Security Check-in Quick Hits: Zero-Days in Windows & Fortinet, AI Coding Agent Flaws, and Viral North Korean Unmasking Tactics Rock the Feed
For April 7, 2026
Public Windows Defender Zero-Day Exploit (BlueHammer) Drops Full SYSTEM Access PoC
A security researcher known as Chaotic Eclipse has released working exploit code for a zero-day local privilege escalation vulnerability in Windows, dubbed BlueHammer. The proof-of-concept allows a low-privileged user to escalate all the way to NT AUTHORITY\SYSTEM—the highest level on the machine—in seconds.
Screenshots circulating on X show a restricted account instantly spawning a full SYSTEM command prompt. The exploit targets Windows Defender environments but works broadly on Windows systems. Full source code is now public on GitHub, dramatically lowering the bar for attackers.
Why it matters: Any local user (think rogue insider, compromised low-priv account, or malware) can now own the entire box. Organizations relying on Defender as their primary EDR should treat this as an immediate patch-or-mitigate situation. Expect rapid weaponization in ransomware and espionage campaigns. Monitor for anomalous SYSTEM-level activity from user contexts and accelerate any pending OS updates.
CISA Adds Actively Exploited Fortinet FortiClient EMS Flaw to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has formally added CVE-2026-35616—a critical improper access control vulnerability in Fortinet FortiClient Enterprise Management Server (EMS) versions 7.4.5 and 7.4.6—to its Known Exploited Vulnerabilities list.
The pre-authentication bypass (CVSS 9.1) lets attackers escalate privileges and access the management server without credentials. Federal agencies have until April 9, 2026 to remediate. The 7.2 branch is unaffected.
Why it matters: This is already being used in live attacks. FortiClient EMS is widely deployed for endpoint management; a compromise here gives attackers control over fleets of corporate devices. Patch immediately, restrict internet exposure of EMS consoles, and enable strict access controls. If you can’t patch in time, consider temporary isolation or compensating controls.
Anthropic’s Claude Code Silently Bypasses Your Security Rules
Anthropic’s Claude Code AI coding agent contains a high-severity bypass flaw that lets attackers evade developer-configured deny rules with a simple command-padding trick (more than 50 subcommands chained with &&, ||, or ;). The root cause sits in bashPermissions.ts where a performance optimization caps analysis and falls back to a generic prompt.
This exposes hundreds of thousands of developers to credential theft and supply-chain attacks when using the agent on GitHub repos.
Why it matters: AI coding assistants are now part of the software supply chain. A single crafted command string can turn a “secure” agent into an open door. Teams should review Claude Code configurations, limit command complexity where possible, and treat AI agents with the same zero-trust scrutiny as human developers. Expect similar issues in other LLM-powered coding tools.
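To make the fail-open pattern behind this flaw concrete, here is an added toy model of a shell-command permission gate (example code written for this roundup, not Claude Code's own bashPermissions.ts). The deny rules, the 50-subcommand cap and the sample commands are assumptions; it contrasts a gate that stops analysing past the cap and falls back to a generic prompt with one that fails closed.

```typescript
// Added example (not Claude Code's own code): a toy permission gate for shell
// commands, contrasting a fail-open analysis cap with a fail-closed one.
// DENY_RULES, ANALYSIS_CAP and the sample commands are constructed assumptions.

type Decision = "allow" | "deny" | "ask";

const DENY_RULES: RegExp[] = [/^curl\b/, /^wget\b/, /^rm\s+-rf\b/];
const ANALYSIS_CAP = 50; // assumed cap, mirroring the one the article describes

// Split a command line on &&, ||, ; into its subcommands. Quoting and
// subshells are deliberately not handled; the point is the policy logic.
function splitSubcommands(cmd: string): string[] {
  return cmd
    .split(/\s*(?:&&|\|\||;)\s*/)
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

function matchesDeny(sub: string): boolean {
  return DENY_RULES.some((r) => r.test(sub));
}

// Weak gate: once the subcommand count exceeds the cap it stops analysing and
// falls back to a generic "ask" prompt, so a denied command placed past the
// cap is never matched against the deny list (the fail-open behaviour).
function weakGate(cmd: string): Decision {
  const subs = splitSubcommands(cmd);
  if (subs.length > ANALYSIS_CAP) return "ask";
  return subs.some(matchesDeny) ? "deny" : "allow";
}

// Hardened gate: exceeding the cap is itself a deny, and every subcommand is
// still checked, so the performance limit fails closed instead of open.
function hardenedGate(cmd: string): Decision {
  const subs = splitSubcommands(cmd);
  if (subs.length > ANALYSIS_CAP) return "deny";
  return subs.some(matchesDeny) ? "deny" : "allow";
}

// Constructed samples: a plain denied command, a harmless chain, and the same
// denied command hidden behind 60 no-op steps so it sits past the cap.
const plainDenied = "curl http://example.invalid";
const harmlessChain = "ls -la && echo done";
const paddedDenied = Array(60).fill("true").join(" && ") + " && " + plainDenied;
```

The padded chain yields "ask" from the weak gate (the operator sees a generic prompt, not a deny-rule hit) but "deny" from the hardened one; the plain and harmless commands are decided identically by both.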
Viral Technique Unmasks North Korean IT Operatives—Just Ask Them to Insult Kim Jong Un
A widely shared video shows a job candidate (posing as Japanese national “Taro Aikuchi”) instantly outed as a North Korean state-sponsored IT worker when asked to insult Supreme Leader Kim Jong Un during an interview. The candidate’s visible discomfort and refusal triggered immediate red flags.
The technique is now circulating in cybersecurity and crypto hiring circles as a low-tech but effective way to detect DPRK operatives infiltrating Western organizations under fake identities.
Why it matters: North Korean IT workers have long used fake personas to land remote jobs at tech and crypto firms for espionage and revenue generation. This social-engineering litmus test highlights how human psychology remains a powerful detection layer. Recruiters and security teams should incorporate subtle loyalty-testing questions (without crossing legal/HR lines) and maintain rigorous identity verification, especially for remote technical roles.
These four stories dominated cybersecurity chatter the last 24 hours—proof that zero-days, AI supply-chain risks, and state-sponsored human intelligence ops continue to move at internet speed. Stay patched, stay skeptical, and keep an eye on your AI tools.