Executive Summary
April 2026’s Patch Tuesday has introduced a critical wave of security updates from leading vendors including SAP, Adobe, Microsoft, and Fortinet. This month’s coordinated patch release addresses multiple high-severity vulnerabilities, several of which are already being actively exploited in the wild. The vulnerabilities span a range of attack vectors, including SQL injection, remote code execution, authentication bypass, and sensitive data exposure. Organizations leveraging these platforms are at heightened risk of data exfiltration, business disruption, and lateral movement by advanced persistent threat (APT) actors and cybercriminal groups. This advisory provides a comprehensive technical breakdown of the vulnerabilities, exploitation evidence, threat actor activity, affected product versions, and actionable mitigation guidance.
Technical Information
The April Patch Tuesday advisories encompass a diverse set of vulnerabilities across enterprise-critical platforms. The most severe issues include:
SAP Business Planning and Consolidation and SAP Business Warehouse are affected by CVE-2026-27681, a critical SQL injection vulnerability with a CVSS score of 9.9. The flaw resides in an ABAP program that allows low-privileged users to upload files containing arbitrary SQL statements. These statements are executed by the system, enabling attackers to manipulate, exfiltrate, or destroy sensitive business data. The attack vector is particularly dangerous due to the potential for stealthy data theft and business process manipulation. While no public proof-of-concept (PoC) exploit has been released, the vulnerability’s ease of exploitation and criticality make it a prime target for both APT and financially motivated actors. The vulnerability aligns with MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1565 (Data Manipulation).
Adobe Acrobat Reader is impacted by CVE-2026-34621, a remote code execution (RCE) vulnerability with a CVSS score of 8.6. Attackers craft malicious PDF files that, when opened in vulnerable versions of Acrobat Reader, trigger arbitrary code execution on the victim’s system. This vector is commonly used for initial access, malware delivery, and privilege escalation. The vulnerability is under confirmed active exploitation in the wild, as confirmed by Adobe and independent security researchers. MITRE ATT&CK techniques T1204 (User Execution) and T1059 (Command and Scripting Interpreter) are relevant here.
Adobe ColdFusion (versions 2023 and 2025) received patches for multiple critical vulnerabilities, including CVE-2026-34619 (path traversal, security feature bypass), CVE-2026-27304 (improper input validation, arbitrary code execution, CVSS 9.3), CVE-2026-27305 (path traversal, arbitrary file system read), CVE-2026-27282 (improper input validation, security feature bypass), and CVE-2026-27306 (improper input validation, arbitrary code execution). These vulnerabilities allow attackers to execute arbitrary code, bypass security controls, read sensitive files, and potentially cause denial-of-service conditions. The attack surface is significant for organizations exposing ColdFusion to the internet, and exploitation could result in full system compromise.
Fortinet FortiSandbox is affected by two critical vulnerabilities: CVE-2026-39813 (path traversal in JRPC API, authentication bypass, CVSS 9.1) and CVE-2026-39808 (OS command injection, unauthenticated code execution, CVSS 9.1). Attackers can send specially crafted HTTP requests to bypass authentication or execute arbitrary system commands. These flaws enable remote attackers to gain unauthorized access, escalate privileges, and move laterally within the network. The vulnerabilities are present in all versions prior to 4.4.9 and 5.0.6 for the JRPC API issue, and prior to 4.4.9 for the OS command injection.
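The ColdFusion arbitrary file read (CVE-2026-27305) and the FortiSandbox JRPC API flaw (CVE-2026-39813) both belong to the path traversal class, where a user-supplied path is joined to a base directory without being confined to it. The Python check below is an added illustration of the containment test such an endpoint needs; it is not code from Adobe, Fortinet, or this advisory, and the base directory and request strings are constructed for the example. It decodes percent-encoding repeatedly (so double-encoded dots are not missed), normalises backslashes, rejects NUL bytes, and only then compares the fully resolved path against the base.

```python
"""Path containment check for a file-serving endpoint (added example, not vendor code)."""
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def decode_path(requested: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded '..' is not missed."""
    decoded = requested
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Treat backslashes as separators too; a Windows host would otherwise honour '..\'
    return decoded.replace("\\", "/")


def resolve_within(base_dir: str, requested: str) -> Optional[Path]:
    """Return the absolute path for `requested` if it stays under base_dir, else None.

    The request is decoded, joined to the base directory and fully resolved
    (symlinks and '..' collapsed) before the containment test, so the check
    operates on where the path actually lands rather than on its spelling.
    """
    decoded = decode_path(requested)
    if "\x00" in decoded:  # NUL bytes truncate paths in many native file APIs
        return None
    base = Path(base_dir).resolve()
    candidate = (base / decoded.lstrip("/")).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError if candidate escaped base
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: the first is legitimate, the rest attempt to escape the base
    for req in ("reports/q2.pdf", "../../etc/passwd",
                "%252e%252e/%252e%252e/etc/passwd", "..\\..\\win.ini"):
        print(f"{req!r:42} -> {resolve_within('/srv/app/files', req)}")
```

The important design choice is that the decision is made on the resolved path, not on the presence of a `../` substring: string blacklists miss encoding variants, while `relative_to` on the resolved path catches every spelling that lands outside the base.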
Microsoft SharePoint Server is vulnerable to CVE-2026-32201, a medium-severity (CVSS 6.5) spoofing and sensitive data exposure flaw. This vulnerability allows attackers to view sensitive internal documents and data, which can be leveraged for double-extortion ransomware attacks or further lateral movement. The flaw is under active exploitation, and organizations running unpatched SharePoint servers are at immediate risk.
Across these platforms, the vulnerabilities enable a range of attack scenarios, including unauthorized data access, privilege escalation, lateral movement, and business process manipulation. The technical complexity of exploitation varies, but several flaws (notably in Adobe Acrobat Reader and Microsoft SharePoint Server) are already being leveraged in real-world attacks.
Exploitation in the Wild
Active exploitation has been confirmed for CVE-2026-34621 in Adobe Acrobat Reader and CVE-2026-32201 in Microsoft SharePoint Server. In both cases, attackers are leveraging these vulnerabilities to gain initial access, execute arbitrary code, and exfiltrate sensitive data. The exploitation of Adobe Acrobat Reader is particularly concerning due to the ubiquity of the product and the ease with which malicious PDFs can be distributed via phishing campaigns and drive-by downloads.
For SAP, Fortinet, and Adobe ColdFusion, there are currently no public reports of exploitation in the wild. However, the criticality of these vulnerabilities, combined with the historical interest of APT and ransomware groups in these platforms, significantly elevates the risk of imminent exploitation. Security researchers and vendors have emphasized the urgency of patching, as these vulnerabilities are likely to be weaponized in the near future.
APT Groups Using These Vulnerabilities
While there is no direct attribution for these specific CVEs as of this writing, historical patterns indicate that similar vulnerabilities have been exploited by a range of sophisticated threat actors:
SAP vulnerabilities have previously been targeted by APT10 (China-based, targeting global enterprises) and FIN7 (financially motivated, global reach). These groups have leveraged SAP flaws for data theft and business process manipulation.
Adobe Acrobat Reader zero-days have been exploited by APT28 (Russia-based, targeting government, defense, and critical infrastructure in Europe and the US) and TA505 (financial and retail sectors, global). These actors use malicious documents for initial access and malware delivery.
Adobe ColdFusion vulnerabilities have been targeted by APT41 (China-based, dual espionage and financially motivated) and other cybercriminal groups, often for web shell deployment and lateral movement.
Fortinet vulnerabilities have been exploited by APT29 (Cozy Bear, Russia-based, targeting government and critical infrastructure in the US and Europe) and ransomware groups for persistence and lateral movement.
Microsoft SharePoint flaws have been leveraged by APT34 (Iran-based, targeting Middle East, energy, and government sectors) and ransomware operators for initial access and data exfiltration.
Given the criticality and attack surface of these vulnerabilities, it is highly likely that multiple APT and cybercriminal groups are actively developing or deploying exploits.
Affected Product Versions
The following product versions are confirmed to be affected:
SAP Business Planning and Consolidation and SAP Business Warehouse: All supported versions as of April 2026 are vulnerable to CVE-2026-27681.
Adobe Acrobat Reader: All supported versions prior to the April 2026 security update are affected by CVE-2026-34621. This includes Acrobat Reader DC, Acrobat Reader 2020, and Acrobat Reader 2017.
Adobe ColdFusion: Versions 2023 and 2025, all builds prior to the April 2026 patches, are affected by CVE-2026-34619, CVE-2026-27304, CVE-2026-27305, CVE-2026-27282, and CVE-2026-27306.
Fortinet FortiSandbox: All versions prior to 4.4.9 and 5.0.6 are vulnerable to the JRPC API path traversal (CVE-2026-39813), and all versions prior to 4.4.9 are vulnerable to the OS command injection (CVE-2026-39808).
Microsoft SharePoint Server: All supported versions prior to the April 2026 security update are affected by CVE-2026-32201, including SharePoint Server 2016, 2019, and Subscription Edition.
Workaround and Mitigation
Immediate patching is the most effective mitigation strategy for all affected products. Organizations should prioritize the following actions:
For SAP, apply the latest security patches without delay and monitor for unauthorized file uploads and anomalous SQL activity. Implement strict access controls on upload functionalities and review audit logs for suspicious behavior.
For Adobe Acrobat Reader and Adobe ColdFusion, update to the latest versions as provided in the April 2026 security bulletins. Block suspicious PDF files at the email gateway and educate users on the risks of opening unsolicited attachments. For ColdFusion, restrict external access to administrative interfaces and monitor for unexpected code execution or file system access.
For Fortinet FortiSandbox, upgrade to versions 4.4.9 or 5.0.6 as appropriate. Monitor for unauthorized API calls, unexpected system commands, and new user creation events. Restrict network access to management interfaces and enforce strong authentication.
For Microsoft SharePoint Server, apply the April 2026 security update immediately. Audit document access logs, monitor for lateral movement originating from SharePoint servers, and implement network segmentation to limit the blast radius of a potential compromise.
In addition to patching, organizations should monitor for indicators of compromise (IOCs) associated with these vulnerabilities. For SAP, look for unusual SQL queries and unauthorized file uploads. For Adobe Acrobat Reader, monitor for malicious PDF hashes and suspicious process launches. For ColdFusion, watch for unexpected code execution and file reads. For FortiSandbox, track unauthenticated API calls and system command execution. For SharePoint, review unauthorized document access and weaponized uploads.
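The monitoring guidance above (unauthorized file uploads and anomalous SQL activity for SAP; unauthenticated API calls and traversal attempts for FortiSandbox) can be turned into concrete triage logic. The Python script below is an added example, not code from the advisory or any of the vendors named, and runs two of those checks over constructed sample data: it inspects upload contents for SQL statements, and it parses web access-log lines for requests to a hypothetical API prefix (`/jrpc` is assumed) that decode to a path traversal or that succeed without an authenticated user. The log format, the prefix, the user names, IP addresses and all records are constructed; the keyword list is a starting heuristic to tune against real traffic.

```python
"""Log triage for the monitoring guidance above (added example with constructed data)."""
import re
from urllib.parse import unquote

# Constructed sample upload records: (user, filename, uploaded file contents)
SAMPLE_UPLOADS = [
    ("planner01", "forecast_q2.csv", "region,amount\nEMEA,1200\nAPAC,900\n"),
    ("planner02", "adjust.txt",
     "UPDATE budget SET amount = 0 WHERE region = 'EMEA'; DELETE FROM audit_log;"),
]

# Constructed sample access-log lines (combined log format; /jrpc prefix is hypothetical)
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - admin [14/Apr/2026:10:01:02 +0000] "POST /jrpc HTTP/1.1" 200 512
203.0.113.9 - - [14/Apr/2026:10:05:44 +0000] "GET /jrpc/../../etc/passwd HTTP/1.1" 200 1802
203.0.113.9 - - [14/Apr/2026:10:05:45 +0000] "GET /jrpc/%2e%2e/%2e%2e/config HTTP/1.1" 403 0
10.0.0.7 - analyst [14/Apr/2026:10:07:10 +0000] "GET /ui/dashboard HTTP/1.1" 200 2048
"""

# Statement-starting keywords; a heuristic, to be tuned for the data the upload path legitimately carries
SQL_STMT = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|TRUNCATE|EXEC|UNION)\b", re.I)

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_sql_uploads(uploads):
    """Return (user, filename, keywords) for uploads whose contents look like SQL statements."""
    findings = []
    for user, name, content in uploads:
        hits = sorted({m.group(1).upper() for m in SQL_STMT.finditer(content)})
        if hits and ";" in content:  # keyword plus a statement terminator
            findings.append((user, name, hits))
    return findings


def flag_api_requests(log_text, api_prefix="/jrpc"):
    """Flag API requests that decode to a traversal or that succeed without an authenticated user."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not m["path"].startswith(api_prefix):
            continue
        decoded = unquote(unquote(m["path"]))  # two rounds catch double-encoded dots
        reasons = []
        if "../" in decoded or "..\\" in decoded:
            reasons.append("path traversal")
        if m["user"] == "-" and m["status"].startswith("2"):
            reasons.append("unauthenticated success")
        if reasons:
            findings.append((m["ip"], m["path"], m["status"], reasons))
    return findings


if __name__ == "__main__":
    for finding in flag_sql_uploads(SAMPLE_UPLOADS):
        print("SQL in upload:", finding)
    for finding in flag_api_requests(SAMPLE_ACCESS_LOG):
        print("Suspicious API request:", finding)
```

In production the two functions would be fed from the SAP upload audit trail and the appliance's HTTP access log respectively; the point of the example is the shape of the checks (content inspection before execution, decoding before pattern matching, and correlating an empty user field with a successful status) rather than the specific sample values.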
References
The Hacker News: April Patch Tuesday Fixes Critical Flaws, Adobe Security Bulletins, Fortinet PSIRT, Microsoft Security Update Guide, Onapsis SAP Advisory, Pathlock SAP Analysis
Rescana is here for you
Rescana’s Third-Party Risk Management (TPRM) platform empowers organizations to continuously monitor, assess, and manage the cybersecurity posture of their vendors and supply chain partners. Our platform delivers actionable intelligence, automated risk scoring, and real-time alerts to help you stay ahead of emerging threats. While this advisory focuses on the latest vulnerabilities from SAP, Adobe, Microsoft, and Fortinet, Rescana’s solutions are designed to provide holistic visibility and proactive defense across your entire digital ecosystem. For any questions or further guidance, our team is ready to assist at ops@rescana.com.