Critical Zero-Days in nginx-ui, Fortinet, and Cisco Are Being Actively Exploited
April 2026 has seen a surge of critical CVEs with CVSS scores of 9.0+. Here's what's being exploited right now and what your team needs to patch immediately.
April 2026 has delivered an unusually dense wave of critical vulnerabilities across widely deployed infrastructure — several of which are already being actively exploited in the wild. Security teams need to prioritize patching immediately.
CVE-2026-33032 — nginx-ui (CVSS 9.8)
The most severe of the current wave. This authentication bypass flaw in nginx-ui allows unauthenticated attackers to take complete control of an Nginx web server via a vulnerable MCP endpoint. With 2,600+ instances confirmed exploited in active attacks, this is not theoretical. If you're running nginx-ui, patch or take it offline now.
CVE-2026-21643 — Fortinet FortiClient EMS (CVSS 9.1)
A SQL injection vulnerability in Fortinet's Enterprise Management Server allows unauthenticated remote code execution. Active exploitation has been confirmed since March 24, 2026. CISA's patch deadline was April 16 — if your organization missed it, you're in the window of maximum risk.
CVE-2026-20131 — Cisco Firewall Management Center
The Interlock ransomware group exploited this zero-day as early as January 26, 2026 — nearly three months before public disclosure. Attackers gain root access to Cisco FMC, effectively compromising the security infrastructure that's supposed to protect everything else. The pattern of ransomware groups hoarding zero-days for extended periods before public disclosure is a growing and deeply concerning trend.
CVE-2026-6309 — Google Chrome (High severity)
This use-after-free vulnerability in Chrome's Viz component, the fourth actively exploited Chrome zero-day of 2026, enables memory corruption and code execution. Patch to v147+ immediately — this affects both Chrome and Microsoft Edge on Windows.
CVE-2026-40478/40477 — Thymeleaf (CVSS 9.0)
Server-side template injection flaws in the popular Java templating engine. Unauthenticated attackers can bypass protections and achieve full application compromise. Disclosed April 17, 2026 — expect active exploitation to begin within days.
The bigger picture
The velocity of critical vulnerability disclosure and exploitation in 2026 has reached a new high. Security teams are being asked to patch faster than ever, often with incomplete information about exploitation status. Automated patch management, continuous exposure monitoring, and a zero-trust posture aren't best practices anymore — they're survival requirements.
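The prioritization this post argues for (exploited-in-the-wild first, deadline-driven, then severity) can be written down as a small triage rule over an asset inventory. The following is an added example written for this page, not code from the original post or from any of the vendors named in it. The CVE identifiers, the exploitation status, the April 16, 2026 CISA deadline for CVE-2026-21643 and the Chrome fix version (147) are taken from the post; the product keys, asset names and installed versions are constructed, and where the post gives no fixed version the advisory is recorded with `fixed_version=None`, which the rule conservatively treats as "every instance is affected".

```python
"""Patch-priority triage over a constructed asset inventory.

Added example, not from the original post. Product keys, asset names and
installed versions are constructed; only the CVE ids, exploitation status,
the April 16 deadline and the Chrome v147 fix come from the post.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str                   # inventory product key (assumed naming)
    fixed_version: Optional[str]   # first patched version; None = unknown, treat all installs as affected
    exploited: bool                # confirmed in-the-wild exploitation
    deadline: Optional[date]       # remediation due date (e.g. a CISA KEV deadline), if any
    cvss: Optional[float]          # None where the post gives no score


def parse_version(v: str) -> tuple:
    """Turn '147.0.2' into (147, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(installed: str, fixed: Optional[str]) -> bool:
    """Unknown fix version -> assume affected; otherwise affected if older than the fix."""
    if fixed is None:
        return True
    return parse_version(installed) < parse_version(fixed)


def priority(adv: Advisory, today: date) -> str:
    """Exploited + past deadline outranks exploited, which outranks CVSS >= 9.0."""
    if adv.exploited and adv.deadline is not None and today > adv.deadline:
        return "P0-OVERDUE"
    if adv.exploited:
        return "P0"
    if adv.cvss is not None and adv.cvss >= 9.0:
        return "P1"
    return "P2"


# Advisory facts from the post; fixed versions are None where the post gives none.
ADVISORIES = [
    Advisory("CVE-2026-33032", "nginx-ui", None, True, None, 9.8),
    Advisory("CVE-2026-21643", "forticlient-ems", None, True, date(2026, 4, 16), 9.1),
    Advisory("CVE-2026-20131", "cisco-fmc", None, True, None, None),
    Advisory("CVE-2026-6309", "chrome", "147.0.0", True, None, None),  # post: patch to v147+
    Advisory("CVE-2026-40478", "thymeleaf", None, False, None, 9.0),
]

# Constructed inventory: asset names and versions are made up for the example.
INVENTORY = [
    {"asset": "web-01", "product": "nginx-ui", "version": "2.0.0"},
    {"asset": "ems-01", "product": "forticlient-ems", "version": "7.4.0"},
    {"asset": "wks-07", "product": "chrome", "version": "146.0.1"},
    {"asset": "wks-08", "product": "chrome", "version": "147.0.2"},
    {"asset": "app-03", "product": "thymeleaf", "version": "3.1.2"},
    {"asset": "db-01", "product": "postgresql", "version": "16.2"},
]

_ORDER = {"P0-OVERDUE": 0, "P0": 1, "P1": 2, "P2": 3}


def triage(inventory, advisories, today: date):
    """Return (priority, asset, cve) tuples for affected assets, highest priority first."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if adv.product == asset["product"] and is_vulnerable(asset["version"], adv.fixed_version):
                findings.append((priority(adv, today), asset["asset"], adv.cve))
    return sorted(findings, key=lambda f: (_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for prio, asset, cve in triage(INVENTORY, ADVISORIES, date(2026, 4, 20)):
        print(f"{prio:<11} {asset:<8} {cve}")
```

Run against the constructed inventory on April 20, 2026, the EMS host comes out as overdue ahead of the exploited-but-undated nginx-ui and Chrome findings, the fully patched Chrome workstation is not listed, and the Thymeleaf host lands at P1 because the post reports no exploitation yet. Feeding the script a real inventory export and a current KEV feed is the obvious next step; the rule itself stays the same.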