Cyber Threats Daily — 2026-06-01 (June 1, 2026)

TITLE: KEV surge: PAN-OS auth bypass due today, supply-chain malware in Nx & Daemon Tools, 2009-era Office/IE bugs back on the board

---

Top of the watch: actively exploited, deadline today

  • CVE-2026-0257 — a Palo Alto Networks PAN-OS authentication bypass — has a CISA remediation deadline of today, 2026-06-01. Federal agencies must patch or pull affected firewalls offline; private SOCs running PAN-OS should treat this as priority-zero given the perimeter blast radius.
  • Separately, CVE-2026-0300 (PAN-OS out-of-bounds write, KEV-listed 2026-05-06) is a recent reminder that PAN-OS edge devices are under sustained exploitation; if you missed the 2026-05-09 deadline, audit for compromise, don't just patch.

Supply-chain malware embedded in dev tooling

Three KEV entries flag malicious code shipped inside trusted packages — a pattern operators should hunt retroactively, not just block going forward.

  • CVE-2026-48027 — embedded malicious code in Nx Console, with confirmed ransomware use and a remediation due 2026-06-10. Developer workstations and CI runners that pulled poisoned versions need credential rotation and endpoint review, not just an upgrade.
  • CVE-2026-8398 — embedded malicious code in Daemon Tools Lite (due 2026-05-30, now overdue). Treat any host with this installer as suspect.
  • CVE-2026-45321 — an unspecified TanStack vulnerability also tied to ransomware activity (due 2026-06-10); minimal public detail, so monitor vendor advisories and pin known-good versions.

Edge, identity, and management-plane exploitation

  • CVE-2026-20182 (Cisco Catalyst SD-WAN Controller auth bypass) was added 2026-05-14 with a 2026-05-17 deadline — agencies had three days, underscoring CISA's view that exploitation is widespread. Companion Catalyst SD-WAN Manager issues CVE-2026-20122, CVE-2026-20133, and CVE-2026-20128 (privileged-API misuse, info disclosure, recoverable password storage) were all KEV-listed 2026-04-20 with 2026-04-23 deadlines — chain potential is high.
  • CVE-2026-6973 — Ivanti EPMM improper input validation (due 2026-05-10) — continues the Ivanti edge-appliance pattern; assume MDM is a primary target.
  • CVE-2026-42897, a stored XSS in Microsoft Exchange Server (due 2026-05-29), is being exploited against on-prem Exchange admins; mitigate alongside ongoing OWA hardening.
  • CVE-2024-1708 (ConnectWise ScreenConnect path traversal) and CVE-2024-57728 / CVE-2024-57726 (SimpleHelp path traversal + missing authorization) are all flagged for known ransomware use — remote-support tooling remains the soft underbelly for MSP-to-client lateral movement.

Microsoft Defender turned against the host

An unusual cluster of Defender-targeting CVEs landed in May:

  • CVE-2026-41091 (link following), CVE-2026-45498 (DoS), and CVE-2026-33825 (insufficient access-control granularity) all hit KEV with deadlines between 2026-05-06 and 2026-06-03. Attackers are weaponizing the EDR itself — verify Defender platform versions, not just signature feeds, and watch for tamper-protection bypass telemetry.
  • CVE-2026-32202 — a Windows protection-mechanism failure (due 2026-05-12) — pairs naturally with the Defender bugs for end-to-end evasion.

Web stack, AI tooling, and hosting panels

  • CVE-2025-34291 (Langflow origin validation) and CVE-2026-42208 (BerriAI LiteLLM SQL injection) confirm that AI-orchestration frameworks are now in the active-exploitation tier. LiteLLM's deadline (2026-05-11) has passed; audit any LLM gateways exposed to the internet.
  • CVE-2026-39987 — RCE in the Marimo notebook platform (due 2026-05-07) — extends the pattern to data-science tooling.
  • CVE-2026-48172 (LiteSpeed cPanel plugin privilege escalation), CVE-2026-41940 (WebPros cPanel & WHM / WP2 missing auth, ransomware-linked), and CVE-2025-2749 (Kentico Xperience path traversal) round out a bad month for shared-hosting and CMS operators.
  • CVE-2026-9082 — SQL injection in Drupal Core (due 2026-05-27, now overdue) — should be triaged immediately on any unpatched site.
  • CVE-2026-34926 (Trend Micro Apex One on-prem directory traversal, due 2026-06-04) is exploitable against the security console itself; segment management interfaces.

Infrastructure and embedded targets

  • CVE-2026-31431 — a Linux kernel "incorrect resource transfer between spheres" issue — was KEV-listed 2026-05-01 (due 2026-05-15). Kernel KEV entries are rare; prioritize patching multi-tenant and container hosts.
  • CVE-2026-34197 (Apache ActiveMQ improper input validation, due 2026-04-30) continues the ActiveMQ exploitation arc that began in 2023.
  • CVE-2025-29635 (D-Link DIR-823X command injection) and CVE-2024-7399 (Samsung MagicINFO 9 path traversal) keep SOHO and digital-signage devices on the botnet-recruitment radar.

Legacy CVEs reappearing on KEV

CISA added a striking batch of pre-2011 bugs on 2026-05-20, all with 2026-06-03 deadlines: CVE-2008-4250 (Windows buffer overflow — the original Conficker vector), CVE-2009-1537 (DirectX), CVE-2009-3459 (Adobe Reader heap overflow), CVE-2010-0249 and CVE-2010-0806 (IE use-after-free), plus CVE-2009-0238 (Office RCE, added 2026-04-14). The implication: threat actors are still finding unpatched, unmanaged Windows estates — likely OT/ICS jump hosts, kiosks, and forgotten VMs. Run discovery, not just patching.

Also overdue, worth a sweep

CVE-2023-27351 (PaperCut NG/MF, ransomware-linked), CVE-2024-27199 (JetBrains TeamCity path traversal, ransomware-linked), CVE-2025-48700 (Zimbra XSS), and CVE-2025-32975 (Quest KACE SMA improper auth) all had April–May deadlines and all have documented in-the-wild abuse. If your asset inventory shows any of these, assume "patch and hunt" rather than "patch and move on."

SOC takeaways

1. PAN-OS, Cisco SD-WAN, Ivanti EPMM, and Exchange — the edge/identity quadrant — drove this cycle; perimeter posture reviews are overdue.

2. Three separate embedded-malware KEV entries (Nx, Daemon Tools, TanStack) signal a sustained supply-chain campaign against developer endpoints.

3. Defender-targeting CVEs warrant explicit EDR-integrity monitoring, not just trust in the agent's verdicts.

4. The 2008–2010 CVE batch is a tell: somebody is finding and exploiting truly ancient hosts. Find yours before they do.
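A small triage helper that applies the brief's own prioritisation (due today, overdue means "patch and hunt", ransomware-linked ahead of the rest) to a host inventory, added here as an example and not part of the newsletter. The KEV records are constructed from the CVE IDs and dates quoted above using the field names of CISA's public KEV catalog JSON, and the host inventory is hypothetical.

```python
from datetime import date

# Constructed records shaped like CISA's public KEV catalog JSON entries (the
# field names are the catalog's own); IDs, due dates and ransomware flags are
# taken from this brief, "Unknown" where the brief says nothing.
KEV_SAMPLE = [
    {"cveID": "CVE-2026-0257", "dueDate": "2026-06-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-48027", "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-8398", "dueDate": "2026-05-30", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-9082", "dueDate": "2026-05-27", "knownRansomwareCampaignUse": "Unknown"},
]

# Hypothetical asset inventory: hostname -> CVE IDs a scanner reported on it.
INVENTORY = {
    "fw-edge-01": ["CVE-2026-0257"],
    "ci-runner-07": ["CVE-2026-48027", "CVE-2026-8398"],
    "www-01": ["CVE-2026-9082", "CVE-2026-99999"],  # second ID is a non-KEV placeholder
}

# Lower number = handle first.
TIER_ORDER = {"patch-and-hunt": 0, "priority-zero": 1, "ransomware-linked": 2, "scheduled": 3}


def tier_for(entry, today):
    """Map one KEV entry to an action tier plus days past its CISA due date."""
    days_over = (today - date.fromisoformat(entry["dueDate"])).days
    if days_over > 0:
        return "patch-and-hunt", days_over     # deadline missed: assume possible compromise
    if days_over == 0:
        return "priority-zero", days_over      # due today
    if entry["knownRansomwareCampaignUse"] == "Known":
        return "ransomware-linked", days_over  # not yet due, but ransomware crews use it
    return "scheduled", days_over


def triage(kev, inventory, today):
    """Per host, (cveID, tier, days_over) for its KEV-listed CVEs, most urgent first."""
    by_id = {e["cveID"]: e for e in kev}
    result = {}
    for host, cves in inventory.items():
        rows = []
        for cve in cves:
            entry = by_id.get(cve)
            if entry is None:
                continue  # not in KEV: normal patch cadence, outside this report
            tier, days_over = tier_for(entry, today)
            rows.append((cve, tier, days_over))
        rows.sort(key=lambda r: (TIER_ORDER[r[1]], -r[2]))  # by tier, then most overdue
        result[host] = rows
    return result
```

Run against a real inventory by loading the live KEV catalog JSON in place of KEV_SAMPLE; the tier labels are the brief's vocabulary, not CISA's.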