SANS Stormcast Tuesday, April 21st, 2026: CVE and EPSS; Windows Server 2025 OOB;  QEMU Abuse;

SANS Internet StormCast, Apr 21, 2026

Why It Matters

Understanding EPSS helps organizations focus remediation efforts on the most exploitable flaws, reducing risk amid a flood of new CVEs. The Server 2025 patch issue illustrates how even official updates can cause operational disruptions, underscoring the importance of vigilant patch management. The QEMU abuse technique shows how attackers can bypass traditional endpoint defenses, making it critical for security teams to track and control virtualization software in their environments.

Key Takeaways

  • EPSS provides probability scores for vulnerability exploitation.
  • EPSS integration automates enrichment in vulnerability management tools.
  • Microsoft released an out‑of‑band patch for the Server 2025 reboot loop.
  • QEMU virtualization used by ransomware operators to hide malicious activity.
  • Inventory legitimate virtualization tools to prevent abuse.

Pulse Analysis

The latest surge of CVE entries has overwhelmed the National Vulnerability Database, leaving many new flaws without enrichment data. To fill that gap, the Exploit Prediction Scoring System (EPSS) – developed by FIRST – assigns a probability that a vulnerability will be exploited. Because EPSS scores are generated automatically, they scale far beyond manual NIST efforts. Xavier demonstrated how EPSS can be pulled directly into tools like Vazoo, enriching each record with an exploit likelihood and helping security teams prioritize remediation more effectively.
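As an added illustration of the enrichment step described above (example code, not from the ISC diary or any particular vulnerability-management tool), the script below takes a scanner export, looks up each CVE in an EPSS response shaped like FIRST's public API output, and re-ranks the findings by exploit probability rather than CVSS alone. The API URL is FIRST's documented endpoint; the CVE identifiers, scores and hosts are constructed sample data, and a CVE with no EPSS record is kept at the bottom instead of being dropped.

```python
"""Enrich a vulnerability-scan export with EPSS scores and rank by exploit likelihood."""
import json
import urllib.request  # only used by fetch_epss(); the sample below runs offline

EPSS_API = "https://api.first.org/data/v1/epss"  # FIRST's public EPSS endpoint


def fetch_epss(cve_ids):
    """Query FIRST for the given CVEs (comma-separated, max 100 per call); returns raw JSON."""
    url = f"{EPSS_API}?cve={','.join(cve_ids)}"
    with urllib.request.urlopen(url, timeout=15) as resp:
        return json.load(resp)


def parse_epss(payload):
    """Map each CVE in an EPSS API response to (probability, percentile) as floats."""
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in payload.get("data", [])}


def enrich(findings, scores, threshold=0.10):
    """Attach EPSS fields to each finding and sort with the highest exploit probability first.

    Findings with no EPSS record (e.g. too new for the model) keep epss=None and sink to the
    bottom so they remain visible rather than silently disappearing from the queue.
    """
    out = []
    for f in findings:
        epss, pct = scores.get(f["cve"], (None, None))
        out.append({**f, "epss": epss, "percentile": pct,
                    "priority": epss is not None and epss >= threshold})
    return sorted(out, key=lambda r: -1.0 if r["epss"] is None else r["epss"], reverse=True)


# Constructed sample: a scanner export plus an EPSS response in the API's documented shape.
SAMPLE_FINDINGS = [
    {"host": "web01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "db02", "cve": "CVE-0000-0002", "cvss": 7.5},
    {"host": "app03", "cve": "CVE-0000-0003", "cvss": 5.3},
]
SAMPLE_EPSS_RESPONSE = {"status": "OK", "status-code": 200, "total": 2, "data": [
    {"cve": "CVE-0000-0001", "epss": "0.00412", "percentile": "0.71", "date": "2026-04-20"},
    {"cve": "CVE-0000-0002", "epss": "0.93150", "percentile": "0.99", "date": "2026-04-20"},
]}  # CVE-0000-0003 deliberately absent: no enrichment available yet


def ranked_sample():
    """Run the enrichment over the constructed sample; the CVSS 7.5 finding outranks the 9.8."""
    return enrich(SAMPLE_FINDINGS, parse_epss(SAMPLE_EPSS_RESPONSE))


if __name__ == "__main__":
    for r in ranked_sample():
        print(f'{r["host"]:6} {r["cve"]} cvss={r["cvss"]} epss={r["epss"]} priority={r["priority"]}')
```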

Microsoft responded to the Server 2025 fallout with an out‑of‑band update released over the weekend. The patch addresses two critical issues: a subset of installations that entered a continuous reboot loop and another group where the update failed to apply at all. Because a failed or unnoticed patch can leave systems exposed, administrators should verify which scenario applies to their environment and apply the corrective update immediately. Ignoring these signals risks prolonged vulnerability exposure on a platform that many enterprises rely on for core services.

The Sophos blog highlighted a new ransomware twist: abusing QEMU, an open‑source virtualization engine, to run a hidden Alpine Linux VM inside the victim’s host. Because traditional endpoint products do not inspect processes running inside a VM, the malicious payload evades detection while establishing a reverse shell and loading additional tools. Organizations should inventory all approved virtualization solutions (QEMU, VMware, Hyper‑V, etc.) and enforce strict usage policies. Flagging unauthorized instances and monitoring VM network traffic are essential steps to prevent attackers from leveraging legitimate hypervisors as covert attack platforms.

Episode Description

Handling the CVE Flood With EPSS

https://isc.sans.edu/diary/Handling%20the%20CVE%20Flood%20With%20EPSS/32914

https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#4835

https://www.sophos.com/en-us/blog/qemu-abused-to-evade-detection-and-enable-ransomware-delivery
