🤠 167 Patch Tuesday CVEs, Cisco's CI/CD Nightmare, and Adobe's Five-Month Zero-Day

Your weekly Tech tl;dr roundup 🤠

This is an IT Support Group

Thursday Briefing 🤠

167 Patch Tuesday CVEs with a wormable CVSS 9.8, Cisco's CI/CD nightmare leaks everything, and Adobe's been hiding a zero-day since November

GM IT pros!

Happy Thursday! Here's what's worth knowing this week.

-Stetson

Tech News TL;DR

This week's IT and tech news in 5-minutes-ish or less

🔥 LEAD STORY: Patch Tuesday Landed - 167 CVEs, Three CVSS 9.8s, and a Wormable TCP/IP Flaw

If you manage Windows infrastructure, clear your calendar.

Microsoft's April Patch Tuesday dropped 167 vulnerabilities, the second-largest in history. Eight are critical, two are actively exploited zero-days, and three carry the maximum danger rating of CVSS 9.8.

The headline: CVE-2026-33827 is a wormable RCE in Windows TCP/IP that lets unauthenticated attackers execute code via crafted IPv6 packets on any system with IPSec enabled. No user interaction, network-adjacent propagation. This is the kind of flaw that keeps CISO phones buzzing at 2 AM.

Also at CVSS 9.8: CVE-2026-33824 (IKE service RCE) and CVE-2026-33826 (Active Directory RPC/LDAP RCE that can compromise an entire domain forest). Plus two Office preview pane RCEs (CVE-2026-26110 and CVE-2026-26113): just previewing a malicious document is enough to get owned.

Priority order for your patching queue: Domain Controllers first, then IPSec/IKEv2 systems, then Hyper-V hosts, then Office across the enterprise. Bleeping Computer · Krebs on Security

🕵️ LEAD STORY: Cisco Got Breached Through Its Own CI/CD Pipeline - 3M+ Records, 300+ GitHub Repos

When your supply chain is the attack surface.

ShinyHunters compromised Cisco by weaponizing a malicious GitHub Action in the Trivy CI/CD tool, stealing credentials that opened the door to 3M+ Salesforce CRM records, 300+ GitHub repositories (including AI Assistant and AI Defense source code), and AWS assets.

This is a textbook supply chain attack via development tooling, the kind that makes every DevOps team sweat. If you're running CI/CD pipelines with third-party GitHub Actions, this is your wake-up call to audit what has access to your secrets. Security Boulevard
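
One way to begin the audit of third-party GitHub Actions mentioned above (an added example, not from the newsletter, Cisco, or Trivy): list every third-party `uses:` reference, whether it is pinned to a full commit SHA rather than a movable tag or branch, and which secrets its step references. The sample workflow, the owner names, and the `FIRST_PARTY` set are constructed assumptions.

```python
import re

# Constructed sample workflow; owners, action names and the secret are made up.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan image
        env:
          TOKEN: ${{ secrets.DEPLOY_TOKEN }}
        uses: example-org/scanner-action@main
      - uses: example-org/lint-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - run: make test
"""

STEP_RE = re.compile(r"^\s*-\s")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^'\"\s#]+)", re.M)
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.(\w+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
FIRST_PARTY = {"actions", "github"}  # assumption: owners you treat as first-party

def audit_workflow(text):
    """Return third-party actions with pin status and the secrets their step references."""
    # Line-based heuristic, not a YAML parser: a step runs from one "- " item to the next.
    steps, block = [], []
    for line in text.splitlines():
        if STEP_RE.match(line):
            block = []
            steps.append(block)
        block.append(line)
    findings = []
    for step in steps:
        body = "\n".join(step)
        m = USES_RE.search(body)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # run: steps, local actions and container images
        action, _, ref = m.group(1).partition("@")
        if action.split("/")[0] in FIRST_PARTY:
            continue
        findings.append({"action": action, "ref": ref,
                         "pinned": bool(FULL_SHA_RE.fullmatch(ref)),
                         "secrets": SECRET_RE.findall(body)})
    return findings

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Entries with `pinned` false and a non-empty `secrets` list are the ones to review first; secrets set at job or workflow level are visible to every step and need a separate check.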

📄 LEAD STORY: Adobe's Been Hiding a Zero-Day Since November. They Just Patched It.

Five months of silent exploitation via malicious PDFs.

Adobe released emergency patches for Acrobat Reader addressing CVE-2026-34621, a prototype pollution vulnerability that's been actively exploited since November 2025. Open a crafted PDF, and it executes arbitrary code and exfiltrates system info via Acrobat APIs before you've finished reading the first page.

Five months from exploitation to patch. If your users open PDFs (and they do), push this update yesterday. Adobe also patched 55 additional vulnerabilities across Illustrator, Photoshop, ColdFusion, and more. Help Net Security

⚡ QUICK HITS

The rest of the chaos, speed-round style.

🔐 BitLocker Is Locking People Out After the April Update
Windows Server 2025 devices with PCR7 in BitLocker Group Policy are booting straight into recovery after KB5082063. Subsequent reboots work fine, but nothing says "Monday morning panic" like a fleet of servers demanding recovery keys. Test before you deploy. Bleeping Computer

🏨 Booking.com Confirms Data Breach, Won't Say How Many Affected
Booking.com disclosed an April 13 breach exposing names, emails, addresses, phone numbers, and reservation details. Financial data reportedly safe, all PINs reset. They declined to share the number of affected users, which is never a great sign. TechCrunch

⛓️ New Infostealer Stores Its C2 on the Blockchain - Permanently
Omnistealer embeds staging code in TRON, Aptos, and BSC transactions, making its command infrastructure literally undeletable. 300K+ credentials already compromised from LastPass, Chrome, Firefox, and cloud storage. The blockchain was supposed to decentralize finance. Instead, it decentralized malware. Malwarebytes

🏥 New BLACKWATER Ransomware Gang Debuts With Turkish Hospital Chain
BLACKWATER claimed its first major victim: Medical Park Hospitals Group (36 hospitals), alleging 3.3TB of data stolen. Another week, another ransomware crew targeting healthcare because apparently nothing is sacred. Dexpose

💰 AI Startup Funding Hit $300 Billion in Q1 - That's Not a Typo
Venture funding shattered records with $300B in Q1 2026 (up 150% YoY), with AI capturing 80% of the total. OpenAI's $122B round did the heavy lifting, but cybersecurity startups are also feasting. The money printer goes brr, and it's aimed squarely at AI. Crunchbase

That's the Thursday briefing. Patch your DCs, audit your CI/CD pipelines, update Adobe Reader, and try not to think about wormable zero-days while you eat lunch.

Stay paranoid. Stay patched. See you next Friday 🤠