Cyber Threats Daily — 2026-05-20

TITLE: Cyber Threats Daily — KEV surge: Exchange XSS, Cisco SD-WAN auth bypass, ransomware crews still riding SimpleHelp & cPanel

---

Top of the stack: fresh KEV additions with tight clocks

CISA's KEV catalog has been busy over the last six weeks. The newest entries — all confirmed exploited in the wild — are where SOCs should be looking first.

  • CVE-2026-42897 lands a Microsoft Exchange Server cross-site scripting flaw on KEV (added 2026-05-15); federal remediation due 2026-05-29, and given Exchange's history as a ransomware on-ramp, treat this as priority one for any internet-exposed OWA.
  • CVE-2026-20182 is an authentication bypass in Cisco Catalyst SD-WAN Controller — added 2026-05-14 with an aggressive 2026-05-17 deadline that has already passed; if you run SD-WAN Controller and haven't patched, assume compromise and hunt.
  • CVE-2026-42208 (BerriAI LiteLLM SQL injection) is a notable signal that AI middleware is now squarely in the exploited-in-the-wild bucket; due 2026-05-11. Anyone running LiteLLM as an LLM gateway should audit immediately.
  • CVE-2026-6973 and CVE-2026-1340 stack two Ivanti EPMM bugs (improper input validation and code injection) on KEV inside six weeks — EPMM remains a persistent target; due 2026-05-10 and 2026-04-11 respectively.
  • CVE-2026-0300 is an out-of-bounds write in Palo Alto Networks PAN-OS, added 2026-05-06 with a 2026-05-09 deadline; patch state on perimeter firewalls should be verified now.
  • CVE-2026-31431 in the Linux kernel (incorrect resource transfer between spheres, the CWE-669 weakness class) was added 2026-05-01 with a 2026-05-15 due date. "Spheres" is CWE's term for control spheres, i.e. a resource crossing from one trust domain into another, so this is relevant for container hosts and multi-tenant infrastructure where the kernel is the boundary being relied on.

Ransomware-flagged entries — assume operator interest

CISA explicitly tagged several recent additions as having known ransomware use. These are the ones extortion crews are already turning into payloads:

  • CVE-2026-41940 in WebPros cPanel & WHM / WP2 is a missing-authentication flaw on a critical function, added 2026-04-30 with a 2026-05-03 deadline and the ransomware flag set. Hosting providers and shared-hosting customers are squarely in scope.
  • CVE-2024-1708 (ConnectWise ScreenConnect path traversal) is back on the radar with a fresh KEV listing and ransomware flag; due 2026-05-12. RMM tools continue to be a top initial-access vector.
  • CVE-2024-57728 and CVE-2024-57726 are paired SimpleHelp flaws (path traversal on file upload and missing authorization), both ransomware-flagged with a 2026-05-08 deadline. Chained, they take a low-privilege technician account to admin and from there to arbitrary file write on the server, an RCE-equivalent on remote-support infrastructure.
  • CVE-2024-27199 (JetBrains TeamCity relative path traversal) and CVE-2023-27351 (PaperCut NG/MF improper authentication) round out the ransomware set, both due 2026-05-04. Build servers and print servers remain favorite footholds.
  • CVE-2023-21529, a Microsoft Exchange deserialization bug, also carries a ransomware flag (due 2026-04-27) — pair with the new CVE-2026-42897 above when scoping Exchange exposure.

Network edge: Cisco SD-WAN Manager triple-hit

Three Catalyst SD-WAN Manager CVEs landed together on 2026-04-20 with a 2026-04-23 deadline — all now overdue for federal civilian agencies:

  • CVE-2026-20122 (incorrect use of privileged APIs), CVE-2026-20133 (sensitive information exposure), and CVE-2026-20128 (recoverable-format password storage) chain into a credible privilege-escalation and credential-theft path on SD-WAN management planes. If you operate Catalyst SD-WAN Manager, treat this cluster as a single incident-response scope.

Also overdue at the edge: CVE-2026-3055 in Citrix NetScaler (OOB read, due 2026-04-02), CVE-2025-53521 F5 BIG-IP stack buffer overflow (due 2026-03-30), and CVE-2026-21643 / CVE-2026-35616 in Fortinet FortiClient EMS (SQLi and improper access control, deadlines in mid-April). The pattern is unchanged: ingress appliances continue to dominate the exploited-edge category.

Microsoft, Adobe, and the long tail

Microsoft contributed a heavy block of additions on 2026-04-13 and 2026-04-14:

  • CVE-2026-32202 (Windows protection mechanism failure, due 2026-05-12), CVE-2026-32201 (SharePoint Server improper input validation, due 2026-04-28), CVE-2026-33825 (Defender access-control granularity, due 2026-05-06), CVE-2025-60710 (Windows link-following, due 2026-04-27), and CVE-2023-36424 (Windows OOB read, due 2026-04-27) form a coherent endpoint-and-collab patch wave.
  • Notably, CISA also reached back for two very old bugs, CVE-2009-0238 (Office RCE) and CVE-2012-1854 (VBA insecure library loading), indicating in-the-wild use against unpatched legacy estates. If you still have Office 2007/2010-era footprints, this is your warning.
  • Adobe CVE-2020-9715 (Acrobat UAF) and CVE-2026-34621 (Acrobat/Reader prototype pollution) round out the document-handler exposure, both due 2026-04-27.

Supply chain and developer tooling

Two entries deserve specific attention from AppSec and platform teams:

  • CVE-2026-33634 flags Aqua Security's Trivy scanner as having shipped embedded malicious code. A scanner itself becoming the threat is a supply-chain inversion worth a full pipeline audit, starting with which Trivy versions and images your CI actually pulled; due 2026-04-09 and now overdue.
  • CVE-2026-39987 (Marimo RCE) and CVE-2026-5281 (Google Dawn use-after-free) extend the pattern of developer-facing tooling being actively targeted; both deadlines have passed.

Lower-priority but worth tracking

A handful of additions are less broadly exposed but high-impact in their niches:

  • CVE-2025-29635 (D-Link DIR-823X command injection)
  • CVE-2024-7399 (Samsung MagicINFO 9 path traversal; digital-signage networks)
  • CVE-2025-2749 (Kentico Xperience path traversal)
  • CVE-2025-48700 (Zimbra ZCS XSS)
  • CVE-2025-32975 (Quest KACE SMA improper authentication)
  • CVE-2026-34197 (Apache ActiveMQ improper input validation)
  • CVE-2026-3502 (TrueConf Client integrity-check failure on downloaded code)

All have May-window deadlines that have either just passed or are imminent. Sweep your CMDB for these by product name, not just by CVE: KEV records carry vendorProject and product fields, and a product-name match catches assets whose CVE-to-package mapping your scanner has not caught up with yet.
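As an added example (not part of this digest and not CISA tooling), the Python below triages KEV entries against a CMDB export by vendor and product name, ordering hits by ransomware flag and then due date, and reports catalog entries with no inventory match. The record layout follows the fields of CISA's public known_exploited_vulnerabilities.json feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse); the sample records are constructed from entries named above, the inventory and host names are hypothetical, and dateAdded is omitted where this digest does not give it.

```python
# Added example for this digest (not CISA tooling): triage KEV entries against a
# CMDB export. Record fields follow CISA's known_exploited_vulnerabilities.json
# (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse).
# Sample records and inventory are constructed from entries named in this digest.
import json
from datetime import date

# Constructed KEV sample; dateAdded omitted where the digest does not state it.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-2026-42897", "vendorProject": "Microsoft", "product": "Exchange Server",
  "dateAdded": "2026-05-15", "dueDate": "2026-05-29", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2026-20182", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Controller",
  "dateAdded": "2026-05-14", "dueDate": "2026-05-17", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
  "dateAdded": "2026-04-20", "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2026-0300", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
  "dateAdded": "2026-05-06", "dueDate": "2026-05-09", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2026-41940", "vendorProject": "WebPros", "product": "cPanel & WHM",
  "dateAdded": "2026-04-30", "dueDate": "2026-05-03", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2026-42208", "vendorProject": "BerriAI", "product": "LiteLLM",
  "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Unknown"}
]}""")

# Constructed CMDB export with hypothetical host names.
INVENTORY = [
    {"asset": "mail01", "vendor": "Microsoft", "product": "Microsoft Exchange Server"},
    {"asset": "sdwan-mgr", "vendor": "Cisco", "product": "Catalyst SD-WAN Manager"},
    {"asset": "sdwan-ctl", "vendor": "Cisco", "product": "Catalyst SD-WAN Controller"},
    {"asset": "fw-edge-1", "vendor": "Palo Alto Networks", "product": "PAN-OS"},
    {"asset": "web-shared-3", "vendor": "WebPros", "product": "cPanel"},
]


def _norm(s):
    """Lower-case and collapse whitespace so vendor/product strings compare loosely."""
    return " ".join(s.lower().split())


def load_kev(feed):
    """Parse the feed's ISO dates and turn the ransomware flag into a bool."""
    return [{
        "cveID": v["cveID"], "vendor": v["vendorProject"], "product": v["product"],
        "dateAdded": date.fromisoformat(v["dateAdded"]) if "dateAdded" in v else None,
        "dueDate": date.fromisoformat(v["dueDate"]),
        "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
    } for v in feed["vulnerabilities"]]


def product_matches(rec, asset):
    """Vendor and product match if either side's name contains the other.

    KEV product strings are not normalised ("Exchange Server" vs a CMDB's
    "Microsoft Exchange Server"), so containment beats exact equality, while
    "SD-WAN Manager" and "SD-WAN Controller" still stay apart.
    """
    kv, av = _norm(rec["vendor"]), _norm(asset["vendor"])
    kp, ap = _norm(rec["product"]), _norm(asset["product"])
    return (kv in av or av in kv) and (kp in ap or ap in kp)


def triage(feed, inventory, today):
    """Pair KEV records with affected assets; ransomware-flagged first, then earliest due."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for rec in load_kev(feed):
        for asset in inventory:
            if product_matches(rec, asset):
                days = (rec["dueDate"] - today).days
                rows.append({
                    "cveID": rec["cveID"], "asset": asset["asset"],
                    "due": rec["dueDate"].isoformat(), "days_to_due": days,
                    "status": "overdue" if days < 0 else ("due today" if days == 0 else "open"),
                    "ransomware": rec["ransomware"],
                })
    rows.sort(key=lambda r: (not r["ransomware"], r["days_to_due"]))
    return rows


def unmatched(feed, inventory):
    """CVEs with no inventory hit: out of scope, or a CMDB naming gap to chase."""
    return [rec["cveID"] for rec in load_kev(feed)
            if not any(product_matches(rec, a) for a in inventory)]


if __name__ == "__main__":
    for r in triage(KEV_SAMPLE, INVENTORY, "2026-05-20"):
        flag = "RANSOMWARE " if r["ransomware"] else ""
        print(f'{flag}{r["cveID"]:<15} {r["asset"]:<13} due {r["due"]} {r["status"]} ({r["days_to_due"]:+d}d)')
    print("no inventory match:", unmatched(KEV_SAMPLE, INVENTORY))
```

Run against the constructed data with today as 2026-05-20, the cPanel entry sorts first because of its ransomware flag even though the SD-WAN Manager entry is more overdue, and LiteLLM surfaces as unmatched, which is exactly the case where a product-name sweep of the CMDB (rather than a CVE lookup) tells you whether that is a real gap or a naming mismatch. Swap KEV_SAMPLE for the full feed file and INVENTORY for your CMDB export to use it for real.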

Analyst takeaway

The dominant theme this cycle is the *edge-and-management-plane* compromise pattern: Cisco SD-WAN, Palo Alto, Citrix, F5, FortiClient EMS, Ivanti EPMM, and SimpleHelp/ScreenConnect together represent the bulk of the ransomware-flagged and tight-deadline entries. If you only have time for one workstream this week, it's auditing patch state on remote-access and network-management infrastructure — and confirming that the Cisco SD-WAN Manager trio (already past deadline) is closed in your environment.