The headlines this week were BlueHammer, the Windows Defender local-privilege-escalation zero-day with a working public exploit. It's a good story — your EDR is the privilege escalation. But the more interesting story is what sits next to it on the KEV ledger.
Here is the full April 20–24 batch, sorted by what the affected product actually does in your network:
The management plane (7 of 13)
- CVE-2026-33825 — Microsoft Defender insufficient access control. SYSTEM-level LPE via a TOCTOU race in Defender's remediation engine. Public PoC ("BlueHammer") since April 7. Your EDR.
- CVE-2024-57726 — SimpleHelp RMM missing authorization (CVSS 9.9). Lets a Technician-tier user mint API keys with admin permissions. Your remote-management tool.
- CVE-2024-57728 — SimpleHelp RMM path traversal. Admin-level zip-slip → arbitrary code execution as the SimpleHelp server user. Already weaponized by Medusa and DragonForce affiliates. Same tool.
- CVE-2025-32975 — Quest KACE Systems Management Appliance improper authentication. Your endpoint-management appliance.
- CVE-2026-20122 / -20128 / -20133 — Three separate flaws in Cisco Catalyst SD-WAN Manager. Your network control plane.
Everything else (6 of 13)
- CVE-2023-27351 — PaperCut NG/MF (print management — borderline)
- CVE-2024-27199 — JetBrains TeamCity (CI/CD)
- CVE-2025-2749 — Kentico Xperience (web CMS)
- CVE-2025-48700 — Synacor Zimbra (mail)
- CVE-2024-7399 — Samsung MagicINFO (digital signage)
- CVE-2025-29635 — D-Link DIR-823X (consumer router)
Two columns, one obvious tilt. And this isn't cherry-picking — I just walked the KEV additions in date order and asked one question: does this product administer other things, or is it administered?
Why this is structural, not coincidence
A management tool is, by definition, a piece of software with privileged trust paths into everything it manages. That's literally what it does. SD-WAN Manager talks to every router. KACE talks to every endpoint. SimpleHelp talks into customer environments. Defender runs as SYSTEM on every Windows host you own.
For an attacker, this is the cheat code. One compromise of the manager and you're not breaking into the fleet — you're using its own trust paths to deploy yourself into the fleet. No lateral movement detection, no anomaly score, because the traffic looks exactly like the operations the management tool does every day. And the audit trail, if any, lives inside the system you just compromised.
The economics flipped a couple of years ago and most defenders didn't update their threat model. When edge appliances became the dominant initial-access vector circa 2023 (Fortinet, Citrix, Ivanti — repeat), there was at least the small mercy that the appliance was at the perimeter and could be isolated. The management plane has no perimeter to it. The whole point is that it reaches everything.
What to do this week
- Patch Defender first. Microsoft's April 2026 Patch Tuesday includes the fix for CVE-2026-33825. Validate that your fleet shows Defender platform version 4.18.26030.3011 or later. The federal due date is May 6 — assume your auditor will treat that as the bar for everyone.
- Audit which RMM is in your environment, and on which hosts. If you discover SimpleHelp running anywhere — IT admins, MSP integrations, contractor workstations — get it to 5.5.8 or kill it. Both SimpleHelp CVEs are chained in active ransomware campaigns; a deploy of either Medusa or DragonForce starts here.
- Pull every management appliance to a separately-monitored zone. SD-WAN Manager, KACE, SCCM, Tanium, JumpCloud, your AD admin tier — they should not be in the same observability bucket as the workloads they manage. If your only telemetry of "is the manager owned?" comes from the manager itself, you have no telemetry.
- Add a "manager-originated lateral push" detection. A SimpleHelp or KACE agent installing a binary on 200 endpoints in 90 seconds is either a software rollout you authorized or a ransomware deployment. Both look the same in EDR. The only way to tell them apart is whether your change-management system says it should be happening. Wire that up.
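The last bullet is a detection that EDR alone cannot deliver: a burst of agent-spawned binaries across many hosts has to be joined against change management before it means anything. The following is an added example, not code from the original post; the agent image names, the event shape and the approval records are constructed and hypothetical, standing in for whatever your EDR and CAB system actually emit.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real telemetry; the agent image names are hypothetical.
MANAGEMENT_AGENTS = {"SimpleHelpAgent.exe", "KaceAgent.exe"}
T0 = datetime(2026, 4, 22, 10, 0, 0)

def _push(parent, sha256, n_hosts, start, spread_s):
    """Synthesise n_hosts process-create events (parent spawned binary) over spread_s seconds."""
    return [{"ts": start + timedelta(seconds=i * spread_s / n_hosts), "host": f"ws-{parent[:4]}-{i:03d}",
             "parent": parent, "sha256": sha256} for i in range(n_hosts)]

EVENTS = (
    _push("KaceAgent.exe", "sha256:ROLLOUT-OK", 25, T0, 60)                              # CAB-approved rollout
    + _push("SimpleHelpAgent.exe", "sha256:UNKNOWN-1", 30, T0 + timedelta(hours=1), 45)  # nobody approved this
    + _push("SimpleHelpAgent.exe", "sha256:ONE-OFF", 3, T0 + timedelta(hours=2), 10)     # below threshold
    + _push("explorer.exe", "sha256:USER-APP", 40, T0, 30)                               # not a management agent
)
# Constructed change-management records: which agent may push which binary, and when.
APPROVED_CHANGES = [{"parent": "KaceAgent.exe", "sha256": "sha256:ROLLOUT-OK",
                     "start": T0 - timedelta(minutes=5), "end": T0 + timedelta(minutes=30)}]

def find_mass_pushes(events, agents=MANAGEMENT_AGENTS, min_hosts=20, window=timedelta(seconds=90)):
    """Group agent-spawned process creations by (agent, binary) and flag any pair that
    reaches min_hosts distinct hosts inside a sliding window of `window` seconds."""
    by_key = defaultdict(list)
    for e in events:
        if e["parent"] in agents:
            by_key[(e["parent"], e["sha256"])].append((e["ts"], e["host"]))
    pushes = []
    for (parent, sha), hits in by_key.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {h for ts, h in hits[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                pushes.append({"parent": parent, "sha256": sha, "hosts": len(hosts), "first_seen": start})
                break
    return pushes

def is_authorized(push, approvals=APPROVED_CHANGES):
    """Authorized only if change management holds a matching agent+binary record covering the push."""
    return any(a["parent"] == push["parent"] and a["sha256"] == push["sha256"]
               and a["start"] <= push["first_seen"] <= a["end"] for a in approvals)

def triage(events=EVENTS, approvals=APPROVED_CHANGES):
    """Attach a verdict to each mass push; on EDR data alone the two cases are indistinguishable."""
    return [dict(p, verdict="authorized rollout" if is_authorized(p, approvals) else "UNAUTHORIZED mass push")
            for p in find_mass_pushes(events)]
```

Note that the explorer.exe burst is ignored entirely and the three-host SimpleHelp push never trips the threshold; only the two fleet-wide pushes reach the verdict step, and the approval record is the only thing separating them.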
critical with recommended action contain, not investigate. The reasoning the model gives is exactly the argument above — these aren't endpoints you patch on a 30-day cycle. Drop one of the seven CVEs above into demo.syberops.com and watch it walk through the logic itself.
The verdict
Stop ranking your KEV queue by CVSS. Rank it by trust radius. A 7.8 LPE on the EDR running across 30,000 endpoints is more urgent than a 9.8 RCE on a single web app — because the EDR has paths into everything you own and the web app only has paths into itself. Every tool listed above earns a higher slot than the raw score implies. Triage accordingly.
The pattern won't reverse. The next quarterly batch will look the same, because attackers have correctly figured out that trust-path compromise is the highest-leverage move available. The defenders who notice this first are the ones who'll still be writing post-incident reviews instead of starring in them.