← Back to Blog
Security Briefing3 min read2026-04-18

Security Briefing, April 18 2026: ActiveMQ Exploitation, Windows Zero-Days, and LSASS Patch Fallout

Today’s security briefing tracks three concrete signals: CISA has flagged Apache ActiveMQ exploitation, Huntress is seeing leaked Windows privilege-escalation zero-days used in real intrusions, and Microsoft has confirmed LSASS crash loops on some patched domain controllers.


Top line: This morning is about defensive sequencing. One flaw is already being exploited, two Windows privilege-escalation paths still lack full fixes, and one official patch can destabilize domain controllers in some PAM environments. Security teams need separate queues for patch now, contain now, and pause rollout now.


1. ActiveMQ moved from patch queue to active exploitation

CISA added CVE-2026-34197 to the KEV catalog after active exploitation was confirmed. The bug affects Apache ActiveMQ Classic, stems from improper input validation, and allows authenticated remote code execution. Apache patched it in versions 6.2.3 and 5.19.4, but exposed brokers are still a soft target, with Shadowserver tracking more than 7,500 internet-facing systems.


2. Leaked Windows zero-days are now part of hands-on intrusions

Huntress reported seeing BlueHammer, RedSun, and UnDefend exploitation techniques in the wild. BlueHammer was patched in April, but RedSun and UnDefend still do not have full vendor fixes. The observed activity included a compromised SSL VPN user followed by interactive attacker behavior, which means these are no longer just researcher proofs of concept sitting on GitHub.


3. April’s server patching also carries an availability trap

Microsoft confirmed that KB5082063 can trigger LSASS crashes and reboot loops on some non-Global Catalog domain controllers in Privileged Access Management environments. That turns a routine security rollout into an identity outage risk. The issue matters because authentication instability can erase the operational gains of fast patching if rollout discipline is weak.


What security teams should do today

  1. Finish emergency ActiveMQ triage first, especially for exposed brokers and older Classic deployments.
  2. Hunt for BlueHammer, RedSun, and UnDefend artifacts anywhere recent VPN access or admin escalation looks suspicious.
  3. Validate whether any PAM domain controllers are in scope before expanding KB5082063 rollout.
  4. Send leadership one plain update that separates exploit pressure from patch-instability risk.

Bottom line: Mature defense today means moving at three speeds at once: patch the internet-facing broker, hunt the Windows foothold, and slow down any rollout that can take identity offline.

Separate emergency patching from dangerous patching

KENSAI helps security teams verify exposed systems, active exploit paths, and operational rollout risk before urgency turns into avoidable downtime.

Start Free Scan →

Stay sharp.

🗡️ KENSAI Security Team