Cyber Threats Daily — 2026-05-18
Cyber Threats Daily — Exchange XSS joins KEV; Cisco SD-WAN cluster, ransomware-tagged cPanel & SimpleHelp flaws lead remediation queue
---
Top of the Stack: Fresh KEV Additions
- CVE-2026-42897 lands on KEV as a cross-site scripting flaw in Microsoft Exchange Server; CISA set a remediation deadline of 2026-05-29, giving federal agencies just under two weeks to patch what is typically a pivot point for session hijack and mailbox takeover.
- CVE-2026-20182, an authentication bypass in Cisco Catalyst SD-WAN Controller, carries an aggressive 2026-05-17 deadline — already past as of today's publication, so any unpatched controller should be treated as presumed-compromised pending hunt.
- CVE-2026-42208 flags SQL injection in BerriAI LiteLLM, a popular LLM gateway proxy — notable as one of the first AI-infrastructure CVEs to hit KEV; remediation was due 2026-05-11. Audit LiteLLM deployments fronting internal model endpoints.
- CVE-2026-6973 (improper input validation) in Ivanti EPMM continues Ivanti's bad run on KEV, with a 2026-05-10 deadline; pair it with the earlier CVE-2026-1340 EPMM code-injection bug (due 2026-04-11) when scoping MDM exposure.
- CVE-2026-0300 is an out-of-bounds write in Palo Alto Networks PAN-OS (deadline 2026-05-09) — perimeter device, expect mass scanning; verify management-plane exposure is locked down regardless of patch state.
- CVE-2026-31431 in the Linux kernel (incorrect resource transfer between spheres) was due 2026-05-15; it is relevant to container-escape and confidentiality-boundary scenarios, so confirm that distribution kernel updates have shipped and been rolled out.
Ransomware-Tagged Vulnerabilities — Prioritize
CISA flagged several recent additions as having known ransomware use, which should bump them above routine patch SLAs:
- CVE-2026-41940 in WebPros cPanel & WHM and WP2 is a missing-authentication-for-critical-function bug actively used by ransomware crews; deadline was 2026-05-03. Shared-hosting providers are the obvious blast radius.
- CVE-2024-1708 (ConnectWise ScreenConnect path traversal) remains a ransomware favorite over a year after disclosure; KEV deadline 2026-05-12. If you operate or are managed by an MSP using ScreenConnect, demand attestation.
- CVE-2024-57728 and CVE-2024-57726 in SimpleHelp (path traversal + missing authorization) are paired ransomware vectors against remote-support tooling; both were due 2026-05-08. Treat them as one kill chain, not two independent fixes.
- CVE-2023-27351 (PaperCut NG/MF improper authentication) and CVE-2023-21529 (Microsoft Exchange Server deserialization) — both older, both still being weaponized by ransomware affiliates per CISA; deadlines 2026-05-04 and 2026-04-27 respectively.
- CVE-2024-27199 (JetBrains TeamCity relative path traversal, deadline 2026-05-04) closes out the ransomware-tagged set; CI/CD compromise gives attackers signing keys and pipeline access, so treat TeamCity exposure as a crown-jewel issue.
Cisco Catalyst SD-WAN: A Cluster Worth Naming
Four Cisco SD-WAN Manager/Controller bugs landed on KEV in the 2026-04-20 batch and need coordinated remediation: CVE-2026-20122 (improper privileged API use), CVE-2026-20133 (sensitive info exposure), CVE-2026-20128 (recoverable password storage), plus this week's CVE-2026-20182 auth bypass on the Controller. The original deadlines (2026-04-23) are past — if SD-WAN management isn't already upgraded, escalate.
Microsoft Patch Backlog on KEV
Beyond the Exchange XSS noted above, KEV is carrying a stack of Microsoft items that round out a typical hardening sprint:
- CVE-2026-32202 (Windows protection mechanism failure, due 2026-05-12) and CVE-2025-60710 (Windows link-following, due 2026-04-27) are local-privilege/AV-bypass class bugs useful in post-exploitation chains.
- CVE-2026-32201 (SharePoint Server improper input validation, due 2026-04-28) deserves attention given SharePoint's recurring role in initial access.
- CVE-2026-33825 (Microsoft Defender insufficient access-control granularity, due 2026-05-06) is unusual — EDR itself as the weak link; review tenant-side Defender role assignments.
- CISA also re-surfaced legacy entries CVE-2009-0238 (Office RCE), CVE-2012-1854 (VBA insecure library load), and CVE-2023-36424 (Windows OOB read), all due 2026-04-27 — likely added because of observed in-the-wild reuse in commodity loader chains.
Network Edge and Appliance Round-up
- CVE-2026-21643 (Fortinet FortiClient EMS SQLi, due 2026-04-16) and CVE-2026-35616 (FortiClient EMS improper access control, due 2026-04-09) target the endpoint-management server — a high-value lateral pivot.
- CVE-2026-3055 (Citrix NetScaler OOB read, due 2026-04-02) and CVE-2025-53521 (F5 BIG-IP stack buffer overflow, due 2026-03-30) — both load-balancer/edge appliances with deadlines well past; if not patched, assume probing.
- CVE-2025-29635 (D-Link DIR-823X command injection, due 2026-05-08) and CVE-2024-7399 (Samsung MagicINFO 9 Server path traversal, due 2026-05-08) round out the SOHO/IoT exposure.
Supply-Chain and Developer-Tooling Watch
- CVE-2026-33634 in Aquasecurity Trivy (embedded malicious code, due 2026-04-09) is the standout — a compromised scanner means attackers see your vulnerability picture before you do; verify Trivy binaries against known-good hashes and rotate any registry credentials handled by affected versions.
- CVE-2026-39987 (Marimo RCE, due 2026-04-23) targets the Marimo Python notebook runtime — relevant where data-science workloads expose notebook servers.
- CVE-2026-3502 (TrueConf Client download without integrity check, due 2026-04-16) is a classic update-channel hijack vector for collaboration software.
Also on the Radar
Remaining KEV adds — CVE-2025-2749 (Kentico Xperience), CVE-2025-48700 (Zimbra ZCS XSS), CVE-2025-32975 (Quest KACE SMA auth bypass), CVE-2026-34197 (Apache ActiveMQ), CVE-2020-9715/CVE-2026-34621 (Adobe Acrobat), and CVE-2026-5281 (Google Dawn UAF) — are lower priority than the items above but should be folded into the next patch cycle; all carried deadlines between late March and early May that are now expired.
Bottom Line for SOC Leads
The week's signal is concentrated, not scattered: Exchange and Cisco SD-WAN are the fresh urgent items; the ransomware-tagged cluster (cPanel, ScreenConnect, SimpleHelp, PaperCut, TeamCity) is where overdue remediation creates real business risk; and the Trivy supply-chain entry should trigger a tooling-integrity review independent of patch cadence.
