Cyber Threats Daily — 2026-05-27

TITLE: KEV Surge: LiteSpeed, Drupal, Trend Micro Apex One Hit Deadlines This Week; Ransomware Crews Riding cPanel and SimpleHelp Bugs

---

Top of the Stack: Deadlines Inside 72 Hours

Two KEV entries hit their CISA remediation deadlines within this reporting window — patch or compensating-control these first.

  • CVE-2026-9082 (Drupal Core SQL injection) carries a remediation deadline of today, 2026-05-27. Federal civilian agencies and any org following BOD 22-01 should already be on mitigation; SOCs should hunt for anomalous DB queries and webshell drops on Drupal-fronted assets.
  • CVE-2026-48172 (LiteSpeed cPanel Plugin privilege escalation) and CVE-2026-42897 (Microsoft Exchange Server XSS) both fall due 2026-05-29. Shared-hosting providers running LiteSpeed and any on-prem Exchange tenants need eyes on this before the long weekend.

Active Ransomware Exploitation — Prioritize Above Defender Bugs

CISA flagged five KEV entries with confirmed ransomware use; treat as P1 regardless of CVSS:

  • CVE-2026-41940 in WebPros cPanel & WHM / WP2 (WordPress Squared) is a missing-authentication-for-critical-function flaw with known ransomware tradecraft; remediation was due 2026-05-03 — late patchers are now well past grace.
  • CVE-2024-57728 and CVE-2024-57726 (SimpleHelp path traversal and missing authorization) continue to be chained by ransomware affiliates against MSP-deployed remote support servers; deadline was 2026-05-08. If SimpleHelp is in your estate or a vendor's, audit for unauthorized technician accounts and outbound C2.
  • CVE-2024-1708 (ConnectWise ScreenConnect path traversal) and CVE-2024-27199 (JetBrains TeamCity relative path traversal) round out the ransomware-linked RMM/CI exposure — both with May deadlines already passed.
  • CVE-2023-27351 (PaperCut NG/MF improper authentication) and CVE-2023-21529 (Exchange Server deserialization) are older but freshly re-listed with ransomware association; deadlines 2026-05-04 and 2026-04-27 respectively.

Network Edge and Management Planes

Cisco's Catalyst SD-WAN stack dominates this batch, suggesting clustered exploitation research or an active campaign:

  • CVE-2026-20182 (SD-WAN Controller authentication bypass) had the tightest window — remediation due 2026-05-17. Pair with CVE-2026-20122 (privileged API misuse), CVE-2026-20128 (passwords stored recoverably), and CVE-2026-20133 (sensitive info exposure), all SD-WAN Manager flaws with deadlines that have lapsed; assume credential compromise on any unpatched Manager and rotate.
  • CVE-2026-0300 in Palo Alto Networks PAN-OS is an out-of-bounds write with deadline 2026-05-09 — perimeter exposure, treat any unpatched device as suspect.
  • CVE-2026-6973 (Ivanti EPMM improper input validation, due 2026-05-10) extends the long-running Ivanti exploitation pattern; check MDM enrollment logs.
  • CVE-2025-29635 (D-Link DIR-823X command injection) and CVE-2024-7399 (Samsung MagicINFO 9 path traversal) — both due 2026-05-08 — round out SOHO and digital-signage attack surface that frequently ends up in botnets.

Endpoint and Server: Microsoft-Heavy Week

Microsoft accounts for the largest single-vendor share of this KEV batch:

  • CVE-2026-41091 and CVE-2026-45498 target Microsoft Defender (link following and DoS), with CVE-2026-33825 adding an access-control granularity flaw — deadlines of 2026-06-03 and 2026-05-06 across the three. Adversaries blinding the EDR before staging is the expected play.
  • CVE-2026-32201 (SharePoint Server input validation) and CVE-2026-32202 (Windows protection mechanism failure) extend the on-prem Microsoft burn-down; deadlines 2026-04-28 and 2026-05-12 have passed.
  • CVE-2025-60710 (Windows link following) due 2026-04-27 — common LPE primitive, expect inclusion in commodity loaders soon.
  • A surprise cluster of legacy CVEs from 2008–2012 (CVE-2008-4250, CVE-2009-1537, CVE-2009-3459, CVE-2010-0249, CVE-2010-0806, CVE-2009-0238, CVE-2012-1854) was re-added with 2026-04-27 / 2026-06-03 deadlines. CISA only re-lists when exploitation re-emerges — likely tied to unpatched ICS/OT or air-gapped Windows XP/7 estates being rediscovered by threat actors.

Application and Data Layer

  • CVE-2026-34926 (Trend Micro Apex One on-prem directory traversal) is due 2026-06-04 — EDR management consoles are a recurring breach pivot, treat as urgent.
  • CVE-2025-34291 (Langflow origin validation), CVE-2026-42208 (BerriAI LiteLLM SQL injection) and CVE-2026-39987 (Marimo RCE) mark a continuing trend of AI/ML tooling landing on KEV — these often run with broad data-source credentials and minimal segmentation.
  • CVE-2026-31431 (Linux kernel resource-transfer flaw, due 2026-05-15) is the lone kernel entry; container escape and multi-tenant risk apply.
  • CVE-2026-34197 (Apache ActiveMQ input validation, due 2026-04-30), CVE-2025-2749 (Kentico Xperience path traversal), CVE-2025-32975 (Quest KACE auth bypass), and CVE-2025-48700 (Zimbra ZCS XSS) close out the application-tier exposure — all with April/May deadlines now passed.

Analyst Take

This batch is unusually large (40+ entries) and skews toward management-plane and security-tooling compromise — Defender, Apex One, EPMM, KACE, SD-WAN Manager, ScreenConnect, SimpleHelp. The pattern is consistent with adversaries (both ransomware affiliates and state-aligned crews) prioritizing the consoles that defenders trust. If your patch SLA can't keep up, rank by: (1) known ransomware use, (2) internet-exposed management interfaces, (3) deadlines already lapsed. The re-listed 2008–2012 Microsoft entries are the wild card — worth a quick sweep of any forgotten legacy Windows hosts before someone else finds them.
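The three-step ranking above, applied to a handful of this digest's entries, as an added example that is not part of the newsletter. It uses the real CISA KEV JSON field names (`cveID`, `product`, `dueDate`, `knownRansomwareCampaignUse`) on constructed sample records, and the "internet-exposed management interface" tier comes from a hypothetical inventory set that a reader would replace with their own asset data.

```python
from datetime import date

# Constructed sample records in the shape of CISA's KEV JSON feed;
# CVE IDs, due dates and ransomware flags are the ones quoted above.
KEV_SAMPLE = [
    {"cveID": "CVE-2026-9082", "product": "Drupal Core",
     "dueDate": "2026-05-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-41940", "product": "cPanel & WHM",
     "dueDate": "2026-05-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-57728", "product": "SimpleHelp",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-20182", "product": "Catalyst SD-WAN Controller",
     "dueDate": "2026-05-17", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-34926", "product": "Trend Micro Apex One",
     "dueDate": "2026-06-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-41091", "product": "Microsoft Defender",
     "dueDate": "2026-06-03", "knownRansomwareCampaignUse": "Unknown"},
]

# Hypothetical asset-inventory view (an assumption for this example):
# products whose management interface is reachable from the internet.
INTERNET_EXPOSED_MGMT = {"Catalyst SD-WAN Controller", "SimpleHelp", "cPanel & WHM"}


def _as_date(today):
    return date.fromisoformat(today) if isinstance(today, str) else today


def triage_key(entry, today):
    """Sort key for the digest's order: (1) known ransomware use,
    (2) internet-exposed management interface, (3) deadline lapsed.
    Booleans are negated because sort is ascending and True must come first;
    the due date is a final tie-break so near-due items surface within a tier."""
    today = _as_date(today)
    ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
    exposed = entry.get("product") in INTERNET_EXPOSED_MGMT
    due = date.fromisoformat(entry["dueDate"])
    return (not ransomware, not exposed, not (due < today), due)


def triage(entries, today):
    """CVE IDs in patch-priority order for the given date (date or ISO string)."""
    return [e["cveID"] for e in sorted(entries, key=lambda e: triage_key(e, today))]


def lapsed(entries, today):
    """CVE IDs whose CISA remediation deadline has already passed."""
    t = _as_date(today)
    return [e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) < t]


if __name__ == "__main__":
    for cve in triage(KEV_SAMPLE, "2026-05-27"):
        print(cve)
```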