Welcome to the April 2026 MEDITECH Customer Security Newsletter, where we provide you with information and resources to give you insight into the security challenges facing your organization and the healthcare community as a whole. Here, we endeavor to provide some good information to help you improve your organization's security posture. This data has been gleaned from the review of public records on file with CISA, H-ISAC and Health Sector Cybersecurity Coordination Center (HC3) alerts. Please note the Talk To Us section, as we would like to tailor future editions of the newsletter to address specific concerns.
Known Exploited Vulnerabilities
Between March 13 and April 8, 2026, CISA added 18 vulnerabilities to its "Known Exploited Vulnerabilities" catalog. These additions are based on evidence of active exploitation in the wild. Because these vulnerabilities are frequent attack vectors for malicious actors, they pose a significant risk to organizational security.
| CVE (Severity) | Product | Vulnerability Type |
|---|---|---|
| CVE-2026-35616 (Critical) | Fortinet FortiClient EMS | Improper Access Control (RCE) |
| CVE-2026-3502 (High) | TrueConf Server | Update Mechanism Hijack (RCE) |
| CVE-2026-5281 (High) | Google Chrome (Dawn) | Use After Free (RCE) |
| CVE-2026-3055 (High) | Citrix NetScaler ADC & Gateway | Out-of-Bounds Read |
| CVE-2025-53521 (Critical) | F5 BIG-IP Access Policy Manager | Unauthenticated RCE |
| CVE-2026-33634 (Critical) | Aqua Security Trivy | Embedded Malicious Code |
| CVE-2026-33017 (Critical) | Langflow (AI Framework) | Unauthenticated Code Injection (RCE) |
| CVE-2025-31277 (High) | Apple Multiple Products | Buffer Overflow |
| CVE-2025-43520 (Medium) | Apple Multiple Products | Buffer Overflow |
| CVE-2025-43510 (High) | Apple Multiple Products | Improper Locking Vulnerability |
| CVE-2025-54068 (Critical) | Laravel Livewire | Code Injection (RCE) |
| CVE-2025-32432 (Critical) | Craft CMS | Unauthenticated RCE |
| CVE-2026-20131 (Critical) | Cisco Secure FMC & SCC | Insecure Deserialization (RCE) |
| CVE-2026-20963 (Critical) | Microsoft SharePoint Server | Insecure Deserialization (RCE) |
| CVE-2025-66376 (High) | Zimbra Collaboration Suite | Stored XSS via CSS @import |
| CVE-2025-47813 (Medium) | Wing FTP Server | Information Disclosure (Path) |
| CVE-2026-3909 (High) | Google Chrome (Skia) | Out-of-bounds Write |
| CVE-2025-3910 (High) | Google Chrome | Arbitrary Code Execution |
Threat Actor Spotlight: Iranian-Affiliated APT Actors
In early April 2026, federal agencies, including the FBI, CISA, and the NSA, issued an urgent warning regarding a sophisticated campaign by Iranian-affiliated Advanced Persistent Threat actors targeting United States critical infrastructure. These actors, often identified as CyberAv3ngers or the Shahid Kaveh Group, have a history of targeting operational technology to cause disruptive effects.
The group specifically exploits internet-facing operational technology, primarily targeting Rockwell Automation and Allen-Bradley programmable logic controllers. By accessing these devices through common industrial ports (44818, 2222, 102, 22, and 502), the actors maliciously interact with project files and manipulate data displayed on supervisory control and data acquisition systems and human-machine interface screens. Since at least March 2026, this activity has resulted in documented operational disruptions and financial losses across sectors such as energy, water and wastewater systems, and government facilities.
These attacks are frequently conducted via leased third-party infrastructure to hide the actors' origin while they use configuration software to create unauthorized connections to victim controllers. The targeting of multiple ports associated with different industrial protocols suggests these actors may be expanding their reach to devices from other vendors beyond their primary targets. To defend against this group, CISA mandates that organizations immediately remove programmable logic controllers from direct internet exposure. For facilities using Rockwell Automation hardware, administrators should ensure the physical mode switch is set to the run position to prevent unauthorized remote programming changes.
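As an added defender-side example (not from the newsletter or the agencies' advisory), the following Python check parses a few constructed firewall log lines and reports controllers that accepted connections on the industrial ports named above from addresses outside the organization's own internal ranges, which is the direct-internet exposure the advisory says to eliminate. The log format, the port labels, and the assumption that internal networks are the RFC 1918 blocks are my own.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the advisory; the protocol labels are my own annotations.
INDUSTRIAL_PORTS = {
    44818: "EtherNet/IP",
    2222: "CIP I/O",
    102: "S7comm",
    22: "SSH",
    502: "Modbus/TCP",
}

# Assumption: the plant's own networks are the RFC 1918 ranges. Anything else
# that reaches a controller is treated as external (internet) exposure.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
2026-04-01T02:11:09Z action=allow src=203.0.113.45 dst=10.20.30.5 dport=44818 proto=tcp
2026-04-01T02:11:12Z action=allow src=10.20.30.7 dst=10.20.30.5 dport=44818 proto=tcp
2026-04-01T02:12:40Z action=allow src=198.51.100.9 dst=10.20.30.6 dport=502 proto=tcp
2026-04-01T02:13:01Z action=deny src=198.51.100.9 dst=10.20.30.6 dport=102 proto=tcp
2026-04-01T02:14:22Z action=allow src=192.0.2.77 dst=10.20.30.5 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def exposed_controllers(log_text):
    """Return {controller_ip: {port, ...}} for allowed connections from
    external sources to industrial or management ports."""
    exposed = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "allow":
            continue  # denied traffic is a blocked probe, not exposure
        port = int(m["dport"])
        if port in INDUSTRIAL_PORTS and not is_internal(ipaddress.ip_address(m["src"])):
            exposed[m["dst"]].add(port)
    return dict(exposed)


def report(exposed):
    """One human-readable finding per exposed controller."""
    return [f"{dst}: reachable from the internet on "
            + ", ".join(f"{p}/{INDUSTRIAL_PORTS[p]}" for p in sorted(ports))
            for dst, ports in sorted(exposed.items())]
```

Feed it your real firewall or NetFlow export after adjusting `LINE_RE` and `INTERNAL_NETS`; any controller it lists should be moved behind a VPN or firewall rule before anything else.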
News
The End is Just the Beginning for Better Security: Enhanced Vulnerability Management with OpenEOX
FDA Tightens Its Medical Device Cybersecurity Guidance
Additional Resources
- HHS 405(d) Aligning Health Care Industry Security Approaches - The 405(d) Program and Task Group is a collaborative effort between industry and the federal government, which aims to raise awareness, provide vetted cybersecurity practices, and move healthcare organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the sector. Their website provides the latest resources and information as well as an opportunity for involvement.
- Helpful resources CISA has provided can be found on the following pages:
Talk to us!
We at MEDITECH would love to hear your feedback about this newsletter and we’d like to know what is on your mind. Is there something you would like us to address?
We also have a question for you that is important to us. What are your largest concerns or security hopes for 2026?
Please let us know by contacting us!
Until next time, stay alert out there!
