Cyber Threats Daily — 2026-06-03 (June 3, 2026)
Cyber Threats Daily — PAN-OS auth bypass, supply-chain malware in Nx/TanStack, and a Cisco SD-WAN cluster headline KEV
---
Top of the Stack: Actively Exploited & Overdue
- CVE-2026-0257 is a Palo Alto Networks PAN-OS authentication bypass added to KEV on 2026-05-29 with a fast-turn remediation deadline of 2026-06-01 — federal agencies should already be patched; enterprise SOCs running PAN-OS at the perimeter should treat this as priority-zero and hunt for unauthenticated admin-plane access.
- CVE-2026-0300, an out-of-bounds write in PAN-OS, was due 2026-05-09 — pair its remediation with CVE-2026-0257 since both target the same product family and likely overlap in exploit chains.
- CVE-2026-20182 (Cisco Catalyst SD-WAN Controller auth bypass) hit KEV with a 2026-05-17 deadline, joined by CVE-2026-20122, CVE-2026-20133, and CVE-2026-20128 in Catalyst SD-WAN Manager (privileged-API misuse, info disclosure, recoverable-password storage) all due 2026-04-23 — collectively this is a full credential-and-control compromise path for SD-WAN fabrics; assume any unpatched manager is owned.
Supply-Chain & Embedded Malicious Code
- CVE-2026-48027 (Nx Console) and CVE-2026-45321 (TanStack) were both added 2026-05-27 as embedded-malicious-code issues with known ransomware association and a 2026-06-10 remediation deadline — developer workstations and CI runners pulling these packages should be triaged for IOCs and rotated secrets.
- CVE-2026-8398 flags Daemon Tools Lite as shipping malicious code (deadline 2026-05-30, already overdue) — uncommon in enterprise fleets but worth a software-inventory sweep.
Ransomware-Linked KEV Entries Still in the Window
- CVE-2026-41940 in WebPros cPanel & WHM / WP2 is a missing-authentication-on-critical-function bug with known ransomware use; deadline 2026-05-03 is past, and hosting providers running cPanel should validate patch status and review web-shell artifacts.
- CVE-2024-57728 and CVE-2024-57726 in SimpleHelp (path traversal + missing authorization) remain ransomware favorites; both due 2026-05-08 — if your MSP or internal IT uses SimpleHelp for remote support, this is a known initial-access vector.
- CVE-2024-1708 (ConnectWise ScreenConnect path traversal) and CVE-2023-27351 (PaperCut NG/MF auth bypass) round out the ransomware-tagged backlog with deadlines of 2026-05-12 and 2026-05-04 respectively — both are long-running, mass-exploited bugs that should not still be open.
Microsoft Stack: Defender, Exchange, and a Surprise Legacy Block
- A cluster of Microsoft Defender issues landed together: CVE-2026-41091 (link following), CVE-2026-45498 (DoS), CVE-2026-32202 (Windows protection-mechanism failure), and CVE-2026-33825 (insufficient access-control granularity) — deadlines span 2026-05-06 to 2026-06-03; collectively they suggest attackers are chaining Defender tamper/bypass primitives, so verify EDR integrity controls and tamper-protection telemetry.
- CVE-2026-42897 is a cross-site scripting bug in Microsoft Exchange Server (deadline 2026-05-29) — assume targeted phishing leveraging trusted Exchange origins; review OWA security headers and patch level.
- CISA also re-surfaced a batch of legacy Microsoft and Adobe bugs from 2008–2010 (CVE-2008-4250 Windows SMB/Conficker, CVE-2009-1537 DirectX, CVE-2009-3459 Acrobat heap overflow, CVE-2010-0249 and CVE-2010-0806 IE use-after-free) all due 2026-06-03 — this is almost certainly a KEV cleanup/backfill, but it’s a useful prompt to audit any embedded or OT systems still running unpatched XP/Win7-era stacks.
Web, App, and Infrastructure Patches Worth Tracking
- CVE-2024-21182 in Oracle WebLogic Server (deadline 2026-06-04) and CVE-2022-0492 in the Linux kernel (improper auth, deadline 2026-06-05) are this week’s near-term hits — WebLogic remains a perennial RCE target, and the kernel bug is a known container-escape primitive via cgroups v1.
- CVE-2025-48595 (Android Framework integer overflow, due 2026-06-05) belongs on the MDM team’s radar for fleet patch compliance.
- CVE-2026-34926 (Trend Micro Apex One on-prem directory traversal, due 2026-06-04) is notable because the affected product *is* the security control — exploitation gives attackers a foothold inside the EDR management plane.
- CVE-2026-9082 (Drupal core SQL injection, due 2026-05-27) and CVE-2026-48172 (LiteSpeed cPanel plugin privilege escalation, due 2026-05-29) round out the web-hosting attack surface; both are already overdue and trivially mass-scannable.
AI/ML and Niche Stack Exposure
- CVE-2025-34291 (Langflow origin-validation flaw), CVE-2026-42208 (BerriAI LiteLLM SQL injection, deadline 2026-05-11, overdue), and CVE-2026-39987 (Marimo RCE, due 2026-05-07) show CISA is steadily adding LLM-orchestration tooling to KEV — if data-science teams are self-hosting these, they belong in your asset inventory and patch SLA, not in a shadow-IT blind spot.
Also on the Catch-Up List
- CVE-2026-6973 (Ivanti EPMM improper input validation, due 2026-05-10), CVE-2025-29635 (D-Link DIR-823X command injection, due 2026-05-08), CVE-2024-7399 (Samsung MagicINFO 9 Server path traversal, due 2026-05-08), CVE-2025-2749 (Kentico Xperience path traversal, due 2026-05-04), CVE-2025-48700 (Zimbra ZCS XSS, due 2026-04-23), CVE-2025-32975 (Quest KACE SMA improper auth, due 2026-05-04), and CVE-2026-31431 (Linux kernel resource-transfer flaw, due 2026-05-15) are all past-deadline KEV entries — none are headline-grabbing individually, but together they paint a familiar picture of edge appliances, MDM, and digital-signage gear lagging on patch cycles.
Analyst Note
The week’s signal is concentrated: PAN-OS and Cisco SD-WAN at the perimeter, Defender tampering in the endpoint layer, and a fresh wave of developer-toolchain supply-chain compromises (Nx, TanStack, LiteLLM, Marimo). If you only fund three workstreams this sprint, make them perimeter network OS patching, EDR integrity validation, and a software-composition sweep of developer and CI environments.
