The cybersecurity week of April 28, 2026 was defined by active Windows exploitation, AI-powered attack escalation, and a surge in data breaches tied to cloud credential compromise. Senthorus’s Cybersecurity Week in Review covers all the significant incidents, vulnerability disclosures, and threat intelligence from April 21–28. Here is your complete briefing.
Most Critical: Windows Shell Active Exploitation Confirmed
The week’s top priority: Microsoft confirmed that CVE-2026-32202, a Windows Shell spoofing vulnerability patched in April’s Patch Tuesday, was actively exploited in the wild before the patch was released. CISA added it to the Known Exploited Vulnerabilities catalog on April 28 with a mandatory federal remediation deadline. Organizations should treat this as an emergency patch — the vulnerability is remotely exploitable and requires no authentication.
Data Breaches: ADT, Amtrak, Vercel, Crypto Platform
April 2026 produced 15+ significant data breach disclosures tracked by SharkStriker. The week’s notable incidents: ADT lost 5.5 million customer records to the ShinyHunters extortion group. Amtrak disclosed a CRM breach exposing 2.1–9.4 million customer records. Vercel’s breach, triggered by a compromised third-party AI tool, exposed customer accounts and internal systems. And an unnamed cryptocurrency trading platform suffered $280 million in user asset losses from a targeted attack.
AI-Powered Threats: Cloudflare Documents the Shift
The Cloudflare 2026 Threat Report documented this week that AI is now automating attacker operations at scale: real-time network mapping, automated exploit development, and deepfake creation for social engineering are all being deployed by threat actors using the same foundation models that defenders are using for detection. The asymmetry is stark — attackers adopt new AI capabilities faster than enterprise security teams, which are constrained by procurement cycles, compliance requirements, and skill gaps.
Threat Intelligence: Iranian Cyber Operations Resuming
With Iran restoring internet access following its 47-day blackout, Palo Alto Networks Unit 42 and other threat intelligence providers are warning of an imminent resumption of Iranian state-sponsored cyber operations. Priority targets, based on historical patterns: U.S. financial institutions, energy infrastructure, and defense contractors. The Iranian threat actor CL-STA-1128 (Cyber Av3ngers) has demonstrated the capability to target industrial control systems — OT security teams should ensure network segmentation is intact and ICS-specific monitoring is active.
Google Classified Agreement with DoD: AI in Defense
Google signed a classified agreement with the U.S. Department of Defense this week to deploy AI technologies in sensitive military contexts. The disclosure adds to the ongoing debate about the appropriate role of commercial AI in defense and intelligence operations. The agreement follows Microsoft’s Azure Government and AWS GovCloud expansions and suggests that cloud providers are competing aggressively for classified government AI contracts — a market worth an estimated $10 billion annually by 2027.
Patch Priority List for the Week
Security teams should prioritize in this order:
(1) CVE-2026-32202 Windows Shell spoofing — confirmed active exploitation.
(2) Microsoft Entra ID Agent ID Administrator role — audit and restrict assignments immediately.
(3) CISA’s SB26-117 bulletin covering 47 vulnerabilities from the week of April 20 — triage by CVSS score and asset exposure.
(4) Any Rockwell Automation ICS equipment — review segmentation against CL-STA-1128 targeting patterns.
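The ordering above (confirmed exploitation first, then CVSS, then asset exposure) can be applied mechanically to a vulnerability scan by cross-referencing it with the CISA KEV feed. The script below is an added example, not Senthorus or CISA code; the KEV excerpt mirrors the public feed's field names but contains only the page's one entry, and the findings, CVSS values and exposure labels are constructed samples (the briefing gives no score for CVE-2026-32202).

```python
"""Patch-priority triage: KEV membership first, then CVSS score, then exposure."""
import json

# Constructed excerpt in the shape of the CISA KEV JSON feed (only fields used here).
# The single entry reflects the April 28 KEV addition described in the briefing.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-32202", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2026-04-28"},
]})

# Constructed scan findings. CVSS values and placeholder CVE IDs are invented for
# illustration; the 7.5 for CVE-2026-32202 is a constructed value, not a published score.
FINDINGS_SAMPLE = [
    {"cve": "CVE-2026-32202", "cvss": 7.5, "exposure": "internet", "asset": "host-a"},
    {"cve": "CVE-XXXX-PLACEHOLDER-1", "cvss": 9.8, "exposure": "internal", "asset": "host-b"},
    {"cve": "CVE-XXXX-PLACEHOLDER-2", "cvss": 8.1, "exposure": "internet", "asset": "host-c"},
    {"cve": "CVE-XXXX-PLACEHOLDER-3", "cvss": 8.1, "exposure": "internal", "asset": "host-d"},
]

# Higher weight means more reachable by an attacker; unknown labels count as internal.
EXPOSURE_WEIGHT = {"internet": 2, "partner": 1, "internal": 0}


def load_kev_ids(kev_json: str) -> set:
    """Return the set of CVE IDs listed in a KEV catalog JSON document."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}


def triage(findings: list, kev_ids: set) -> list:
    """Sort findings so that actively exploited CVEs (in KEV) come first regardless
    of CVSS, then by CVSS descending, then by exposure weight descending."""
    def key(f):
        return (f["cve"] in kev_ids, f["cvss"], EXPOSURE_WEIGHT.get(f["exposure"], 0))
    return sorted(findings, key=key, reverse=True)


def priority_order(findings=FINDINGS_SAMPLE, kev_json=KEV_SAMPLE) -> list:
    """Return CVE IDs in the order they should be patched."""
    return [f["cve"] for f in triage(findings, load_kev_ids(kev_json))]


if __name__ == "__main__":
    for rank, cve in enumerate(priority_order(), start=1):
        print(rank, cve)
```

Note that the KEV entry outranks a CVSS 9.8 finding, which is exactly the inversion the briefing's list makes: exploitation evidence beats raw severity.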