
Cleartext – April 17, 2026

Friday, April 17, 2026·8:53



Show Notes

Daily cybersecurity briefing for CISOs and security leaders.


Episode Summary

Today's episode covers 8 stories across 4 topic areas, including: US nationals sentenced for aiding North Korea’s tech worker scheme; ZionSiphon malware designed to sabotage water treatment systems; Ukrainian emergency services and hospitals hit by espionage campaign using new AgingFly malware.

Stories Covered

🌍 Geopolitical

US nationals sentenced for aiding North Korea’s tech worker scheme

CyberScoop · Apr 16 · Relevance: ████████░░ 8/10

Why it matters to CISOs: With sentences of 8-9 years for facilitating DPRK IT worker infiltration at 100+ US companies, this case underscores the insider threat from fraudulent remote workers and the need for robust identity verification in hiring pipelines.

  • Two US nationals sentenced to 8-9 years in prison
  • Shell companies and laptop farms helped DPRK operatives obtain jobs at 100+ US firms
  • Scheme generated over $5 million for the North Korean government


ZionSiphon malware designed to sabotage water treatment systems

BleepingComputer · Apr 16 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Purpose-built OT malware targeting water infrastructure signals escalating threats to critical infrastructure; CISOs in utilities and organizations with OT environments should review ICS segmentation and monitoring capabilities.

  • New OT-specific malware called ZionSiphon targets water treatment and desalination systems
  • Designed specifically for operational technology sabotage
  • Represents growing trend of targeted critical infrastructure malware


Ukrainian emergency services and hospitals hit by espionage campaign using new AgingFly malware

The Record (Recorded Future) · Apr 16 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: State-sponsored espionage targeting hospitals and emergency services with novel malware highlights persistent threats to healthcare globally and the continued evolution of wartime cyber operations with potential spillover risk.

  • New 'AgingFly' malware used in espionage campaign targeting Ukrainian hospitals and emergency services
  • Campaign targets local government bodies alongside healthcare
  • Represents continued escalation of cyber operations against civilian infrastructure


🔓 Data Breach

New ATHR vishing platform uses AI voice agents for automated attacks

BleepingComputer · Apr 16 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: AI-powered vishing at scale represents a step-change in social engineering risk; CISOs need to revisit help desk authentication procedures and employee awareness training to address fully automated voice phishing attacks.

  • ATHR platform automates voice phishing using both human operators and AI voice agents
  • Capable of harvesting credentials through fully automated social engineering
  • Represents commoditization of AI-powered vishing attacks


⚖️ Governance & Policy

CISA Warns of 'Detrimental Capacity Impacts' Amid Shutdown

BankInfoSecurity · Apr 17 · Relevance: █████████░ 9/10

Why it matters to CISOs: CISA operating at 40% staffing fundamentally degrades federal threat intelligence sharing and incident response support that enterprise security teams rely on, forcing CISOs to reassess their dependency on government cyber resources.

  • CISA staffing reduced to 40% due to workforce shortages and shutdown disruptions
  • FY budget request of $2.5 billion reflects mounting operational strain
  • Acting director warns of 'detrimental capacity impacts' on federal network defense


NIST limits vulnerability analysis as CVE backlog swells

Cybersecurity Dive · Apr 16 · Relevance: ████████░░ 8/10

Why it matters to CISOs: NIST deprioritizing enrichment of most CVEs means vulnerability management programs that rely on NVD data for scoring and context will have significant gaps—CISOs must evaluate alternative intelligence sources and adjust patching workflows.

  • NIST will stop enriching CVEs that don't meet new prioritization criteria
  • CVE submissions surged 263%, overwhelming NVD capacity
  • Pre-March 2026 vulnerabilities will no longer receive NVD enrichment


Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution

The Hacker News · Apr 16 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A CVSS 9.8 flaw in Cisco Webex SSO certificate validation that allows user impersonation across the service demands immediate patching and customer action—particularly given Webex's ubiquity in enterprise communications.

  • Four critical Cisco vulnerabilities patched across Identity Services and Webex
  • CVE-2026-20184 scores 9.8 CVSS—improper certificate validation enables user impersonation
  • Cisco says the Webex flaw requires additional customer action beyond patches


🚨 Critical Vulnerability

Researcher drops two more Microsoft Defender zero-days, all three now exploited in the wild

Help Net Security · Apr 17 · Relevance: █████████░ 9/10

Why it matters to CISOs: Three unpatched zero-days in Microsoft Defender—the default endpoint protection for most enterprises—are now actively exploited, with one allowing complete disabling of Defender. CISOs must evaluate compensating controls and EDR layering immediately.

  • Three zero-day exploits in Microsoft Defender now confirmed exploited in the wild
  • 'RedSun' grants SYSTEM-level privilege escalation; 'UnDefend' can disable Defender entirely
  • Huntress researchers confirmed all three exploitation techniques are active


Full Transcript


Jordan: Three zero-days in Microsoft Defender. All three being exploited right now. One of them lets a standard user turn Defender off entirely. No patch. Happy Friday.

Alex: Welcome to Cleartext. It's Friday, April 17th, 2026. I'm Alex Chen.

Jordan: And I'm Jordan Reeves.

Alex: Today we've got a lot of ground to cover and it matters. Three unpatched Defender zero-days actively in the wild. CISA operating at 40% capacity and warning about it publicly. The federal vulnerability database quietly breaking. North Korean operatives embedded at over a hundred US companies, and the people who helped them just got sentenced to nearly a decade in prison. We'll also hit a new AI-powered vishing platform that's industrializing social engineering, a piece of OT malware purpose-built to sabotage water systems, and four critical Cisco patches including one that's a 9.8. Let's get into it.

Jordan: So the Defender zero-days. This is the lead for a reason. A researcher dropped a PoC earlier this month for a privilege escalation flaw in Microsoft Defender. This week, they came back with two more. The first new one, called RedSun, is another privilege escalation that gets you to SYSTEM level. The second, called UnDefend, lets a standard user block Defender from receiving signature updates entirely. Huntress has confirmed active exploitation of all three. There are no patches.

Alex: Let me be direct about the business impact here. Microsoft Defender is the default endpoint protection in most enterprise environments. When your EDR can be silenced by a standard user account, your entire detection and response capability is potentially gone before you even know an intrusion is happening. If you're running Defender as a standalone solution, that is a gap you need to close today. This is the argument for layered EDR. It's also the argument for having that conversation with your board not as a future initiative but as an emergency budget item this quarter. Talk to your vendors, look at compensating controls, and review what telemetry you have outside of Defender that would catch lateral movement if your endpoint protection is dark.

Jordan: Related note before we move on: Cisco patched four critical vulnerabilities this week across Identity Services and Webex. The one that stands out is CVE-2026-20184, CVSS 9.8, improper certificate validation in Webex SSO that allows an attacker to impersonate any user in the service. Cisco has said this one requires additional customer action beyond applying the patch. That's the phrase that should be jumping out at you. Pull the advisory, read the full remediation steps, don't assume patching is sufficient.

Alex: Now let's talk about CISA, because this one has systemic implications for every enterprise security team in this country. The acting director came out this week and publicly warned of what she called detrimental capacity impacts. CISA is operating at 40% staffing. Forty percent. The FY budget request is $2.5 billion, which tells you the scale of the strain they're acknowledging.

Jordan: Here's what that actually means operationally. CISA is the connective tissue for federal threat intelligence sharing. They run the advisories, they coordinate incident response for critical infrastructure, they operate the information sharing mechanisms that private sector security teams depend on. At 40% capacity, the cadence slows, the depth decreases, and response times stretch. The question every CISO should be asking is: how dependent is my program on that flow of government intelligence, and what's my plan if it degrades further?

Alex: This isn't political commentary. It's a resource planning conversation. The organizations that built their threat intelligence capability entirely on government feeds are more exposed right now than they should be. If you haven't already diversified into commercial threat intel, sector-specific ISACs, and direct vendor relationships, this is the moment that argument wins internally.

Jordan: Directly related: NIST announced this week that it's limiting vulnerability enrichment in the National Vulnerability Database. CVE submissions surged 263% and the NVD simply can't keep up. Going forward, they'll only enrich vulnerabilities that meet new prioritization criteria. Pre-March 2026 vulnerabilities will no longer receive NVD enrichment at all.

Alex: The NVD is the backbone of most commercial vulnerability management platforms. Scoring, CVSS data, patch context—a significant portion of that flows from NVD enrichment. If you have a vuln management program that's essentially a wrapper around NVD data, you now have gaps you can't see. This is the week to have a frank conversation with your vuln management vendor about where their data comes from and what their alternative enrichment strategy looks like. It's also the week to look at whether you're subscribed to CISA's KEV catalog as a parallel prioritization mechanism, because that's not going away.

Jordan: Alright, let's talk North Korea, because this week's sentencing is a useful data point in a broader threat picture. Two US nationals—Kejia Wang and Zhenxing Wang—got eight to nine years for running shell companies and laptop farms that helped DPRK IT operatives get hired at over a hundred US companies. The scheme generated more than five million dollars for the North Korean government.

Alex: What strikes me about this case is the infrastructure required. Shell companies. Physical laptop farms to make remote workers appear domestic. Intermediaries managing the persona maintenance. This isn't a few clever individuals with fake LinkedIn profiles. This is an organized, state-sponsored employment fraud operation at scale. And the fact that it penetrated over a hundred companies tells you that standard hiring checks are insufficient against a well-resourced adversary.

Jordan: The geopolitical context is that this revenue stream directly funds DPRK's weapons programs. These aren't just cybercriminals running a hustle. They're executing a state economic priority. Which means the program isn't going away because two facilitators got sentenced. The sentences are a deterrent signal to US-based enablers, but the DPRK side of this operation is unchanged.

Alex: Practical implication for your hiring pipeline: if you have remote contractors or vendors, especially in software development, your identity verification process needs to go beyond what a videoconference can tell you. Device fingerprinting, out-of-band verification, anomalous access pattern monitoring for new hires—these aren't paranoid. They're appropriate given what we now know happened at a hundred companies.

Jordan: Two more geopolitical items worth flagging. ZionSiphon is a new piece of OT-specific malware designed to sabotage water treatment and desalination systems. Purpose-built for operational technology disruption. If you have any OT environment or you have exposure through third-party suppliers who do, this is a signal about the direction of threat actor investment. ICS segmentation, network monitoring between IT and OT, and tabletop exercises that include OT disruption scenarios—not optional anymore.

Alex: And separately, Ukrainian hospitals and emergency services were hit with a new espionage campaign using malware called AgingFly. The spillover risk from wartime cyber operations into global healthcare infrastructure is real and documented. If you're in healthcare or you have European operations, that threat landscape is active and evolving.

Jordan: Finally, the ATHR vishing platform. This is a crimeware-as-a-service product that automates voice phishing using both human operators and AI voice agents. Fully automated credential harvesting via phone. The significance is commoditization. AI-powered vishing is no longer a sophisticated nation-state technique. It's a platform someone can rent.

Alex: Your help desk is the target. That's always been true, but now the scale and polish of the attack has increased dramatically. Out-of-band authentication for sensitive requests, callback verification protocols, and yes, updated security awareness training that specifically addresses AI voice impersonation—these need to be on the short list. The classic "my boss called and needs access reset" scenario just got a lot more convincing.

Jordan: So zooming out, the theme this week is infrastructure erosion. Not dramatic single breaches, but a systematic degradation of the foundations security teams rely on. CISA at 40%. NVD enrichment contracting. Microsoft's default endpoint tool sitting unpatched with active exploits. These aren't isolated incidents. They're cumulative stress on the ecosystem.

Alex: And the organizations that built resilient, redundant security capabilities—layered EDR, diversified intel sources, strong identity verification, hardened OT environments—those teams are better positioned to absorb these shocks. The ones that outsourced their thinking to a single government feed or a single endpoint tool are finding out why that was a risk. The board conversation this quarter isn't about new threats. It's about whether your foundation is solid enough to handle the ones you already knew about.

Jordan: Watch the Microsoft Defender patch timeline. Watch CISA's budget negotiation. And watch whether the ATHR platform starts showing up in incident reports, because that will be the signal it's gone mainstream.

Alex: That's Cleartext for Friday, April 17th. If this was useful, share it with a peer. We'll be back Monday. Stay sharp.


Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-04-17.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.