Live Threats
[CVE-2026-1234]Windows CLFS Driver zero-day — privilege escalation to SYSTEM, CISA KEV confirmed, patch immediately|
[CVE-2026-0891]Fortinet FortiOS authentication bypass — unauthenticated admin access, active exploitation in the wild|
[CVE-2026-2201]Palo Alto PAN-OS command injection — remote code execution on firewall management plane, CISA KEV listed|
[PATCH]Microsoft April 2026 Patch Tuesday — 147 CVEs addressed including 3 zero-days, deploy immediately|
[BREACH]Healthcare sector breach — 2.3M patient records exposed, PHI including SSNs and medical histories compromised|
[CVE-2026-1887]Chrome V8 type confusion RCE — remote code execution via malicious web page, update Chrome immediately|
[COMPLIANCE]PCI DSS 4.0.1 MFA deadline — mandatory multi-factor authentication enforcement now in effect for all merchants|
[CVE-2026-3310]Cisco IOS XE privilege escalation — authenticated users gain root on affected switches and routers, patch now|
[RANSOMWARE]LockBit 4.0 SMB campaign — RDP brute-force targeting small businesses, double-extortion, 72-hour ransom window|
[ADVISORY]Adobe Acrobat PDF phishing wave — malicious PDFs bypassing email filters, credential harvesting at scale|
[CVE-2026-1234]Windows CLFS Driver zero-day — privilege escalation to SYSTEM, CISA KEV confirmed, patch immediately|
[CVE-2026-0891]Fortinet FortiOS authentication bypass — unauthenticated admin access, active exploitation in the wild|
[CVE-2026-2201]Palo Alto PAN-OS command injection — remote code execution on firewall management plane, CISA KEV listed|
[PATCH]Microsoft April 2026 Patch Tuesday — 147 CVEs addressed including 3 zero-days, deploy immediately|
[BREACH]Healthcare sector breach — 2.3M patient records exposed, PHI including SSNs and medical histories compromised|
[CVE-2026-1887]Chrome V8 type confusion RCE — remote code execution via malicious web page, update Chrome immediately|
[COMPLIANCE]PCI DSS 4.0.1 MFA deadline — mandatory multi-factor authentication enforcement now in effect for all merchants|
[CVE-2026-3310]Cisco IOS XE privilege escalation — authenticated users gain root on affected switches and routers, patch now|
[RANSOMWARE]LockBit 4.0 SMB campaign — RDP brute-force targeting small businesses, double-extortion, 72-hour ransom window|
[ADVISORY]Adobe Acrobat PDF phishing wave — malicious PDFs bypassing email filters, credential harvesting at scale|
View All
Ivanti Connect Secure Critical Patch — Do Not Delay
Security News/Issue #17 — April 14 – April 20, 2026
PATCH UPDATECRITICALCVE-2026-1122

Ivanti Connect Secure Critical Patch — Do Not Delay

Published April 17, 2026
3 min read
Source: Ivanti / CISA Emergency Directive
SHARE:
Affected Systems
Ivanti Connect Secure (all versions prior to 22.7R2.6)Ivanti Policy Secure (all versions prior to 22.7R1.4)
Executive Summary

Ivanti released an out-of-band patch for CVE-2026-1122, a stack-based buffer overflow in Connect Secure and Policy Secure gateways allowing unauthenticated remote code execution. CVSS score: 9.8.

Vulnerability Details

Ivanti disclosed CVE-2026-1122 on April 16, 2026, a stack-based buffer overflow vulnerability in the web component of Ivanti Connect Secure and Policy Secure gateways. The vulnerability has a CVSS v3.1 base score of 9.8 (Critical) and allows an unauthenticated remote attacker to execute arbitrary code on the affected appliance. No authentication or user interaction is required — an attacker simply needs to send a specially crafted HTTP request to the management interface. Ivanti released an out-of-band patch the same day, indicating the severity warranted immediate action outside of their normal patch cycle.

CISA Emergency Directive

CISA issued Emergency Directive 26-03 on April 16, 2026, requiring all federal civilian executive branch agencies to apply the Ivanti patch within 48 hours. CISA also strongly recommended that all organizations — including private sector businesses — treat this with the same urgency. This is the third CISA emergency directive related to Ivanti products in the past 18 months, reflecting the ongoing security challenges with this product line. CISA's directive also requires agencies to perform a factory reset of affected appliances after patching, as prior Ivanti vulnerabilities were exploited to install persistent malware that survived standard updates.

Post-Patch Actions

Patching alone may not be sufficient if your appliance was already compromised. Ivanti and CISA recommend performing a factory reset of the appliance after applying the patch, then re-provisioning it from a known-good configuration backup. Review your VPN authentication logs for the past 30 days for signs of exploitation — look for authentication attempts from unusual geographic locations, successful authentications followed by unusual activity, or any configuration changes you did not make. If you find evidence of compromise, treat this as a security incident and engage your incident response process.

Key Takeaways & Action Items
  • Apply the Ivanti patch within 48 hours — CISA has issued an emergency directive
  • If you cannot patch immediately, take the appliance offline until patching is complete
  • After patching, perform a factory reset and re-provision the appliance per Ivanti's guidance
  • Review VPN logs for signs of exploitation — look for unusual authentication patterns
  • Consider replacing Ivanti with an alternative VPN solution if your organization has been repeatedly affected by Ivanti vulnerabilities
Share This
LinkedInX / TwitterEmail

Need Help With This Threat?

Our San Antonio security team can assess your exposure, apply patches, and protect your business before attackers strike.

Schedule a Security ReviewCall (210) 496-7313

Stay ahead of the next threat

Get weekly security alerts — breaches, patch updates, compliance news, and threat intel — delivered free to your inbox every week.

Breach alerts
Patch roundups
Compliance news
No spam, ever
Back to Issue #17: April 14 – April 20, 2026
PREVIOUS ARTICLE
Your Office Router May Be Spying for China — Texas Just Sued the Maker
NEXT ARTICLE
BlackCat Is Back Under a New Name — and It's Coming for Small Businesses First
Talk with Us