Critical Zero-Day Exploits Target Major Platforms
Five high-severity vulnerabilities across Microsoft Defender, GitHub, LiteLLM, PackageKit, and Robinhood were exploited in the wild during April 2026, with attackers leveraging publicly available proof-of-concept code within hours of disclosure. The most severe, CVE-2026-3854 affecting GitHub, exposed millions of repositories to remote code execution attacks.
According to SecurityWeek, the Microsoft Defender zero-day CVE-2026-33825 (CVSS 7.8) was first exploited on April 10, just eight days after public disclosure by researcher Chaotic Eclipse. Huntress observed attacks leveraging Russian-geolocated infrastructure targeting the privilege escalation flaw.
Microsoft Defender BlueHammer Attacks Surge
The Microsoft Defender vulnerability, dubbed “BlueHammer,” exploits a time-of-check to time-of-use (TOCTOU) race condition in Defender’s signature update mechanism. Attackers with low privileges can escalate to full System permissions by manipulating operation locks and triggering signature updates.
Huntress identified suspicious FortiGate SSL VPN access tied to compromised environments, with source IPs geolocated to Russia. The attacks used all three published techniques: BlueHammer, RedSun, and UnDefend. BlueHammer suspends Defender operations, tricks the system into copying the Security Account Manager (SAM) database, then decrypts user NT hashes to generate admin sessions.
Microsoft patched CVE-2026-33825 on April 14, but the 12-day window between disclosure and patching allowed widespread exploitation. The root cause is insufficient granularity in Defender’s access control mechanisms.
GitHub RCE Exposed Millions of Repositories
Cloud security firm Wiz discovered CVE-2026-3854, a critical remote code execution vulnerability affecting GitHub’s internal Git infrastructure. The flaw impacts GitHub Enterprise Server, GitHub.com, and Enterprise Cloud variants.
“By exploiting an injection flaw in GitHub’s internal protocol, any authenticated user could execute arbitrary commands on GitHub’s backend servers with a single git push command,” Wiz explained. On GitHub.com, the vulnerability allowed RCE on shared storage nodes where millions of public and private repositories were accessible.
GitHub deployed a fix to GitHub.com on March 4, the same day Wiz reported the issue. Enterprise Server patches followed shortly after. GitHub’s forensic investigation found no evidence of in-the-wild exploitation, even though the attack required nothing more than a standard git client and an authenticated account.
PackageKit Flaw Grants Root Access Across Linux Distros
Deutsche Telekom’s Red Team discovered CVE-2026-41651 (CVSS 8.1), dubbed “Pack2TheRoot,” affecting PackageKit versions 1.0.2 to 1.3.4. The vulnerability likely existed since version 0.8.1, released 14 years ago.
The TOCTOU race condition allows unprivileged users to install arbitrary RPM packages with root privileges without authentication. NIST’s advisory confirms impacts across Ubuntu Desktop 18.04-26.04, Ubuntu Server 22.04-24.04, Debian Trixie 13.4, RockyLinux 10.1, and Fedora 43.
“It is reasonable to assume that all distributions that ship PackageKit with it enabled are vulnerable,” Deutsche Telekom noted. The flaw is “reliably exploitable in seconds” but researchers withheld technical details due to the ease of exploitation.
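Both BlueHammer and Pack2TheRoot are time-of-check to time-of-use bugs: a privileged component validates a name or state, and an unprivileged user changes what that name refers to before the component acts on it. The following Python script is an added illustration written for this summary; it is not code from Microsoft Defender, PackageKit, or either research team, and the file names, the `between` hook that stands in for the race window, and the temporary-directory scenario are all constructed for the demo. It shows the vulnerable check-then-use shape beside the hardened form, which opens once with `O_NOFOLLOW` and validates the object it actually holds through the descriptor, so a swap of the path after the open cannot redirect the read.

```python
import os
import stat
import tempfile


def check_then_use(path, between=None):
    """Vulnerable pattern: validate the *name*, then open the *name* again.
    `between` is a constructed hook standing in for whatever an attacker does
    in the window between the check and the use."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("not a regular file")
    if between:
        between()                      # the race window: the name may now point elsewhere
    with open(path, "rb") as f:        # re-resolves the name and follows symlinks
        return f.read()


def open_then_check(path, between=None):
    """Hardened pattern: open once without following symlinks, then validate
    the object that was actually opened via its descriptor, not its name."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        if between:
            between()                  # same window, but we already hold the real object
        st = os.fstat(fd)              # describes what the fd refers to, whatever the name means now
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a harmless file is swapped for a symlink to a secret
    file inside the race window. Returns (bytes read by the vulnerable version,
    bytes read by the hardened version)."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        with open(public, "wb") as f:
            f.write(b"harmless")
        with open(secret, "wb") as f:
            f.write(b"secret")

        def swap():
            # What happens in the window: replace the checked path with a symlink.
            os.remove(public)
            os.symlink(secret, public)

        leaked = check_then_use(public, between=swap)

        # Restore the original state and run the hardened version against the same swap.
        os.remove(public)
        with open(public, "wb") as f:
            f.write(b"harmless")
        safe = open_then_check(public, between=swap)
        return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("check-then-use read:", leaked)   # the secret, because the name was re-resolved
    print("open-then-check read:", safe)    # the original file the descriptor already held
```

The lesson generalizes beyond files: whenever a privileged service checks something it does not hold (a path, a lock name, a package on disk, a job id) and then acts on that something by name, the check must be redone against the handle it actually uses, or the operation must be made atomic, such as by opening first and verifying the descriptor as above.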
LiteLLM SQL Injection Exploited Within 36 Hours
CVE-2026-42208 (CVSS 9.3) in the open-source AI gateway LiteLLM was exploited just 36 hours after GitHub indexed the vulnerability advisory on April 24. Sysdig reported attackers specifically targeted three database tables containing API keys, provider credentials, and environment configurations.
The SQL injection occurs during proxy API key verification, where database queries include caller-supplied values directly rather than as separate parameters. Unauthenticated attackers can send crafted Authorization headers to access the database via error-handling paths.
“The call happens before authentication is decided, so the injection is fully pre-auth,” Sysdig noted. Attackers demonstrated knowledge of LiteLLM’s Prisma-generated PostgreSQL identifier casing and performed systematic column-count discovery sweeps.
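The defect described for LiteLLM is the textbook one: a caller-supplied value is spliced into the SQL text, so the database parses it as part of the statement. The snippet below is an added example for this summary, not LiteLLM’s code and not its schema; the `verification_tokens` table, its columns, the sample keys, and the in-memory SQLite store are constructed for the demo. It places the vulnerable lookup beside the parameterized one and wraps the safe version in a pre-auth key check that parses the `Authorization` header first, so a malformed or hostile header can only ever fail the match.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a proxy's API-key table (schema is illustrative)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE verification_tokens (token TEXT PRIMARY KEY, user_id TEXT, spend REAL)"
    )
    conn.executemany(
        "INSERT INTO verification_tokens VALUES (?, ?, ?)",
        [("sk-alpha-111", "team-a", 1.5), ("sk-beta-222", "team-b", 0.0)],
    )
    return conn


def bearer_token(authorization_header):
    """Extract the token from 'Bearer <token>'; returns None for anything malformed."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def lookup_key_vulnerable(conn, token):
    # The flaw: the caller-supplied value becomes part of the SQL text and is parsed as code.
    query = f"SELECT token, user_id FROM verification_tokens WHERE token = '{token}'"
    return conn.execute(query).fetchone()


def lookup_key_parameterized(conn, token):
    # The fix: the value travels separately from the statement and can only match as a literal.
    query = "SELECT token, user_id FROM verification_tokens WHERE token = ?"
    return conn.execute(query, (token,)).fetchone()


def verify_request(conn, authorization_header):
    """Pre-auth path: parse the header, look the key up with a parameterized query,
    and return the owning user_id or None. Nothing from the header reaches SQL text."""
    token = bearer_token(authorization_header)
    if token is None:
        return None
    row = lookup_key_parameterized(conn, token)
    return row[1] if row else None


if __name__ == "__main__":
    db = make_db()
    print(verify_request(db, "Bearer sk-alpha-111"))   # team-a
    print(verify_request(db, "Bearer sk-missing"))     # None
    hostile = "x' OR '1'='1"                           # a value with SQL syntax in it
    print(lookup_key_parameterized(db, hostile))       # None: treated as a literal string
    print(lookup_key_vulnerable(db, hostile))          # a row: the quote broke out of the literal
```

The same reasoning applies to the error-handling paths mentioned above: an exception handler that builds a diagnostic query from the failing input is still concatenating caller data into SQL. Every query that touches request-derived values, on the success path and on every failure path, should go through placeholders (or an ORM call that uses them), and the key-lookup table should be readable by the proxy’s database role only.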
Robinhood Phishing Exploits Account Creation Flaw
Robinhood confirmed cybercriminals exploited a vulnerability in its account creation process to send legitimate phishing emails from ‘@robinhood.com’ addresses. The attacks leveraged Gmail’s “dot trick” where periods in usernames are ignored by Gmail but treated as distinct accounts by Robinhood.
Attackers created new Robinhood accounts using modified Gmail addresses, then injected malicious HTML into device name fields during signup. This triggered legitimate “recent login” notification emails that rendered unsanitized HTML with embedded phishing links.
According to Robinhood, “This phishing attempt was made possible by an abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and funds were not impacted.”
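Two separate controls would have closed the Robinhood flow: canonicalizing e-mail addresses before checking for duplicates, so Gmail’s dot and plus-tag variants map to one account, and HTML-escaping any user-controlled field before it lands in a notification template. The code below is an added example for this summary, not Robinhood’s code; the `AccountStore` class, the notification template, and the sample addresses are constructed, and treating `googlemail.com` as an alias of `gmail.com` is a design assumption stated here rather than something the article describes.

```python
import html

# Domains where dots in the local part and a '+tag' suffix do not create a distinct mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}   # assumption: aliases treated as one provider


def canonical_email(address):
    """Normalize an address for duplicate detection. Comparison is case-insensitive;
    for Gmail the local part additionally loses dots and any '+tag' suffix."""
    local, _, domain = address.strip().rpartition("@")
    if not local or not domain:
        raise ValueError("not an e-mail address")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


class AccountStore:
    """Constructed stand-in for the account-creation flow: one account per canonical address."""

    def __init__(self):
        self._seen = set()

    def register(self, email):
        key = canonical_email(email)
        if key in self._seen:
            return False            # variant of an address already on file: refuse
        self._seen.add(key)
        return True


def render_login_notice_unsafe(device_name):
    # The flaw described above: a user-controlled field copied verbatim into the email HTML.
    return f"<p>New login from device: <b>{device_name}</b></p>"


def render_login_notice(device_name):
    """Hardened template: the user-controlled field is HTML-escaped, so markup in it is
    displayed as text rather than rendered by the recipient's mail client."""
    safe = html.escape(device_name, quote=True)
    return f"<p>New login from device: <b>{safe}</b></p>"


if __name__ == "__main__":
    store = AccountStore()
    print(store.register("john.doe@gmail.com"))      # True
    print(store.register("jo.hn.doe+x@gmail.com"))   # False: same Gmail mailbox
    # Constructed device name containing markup; '.example' is a reserved demo domain.
    name = '<a href="http://phish.example">Verify your account</a>'
    print(render_login_notice_unsafe(name))          # link survives into the email
    print(render_login_notice(name))                 # rendered as literal text
```

Escaping at the template boundary is the control that matters for the notification; canonicalization reduces the number of fresh accounts an abuser can mint from one mailbox but does not by itself stop injected content, so both belong in the signup flow. A practical check for any transactional-email template is to feed it a device or display name containing `<`, `"` and `&` and confirm the delivered HTML shows them as text.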
What This Means
The rapid exploitation of these vulnerabilities highlights the compressed timeline between disclosure and active attacks. CVE-2026-42208 was exploited within 36 hours of public indexing, while CVE-2026-33825 saw attacks just eight days post-disclosure.
The diversity of attack vectors—from TOCTOU race conditions to SQL injection and HTML injection—demonstrates the broad attack surface across modern software stacks. GitHub’s CVE-2026-3854 represents the most severe impact, potentially exposing millions of repositories to RCE attacks.
Organizations must prioritize rapid patching cycles, especially for publicly disclosed vulnerabilities with available proof-of-concept code. The PackageKit vulnerability’s 14-year existence underscores the importance of legacy code auditing in widely deployed infrastructure components.
FAQ
Which vulnerability poses the greatest immediate risk?
CVE-2026-3854 (GitHub RCE) represents the highest impact due to its potential exposure of millions of repositories, though GitHub patched it quickly. CVE-2026-33825 (Microsoft Defender) poses ongoing risk for unpatched systems with confirmed wild exploitation.
How quickly were these vulnerabilities exploited after disclosure?
LiteLLM’s CVE-2026-42208 was exploited within 36 hours of GitHub advisory indexing. Microsoft Defender’s CVE-2026-33825 saw attacks eight days after public disclosure. This demonstrates the critical importance of immediate patching for publicly disclosed flaws.
What should organizations prioritize for protection?
Immediate patching of Microsoft Defender (April 14 update), GitHub Enterprise Server, and PackageKit across Linux distributions. Organizations should also review account creation flows for HTML injection vulnerabilities similar to the Robinhood issue and implement input sanitization controls.
Sources
- Recent Microsoft Defender Vulnerability Exploited as Zero-Day – SecurityWeek
- Critical GitHub Vulnerability Exposed Millions of Repositories – SecurityWeek