Top stories.
- NVD shifts strategy to deal with a CVE backlog.
- US House extends FISA Section 702 for ten days.
- CISA recalls furloughed employees amid funding lapse.
- New malware strain targets Israeli water facilities.
- US and Indonesian law enforcement shut down multi-million-dollar phishing operation.
- Patch Tuesday notes.
NVD shifts strategy to deal with a CVE backlog.
The NIST-hosted National Vulnerability Database (NVD) is shifting to a risk-based prioritization model as the NVD team struggles to keep up with the number of newly reported flaws, Infosecurity Magazine reports. Harold Booth, a NIST computer scientist, said at VulnCon26 this week that the NVD will not be enriching vulnerability descriptions for any CVEs reported before March 1st, 2026. The NVD will prioritize enriching vulnerabilities found in software used by the US Federal government and flaws added to CISA's Known Exploited Vulnerabilities (KEV) list. Booth stated, "All submitted CVEs will still be added to the NVD. However, those that do not meet the criteria above will be categorized as 'Not Scheduled.'"
US House extends FISA Section 702 for ten days.
The US House voted unanimously on Friday to extend Section 702 of the Foreign Intelligence Surveillance Act (FISA) until April 30th, NPR reports. The controversial surveillance program was set to expire this coming Monday. Lawmakers failed to reach an agreement on either a five-year renewal or the 18-month plan requested by President Trump. According to the New York Times, libertarian-leaning Republicans have demanded a vote on adding new privacy limits to any long-term extension.
FISA Section 702 allows the government to spy on foreign persons located outside the United States, but the law has been criticized for its incidental collection of American citizens' data. The intelligence community maintains that the broad scope is necessary for national security.
CISA recalls furloughed employees amid funding lapse.
The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered all furloughed employees to return to work, despite the ongoing funding lapse at the Department of Homeland Security, according to BankInfoSecurity. A DHS spokesperson stated, "Secretary Mullin will be utilizing available funding to recall the entire DHS workforce to get our patriotic employees back to work," noting that backpay is being processed. CISA had been operating with only mission-essential staff since the funding standoff began in February.
Nick Andersen, acting director of CISA, continues to warn of "detrimental capacity impacts" caused by the lapse in funding, BankInfoSecurity says. Andersen testified on Thursday before the House Appropriations Subcommittee on Homeland Security, defending the Trump administration's request for a reduced $2.5 billion budget for the agency. Andersen says the pared-down budget will support CISA's core statutory mission, with $1.4 billion going to the agency's cybersecurity division.
New malware strain targets Israeli water facilities.
Darktrace warns that an OT-focused strain of malware dubbed "ZionSiphon" is targeting Israeli water facilities. The malware "combines several familiar host-based capabilities, including privilege escalation, persistence, and removable-media propagation, with targeting logic themed around water treatment and desalination environments." The payload is designed to activate "only when both a geographic condition and an environment-specific condition related to desalination or water treatment are met."
The researchers don't attribute the malware to any particular threat actor, though some strings offer evidence that the hackers are seeking to cause harm. One Base64-encoded string embedded in the binary decodes to "Poisoning the population of Tel Aviv and Haifa."
US and Indonesian law enforcement shut down multi-million-dollar phishing operation.
The US Federal Bureau of Investigation's (FBI's) Atlanta field office and Indonesian law enforcement took down a popular phishing platform called "W3LL" that was used to steal more than $20 million, Fox 5 Atlanta reports. The FBI and Indonesian National Police also said the developer of the phishing kit has been identified and detained.
The kit sold for $500 through the W3LL Store, which was active from 2019 to 2023, and investigators believe the marketplace facilitated the sale of over 25,000 compromised accounts. Activity continued after the store's closure via encrypted messaging apps, with more than 17,000 victims targeted between 2023 and 2025. The W3LL operation was analyzed by researchers at Group-IB in 2023, who noted that the platform was "specifically designed to compromise corporate email accounts" for use in business email compromise (BEC) attacks.
Patch Tuesday notes.
Microsoft on Tuesday issued fixes for 167 vulnerabilities, including two zero-day flaws, BleepingComputer reports. One of the zero-days (CVE-2026-32201), which is being actively exploited, is described as "[i]mproper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network." The other zero-day (CVE-2026-33825), which was publicly disclosed before a patch was available, is an elevation-of-privilege flaw in Microsoft Defender. This latter flaw, dubbed "BlueHammer," was exposed along with exploit code by a disgruntled researcher who grew exasperated with Microsoft, KrebsOnSecurity reports.
Adobe released patches for vulnerabilities affecting Illustrator, Reader, Acrobat, Photoshop, Bridge, ColdFusion, Adobe Connect, FrameMaker, AEM, InCopy, and InDesign. The patches include a fix for a recently disclosed zero-day in Acrobat Reader that's been exploited since December.
Fortinet patched eleven flaws, including two critical vulnerabilities affecting FortiSandbox.
SecurityWeek has a round-up of fixes issued by ICS vendors, including Siemens, Schneider Electric, Aveva, Rockwell Automation, ABB, Phoenix Contact, Mitsubishi Electric, and Moxa.