This pack covers four active threats spanning two dominant attack patterns: unauthenticated remote code execution against network-exposed management infrastructure (FortiClientEMS, TrueConf Client update chain) and identity-layer attacks that bypass MFA through OAuth token theft and open redirect abuse. Two items carry CISA KEV confirmation of active exploitation requiring emergency response, one carries KEV status with a federal remediation deadline of 2026-04-16, and the device code phishing campaign has surged 37x in early 2026 with no patch path available. Immediate priorities are patching CVE-2026-35616, blocking device code authentication flows in Entra ID, mitigating CVE-2026-3502 update traffic, and disabling the URL Shortify plugin on all public-facing WordPress instances.

Author

Tech Jacks Solutions