Threat Brief | Patch or Pay: Zero-Days, Healthcare Under Fire, and the CVE System Getting Trimmed

Your weekly executive-level briefing on what happened in cybersecurity this week — and what it means for your business.

Microsoft Defender Zero-Days Are Being Exploited Right Now — Two Still Have No Fix

Three vulnerabilities in Microsoft Defender were publicly disclosed this week by a researcher who got tired of waiting for Microsoft to act. They go by the names BlueHammer, RedSun, and UnDefend. BlueHammer, tracked as CVE-2026-33825, was patched in this week's Patch Tuesday release; the other two have no fix as of writing (source: The Hacker News). All three are being actively exploited in the wild.

What this means for you: If your organization runs Windows endpoints (and it does), your antivirus software itself is the attack surface this week. Two of the three flaws are privilege escalation vulnerabilities: an attacker who already has code running as an ordinary user uses them to go from "I'm in" to "I own everything." The third blocks Defender from receiving definition updates, which is like cutting the phone lines before breaking in. Note what privilege escalation does and does not mean: these bugs do not get an attacker onto the machine in the first place, so your phishing and initial-access controls still matter, and the fewer people who can run arbitrary code on an endpoint, the less these flaws are worth to an attacker. Patch Tuesday updates are out; apply them now. For the two without patches, confirm that tamper protection and real-time protection are on, watch the Defender operational log for failed definition updates or protection being switched off, and limit local admin privileges wherever possible.
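The checks just described, as an added PowerShell example (this is not code from the original post or from Microsoft). It uses only built-in Defender and local-account cmdlets; the signature-age threshold and the 24-hour lookback window are assumptions, and the script reports rather than remediates.

```powershell
# Added example, not from the original post: a Defender health check for the situation
# described above. Built-in cmdlets only; the thresholds are assumptions, not Microsoft guidance.
$maxSignatureAgeDays = 2    # assumption: definitions older than this are suspicious
$lookbackHours       = 24   # assumption: how far back to look in the Defender log

$status   = Get-MpComputerStatus
$findings = New-Object System.Collections.Generic.List[string]

if (-not $status.AMServiceEnabled)          { $findings.Add('Defender service is not running') }
if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is OFF') }
if (-not $status.IsTamperProtected)         { $findings.Add('Tamper protection is OFF') }
if ($status.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    $findings.Add("Definitions are $($status.AntivirusSignatureAge) days old " +
                  "(last updated $($status.AntivirusSignatureLastUpdated))")
}

# Defender operational log. Event IDs: 2001 definition update failed, 2003 engine update
# failed, 5001 real-time protection disabled, 5010/5012 antispyware/antivirus disabled.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2001, 2003, 5001, 5010, 5012
    StartTime = (Get-Date).AddHours(-$lookbackHours)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $firstLine = ($e.Message -split "`r?`n")[0]
    $findings.Add("Event $($e.Id) at $($e.TimeCreated): $firstLine")
}

# Who can already run code as an administrator on this box? Fewer is better while
# two privilege escalation bugs have no patch.
$admins  = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$summary = if ($findings.Count) { $findings -join '; ' } else { 'none' }

[PSCustomObject]@{
    Computer          = $env:COMPUTERNAME
    EngineVersion     = $status.AMEngineVersion
    DefinitionVersion = $status.AntivirusSignatureVersion
    LocalAdmins       = $admins -join ', '
    Findings          = $summary
}
```

Run it from an elevated prompt on a few endpoints and compare the DefinitionVersion values: a machine whose definitions stop advancing while its neighbours keep updating is the symptom UnDefend produces, and event 2001 in the log is the corroborating signal.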

Why Your Built-In Antivirus Isn't Enough Anymore

The Defender zero-day story isn't just about three specific bugs — it's about a structural problem. Windows Defender is a native, Microsoft-managed tool. When Microsoft is the one that's late to patch its own security software, you're left exposed and waiting.

This is exactly where next-generation endpoint detection and response (EDR) platforms like SentinelOne outperform traditional antivirus. The difference comes down to how threats are detected:

  • Defender's built-in tier leans heavily on signature (definition) updates to recognize known malware. If the attack is new, or if an attacker deliberately blocks those updates (as UnDefend does), that signature layer is flying blind.

  • SentinelOne uses AI-driven behavioral analysis. It watches how processes behave, not just what they look like. An attacker escalating privileges or tampering with security tooling gets flagged based on the activity itself — no signature required.

When one of this week's zero-days (UnDefend) specifically targets Defender's ability to receive updates, running Defender as your only line of defense is a little like using a smoke detector that the burglar can unplug on the way in.

SentinelOne also provides autonomous threat response — it can isolate a compromised endpoint in seconds without waiting for a human to notice. That matters when the average dwell time for an attacker in an unmonitored environment is measured in weeks.

netMethods deploys and manages SentinelOne for clients across Orange County. If you're still relying on built-in Windows security, let's talk about a real endpoint protection upgrade →

April Patch Tuesday: 150+ Vulnerabilities, Including Critical Cisco and Apache ActiveMQ Flaws

A recently disclosed high-severity security flaw in Apache ActiveMQ Classic has come under active exploitation in the wild. CISA has added the vulnerability, tracked as CVE-2026-34197 (CVSS score: 8.8), to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply fixes by April 30, 2026 (source: The Hacker News).

Also patched: Cisco disclosed four critical vulnerabilities in its Identity Services Engine and Webex Services, including CVE-2026-20184 (CVSS 9.8), an SSO flaw that could allow an unauthenticated attacker to impersonate any user within Webex, and CVE-2026-20147 (CVSS 9.9), which allows remote code execution via crafted HTTP requests (source: The Hacker News).

What this means for you: If your organization uses Cisco ISE (common in enterprise and government networks) or Webex for communications, this is a drop-everything patch scenario. ActiveMQ is widely used in manufacturing and enterprise middleware, the flaw has been quietly exploitable for 13 years, and attackers know it. While you patch, also check whether any broker's OpenWire port (61616 by default) or web console (8161 by default) is reachable from networks that do not need it; an internet-facing broker is the one that gets found first.

Healthcare Gets Hit Every 10 Hours — and Keeps Paying Ransoms

Healthcare organizations are being hit by cyberattacks at an alarming rate, about every 10 hours, and attackers are succeeding using vulnerabilities that are already known and fixable, according to new research from Securin. Ransom payment rates range from 68% to 72%, making the sector one of the most reliable and profitable targets for cybercriminals (source: Galvnews).

What this means for you: Healthcare is the most reliably profitable industry for ransomware operators — and Orange County has a dense concentration of medical groups, specialty practices, and health systems. The playbook hasn't changed: attackers exploit known, unpatched vulnerabilities and bet that you'd rather pay than go dark. The answer is vulnerability management, not luck.

NIST Pumps the Brakes on CVE Enrichment

NIST announced it will only enrich CVEs that meet certain conditions, citing a 263% surge in vulnerability submissions between 2020 and 2025. CVEs that do not meet the criteria will still be listed in the NVD but will not be automatically enriched with CVSS scores, CPE product identifiers, or CWE classifications (source: The Hacker News). Priority goes to CISA KEV entries and software used in federal systems.

What this means for you: Your vulnerability scanner is going to return more "unknown severity" results, and tools that relied on NVD enrichment for scoring, or for mapping CVEs to installed products, may be less accurate. Two caveats: a CVE whose CNA supplies its own CVSS score (Microsoft and Cisco both do) keeps that score in the CVE record regardless of what NVD adds, so the gap is largest for CVEs from CNAs that do not score, and for the product (CPE) mapping scanners use to match CVEs to what you run. Lean on CISA's KEV catalog as your first-priority patch list: a KEV entry is evidence of real-world exploitation, which matters more than a score anyway. Then lean on your security partner to interpret the gaps.
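One way to act on that advice, as an added PowerShell example (not code from the original post, CISA or NIST): rank scanner findings by KEV membership and due date first, and only then by whatever severity the scanner managed to assign. The KEV feed URL is the real published one; the embedded catalog sample, the scanner findings, the host names and the two CVE-2099 placeholder entries are constructed for the example, and the fixed "today" date is an assumption so the offline run is reproducible.

```powershell
# Added example, not from the original post: rank scanner findings with the CISA KEV
# catalog so that "unknown severity" never hides an actively exploited bug.
# The feed URL is the real one; the offline sample and the scanner findings are constructed.
param([switch]$Live)   # -Live pulls the current catalog instead of the embedded sample

$kevUrl = 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json'

# Constructed sample in the KEV feed's JSON shape. The ActiveMQ entry mirrors the item
# above; CVE-2099-0001 is a placeholder, not a real vulnerability.
$sampleJson = @'
{
  "vulnerabilities": [
    { "cveID": "CVE-2026-34197", "vendorProject": "Apache", "product": "ActiveMQ Classic",
      "vulnerabilityName": "Apache ActiveMQ Classic vulnerability", "dueDate": "2026-04-30" },
    { "cveID": "CVE-2099-0001", "vendorProject": "Example", "product": "Placeholder",
      "vulnerabilityName": "Placeholder entry (constructed)", "dueDate": "2026-04-10" }
  ]
}
'@

$kev = if ($Live) { Invoke-RestMethod -Uri $kevUrl } else { $sampleJson | ConvertFrom-Json }

# Index the catalog by CVE so each lookup is a hashtable hit (the live feed is large).
$kevByCve = @{}
foreach ($v in $kev.vulnerabilities) { $kevByCve[$v.cveID] = $v }

# Constructed scanner output: the ActiveMQ finding arrives with no severity at all,
# exactly the situation the NIST change will make more common.
$scannerFindings = @(
    [PSCustomObject]@{ Host = 'mq-prod-01'; CVE = 'CVE-2026-34197'; Severity = 'unknown'  }
    [PSCustomObject]@{ Host = 'ws-0042';    CVE = 'CVE-2099-0001';  Severity = 'medium'   }
    [PSCustomObject]@{ Host = 'ise-01';     CVE = 'CVE-2026-20147'; Severity = 'critical' }
    [PSCustomObject]@{ Host = 'ws-0042';    CVE = 'CVE-2099-0002';  Severity = 'unknown'  }
)

$today = [datetime]'2026-04-20'   # assumption: fixed "today" so the sample is reproducible

$report = foreach ($f in $scannerFindings) {
    $entry = $kevByCve[$f.CVE]
    $due   = if ($entry) { [datetime]$entry.dueDate } else { $null }

    # KEV membership beats any score: P0 overdue, P1 KEV with a future due date,
    # P2 critical per the scanner, P3 everything else (including "unknown").
    if     ($entry -and $due -lt $today) { $priority = 'P0 KEV overdue' }
    elseif ($entry)                      { $priority = 'P1 KEV' }
    elseif ($f.Severity -eq 'critical')  { $priority = 'P2 critical' }
    else                                 { $priority = 'P3 review' }

    $kevDue = if ($due) { $due.ToString('yyyy-MM-dd') } else { '' }

    [PSCustomObject]@{
        Priority = $priority
        Host     = $f.Host
        CVE      = $f.CVE
        Scanner  = $f.Severity
        KevDue   = $kevDue
    }
}

$report | Sort-Object Priority, KevDue | Format-Table -AutoSize
```

With the embedded sample, the ActiveMQ finding lands at P1 despite the scanner's "unknown" severity, and the overdue placeholder lands at P0 above a finding the scanner rated critical. Run with -Live against the real catalog once you have replaced $scannerFindings with an export from your own scanner.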

Ready to take vulnerability management off your plate? netMethods provides continuous vulnerability assessment, patch advisory, and remediation support tailored for Orange County businesses. Learn more about our Cybersecurity Risk Assessments →

— netMethods Security Team | Lake Forest, CA
