
SANS Stormcast Wednesday, April 15th, 2026: Microsoft, Adobe, Fortinet and others Patches
Hello and welcome to the Wednesday, April 15, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Stockheim, Germany, and this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Cybersecurity Fundamentals.

Well, of course, no surprise, today we're starting with Microsoft's Patch Tuesday for April. And this is a little interesting Patch Tuesday. When I first looked at the number of vulnerabilities patched, I was quite surprised. According to our count, we have 243 vulnerabilities. But remember, our count also includes any Microsoft Edge vulnerabilities, which were actually already patched before today. These are vulnerabilities in the underlying Chromium browser that are then ported into Microsoft Edge as well. So after we subtract these 78 vulnerabilities, we are left with 165 vulnerabilities that are affecting Microsoft's own products, which is still a pretty solid number.

Now there are a couple of noteworthy ones here. First of all, there are eight critical ones, and one that's already being exploited, and one that hasn't been exploited yet but, well, has become known before today. The one that has become known before today I may have mentioned, but it sort of came out, I think, last week. And this is a privilege escalation in Microsoft Defender, one of those typical sort of antivirus vulnerabilities where basically an attacker can escalate privileges because, well, antivirus has to operate at elevated privileges. The one that's already being exploited is then a Microsoft SharePoint spoofing vulnerability. There are actually two very similar SharePoint Server spoofing vulnerabilities that are being patched this month, but only one of them is already being exploited. Now other sort of interesting vulnerabilities, basically critical vulnerabilities.
The one that sort of caught my eye first, that I think is sort of the most interesting one, maybe not the most critical one, is a TCP/IP remote code execution vulnerability. Now it does not get a full 10 on the CVSS scale. It's sort of in the 8 range here. It's a race condition, which usually means that exploitation is tricky. But yes, it does allow for unauthenticated code execution over the network. So certainly something to watch out for. Not really sufficient details known yet, at least as far as I could find, to really know how severe of an issue that is, how difficult it would be to create an exploit exploiting this timing issue here that triggers the vulnerability. In addition, we do have an Active Directory remote code execution vulnerability. Again, not a lot of details at this point, CVSS score in the 8 range, but that's definitely also one of those critical ones to watch. As usual, we got a couple of critical Office and Word vulnerabilities. Well, those are often then exploited, so definitely something that you have to address.

The, well, I would say less severe critical vulnerabilities that we have here are, first of all, a Remote Desktop client remote code execution vulnerability that typically requires that the user connects to a malicious RDP server. This can be triggered sort of with links. Yeah, it's certainly exploitable if someone can come up with the right kind of malicious server and then trick the user to click on the link. But also that could probably be easily blocked as well. Then we have an IKE (Internet Key Exchange) vulnerability. So basically IPsec related. This will likely require that you are first of all configuring IKE and IPsec on the system and then of course that someone is able to connect to it. The last one, I don't quite understand why it got rated critical. It's a .NET Framework denial of service vulnerability. Typically denial of service vulnerabilities are not necessarily rated as critical. Maybe because it affects the .NET Framework they consider that more severe than other sort of denial of service vulnerabilities. But overall, like I said, the TCP/IP vulnerability will be interesting to see what will come out of that. I personally doubt a little bit that it'll become a big deal, but it certainly has some potential here in the description of it, as well as the remote Active Directory vulnerability. Those are, I think, the two that you should really watch. Office, table stakes kind of. You have to get it updated. It's just another, well, Patch Tuesday in that respect.

And of course we do have patches from Adobe as well. Patches for 11 different products. And the one that's a little bit more interesting here is one I already mentioned on Monday, and that's a vulnerability in Adobe Acrobat Reader. First of all, there are two bulletins now: the one that was published over the weekend that patches the already exploited vulnerability, and then we got a second bulletin today that patches two vulnerabilities. One of the vulnerabilities is critical, it's an arbitrary code execution. The second one is an arbitrary file read vulnerability. So the first one is something to keep an eye on and that may be exploited soon. We also got again updates in ColdFusion. ColdFusion, of course, always something that I look at. And there is also one arbitrary code execution vulnerability here with a CVSS score of 9.3. Also like an arbitrary file system read and such that can often then lead to more severe compromises. Definitely get this updated, get this patched. And the other vulnerabilities that were patched, the other products, most of them have like a priority of three according to Adobe, which usually means that they don't really expect them to be exploited, which matches kind of my experience. These are the two products out of the list that we regularly see exploits being developed for.

And Fortinet also released updates fixing 11 vulnerabilities across their product portfolio. The one product I want to point out, and I don't really have the time to go into every single flaw here, but the one product that has a couple of interesting flaws is FortiSandbox, which suffers for example from a critical vulnerability here, an improper neutralization of special elements used in OS commands. So an OS command injection vulnerability, those are always important, critical really, and yes, also reachable here through an API endpoint. Other than that, also some critical, particularly some interesting sort of missing authentication for critical function vulnerabilities. So yes, as I always say, patch, patch, because we see so many attacks in particular against sort of any kind of gateway or border security device, and that usually means FortiOS is the target here.

Well, and that's it for today, at least that's what I had time for. There were a couple other vulnerabilities I sort of had on the list but, well, really I don't have the time to cover. wolfSSL, the SSL library. There is in PHP Composer an interesting issue that was addressed. Ivanti Neurons had some vulnerabilities being addressed, and SAP a very large set of patches, and it was their usual patch day as well. So thanks for listening, thanks for liking, thanks for recommending this podcast, and talk to you again tomorrow. Bye.
In this episode, host Johannes B. Ullrich delivers a comprehensive update on the latest Patch Tuesday releases, focusing on critical vulnerabilities and patch advisories from Microsoft, Adobe, and Fortinet. The episode covers the scope, impact, and urgency of notable flaws, alongside essential patching guidance for cybersecurity professionals.
| Vendor | Notable Vulnerabilities | Urgency / Exploitation |
|-----------|-----------------------------|------------------------------------------------|
| Microsoft | Defender priv. escalation, SharePoint spoofing, TCP/IP RCE, AD RCE, Office/Word, RDP client, .NET DoS | Active exploitation reported (SharePoint), public disclosure (Defender), critical flaws |
| Adobe | Acrobat Reader (Code Exec, Arbitrary Read), ColdFusion (Code Exec, File Read) | Actively exploited in the wild; prioritize Reader/ColdFusion |
| Fortinet | FortiSandbox OS Command Injection, Missing Authentication | Critical for border/gateway defenses |
Johannes’s tone is brisk and pragmatic, underlining the routine yet critical importance of timely patching—especially for products exposed to the internet or handling sensitive assets. The episode, typical for the Stormcast, is concise but data-packed, balancing the rundown of exploit details with practical advice on response prioritization.
Listeners are reminded to keep patching routines tight, especially after a major release day as busy as this one.