Today's picture
Medtronic confirmed a breach of its corporate IT systems last week after ShinyHunters claimed to have stolen over 9 million records including personal data and internal files. The listing has since disappeared from the group's leak site, which usually means negotiation or payment is underway. This is the same group that hit ADT earlier this month. Separately, CrowdStrike disclosed a CVSS 9.8 unauthenticated path traversal in the self-hosted version of its LogScale platform. No exploitation has been confirmed, but a critical unauthenticated flaw in a tool that ingests your most sensitive log data deserves immediate attention.
Threat snapshot
3 new · 2 monitoring
New
Breach
Healthcare
Medtronic confirms breach. ShinyHunters claims 9 million records including PII and internal corporate data.
SEC filing confirmed. Incident contained. ShinyHunters listing removed from leak site. Ransom deadline passed April 21. Investigation and notifications ongoing.
New
CVSS 9.8
Security Tool
CrowdStrike LogScale CVSS 9.8 unauthenticated path traversal. Self-hosted deployments need immediate patching.
CVE-2026-40050. Unauthenticated remote attacker reads arbitrary files from server. SaaS and Next-Gen SIEM customers already protected. Self-hosted must patch now.
New
Now Exploited
Microsoft updates April Patch Tuesday advisory to confirm Windows Shell CVE-2026-32202 is being actively exploited.
CVSS 4.3 spoofing flaw. Patched April 14; exploitation status not confirmed until today. Attacker sends the victim a malicious file; once it is opened, the attacker can read information accessible to that user. Patch already shipped.
Detailed intelligence
Full analysis
01 New Breach Healthcare
Medtronic confirms breach. ShinyHunters claims 9 million records including personal data and internal corporate files.
Medtronic · Apr 24
What happened
Medtronic, the world's largest medical device manufacturer, disclosed a security breach in an SEC filing on April 24, 2026, confirming that an unauthorized party accessed data in certain corporate IT systems. The disclosure followed ShinyHunters claiming the intrusion on April 18, posting on their dark web leak site that they had stolen over 9 million records containing personally identifiable information plus terabytes of additional internal corporate data. ShinyHunters set a ransom deadline of April 21. The listing has since been removed from the group's site, which typically signals either payment or active negotiation.
Medtronic confirmed it contained the breach and has engaged external cybersecurity experts for the investigation. The company said it will notify and support affected individuals if data exposure is confirmed. Medtronic develops and manufactures medical devices including cardiac monitors, insulin pumps, neuromodulation systems, and surgical tools, with products deployed in hospitals and with patients globally. The company did not specify what categories of personal data were involved in the breach beyond confirming access to certain corporate IT systems. This is the second major medical device company to suffer a significant breach since the Iran-Israel conflict escalated earlier this year, following the Stryker attack in March.
CyberSip Take
ShinyHunters has been on a sustained campaign this month. ADT, Medtronic, and Vercel all confirmed breaches after ShinyHunters claimed them. The group has been systematically targeting high-value organizations across healthcare, security monitoring, and cloud infrastructure, using data extortion as the primary leverage mechanism rather than file encryption. The pattern matters because data extortion attacks do not need to disrupt operations to create significant harm. They simply need to acquire data the organization cannot afford to have published.
For Medtronic specifically, the intersection of personal health data, device operational data, and clinical information creates a category of exposure with consequences beyond financial notification costs. Patients with active Medtronic cardiac or neurological devices should be aware that their device-related data may be in scope. Healthcare organizations that use Medtronic systems should monitor for any follow-on phishing or social engineering attempts that leverage device or patient details as credibility props, which is the same pattern we flagged after the Booking.com breach in Issue 5. The removal of the listing from ShinyHunters' site does not mean the data is secure. It means the negotiation dynamics have shifted.
Recommended actions
- Healthcare organizations using Medtronic systems should monitor for phishing and social engineering attempts that cite device or patient details to establish credibility.
- Review whether any employee or patient data shared with Medtronic falls under your own breach notification obligations and consult with legal counsel on disclosure timelines.
- Watch for Medtronic's formal notification process to affected individuals and cross-reference against your own patient or employee populations as appropriate.
- Monitor Medtronic's security bulletin page for updates on data categories confirmed as exposed as the investigation progresses.
Derived from Medtronic SEC filing, ShinyHunters threat actor reporting, and independent security research
02 New CVSS 9.8 Security Tool
CrowdStrike LogScale CVSS 9.8 unauthenticated path traversal. Self-hosted deployments need immediate patching.
CVE-2026-40050
What happened
CrowdStrike disclosed CVE-2026-40050, a critical unauthenticated path traversal vulnerability in its LogScale self-hosted platform, with a CVSS score of 9.8. LogScale, formerly known as Humio, is a log management and observability platform that ingests, stores, and enables real-time search of high-volume machine data. Organizations running self-hosted LogScale deployments typically use it as a central repository for security logs, application telemetry, and infrastructure events.
The vulnerability exists in a specific cluster API endpoint. If that endpoint is reachable from the attacker's network position, an unauthenticated remote attacker can send crafted requests that traverse the server directory structure and read arbitrary files from the underlying filesystem. What can be read is bounded only by the filesystem permissions of the account LogScale runs as, which in practice includes configuration files, credential stores, internal certificates, and stored log data. The flaw is categorized under CWE-22 path traversal and CWE-306 missing authentication for a critical function.
CrowdStrike confirmed no evidence of exploitation in the wild. The company discovered the vulnerability internally through its own product testing program. LogScale SaaS customers and Next-Gen SIEM customers are not affected. SaaS deployments received network-layer protection on April 7. Self-hosted deployments running GA versions 1.224.0 through 1.234.0 and LTS versions 1.228.0 or 1.228.1 need to upgrade to patched versions immediately.
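The advisory says nothing about what traversal payloads against the affected endpoint look like, and this newsletter does not name the endpoint, so the detection below is deliberately generic: it flags any HTTP request whose target contains a `..` segment after percent-decoding, which is the CWE-22 shape the advisory describes. This is an added example written for this issue, not CrowdStrike tooling; the access-log lines are constructed, and the `/api/v1/files/` paths in them are placeholders rather than real LogScale routes. Run it over the access logs of whatever reverse proxy or load balancer fronts your self-hosted cluster.

```python
"""Flag HTTP requests that look like path traversal probes (CWE-22).

Added example for this newsletter, not CrowdStrike code. It does not know
the LogScale cluster API endpoint named in the advisory; it flags the
traversal pattern wherever it appears. Sample log lines are constructed.
"""
import re
from urllib.parse import unquote

# Common/combined log format; only the request line and status are used.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

MAX_DECODE_ROUNDS = 3  # enough to unwrap double percent-encoding


def normalize_target(target: str) -> str:
    """Percent-decode until stable, then treat backslash as a separator."""
    path = target
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def traversal_reason(target: str):
    """Return a reason string if the request target looks like traversal, else None.

    The check is per segment (split on path and query delimiters), so a
    filename such as 'release..notes' is not flagged, while '../', '%2e%2e/',
    '%252e%252e%252f', '..%5c' and '?file=../' all are.
    """
    path = normalize_target(target)
    if "\x00" in path:
        return "null byte in path"
    if ".." in re.split(r"[/?&=]", path):
        return "dot-dot segment after decoding"
    return None


def scan_log(lines):
    """Yield (source, target, status, reason) for suspicious request lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        reason = traversal_reason(m["target"])
        if reason:
            hits.append((m["src"], m["target"], int(m["status"]), reason))
    return hits


# Constructed sample traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Apr/2026:10:01:02 +0000] "GET /api/v1/status HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Apr/2026:10:01:05 +0000] "GET /api/v1/files/../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.9 - - [24/Apr/2026:10:02:11 +0000] "GET /api/v1/files/%2e%2e%2f%2e%2e%2fconf/secrets.yaml HTTP/1.1" 200 2201',
    '203.0.113.9 - - [24/Apr/2026:10:02:13 +0000] "GET /api/v1/files/%252e%252e%252fserver.key HTTP/1.1" 403 0',
    '198.51.100.4 - - [24/Apr/2026:10:03:00 +0000] "GET /api/v1/files/..%5c..%5cwin.ini HTTP/1.1" 404 0',
    '198.51.100.4 - - [24/Apr/2026:10:03:30 +0000] "GET /export?file=..%2f..%2fconf%2fconfig.env HTTP/1.1" 200 77',
    '198.51.100.4 - - [24/Apr/2026:10:03:40 +0000] "GET /docs/release..notes HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for src, target, status, reason in scan_log(SAMPLE_LOG):
        # A 200 to a traversal probe is the line that needs a human right now.
        flag = "SUCCESS?" if status == 200 else "blocked"
        print(f"{src:<14} {status} {flag:<9} {reason:<30} {target}")
```

A 4xx on a probe tells you someone is looking; a 200 with a non-trivial response size tells you to treat the host as potentially compromised and rotate whatever credentials live on it. Tune the split delimiters if your proxy logs raw, undecoded targets differently.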
CyberSip Take
Security tools occupy a uniquely sensitive position in infrastructure. A log management platform knows everything. It holds security alerts, authentication events, network flow records, application errors, and in many deployments the actual content of sensitive transactions. A path traversal vulnerability that lets an unauthenticated attacker read arbitrary files from the server is not just a confidentiality risk against one application. It is a potential window into the entire security stack.
The good news here is meaningful. CrowdStrike found this internally before any external researcher or attacker did. There is no evidence of exploitation. SaaS customers are already protected. The disclosure was handled responsibly. The action item for self-hosted LogScale customers is straightforward: patch immediately and verify the cluster API endpoint is not exposed to untrusted networks. For organizations evaluating whether to run security tooling in self-hosted versus SaaS configurations, this incident illustrates one of the real tradeoffs. Self-hosted deployments give you data control but put patch urgency entirely on your team. SaaS deployments shift that responsibility to the vendor, who in this case fixed its own infrastructure before the flaw was publicly known.
Recommended actions
- Self-hosted LogScale customers on GA versions 1.224.0 through 1.234.0 should upgrade to 1.234.1 or later. LTS customers on 1.228.0 or 1.228.1 should upgrade to 1.228.2 or later.
- Verify the LogScale cluster API endpoint is not reachable from untrusted networks. If it must be accessible, put an authenticating reverse proxy, VPN or source-IP allowlist in front of it as an additional layer. Network restriction narrows exposure but does not replace the patch.
- SaaS and Next-Gen SIEM customers do not need to take action. The fix was applied at the infrastructure level on April 7.
- Review what data your LogScale deployment ingests, and confirm that sensitive configuration files and credential stores on the server are readable only by the accounts that need them. Running the service as a dedicated low-privilege account bounds what an arbitrary-file-read primitive can reach, which is a defense-in-depth measure rather than a fix.
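The two affected ranges above overlap: 1.228.x is both inside the GA window 1.224.0 to 1.234.0 and the LTS train, so a naive "is it between 1.224.0 and 1.234.0" check would mark the fixed LTS release 1.228.2 as vulnerable. The following triage script is an added example for this issue, not CrowdStrike's own tooling; it hard-codes only the version numbers quoted in the advisory summary above, and the cluster inventory it runs over is constructed. Versions older than 1.224.0 are reported as not listed rather than safe, since the advisory does not speak to them.

```python
"""Triage self-hosted LogScale versions against CVE-2026-40050.

Added example, not CrowdStrike code. Ranges are those quoted in the
advisory: GA 1.224.0..1.234.0 (fixed in 1.234.1) and LTS 1.228.0/1.228.1
(fixed in 1.228.2). The inventory below is constructed.
"""

Version = tuple[int, int, int]

GA_FIRST: Version = (1, 224, 0)
GA_LAST: Version = (1, 234, 0)
GA_FIXED: Version = (1, 234, 1)
LTS_MINOR = 228
LTS_FIXED: Version = (1, 228, 2)


def parse_version(text: str) -> Version:
    """Parse 'v1.234.0' / '1.234.0' into a comparable tuple; reject anything else."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized LogScale version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(text: str) -> tuple[str, str]:
    """Return (status, advice); status is 'affected', 'fixed' or 'not_listed'."""
    v = parse_version(text)
    # LTS train first: 1.228.2 is numerically inside the GA window but is the LTS fix.
    if v[:2] == (1, LTS_MINOR):
        if v < LTS_FIXED:
            return ("affected", f"LTS {fmt(v)}: upgrade to {fmt(LTS_FIXED)} or later")
        return ("fixed", f"LTS {fmt(v)} includes the fix")
    if GA_FIRST <= v <= GA_LAST:
        return ("affected", f"GA {fmt(v)}: upgrade to {fmt(GA_FIXED)} or later")
    if v >= GA_FIXED:
        return ("fixed", f"GA {fmt(v)} includes the fix")
    return ("not_listed", f"{fmt(v)} predates the advisory's affected range; confirm with the advisory")


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group node names by status so the 'affected' list can go straight to a ticket."""
    groups: dict[str, list[str]] = {"affected": [], "fixed": [], "not_listed": []}
    for node, version in inventory.items():
        status, _ = assess(version)
        groups[status].append(node)
    return groups


# Constructed inventory; node names and versions are illustrative.
INVENTORY = {
    "logscale-ga-01": "1.233.2",
    "logscale-ga-02": "1.234.0",
    "logscale-ga-03": "1.234.1",
    "logscale-lts-01": "1.228.1",
    "logscale-lts-02": "1.228.2",
    "logscale-legacy": "1.219.4",
}

if __name__ == "__main__":
    for node, version in INVENTORY.items():
        status, advice = assess(version)
        print(f"{node:<16} {status:<10} {advice}")
```

Feed it the version strings from your node inventory rather than trusting a single reported cluster version; mixed-version clusters mid-upgrade are exactly where a stale node gets missed.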
Derived from CrowdStrike security advisory and independent vulnerability analysis
03 New Now Exploited
Microsoft confirms Windows Shell CVE-2026-32202 is being actively exploited. Patch shipped April 14.
CVE-2026-32202
What happened
Microsoft revised its advisory for CVE-2026-32202 today to acknowledge active exploitation in the wild. The vulnerability is a spoofing flaw in Windows Shell rated CVSS 4.3. It was included in the April 14 Patch Tuesday update without an initial exploitation flag. An attacker sends the victim a malicious file; when the victim opens it, the attacker can view sensitive information accessible to that user. The exploitation vector requires user interaction, which accounts for the relatively low CVSS score compared to remote code execution flaws, but the exploitation confirmation moves it from a routine patch priority to a confirmed active threat. Microsoft describes the protection mechanism failure as allowing an unauthorized attacker to perform spoofing over a network.
CyberSip Take
The CVSS score of 4.3 will lead some patch managers to deprioritize this, but CVSS scores measure potential severity, not attacker interest. Active exploitation confirmed two weeks after patch release means attackers evaluated this flaw, built a working exploit, and are using it now. A spoofing vulnerability in Windows Shell that exposes sensitive information through a malicious file execution is a usable tool for reconnaissance and credential harvesting in targeted attack chains. The patch shipped with April Patch Tuesday on April 14. Any Windows system that has not received that update is exposed to a confirmed active threat today. The action is the same as it has been for every April Patch Tuesday item: confirm the April cumulative update is applied across your Windows fleet.
Recommended actions
- Confirm the April 2026 cumulative update has been applied across Windows systems in your environment. CVE-2026-32202 was addressed in that update and no additional action is required beyond applying it.
- Treat any unexpected file attachments or requests to execute files from external or unfamiliar sources with heightened scrutiny given confirmed active exploitation.
- Check Microsoft's revised advisory at MSRC for any additional indicators of compromise or exploitation details published alongside today's update.
Derived from Microsoft Security Response Center advisory update and April 2026 Patch Tuesday analysis
Still watching
Aging items · days 2–6
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
FIRESTARTER Cisco firewall backdoor (Issue 15). Federal hard power cycle deadline is today, April 30. If you run Cisco Firepower 1000, 2100, 4100, 9300 or Secure Firewall 200, 1200, 3100, 4200, or 6100 series devices, review CISA Emergency Directive 25-03 updated guidance immediately.
Day 2
LMDeploy CVE-2026-33626 (Issue 15). Update to version 0.12.1. Restrict outbound connections from model serving infrastructure and configure IMDSv2 with hop limit 1 on EC2 instances.
Day 2
PhantomRPC unpatched Windows RPC design flaw (Issue 14). No patch, no CVE, research tools public. No confirmed exploitation. Watch Microsoft MSRC for patch announcement.
Day 3
Cross-source standouts
What connects this week
01
ShinyHunters ran a coordinated campaign across April and the targets were not random
ADT, Medtronic, Vercel. All confirmed breaches this month. All claimed by ShinyHunters. The three organizations share a characteristic: they hold data that is either operationally sensitive, physically consequential, or used as trust infrastructure by a large downstream population. A security monitoring company knows who has alarms and when. A medical device manufacturer holds patient and device operational data. A cloud infrastructure platform holds deployment credentials for thousands of organizations. The group is selecting targets with data that produces leverage, not just volume. That selection logic is worth understanding when assessing your own organization's exposure profile.
02
Security tools are high-value targets and need to be treated that way
CrowdStrike LogScale joins the Azure SRE Agent and the nginx-ui MCP platform as security and observability tools that disclosed critical vulnerabilities this month. Each of these products sits in a privileged position inside the infrastructure it is supposed to protect. A log management platform holds your security event data. An AI SRE agent holds your credentials and deployment commands. An Nginx management interface controls your web traffic. When the tool that watches everything has a critical flaw, the attacker is not just accessing one application. They are accessing the record of everything that has happened across the systems it monitors. Patching security tooling with the same urgency as the infrastructure it watches is the right response.