Cyber Threats Daily — 2026-05-26
TITLE: Cyber Threats Daily — Drupal SQLi, Trend Micro Apex One, and a heavy KEV backlog
---
Top of the queue: imminent KEV deadlines
- CVE-2026-9082 is a SQL injection in Drupal Core added to KEV on 2026-05-22 with a remediation deadline of 2026-05-27 — federal agencies and prudent enterprise operators have under 24 hours to patch CMS instances before the deadline lapses.
- CVE-2026-42897, a cross-site scripting flaw in Microsoft Exchange Server, carries a 2026-05-29 KEV due date; given Exchange's history as a ransomware on-ramp, prioritize patching alongside mailbox auditing for webmail-themed phishing chains.
- CVE-2026-34926, a directory traversal in Trend Micro Apex One (on-premise), must be remediated by 2026-06-04; exploitation of an endpoint product is doubly painful since the EDR itself becomes the initial access vector.
- CVE-2025-34291, an origin validation flaw in Langflow, shares the 2026-06-04 deadline and continues a 2026 trend of AI/LLM tooling (LiteLLM, Marimo, Langflow) landing in KEV — treat these dev-facing services as production attack surface.
Ransomware-linked entries to triage first
CISA explicitly tagged the following recent additions as having known ransomware use. If they exist in your environment and are not patched, assume they are pre-staging targets:
- CVE-2026-41940 — missing authentication on a critical function in WebPros cPanel & WHM / WP2 (WordPress Squared); KEV deadline 2026-05-03 has already passed. Hosting providers and shared-tenant environments are the primary risk.
- CVE-2024-1708 — path traversal in ConnectWise ScreenConnect, a recurring favorite for affiliate crews to pivot from MSP tooling into customer estates. Deadline 2026-05-12, past due.
- CVE-2024-57728 and CVE-2024-57726 — paired path traversal and missing authorization bugs in SimpleHelp, another remote support tool in the ScreenConnect mold; both due 2026-05-08.
- CVE-2023-27351 — authentication bypass in PaperCut NG/MF, still being weaponized years after the Cl0p/LockBit campaigns; deadline 2026-05-04.
- CVE-2024-27199 — relative path traversal in JetBrains TeamCity, due 2026-05-04; CI/CD compromise remains a high-leverage foothold for supply-chain abuse.
- CVE-2023-21529 — deserialization in Microsoft Exchange Server, due 2026-04-27; if you still have unpatched Exchange on-prem, this is your second alarm clock today.
Network edge and management plane
- Cisco's Catalyst SD-WAN stack accounts for four KEV entries this cycle: CVE-2026-20182 (authentication bypass on the Controller, due 2026-05-17), and the Manager trio CVE-2026-20122 (misuse of privileged APIs), CVE-2026-20133 (sensitive info exposure), and CVE-2026-20128 (recoverable password storage), all with a 2026-04-23 deadline. Combined, they enable unauthenticated reach into the SD-WAN control plane plus credential harvesting from the orchestrator — assume compromise if unpatched and rotate device credentials.
- CVE-2026-0300 is an out-of-bounds write in Palo Alto Networks PAN-OS (deadline 2026-05-09, past due); PAN-OS edge bugs have repeatedly converted into in-the-wild RCE within weeks of disclosure.
- CVE-2026-6973, improper input validation in Ivanti Endpoint Manager Mobile (EPMM), was due 2026-05-10 — Ivanti products remain a persistent KEV regular, and EPMM access typically yields MDM-pushed code execution on managed mobiles.
- CVE-2025-29635 in the D-Link DIR-823X is a command injection (due 2026-05-08); SOHO routers are a botnet conscription pipeline, especially relevant for remote-worker netblocks.
Microsoft platform sweep
- A trio of Microsoft Defender flaws landed together: CVE-2026-41091 (link following) and CVE-2026-45498 (DoS), both due 2026-06-03, plus CVE-2026-33825 (insufficient access control granularity, due 2026-05-06). Coverage gaps in your own EDR are the worst kind of blind spot — confirm Defender platform updates are current, not just signature pushes.
- CVE-2026-32202 (Windows protection-mechanism failure, due 2026-05-12) and CVE-2025-60710 (Windows link-following, due 2026-04-27) cover local privilege/abuse primitives commonly chained after initial access.
- CVE-2026-32201 is improper input validation in Microsoft SharePoint Server (due 2026-04-28) — SharePoint exposure remains a top-five enterprise pivot target.
- CISA also re-surfaced a batch of legacy Microsoft bugs (CVE-2008-4250 SMB, CVE-2009-1537 DirectX, CVE-2010-0249 / CVE-2010-0806 IE UAFs, CVE-2009-0238 Office, CVE-2012-1854 VBA, plus CVE-2009-3459 Adobe Reader), all due 2026-06-03. The reissue is a strong signal that legacy estate scans — ICS jump hosts, kiosks, lab Win7/Server 2008 boxes — are seeing renewed exploitation; hunt rather than dismiss.
Application, AI, and developer-tooling layer
- CVE-2026-42208 — SQL injection in BerriAI LiteLLM (deadline 2026-05-11, past due) and CVE-2026-39987 — RCE in Marimo (deadline 2026-05-07) both reinforce that internal "AI gateway" and notebook services are now first-class KEV targets; inventory shadow LLM proxies the same way you'd inventory Jenkins.
- CVE-2026-34197 in Apache ActiveMQ (improper input validation, due 2026-04-30) follows the long tail of the 2023 ActiveMQ RCE campaigns; brokers reachable from app tiers should be re-scanned.
- CVE-2025-2749 (path traversal in Kentico Xperience), CVE-2025-32975 (improper auth in Quest KACE SMA), CVE-2024-7399 (path traversal in Samsung MagicINFO 9 Server), and CVE-2025-48700 (XSS in Zimbra Collaboration Suite) round out the application-layer additions — none individually flashy, but Kentico, KACE, and Zimbra in particular tend to sit on internet-exposed management interfaces.
- CVE-2026-31431 is an incorrect resource-transfer flaw in the Linux Kernel (due 2026-05-15); pair with your usual container-escape and LPE hardening review.
Editor's note
Today's signal is overwhelmingly a KEV-catchup story: roughly half the entries on this digest are already past their CISA deadlines, and several (the SD-WAN Manager trio, LiteLLM, cPanel) are pushing a month overdue. If your patch SLA dashboards aren't already screaming about these, that's the finding — not the CVEs themselves.
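The triage order this digest follows (ransomware-tagged entries first, then whatever is furthest past its due date) can be computed from a KEV-style feed; the sketch below is an added example, not part of the original digest and not CISA tooling. The records are a constructed excerpt that uses CVE IDs, due dates and ransomware tags quoted above; the `product` strings, the deployed-product set, the 3-day "imminent" window and the `Unknown` tag on entries outside the ransomware list are assumptions.

```python
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed. CVE IDs, due dates and
# "Known" ransomware tags come from this digest; "Unknown" tags are assumed.
KEV_SAMPLE = [
    {"cveID": "CVE-2026-9082", "product": "Drupal Core",
     "dueDate": "2026-05-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-42897", "product": "Exchange Server",
     "dueDate": "2026-05-29", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-1708", "product": "ScreenConnect",
     "dueDate": "2026-05-12", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-21529", "product": "Exchange Server",
     "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-42208", "product": "LiteLLM",
     "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-34926", "product": "Apex One",
     "dueDate": "2026-06-04", "knownRansomwareCampaignUse": "Unknown"},
]
IMMINENT_DAYS = 3  # assumed escalation window, not a CISA value

def triage(entries, inventory, today):
    """Return KEV rows for deployed products, most urgent first."""
    rows = []
    for e in entries:
        if e["product"] not in inventory:
            continue  # not deployed here, nothing to patch
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        status = ("OVERDUE" if days_left < 0
                  else "IMMINENT" if days_left <= IMMINENT_DAYS else "SCHEDULED")
        rows.append({"cve": e["cveID"], "product": e["product"], "status": status,
                     "days_left": days_left,
                     "ransomware": e["knownRansomwareCampaignUse"] == "Known"})
    # Ransomware-tagged entries first, then most overdue / nearest deadline.
    rows.sort(key=lambda r: (not r["ransomware"], r["days_left"]))
    return rows

def overdue_share(rows):
    """Fraction of in-scope KEV entries already past their due date."""
    return sum(r["status"] == "OVERDUE" for r in rows) / len(rows) if rows else 0.0

if __name__ == "__main__":
    # Hypothetical inventory of products actually deployed.
    deployed = {"Drupal Core", "Exchange Server", "ScreenConnect", "LiteLLM"}
    report = triage(KEV_SAMPLE, deployed, date(2026, 5, 26))
    for r in report:
        print(f'{r["cve"]:<15} {r["product"]:<16} {r["status"]:<9} {r["days_left"]:>4}d')
    print(f"overdue share: {overdue_share(report):.0%}")
```

A non-zero overdue share for products that are actually deployed is the dashboard finding the editor's note refers to.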
