Exploitation windows measured in hours, not days.
Attackers finally read the docs.
WEEKLY OPENING
This week the threat landscape did not slow down to let defenders catch up. A critical zero-day in Fortinet FortiClientEMS was confirmed exploited the same day its advisory dropped, a Marimo notebook flaw was weaponized in under 10 hours — without a proof-of-concept — and Microsoft's threat intelligence team published hard numbers showing AI-assisted phishing now achieves a 54% click-through rate, compared to roughly 12% for traditional campaigns. That 450% effectiveness gap is no longer a projection; it is a measured operational reality. Meanwhile, the ongoing Iran-adjacent cyber campaign continues to evolve in scope and noise level, with DDoS, phishing, and mobile surveillance tooling all in play. The window between disclosure and exploitation is not shrinking gradually — it is collapsing.
EXECUTIVE TAKE
The defining story of this week is velocity. Two separate high-severity vulnerabilities — one in Fortinet FortiClientEMS (CVE-2026-35616) and one in the Marimo Python notebook platform (CVE-2026-39987) — were observed being actively exploited within hours of their public advisories, in one case with no published proof-of-concept code available. This means threat actors are operationalizing their own exploit research directly from advisory text, at a pace that eliminates any grace period for defenders who are waiting for PoC confirmation before patching.
The second major theme is AI as an attack force multiplier. Microsoft's published research this week quantified what many had theorized: AI-enhanced phishing campaigns achieve click-through rates of 54%, versus roughly 12% for non-AI campaigns. Critically, Microsoft notes this is a precision improvement, not a volume improvement — campaigns are better targeted, better localized, and increasingly paired with MFA-bypass infrastructure, making detection at the gateway layer substantially harder. This is a signal for leadership: phishing controls designed around 2023 threat baselines are under-tuned for 2026 conditions.
The geopolitical cyber dimension remains elevated. The Iran-aligned threat activity continues post-Operation Epic Fury, with Unit 42 tracking active mobile surveillance campaigns, DDoS operations from proxy groups, and phishing infrastructure impersonating legitimate Israeli emergency services. Trellix published additional research this week mapping Iranian cyber capability depth, and a joint FBI/CISA/NSA advisory on Iranian APT activity circulated in the reporting window. Organizations in government, defense, and critical infrastructure sectors should treat this as a persistent, elevated baseline rather than a discrete incident.
KEY FINDINGS
CVE-2026-35616 (Fortinet FortiClientEMS): Critical improper access control zero-day confirmed exploited in the wild on the same day Fortinet published its advisory; unauthenticated attackers can bypass API authentication and execute arbitrary code remotely.
CVE-2026-39987 (Marimo Python Notebook): Pre-authenticated RCE via an unauthenticated WebSocket terminal endpoint, CVSS 9.3; first exploitation observed within 9 hours and 41 minutes of disclosure, with no PoC published at the time.
CVE-2025-53521 (F5 BIG-IP APM): Reclassified from high-severity DoS to critical stack-based buffer overflow enabling RCE; added to CISA KEV on March 27, 2026 — organizations still running pre-patch versions remain actively exposed.
CVE-2026-5281 (Google Chrome): High-severity use-after-free in the Dawn WebGPU component exploited in the wild; Google issued an emergency patch — representing a continuation of the rapid browser-flaw weaponization pattern seen throughout 2026.
Axios Supply Chain Attack: North Korean threat actors hijacked an npm maintainer account to publish malicious versions 1.14.1 and 0.30.4 of the widely used JavaScript HTTP client, injecting a cross-platform backdoor via a rogue dependency.
AI-Enhanced Phishing: Microsoft Threat Intelligence published data showing AI-assisted phishing achieving 54% click-through rates, a 450% improvement over traditional campaigns, with the gain driven by precision targeting and role-specific lure crafting.
Iranian APT Cyber Campaign: Following Operation Epic Fury, Iran-aligned groups are running a multi-vector campaign including mobile surveillance via a weaponized RedAlert APK, DDoS from proxy actors, and phishing lures targeting Israeli and Western targets.
CVE-2026-35616 / Fortinet Zero-Day Attribution: No attribution has been confirmed as of reporting; exploitation was observed and confirmed by both Fortinet and independent researcher Defused, who reported active zero-day exploitation on April 4.
Marimo Exploitation Behavior: The observed threat actor conducted manual reconnaissance, harvested .env files and SSH keys, and reconnected four times over 90 minutes — consistent with a human operator triaging a list of targets, not an automated scanner.
PwC Threat Dynamics 2026: PwC's annual report confirms identity-centric attacks as the dominant adversary paradigm, with threat actors exploiting legitimate access rather than perimeter breaches, aided by AI-driven reconnaissance and social engineering at scale.
WEEKLY THREAT NARRATIVE
The Exploitation Window Is No Longer a Window
Two separate incidents this week demonstrated that the defender grace period between vulnerability disclosure and weaponization has effectively collapsed. CVE-2026-35616 in Fortinet FortiClientEMS was confirmed exploited on the same day as the vendor advisory, April 4. CVE-2026-39987 in Marimo was operationalized within 9 hours and 41 minutes, with attackers building a functional exploit directly from the advisory text — no published PoC required.
This is no longer a pattern to anticipate. It is now the operational baseline. Threat actors are monitoring vulnerability feeds in near-real time, reading advisory language carefully enough to reconstruct exploitation logic, and moving into active reconnaissance before most organizations have completed change management approval for an emergency patch. The Sysdig Marimo analysis is particularly instructive: the attacker was a human operator, not a scanner, returning methodically across four sessions. The value being harvested was credential material from .env files and SSH keys — artifacts of cloud and DevOps workflows, not legacy enterprise targets.
AI Shifts From Enabler to Infrastructure
Microsoft's published research this week moved the AI-in-attacks conversation from theoretical to evidential. A 54% click-through rate on AI-enhanced phishing compared to 12% for traditional campaigns is not an incremental gain — it represents a category shift in phishing effectiveness. Microsoft is careful to note that human operators are still in the loop; these are not fully autonomous AI campaigns. The capability gain comes from precision: better role targeting, better language localization, and tighter integration with MFA-bypass infrastructure.
The practical implication for defenders is that phishing detection tuned to volume and known-bad infrastructure is increasingly blind to this threat class. AI-generated lures are varied, low-volume, and contextually credible. Detection strategy needs to shift toward behavioral signals — anomalous authentication patterns, session anomalies post-click, and lateral movement from newly authenticated sessions — rather than relying on pre-click content filtering alone.
Iran's Cyber Campaign: Persistent, Layered, and Still Evolving
Unit 42 and Trellix both published research this week on the Iranian cyber threat posture following Operation Epic Fury. The campaign is multi-vector: DDoS noise from proxy and activist groups, a weaponized Android APK mimicking the Israeli Home Front Command's RedAlert application for mobile surveillance and data exfiltration, and phishing operations targeting Western and regional entities. A joint FBI/CISA/NSA advisory on Iranian APT targeting circulated during the reporting window.
Unit 42 notes that core nation-state threat activity from within Iran is somewhat constrained by limited domestic internet connectivity, but proxy actors operating outside Iran's borders face no such limitation. This campaign should not be read as a discrete incident tied to the kinetic conflict timeline. The infrastructure, tooling, and targeting patterns indicate a persistent operational posture that will continue to evolve regardless of ceasefire or escalation dynamics.
NOTABLE TECHNICAL SIGNALS
Top CVEs
CVE-2026-35616 — Fortinet FortiClientEMS, critical improper access control; unauthenticated remote code execution via malformed API requests. Actively exploited in the wild as of April 4, 2026. Patch immediately; no workaround is sufficient.
CVE-2026-39987 — Marimo Python notebook, CVSS 9.3, pre-authenticated RCE via unauthenticated WebSocket endpoint /terminal/ws; fixed in version 0.23.0. Exploited within 10 hours of disclosure. Any internet-exposed Marimo instance running ≤ 0.20.4 should be treated as compromised pending investigation.
CVE-2025-53521 — F5 BIG-IP Access Policy Manager; reclassified critical stack-based buffer overflow enabling RCE; CISA KEV listed March 27, 2026. Organizations that applied original DoS mitigations only are still vulnerable.
CVE-2026-5281 — Google Chrome, high-severity use-after-free in Dawn WebGPU component; exploited in the wild. Emergency patch issued.
Attack Vectors This Week
Exploitation of unpatched network-facing appliances and developer tooling dominated this week's attack surface, with Fortinet and Marimo representing contrasting but equally concerning profiles — a perimeter security product and a developer productivity tool, both turned into initial access vectors within hours of advisory publication. Supply chain compromise via the npm ecosystem continued as a secondary vector, with the Axios poisoning incident illustrating that package maintainer account security remains a systemic weak point. AI-enhanced phishing rounds out the picture as the primary credential harvesting mechanism, increasingly effective at bypassing both human skepticism and gateway controls.
Actor & Infrastructure Patterns
North Korean threat actors were attributed by Unit 42 to the Axios npm supply chain attack, consistent with the group's documented history of targeting developer ecosystems for both credential theft and downstream access at scale. Iranian APT and proxy groups continue to operate multi-channel campaigns, combining noisy DDoS activity with quieter mobile surveillance tooling and phishing infrastructure. The RedAlert APK campaign is particularly notable for its targeting of civilians alongside government and military personnel. The Marimo exploitation actor displayed human-operated, methodical behavior — connecting four times over 90 minutes to a honeypot, suggesting a structured target triage process rather than opportunistic scanning.
MITRE ATT&CK Themes
T1190 (Exploit Public-Facing Application) — Both CVE-2026-35616 and CVE-2026-39987 represent direct exploitation of internet-facing services; observed in the wild this week.
T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain) — Axios npm poisoning via hijacked maintainer account; cross-platform backdoor deployed via postinstall hook.
T1566.002 (Phishing: Spearphishing Link) — AI-enhanced phishing with 54% click-through observed; MFA-bypass infrastructure integration confirmed by Microsoft research.
T1078 (Valid Accounts) — Identity-centric attack patterns dominant per PwC 2026 report; adversaries abusing legitimate credentials rather than breaking perimeters.
T1552.001 (Unsecured Credentials: Credentials in Files) — Marimo exploitation actor specifically harvested .env files and SSH key material from compromised host.
T1071.001 (Application Layer Protocol: Web Protocols) — WebSocket-based C2 and exploitation observed in Marimo attack chain; traffic blends with legitimate developer tooling.
Threat Detection
SIGMA Rule — Marimo Unauthenticated WebSocket Exploitation (CVE-2026-39987)
SIEM Query Pseudocode — Fortinet FortiClientEMS Zero-Day Exploitation (CVE-2026-35616)
DEFENDER PRIORITIES
Patch CVE-2026-35616 in Fortinet FortiClientEMS and CVE-2026-39987 in Marimo as the absolute first priority this week. Both are confirmed actively exploited, both allow unauthenticated remote code execution, and both have been weaponized within hours of advisory publication. If patching cannot happen immediately, restrict network access to these services at the perimeter — internet exposure for either product is not acceptable in the current threat environment. Treat any instance that was internet-facing before patching as potentially compromised and initiate investigation.
Second priority is the F5 BIG-IP APM CVE-2025-53521 reclassification. Organizations that addressed this vulnerability as a DoS flaw using pre-RCE mitigations need to reassess. The CISA KEV listing as of March 27 means federal agencies are already under mandate, and the broader community should treat this with equivalent urgency. Verify your installed version and confirm that the latest patch addressing the RCE vector — not only the DoS vector — is in place.
The Axios npm supply chain compromise requires attention from any development or DevOps team managing JavaScript dependencies. Immediately audit package.json and lock files across all projects for references to Axios versions 1.14.1 or 0.30.4. If either version is present, rotate all secrets and credentials accessible from those environments, and hunt for indicators associated with the plain-crypto-js dependency and its postinstall behavior. Given the North Korean attribution, treat any positive finding as a serious intrusion, not merely a dependency hygiene issue.
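A lock-file audit along the lines described above, written as an added example for this roundup rather than taken from the page, npm or the Axios project. It walks a directory tree for package-lock.json files, handles both the lockfileVersion 2/3 "packages" map and the older nested "dependencies" map, and flags axios at exactly the two versions the roundup names plus any entry for the plain-crypto-js dependency name it mentions. The sample lock-file content at the bottom is constructed for the demonstration, including the version string given to plain-crypto-js.

```python
"""Audit npm lock files for the Axios versions named in the roundup.

Added example, not code from the page, npm or the Axios project. Flags:
  * axios pinned at exactly 1.14.1 or 0.30.4 (versions named in the roundup)
  * any entry named plain-crypto-js (the rogue dependency the roundup mentions)
"""
import json
import os
from typing import Dict, List, Tuple

# Versions named in the roundup; every other axios version is out of scope here.
MALICIOUS_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
ROGUE_DEPENDENCY = "plain-crypto-js"


def _package_name(path_key: str) -> str:
    """Map a lockfile v2/v3 'packages' key to a bare package name.

    Keys look like 'node_modules/axios' or 'node_modules/foo/node_modules/axios';
    the root project itself uses the empty string.
    """
    if not path_key:
        return ""
    return path_key.rsplit("node_modules/", 1)[-1]


def find_findings(lock: Dict) -> List[Tuple[str, str, str]]:
    """Return (package, version, reason) triples for one parsed lock file."""
    entries: List[Tuple[str, str]] = []

    # lockfileVersion 2/3: "packages" maps install paths to metadata
    for key, meta in lock.get("packages", {}).items():
        entries.append((_package_name(key), str(meta.get("version", ""))))

    # lockfileVersion 1: nested "dependencies" maps, walked recursively
    def walk(deps: Dict) -> None:
        for name, meta in deps.items():
            entries.append((name, str(meta.get("version", ""))))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))

    findings = []
    for name, version in entries:
        if name == "axios" and version in MALICIOUS_AXIOS_VERSIONS:
            findings.append((name, version, "axios version named in the roundup"))
        elif name == ROGUE_DEPENDENCY:
            findings.append((name, version, "rogue dependency named in the roundup"))
    return findings


def audit_tree(root: str) -> List[Tuple[str, str, str, str]]:
    """Walk root for package-lock.json files; return (file, package, version, reason)."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        # the lock file is the source of truth; skip installed node_modules trees
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "package-lock.json" in filenames:
            path = os.path.join(dirpath, "package-lock.json")
            with open(path, encoding="utf-8") as fh:
                lock = json.load(fh)
            for pkg, version, reason in find_findings(lock):
                results.append((path, pkg, version, reason))
    return results


# Constructed sample (lockfileVersion 3 shape); the plain-crypto-js version is made up.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.1"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/plain-crypto-js": {"version": "0.0.1"},
        "node_modules/follow-redirects": {"version": "1.15.9"},
    },
}

if __name__ == "__main__":
    for finding in find_findings(SAMPLE_LOCK):
        print("FLAG", *finding)
```

Run `audit_tree(".")` from the root of a monorepo to cover every project at once; a positive finding is the trigger for the secret rotation the paragraph describes, not the end of the investigation, since the lock file shows what was resolved but not what a postinstall hook already did on the hosts that installed it.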
Finally, the AI-enhanced phishing data from Microsoft warrants a prompt review of your phishing simulation and awareness program baselines. If your red team exercises are using pre-AI phishing templates, click-through benchmarks from those exercises are no longer meaningful for measuring real-world resilience. Threat hunting for post-authentication anomalies — particularly from users in roles that would be high-value phishing targets — should be prioritized alongside MFA configuration review.
RECOMMENDED ACTIONS
Patch Fortinet FortiClientEMS to the version resolving CVE-2026-35616 immediately; restrict API management interfaces to trusted IP ranges pending patch deployment.
Patch Marimo to version 0.23.0 or later; if upgrade is not immediately possible, block external access to the /terminal/ws WebSocket endpoint at the network or reverse proxy layer.
Patch F5 BIG-IP APM using the latest advisory addressing the RCE reclassification of CVE-2025-53521; verify prior mitigations addressed the stack overflow, not only the original DoS vector.
Audit all JavaScript/Node.js dependency trees for Axios versions 1.14.1 or 0.30.4; freeze Axios at a confirmed-clean version and rotate credentials if affected versions are detected.
Update Google Chrome across all endpoints to the version patching CVE-2026-5281; enforce managed browser policy to ensure automatic updates are not disabled.
Review MFA configuration across all externally accessible services to ensure it cannot be bypassed via session-token replay or adversary-in-the-middle phishing proxies; prioritize phishing-resistant MFA (FIDO2/passkeys) for high-value accounts.
Hunt for .env file access, SSH key reads, and unauthenticated WebSocket connections in application and proxy logs for the past 14 days, particularly on developer-facing tooling and cloud-connected environments.
Block known Iranian APT infrastructure and review mobile device management policies to detect and remove the malicious RedAlert APK or other unsigned APKs from managed Android devices.
Revoke and rotate any secrets, tokens, or API keys stored in environment files on developer or CI/CD hosts that were accessible prior to patching CVE-2026-39987.
Update phishing simulation templates and click-through benchmarks to reflect AI-enhanced lure quality; prioritize post-authentication behavioral detection over gateway-only pre-click filtering.
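The hunt described in the recommended actions (WebSocket connections to the Marimo terminal endpoint, .env file access and SSH key reads), as an added example that is not detection content from the page, Sysdig or the Marimo project. It assumes two log sources: reverse-proxy access logs in nginx "combined" format, and a simple key=value file-access audit log; both formats and every sample line are constructed for the demonstration, and the TRUSTED_SOURCES allowlist is a placeholder to replace with the networks developers legitimately connect from.

```python
"""Hunt constructed log samples for the signals the roundup names.

Added example, not code from the page or from Sysdig/Marimo. Two detections:
  * successful WebSocket upgrades (HTTP 101) to /terminal/ws from addresses
    outside a trusted-source allowlist, and
  * reads of .env files or SSH private keys in a file-access audit log.
"""
import ipaddress
import re
from typing import Dict, List

# Placeholder allowlist: replace with the networks developers actually use.
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]

# nginx combined format: ip - user [time] "METHOD path HTTP/x" status bytes "ref" "ua"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# constructed audit format: <ts> host=<h> user=<u> action=<a> path=<p>
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$"
)
# .env, .env.local etc., and private keys under .ssh (public .pub files do not match)
SENSITIVE_PATHS = re.compile(r"(^|/)\.env(\.|$)|(^|/)\.ssh/id_[a-z0-9]+$")


def is_trusted(ip: str) -> bool:
    """True when ip falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_SOURCES)


def hunt_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag HTTP 101 upgrades to /terminal/ws from untrusted source addresses."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if path == "/terminal/ws" and m["status"] == "101" and not is_trusted(m["ip"]):
            hits.append({"signal": "untrusted_terminal_ws", "ip": m["ip"], "time": m["time"]})
    return hits


def hunt_audit_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag read actions on .env files and SSH private keys."""
    hits = []
    for line in lines:
        m = AUDIT_RE.match(line)
        if not m or m["action"] != "read":
            continue
        if SENSITIVE_PATHS.search(m["path"]):
            hits.append({"signal": "sensitive_file_read", "path": m["path"],
                         "user": m["user"], "ts": m["ts"]})
    return hits


# Constructed sample lines (addresses and hostnames are illustrative).
ACCESS_SAMPLE = [
    '10.1.2.3 - - [06/Apr/2026:09:12:01 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "-"',
    '203.0.113.7 - - [06/Apr/2026:09:15:40 +0000] "GET / HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [06/Apr/2026:09:15:44 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "-"',
    '203.0.113.7 - - [06/Apr/2026:09:16:02 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "-" "-"',
]
AUDIT_SAMPLE = [
    "2026-04-06T09:16:10Z host=nb-01 user=marimo action=read path=/home/dev/project/.env",
    "2026-04-06T09:16:12Z host=nb-01 user=marimo action=read path=/home/dev/.ssh/id_ed25519",
    "2026-04-06T09:16:13Z host=nb-01 user=marimo action=read path=/home/dev/.ssh/id_ed25519.pub",
    "2026-04-06T09:20:00Z host=nb-01 user=dev action=write path=/home/dev/notes.md",
]

if __name__ == "__main__":
    for hit in hunt_access_log(ACCESS_SAMPLE) + hunt_audit_log(AUDIT_SAMPLE):
        print(hit)
```

The two detections are deliberately kept separate so each can be tuned on its own: the access-log rule is only as good as the allowlist, and the audit rule will fire on legitimate tooling that reads .env files, so the useful signal is the pairing of an untrusted upgrade to /terminal/ws followed shortly by sensitive reads on the same host.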
CONFIDENCE & LIMITATIONS
This roundup draws on publicly available reporting from the April 6–12, 2026 window, with additional context from advisories published in late March 2026 that remained actively relevant (F5 BIG-IP reclassification, Chrome CVE). Exploitation confirmation for CVE-2026-35616 relies on Fortinet's advisory and Defused's independent observation — no detailed post-exploitation analysis has been published as of writing. The Marimo exploitation findings are from a single honeypot deployment by Sysdig and reflect one observed actor's behavior; broader exploitation prevalence is unknown. Iranian APT attribution is based on Unit 42 and Trellix research; while confidence in the general campaign is high, specific sub-group attribution for individual incidents within the campaign remains uncertain.