The Plumb Line
2026-04-20 7 min read

The Ground Moves Off Miyako

The Plumb Line

24 hours ending 2026-04-20T12:00:00 UTC

Three things happened in the last 24 hours that operators need to track before Monday morning. A significant earthquake struck off the Japanese coast with a tsunami warning attached. CISA handed federal agencies a three-day deadline to patch four Cisco SD-WAN vulnerabilities. And a new batch of CISA-flagged exploits includes two entries explicitly tagged as ransomware vectors — PaperCut NG/MF and JetBrains TeamCity — both with two-week remediation windows that expire before May is a week old. None of these are slow-moving trends. All three have deadlines.

The earthquake is the loudest headline. The cyber deadline is the one that will hurt someone who ignored it.

The Ground Moves Off Miyako

A M7.4 struck 98 kilometers east-northeast of Miyako, Japan at 07:52 UTC — shallow at 25 kilometers depth, USGS significance score of 932, and notable for the one flag that changes the operational calculus: tsunami alert issued. A M6.0 aftershock followed four minutes later at essentially the same location, and by 10:44 UTC the USGS had logged eight additional events of M4.7 or greater in the same zone. The pattern is a classic offshore subduction sequence.

USGS marked the overall alert level green, which typically indicates limited shaking damage on land, but a tsunami flag is not a damage assessment — it's a warning that wave dynamics are in play until coastal authorities say otherwise. Miyako sits on the Sanriku coast of Iwate Prefecture, a stretch of shoreline with no tolerance for complacency after 2011. Operators with exposure in northeastern Japan — logistics, port infrastructure, energy assets — should confirm their local teams have checked in.

The seismic window was broader than Miyako. A M6.1 struck near Tonga 14 hours earlier, four separate events clustered south of the Kermadec Islands, and a M4.73 hit 20 kilometers southeast of Silver Springs, Nevada — a populated corridor between Reno and Fallon. The Nevada event carried a USGS significance score of 489, higher than its magnitude suggests, reflecting its proximity to infrastructure.

CISA's Monday Morning Problem

CISA added eight vulnerabilities to its Known Exploited Vulnerabilities catalog on April 20, with two distinct deadline tiers. Four Cisco Catalyst SD-WAN Manager flaws — covering privileged API misuse, sensitive information exposure, and passwords stored in recoverable format — carry a federal patch deadline of April 23. Three days. The fourth Cisco entry is CVE-2026-20128, the recoverable-password flaw, which is the kind of quiet credential-exposure bug that threat actors love precisely because it doesn't look alarming in a scanner report.

3 days
Federal deadline to patch four Cisco SD-WAN Manager CVEs — CVE-2026-20122, CVE-2026-20133, CVE-2026-20128, and CVE-2025-48700 (Zimbra ZCS XSS) all due April 23.

The remaining four entries have a May 4 deadline, but two of them carry explicit ransomware tags: CVE-2023-27351 in PaperCut NG/MF (improper authentication) and CVE-2024-27199 in JetBrains TeamCity (relative path traversal). PaperCut has been a ransomware delivery vector since 2023; TeamCity path traversal has been in active exploitation. The ransomware tag in a KEV entry is CISA's way of saying the exploit chain is already deployed in the wild, not theoretical.

The NVD published 30 new CVEs in this window. The highest-severity single entry — CVE-2026-6643, a CVSS 9.9 stack-based buffer overflow in VPN clients on ASUSTOR ADM devices — lacks PIE and stack canary protections, meaning memory exploitation is straightforward. The same ADM platform also carries CVE-2026-6644, a CVSS 9.1 command injection in PPTP VPN clients that lets an administrative user escape the web interface entirely. If you run ASUSTOR NAS hardware in your environment, the question isn't whether to patch — it's whether you did it before reading this.

AI Frameworks Are the New Attack Surface

Four separate CVEs in this window target modelscope agentscope up to version 1.0.18, all scoring CVSS 7.3. The vulnerabilities span server-side request forgery via audio URL processing, SSRF in a cloud tool handler, and — most critically — arbitrary code execution through the `execute_python_code` and `execute_shell_command` functions. Two additional CVEs hit TransformerOptimus SuperAGI up to version 0.0.14, covering unrestricted file upload and SSRF in a vector database management endpoint.

The pattern here is not coincidental. AI agent frameworks typically run with elevated privileges, connect to external APIs, and are deployed by teams whose security review cadence lags their shipping cadence. Langflow up to version 1.1.0 also drew a 7.3-scored file upload flaw this window. If your organization deployed any of these frameworks in the last six months and hasn't reviewed their network exposure, that review is now overdue.

Orbital Note

SpaceX launched Falcon 9 Block 5 from Vandenberg SFB on April 19 at 16:03 UTC, successfully placing Starlink Group 17-22 into low Earth orbit. Routine, but the cadence matters: this marks continued densification of the Starlink constellation at a pace that keeps the group count climbing through 2026.

The Closing Detail

Among the OpenSanctions updates this window, the vessel ASTANEH was added to the U.S. SAM exclusion list — the federal procurement debarment registry. A ship on a debarment list is a specific kind of compliance exposure: any federal contractor that knowingly engages with a debarred vessel risks its own eligibility. The ASTANEH joins two Iraqi AML-list individuals and three newly flagged British NCA press-release subjects in a window of routine but consequential compliance hygiene.

What We Can't Tell You

1. Whether the Miyako tsunami warning produced any confirmed wave activity — USGS data confirms the alert was issued; coastal impact assessment is not yet in the source window.

2. Which specific threat actors are actively exploiting the CISA-KEV-listed Cisco SD-WAN flaws — CISA confirmed exploitation in the wild but did not attribute in the available data.

3. Whether the Nevada M4.73 near Silver Springs caused infrastructure damage — USGS significance score is elevated but no damage assessment is present in this window.

By the Numbers

MetricValueContext
M7.4 earthquake depth25 kmShallow enough to maximize surface shaking and tsunami risk
Aftershocks M4.7+ near Miyako8All within 3 hours of the main shock
CISA KEV additions8Four with 3-day federal deadline; two explicitly tagged ransomware
CVEs scored CVSS 9.0+ this window2CVE-2026-6643 (9.9) and CVE-2026-6644 (9.1), both ASUSTOR ADM
AI framework CVEs (agentscope + SuperAGI + Langflow)7All 7.3, all published in this 24-hour window
Entities added to sanctions/debarment lists14Includes one vessel, two Iraqi AML designees, three UK NCA subjects
Starlink launches YTD (Group 17-22)1 this windowVandenberg launch successful, LEO insertion confirmed

Today's record covers a Japanese offshore earthquake with tsunami warning, a four-CVE Cisco SD-WAN patch deadline expiring Thursday, two ransomware-tagged exploits with two-week fuses, and seven new vulnerabilities across AI agent frameworks that most security teams haven't reviewed. The truth score on everything you just read is 1.0 — every claim traces back to a primary record on disk. If you manage Cisco SD-WAN Manager and CVE-2026-20122 through CVE-2026-20128 are new to you, you have 72 hours and a weekend.

— *The Plumb Line*. Sourced from 89 grounded events across 27 source databases.

Sources

Seismic

  • usgs_earthquakes/us6000sri7 — M7.4 Miyako, Japan; tsunami alert issued
  • usgs_earthquakes/us7000sh0a — M6.0 aftershock, 100 km E of Miyako
  • usgs_earthquakes/us6000sred — M6.1 near Hihifo, Tonga
  • usgs_earthquakes/nn00915543 — M4.73 Silver Springs, Nevada
  • usgs_earthquakes/us6000srg6, us6000srg8, us6000srez, us6000srf6, us7000sgqg — Kermadec Islands cluster
  • usgs_earthquakes/us7000sh03, us7000sgyl, us6000srih, us7000sh0d, us7000sgym, us6000sriv, us6000srj9, us7000sgyj — Miyako aftershock sequence

Cyber / Vulnerability

  • cisa_kev/CVE-2026-20122 — Cisco SD-WAN Manager privileged API; due 2026-04-23
  • cisa_kev/CVE-2026-20133 — Cisco SD-WAN Manager info disclosure; due 2026-04-23
  • cisa_kev/CVE-2026-20128 — Cisco SD-WAN Manager recoverable passwords; due 2026-04-23
  • cisa_kev/CVE-2025-48700 — Zimbra ZCS XSS; due 2026-04-23
  • cisa_kev/CVE-2023-27351 — PaperCut NG/MF improper authentication (RANSOMWARE); due 2026-05-04
  • cisa_kev/CVE-2024-27199 — JetBrains TeamCity path traversal (RANSOMWARE); due 2026-05-04
  • cisa_kev/CVE-2025-2749 — Kentico Xperience path traversal; due 2026-05-04
  • cisa_kev/CVE-2025-32975 — Quest KACE SMA improper authentication; due 2026-05-04
  • nvd_cve/CVE-2026-6643 — CVSS 9.9 ASUSTOR ADM VPN stack overflow
  • nvd_cve/CVE-2026-6644 — CVSS 9.1 ASUSTOR ADM PPTP command injection
  • nvd_cve/CVE-2026-5964, CVE-2026-5963 — Digiwin EasyFlow SQL injection (CVSS 9.8 each)
  • nvd_cve/CVE-2026-32956 — silex technology SD-330AC heap overflow (CVSS 9.8)
  • nvd_cve/CVE-2026-6603, CVE-2026-6604, CVE-2026-6605, CVE-2026-6606 — modelscope agentscope RCE/SSRF cluster
  • nvd_cve/CVE-2026-6615, CVE-2026-6582 — SuperAGI file upload / SSRF
  • nvd_cve/CVE-2026-6596 — Langflow file upload vulnerability

Space

  • launch_library/0727a92f-0a9c-4e01-9bf4-1dc698e17e6b — Falcon 9 Starlink Group 17-22, Vandenberg

Sanctions / Compliance

  • opensanctions/usgsa-e7508888c7c2466c332ea0f96114e0618268586d — Vessel ASTANEH, SAM debarment
  • opensanctions/iq-aml-069a585301102b7a7f7bcb7750b9a35d0c8cc947 — Al-Bayati, Iraq AML
  • opensanctions/iq-aml-11ffc44c8c295505e2eda583195e3ec77a7ca260 — Al-Jubouri, Iraq AML
  • opensanctions/gb-nca-pr-6aa9673decd3656eae0884cf3646db419c193bfb — Ali Khdir, UK NCA
  • opensanctions/gb-nca-pr-986eda62d9432d8a6da92574d77747cb0fbd9f0a — Dilshad Shamo, UK NCA
  • opensanctions/gb-nca-pr-f34d8e236d8366c967bc1eb38fa1a1778895ee92 — Alnour Mohamed Ali, UK NCA