Cyber Threats Daily — 2026-06-05 (June 5, 2026)

Cyber Threats Daily — KEV surge: Palo Alto auth bypass, Cisco SD-WAN cluster, fresh supply-chain malware in Nx & TanStack

---

Top of the stack: actively exploited, deadlines passed or imminent

  • CVE-2026-0257, an authentication bypass in Palo Alto Networks PAN-OS, was added to KEV on 2026-05-29 with a federal remediation deadline of 2026-06-01 — that deadline has now lapsed, so any unpatched edge firewalls should be treated as presumed-compromised pending IR review.
  • CVE-2026-0300, an out-of-bounds write in PAN-OS, sits alongside it (KEV added 2026-05-06, due 2026-05-09); the two together mean Palo Alto perimeter gear is the single hottest exploitation surface this cycle.
  • CVE-2024-21182 in Oracle WebLogic Server was added 2026-06-01 with a 2026-06-04 due date — patch immediately or pull WebLogic off the public internet; historical pattern is rapid commodity exploitation.
  • CVE-2026-45247, a deserialization-of-untrusted-data flaw in Mirasvit Full Page Cache Warmer (Magento extension), hits KEV with a 2026-06-06 deadline; e-commerce shops running Magento with Mirasvit should patch today.
  • CVE-2025-48595, an integer overflow in the Android Framework, was added 2026-06-02 (due 2026-06-05) — push the latest Android security patch level to managed fleets now.
  • CVE-2022-0492, the long-known Linux Kernel cgroups privilege flaw, was finally added to KEV (due 2026-06-05) — container escape territory; audit kernel versions on Kubernetes nodes and bastion hosts.

Supply-chain / malicious-code injections

A cluster of KEV entries this cycle consists not of traditional bugs but of embedded malicious code in widely used developer and desktop tooling — treat them as supply-chain incidents, not patch cycles.

  • CVE-2026-48027 flags embedded malicious code in Nx Console with known ransomware use (due 2026-06-10); developers who installed affected versions should rotate any credentials, npm tokens and SSH keys reachable from their workstation.
  • CVE-2026-45321 marks a similar issue in TanStack with known ransomware use (due 2026-06-10) — audit lockfiles and CI artifacts for tainted releases.
  • CVE-2026-8398 is embedded malicious code in Daemon Tools Lite (deadline 2026-05-30, already past); remove from corporate endpoints and hunt for persistence.

Network edge: Cisco SD-WAN trio

Cisco Catalyst SD-WAN Manager drew three coordinated KEV entries on 2026-04-20 (all due 2026-04-23, long lapsed): CVE-2026-20122 (incorrect use of privileged APIs), CVE-2026-20133 (sensitive info exposure), and CVE-2026-20128 (recoverable password storage). Separately, CVE-2026-20182 is an authentication bypass in the Catalyst SD-WAN Controller (due 2026-05-17). Combined, an attacker chaining these can move from unauthenticated controller access to credential recovery on the manager — assume any SD-WAN fabric that missed the April patch window needs credential rotation and config review.

Defender, Exchange and Windows

Microsoft attracted an unusually broad set of KEV adds:

  • CVE-2026-41091 (link following) and CVE-2026-45498 (DoS) in Microsoft Defender, plus CVE-2026-33825 (insufficient access-control granularity), collectively suggest in-the-wild abuse aimed at neutralizing EDR before follow-on actions; verify Defender platform/engine versions across the fleet.
  • CVE-2026-42897, an XSS in Microsoft Exchange Server (due 2026-05-29), is being exploited — apply the latest CU/SU and review OWA logs for suspicious script delivery.
  • CVE-2026-32202, a protection-mechanism failure in Microsoft Windows (due 2026-05-12), rounds out the Microsoft set.
  • CISA also belatedly added a batch of legacy Microsoft/Adobe bugs (CVE-2008-4250 MS08-067, CVE-2009-1537 DirectX, CVE-2009-3459 Acrobat, CVE-2010-0249 and CVE-2010-0806 IE use-after-free) — relevant only if you still operate unsupported XP/Win7/IE estates, in which case isolation, not patching, is the answer.

Remote-support and hosting-panel exploitation (ransomware-tagged)

Initial-access brokers are clearly leaning on hosting and remote-support tooling:

  • CVE-2026-41940 in WebPros cPanel & WHM / WP2 (missing authentication on a critical function, ransomware-linked, due 2026-05-03) and CVE-2026-48172 (LiteSpeed cPanel Plugin privilege escalation, due 2026-05-29) put shared-hosting providers squarely in the crosshairs.
  • CVE-2024-1708 in ConnectWise ScreenConnect (path traversal, ransomware-linked, due 2026-05-12) plus CVE-2024-57728 and CVE-2024-57726 in SimpleHelp (path traversal and missing authorization, both ransomware-linked, due 2026-05-08) extend the pattern to MSP tooling — MSPs and their downstream customers should hunt for unauthorized technician sessions and unexpected file drops.
  • CVE-2023-27351 in PaperCut NG/MF (improper authentication, ransomware-linked, due 2026-05-04) re-enters operational relevance; legacy PaperCut servers remain a recurring ransomware ingress.

AI/ML stack now squarely in KEV territory

Three AI-adjacent products joined KEV, confirming attacker interest in the MLOps surface:

  • CVE-2025-34291 — origin validation error in Langflow (due 2026-06-04).
  • CVE-2026-42208 — SQL injection in BerriAI LiteLLM (due 2026-05-11).
  • CVE-2026-39987 — remote code execution in Marimo notebooks (due 2026-05-07).

If your data-science teams stood any of these up on shared infrastructure, assume they were never hardened and put them behind authenticated proxies immediately.

Also worth patching this week

  • CVE-2026-34926 — directory traversal in Trend Micro Apex One (On-Premise), due 2026-06-04; an EDR bypass primitive on the very platform meant to stop these attacks.
  • CVE-2026-6973 — improper input validation in Ivanti EPMM, due 2026-05-10; Ivanti MDM continues its streak of exploited bugs.
  • CVE-2026-31431 — Linux kernel resource-transfer flaw, due 2026-05-15.
  • CVE-2026-9082 — SQL injection in Drupal Core, due 2026-05-27.
  • CVE-2025-2749 (Kentico Xperience path traversal, due 2026-05-04) and CVE-2025-48700 (Zimbra Collaboration Suite XSS, due 2026-04-23) round out the CMS/collab exposure.
  • CVE-2025-29635 (D-Link DIR-823X command injection) and CVE-2024-7399 (Samsung MagicINFO 9 Server path traversal), both due 2026-05-08, target SOHO and digital-signage estates respectively — common pivot points into flat networks.

Analyst takeaway

Three themes dominate today's digest: (1) perimeter gear — Palo Alto and Cisco SD-WAN — is being actively chained for unauthenticated access; (2) supply-chain poisoning of developer tooling (Nx, TanStack, Daemon Tools) has crossed into ransomware operations, meaning dev workstations need the same hunt discipline as servers; and (3) the AI tooling stack (Langflow, LiteLLM, Marimo) is now a KEV-grade attack surface. Prioritize Palo Alto, WebLogic, and the Mirasvit/Android entries with deadlines this week.
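The deadline triage this digest keeps returning to (lapsed versus imminent KEV due dates, ransomware-linked entries first, limited to products actually deployed), as an added Python example that is not part of the digest: the record field names are those of CISA's public KEV JSON feed, while the sample records, the "Nx" vendor label and the asset inventory are constructed from the entries above.

```python
"""Triage CISA KEV entries against an asset inventory by remediation deadline.
Added example, not code from the digest: field names follow CISA's public KEV JSON
feed; the sample records and inventory below are constructed from this digest."""
import json
from datetime import date, timedelta

KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-0257", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "dueDate": "2026-06-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-45247", "vendorProject": "Mirasvit", "product": "Full Page Cache Warmer",
     "dueDate": "2026-06-06", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-48027", "vendorProject": "Nx", "product": "Nx Console",
     "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-9082", "vendorProject": "Drupal", "product": "Drupal Core",
     "dueDate": "2026-05-27", "knownRansomwareCampaignUse": "Unknown"},
]})
# Constructed inventory: (vendor, product) lower-cased -> deployed instances.
INVENTORY = {("palo alto networks", "pan-os"): 12,
             ("mirasvit", "full page cache warmer"): 2,
             ("nx", "nx console"): 40}

RANK = {"lapsed": 0, "imminent": 1, "scheduled": 2}

def deadline_status(due, today, window_days=7):
    """'lapsed' once the due date is past, 'imminent' within the window, else 'scheduled'."""
    if due < today:
        return "lapsed"
    return "imminent" if due - today <= timedelta(days=window_days) else "scheduled"

def triage(kev_json, inventory, today_iso):
    """Return the KEV entries that touch the inventory, most urgent first."""
    today = date.fromisoformat(today_iso)
    rows = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        assets = inventory.get((v["vendorProject"].lower(), v["product"].lower()), 0)
        if not assets:
            continue  # not deployed here, so nothing to remediate
        due = date.fromisoformat(v["dueDate"])
        rows.append({"cve": v["cveID"], "product": v["product"], "assets": assets,
                     "status": deadline_status(due, today),
                     "days_to_due": (due - today).days,  # negative once lapsed
                     "ransomware": v["knownRansomwareCampaignUse"] == "Known"})
    # Lapsed deadlines first, then ransomware-linked entries, then the nearest due date.
    rows.sort(key=lambda r: (RANK[r["status"]], not r["ransomware"], r["days_to_due"]))
    return rows

if __name__ == "__main__":
    for r in triage(KEV_SAMPLE, INVENTORY, "2026-06-05"):
        print(f'{r["status"]:9} {r["days_to_due"]:+4d}d  {r["cve"]}  {r["product"]} ({r["assets"]} assets)')
```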
