2026-04-24

The Ransomware Tripwire You May Already Have Missed

The Plumb Line

24 hours ending 2026-04-24T12:00:00 UTC

Two critical vulnerabilities in Microsoft infrastructure — one in Bing, one in Entra ID — both scored CVSS 10.0, the maximum possible. On the same day, CISA added four more entries to its Known Exploited Vulnerabilities catalog, including two SimpleHelp flaws already linked to active ransomware campaigns. And Flowise, the no-code AI workflow builder, shipped at least five separate critical patches in a single version bump to 3.1.0, ranging from authentication bypass to unauthenticated remote code execution. This was not a quiet Thursday for anyone running enterprise software.

The Microsoft pair is the sharpest edge. The Bing deserialization flaw (CVE-2026-33819) allows an unauthenticated attacker to execute arbitrary code over the network — no user interaction required, no foothold needed. The Entra ID SSRF (CVE-2026-35431) lets an attacker perform network-side spoofing against Microsoft's identity management layer, which sits upstream of countless corporate access control decisions. Both are remotely exploitable without credentials. At CVSS 10.0, the gap between publication and weaponization is measured in hours, not weeks.

The Flowise cluster is a different problem. Five critical flaws patched simultaneously in a tool explicitly designed to wire together large language models and production data suggest the codebase was built fast and audited late. CVE-2026-41276 is an authentication bypass; CVE-2026-41268 is unauthenticated RCE via a parameter injection; CVE-2026-41264 and CVE-2026-41265 both stem from a lack of sandboxing in agent execution. If your organization stood up an AI workflow environment on Flowise before version 3.1.0, assume it was exposed.


The Ransomware Tripwire You May Already Have Missed

CISA's four new KEV additions landed at midnight UTC on April 24, all with a May 8 remediation deadline — two weeks out. The two that carry the RANSOMWARE flag are SimpleHelp CVE-2024-57728 (path traversal) and CVE-2024-57726 (missing authorization). SimpleHelp is a remote support and access tool deployed heavily in managed service provider environments. MSPs are the preferred ransomware entry point precisely because compromising one unlocks dozens of downstream clients simultaneously. CISA's KEV designation means federal civilian agencies must patch by May 8; private operators have no legal obligation, but a KEV entry is CISA's plainest signal that the vulnerability is being exploited in the wild right now.

The other two additions are a D-Link DIR-823X command injection (CVE-2025-29635) and a Samsung MagicINFO 9 Server path traversal (CVE-2024-7399). D-Link consumer routers sitting on small-business and home-office networks are a persistent soft underbelly; Samsung's MagicINFO platform manages commercial display networks, a less obvious but real attack surface for any organization running digital signage on the same network as operational systems.

CVSS 10.0
Two separate Microsoft vulnerabilities — Bing and Entra ID — both scored at the absolute ceiling, published on the same day.

Robots, Rockets, and the Infrastructure of Control

China launched four SatNet test satellites from Xichang Satellite Launch Center at 06:35 UTC on a Long March 2D, successfully placed in low Earth orbit. SatNet is China's sovereign broadband constellation project, the functional counterpart to Starlink. Four test birds in one shot is routine at this stage of a constellation buildout, but the cadence matters: each successful test compresses the timeline toward operational density.

The day's sanctions picture was broad and granular in equal measure. The EU-linked consolidated list processed through OpenSanctions showed updates across Russia, Belarus, Myanmar, Iran, North Korea, and Gaza-adjacent entities simultaneously. Entries of note include Russia's 841st Separate Electronic Warfare Center of the Baltic Fleet — a military unit designated under EU sanctions — and the Nizhny Novgorod Sokol Aircraft Plant, flagged for both sanctions and export control. Iran's Directorate for Internal Security of the Ministry for Intelligence and Security received fresh designation markers. Myanmar's Office of the Quarter Master General was updated with corporate disqualification tags alongside existing sanctions.

Korea United Development Bank, a North Korean entity, was refreshed across Belgian, U.S. OFAC, and Monaco fund-freeze datasets simultaneously — a multi-jurisdiction synchronization that typically signals coordinated enforcement action rather than routine database maintenance.


The Ground Is Moving Under Greece

The most seismically notable event in the window was an M5.7 strike 9 km east of Kentrí, Greece at 03:18 UTC, depth 16 km — shallow enough to be felt sharply at the surface. USGS rated it green alert, no tsunami. But it was followed within six hours by an M5.1 near Sitia, Greece (08:58 UTC) and an M4.7 near Kentrí again (09:26 UTC), suggesting an ongoing aftershock sequence or broader activation of the same fault system. The Kermadec Islands zone also ran a cluster of four events between M4.6 and M5.4 across the window, all at shallow depth, all no-tsunami. No USGS alert above green was issued for any event in the window.


The Closing Detail

LeRobot, HuggingFace's open-source robotics framework, made the CVE list today. CVE-2026-25874 documents that LeRobot through version 0.5.1 uses `pickle.loads()` to deserialize data received over unauthenticated gRPC channels with no TLS, in both the policy server and the robot client. In plain terms: if your robot is on a network an attacker can reach, they can execute arbitrary code on it. That's not a metaphor. The robots are on networks.
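Why `pickle.loads()` on network bytes amounts to code execution, and what a data-only receiver looks like, shown as an added example that is not LeRobot's code. The names `risky_opcodes`, `DataOnlyUnpickler`, `safe_loads` and `Marker`, and the message fields, are hypothetical; the crafted message is constructed and only calls the harmless built-in `sorted`.

```python
import io
import pickle
import pickletools

# Opcodes that import a global or invoke a callable while unpickling.
RISKY_OPS = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
             "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}


def risky_opcodes(data):
    """Statically list import/call opcodes without executing the stream."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in RISKY_OPS]


class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only plain containers and scalars load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data):
    return DataOnlyUnpickler(io.BytesIO(data)).load()


class Marker:
    """Constructed stand-in for a hostile message: unpickling calls sorted()."""

    def __reduce__(self):
        return (sorted, ([3, 1, 2],))


def demo():
    # Both byte strings are constructed sample inputs (hypothetical fields).
    benign = pickle.dumps({"joint_positions": [0.1, 0.2], "step": 7})
    crafted = pickle.dumps(Marker())
    results = {
        "benign_ops": risky_opcodes(benign),
        "crafted_ops": risky_opcodes(crafted),
        "benign_loaded": safe_loads(benign),
        # Plain pickle.loads runs whatever callable the sender named.
        "unsafe_result": pickle.loads(crafted),
    }
    try:
        safe_loads(crafted)
        results["blocked"] = False
    except pickle.UnpicklingError:
        results["blocked"] = True
    return results
```

A refusing unpickler narrows the wire format to plain data; it does not replace authenticating and encrypting the gRPC channel.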


What We Can't Tell You

1. Whether the Microsoft CVSS 10.0 vulnerabilities are already being exploited — NVD publication confirms the flaw; CISA KEV addition would confirm active exploitation, and neither CVE appears there yet.

2. Which specific entities prompted the synchronized multi-jurisdiction sanctions refresh — OpenSanctions shows the dataset update timestamps but not the triggering intelligence or diplomatic action behind the coordination.

3. SatNet's operational timeline — the launch record confirms a successful test deployment; it does not disclose the total constellation architecture or projected service date.


By the Numbers

| Metric | Value | Context |
|---|---|---|
| CVSS 10.0 vulnerabilities published | 2 | Microsoft Bing (RCE) and Entra ID (SSRF) — both unauthenticated, remote |
| Total critical CVEs (≥9.8) published | 30 | All in a single 24-hour window |
| CISA KEV additions | 4 | All with May 8 deadline; 2 flagged RANSOMWARE |
| Flowise critical patches in one release | 5 | Auth bypass, RCE, code injection, sandbox escape |
| Significant earthquakes (M4.4+) | 25 | Spread across Greece, Japan, Kamchatka, Kermadec, Indonesia |
| M5.7 Kentrí, Greece — depth | 16 km | Shallow focal depth amplifies surface shaking |
| China Long March 2D launch | 4 SatNet test satellites | LEO, Xichang; launch successful |
| OpenSanctions entity updates | 25 | Spanning Russia, Belarus, Myanmar, Iran, DPRK, Gaza entities |

Today's wire carried a CVSS 10.0 pair from Microsoft, five simultaneous critical patches in the AI tooling stack, four new exploited-vulnerability mandates from CISA — two of them carrying the ransomware flag — a Chinese constellation test launch, and a seismic cluster under the Greek Aegean. The truth score on everything you just read is 1.0 — every claim traces back to a primary record on disk. If you run Flowise, SimpleHelp, or Entra ID, your patch queue has a May 8 deadline whether you've opened it or not.

— *The Plumb Line*. Sourced from 85 grounded events across 27 source databases.

Sources

Vulnerabilities & Cyber

  • nvd_cve/CVE-2026-33819 — Microsoft Bing deserialization RCE, CVSS 10.0
  • nvd_cve/CVE-2026-35431 — Microsoft Entra ID SSRF, CVSS 10.0
  • nvd_cve/CVE-2026-41276 — Flowise authentication bypass, CVSS 9.8
  • nvd_cve/CVE-2026-41268 — Flowise unauthenticated RCE, CVSS 9.8
  • nvd_cve/CVE-2026-41264 — Flowise CSV_Agents sandbox escape, CVSS 9.8
  • nvd_cve/CVE-2026-41265 — Flowise Airtable_Agents sandbox escape, CVSS 9.8
  • nvd_cve/CVE-2026-41274 — Flowise GraphCypherQAChain injection, CVSS 9.8
  • nvd_cve/CVE-2026-25874 — LeRobot pickle deserialization over unauthenticated gRPC, CVSS 9.8
  • nvd_cve/CVE-2026-26210 — KTransformers unsafe deserialization, CVSS 9.8
  • nvd_cve/CVE-2026-31533 — Linux kernel net/tls use-after-free, CVSS 9.8
  • nvd_cve/CVE-2026-33076 — Roxy-WI RCE via path traversal, CVSS 9.8
  • nvd_cve/CVE-2026-33078 — Roxy-WI SQL injection, CVSS 9.8
  • nvd_cve/CVE-2026-1949 — Delta Electronics AS320T buffer size miscalculation, CVSS 9.8
  • nvd_cve/CVE-2026-1950 — Delta Electronics AS320T buffer length unchecked, CVSS 9.8
  • nvd_cve/CVE-2026-1951 — Delta Electronics AS320T directory name buffer, CVSS 9.8
  • nvd_cve/CVE-2026-1952 — Delta Electronics AS320T denial of service, CVSS 9.8
  • nvd_cve/CVE-2026-25775 — SenseLive X3050 unauthenticated firmware update, CVSS 9.8
  • nvd_cve/CVE-2026-40620 — SenseLive X3050 unauthenticated admin control, CVSS 9.8
  • nvd_cve/CVE-2026-40630 — SenseLive X3050 improper access control, CVSS 9.8
  • nvd_cve/CVE-2026-35503 — SenseLive X3050 client-side authentication bypass, CVSS 9.8
  • nvd_cve/CVE-2026-6942 — radare2-mcp OS command injection, CVSS 9.8
  • nvd_cve/CVE-2026-39087 — ntfy SSRF via unanchored regex, CVSS 9.8
  • nvd_cve/CVE-2026-41247 — elFinder command injection in resize, CVSS 9.8
  • nvd_cve/CVE-2026-31175 — ToToLink A3300R RCE stunEnable, CVSS 9.8
  • nvd_cve/CVE-2026-31177 — ToToLink A3300R RCE stunMinAlive, CVSS 9.8
  • nvd_cve/CVE-2026-31178 — ToToLink A3300R RCE stunMaxAlive, CVSS 9.8
  • nvd_cve/CVE-2026-31181 — ToToLink A3300R RCE stunServerAddr, CVSS 9.8
  • nvd_cve/CVE-2026-39440 — FunnelFormsPro remote code inclusion, CVSS 9.9
  • nvd_cve/CVE-2026-40472 — hackage-server stored XSS via .cabal metadata, CVSS 9.9
  • nvd_cve/CVE-2026-40470 — hackage-server XSS via raw HTML/JS serving, CVSS 9.9

CISA Known Exploited Vulnerabilities

  • cisa_kev/CVE-2024-57728 — SimpleHelp path traversal, RANSOMWARE, due 2026-05-08
  • cisa_kev/CVE-2024-57726 — SimpleHelp missing authorization, RANSOMWARE, due 2026-05-08
  • cisa_kev/CVE-2025-29635 — D-Link DIR-823X command injection, due 2026-05-08
  • cisa_kev/CVE-2024-7399 — Samsung MagicINFO 9 Server path traversal, due 2026-05-08

Space & Launch

  • launch_library/214b4db1-7112-4428-a999-29d2765c8306 — Long March 2D / 4x SatNet test satellites, Xichang, successful

Seismic

  • usgs_earthquakes/us6000sshc — M5.7 Kentrí, Greece
  • usgs_earthquakes/us6000ssij — M5.1 Sitia, Greece
  • usgs_earthquakes/us6000ssiq — M4.7 Kentrí, Greece (aftershock)
  • usgs_earthquakes/us6000ssiy — M5.4 Petropavlovsk-Kamchatsky, Russia
  • usgs_earthquakes/us6000ssgv — M5.4 south of Kermadec Islands
  • usgs_earthquakes/us6000ssci — M4.8 south of Kermadec Islands
  • usgs_earthquakes/us7000shah — M4.7 south of Kermadec Islands
  • usgs_earthquakes/us6000sszx — M4.6 south of Kermadec Islands

Sanctions

  • opensanctions/NK-4R9xdDotjgvec9URYfiFBB — Russia 841st Separate Electronic Warfare Center, Baltic Fleet
  • opensanctions/NK-2tFgmTGyWsoyda2acUdv6m — Nizhny Novgorod Sokol Aircraft Plant, export control + sanction
  • opensanctions/NK-2Qo8ydZ5zPR5Se5GidfVsG — Korea United Development Bank, DPRK, multi-jurisdiction
  • opensanctions/NK-3agRKCAwBXajmTVVqSTpH4 — Iran MOIS Directorate for Internal Security
  • opensanctions/NK-3e8BuefPG7RBPN3J6xkGSx — Myanmar Office of the Quarter Master General
  • opensanctions/NK-26AoxGCbHCgUqfhejBQepF — Onsong County MSS Detention Centre, North Korea
  • opensanctions/NK-3UJjcv2HXY3c9eEKJ8EX6j — Russia Main Radio Frequency Centre