(TLP:CLEAR) Weekly Vulnerabilities to Prioritize – April 23, 2026
Created: Thursday, April 23, 2026 - 15:31
Categories: Cybersecurity, Security Preparedness
The below vulnerabilities have been identified by WaterISAC analysts as important for water and wastewater utilities to prioritize in their vulnerability management efforts. WaterISAC shares critical vulnerabilities that affect widely used products and may be under active exploitation. WaterISAC draws additional awareness in alerts and advisories when vulnerabilities are confirmed to be impacting, or have a high likelihood of impacting, water and wastewater utilities. Members are encouraged to regularly review these vulnerabilities, many of which are often included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
Microsoft Defender Insufficient Granularity of Access Control Vulnerability
CVSS v3.1: 7.8
CVE: CVE-2026-33825
Description: Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally. CISA added this vulnerability to its KEV catalog.
Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825
Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default
CVSS: N/A
CVE: CVE-2026-29146
Description: Padding oracle vulnerability in Apache Tomcat's EncryptInterceptor (the Tribes cluster-communication interceptor) in its default configuration. This issue affects Apache Tomcat from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, and from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53, or 9.0.116, which fix the issue. No fixed release is listed for the 8.5.x and 7.0.x branches, which are end of life; affected installations on those branches should move to a supported branch.
Source: https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
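To turn the affected and fixed version list above into a repeatable check, the following is an added example (not code from Apache or from the WaterISAC bulletin) that parses Tomcat version strings, including pre-release milestones such as 11.0.0-M1, and tests a running version against the ranges stated in the advisory. The range table is transcribed from the advisory text; the milestone ordering rule (a milestone sorts before the GA release of the same number) follows Tomcat's version naming. Everything else (function names, the status labels) is this example's own.

```python
import re

# Affected ranges and fixed releases exactly as stated in the Apache advisory
# for CVE-2026-29146. The 8.5.x and 7.0.x branches have no fixed release listed.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.18", "11.0.19"),
    ("10.0.0-M1", "10.1.52", "10.1.53"),
    ("9.0.13",    "9.0.115", "9.0.116"),
    ("8.5.38",    "8.5.100", None),
    ("7.0.100",   "7.0.109", None),
]

# Tomcat versions look like 9.0.115 or, for pre-releases, 11.0.0-M1.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text):
    """Return a tuple that sorts correctly: milestones precede the GA release
    with the same number (11.0.0-M1 < 11.0.0-M2 < 11.0.0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    # (0, n) for milestone n, (1, 0) for a GA release, so tuple comparison
    # orders every milestone ahead of the final release it precedes.
    tag = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + tag


def assess(version):
    """Classify a Tomcat version against the advisory.

    Returns (status, advice) where status is one of
    'affected', 'fixed' or 'not in listed ranges'."""
    v = parse_version(version)

    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            if fixed:
                return ("affected", f"upgrade to {fixed} or later")
            return ("affected",
                    "no fixed release listed in the advisory; "
                    "move to a supported branch")

    # Outside every affected range: either at/after the fix for that branch
    # (same major.minor as the fixed release) or simply not covered.
    for _low, _high, fixed in AFFECTED_RANGES:
        if fixed:
            f = parse_version(fixed)
            if v[:2] == f[:2] and v >= f:
                return ("fixed", f"{version} is at or after fixed release {fixed}")

    return ("not in listed ranges", "compare against the advisory for your branch")


if __name__ == "__main__":
    # Constructed sample inputs, one per branch plus a milestone and a fixed release.
    for sample in ["11.0.0-M1", "11.0.19", "10.0.5", "9.0.115", "9.0.116",
                   "8.5.100", "7.0.109", "9.0.12"]:
        status, advice = assess(sample)
        print(f"{sample:>10}: {status} ({advice})")
```

The milestone handling is the part that is easy to get wrong with a naive string or float comparison: "11.0.0-M1" must fall inside the 11.x affected range even though it sorts before "11.0.0" lexically and numerically. The check deliberately reports versions outside every listed range as unknown rather than safe, since the advisory says nothing about them.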
ASP.NET Core Elevation of Privilege Vulnerability
CVSS v3.1: 9.1
CVE: CVE-2026-40372
Description: Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.
Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40372
D-Link DIR-823X series routers
CVSS 3.1: 8.8
CVE: CVE-2025-29635
Description: A command injection vulnerability in D-Link DIR-823X firmware versions 240126 and 240802 allows an authorized attacker to execute arbitrary commands on the device by sending a crafted POST request to /goform/set_prohibiting, resulting in remote command execution.
Original Source: https://nvd.nist.gov/vuln/detail/CVE-2025-29635
Microsoft SharePoint Server Spoofing Vulnerability
CVSS 3.1: 6.5
CVE: CVE-2026-32201
Description: Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
Original Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201
Cisco Catalyst SD-WAN Manager Vulnerabilities
CVSS 3.1: 5.4, 7.5, 6.5
CVEs: CVE-2026-20122, CVE-2026-20128, CVE-2026-20133
Description: Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager and Cisco Catalyst SD-WAN Software could allow both authenticated and unauthenticated remote attackers to escalate privileges, access sensitive information, and manipulate the underlying system. These issues stem from improper file handling in the API, exposure of credential files associated with the Data Collection Agent (DCA), and insufficient file system restrictions. An attacker could exploit these weaknesses by uploading malicious files, issuing crafted HTTP requests to retrieve credentials, or accessing system shells with elevated privileges. Successful exploitation could result in unauthorized file overwrites, credential compromise, lateral movement to other systems, and access to sensitive operating system data. CISA has added this vulnerability to its KEV catalog; check the catalog to confirm which of the three listed CVEs it covers when prioritizing remediation.
Original Source: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
