The April Patch Tuesday cycle has introduced a cluster of critical security vulnerabilities across key enterprise products from SAP, Adobe, Microsoft and Fortinet. Several flaws are already being actively exploited, significantly increasing the risk for organizations that delay patch deployment or lack mature vulnerability management processes.
Critical SAP SQL Injection (CVE-2026-27681) Puts Financial Planning at Risk
The most severe issue disclosed this month is CVE-2026-27681, a SQL injection vulnerability in SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW), rated CVSS 9.9. The flaw resides in an ABAP-based application that allows a low-privilege user to upload a file containing arbitrary SQL statements, which are then executed by the database engine.
SQL injection is a class of vulnerability where an attacker manipulates database queries to run unintended commands. In this case, the impact is especially serious: an attacker can exfiltrate sensitive planning data, modify financial and operational figures, or delete and corrupt records inside BW/BPC repositories.
Security researchers at Onapsis highlight that the vulnerability is reachable via standard data upload functionality, which means an attacker operating inside a compromised network does not need specialized tools or privileged access to launch the attack. This substantially lowers the barrier to exploitation once an initial foothold has been obtained.
According to analysis from Pathlock, unauthorized manipulation of planning and consolidation data can undermine the integrity of management reporting, period-end closing and forecasting processes. For attackers, this creates a powerful tool not only for covert data theft, but also for direct business disruption—from skewing key performance indicators (KPIs) to causing misstatements in financial reports submitted to regulators and investors.
Adobe Acrobat Reader Zero-Day and ColdFusion Vulnerabilities
Adobe Acrobat Reader Remote Code Execution (CVE-2026-34621)
Another high-impact issue is CVE-2026-34621, a critical vulnerability in Adobe Acrobat Reader with a CVSS score of 8.6. The flaw allows remote code execution (RCE) when a victim opens a specially crafted PDF file. Adobe has confirmed that this vulnerability is already exploited in the wild, qualifying it as a likely zero-day at the time of patch release.
RCE vulnerabilities in widespread client applications such as Acrobat Reader are routinely used as the initial access vector in targeted campaigns. Typical delivery methods include phishing emails with malicious attachments, links to booby-trapped PDF documents hosted on compromised websites, or files shared through collaboration platforms. Once code execution is achieved, attackers can deploy malware, steal credentials, or pivot deeper into corporate networks.
ColdFusion 2025 and 2023: Server-Side Compromise Risks
Adobe also released patches for five critical vulnerabilities in ColdFusion 2025 and 2023. Successful exploitation can result in remote code execution, denial of service (DoS), arbitrary file reads and bypass of security controls. For web applications built on ColdFusion, this can translate into full server compromise, data theft from backend databases and long-term persistence in the environment.
Fortinet FortiSandbox: Authentication Bypass and Code Execution
Fortinet has addressed two critical vulnerabilities in FortiSandbox that may lead to authentication bypass and remote code execution. FortiSandbox is commonly deployed to analyze suspicious files and detect advanced threats, making it a high-value target.
If compromised, the system intended to provide protection can instead become an entry point into the network. An attacker could gain access to sensitive content processed by the sandbox, manipulate analysis results, or use the appliance as a launchpad for further attacks across the infrastructure.
Microsoft Patch Tuesday: 169 Vulnerabilities and an Exploited SharePoint Flaw
As part of its April Patch Tuesday, Microsoft released fixes for 169 vulnerabilities across its product portfolio. Of particular concern is CVE-2026-32201, a spoofing vulnerability in Microsoft SharePoint Server with a CVSS score of 6.5 that is already under active exploitation.
The flaw can enable attackers to gain access to confidential information stored in SharePoint portals and document libraries. Security specialists from Immersive Labs note that internal SharePoint sites often host data that is highly valuable for double extortion schemes—where attackers not only encrypt data, but also threaten to leak stolen documents to increase pressure on victims.
Beyond data theft, access to SharePoint content allows adversaries to replace legitimate documents with weaponized versions. This tactic leverages users’ trust in internal resources and can facilitate lateral movement, malware distribution and credential harvesting within the organization.
Given the breadth of the April security updates and the presence of actively exploited vulnerabilities in both Adobe Acrobat Reader and Microsoft SharePoint Server, organizations should act without delay. Key priorities include: deploying patches for SAP, Adobe, Microsoft, Fortinet and other in-scope products; reviewing and tightening user privileges in critical planning and document management systems; enhancing monitoring for anomalous activity in SAP BW/BPC, SharePoint and email infrastructure; conducting awareness training on the risks of opening unsolicited PDF and office documents; and validating the effectiveness of vulnerability management and backup processes. Consistent execution of these measures reduces the likelihood of a successful attack and limits the potential impact if a compromise occurs.
