Threat Report 172
Three Microsoft Defender zero-day vulnerabilities are currently being actively exploited, and only one has been patched so far.
Cisco has issued emergency updates for critical flaws in Identity Services Engine (ISE), a core network access control platform widely deployed across UK enterprises and healthcare environments.
A 13-year-old remote code execution weakness in Apache ActiveMQ has been added to CISA’s Known Exploited Vulnerabilities list, confirming real-world attacks are underway.
Fitness giant Basic-Fit has disclosed a breach affecting member data, while Booking.com has warned customers about an increase in targeted phishing scams using stolen booking details.
Finally, textbook publisher McGraw-Hill has appeared on a ransomware group’s leak site after a Salesforce-related misconfiguration exposed 13.5 million records.
Full report below...
Three Microsoft Defender Zero-Days Are Being Actively Exploited
Security firm Huntress has confirmed that attackers are actively exploiting three zero-day vulnerabilities in Microsoft Defender, the built-in antivirus tool for Windows. The issues, named BlueHammer, RedSun, and UnDefend, were released publicly by a researcher known as Chaotic Eclipse following a dispute with Microsoft about the disclosure process.
BlueHammer and RedSun allow an attacker who already has some level of access on a device to escalate their privileges, making it significantly easier to install malware, move laterally, and gain persistence across the network. UnDefend can be used to disable Defender’s ability to download updated threat definitions, creating a window where new malware may go undetected. Huntress observed exploitation beginning on 10 April 2026, with proof-of-concept tooling for the remaining flaws appearing from 16 April. Microsoft has addressed BlueHammer under CVE-2026-33825 in the April Patch Tuesday release, but at the time of writing, RedSun and UnDefend remain unpatched. The same update cycle also fixed 165 additional vulnerabilities, including CVE-2026-32201, an already-exploited spoofing flaw in SharePoint Server.
Microsoft Defender is the default endpoint protection on the vast majority of Windows systems used by NHS trusts, digital health organisations, and NHS suppliers. When the primary security control on an endpoint is itself vulnerable, attackers can disable protections, escalate access, and operate with fewer chances of detection. With two of the three vulnerabilities still awaiting fixes, organisations need to compensate with closer monitoring, robust privilege management, and strong change control on endpoints.
SharePoint Server is also embedded across UK healthcare environments for policy libraries, clinical documentation, and internal collaboration. An exploited spoofing vulnerability in SharePoint significantly increases the likelihood of convincing phishing, credential theft, and unauthorised access to sensitive content. For organisations in scope of the DSPT, weaknesses in core endpoint and collaboration platforms translate directly into increased risk to the confidentiality, integrity, and availability of patient and business data — and need to be treated as a priority issue for both IT and governance teams.
Recommendations
- Apply the April 2026 Microsoft Patch Tuesday updates across all devices as soon as possible, including the BlueHammer fix (CVE-2026-33825) and the exploited SharePoint flaw (CVE-2026-32201).
- Watch Microsoft's advisories for the RedSun and UnDefend patches and plan to deploy them the moment they are released.
- Monitor Windows endpoints for unusual local privilege escalation activity and for signs that Defender definition updates are failing.
- Make sure Defender tamper protection is switched on everywhere it can be.
- Review privileged account access and remove any local administrator rights that are no longer needed.
- Check that your SharePoint Server environment is fully patched and that administrative access is restricted to a small number of trusted users.
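To make the endpoint recommendations above checkable at scale, here is an added PowerShell example (written for this report, not code from Huntress, Microsoft or the original post). It reads Defender's status with the built-in `Get-MpComputerStatus` cmdlet and looks in the Defender operational event log for failed definition updates (event 2001), real-time protection being switched off (5001) and tamper-protection blocks (5013), which is exactly the failure mode the UnDefend flaw aims at. It assumes the Defender PowerShell module is present and that it runs in an elevated session; the function name, the 2-day signature-age threshold and the 7-day log window are assumptions chosen for the example.

```powershell
# Added example: read-only Defender health check supporting the recommendations above.
# Assumes the Defender module (Get-MpComputerStatus) and an elevated session.
# Event IDs and property names are Microsoft's documented ones; thresholds are assumed.

function Get-DefenderHealthFindings {
    [CmdletBinding()]
    param(
        [int]$MaxSignatureAgeDays = 2,   # assumption: flag definitions older than this
        [int]$LookbackDays        = 7    # assumption: event-log window to inspect
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $status   = Get-MpComputerStatus

    # 1. Tamper protection (recommendation: switched on everywhere it can be)
    if (-not $status.IsTamperProtected) {
        $findings.Add("Tamper protection is OFF (source: $($status.TamperProtectionSource))")
    }

    # 2. Core service and real-time protection state
    if (-not $status.AMServiceEnabled)          { $findings.Add("Defender antimalware service is not running") }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add("Real-time protection is disabled") }

    # 3. Security-intelligence freshness: stale definitions are the UnDefend symptom
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("AV signatures are $($status.AntivirusSignatureAge) day(s) old " +
                      "(version $($status.AntivirusSignatureVersion), last updated $($status.AntivirusSignatureLastUpdated))")
    }

    # 4. Operational log: 2001 = definition update failed,
    #    5001 = real-time protection disabled, 5013 = tamper protection blocked a change
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2001, 5001, 5013
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    # Get-WinEvent errors when nothing matches, so treat "no events" as empty rather than failure
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($group in ($events | Group-Object Id)) {
        $latest = ($group.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        $findings.Add("Event ID $($group.Name) seen $($group.Count) time(s) in the last $LookbackDays days (latest: $latest)")
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Checked      = Get-Date
        Findings     = $findings
        Healthy      = ($findings.Count -eq 0)
    }
}

# Usage: run locally, or fan out across an estate with Invoke-Command -ComputerName <hosts>
$result = Get-DefenderHealthFindings
if ($result.Healthy) {
    "Defender looks healthy on $($result.ComputerName)"
} else {
    $result.Findings | ForEach-Object { "[FINDING] $_" }
}
```

The function returns an object rather than printing, so the same check can be scheduled, collected centrally and alerted on; a host that reports tamper protection off or a run of event 2001 while RedSun and UnDefend remain unpatched is the one to look at first.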
Critical Vulnerabilities in Cisco Identity Services Engine
On 16 April 2026, Cisco published two security advisories covering four vulnerabilities in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). ISE is the software that decides who and what is allowed to connect to an organisation's network. It is used to enforce access policies for laptops, phones, medical devices, and any other kit that connects to the wire or Wi-Fi.
Three of the flaws, CVE-2026-20147, CVE-2026-20180, and CVE-2026-20186, each carry a severity score of 9.9 out of 10. They allow an authenticated attacker, including those with only Read-Only Admin credentials, to send a specially crafted request and run their own commands as root on the server that operates ISE. A fourth flaw, CVE-2026-20148, allows the same type of attacker to read sensitive files on the server. All versions of ISE from 3.1.x through 3.5.x are affected, and Cisco has released software updates to fix the issues.
ISE is a highly sensitive part of any network. It controls who can connect and under what conditions, and it typically holds shared secrets and configuration for a large number of network devices. If an attacker can run commands as root on your ISE server, they can potentially take over network access across an entire estate, bypass network access controls, and reach sensitive internal systems. Many NHS trusts, NHS suppliers, and UK enterprises use Cisco network kit, and ISE is a common choice for network access control. A compromise here could directly undermine DSPT controls around access control and network security, and it could create a route into clinical, corporate, and operational networks alike.
Recommendations
- Check whether your organisation uses Cisco ISE or ISE-PIC and confirm the exact version.
- Apply the updates referenced in Cisco advisories cisco-sa-ise-rce-traversal-8bYndVrZ and cisco-sa-ise-rce-4fverepv as soon as possible.
- Make sure the ISE administration interface is not reachable from the open internet or from untrusted parts of the network.
- Review ISE administrative accounts, including Read-Only Admin accounts, and remove any that are no longer needed.
- Rotate passwords for ISE admin users and for the accounts that integrate ISE with other systems.
- If a managed service provider looks after your Cisco estate, ask them for written confirmation of patching status.
13-Year-Old Apache ActiveMQ Bug Added to CISA Known Exploited List
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-34197, a remote code execution flaw in Apache ActiveMQ, to its Known Exploited Vulnerabilities catalogue. Apache ActiveMQ is a popular open-source message broker used to pass data between different applications and services, often inside healthcare platforms, financial systems, and large enterprise software stacks.
The bug had been sitting in the code for around 13 years before being discovered. It allows an authenticated user to abuse the Jolokia management API so that the broker fetches a remote configuration file and then runs arbitrary operating-system commands. In theory, the attacker needs valid credentials, but in practice, many deployments still use default admin passwords. On some versions, an older flaw can expose the Jolokia API without authentication at all, creating a zero-authentication attack chain. Fixes are available in ActiveMQ versions 5.19.5 and 6.2.3.
Message brokers like ActiveMQ sit quietly in the middle of many important systems, including electronic patient record platforms, clinical integration layers, finance systems, and supplier software. They are often forgotten about during patching because they do not have a user interface that people log into day to day. That makes them an attractive target.
Recommendations
- Ask your internal teams and key suppliers whether Apache ActiveMQ is used anywhere in your environment, including inside third-party software.
- Update affected systems to ActiveMQ 5.19.5 or 6.2.3 as soon as possible.
- Change any default or weak credentials on ActiveMQ installations.
- Restrict access to the Jolokia management API.
- Include message brokers and other middleware in regular vulnerability scanning and patching routines.
Salesforce-Linked Breach Exposes 13.5 Million McGraw-Hill Records
Textbook publisher McGraw-Hill has been added to the ShinyHunters ransomware leak site after a Salesforce-linked misconfiguration led to 13.5 million records being exposed. The data reportedly includes names, phone numbers, email addresses, and some physical addresses.
Most Salesforce-related breaches are not caused by a flaw in Salesforce itself. They usually come from stolen user logins, abused OAuth permissions, or integrations that have been given far more access than they need. The case follows a wider pattern where attackers quietly use valid access to pull large amounts of customer data out of cloud platforms.
Salesforce and similar SaaS platforms are used heavily across UK businesses, digital health companies, and NHS suppliers. A single misconfigured page, over-permissioned integration, or compromised employee account can put millions of records at risk very quickly.
Recommendations
- Review which Salesforce pages, forms, and sites are publicly accessible.
- Audit connected applications and remove unused integrations.
- Enforce strong MFA for all users.
- Apply least privilege to integration accounts.
- Monitor for unusual exports or API activity.
- Ensure your incident response plan covers SaaS breaches.
Basic-Fit Confirms Member Data Breach
Basic-Fit, one of Europe’s largest gym operators, has disclosed a cyber incident affecting customer data. Reports indicate that personal information including names, email addresses, and membership details may have been exposed. The company stated there was no evidence of payment card or password data being compromised, but investigations are ongoing.
Incidents involving high-volume consumer platforms are important because they show how valuable routine identity data has become. Even where financial data is not stolen, names, contact details, and account information can still be used for phishing, credential stuffing, impersonation attempts, and fraud. Attackers increasingly target organisations with large customer bases because even “basic” data sets can be monetised quickly.
For digital health companies, fitness apps, insurers, and membership-based healthcare providers, the lesson is clear: customer data itself is a target, even when it appears low risk.
Booking.com Warns of Targeted Phishing Attacks
Booking.com has warned customers about an increase in sophisticated phishing attacks where criminals use stolen booking details to make scam messages appear genuine. In some cases, attackers compromise accommodation partner accounts or use previously stolen data to send messages referencing real reservations, dates, and destinations.
This type of attack is particularly effective because it combines trust, urgency, and accurate personal context. Victims are far more likely to click a payment link or hand over credentials when the message references a genuine booking.
The wider lesson for healthcare and suppliers is that stolen operational data can be just as dangerous as stolen financial data. Appointment dates, patient names, project details, supplier schedules, or contract references can all be weaponised in the same way.
Stay Ahead of Threats Like These
Our team supports digital health companies and NHS suppliers with practical, hands-on cybersecurity assurance — from vulnerability management and secure configuration reviews to DSPT readiness and incident response.
Want help staying ahead of threats like these? Sign up for our latest insights and blog posts.