Threat Brief: April 24, 2026

Four new or ongoing campaigns are highlighted this week. The most critical is CVE-2026-32201, an actively exploited SharePoint Server spoofing zero-day that Microsoft patched on April 1. Reports put 1,300+ internet-exposed SharePoint servers still unpatched as of April 21, and CISA has mandated federal remediation by April 28; the practical check is the same for any organization: enumerate every SharePoint host reachable from the internet and confirm its patch level is at or after the April 1 release.

Also active this week: the SPHINXLOCKER (publicly known as "Anubis") ransomware attack on a Massachusetts hospital, which diverted ambulances, cancelled chemotherapy appointments and forced paper-based downtime procedures for more than two weeks, with a reported 2 TB of patient data claimed stolen; CVE-2026-34197, an actively exploited Apache ActiveMQ authenticated RCE added to the CISA KEV catalog (6,400+ servers exposed per Shadowserver; authenticated means valid broker credentials are required, so default or weak credentials on exposed brokers are the enabling condition); and the long-running UNC1543 FAKEUPDATES → UNC2165 hand-off pattern (GTI CAMP.25.039), which Mandiant's M-Trends 2026 highlights as the pattern defining 2025-2026 intrusions, with the median access-broker-to-secondary-actor handoff time collapsing to 22 seconds. The dominant theme this week: attackers are moving faster than patch windows and defender handoffs, and healthcare remains a primary ransomware target.

Medical Device & IoT Security: CVE-2026-3650 (GDCM DICOM memory leak): still no patch available as of April 24; compensating controls remain in effect. Contec CMS8000 (CVE-2024-12248 / CVE-2025-0626): FDA disconnect recommendation unchanged. New this week: ZionSiphon ICS malware observed targeting water treatment facilities; it is not healthcare-specific, but it reinforces the OT-to-clinical lateral-movement risk discussed in the March 6 brief.
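The action items in this brief reduce to four questions per asset: is it internet-exposed, is the flaw actively exploited, is a patch available, and how close is the CISA deadline. Below is an added example of the triage check a defender would run over an asset inventory for the SharePoint zero-day and the unpatched GDCM DICOM issue above. This is illustrative code written for this page, not a Microsoft, GDCM or CISA tool; the host records are constructed, the field names and priority rules are this example's own assumptions, and only the CVE IDs, the April 1 SharePoint fix date, the April 28 federal due date and the no-patch status for CVE-2026-3650 come from the brief.

```python
# Added example for this brief: triage an asset inventory against the brief's
# patch/deadline items. Illustrative code written for this page, not a
# Microsoft, GDCM, or CISA tool. Inventory records are constructed; the CVE IDs,
# the April 1 fix date, the April 28 CISA due date and the "no patch for
# CVE-2026-3650" status come from the brief. Field names and the priority
# rules are this example's own assumptions.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str                # matched case-insensitively against Asset.product
    exploited: bool             # actively exploited per the brief
    fix_date: Optional[date]    # vendor patch release date; None = no patch available
    due: Optional[date]         # CISA remediation deadline; None = none stated


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    internet_exposed: bool
    last_patched: Optional[date]  # None = unknown or never patched


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    status: str                   # "unpatched" or "no-patch" (compensating controls only)
    priority: int                 # 1 = act now, 2 = this week, 3 = schedule
    days_to_due: Optional[int]    # negative = past the CISA deadline; None = no deadline


BRIEF_DATE = date(2026, 4, 24)

ADVISORIES = [
    Advisory("CVE-2026-32201", "SharePoint Server", True, date(2026, 4, 1), date(2026, 4, 28)),
    Advisory("CVE-2026-3650", "GDCM", False, None, None),  # brief reports no patch, no exploitation
]

# Constructed inventory (hypothetical hosts, not from the brief).
ASSETS = [
    Asset("sp-ext-01", "SharePoint Server", True, date(2026, 3, 15)),   # exposed, pre-fix patch level
    Asset("sp-int-02", "SharePoint Server", False, date(2026, 4, 3)),   # patched after the fix shipped
    Asset("sp-int-03", "SharePoint Server", False, None),               # internal, patch state unknown
    Asset("dicom-gw-01", "GDCM", True, date(2026, 1, 10)),              # exposed DICOM gateway, no patch exists
    Asset("pacs-wks-07", "gdcm", False, None),                          # internal workstation
    Asset("web-01", "Apache httpd", True, date(2026, 4, 20)),           # not covered by these advisories
]


def assess(asset: Asset, adv: Advisory, today: date) -> Optional[Finding]:
    """Return a Finding if the asset is affected and not yet remediated, else None."""
    if asset.product.lower() != adv.product.lower():
        return None
    if adv.fix_date is None:
        status = "no-patch"                       # only compensating controls are possible
    elif asset.last_patched is not None and asset.last_patched >= adv.fix_date:
        return None                               # patched on or after the fix shipped
    else:
        status = "unpatched"                      # a patch exists but has not been applied

    # Priority: exposed + actively exploited + patch available but missing is the worst case.
    if asset.internet_exposed and adv.exploited and status == "unpatched":
        priority = 1
    elif asset.internet_exposed or (adv.exploited and status == "unpatched"):
        priority = 2
    else:
        priority = 3
    days = (adv.due - today).days if adv.due is not None else None
    return Finding(asset.host, adv.cve, status, priority, days)


def triage(assets: List[Asset], advisories: List[Advisory],
           today: date = BRIEF_DATE) -> List[Finding]:
    """Cross every asset with every advisory; sort by priority, then nearest deadline."""
    findings = []
    for adv in advisories:
        for asset in assets:
            finding = assess(asset, adv, today)
            if finding is not None:
                findings.append(finding)
    no_deadline = 10 ** 6  # findings without a CISA deadline sort after dated ones
    return sorted(findings, key=lambda f: (
        f.priority,
        f.days_to_due if f.days_to_due is not None else no_deadline,
        f.host,
    ))


if __name__ == "__main__":
    for f in triage(ASSETS, ADVISORIES):
        due = f"due in {f.days_to_due}d" if f.days_to_due is not None else "no deadline"
        print(f"P{f.priority} {f.host:12} {f.cve:16} {f.status:10} {due}")
```

Run as-is and the exposed, pre-fix SharePoint host sorts to the top with four days left on the federal deadline; re-run with a later date and the same host shows a negative days_to_due, which is the signal to escalate. The "no-patch" status deliberately never collapses to "patched", so the GDCM gateway stays on the list until a fix ships or the host is taken off the internet.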