Cyber Threats Daily · 2026-05-30 · May 30, 2026

Cyber Threats Daily — PAN-OS auth bypass headlines KEV surge; supply-chain malware in Nx, Daemon Tools

---

Top of the queue: Palo Alto PAN-OS auth bypass, 48-hour clock

  • CVE-2026-0257 lands on KEV with a brutal 2026-06-01 remediation deadline — a PAN-OS authentication bypass in Palo Alto Networks' flagship NGFW platform. Federal agencies have roughly 48 hours; enterprises should treat this as an edge emergency given PAN-OS's exposure profile. This is the second PAN-OS entry this month after CVE-2026-0300 (out-of-bounds write), suggesting active campaigns probing perimeter firewalls.

Supply-chain malware: trusted tooling weaponized

Three KEV additions point to attackers compromising legitimate developer and consumer software at the source rather than exploiting bugs:

  • CVE-2026-48027 flags embedded malicious code in the Nx Console developer extension, tied to known ransomware activity — any dev workstation or CI runner with Nx installed during the affected window needs IOC sweeps before the 2026-06-10 deadline.
  • CVE-2026-45321 in TanStack (the popular JS data/query library family) is similarly linked to ransomware deployment; lock package versions and audit recent installs.
  • CVE-2026-8398 covers embedded malicious code in Daemon Tools Lite — consumer disk-imaging software likely riding shadow-IT installs into corporate endpoints. Deadline was 2026-05-30 (today); EDR hunt and uninstall.

Microsoft Defender weaponized against itself

CISA added three Defender flaws this cycle, all due 2026-06-03 — unusual concentration suggesting an exploit chain in the wild:

  • CVE-2026-41091 (link-following), CVE-2026-45498 (DoS), and CVE-2026-33825 (insufficient access-control granularity, due 2026-05-06) together let adversaries blind or sidestep the very EDR enterprises rely on. Verify Defender platform/engine updates are flowing; assume bypass possible on unpatched fleets.
  • Companion Windows additions CVE-2026-32202 (protection mechanism failure) and an unusual revival of legacy CVE-2008-4250, CVE-2009-1537, CVE-2010-0249, CVE-2010-0806, CVE-2009-3459 (Adobe), and CVE-2009-0238 (Office) suggest CISA is sweeping in attacks against still-deployed legacy systems — likely OT/embedded Windows. Inventory legacy estate now.

Exchange and Microsoft Office surface

  • CVE-2026-42897 is a stored XSS in Microsoft Exchange Server with a 2026-05-29 deadline (already past). If unpatched, assume mailbox compromise potential through admin/OWA sessions.

Edge appliances and SD-WAN: Cisco cluster

A four-CVE cluster hit Cisco Catalyst SD-WAN around 2026-04-20, with deadlines now expired — anything still unpatched is overdue:

  • CVE-2026-20182 (Controller authentication bypass, due 2026-05-17), plus Manager-side CVE-2026-20122 (privileged API misuse), CVE-2026-20133 (sensitive info exposure), and CVE-2026-20128 (recoverable password storage). Combined, these allow unauthenticated takeover of SD-WAN control planes — check Manager logs for anomalous API calls and rotate any credentials that were ever stored.

Ransomware-tagged backlog — verify patch status

Several recent KEV additions explicitly cite ransomware exploitation; all deadlines are in the past, so missed patches are now overdue incidents waiting to happen:

  • CVE-2026-41940 — WebPros cPanel & WHM / WP2 missing-auth on a critical function; mass-hosting impact.
  • CVE-2024-1708 — ConnectWise ScreenConnect path traversal, still being exploited two years on by RMM-targeting crews.
  • CVE-2024-57728 and CVE-2024-57726 — SimpleHelp path traversal and missing authorization, the duo behind multiple MSP-led ransomware incidents.
  • CVE-2023-27351 — PaperCut NG/MF auth bypass, a perennial Cl0p/LockBit favorite.
  • CVE-2024-27199 — JetBrains TeamCity path traversal, used to pivot into build pipelines.

If you operate any of these and missed the deadlines, treat it as a suspected compromise, not just a pending patch.

Web stack and CMS

  • CVE-2026-9082 — SQL injection in Drupal Core (deadline 2026-05-27, past). High-volume scanning expected; audit web logs for `UNION`/`SLEEP` patterns against Drupal endpoints.
  • CVE-2026-48172 — LiteSpeed cPanel Plugin privilege escalation (deadline 2026-05-29), pairs naturally with the cPanel/WHM ransomware bug above for full hosting-stack takeover.
  • CVE-2025-2749 (Kentico Xperience path traversal) and CVE-2025-48700 (Zimbra ZCS XSS) round out the CMS/collab additions.
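The Drupal log audit suggested above, as an added example (not part of the original digest): a small scanner over constructed access-log lines that percent-decodes each request target (repeatedly, so double-encoded payloads are not missed), restricts itself to an assumed set of Drupal-facing paths, and flags `UNION ... SELECT` and `SLEEP(`-style time-delay patterns. The Drupal path list and the extra `pg_sleep`/`BENCHMARK` patterns are assumptions added here.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2026:10:01:02 +0000] "GET /node/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2026:10:01:05 +0000] "GET /node?title=x%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 3001 "-" "sqlmap/1.8"
198.51.100.9 - - [30/May/2026:10:02:11 +0000] "GET /user/login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [30/May/2026:10:02:40 +0000] "GET /search/node?keys=a%2527%2529%2520AND%2520SLEEP%25285%2529-- HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
192.0.2.4 - - [30/May/2026:10:03:00 +0000] "GET /static/union-jack.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed Drupal-facing path prefixes; legacy ?q= routing is matched as well.
DRUPAL_PATH_RE = re.compile(r'^/(node|user|search|taxonomy|admin|jsonapi)(/|\?|$)|^/\?q=')

SQLI_PATTERNS = {
    "union_select": re.compile(r'\bUNION\b(\s+ALL)?\s+SELECT\b', re.I),
    "sleep": re.compile(r'\b(SLEEP|PG_SLEEP|BENCHMARK)\s*\(', re.I),
}

def full_decode(s, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s

def parse_line(line):
    """Parse one combined-format log line; return None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def scan_for_sqli(log_text):
    """Return findings for Drupal-path requests whose decoded target matches."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        target = full_decode(rec["target"])
        if not DRUPAL_PATH_RE.match(target):
            continue  # e.g. static assets such as union-jack.png are ignored
        hits = [name for name, rx in SQLI_PATTERNS.items() if rx.search(target)]
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "target": target, "patterns": hits})
    return findings

if __name__ == "__main__":
    for f in scan_for_sqli(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["patterns"], f["target"])
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; hits on source IPs that also appear with a Drupal 200 response are worth correlating with the Drupal watchdog log.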

AI/LLM tooling enters KEV mainstream

A notable trend: three AI-adjacent tools added in a single cycle, signaling attackers are now actively monetizing the AI stack.

  • CVE-2025-34291 — Langflow origin validation error (due 2026-06-04).
  • CVE-2026-42208 — BerriAI LiteLLM SQL injection (deadline 2026-05-11, past).
  • CVE-2026-39987 — Marimo notebook RCE (deadline 2026-05-07, past).

Inventory shadow AI tooling on dev networks; these stacks often run with broad data access and weak segmentation.

Other high-priority items

  • CVE-2026-34926 — Trend Micro Apex One (On-Premise) directory traversal hitting an endpoint security product itself; due 2026-06-04.
  • CVE-2026-6973 — Ivanti EPMM improper input validation (deadline 2026-05-10, past), continuing Ivanti's run of mobile-management exploitation.
  • CVE-2026-31431 — Linux kernel incorrect resource transfer between spheres (deadline 2026-05-15), relevant for container escape and multi-tenant hosts.
  • CVE-2026-34197 — Apache ActiveMQ improper input validation (deadline 2026-04-30, past); ActiveMQ remains a recurring ransomware entry point.
  • CVE-2025-29635 (D-Link DIR-823X command injection), CVE-2024-7399 (Samsung MagicINFO 9 path traversal), and CVE-2025-32975 (Quest KACE SMA auth bypass) — all overdue, all viable initial-access for botnets and intrusion crews.

Analyst takeaway

This cycle's signal is concentration: edge firewalls (PAN-OS, Cisco SD-WAN), endpoint defenses (Defender, Apex One), and the developer supply chain (Nx, TanStack, TeamCity, LiteLLM, Marimo) are all under simultaneous active exploitation. Prioritize the PAN-OS bypass and the Defender trio inside the next 72 hours; treat any missed past-due ransomware-tagged CVE as a hunt trigger, not a patch task.