Cyber Threats Daily — 2026-05-24
TITLE: KEV surge: Drupal SQLi due Tuesday, fresh ransomware-linked flaws in cPanel, SimpleHelp, and PaperCut
Top of the Stack: Imminent KEV Deadlines
- CVE-2026-9082, a SQL injection in Drupal Core added to KEV on 2026-05-22, carries the tightest federal remediation deadline on the board — agencies must patch by 2026-05-27 (Tuesday). Public-sector Drupal operators should treat this as a fire drill.
- CVE-2026-42897, a cross-site scripting flaw in Microsoft Exchange Server, has a KEV due date of 2026-05-29; pair remediation with a sweep for stale OWA sessions and webmail abuse.
- CVE-2025-34291 (Langflow origin validation error) and CVE-2026-34926 (Trend Micro Apex On-Prem directory traversal) both come due 2026-06-04 — Apex One is endpoint security infrastructure, so prioritize accordingly.
Ransomware-Linked Additions (Highest Priority)
CISA flagged several new and recently added KEV entries as having known ransomware tradecraft attached. Treat any internet-exposed instance as compromised until proven otherwise:
- CVE-2026-41940 is a missing-authentication flaw in WebPros cPanel & WHM / WP2 (WordPress Squared) that allows unauthenticated access to critical functions; ransomware crews are already using it, and the federal due date has already passed (2026-05-03). Hosting providers are the obvious blast radius.
- CVE-2024-57728 and CVE-2024-57726 in SimpleHelp (path traversal + missing authorization) form a chained foothold for remote-support compromise; both were due 2026-05-08. SimpleHelp servers continue to be a recurring intrusion vector for MSP-borne ransomware.
- CVE-2024-1708 (ConnectWise ScreenConnect path traversal, due 2026-05-12), CVE-2023-27351 (PaperCut NG/MF auth bypass, due 2026-05-04), CVE-2024-27199 (JetBrains TeamCity path traversal, due 2026-05-04), and CVE-2023-21529 (Exchange deserialization, due 2026-04-27) round out the ransomware-flagged set — all overdue per KEV. Hunt for post-exploitation persistence, not just patch state.
Network Edge and Identity Infrastructure
- Cisco Catalyst SD-WAN is having a rough month: CVE-2026-20182 (authentication bypass on the Controller, due 2026-05-17, already lapsed) is the headline, joined by Manager-side issues CVE-2026-20122 (privileged API misuse), CVE-2026-20133 (sensitive info exposure), and CVE-2026-20128 (recoverable password storage) — all with a 2026-04-23 deadline that has come and gone. Audit SD-WAN admin accounts and rotate any credentials handled by Manager.
- CVE-2026-0300, an out-of-bounds write in Palo Alto PAN-OS (due 2026-05-09), and CVE-2026-6973, an Ivanti EPMM input validation bug (due 2026-05-10), both target perimeter/MDM appliances historically abused for initial access.
- CVE-2025-29635 (D-Link DIR-823X command injection, due 2026-05-08) and CVE-2024-7399 (Samsung MagicINFO 9 Server path traversal, due 2026-05-08) extend the edge-device theme into SMB routers and digital signage — both classes routinely scraped into botnets.
Microsoft Stack: Defender, Windows, SharePoint, Office
A heavy Microsoft block hit KEV on 2026-05-20 with 2026-06-03 deadlines: CVE-2026-41091 (Defender link following), CVE-2026-45498 (Defender DoS), plus revived legacy entries CVE-2008-4250 (Windows buffer overflow), CVE-2009-1537 (DirectX), CVE-2009-3459 (Adobe Reader heap overflow), and CVE-2010-0249 / CVE-2010-0806 (IE use-after-free). The decade-old additions strongly suggest CISA is reacting to fresh exploitation against unpatched legacy estates — ICS, kiosks, and OT jump hosts are the usual suspects.
Also worth flagging: CVE-2026-33825 (Defender access-control granularity, due 2026-05-06), CVE-2026-32202 (Windows protection mechanism failure, due 2026-05-12), CVE-2025-60710 (Windows link following, due 2026-04-27), and CVE-2026-32201 (SharePoint input validation, due 2026-04-28). SharePoint exposure remains a recurring initial-access vector — confirm the patch baseline before chasing newer items.
AI/Dev Tooling Reaches KEV
The pipeline of AI-adjacent products onto KEV continues: CVE-2025-34291 (Langflow), CVE-2026-42208 (BerriAI LiteLLM SQL injection, due 2026-05-11), and CVE-2026-39987 (Marimo notebook RCE, due 2026-05-07) are now all confirmed exploited. If your data-science teams stood these up outside central IT, this is the week to find them.
Also on the Board
- CVE-2026-31431 (Linux kernel resource transfer issue, due 2026-05-15), CVE-2026-34197 (Apache ActiveMQ improper input validation, due 2026-04-30), CVE-2025-2749 (Kentico Xperience path traversal, due 2026-05-04), CVE-2025-48700 (Zimbra Collaboration XSS, due 2026-04-23), and CVE-2025-32975 (Quest KACE SMA auth bypass, due 2026-05-04) fill out the catalog. KACE in particular is a privileged management appliance — patch with the same urgency you'd give a domain controller.
Analyst Take
The dominant signal today is the volume of *overdue* KEV items — roughly half the additions since mid-April have already blown their federal deadlines, and several (cPanel, SimpleHelp, PaperCut, ScreenConnect, TeamCity, Exchange) are explicitly ransomware-coupled. If your patch SLAs key off CISA dates, this week's standup should be triage, not status. The Drupal SQLi (CVE-2026-9082) is the only brand-new item with a deadline still in front of us — don't let it slip.
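To make the "triage, not status" point concrete, here is an added Python example (not part of this briefing): it buckets KEV-style records by whether the federal due date has passed and whether CISA's ransomware flag is set, as of the 2026-05-24 report date. The field names `cveID`, `product`, `dueDate` and `knownRansomwareCampaignUse` are assumed to match the CISA KEV JSON feed; the sample records are constructed from items named above, not a live pull.

```python
"""KEV triage: order catalog entries by overdue status and ransomware flag."""
from dataclasses import dataclass
from datetime import date

REPORT_DATE = date(2026, 5, 24)  # publication date of this briefing

# Constructed sample shaped like CISA KEV JSON entries (field names assumed to match the feed).
SAMPLE_KEV = [
    {"cveID": "CVE-2026-9082",  "product": "Drupal Core",     "dueDate": "2026-05-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-42897", "product": "Exchange Server", "dueDate": "2026-05-29", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-41940", "product": "cPanel & WHM",    "dueDate": "2026-05-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-57728", "product": "SimpleHelp",      "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-27351", "product": "PaperCut NG/MF",  "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-20182", "product": "SD-WAN Controller", "dueDate": "2026-05-17", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-41091", "product": "Defender",        "dueDate": "2026-06-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-34291", "product": "Langflow",        "dueDate": "2026-06-04", "knownRansomwareCampaignUse": "Unknown"},
]

@dataclass(frozen=True)
class Triaged:
    cve_id: str
    product: str
    due: date
    ransomware: bool
    days_left: int  # negative once the federal due date has passed
    bucket: str     # P0..P3 label; sorts lexically in priority order

def triage(records, today, horizon_days=7):
    """Return records ordered: ransomware-flagged overdue, other overdue,
    due within the horizon, then everything else; earliest due date first within a bucket."""
    out = []
    for r in records:
        due = date.fromisoformat(r["dueDate"])
        ransomware = r.get("knownRansomwareCampaignUse", "").lower() == "known"
        days_left = (due - today).days
        if days_left < 0 and ransomware:
            bucket = "P0 overdue+ransomware"
        elif days_left < 0:
            bucket = "P1 overdue"
        elif days_left <= horizon_days:
            bucket = f"P2 due<={horizon_days}d"
        else:
            bucket = f"P3 due>{horizon_days}d"
        out.append(Triaged(r["cveID"], r["product"], due, ransomware, days_left, bucket))
    return sorted(out, key=lambda t: (t.bucket, t.due))

def overdue_share(triaged):
    """Fraction of entries already past their federal due date (the 'roughly half' figure)."""
    return sum(t.days_left < 0 for t in triaged) / len(triaged) if triaged else 0.0

if __name__ == "__main__":
    for t in triage(SAMPLE_KEV, REPORT_DATE):
        print(f"{t.bucket:24} {t.cve_id:15} {t.product:18} due {t.due} ({t.days_left:+d}d)")
```

Run against a real KEV pull, the P0 bucket is the list to hunt for persistence on, not merely to patch.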
