Cyber Threats Daily — 2026-05-01
TITLE: KEV surge: cPanel, ScreenConnect, Windows, and Cisco SD-WAN top this week's exploited list
---
Top of the queue: fresh KEV adds with imminent deadlines
The past two weeks delivered an unusually heavy KEV cadence, with several federal remediation deadlines landing inside the next 72 hours. Prioritize these for emergency change windows.
- CVE-2026-41940 — a missing-authentication flaw in WebPros cPanel & WHM and WP2 (WordPress Squared) — was added 2026-04-30 with a remediation deadline of 2026-05-03, the tightest window on the board. Hosting providers should treat this as an active perimeter incident.
- CVE-2024-1708, the ConnectWise ScreenConnect path traversal, returned to KEV on 2026-04-28 (due 2026-05-12); paired historically with CVE-2024-1709, it remains a favorite RMM pivot for ransomware affiliates.
- CVE-2026-32202 in Microsoft Windows (protection-mechanism failure, due 2026-05-12) and CVE-2026-32201 in SharePoint Server (improper input validation, due 2026-04-28) anchor a heavy Microsoft block this cycle — assume opportunistic exploitation against unpatched estates.
Edge devices and remote access under fire
A clear theme this week: attackers are hammering remote-access and edge-management products that sit outside EDR coverage.
- Cisco Catalyst SD-WAN Manager took three simultaneous KEV adds — CVE-2026-20122 (privileged API misuse), CVE-2026-20133 (sensitive info exposure), and CVE-2026-20128 (recoverable password storage) — all with a now-passed 2026-04-23 deadline. If you haven't patched, you are out of compliance and likely already triaging.
- SimpleHelp's twin flaws CVE-2024-57728 (path traversal) and CVE-2024-57726 (missing authorization) were added together on 2026-04-24, due 2026-05-08, continuing the SimpleHelp exploitation wave first reported in early 2025.
- CVE-2025-29635 in D-Link DIR-823X routers (command injection, due 2026-05-08) and CVE-2024-7399 in Samsung MagicINFO 9 Server (path traversal, due 2026-05-08) round out the edge-device bucket — both classic botnet recruitment targets.
- F5 and Citrix appliances also re-surfaced: CVE-2026-3055 (NetScaler OOB read) and CVE-2025-53521 (BIG-IP stack overflow) carried late-March deadlines that should already be closed out.
Ransomware-flagged vulnerabilities — patch now if you haven't
CISA explicitly tagged three KEV entries this cycle as having known ransomware association:
- CVE-2023-27351 (PaperCut NG/MF improper authentication, due 2026-05-04) — print servers continue to be a soft underbelly for initial access.
- CVE-2024-27199 (JetBrains TeamCity relative path traversal, due 2026-05-04) — CI/CD compromise gives attackers code-signing and supply-chain leverage.
- CVE-2023-21529 (Microsoft Exchange Server deserialization, due 2026-04-27) — on-prem Exchange remains a ransomware on-ramp two years after disclosure.
Microsoft heavy block (April 13 batch)
CISA added an unusual cluster of older Microsoft bugs on 2026-04-13, all due 2026-04-27. Their reappearance suggests in-the-wild reuse, likely in document-borne intrusion chains:
- CVE-2009-0238 (Office RCE) and CVE-2012-1854 (VBA insecure library loading) — decade-old bugs being exercised against unpatched legacy Office installs.
- CVE-2025-60710 (Windows link following) and CVE-2023-36424 (Windows OOB read) — local privilege escalation primitives.
- CVE-2026-33825 in Microsoft Defender (insufficient access-control granularity, due 2026-05-06) is the more interesting addition: a defense-evasion bug in the security product itself.
Adobe, Apple, and developer tooling
- CVE-2020-9715 (Acrobat use-after-free) and CVE-2026-34621 (Acrobat/Reader prototype pollution) both hit KEV on 2026-04-13 with a 2026-04-27 deadline — assume malicious PDF delivery in current campaigns.
- Apple shipped a triple-add on 2026-03-20 covering CVE-2025-43510 (improper locking), CVE-2025-43520 (classic buffer overflow), and CVE-2025-31277 (buffer overflow) across multiple products; deadlines passed 2026-04-03.
- Developer-toolchain compromises stand out: CVE-2026-33634 in Aquasecurity Trivy is flagged as embedded malicious code — a supply-chain poisoning of the scanner itself — and CVE-2026-33017 (Langflow code injection) plus CVE-2026-39987 (Marimo RCE) reflect attackers targeting the AI/LLM developer stack. Audit Trivy binaries against vendor hashes if you pulled a release during the affected window.
Other notable adds
- CVE-2026-21643 (Fortinet FortiClient EMS SQL injection) and CVE-2026-35616 (FortiClient EMS improper access control) — Fortinet management plane bugs with already-passed deadlines (2026-04-16 and 2026-04-09); confirm patch state and hunt for prior compromise.
- CVE-2026-1340 (Ivanti EPMM code injection, due 2026-04-11) continues Ivanti's grim 18-month run on KEV.
- CVE-2026-34197 (Apache ActiveMQ improper input validation, due 2026-04-30) — message-broker exposure remains a recurring crypto-mining and webshell vector.
- CVE-2025-2749 (Kentico Xperience path traversal) and CVE-2025-32432 (Craft CMS code injection) plus CVE-2025-54068 (Laravel Livewire code injection) keep CMS/framework RCEs in active rotation.
- CVE-2025-48700 (Zimbra ZCS XSS, due 2026-04-23) and CVE-2025-32975 (Quest KACE SMA improper authentication, due 2026-05-04) target collaboration and endpoint-management consoles respectively.
- CVE-2026-3502 (TrueConf Client download-without-integrity-check) and CVE-2026-5281 (Google Dawn use-after-free) close out the list — the former enables update-channel hijack, the latter is a browser-graphics sandbox escape primitive.
Analyst takeaway
This cycle's KEV volume — 40 entries across two weeks — is well above the 2025 baseline, and the pattern is consistent: edge appliances (Cisco, F5, Citrix, Fortinet, D-Link), remote-access tools (ScreenConnect, SimpleHelp, TrueConf), and developer/AI tooling (Trivy, Langflow, Marimo, Livewire) dominate. SOCs should rebalance hunt priorities away from endpoint-only telemetry toward management-plane and CI/CD logs for the next two weeks.
