Daily Summary - 14.04.2026

End-of-Day report

Timeframe: Monday 13-04-2026 18:00 - Tuesday 14-04-2026 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer

News

Major gym chain: Cyberattack on Basic-Fit affects one million members

An unknown attacker broke into Basic-Fit's IT systems and accessed a large amount of personal data belonging to members from across Europe.

https://www.golem.de/news/grosse-gym-kette-cyberangriff-auf-basic-fit-betrifft-eine-million-mitglieder-2604-207526.html

ASFINAG phishing: Getting at credit card data via a fake e-mail

Caught driving without a vignette? Paying a substitute toll of 12.36 euros settles the matter? What at first glance looks like a genuine notification from ASFINAG is in fact a new phishing wave.

https://www.watchlist-internet.at/news/asfinag-phishing-mail-kreditkartendaten/

The AI-Assisted Breach of Mexico's Government Infrastructure

In February, we published our initial findings on the AI-assisted breach of Mexico's government infrastructure, warning of the elevated risk that AI-powered threat actors now pose. A single operator used AI to breach nine Mexican government organizations and exfiltrate hundreds of millions of citizen records. Today, we release the full technical report.

https://gambit.security/blog-post/a-single-operator-two-ai-platforms-nine-government-agencies-the-full-technical-report

The "AI Vulnerability Storm": Building a "Mythos-ready" Security Program

A briefing for security leaders on how AI-driven vulnerability discovery is reshaping the defender timeline, the operating model of vulnerability management, and the minimum actions required now.

https://labs.cloudsecurityalliance.org/mythos-ciso/

108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure

Socket's Threat Research Team identified 108 malicious Chrome extensions operating as a coordinated campaign under a shared C2 infrastructure at cloudapi[.]stream. The extensions are published under five distinct publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt) and collectively account for approximately 20k Chrome Web Store installs. All 108 route stolen credentials, user identities, and browsing data to servers controlled by the same operator.

https://socket.dev/blog/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2?utm_medium=feed

Vulnerabilities

Critical flaw in wolfSSL library enables forged certificate use

A critical vulnerability in the wolfSSL SSL/TLS library can weaken security via improper verification of the hash algorithm or its size when checking Elliptic Curve Digital Signature Algorithm (ECDSA) signatures.

https://www.bleepingcomputer.com/news/security/critical-flaw-in-wolfssl-library-enables-forged-certificate-use/

SAP Patch Day: One critical SQL injection vulnerability - and 18 more

On the April Patch Day, SAP addresses vulnerabilities with 19 security notes. A critical one allows SQL commands to be injected.

https://www.heise.de/news/SAP-Patchday-Eine-kritische-SQL-Injection-Luecke-und-18-weitere-11256627.html

Attackers Actively Exploiting Critical Vulnerability in Kali Forms Plugin

Considering this vulnerability is under active attack, we urge users to ensure their sites are updated with the latest patched version of Kali Forms, version 2.4.10 at the time of this writing, as soon as possible.

https://www.wordfence.com/blog/2026/04/attackers-actively-exploiting-critical-vulnerability-in-kali-forms-plugin/

Fortinet: OS Command Injection through API endpoint

CVSSv3 Score: 9.1 An Improper Neutralization of Special Elements used in an OS Command (OS command injection) vulnerability [CWE-78] in FortiSandbox may allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests.

https://fortiguard.fortinet.com/psirt/FG-IR-26-100

Fortinet: SQL Injection via API

CVSSv3 Score: 7.9 An improper neutralization of special elements used in an SQL command (SQL Injection) vulnerability [CWE-89] in FortiDDoS-F may allow an authenticated attacker to run arbitrary SQL queries on the database by sending crafted HTTP requests.

https://fortiguard.fortinet.com/psirt/FG-IR-26-119

Fortinet: Unauthenticated Authentication bypass and Privilege escalation in FortiSandbox

CVSSv3 Score: 9.1 A Path Traversal vulnerability [CWE-24] in FortiSandbox JRPC API may allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests.

https://fortiguard.fortinet.com/psirt/FG-IR-26-112

April 2026 Security Update

Ivanti releases standard security patches on the second Tuesday of every month. Our vulnerability management program is central to our commitment to maintaining secure products. [..] To that end, today Ivanti is disclosing vulnerabilities in Ivanti Neurons for ITSM (on-premises and cloud).

https://www.ivanti.com/blog/april-2026-security-update

Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them

Last week, I wrote about catching a supply chain attack on a WordPress plugin called Widget Logic. A trusted name, acquired by a new owner, turned into something malicious. It happened again. This time at a much larger scale.

https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/

LWN Security updates for Tuesday

https://lwn.net/Articles/1067595/