TL;DR

This week's cybersecurity landscape packs a punch for Australian SMBs: Microsoft's latest Patch Tuesday closes 137 vulnerabilities including an actively exploited SQL Server zero-day, Fortinet firewalls have a privilege escalation flaw, a major IT distributor was hit by ransomware that disrupted supply chains, APT28 is hijacking DNS via SOHO routers, and malicious Chrome extensions are stealing credentials at scale. Patch now, check your Fortinet firmware, and brief your team on browser-based phishing.

Microsoft Patch Tuesday: 137 Flaws and a SQL Server Zero-Day

Microsoft's April 2026 Patch Tuesday addresses 137 vulnerabilities, including 14 rated critical and one SQL Server zero-day under active exploitation. The zero-day enables remote code execution against database servers — the kind of infrastructure Australian SMBs commonly expose for web applications and internal tools.

What this means for SMBs: If you run SQL Server (and most on-premises SMBs do), this is not a "patch next month" situation. Attackers are already using it. Pair this with the 14 critical fixes across Windows and Office, and your Monday morning priority is clear: push these updates via WSUS or auto-deploy. If you're running Windows 10 21H2, also grab KB5062554; it's mandatory. If you outsource IT, confirm your MSP has applied these by end of week.

FortiOS Buffer Overflow: Your Firewall Might Have a Gap

Fortinet disclosed CVE-2025-24477, a heap-based buffer overflow in the FortiOS cw_stad daemon. Its CVSS score of 4.0 sounds medium, but an authenticated attacker can turn it into arbitrary code execution and privilege escalation on the firewall itself. Fortinet firewalls are the backbone of Australian SMB perimeter defences; if yours is running unpatched firmware, your front door has a weaker lock than you think.

What this means for SMBs: Log into your FortiGate dashboard (or run get system status from the CLI) and check the firmware version against Fortinet's advisory. If you're on a version prior to the patched release, schedule the update outside business hours tonight. Exploitation requires authenticated access, which limits the blast radius, but if an attacker already has a foothold via phishing (see below), they've got the credentials they need. Layer your defences: patch the firewall, enforce MFA on admin accounts, and keep the management interface off the internet.

Ingram Micro Ransomware: Supply Chain Disruption Hits Home

Global IT distributor Ingram Micro was hit by the SafePay ransomware group over a holiday weekend, disrupting ordering systems and the MS Xvantage platform across multiple regions. Operations are mostly restored, but the incident exposed how a single supplier compromise cascades through the channel. Australian resellers and their SMB customers felt delays in hardware procurement and licence provisioning.

What this means for SMBs: If your business depends on a single IT distributor or supplier for hardware, software, or cloud licences, you need a Plan B. Identify alternate suppliers now, before an incident. More broadly: map your critical vendor dependencies and ask them about their incident response timelines. If they can't answer, assume they'll be down for at least a week during a crisis. Also verify your own backups aren't sitting on the same supply chain — offline, immutable copies are non-negotiable.

APT28 DNS Hijacking: SOHO Routers in the Crosshairs

Russia-linked APT28 is exploiting vulnerable SOHO routers to carry out DNS hijacking and adversary-in-the-middle attacks, primarily targeting Microsoft Outlook credentials. They redirect DNS queries, intercept login traffic, and harvest credentials, all without touching your endpoints. Australian NBN-connected businesses with default or unpatched router firmware are prime targets.

What this means for SMBs: Change your router admin password from the default immediately and disable remote (WAN-side) administration. Check firmware updates for your ISP-supplied or office router; Telstra, Optus, and Vocus gateways have had known issues. Enable DNS-over-HTTPS where possible so a hijacked resolver setting can't silently redirect your traffic. If your router hasn't had a firmware update in over a year, replace it. ACSC guidance on hardening network devices exists precisely for this. Consider routing DNS through a filtered resolver like Cloudflare (1.1.1.2) or Quad9 to block known-malicious domains at the network edge.

Malicious Chrome Extensions: The Phishing Threat Hiding in Plain Sight

A weaponised Chrome extension is delivering LummaC2 stealer, which harvests browser profiles, cryptocurrency wallets, saved passwords, session cookies, and screenshots — then exfiltrates everything to a command-and-control server. Distributed via malicious HTA scripts and RAR archives (NordDragonScan variant), these campaigns explicitly target Windows users in business environments. AI-powered phishing is making the lure emails nearly indistinguishable from legitimate correspondence.

What this means for SMBs: CrowdStrike's 2025 SMB Cybersecurity Report found high awareness but lagging protection among small businesses, and browser-based attacks exploit exactly that gap. Audit your team's Chrome extensions using chrome://extensions and remove anything not business-essential. Deploy a browser extension allowlist via Group Policy or your MDM (Chrome's ExtensionInstallAllowlist and ExtensionInstallBlocklist policies). Train staff that no browser extension request is urgent, and never install from unverified sources. This is also a timely reminder: the Australian Privacy Act amendments now carry heavier penalties for serious data breaches. An extension harvesting your customers' data is now your regulatory headache.

FAQ

Q: How quickly should SMBs apply Patch Tuesday updates? A: Critical and actively exploited flaws within 48 hours. The ACSC's Essential Eight sets 48 hours for vulnerabilities with a known exploit and two weeks for other patches to internet-facing services. If you lack in-house IT, your MSP should have a Service Level Agreement covering this.

Q: Is my Australian business really a target for APT28? A: APT28 casts a wide net via compromised infrastructure. You don't need to be the target — your router can become the stepping stone. Australian businesses are frequently used as relay nodes due to our relatively high bandwidth and lower security investment compared to enterprises.

Q: What's the Essential Eight and does it apply to my SMB? A: The Essential Eight is the ACSC's baseline cybersecurity framework — eight mitigation strategies from application control to patching. It now applies to any organisation handling government data, and the Privacy Act amendments are pushing it toward broader relevance. Start with Maturity Level One: it's achievable for any SMB.

Q: How do I check if a Chrome extension is malicious? A: Check chrome://extensions, remove anything you don't recognise, and verify publishers. Extensions requesting broad permissions (clipboard, cookies, all URLs, file access) are highest risk, because those are exactly what a credential stealer needs. Use Group Policy to enforce an allowlist.
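The following is an added example for this article, not code from Google or from any extension vendor: it scores Chrome extension manifests by the permissions that matter for credential theft, then emits the enterprise policy values that enforce an allowlist. The extension IDs, manifests, and permission weights are constructed for illustration.

```javascript
// Added example: score extension manifests by credential-theft risk and build
// the Chrome allowlist policy. Weights and sample data are constructed.

const PERMISSION_WEIGHTS = {
  cookies: 20,          // read session cookies for every site the extension can reach
  clipboardRead: 15,    // copied passwords and one-time codes
  webRequest: 15,       // observe and rewrite HTTP traffic
  nativeMessaging: 25,  // talk to a native binary outside the browser sandbox
  debugger: 30,         // drive any tab through the DevTools protocol
  management: 10,       // disable other (security) extensions
  tabs: 5,
  downloads: 5,
};
const BROAD_HOST_WEIGHT = 40; // <all_urls>, *://*/*, https://*/*

function isBroadHost(pattern) {
  return pattern === '<all_urls>' || /^(\*|https?):\/\/\*\//.test(pattern);
}

function riskScore(manifest) {
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
  ];
  const matches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  let score = 0;
  const reasons = [];
  for (const p of declared) {
    if (isBroadHost(p)) { score += BROAD_HOST_WEIGHT; reasons.push(`host:${p}`); }
    else if (PERMISSION_WEIGHTS[p]) { score += PERMISSION_WEIGHTS[p]; reasons.push(p); }
  }
  // A content script injected into every page is as powerful as <all_urls>.
  if (matches.some(isBroadHost)) { score += BROAD_HOST_WEIGHT; reasons.push('content_scripts:<all_urls>'); }
  return { score, reasons };
}

function auditExtensions(installed, allowlist) {
  const allowed = new Set(allowlist);
  return installed.map(({ id, manifest }) => {
    const { score, reasons } = riskScore(manifest);
    let action = 'keep';
    if (!allowed.has(id)) action = score >= 30 ? 'remove' : 'review';
    return { id, name: manifest.name, score, reasons, action };
  });
}

// Chrome enterprise policy: block every extension, then allow only approved IDs.
// Deploy via Group Policy (HKLM\Software\Policies\Google\Chrome) or your MDM.
function buildPolicy(allowlist) {
  return {
    ExtensionInstallBlocklist: ['*'],
    ExtensionInstallAllowlist: [...allowlist],
  };
}

// Constructed sample: one approved PDF viewer and one "productivity" extension
// carrying the permission set a credential stealer needs.
const APPROVED_PDF_ID = 'abcdefghijklmnopabcdefghijklmnop';
const SUSPECT_ID = 'ponmlkjihgfedcbaponmlkjihgfedcba';
const INSTALLED = [
  { id: APPROVED_PDF_ID, manifest: { name: 'Corp PDF Viewer', manifest_version: 3, permissions: ['activeTab'] } },
  { id: SUSPECT_ID, manifest: {
      name: 'Productivity Booster', manifest_version: 3,
      permissions: ['cookies', 'clipboardRead', 'tabs'],
      host_permissions: ['<all_urls>'],
      content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }],
  } },
];
const ALLOWLIST = [APPROVED_PDF_ID];

console.table(auditExtensions(INSTALLED, ALLOWLIST));
console.log(JSON.stringify(buildPolicy(ALLOWLIST), null, 2));
```

The policy object is the shape Chrome expects for ExtensionInstallBlocklist and ExtensionInstallAllowlist; a blocklist of "*" with an explicit allowlist means staff can only install what you have approved, regardless of how convincing the lure is.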

Conclusion

This week's threat landscape reinforces what Australian SMBs keep hearing but too rarely act on: patching, hardening, and layered defences aren't optional extras — they're the baseline. The SQL zero-day is being exploited right now. Your Fortinet firewall has a known gap. A major distributor's ransomware incident rippled through the channel. A nation-state group is hijacking the routers you probably haven't updated since installation. And browser-based credential theft is getting better at fooling your team every week.

Start here: Patch SQL Server and Windows today. Update your Fortinet firmware tonight. Audit your router passwords and DNS settings. Review your Chrome extensions. And if you want a professional assessment of where your SMB actually sits against the Essential Eight — visit consult.lil.business for a free cybersecurity assessment.

References

  1. Microsoft Security Response Center — April 2026 Patch Tuesday
  2. Fortinet PSIRT Advisory — CVE-2025-24477
  3. Australian Cyber Security Centre — Essential Eight Maturity Model
  4. CISA Advisory — Zimbra Collaboration Suite Active Exploitation

TL;DR

  • A popular tool that programmers use has a serious security problem
  • The problem is called CVE-2026-28292 and it's very dangerous (score 9.8 out of 10)
  • It lets attackers run commands on computers that use certain versions of the tool
  • Anyone who uses this tool needs to update it right away

What Is simple-git and Why Do Programmers Use It?

Imagine you have a robot that helps you organize your school projects. The robot keeps track of every change you make, lets you go back to older versions, and helps you work with friends on the same project. That's what git does for computer programmers—it's like a super-powered "undo" button and collaboration tool [1].

Simple-git is a popular tool that lets programs talk to git automatically. Think of it like a translator: your program says "save this work" in English, and simple-git translates it into git-language so git understands what to do [2].

Programmers use simple-git all the time in web applications, tools that help other programmers, and systems that automatically update websites. It's everywhere in modern software.

What's the Problem?

Someone found a way to trick simple-git into running bad commands instead of just translating for git. It's like if you told your translator robot "say hello" but instead it started opening doors and turning off lights [3].

The scary part is that this trick doesn't need a password or special access. If an application uses simple-git in the wrong way, an attacker could send a specially crafted message that makes the application do whatever the attacker wants [4].

The problem affects versions 3.15.0 through 3.32.2 of simple-git. The first release after 3.32.2 fixes the problem, so everyone needs to update to a version newer than 3.32.2 [5].

How Could This Hurt a Business?

Imagine a company has a website that lets programmers share their code. The website uses simple-git to manage all the shared projects. If an attacker knows about this vulnerability, they could:

  • Send a specially crafted project name to the website
  • The website passes that name to simple-git
  • Simple-git gets tricked into running bad commands
  • The attacker now has control over the website's computer [6]

This is called "remote code execution"—the attacker can run commands on a computer without even being in the same building. It's like giving someone the keys to your house through the mail slot [7].
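The following is an added example, not simple-git's own code and not the CVE-2026-28292 exploit (the article does not give its exact trigger). It shows the argument-injection class the article describes: git reads any argument that begins with "-" as an option, so a "project name" or URL copied straight from a request can smuggle an option such as --upload-pack=<program> into git clone, and git then runs that program. The wrapper function names, the regular expressions, and the sample inputs are constructed for illustration.

```javascript
// Added example: a naive git wrapper beside a hardened one. Names and inputs
// are constructed; nothing here invokes git.

// How a naive wrapper builds the git command line: user data goes straight in.
function naiveCloneArgs(repoUrl, dest) {
  return ['clone', repoUrl, dest];
}

// Hardened version: refuse option-looking values, refuse the ext:: transport
// (the vector behind CVE-2022-25860), restrict the URL to https, and put "--"
// before positional arguments so git never parses them as options.
const SAFE_REPO_URL = /^https:\/\/[a-z0-9.-]+(:\d+)?\/[A-Za-z0-9._\/-]+$/;
const SAFE_DIR_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/;

function assertNoOption(value, what) {
  if (typeof value !== 'string' || value.length === 0) throw new Error(`${what}: empty`);
  if (value.startsWith('-')) throw new Error(`${what}: looks like a git option (${value})`);
  if (/[\0\r\n]/.test(value)) throw new Error(`${what}: control characters`);
}

function validateRepoUrl(url) {
  assertNoOption(url, 'repository URL');
  if (/^ext::/i.test(url)) throw new Error('repository URL: ext:: transport is not allowed');
  if (!SAFE_REPO_URL.test(url)) throw new Error(`repository URL: not an https URL we accept (${url})`);
  return url;
}

function validateDirName(name) {
  assertNoOption(name, 'destination');
  if (!SAFE_DIR_NAME.test(name)) throw new Error(`destination: invalid directory name (${name})`);
  return name;
}

function safeCloneArgs(repoUrl, dest) {
  return ['clone', '--', validateRepoUrl(repoUrl), validateDirName(dest)];
}

// True when a user-controlled positional would be read by git as an option:
// it starts with "-" and no "--" precedes it on the command line.
function hasInjectedOption(args, userValues) {
  const sep = args.indexOf('--');
  return args.some((a, i) => userValues.includes(a) && a.startsWith('-') && (sep === -1 || i < sep));
}

// Constructed attacker input: a "project name" that is really a git option.
const MALICIOUS_URL = '--upload-pack=touch /tmp/pwned';
const naive = naiveCloneArgs(MALICIOUS_URL, 'proj');
console.log('naive:', naive, 'injected:', hasInjectedOption(naive, [MALICIOUS_URL, 'proj']));
try {
  safeCloneArgs(MALICIOUS_URL, 'proj');
} catch (e) {
  console.log('hardened rejected:', e.message);
}
console.log('hardened accepted:', safeCloneArgs('https://github.com/example/repo.git', 'repo'));
```

The "--" separator is the cheap part; the allowlist regular expressions are what keep the wrapper from becoming a general-purpose git launcher, so tighten them to the hosts and repository names your application actually needs.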

Why This Happened Twice Before

The really concerning part is that this same kind of problem was found and fixed in simple-git in 2022 (CVE-2022-25860 and CVE-2022-25912) [8]. But the fix wasn't complete—attackers found a different way to do the same trick.

It's like patching a hole in a tire, but the patch wasn't big enough. The air is still leaking out, just through a different spot.

What Businesses Need to Do Right Now

1. Check If You Use simple-git

Any business that has programmers or uses web applications should check if they depend on simple-git. Programmers can run npm ls simple-git --all inside a project to see whether it is installed anywhere in that project's dependency tree [9].

2. Update to a Version Newer Than 3.32.2

If any version from 3.15.0 through 3.32.2 is installed, update it immediately to the patched release that follows 3.32.2. This is critical—not something to put off until next week [10].

3. Check Your Dependencies

Your business might not directly use simple-git, but the tools you use might depend on it. It's like your backpack has a pocket, and that pocket has a smaller pocket—you need to check all the layers [11].

4. Set Up Automatic Checks

There are tools that can automatically watch for problems like this and alert you when they're found. It's like having a security guard that checks all your doors and windows every night [12].
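As an added example for the four steps above (not code from the article or from the simple-git project), the script below scans a package-lock.json for every installed copy of simple-git, direct or transitive, and flags any version inside the range the article lists as affected, 3.15.0 through 3.32.2. The lock file is constructed for illustration; on a real project you would read the file from disk.

```javascript
// Added example: walk a package-lock.json (lockfileVersion 2 or 3, "packages"
// map) for every copy of a package and flag affected versions. The sample lock
// file below is constructed.

const AFFECTED_MIN = [3, 15, 0];
const AFFECTED_MAX = [3, 32, 2];

function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(text || '');
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, AFFECTED_MAX) <= 0;
}

// Return every installed copy of `name`. Nested copies live at paths like
// node_modules/<parent>/node_modules/<name>; "transitive" means the root
// package.json does not list the package directly, whatever the path.
function findInstalledCopies(lock, name) {
  const root = (lock.packages && lock.packages['']) || {};
  const direct = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]);
  const copies = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue;
    const installedName = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (installedName !== name) continue;
    copies.push({
      path,
      version: meta.version,
      affected: isAffected(meta.version),
      transitive: !direct.has(name),
    });
  }
  return copies;
}

function summarise(lock, name) {
  const copies = findInstalledCopies(lock, name);
  return { copies, vulnerable: copies.filter((c) => c.affected).length };
}

// Constructed lock file: one affected copy pulled in by an internal deploy tool,
// and one pre-range copy nested under an older tool.
const SAMPLE_LOCK = {
  name: 'customer-portal',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'deploy-helper': '^1.0.0', 'old-tool': '^2.0.0' } },
    'node_modules/deploy-helper': { version: '1.0.0', dependencies: { 'simple-git': '^3.20.0' } },
    'node_modules/simple-git': { version: '3.27.0' },
    'node_modules/old-tool': { version: '2.0.0', dependencies: { 'simple-git': '3.14.0' } },
    'node_modules/old-tool/node_modules/simple-git': { version: '3.14.0' },
  },
};

console.log(JSON.stringify(summarise(SAMPLE_LOCK, 'simple-git'), null, 2));
```

Note that the vulnerable copy sits at the top level of node_modules even though nothing in the application imports it directly; that is the "pocket inside a pocket" case from step 3. npm ls simple-git --all and npm audit give the same answer for a real tree, and Dependabot or an equivalent scanner automates step 4 by re-running this check whenever the lock file changes.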

The Big Lesson: We All Depend on Each Other's Code

Modern software is built like a tower of blocks. Each block is a piece of code written by someone else. When one block has a crack, the whole tower can wobble [13].

That's why security isn't just about writing good code yourself—it's about making sure all the blocks you use are solid too. When a popular tool like simple-git has a problem, it affects everyone who uses it, even if they wrote perfect code themselves.

FAQ

No, you need to update to the fixed version (newer than 3.32.2). The problem is in how the tool was written, so the people who make simple-git had to fix it and release a new version [14].

If your business has programmers who work with Node.js (a popular programming system), ask them to check if any projects use simple-git. If they're not sure, that's a problem—not knowing what you're using is risky [15].

Not necessarily. The attack comes through normal web traffic—it looks like a regular request until simple-git processes it. Firewalls are like locks on your doors, but this attack uses the doorbell [16].

Programming is complicated, and it's hard to think of every possible way someone might try to trick your code. That's why security updates happen constantly—it's not that the programmers were bad, it's that attackers are always finding new tricks [17].

References

[1] TheHackerWire, "Critical RCE in simple-git (CVE-2026-28292)," TheHackerWire, March 10, 2026. [Online]. Available: https://www.thehackerwire.com/critical-rce-in-simple-git-cve-2026-28292/

[2] npm, "simple-git package," npm, 2026. [Online]. Available: https://www.npmjs.com/package/simple-git

[3] TheHackerWire, "Critical RCE in simple-git," 2026.

[4] CWE, "CWE-78: OS Command Injection," MITRE, 2025. [Online]. Available: https://cwe.mitre.org/data/definitions/78.html

[5] TheHackerWire, "Critical RCE in simple-git," 2026.

[6] OWASP, "Command Injection," OWASP Foundation, 2025. [Online]. Available: https://owasp.org/www-project-command-injection/

[7] CWE, "CWE-78: OS Command Injection," 2025.

[8] TheHackerWire, "Critical RCE in simple-git," 2026.

[9] npm Documentation, "Troubleshooting dependency trees," npm, 2025. [Online]. Available: https://docs.npmjs.com/cli/v9/commands/npm-ls

[10] TheHackerWire, "Critical RCE in simple-git," 2026.

[11] GitHub, "About Dependabot alerts," GitHub, 2025. [Online]. Available: https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

[12] GitHub, "About Dependabot alerts," 2025.

[13] CISA, "Software Supply Chain Security," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/software-supply-chain-security

[14] TheHackerWire, "Critical RCE in simple-git," 2026.

[15] Flashpoint, "Navigating 2026's Converged Threats: Insights from Flashpoint's Global Threat Intelligence Report," Flashpoint, March 11, 2026. [Online]. Available: https://flashpoint.io/blog/global-threat-intelligence-report-2026/

[16] OWASP, "Command Injection," 2025.

[17] Flashpoint, "Navigating 2026's Converged Threats," 2026.


Worried about your software dependencies? Book a free cybersecurity consultation at consult.lil.business—we'll help you understand and secure your code.
