April Patch Tuesday Fixes Critical Flaws Across SAP, Adobe, Microsoft, Fortinet, and More
Patch Tuesday dyal April: Thograt khatira kat-t'attaqa f SAP, Adobe, Microsoft, u Fortinet
April Patch Tuesday: Critical Flaws Under Attack in SAP, Adobe, Microsoft, and Fortinet
The April Patch Tuesday cycle has arrived with a significant volume of security updates, addressing high-stakes vulnerabilities across several enterprise mainstays. Heading the list are critical flaws in SAP, Adobe, Fortinet, and Microsoft—some of which are already being exploited in the wild by threat actors.
TL;DR
- SAP: A near-perfect CVSS score of 9.9 for an SQL injection flaw in Business Warehouse and BPC.
- Adobe: Zero-day exploitation reported for Acrobat Reader; multiple critical flaws fixed in ColdFusion.
- Microsoft: A massive release of 169 patches, including an actively exploited SharePoint Server spoofing bug.
- Fortinet: Critical vulnerabilities in FortiSandbox allow for authentication bypass and OS command injection.
SAP: High-Stakes SQL Injection (CVSS 9.9)
The most severe vulnerability in this month's cycle impacts SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW). Tracked as CVE-2026-27681, this SQL injection flaw carries a CVSS score of 9.9.
According to security firm Onapsis, the vulnerability exists within an ABAP program that allows a low-privileged user to upload a file containing arbitrary SQL statements. Once uploaded, these statements are executed by the system. If exploited, an attacker could:
- Extract sensitive corporate data.
- Delete or corrupt database content.
- Manipulate planning figures and financial reports.
Experts at Pathlock warn that this flaw creates a "credible path to both stealthy data theft and overt business disruption," potentially undermining executive reporting and operational planning.
Adobe: Active Exploitation and ColdFusion Risks
Adobe has addressed a critical remote code execution (RCE) vulnerability in Adobe Acrobat Reader (CVE-2026-34621, CVSS 8.6). Worryingly, this flaw is confirmed to be under active exploitation in the wild. As of now, details regarding the identity of the attackers, their specific targets, or the scale of the campaign remain unknown.
Additionally, Adobe patched five critical flaws in ColdFusion (versions 2025 and 2023). These vulnerabilities could lead to arbitrary code execution, denial-of-service (DoS), and arbitrary file system reads. Notable CVEs include:
- CVE-2026-27304 (CVSS 9.3): Improper input validation leading to RCE.
- CVE-2026-34619 (CVSS 7.7): Path traversal leading to security feature bypass.
Microsoft: 169 Defects Pursued by Exploitation
Microsoft’s April release is particularly dense, covering 169 security defects. Of particular concern is CVE-2026-32201 (CVSS 6.5), a spoofing vulnerability in Microsoft SharePoint Server that is seeing active exploitation.
While Microsoft has not provided specific details on how the bug is being used in the wild, security researchers emphasize the risk. Kev Breen of Immersive notes that SharePoint servers are "treasure troves" for data theft and double-extortion ransomware. Furthermore, compromised SharePoint instances can be used to host "weaponized documents" to facilitate lateral movement throughout an organization.
Fortinet: FortiSandbox Under Fire
Fortinet released vital fixes for its FortiSandbox product, addressing two critical vulnerabilities with CVSS scores of 9.1:
- CVE-2026-39813: A path traversal flaw in the JRPC API that allows unauthenticated attackers to bypass authentication via crafted HTTP requests. (Fixed in versions 4.4.9 and 5.0.6).
- CVE-2026-39808: An OS command injection vulnerability permitting unauthorized code execution via crafted HTTP requests. (Fixed in version 4.4.9).
Broad Industry Updates
Beyond the major highlights, several dozen other vendors have released security updates or advisories over the past several weeks. This includes major cloud providers like AWS and Google Cloud, hardware manufacturers like AMD, Intel, and NVIDIA, and infrastructure giants such as Cisco, Citrix, and VMware.
Conclusion
The April Patch Tuesday highlights a dangerous trend of zero-day exploitations targeting document readers and collaboration platforms like SharePoint. Enterprise administrators should prioritize the SAP SQL injection patch due to its high CVSS score and the Adobe Acrobat/Microsoft SharePoint updates due to active threats in the wild.
Source: The Hacker News - April Patch Tuesday Fixes Critical Flaws
