This Week's Cyber Pulse — April 28, 2026

Your weekly intelligence brief for small and mid-size businesses. Sourced, rated, and written in plain English.


Threat Roundup

🔴 CRITICAL: Apache ActiveMQ RCE — Federal Deadline April 30

CVE-2026-34197 is a remote code execution vulnerability in Apache ActiveMQ Classic with active exploitation confirmed. An attacker can invoke a management operation through ActiveMQ's Jolokia API to execute arbitrary OS commands — no user interaction required. On versions 6.0.0–6.1.1, a related flaw (CVE-2024-32114) exposes the Jolokia API without authentication, making this an unauthenticated RCE.

CISA added this to the Known Exploited Vulnerabilities (KEV) catalog on April 16, 2026, with a federal agency remediation deadline of April 30 — two days after this issue publishes.

What to do right now:

  • Check if your organization runs Apache ActiveMQ (it's a common message broker in enterprise Java stacks and many SaaS platforms)
  • If found, upgrade to ActiveMQ 5.19.4 or 6.2.3 immediately
  • If you can't patch, disable the Jolokia JMX-HTTP API endpoint at /api/jolokia/ — block it at the firewall
  • Audit your network for ActiveMQ instances: default ports are 61616 (OpenWire) and 8161 (web console)

Severity: Critical | CVSS: 8.8 | Affected: Organizations running Apache ActiveMQ Classic | Source: CISA KEV, The Hacker News, Horizon3.ai, Fortinet FortiGuard Labs
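As an added example (not code from the newsletter, CISA, or the ActiveMQ project), the script below triages a constructed host inventory against the upgrade targets and the 6.0.0–6.1.1 unauthenticated-Jolokia range given above, so the hosts that need the firewall block or an emergency upgrade surface first. It assumes that every release below its branch's fix version is affected, which is inferred from the upgrade targets rather than stated on the page.

```python
"""Triage an ActiveMQ inventory against this brief's advisory (added example, not from the
newsletter). Fix versions 5.19.4 / 6.2.3 and the 6.0.0-6.1.1 unauthenticated-Jolokia range
come from the brief; assumed here: any release below its branch's fix version is affected."""
import re
from dataclasses import dataclass

FIXED = {5: (5, 19, 4), 6: (6, 2, 3)}    # fixed versions named in the brief, by major branch
UNAUTH_JOLOKIA = ((6, 0, 0), (6, 1, 1))   # inclusive range where Jolokia needs no auth

def parse_version(text: str) -> tuple:
    """Pull the first x.y.z out of strings like 'ActiveMQ 6.1.1' or '5.18.3-SNAPSHOT'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())

@dataclass
class Finding:
    host: str
    version: str
    affected: "bool | None"   # None: branch the brief does not cover, verify manually
    unauth_jolokia: bool      # True: inside 6.0.0-6.1.1, so treat as unauthenticated RCE
    fix_version: "str | None"

def assess(host: str, version_text: str) -> Finding:
    """Classify one host; unknown branches are flagged rather than silently passed."""
    v = parse_version(version_text)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return Finding(host, version_text, None, False, None)
    affected = v < fixed
    unauth = affected and UNAUTH_JOLOKIA[0] <= v <= UNAUTH_JOLOKIA[1]
    return Finding(host, version_text, affected, unauth,
                   ".".join(map(str, fixed)) if affected else None)

def triage(inventory):
    """Findings with unauthenticated-RCE exposure first, patched hosts last."""
    return sorted((assess(h, v) for h, v in inventory),
                  key=lambda f: (not f.unauth_jolokia, f.affected is False))

SAMPLE_INVENTORY = [("mq-prod-01", "ActiveMQ 6.1.1"), ("mq-prod-02", "6.2.3"), ("mq-legacy", "5.18.3-SNAPSHOT"),
                    ("mq-stage", "5.19.4"), ("mq-other", "7.0.0")]  # constructed: all names/versions made up
if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        if f.affected is None:
            action = "branch not covered by this advisory; check the vendor bulletin"
        elif f.unauth_jolokia:
            action = f"URGENT: upgrade to {f.fix_version} or block /api/jolokia/ at the firewall"
        else:
            action = f"upgrade to {f.fix_version}" if f.affected else "OK"
        print(f"{f.host:12} {f.version:18} {action}")
```

Feed it the product/version column of your CMDB or asset export in place of the constructed inventory.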


🔴 CRITICAL: Microsoft SharePoint RCE — Deadline Passed, Exploitation Ongoing

CVE-2026-32201 was added to CISA KEV on April 28 with a federal deadline of April 28, 2026. Active exploitation is confirmed, and the federal deadline has now passed: organizations running unpatched on-premises SharePoint servers are operating without compliance cover.

The vulnerability is a deserialization flaw (CVSS 9.8) requiring no user interaction. Organizations running on-premises Microsoft SharePoint Server should treat this as an emergency.

What to do:

  • Apply Microsoft's patch for CVE-2026-32201, released in the April 2026 security update
  • Run the SharePoint admin health checker to confirm patch status: Test-SPContentDatabase and Get-SPProductVersion
  • If you can't patch immediately, disable SharePoint Workflow (a known attack vector) via PowerShell
  • SharePoint remains a top attack target — CISA KEV now lists nine SharePoint vulnerabilities total

Severity: Critical | CVSS: 9.8 | Affected: On-premises Microsoft SharePoint servers | Source: CISA KEV, SecurityWeek, BleepingComputer


🔴 CRITICAL: Ivanti Endpoint Manager Mobile — Two KEV Entries

CVE-2026-1281 and CVE-2026-1340 both affect Ivanti Endpoint Manager Mobile (EPMM). CVE-2026-1281 (CVSS 9.8) allows authenticated attackers to execute arbitrary code via improper input validation. CVE-2026-1340 (CVSS 9.8) is a code injection vulnerability enabling unauthenticated remote code execution.

Both were added to CISA KEV on April 8, 2026 — well over the standard 21-day window. Ivanti has released patches for both.

What to do:

  • If your organization uses Ivanti EPMM, confirm you're on version 11.12 or later
  • The U.S. election infrastructure community was specifically targeted via EPMM vulnerabilities in past campaigns — if you're in that sector, treat this as highest priority

Severity: Critical | CVSS: 9.8 | Affected: Ivanti EPMM users | Source: CISA KEV (April 8, 2026), Ivanti Security Advisory


Compliance Deadline Watch

Regulation S-P — Customer Data Third-Party Risk Program (June 3, 2026)

SEC Regulation S-P requires broker-dealers, investment companies, and investment advisers to implement written policies and procedures addressing the protection of customer information. The 2023 amendments added a specific requirement for a customer data third-party risk program — policies, contractual requirements, and ongoing monitoring for all service providers with access to customer data.

The compliance date for these amendments is June 3, 2026. If you haven't mapped your third-party data flows and added contractual protections, you have roughly five weeks.

What to do:

  • Inventory all vendors and service providers with access to customer PII or financial data
  • Update contracts to include required data protection provisions (check SEC guidance for specifics)
  • Implement ongoing monitoring for high-risk third parties — annual attestations are the baseline
  • If you haven't done so, document your third-party risk program in writing

The FTC Safeguards Rule (16 CFR Part 314) has the same requirements for smaller financial institutions — same controls apply, and FTC enforcement in January 2026 confirmed they're actively penalizing organizations without documented programs.

CMMC Level 2 — Third-Party Assessment Window Is Open

C3PAOs (CMMC Third-Party Assessment Organizations) are booking Q3 and Q4 2026 assessments. If you hold a DoD contract requiring CMMC Level 2, the assessment window is now — not October 31 (the contract deadline). C3PAO availability is limited. Book now if you haven't.


Insurance Market Update

Three patterns SMBs are running into during underwriting right now:

  • ActiveMQ / SharePoint exposure flagged in applications — Carriers are aware of the CVE activity. If you run either product and can't demonstrate patching status, expect follow-up questions and potentially a coverage exclusion.
  • EDR + immutable backups now hard requirements, not preferences — Chubb, AIG, Hartford, and Travelers are all requiring EDR at most SMB tiers now. Immutable backups (offline or cloud-native with an immutability lock) are increasingly required. Neither is optional at standard rates anymore.
  • Coverage denial triggers are expanding — Beyond EDR and backups, carriers are now flagging MFA gaps, absence of an incident response plan, and supply chain documentation gaps as potential denial triggers. An incident response plan is no longer just a best practice — it's increasingly a coverage condition.

The market is still available and rates have stabilized vs. 2024, but the bar for coverage conditions is higher. If your policy renewal is within 90 days, run CyberStackHub's Cyber Insurance Readiness Tool to see which gaps might affect your coverage.


Tool Spotlight: Incident Response Plan

Given this week's threat landscape (multiple KEV-listed vulnerabilities under confirmed active exploitation, plus tight federal deadlines), an incident response plan is your most important document right now.

Our Incident Response Plan Tool generates a customized plan for your organization covering:

  • Who does what during a security incident (roles, escalation path, contacts)
  • Initial containment steps for common attack scenarios (ransomware, data breach, account compromise)
  • Evidence preservation instructions (what to do and not do before forensics arrives)
  • Communication templates for employees, customers, and regulators
  • Recovery steps and lessons learned documentation

For organizations running ActiveMQ, SharePoint, or Ivanti — or any company with a cyber insurance policy — a documented incident response plan is increasingly a coverage condition, not a nice-to-have.

Build your incident response plan free


Run The Cyber Pulse Stack — Free

Active CVE activity and tight deadlines are exactly the scenario the Cyber Pulse Stack was built for. Get a personalized security brief covering the threats most relevant to your industry, your compliance deadlines, and your insurance readiness score.

Delivered by email, SMS, or PDF — your choice.

Run The Cyber Pulse Stack free


Frequently Asked Questions

What does it mean if CISA adds a vulnerability to KEV?

The CISA Known Exploited Vulnerabilities catalog lists CVEs with confirmed evidence of active exploitation in the wild — not theoretical risk. Federal Civilian Executive Branch agencies are required to patch or document compensating controls within the deadline CISA specifies. For private-sector organizations, KEV listing means the vulnerability is actively targeted by threat actors. Treat KEV deadlines as your own.

My company doesn't run Apache ActiveMQ. Am I affected?

ActiveMQ is embedded in many SaaS platforms and enterprise Java applications — it's not always obvious. Check with your IT team or vendor if you use any business-critical software built on Java middleware. Even if you're not directly affected, the CVE activity underscores the importance of patching discipline and having an incident response plan.

What is an immutable backup and how do I know if I have one?

An immutable backup cannot be deleted or modified by ransomware — it's stored in a format that the operating system treats as read-only, or it's stored in a cloud service with an immutability lock feature. If your backup solution uses a Windows or Linux agent on the same network as your primary systems, it's almost certainly not immutable. Cloud-native backup services (Backblaze B2 with Object Lock, AWS S3 with Object Lock, Veeam Cloud Connect) offer immutability by design. Check with your backup vendor.

Does the FTC Safeguards Rule apply to my company if I'm not a bank?

The FTC Safeguards Rule covers financial institutions under FTC jurisdiction — this includes finance companies, mortgage brokers, payday lenders, and many other non-bank financial services companies that don't have a bank charter. If you handle customer financial data and receive regular inquiries from customers about their accounts or financial products, check whether you fall under FTC Safeguards Rule jurisdiction.

What is an incident response plan and what does it need to include?

A basic incident response plan covers: who owns the response (role assignments), initial detection and containment steps, evidence preservation, legal and regulatory notification obligations (varies by industry and data type), customer communication, and post-incident review. CyberStackHub's Incident Response Plan tool generates one customized for your company's size and industry. You don't need a 50-page plan — a clear 5-page plan with actual phone numbers and role assignments is far better than a 50-page plan no one reads.

