than 100GB of stolen data online.
According to McGraw Hill, attackers exploited a misconfiguration in a Salesforce-hosted web environment used by the company, rather than gaining access to its core internal systems. The publisher stated that its primary customer databases, learning platforms and courseware were not compromised, and that the issue appears to be linked to a broader configuration problem affecting multiple Salesforce customers. While McGraw Hill described the exposed information as a “limited” data set, independent analysis by breach notification service Have I Been Pwned shows the leaked files contain 13.5 million unique email addresses, with some records also including names, phone numbers and physical addresses.
The attackers initially claimed to have accessed as many as 45 million records and threatened to release the data unless a ransom was paid. When negotiations appeared to fail, ShinyHunters followed through on its threat, publishing the information on its dark web leak site. Although no passwords, payment details or student academic records were reported among the exposed data, cyber security experts warn the information is still highly valuable to criminals. At this scale, even partial personal data can significantly increase the effectiveness of phishing, credential stuffing and other social engineering attacks.
The breach highlights the growing risks associated with third-party cloud platforms and shared responsibility models. As organisations increasingly rely on SaaS environments such as Salesforce, small configuration errors can have outsized consequences, reinforcing the need for ongoing security monitoring, governance and independent validation of cloud deployments.
Critical flaw in wolfSSL library enables forged certificate use
Date: 2026-04-13
Author: Bleeping Computer
A critical vulnerability in the wolfSSL SSL/TLS library can weaken security via improper verification of the hash algorithm or its size when checking Elliptic Curve Digital Signature Algorithm (ECDSA) signatures.
Researchers warn that an attacker could exploit the issue to force a target device or application to accept forged certificates for malicious servers or connections.
Critical MCP Integration Flaw Puts NGINX at Risk
Date: 2026-04-16
Author: Dark Reading
Attackers are actively exploiting a critical flaw in the widely used nginx-ui interface for managing NGINX web servers.
The flaw, tracked as CVE-2026-33032 (CVSS: 9.8), stems from nginx-ui's insecure implementation of the Model Context Protocol (MCP) and gives attackers a way to make unauthorized changes to NGINX server configurations, in some cases with little or no authentication.
Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days
Date: 2026-04-14
Author: Bleeping Computer
[AUSCERT has published security bulletins for these Microsoft updates]
Today is Microsoft's April 2026 Patch Tuesday with security updates for 167 flaws, including 2 zero-day vulnerabilities.
This Patch Tuesday also addresses eight "Critical" vulnerabilities, seven of which are remote code execution flaws; the remaining one is a denial of service flaw.
Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621
Date: 2026-04-12
Author: The Hacker News
[Please see also AUSCERT Bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.3505/]
Adobe has released emergency updates to fix a critical security flaw in Acrobat Reader that has come under active exploitation in the wild.
The vulnerability, assigned the CVE identifier CVE-2026-34621, carries a CVSS score of 8.6 out of 10.0. Successful exploitation of the flaw could allow an attacker to run malicious code on affected installations.
Fake Claude Website Distributes PlugX RAT
Date: 2026-04-13
Author: Security Week
A website posing as a legitimate Anthropic Claude domain was caught serving a remote access trojan to its visitors, Malwarebytes reports.
Relying on Claude’s popularity, a threat actor created a site that hosts a download link pointing to a ZIP archive allegedly containing a pro version of the LLM.
The file contains an MSI installer that mimics the legitimate Anthropic installation chain and installs the real Claude application.
ASB-2026.0066 – Microsoft Office, Microsoft Office Services and Web Apps: CVSS (Max): 8.4
Microsoft urges immediate patching of 14 Office and SharePoint vulnerabilities, including multiple RCE and information disclosure flaws. CVE-2026-32201 (SharePoint spoofing) is actively exploited in the wild.
ESB-2026.3685 – Adobe Experience Manager: CVSS (Max): 9.8*
Adobe patched multiple vulnerabilities in AEM Screens, including critical flaws. Exploitation may allow remote code execution and privilege escalation.
ESB-2026.3724 – Fortinet FortiSandbox: CVSS (Max): 9.1
Fortinet patched a FortiSandbox vulnerability that may allow unauthorized access or code execution.
ESB-2026.3787 – Cisco Identity Services Engine: CVSS (Max): 9.9
Unauthenticated Remote Code Execution vulnerability in Cisco Identity Services Engine (ISE) allows attackers to execute arbitrary commands remotely.
ESB-2026.3801 – Splunk Operator for Kubernetes Add-on 3.1: CVSS (Max): 10.0
Splunk addresses critical fixes related to third-party package updates in Splunk Operator for Kubernetes. Users are advised to upgrade to version 3.1.0 or later to remediate the issues.
Stay safe, stay patched and have a good weekend!
The AUSCERT team