Cyber Threats Daily — 2026-06-04
TITLE: KEV surge: PAN-OS auth bypass, Defender flaws, and supply-chain malware in Nx/TanStack lead June 4 digest
---
Top of the stack: actively exploited, deadlines now
CISA's KEV catalog has absorbed a heavy backlog of exploited bugs over the past six weeks, with several remediation deadlines either just passed or hitting this week. Federal agencies (and pragmatically, everyone else) should treat the following as patch-now items.
- CVE-2026-0257 — a Palo Alto Networks PAN-OS authentication bypass — was added on 2026-05-29 with a remediation deadline of 2026-06-01, which has already lapsed; pair this with CVE-2026-0300, a PAN-OS out-of-bounds write added on 2026-05-06, for a full PAN-OS sweep.
- CVE-2024-21182 in Oracle WebLogic Server (deadline 2026-06-04, i.e. today) joins CVE-2026-45247, a deserialization flaw in Mirasvit's Magento Full Page Cache Warmer plugin (due 2026-06-06), as the freshest enterprise app exposures on the list.
- CVE-2022-0492, the long-known Linux kernel cgroups improper-authentication bug enabling container escape, was finally KEV-listed on 2026-06-02 with a 2026-06-05 deadline — implying fresh in-the-wild abuse against unpatched hosts.
- CVE-2025-48595 is an Android Framework integer overflow added 2026-06-02 (due 2026-06-05); expect mobile fleet managers to push emergency OEM patches.
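A deadline triage of the kind this section walks through, as an added example that is not part of the original digest. It buckets KEV entries against a reference date using the KEV JSON feed's `cveID`, `product`, `dueDate` and `knownRansomwareCampaignUse` fields; the sample feed is constructed from CVE IDs and due dates quoted in this digest, and the names `triage` and `horizon_days` are hypothetical.

```python
import json
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON feed. CVE IDs, products
# and due dates are those quoted in this digest; the ransomware flag is "Known"
# only where the digest calls an entry ransomware-linked, and "Unknown"
# elsewhere is an assumption.
SAMPLE_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-0257", "product": "PAN-OS",
   "dueDate": "2026-06-01", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2024-21182", "product": "WebLogic Server",
   "dueDate": "2026-06-04", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2022-0492", "product": "Linux kernel",
   "dueDate": "2026-06-05", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2026-48027", "product": "Nx Console",
   "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2026-8398", "product": "Daemon Tools Lite",
   "dueDate": "2026-05-30", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2024-1708", "product": "ScreenConnect",
   "dueDate": "2026-05-12", "knownRansomwareCampaignUse": "Known"}
]}
""")

def triage(feed, today, horizon_days=7):
    """Bucket KEV entries by remediation deadline relative to `today`."""
    buckets = {"overdue": [], "due_today": [], "upcoming": [], "later": [], "invalid": []}
    for vuln in feed.get("vulnerabilities", []):
        try:
            days = (date.fromisoformat(vuln["dueDate"]) - today).days
        except (KeyError, ValueError, TypeError):
            buckets["invalid"].append(vuln.get("cveID"))  # missing or malformed dueDate
            continue
        key = ("overdue" if days < 0 else "due_today" if days == 0
               else "upcoming" if days <= horizon_days else "later")
        buckets[key].append({
            "cve": vuln.get("cveID"), "product": vuln.get("product"), "days": days,
            "ransomware": vuln.get("knownRansomwareCampaignUse") == "Known",
        })
    for name, items in buckets.items():
        if name != "invalid":
            # Ransomware-linked entries first, then the most overdue / soonest due.
            items.sort(key=lambda e: (not e["ransomware"], e["days"]))
    return buckets

if __name__ == "__main__":
    for name, items in triage(SAMPLE_FEED, date(2026, 6, 4)).items():
        print(name, [e["cve"] if isinstance(e, dict) else e for e in items])
```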
Supply-chain malware in dev tooling
Two unusual KEV entries flag *embedded malicious code* in widely used developer packages, both tagged as known ransomware vectors with a 2026-06-10 deadline:
- CVE-2026-48027 covers a compromised Nx Console release, and CVE-2026-45321 covers a TanStack package issue — both indicate that attackers are continuing to weaponize the JavaScript build/IDE ecosystem to seed ransomware staging on developer endpoints. Audit lockfiles and CI caches for the affected versions.
- CVE-2026-8398 flags malicious code shipped in Daemon Tools Lite (deadline already passed on 2026-05-30) — a reminder that consumer-grade utilities on corporate endpoints remain a soft underbelly.
Microsoft: Defender and Exchange take a beating
A cluster of Microsoft issues landed in KEV on 2026-05-20 (all due 2026-06-03):
- CVE-2026-41091 (Defender link-following) and CVE-2026-45498 (Defender DoS) join earlier CVE-2026-33825 (Defender access-control granularity, due 2026-05-06) — three Defender bugs in six weeks suggest adversaries are actively targeting the EDR itself to blind responders.
- CVE-2026-42897, an Exchange Server XSS, was added 2026-05-15 with a 2026-05-29 deadline now passed; on-prem Exchange operators should verify CU level immediately.
- CVE-2026-32202, a Windows protection-mechanism failure (deadline 2026-05-12), and a batch of legacy re-adds — CVE-2008-4250, CVE-2009-1537, CVE-2009-3459 (Adobe Reader), CVE-2010-0249, CVE-2010-0806 — round out the Microsoft/Adobe block; the legacy re-additions almost always trace back to fresh telemetry from ICS or air-gapped environments still running unpatched XP/Win7.
Network edge and remote-access appliances
Edge gear continues to dominate exploitation:
- CVE-2026-20182 (Cisco Catalyst SD-WAN Controller auth bypass, deadline 2026-05-17) plus CVE-2026-20122, CVE-2026-20133, and CVE-2026-20128 in Cisco Catalyst SD-WAN Manager (all due 2026-04-23) form a coordinated batch — operators running SD-WAN fabrics should assume controller compromise until inventories are verified.
- CVE-2026-6973 in Ivanti EPMM (deadline 2026-05-10) keeps Ivanti's streak of MDM-platform exploitation alive; CVE-2024-1708 in ConnectWise ScreenConnect (ransomware-linked, due 2026-05-12) and CVE-2024-57728 / CVE-2024-57726 in SimpleHelp (both ransomware-linked, due 2026-05-08) signal continued ransomware focus on RMM tooling.
- CVE-2025-29635 (D-Link DIR-823X command injection, due 2026-05-08) is botnet bait — expect Mirai-derivative recruitment.
Web apps, hosting panels, and CMS
A heavy CMS/hosting-panel cohort points at mass-exploitation tooling:
- CVE-2026-9082 (Drupal Core SQL injection, deadline 2026-05-27 already passed) is the highest-impact CMS item; CVE-2025-2749 (Kentico Xperience path traversal) and CVE-2025-48700 (Zimbra ZCS XSS) round out the CMS/groupware risk.
- CVE-2026-41940 in cPanel & WHM / WP2 — missing auth on a critical function, ransomware-linked, deadline 2026-05-03 — and CVE-2026-48172 (LiteSpeed cPanel plugin privilege escalation, due 2026-05-29) together expose shared-hosting infrastructure; expect downstream tenant compromise.
- CVE-2023-27351 in PaperCut NG/MF (ransomware-linked) re-surfaces with a 2026-05-04 deadline — a reminder that print management remains a Cl0p/LockBit favorite.
AI/ML tooling enters the KEV mainstream
The AI stack is now a first-class target:
- CVE-2025-34291 (Langflow origin-validation flaw, due today 2026-06-04), CVE-2026-42208 (BerriAI LiteLLM SQL injection, deadline 2026-05-11 passed), and CVE-2026-39987 (Marimo notebook RCE, due 2026-05-07) confirm that LLM gateways, agent frameworks, and notebook servers are being mass-scanned. If you've deployed any of these inside a corporate network, assume internet-exposed instances are already probed.
Also worth tracking
- CVE-2026-34926 — Trend Micro Apex One (On-Premise) directory traversal, due 2026-06-04. Endpoints managed by Apex One should be patched today.
- CVE-2026-31431 — Linux kernel resource-transfer flaw (due 2026-05-15) and CVE-2024-7399 — Samsung MagicINFO 9 Server path traversal (due 2026-05-08) close out the older portion of the catch-up batch.
Analyst note
Three trends define this digest: (1) ransomware affiliates are leaning on RMM and shared-hosting platforms (ScreenConnect, SimpleHelp, cPanel, PaperCut); (2) developer supply chains (Nx, TanStack, LiteLLM, Langflow, Marimo) are an accelerating attack surface; and (3) edge appliances from Cisco, Palo Alto, and Ivanti remain the most reliably exploited class of asset. Prioritize PAN-OS, Defender, WebLogic, and the Nx/TanStack supply-chain items in the next 24 hours.
