Threat Report 171

In this week's report: a critical flaw in Progress ShareFile with a working exploit already publicly available, a serious vulnerability in Mitel MiCollab widely used for communications across NHS trusts, an actively exploited zero-day in Adobe Acrobat Reader affecting virtually every organisation, a UK-listed company that lost £700,000 to contractor payment fraud, and a ransomware attack disrupting healthcare software provider ChipSoft. Full report below...

Critical Flaw in Progress ShareFile Storage Zones Controller — Working Exploit Available

Progress ShareFile, formerly known as Citrix ShareFile, is a file sharing and collaboration platform used across many organisations, including NHS trusts and their suppliers. On 7 April 2026, Progress released a security update to fix two critical vulnerabilities in its Storage Zones Controller (SZC), the on-premises component of the platform.

The first flaw, CVE-2026-2699, has a severity score of 9.8 out of 10. It allows an attacker with no login details at all to reach restricted configuration pages inside the system. The second flaw, CVE-2026-2701, has a severity score of 9.1 out of 10. Once an attacker has access to those pages, they can upload a malicious file and use it to run their own code on the server. When the two flaws are chained together, an attacker can take over the server entirely, no username or password required.

A proof-of-concept exploit, working code that demonstrates the full attack chain and can be reused by others with little effort, is already publicly available. NHS England's National CSOC has assessed that exploitation is highly likely.

ShareFile is used to store and share files, often sensitive documents, financial records, or clinical information. An attacker who can run code on your Storage Zones Controller could access or steal everything stored there, change system settings, or use the compromised server as a stepping stone deeper into your network.

For NHS suppliers and organisations subject to the Data Security and Protection Toolkit (DSPT), a compromise of a file-sharing platform could trigger a reportable data breach affecting personal or patient data. The fact that a working exploit is already publicly available makes this an urgent, real-world risk, not just a theoretical one.

Recommendations
  • Check whether your organisation uses Progress ShareFile Storage Zones Controller (SZC) and confirm which version is running.
  • Apply the security update to version 5.12.3 or later immediately — do not wait.
  • If you cannot patch straight away, restrict network access to the SZC management interface so it is not reachable from the open internet or untrusted network segments.
  • Check your ShareFile logs for any unexpected access or configuration changes, particularly in the period since the vulnerability was disclosed.
  • If a managed service provider or IT supplier manages ShareFile on your behalf, ask them to confirm the patching status without delay.

Mitel MiCollab Critical SQL Injection Allows Unauthenticated Database Access

On 9 April 2026, Mitel released a security advisory covering two vulnerabilities in MiCollab, a widely used communications and collaboration platform. The most serious flaw is a SQL injection vulnerability with a severity score of 9.8 out of 10.

SQL injection occurs when text supplied by a user is pasted directly into a database query instead of being passed to the database separately as data, so that specially crafted input is executed as part of the query itself. In this case, an attacker with no login credentials can send requests over the internet that cause the database to return information it should not, or to execute commands of the attacker's choosing. That potentially includes user account details, system configuration data, and other sensitive information held in the database.

A second, separate flaw in MiCollab allows a local attacker to run commands with elevated system privileges. Mitel has warned that using both vulnerabilities together can significantly increase the overall impact of an attack.

Affected versions are MiCollab 10.2.0.24 and earlier.

Mitel MiCollab is widely deployed across NHS trusts, local authorities, and healthcare organisations as a central communications platform. It handles internal messaging, voicemail, video calls, and staff directories. A database compromise through the SQL injection flaw could expose staff account details, contact information, and system credentials — all of which could be used to launch further attacks.

For NHS organisations and NHS suppliers, a breach of communications infrastructure can affect the confidentiality of internal conversations, disrupt services, and trigger obligations under the DSPT and the UK GDPR.

Recommendations
  • Check whether your organisation runs Mitel MiCollab and confirm the version in use.
  • Apply the update referenced in Mitel Security Advisory MISA-2026-0002 as soon as possible.
  • Restrict external access to MiCollab administration interfaces where this has not already been done.
  • Review MiCollab access logs for any unusual or unauthorised activity.
  • If a third-party supplier manages your Mitel environment, ask them to confirm the patch has been applied.

Adobe Acrobat Reader Zero-Day Actively Exploited — Emergency Patch Released

On 12 April 2026, Adobe released an emergency security update for Adobe Acrobat Reader to fix a vulnerability that attackers are already exploiting in the real world. The flaw is tracked as CVE-2026-34621 and has a severity score of 8.6 out of 10.

The vulnerability is a type of coding flaw known as prototype pollution. It affects programs written in JavaScript, which Acrobat Reader uses to support scripted features inside PDF documents: if untrusted data is allowed to write to the shared "prototype" that other objects inherit from, a single crafted value can change the behaviour of unrelated parts of the program. In this case, a specially crafted PDF can exploit the flaw in a way that lets an attacker run their own code on the victim's computer. The victim does not need to do anything other than open the malicious document.
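As an added illustration (this is not Adobe's code and does not reproduce CVE-2026-34621, whose internals the report does not give), the following generic JavaScript shows what prototype pollution is: a "deep merge" of attacker-controlled JSON that writes into Object.prototype, beside a hardened merge that refuses the dangerous keys. The `isPrivileged` check, the `MALICIOUS_JSON` document and both merge functions are constructed for the example.

```javascript
// Added illustration of prototype pollution in generic JavaScript.
// This is NOT Adobe's code and does not reproduce CVE-2026-34621; it shows the
// bug class: an unsafe "deep merge" of untrusted data lets a crafted key
// ("__proto__") write into Object.prototype, which every plain object inherits.

// Constructed attacker input: looks like ordinary document metadata, but the
// "__proto__" key targets the shared prototype rather than this object.
const MALICIOUS_JSON = '{"title":"Referral letter","__proto__":{"isAdmin":true}}';

// A privilege check elsewhere in the program. Nothing here ever sets isAdmin,
// so a freshly created object should never pass it.
function isPrivileged(user) {
  return user.isAdmin === true;
}

// Vulnerable: recursive merge that trusts every key in `source`.
// When key === "__proto__", target[key] resolves to Object.prototype and the
// recursion writes attacker-controlled properties onto it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain, and only recurse
// into properties the target actually owns, never inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop the dangerous keys outright
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const child = (own !== null && typeof own === 'object') ? own : {};
      target[key] = safeMerge(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merge the malicious document unsafely, then check whether an unrelated object
// created afterwards has become "privileged". Undo the pollution at the end so
// the rest of the process is not affected.
function demoUnsafe() {
  const settings = unsafeMerge({}, JSON.parse(MALICIOUS_JSON));
  const bystander = {}; // never touched by the merge
  const result = {
    title: settings.title,
    bystanderPrivileged: isPrivileged(bystander),
  };
  delete Object.prototype.isAdmin; // clean up
  return result;
}

// Same input through the hardened merge: the title is kept, the pollution is not.
function demoSafe() {
  const settings = safeMerge({}, JSON.parse(MALICIOUS_JSON));
  const bystander = {};
  return {
    title: settings.title,
    bystanderPrivileged: isPrivileged(bystander),
    protoKeyCopied: Object.prototype.hasOwnProperty.call(settings, '__proto__'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe merge:', demoUnsafe()); // bystanderPrivileged: true
  console.log('safe merge:  ', demoSafe());   // bystanderPrivileged: false
}
```

Run it with node. The point to take away is that after the unsafe merge a brand-new empty object passes a privilege check that never looked at the malicious input; the attacker has altered code paths they were never meant to touch. In a real engine the polluted property is typically one the runtime itself consults, which is how this class of flaw is escalated from a logic bug to code execution.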

Adobe has confirmed that it is aware that this vulnerability is being actively exploited in the wild. Security researchers had been tracking the flaw for some time before the patch was released, noting that attackers were using it to identify and profile potential targets before deciding whether to deliver a more destructive payload.

The update affects both Windows and macOS versions of Acrobat Reader. Users should update to the latest release immediately.

Adobe Acrobat Reader is one of the most widely used pieces of software in the world. In healthcare settings, PDFs are ubiquitous; clinical documents, referral letters, discharge summaries, contracts, and policies are all routinely shared and opened as PDF files. This means that almost every NHS organisation, digital health company, and NHS supplier is potentially at risk.

Because the attack is triggered simply by opening a malicious PDF, the attacker does not need to persuade a user to run an executable, enable macros, or click a link. A carefully crafted document sent by email or shared via a file transfer platform is enough. Given that exploitation is already confirmed, organisations should treat this as urgent.

Recommendations
  • Check the version of Adobe Acrobat Reader installed across all devices in your organisation and update to the latest release immediately.
  • Where possible, use software deployment tools to push the update centrally rather than relying on individual users to update manually.
  • Remind staff to be cautious when opening PDF documents from unexpected sources, even if the sender appears familiar.
  • Consider whether your email security gateway can sandbox or scan PDF attachments before they reach user inboxes.
  • Where PDF scripting is not needed, consider disabling JavaScript in Acrobat Reader's preferences to reduce the attack surface for script-driven flaws; confirm against Adobe's advisory whether this mitigates this specific issue rather than assuming it does.
  • If your organisation manages devices on behalf of others (for example, as an NHS supplier providing managed desktops), ensure the update is applied across all managed endpoints without delay.

UK Company Loses £700,000 After Contractor Payment Redirected by Attackers

On 9 April 2026, UK-listed company Zephyr Energy plc disclosed that it had lost approximately £700,000 after a cyber attack redirected a payment to a contractor into an account controlled by attackers. One of its American subsidiaries was targeted in what the company described as a highly sophisticated attack.

The attackers quietly interfered with what would otherwise have been a routine payment process. The money was transferred to a third-party bank account before anyone at the company realised anything was wrong. Zephyr did not disclose the exact method used, but the pattern is consistent with a well-known type of attack where criminals intercept, or impersonate parties in, a payment process to swap legitimate bank account details for their own.

The company said it has since taken additional security measures around payment verification and supplier bank detail changes. It also confirmed that its working capital is sufficient to absorb the loss.

This incident is a direct example of the financial damage that payment diversion fraud, sometimes called business email compromise (BEC) or mandate fraud, can cause. This type of attack does not require the attacker to break into your systems in the traditional sense. Instead, it targets the human and process elements of payment workflows.

NHS suppliers, digital health companies, and any organisation that processes payments to contractors, suppliers, or service providers faces the same risk. The NHS is a high-value target for fraud, and organisations involved in NHS contracting regularly make significant payments. A single intercepted payment or fraudulent bank detail change can result in substantial financial loss and reputational damage. Incidents of this kind may also trigger reporting obligations to the ICO if personal data was accessed as part of the attack.

Recommendations
  • Introduce a verbal verification step for any request to change a supplier's or contractor's bank account details — always call a known contact number, not one provided in the email requesting the change.
  • Apply multi-person authorisation to high-value payments, so that no single employee can approve a large transfer alone.
  • Train finance and accounts payable staff to recognise the warning signs of payment diversion fraud, including urgency, unusual email addresses, and requests to bypass normal processes.
  • Review your finance systems for any unexpected changes to supplier bank details that may have been made without proper verification.
  • Ensure your cyber insurance policy covers business email compromise and payment fraud losses.
  • If you suspect a payment has been diverted, contact your bank immediately — swift action can sometimes result in recovery of funds.

Ransomware Attack Disrupts ChipSoft Healthcare Systems

Dutch healthcare software provider ChipSoft was reportedly hit by a ransomware attack that disrupted customer services and caused operational issues across connected healthcare organisations.

ChipSoft provides core healthcare technology, including electronic patient record systems and administrative platforms used by hospitals and care providers. When a supplier of this kind is impacted, disruption can quickly spread beyond the provider itself and affect frontline care delivery.

Even where patient data is not confirmed stolen, outages to scheduling systems, records access, diagnostics workflows, or communications platforms can create serious operational pressure.

For NHS organisations and digital health suppliers, the incident is another reminder that third-party cyber resilience is just as important as internal security controls. If a critical supplier goes down, your operations may go down with it.

Recommendations
  • Review your dependency on key software suppliers and hosted platforms.
  • Confirm suppliers have tested incident response and disaster recovery plans.
  • Ensure business continuity plans cover supplier outages.
  • Identify manual workarounds for critical clinical or business processes.
  • Assess whether supplier security assurance needs refreshing.
