
SANS Internet Storm Center Highlights Cybersecurity Threats and Updates
The April 30, 2026, SANS Internet Storm Center Stormcast highlighted two suspicious web requests detected via honeypots: one targeting Broadcom API Gateway for reconnaissance or fingerprinting, and another probing ESP32 devices, potentially for firmware flashing. Microsoft’s Patch Tuesday update addressed a zero-day link file vulnerability (exploited by Fancy Bear against Ukraine) that triggers credential leakage via SMB without user interaction, marking the second attempt to patch it. Microsoft also warned that Secure Boot certificates issued in 2011 will expire in June 2026, with Defender updated to help enterprises identify affected systems. Additionally, Microsoft will disable TLS 1.0 and 1.1 for Exchange POP3 and IMAP4 connections in July 2026, requiring upgrades to TLS 1.2 or 1.3. A supply chain compromise involved malicious npm packages interfacing with SAP, using pre-install hooks to execute code on developer systems during installation. The episode noted that these packages were not official SAP releases but were widely used.
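The pre-install hook mechanism mentioned above can be audited before anything is installed. The following is an added example, not code from the Stormcast or from any affected project: it lists dependencies that npm marks with `hasInstallScript` in a lockfile (version 2 or 3) and the install-time hooks declared in a manifest. All package names and the sample data are constructed.

```javascript
// Added example: constructed data, hypothetical package names.
// Lifecycle scripts npm runs automatically when a dependency is installed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Return the install-time hooks declared in one parsed package.json.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS
    .filter((h) => typeof scripts[h] === "string" && scripts[h].trim() !== "")
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Derive the package name from a lockfile "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromLockPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// List lockfile entries that npm flags with hasInstallScript and that are
// not on the allowlist of packages already reviewed by the team.
function unreviewedInstallScripts(lock, allowlist = []) {
  const allowed = new Set(allowlist);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.hasInstallScript) continue; // "" is the root project
    const name = nameFromLockPath(path);
    if (!allowed.has(name)) findings.push({ name, version: entry.version, path });
  }
  return findings.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample: a parsed package-lock.json and one dependency manifest.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/native-addon-example": { version: "2.1.0", hasInstallScript: true },
    "node_modules/plain-lib-example": { version: "4.0.2" },
    "node_modules/plain-lib-example/node_modules/@example-scope/helper":
      { version: "0.3.1", hasInstallScript: true },
  },
};
const sampleManifest = {
  name: "@example-scope/helper",
  scripts: { preinstall: "node setup.js", test: "node test.js" },
};

console.log(unreviewedInstallScripts(sampleLock, ["native-addon-example"]));
console.log(installHooks(sampleManifest));
```

Installing with `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) keeps these hooks from running while the flagged packages are reviewed.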