Mycomputerspot Security Newsletter
Wednesday War Room – 04/08/2026
This Wednesday's threat landscape reveals a pattern that is ugly but predictable: management planes are getting actively exploited, AI builder platforms are getting popped, and supply chain loaders keep showing up where developers least expect them (inside “normal” functions, not install scripts).
We killed RAG and sandboxes. Here's what we built instead.
Our documentation assistant had a problem. RAG pipelines only sent the model fragments of pages, never the full picture, making responses feel half-baked. The fix was obvious: give the agent a real sandbox with full doc access. Quality jumped, but startup hit 46 seconds and costs ballooned to $70K+ per year.
The insight: the agent doesn't need a real filesystem. It just needs to think it's in one.
We built ChromaFs, a virtual filesystem that translates standard UNIX commands into queries against our existing Chroma database. Every doc page becomes a file, every section a directory. The agent explores documentation the way a developer explores a codebase.
The results:
Session startup: 46s to ~100ms
Marginal compute cost: $0 per conversation
Output quality: on par with full sandbox
Access control: built-in, zero infrastructure overhead
ChromaFs now powers our documentation assistant across 30,000+ conversations a day for hundreds of thousands of users. No containers, no cold starts, no invoice surprises.

The convergence of social engineering sophistication, unpatched critical vulnerabilities, and coordinated criminal collaboration signals a new phase of threat actor maturity that demands immediate executive attention and strategic response.
Risk Level: Critical
Business Impact: Compromise of endpoint management infrastructure can enable fleet-wide policy tampering, remote command execution, and rapid credential pivoting.
What You Need to Know:
CISA issued a remediation push after confirmed exploitation of FortiClient Enterprise Management Server CVE-2026-35616, described as a pre-auth API access bypass that can allow attackers to sidestep authentication/authorization and execute code or commands via crafted requests; Fortinet released emergency hotfixes and advised upgrading once the fixed version is available, per the CISA remediation order and the exploit details cited in that coverage.
Why This Matters
EMS is a blast-radius multiplier: one foothold can become thousands of endpoints.
Pre-auth access means attackers don’t need stolen creds to start doing damage.
“Management-plane compromise” often looks like normal admin behavior until it’s too late.
Executive Actions
🧯 Patch/apply hotfixes immediately and verify the running EMS build matches the fixed release.
🔒 Restrict EMS access to VPN/allowlists only; eliminate direct internet exposure.
🕵️ Review EMS logs for abnormal API calls, suspicious admin sessions, and unexpected policy pushes.
🔑 Rotate high-value creds/tokens used by EMS integrations if the server was exposed while vulnerable.
Risk Level: Critical
Business Impact: Full takeover of AI workflow servers can lead to command execution, file access, and exfiltration of secrets powering chatbots/agents.
What You Need to Know
Threat actors are actively exploiting Flowise CVE-2025-59528, a code injection → RCE issue in the CustomMCP node where user-supplied configuration can be evaluated as JavaScript, enabling access to sensitive Node.js capabilities like process execution and file system access; the fix is in version 3.0.6+ and exploitation activity has been observed, per the Flowise exploitation report and the additional technical context in the VulnCheck/Flowise details.
Why This Matters
“Low-code AI” platforms tend to be internet-facing and under-governed.
RCE on an agent server often equals immediate secret leakage (API keys, connectors, tokens).
Attackers love AI tooling because it’s new, fast-moving, and commonly misconfigured.
Executive Actions
🩹 Upgrade Flowise to a patched version and verify the deployed package/build is current.
🔐 Rotate any API keys/tokens stored or used on the Flowise host (assume exposure if exploited).
🌐 Restrict access (private networking, auth, allowlists) and lock down admin interfaces.
🧪 Add monitoring for unexpected outbound connections, abnormal workflow execution, and suspicious node configuration changes.
Risk Level: High
Business Impact: Attackers who can reach the Docker API may bypass authorization plugins and create privileged containers that can mount the host filesystem.
What You Need to Know
A high-severity Docker Engine issue, CVE-2026-34040, allows attackers to bypass AuthZ plugins in certain cases by sending an oversized/padded request whose body may not be forwarded to the plugin—potentially allowing a restricted actor to create a privileged container and access host files; Docker says it’s fixed in version 29.3.1, per the Docker AuthZ bypass advisory write-up.
Why This Matters
“Restricted Docker API access” isn’t safe if the enforcement layer can be bypassed.
Privileged containers can expose cloud creds, SSH keys, kubeconfigs, and production access paths.
This is a clean example of “control plane assumptions” failing under edge-case inputs.
Executive Actions
🧩 Upgrade Docker Engine to the fixed version and validate engine versions across fleet/server pools.
🔒 Limit Docker API reachability (socket permissions, network ACLs, allowlists, remove exposure).
🧱 Remove/limit privileged container usage and enforce guardrails at orchestration level.
🕵️ Monitor for abnormal container-creation behavior: privileged flags, host mounts, and API call bursts.
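The fail-closed check an authorization plugin should make against the Docker item above, written here as an added Python example and not Docker's or any real plugin's code: it works on the fields the daemon sends a plugin in an AuthZReq (RequestMethod, RequestURI and the base64-encoded RequestBody) and denies a container create whose body is missing, asks for Privileged, or mounts a host path. Function names and the sample requests are constructed for this example, and it assumes Linux-style absolute host paths.

```python
import base64
import json

CREATE_PATH = "/containers/create"  # the Engine API call whose body carries HostConfig

def encode_authz_req(method, uri, body=None, user="dev"):
    """Build a constructed AuthZReq the way the daemon POSTs it to a plugin:
    a forwarded request body arrives base64-encoded in RequestBody."""
    req = {"User": user, "RequestMethod": method, "RequestURI": uri}
    if body is not None:
        req["RequestBody"] = base64.b64encode(json.dumps(body).encode()).decode()
    return req

def host_path_binds(host_config):
    """Host paths the container would mount, from both Binds and bind-type Mounts."""
    found = [b for b in (host_config.get("Binds") or []) if b.startswith("/")]
    for mount in host_config.get("Mounts") or []:
        if isinstance(mount, dict) and mount.get("Type") == "bind":
            found.append(mount.get("Source", ""))
    return found

def authz_decision(req):
    """Return the plugin's {"Allow": ..., "Msg": ...} answer for one AuthZReq.
    Fails closed: a container create whose body never reached the plugin is
    denied rather than waved through, then the guardrails (no privileged
    containers, no host-path mounts) are applied to the decoded HostConfig."""
    method = req.get("RequestMethod", "")
    path = req.get("RequestURI", "").split("?", 1)[0]  # drop the ?name=... query
    # Engine API paths are normally versioned, e.g. /v1.45/containers/create
    if not (method == "POST" and path.endswith(CREATE_PATH)):
        return {"Allow": True}
    raw = req.get("RequestBody")
    if not raw:
        return {"Allow": False, "Msg": "container create without a request body is denied"}
    try:
        body = json.loads(base64.b64decode(raw))
    except ValueError:  # bad base64 (binascii.Error) and bad JSON both subclass ValueError
        return {"Allow": False, "Msg": "container create body is not valid JSON"}
    if not isinstance(body, dict):
        return {"Allow": False, "Msg": "container create body must be a JSON object"}
    host_config = body.get("HostConfig") or {}
    if not isinstance(host_config, dict):
        return {"Allow": False, "Msg": "HostConfig must be a JSON object"}
    if host_config.get("Privileged"):
        return {"Allow": False, "Msg": "privileged containers are not permitted"}
    mounts = host_path_binds(host_config)
    if mounts:
        return {"Allow": False, "Msg": "host-path mounts are not permitted: " + ", ".join(mounts)}
    return {"Allow": True}
```

The same decision function doubles as the monitoring hook from the last action item: every denied message names the privileged flag or host mount that triggered it.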
Leadership Insight:
This week’s lesson: your “helpers” are now your hazards…
Endpoint management, AI builders, container control planes, and package ecosystems.
Attackers aren’t trying to brute force the front door; they’re abusing the tools you trust to operate the business.
The winning posture is boring, disciplined, and effective:
Patch fast, restrict exposure, and reduce “one-to-many” control surfaces.
88% resolved. 22% loyal. Your stack has a problem.
Those numbers aren't a CX issue — they're a design issue. Gladly's 2026 Customer Expectations Report breaks down exactly where AI-powered service loses customers, and what the architecture of loyalty-driven CX actually looks like.
Risk Level: High
Business Impact: Unauthenticated file upload can lead to webshells, site takeover, credential harvesting, and downstream pivoting from compromised web infrastructure.
What You Need to Know
Attackers are exploiting CVE-2026-0740 in the Ninja Forms File Uploads add-on, where insufficient validation allows unauthenticated uploads of arbitrary files (including PHP) and potential path traversal into webroot—Wordfence reports blocking thousands of attempts, and the flaw impacts versions up to 3.3.26, per the active exploitation report and the Wordfence details referenced within that coverage.
Why This Matters
Web plugin ecosystems are high-scale targets: one flaw hits many sites quickly.
“File upload” bugs are a straight line to persistent webshell access.
Compromised sites often become staging points for phishing, redirects, and credential theft.
Executive Actions
🧯 Patch/upgrade the affected add-on immediately and validate the installed version everywhere it exists.
🔎 Hunt for indicators of compromise: unexpected PHP files, new admin users, unknown plugins/themes.
🧱 Add WAF rules and restrict upload directories; block execution in upload paths where feasible.
🔐 Rotate WordPress admin creds and review access logs if exploitation is suspected.
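A hunt for the first indicator in the list above (PHP dropped into the uploads tree), as an added Python example rather than anything from Wordfence or the plugin: it flags server-side code extensions, including double extensions like shell.php.jpg, and PHP open tags hiding inside files with a media extension. The sample tree and function names are constructed for this example; point hunt_uploads at wp-content/uploads for a real run.

```python
import os
import re
import tempfile

# Markers of server-side code in a tree that should hold only uploaded media.
# Constructed for this example; extend CODE_EXTENSIONS for your own stack.
PHP_OPEN_TAG = re.compile(rb"<\?php|<\?=", re.IGNORECASE)
CODE_EXTENSIONS = {"php", "phtml", "phar", "php5", "php7", "phps"}

def classify_upload(path):
    """Return a reason string if the file looks like server-side code, else None."""
    # Every extension segment counts, so shell.php.jpg is caught as well as x.php
    segments = os.path.basename(path).lower().split(".")[1:]
    if any(seg in CODE_EXTENSIONS for seg in segments):
        return "server-side code extension"
    try:
        with open(path, "rb") as fh:
            head = fh.read(65536)  # an open tag near the top is enough to flag
    except OSError:
        return None
    if PHP_OPEN_TAG.search(head):
        return "PHP open tag inside a non-PHP file"
    return None
def hunt_uploads(root):
    """Walk an uploads directory and return sorted (relative path, reason) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = classify_upload(full)
            if reason:
                findings.append((os.path.relpath(full, root).replace(os.sep, "/"), reason))
    return sorted(findings)
# Constructed sample tree: one benign upload and two files that an arbitrary
# file-upload bug typically leaves behind (no real webshell code is written).
SAMPLE_FILES = {
    "2026/04/photo.jpg": b"\xff\xd8\xff\xe0 JFIF bytes",
    "2026/04/shell.php.jpg": b"<?php /* constructed marker */ ?>",
    "2026/04/banner.png": b"\x89PNG\r\n\x1a\n<?php /* constructed marker */ ?>",
}
def hunt_sample_tree():
    """Write SAMPLE_FILES into a temporary directory, hunt it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return hunt_uploads(root)
```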
Risk Level: High
Business Impact: Malicious packages across multiple ecosystems can act as loaders/stealers, siphoning browser data, password manager creds, and developer secrets.
What You Need to Know
The North Korea-linked campaign known as “Contagious Interview” has expanded by publishing malicious packages across npm, PyPI, Go, Rust, and Packagist, designed to impersonate developer tooling while functioning as malware loaders that fetch second-stage payloads with infostealer/RAT capabilities; Socket attributed over 1,700 packages to the activity, and the code is often hidden in seemingly legitimate functions rather than install scripts, per the campaign report and the Socket analysis referenced in that coverage.
Why This Matters
Cross-ecosystem reach means it can slip into diverse build stacks and toolchains.
“Hidden in normal functions” defeats basic install-time scanning assumptions.
Dev compromise is enterprise compromise when tokens and keys are within reach.
Executive Actions
📦 Enforce dependency allow-lists and verified publishers for build pipelines (block unknown by default).
🔑 Rotate CI/CD tokens and developer secrets on any systems that pulled suspect packages.
🧱 Restrict CI runner egress and secrets exposure (only the job that needs it gets it).
🧠 Brief engineering: treat “tiny utility packages” as untrusted until verified and pinned.
Risk Level: High
Business Impact: Local privilege escalation can turn a foothold into SYSTEM-level control, enabling credential theft and full host compromise.
What You Need to Know
Exploit code for an unpatched Windows local privilege escalation dubbed “BlueHammer” was publicly released; analysis indicates it combines TOCTOU/path confusion to access the SAM database (local password hashes) and can be used to escalate to SYSTEM under the right conditions, per the BlueHammer exploit leak coverage and the technical validation referenced there.
Why This Matters
LPE becomes the “second stage” after phishing, malware, or stolen credentials.
Hash access enables rapid lateral movement via credential abuse.
Public exploit code compresses the time from “research” to “weaponized.”
Executive Actions
🛡️ Tighten local admin: remove standing admin rights and enforce least privilege broadly.
🔎 Watch for SAM access attempts, unusual service installs, and unexpected elevation behavior.
🧱 Increase hardening on endpoints: credential protection controls and attack-surface reduction rules.
🧯 Assume LPE chaining: if you have initial access indicators, expand scope to privilege escalation checks.
🩹 Patch and validate FortiClient EMS and Flowise first; confirm fixed versions are running
🔒 Remove unnecessary management-plane exposure (VPN/allowlists only, no public admin consoles)
📦 Enforce dependency controls (allowlists/pinning/verified publishers) and rotate CI secrets if exposed
🧩 Upgrade Docker Engine and audit for privileged container creation + host mount patterns
🧠 Assume exploit chaining: user foothold + BlueHammer-style LPE = fast SYSTEM compromise
💡 If your “trusted” platform can run code, fetch packages, or push policies… attackers will treat it like a remote admin tool.
… Because it is. 💡
J.W.
(P.S. Check out our partners! It goes a long way to support this newsletter!)
Are you tracking agent views on your docs?
AI agents already outnumber human visitors to your docs — now you can track them.