KEV surge: Drupal SQLi due 5/27, fresh ransomware-linked flaws in cPanel, SimpleHelp, ScreenConnect
Top of the stack: imminent KEV deadlines
- CVE-2026-9082 (Drupal Core SQL injection) was added to KEV on 2026-05-22 with a remediation deadline of 2026-05-27 — federal agencies have roughly 48 hours, and any internet-facing Drupal estate should be patched or pulled offline now.
- CVE-2026-42897, a Microsoft Exchange Server XSS, carries a 2026-05-29 KEV deadline; pair patching with a review of OWA session integrity and admin account activity.
- CVE-2026-34926 (Trend Micro Apex One On-Premise directory traversal) and CVE-2025-34291 (Langflow origin validation error) are both due 2026-06-04 — note that Apex One is the *security tool itself*, which makes this a priority for endpoint teams.
Ransomware-linked additions (treat as actively exploited)
CISA flagged six entries this cycle as having known ransomware use — these deserve emergency-change handling regardless of FCEB applicability:
- CVE-2026-41940 in WebPros cPanel & WHM / WP2 (missing auth on a critical function) was added 2026-04-30 with a remediation date already past (2026-05-03); shared-hosting providers are a soft target for mass compromise here.
- CVE-2024-1708 (ConnectWise ScreenConnect path traversal) re-enters scrutiny as ransomware crews continue weaponizing MSP tooling — KEV due 2026-05-12.
- CVE-2024-57728 and CVE-2024-57726 in SimpleHelp (path traversal + missing authorization) form a chain commonly observed in intrusion sets pivoting through remote-support software; both due 2026-05-08.
- CVE-2023-27351 (PaperCut NG/MF auth bypass) and CVE-2024-27199 (JetBrains TeamCity path traversal) round out the ransomware-tagged set, both due 2026-05-04 — older bugs, but still being chained for initial access and CI/CD pivoting respectively.
- CVE-2023-21529 (Exchange Server deserialization) is also tagged ransomware-use with a 2026-04-27 deadline already expired; if your Exchange isn't on the latest CU, assume exposure.
Network edge and management plane
Cisco's Catalyst SD-WAN stack dominated this window with four KEV entries — strongly suggesting an active exploitation cluster against SD-WAN operators:
- CVE-2026-20182 (Catalyst SD-WAN Controller authentication bypass, due 2026-05-17) is the highest-impact of the set, allowing unauthenticated access to the control plane.
- CVE-2026-20122, CVE-2026-20133, and CVE-2026-20128 affect Catalyst SD-WAN Manager — covering privileged API misuse, info disclosure, and recoverable password storage. All carried a 2026-04-23 deadline (now lapsed); audit Manager hosts for unauthorized admin creation and credential exfil.
- CVE-2026-0300 (Palo Alto PAN-OS out-of-bounds write) was due 2026-05-09; treat any unpatched firewall as compromised pending forensics.
- CVE-2026-6973 (Ivanti EPMM improper input validation) is another mobile-management-plane bug — given Ivanti's track record, assume in-the-wild abuse beyond what has been disclosed.
- CVE-2025-29635 (D-Link DIR-823X command injection) is consumer-grade but routinely absorbed into botnets; ISPs and SMBs should sweep.
Microsoft cluster
A notable batch of Microsoft entries landed mid-month, including several Defender-targeting bugs — the security product attack surface remains a growing focus:
- CVE-2026-41091 (Defender link following) and CVE-2026-45498 (Defender DoS) were added 2026-05-20 with 2026-06-03 deadlines; CVE-2026-33825 (Defender access-control granularity) is due 2026-05-06.
- CVE-2026-32202 (Windows protection-mechanism failure) and CVE-2025-60710 (Windows link following) point at continued ACL/symlink abuse paths used by post-exploitation tooling.
- CVE-2026-32201 (SharePoint Server input validation) joins a recurring theme of SharePoint as initial-access surface — due 2026-04-28.
- A surprising tranche of *legacy* Microsoft CVEs returned to KEV: CVE-2008-4250 (MS08-067, Conficker-era), CVE-2009-1537 (DirectX), CVE-2010-0249 and CVE-2010-0806 (IE use-after-frees), CVE-2009-0238 (Office RCE), and CVE-2012-1854 (VBA insecure library load). Their reappearance typically signals fresh observed exploitation against unmanaged or air-gapped legacy systems — worth a discovery sweep for end-of-life hosts.
App and infrastructure layer
- CVE-2026-42208 (BerriAI LiteLLM SQL injection) and CVE-2026-39987 (Marimo RCE) signal continued targeting of the AI/LLM tooling stack — both already past deadline. Inventory any LiteLLM proxies or Marimo notebook deployments exposed to untrusted users.
- CVE-2026-34197 (Apache ActiveMQ input validation) is the latest in a long-running ActiveMQ exploitation thread; deadline 2026-04-30.
- CVE-2026-31431 (Linux kernel cross-sphere resource transfer) was due 2026-05-15 — patch cadence on kernel updates needs to absorb this for container hosts in particular.
- CVE-2024-7399 (Samsung MagicINFO 9 Server path traversal), CVE-2025-2749 (Kentico Xperience path traversal), CVE-2025-32975 (Quest KACE SMA auth bypass), and CVE-2025-48700 (Zimbra ZCS XSS) round out the application-layer adds — all with deadlines in the late-April / early-May window that have now passed.
Editor's take
This cycle's KEV firehose is unusually large (40 entries) and skewed toward two themes: management-plane compromise (SD-WAN, EPMM, KACE, ScreenConnect, SimpleHelp, cPanel) and security-tool-as-target (Defender ×3, Apex One). If your patch backlog forces triage, prioritize anything that an attacker reaches *before* EDR fires — the management plane — over endpoint-resident bugs. The legacy Microsoft re-adds also suggest CISA is seeing exploitation of unmanaged estate; run a discovery pass for Windows hosts that haven't reported to inventory in 90+ days.
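The triage order argued for above (overdue first, then ransomware-tagged, then management-plane products, then nearest deadline) as an added Python illustration; this is not code from CISA or from this newsletter. It uses the real KEV feed's field names, sample values copied from the entries above, and an assumed management-plane keyword list taken from the editor's grouping.

```python
import json
from datetime import date

# Products the editor's take groups as "management plane"; assumed keyword list, edit to taste.
MANAGEMENT_PLANE = ("SD-WAN", "cPanel", "ScreenConnect", "SimpleHelp", "EPMM", "KACE")

# Constructed sample in the shape of the KEV feed's "vulnerabilities" array (real field
# names; CVE ids, products, due dates and ransomware tags copied from the digest).
KEV_SAMPLE = [
    {"cveID": "CVE-2026-9082", "product": "Drupal Core", "dueDate": "2026-05-27",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-42897", "product": "Exchange Server", "dueDate": "2026-05-29",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-41940", "product": "cPanel & WHM", "dueDate": "2026-05-03",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-1708", "product": "ScreenConnect", "dueDate": "2026-05-12",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-20182", "product": "Catalyst SD-WAN Controller", "dueDate": "2026-05-17",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-41091", "product": "Microsoft Defender", "dueDate": "2026-06-03",
     "knownRansomwareCampaignUse": "Unknown"},
]

def classify(entry, today, horizon_days=7):
    """Attach the three triage signals and a due-date bucket to one KEV entry."""
    due = date.fromisoformat(entry["dueDate"])
    days_left = (due - today).days
    ransomware = entry.get("knownRansomwareCampaignUse", "").lower() == "known"
    mgmt_plane = any(k.lower() in entry["product"].lower() for k in MANAGEMENT_PLANE)
    if days_left < 0:
        bucket = "OVERDUE"
    elif days_left <= horizon_days:
        bucket = "DUE_SOON"
    else:
        bucket = "SCHEDULED"
    return {"cveID": entry["cveID"], "product": entry["product"], "due": due,
            "days_left": days_left, "ransomware": ransomware,
            "mgmt_plane": mgmt_plane, "bucket": bucket}

def triage(entries, today, horizon_days=7):
    """Order: overdue first, then ransomware-tagged, then management plane, then by due date."""
    today = date.fromisoformat(today)
    rows = [classify(e, today, horizon_days) for e in entries]
    rows.sort(key=lambda r: (r["days_left"] >= 0, not r["ransomware"], not r["mgmt_plane"], r["due"]))
    return rows

def triage_feed(feed_json, today, horizon_days=7):
    """Same ordering over a raw KEV JSON document (top-level key "vulnerabilities")."""
    return triage(json.loads(feed_json)["vulnerabilities"], today, horizon_days)

if __name__ == "__main__":
    for r in triage(KEV_SAMPLE, "2026-05-25"):
        flags = ("RANSOMWARE " if r["ransomware"] else "") + ("MGMT-PLANE" if r["mgmt_plane"] else "")
        print(f'{r["bucket"]:9} {r["cveID"]:15} {r["days_left"]:+4d}d {r["product"]:28} {flags}')
```

Point `triage_feed` at the downloaded KEV JSON and swap the sample date for today's to get the same ordering over the full catalog.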
