Cyber Threats Daily, 2026-05-29 (May 29, 2026)

KEV surge: Nx/TanStack supply-chain implants, Defender chain, and Cisco SD-WAN trifecta lead urgent patch queue

Top of the Watch: Supply-Chain Implants in Developer Tooling

CISA's KEV catalog this week is dominated by malicious-code implants in widely consumed developer dependencies, with ransomware crews already in the loop.

  • CVE-2026-48027 (Nx Console) and CVE-2026-45321 (TanStack) were both added 2026-05-27 as embedded malicious code with confirmed ransomware use; federal remediation deadline is 2026-06-10. Any CI/CD pipeline, IDE, or developer workstation pulling these packages should be treated as potentially compromised — rotate tokens, audit npm/pnpm lockfiles, and hunt for outbound C2 from build agents.
  • CVE-2026-8398 in Daemon Tools Lite is another embedded-malicious-code finding with an aggressive 2026-05-30 deadline — that's tomorrow. Endpoint teams should block the installer and sweep for existing installs on user-managed Windows hosts.
  • Older but relevant: CVE-2024-1708 (ConnectWise ScreenConnect path traversal) was re-elevated on 2026-04-28 with ransomware tagging — RMM exposure remains the soft underbelly of MSP-managed estates.

Past-Due and Imminent Deadlines

Several KEV entries hit their remediation date this week. If you haven't closed these, you're already non-compliant under BOD 22-01 and exposed to active exploitation:

  • CVE-2026-48172 (LiteSpeed cPanel Plugin, privilege escalation) and CVE-2026-42897 (Microsoft Exchange Server XSS) both carry 2026-05-29 deadlines — today. Exchange XSS chained with admin session theft remains the standard on-prem mail compromise path.
  • CVE-2026-9082 (Drupal Core SQL injection) was due 2026-05-27 and should already be patched; assume probing against any unpatched public Drupal install.
  • CVE-2026-41940 in WebPros cPanel & WHM / WP2 (missing authentication on a critical function, ransomware-linked) was due 2026-05-03 — hosting providers and shared-hosting tenants who deferred this are likely already encrypted candidates.
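As an added example, not part of the briefing, a small Python triage helper that reads a CISA-KEV-shaped JSON excerpt and buckets entries by BOD 22-01 status (past due, due today, imminent, scheduled) as of a chosen date, working ransomware-tagged entries first. The excerpt is constructed from CVEs and deadlines quoted above; ransomware flags the briefing does not mention are set to "Unknown" by assumption.

```python
import json
from datetime import date, timedelta

# Constructed excerpt shaped like CISA's KEV JSON feed (field names follow the real
# feed), populated with CVEs and deadlines quoted in this briefing. Ransomware
# flags the briefing does not mention are set to "Unknown" here by assumption.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-48027", "product": "Nx Console", "dueDate": "2026-06-10",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-45321", "product": "TanStack", "dueDate": "2026-06-10",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-8398", "product": "Daemon Tools Lite", "dueDate": "2026-05-30",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-48172", "product": "LiteSpeed cPanel Plugin", "dueDate": "2026-05-29",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-9082", "product": "Drupal Core", "dueDate": "2026-05-27",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-33825", "product": "Microsoft Defender", "dueDate": "2026-05-06",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-41940", "product": "cPanel & WHM", "dueDate": "2026-05-03",
     "knownRansomwareCampaignUse": "Known"},
]})


def triage_kev(feed_json: str, today_iso: str, horizon_days: int = 7) -> dict:
    """Bucket KEV entries by BOD 22-01 status as of `today_iso`; within each bucket
    ransomware-tagged entries sort first, then earliest due date."""
    today = date.fromisoformat(today_iso)
    buckets = {"past_due": [], "due_today": [], "imminent": [], "scheduled": []}
    for v in json.loads(feed_json)["vulnerabilities"]:
        due = date.fromisoformat(v["dueDate"])
        ransomware = v.get("knownRansomwareCampaignUse") == "Known"
        if due < today:
            key = "past_due"          # already non-compliant, assume exploitation
        elif due == today:
            key = "due_today"
        elif due <= today + timedelta(days=horizon_days):
            key = "imminent"          # inside the planning horizon
        else:
            key = "scheduled"
        buckets[key].append({"cveID": v["cveID"], "product": v["product"],
                             "dueDate": v["dueDate"], "ransomware": ransomware})
    for rows in buckets.values():
        # ISO dates sort correctly as strings; False sorts before True
        rows.sort(key=lambda r: (not r["ransomware"], r["dueDate"], r["cveID"]))
    return buckets


if __name__ == "__main__":
    for bucket, rows in triage_kev(KEV_SAMPLE, "2026-05-29").items():
        print(f"{bucket}: " + ", ".join(r["cveID"] for r in rows))
```

Swap `KEV_SAMPLE` for the downloaded KEV feed and the same function produces the day's work queue.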

Microsoft Defender Cluster

A notable concentration of Defender flaws landed 2026-05-20 with a 2026-06-03 deadline, suggesting an exploitation chain rather than isolated bugs:

  • CVE-2026-41091 (link following), CVE-2026-45498 (denial of service), and CVE-2026-33825 (insufficient access control granularity, added 2026-04-22, due 2026-05-06 — past due) together let an attacker disable or bypass Defender on a foothold host. Prioritize Defender platform updates and verify tamper protection is enforced via Intune/Group Policy.
  • CVE-2026-32202 (Windows protection mechanism failure) and the SharePoint input-validation flaw CVE-2026-32201 round out the Microsoft patch stack with 2026-04-28/2026-05-12 deadlines now elapsed.

Cisco Catalyst SD-WAN Trifecta

Three Cisco SD-WAN Manager issues landed together on 2026-04-20 with a tight 2026-04-23 deadline — all now overdue:

  • CVE-2026-20122 (incorrect use of privileged APIs), CVE-2026-20133 (sensitive information exposure), and CVE-2026-20128 (recoverable password storage) form a credential-harvest-to-privilege-escalation kill chain against SD-WAN management planes. A separate CVE-2026-20182 (Catalyst SD-WAN Controller authentication bypass, due 2026-05-17) compounds the risk. Network teams running Cisco SD-WAN should assume manager credentials are recoverable from compromised backups and rotate now.

Edge, RMM, and Network Appliance Exploitation

Threat actors continue to favor edge-management software:

  • CVE-2024-57728 and CVE-2024-57726 (SimpleHelp path traversal + missing authorization) were added 2026-04-24 with ransomware tagging — these are the same class of RMM bugs that fueled 2024's MSP-to-tenant compromises.
  • CVE-2026-0300 (Palo Alto PAN-OS out-of-bounds write, due 2026-05-09) and CVE-2026-6973 (Ivanti EPMM improper input validation, due 2026-05-10) round out the perimeter-device list — both are past due and should be considered exploited in unpatched estates.
  • CVE-2025-29635 (D-Link DIR-823X command injection) and CVE-2024-7399 (Samsung MagicINFO 9 Server path traversal) continue the long-running pattern of SOHO and digital-signage devices conscripted into botnets.

AI/ML Stack Under Attack

The AI tooling supply chain is now a first-class KEV category:

  • CVE-2025-34291 (Langflow origin validation, due 2026-06-04), CVE-2026-42208 (BerriAI LiteLLM SQL injection, due 2026-05-11), and CVE-2026-39987 (Marimo remote code execution, due 2026-05-07) all target the glue layer between LLM endpoints and enterprise data. Treat self-hosted AI gateways with the same scrutiny as internet-facing APIs — auth, egress filtering, and patch SLAs.

Legacy CVEs Re-Listed

CISA back-filled a batch of pre-2011 Microsoft and Adobe CVEs (CVE-2008-4250, CVE-2009-1537, CVE-2009-3459, CVE-2010-0249, CVE-2010-0806, CVE-2009-0238) on 2026-05-20 / 2026-04-14, all with early-June deadlines. These typically indicate ongoing exploitation against unpatched ICS, OT, or air-gapped Windows XP/7 enclaves — relevant to manufacturing, utilities, and healthcare imaging environments where legacy hosts persist.

Also On the Radar

  • CVE-2023-27351 (PaperCut NG/MF authentication bypass) and CVE-2024-27199 (JetBrains TeamCity path traversal) were re-listed 2026-04-20 with ransomware tagging and 2026-05-04 deadlines — both have been weaponized by Cl0p-adjacent crews historically.
  • CVE-2025-2749 (Kentico Xperience), CVE-2025-32975 (Quest KACE SMA improper authentication), CVE-2025-48700 (Zimbra ZCS XSS), CVE-2026-31431 (Linux kernel resource transfer), CVE-2026-34926 (Trend Micro Apex One directory traversal), and CVE-2026-34197 (Apache ActiveMQ input validation) round out a heavy month — all deadlines have now lapsed or land within days. If your patch cadence hasn't cleared these, escalate.

SOC Action Items

1. Treat Nx Console and TanStack as confirmed supply-chain incidents — audit developer endpoints and CI runners regardless of federal mandate.

2. Close the Defender cluster before 2026-06-03; verify tamper protection telemetry is reaching your SIEM.

3. Rotate all Cisco SD-WAN Manager credentials and review backup access — passwords are recoverable per CVE-2026-20128.

4. Inventory any LiteLLM, Langflow, or Marimo deployments; these are now KEV-grade exposure.