Two threats landed in security feeds this week that every small business owner and IT admin needs to understand — not because they're theoretical, but because they're active right now, and they target the exact tools sitting on your employees' desktops.
Before we unpack them, let's settle a question that causes real confusion in small business security conversations: What's the actual difference between a zero-day exploit and an unpatched vulnerability — and which one should scare you more?
The short answer: both should. But for completely different reasons.
Defining the Terms Without the Jargon
A zero-day exploit is an attack that takes advantage of a vulnerability the software vendor doesn't know about yet — or has known about but hasn't released a fix for. There is no patch. There is nothing to install. You are exposed whether you're diligent about updates or not.
An unpatched vulnerability is the opposite problem. The vendor knows. A fix exists. You just haven't applied it yet — and that delay is doing the attacker's job for them.
Think of it this way: a zero-day is a lock with no key ever made. An unpatched vulnerability is a lock where you've had the key sitting on your desk for weeks.
This Week Made the Distinction Impossible to Ignore
On April 9, 2026, two stories broke that illustrate both sides of this equation with uncomfortable clarity.
First, a researcher publicly released a proof-of-concept exploit for an unpatched Windows vulnerability dubbed BlueHammer — a flaw capable of enabling full system takeover. According to Security News, the release has raised serious questions about Microsoft's bug disclosure process, because the PoC dropped before any patch was available. Every Windows machine in every small business running that version is exposed right now, with no fix to apply even if you wanted to.
Second, The Hacker News reported that a zero-day in Adobe Reader has been actively exploited via malicious PDFs since December 2025 — four months before public disclosure. The delivery mechanism? PDF invoices. The kind your accounts payable team opens every single day without a second thought.
That's the brutal reality of zero-days: by the time you hear about them, you may already be compromised.
The 10-Hour Window That Closes the Argument
If BlueHammer and Adobe Reader represent the zero-day side of the equation, a third story published April 10 closes the argument on unpatched vulnerabilities.
The Hacker News reported that CVE-2026-39987, a remote code execution flaw in Marimo, was exploited within 10 hours of public disclosure. A patch existed. The CVE was published. And attackers were already weaponizing it before most IT teams had even read the advisory.
This is the modern patching reality: the window between "known vulnerability" and "actively exploited" is no longer measured in weeks. It's measured in hours. Treat an unpatched CVE like a zero-day — because the moment it's published, it functionally becomes one.
This is also why nation-state actors continue to thrive. Security News reported this week that Russia's Fancy Bear APT continues its global campaign, with analysts explicitly noting that patching and zero trust are now non-negotiable baseline defenses — not advanced security measures. If state-sponsored threat actors are exploiting unpatched systems at scale, small businesses are absolutely in the blast radius.
What Small Businesses and IT Admins Should Do Right Now
Understanding the distinction matters because it changes your response:
For zero-days (no patch exists):
- Enable application-layer controls — restrict Adobe Reader from executing JavaScript or accessing the network where possible
- Apply compensating controls: endpoint detection, email filtering that strips or sandboxes PDFs from unknown senders
- Monitor vendor channels and security advisories daily during active exploitation windows
- Segment networks so a compromised endpoint can't pivot laterally
- Assume breach posture: know what data sits on endpoints and limit access accordingly

For unpatched vulnerabilities (patch exists, clock is ticking):
- Prioritize CVSS scores of 7.0 and above for same-day or next-day patching
- Don't wait for your monthly patch cycle when active exploitation is confirmed
- Use automated patch management to close the gap between disclosure and deployment
- Run vulnerability scans after patching to confirm the fix applied correctly — not just that it was pushed
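As an added illustration (not part of the original article or any vendor tool), the script below applies the two response paths above to a constructed advisory feed: no patch means the compensating-controls path, an available patch that is actively exploited or scores CVSS 7.0+ means patch now, and a finding only counts as remediated when the installed version actually reaches the fixed version. The CVE ids, product names and version strings are placeholders invented for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Advisory:
    """One constructed advisory record (placeholder values, not a real feed)."""
    cve: str
    product: str
    cvss: float
    patch_available: bool
    actively_exploited: bool
    installed_version: str
    fixed_version: Optional[str]  # None when the vendor has shipped no fix


def parse_version(v: str) -> tuple:
    """Turn '0.10.0' into (0, 10) so versions compare numerically;
    trailing zeros are dropped so '0.10' and '0.10.0' are equal."""
    parts = tuple(int(p) for p in v.split("."))
    while parts and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def is_remediated(a: Advisory) -> bool:
    """Post-patch verification: the fix counts only when the installed
    version has reached the fixed version, not merely because a patch
    job was pushed."""
    if a.fixed_version is None:
        return False
    return parse_version(a.installed_version) >= parse_version(a.fixed_version)


def triage(a: Advisory) -> str:
    if is_remediated(a):
        return "remediated"
    if not a.patch_available:
        return "compensating-controls"  # zero-day path: nothing to install
    if a.actively_exploited or a.cvss >= 7.0:
        return "patch-now"  # same/next day; do not wait for the monthly cycle
    return "next-cycle"


# Constructed sample feed; every value below is a placeholder.
SAMPLE_FEED = [
    Advisory("CVE-0000-0001", "pdf-reader", 8.8, False, True, "1.0.0", None),
    Advisory("CVE-0000-0002", "notebook-app", 9.8, True, True, "0.9.0", "0.10.0"),
    Advisory("CVE-0000-0003", "notebook-app", 9.8, True, True, "0.10", "0.10.0"),
    Advisory("CVE-0000-0004", "office-suite", 5.3, True, False, "2.1", "2.2"),
]


def triage_feed(feed=SAMPLE_FEED) -> dict:
    """Map each CVE id to the action its record calls for."""
    return {a.cve: triage(a) for a in feed}


if __name__ == "__main__":
    for cve, action in triage_feed().items():
        print(f"{cve}: {action}")
```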
As we covered in our deep dive on vulnerability scanning vs. penetration testing, many small businesses assume patching is enough. It's not — you need visibility into what's actually exposed in your environment before and after patches are applied.
For government contractors, this isn't optional. CMMC Level 1 requires basic vulnerability remediation as a foundational practice. Our CMMC Level 1 compliance guide walks through exactly what's required — and unmanaged patch cycles are one of the fastest ways to fail an assessment.
The Honest Truth About Small Business Risk
Small businesses aren't targeted because attackers know their name. They're targeted because attackers know their posture: Windows machines, Adobe Reader, unpatched CVEs, no dedicated security team. BlueHammer and the Adobe Reader PDF exploit aren't enterprise problems. They live inside the exact toolchain small businesses run every day.
You don't need a six-figure security stack to reduce your exposure. You need visibility — knowing what's running, what's unpatched, and what's exposed — so you can act before an attacker does.
Take Action
The gap between "disclosed" and "exploited" is now measured in hours. Waiting for your quarterly review isn't a strategy — it's an invitation.
Oscar Six Security's Radar gives small businesses and MSPs continuous vulnerability scanning for $99 — so you know what's exposed in your environment before attackers find it first. Whether you're managing your own shop or a client's infrastructure, Radar surfaces the unpatched CVEs and misconfigurations that make you an easy target.
Focus Forward. We've Got Your Six.