
Cyber Threats Daily — 2026-05-19

TITLE: KEV surge: Exchange XSS, Cisco SD-WAN auth bypass, and ransomware-tagged cPanel/SimpleHelp flaws dominate the queue

---

Top of the queue: fresh KEV additions with imminent deadlines

CISA's KEV catalog has absorbed a heavy batch over recent weeks. The freshest entries are the ones that should drive this morning's patch standups:

  • CVE-2026-42897 — A cross-site scripting flaw in Microsoft Exchange Server was added 2026-05-15 with a federal remediation deadline of 2026-05-29; pair with mailbox-server hardening since XSS in OWA contexts has historically chained into session theft and mailbox rule abuse.
  • CVE-2026-20182 — An authentication bypass in Cisco Catalyst SD-WAN Controller hit KEV on 2026-05-14 with a remediation deadline of 2026-05-17 (already past). If you operate SD-WAN fabrics and haven't patched, treat this as an incident-response trigger, not a maintenance window.
  • CVE-2026-42208 — A SQL injection in BerriAI's LiteLLM proxy is the first AI-gateway entry in this batch; given LiteLLM frequently fronts internal model APIs with privileged keys, exploitation risks credential and prompt-log exposure. Deadline 2026-05-11.
  • CVE-2026-6973 and CVE-2026-1340 — Two separate Ivanti EPMM bugs (improper input validation and code injection) are now both KEV-listed. EPMM has been an exploitation magnet all year; if you still run it internet-facing, audit for webshells regardless of patch status.
  • CVE-2026-0300 — A Palo Alto PAN-OS out-of-bounds write was added 2026-05-06 (deadline 2026-05-09). Confirm management plane isolation in addition to patching.
  • CVE-2026-31431 — A Linux kernel "incorrect resource transfer between spheres" issue is in active exploitation; container-escape and namespace-bypass implications make this priority for multi-tenant hosts.

Ransomware-tagged entries (treat as P0)

CISA flagged five additions as observed in ransomware operations:

  • CVE-2026-41940 in WebPros cPanel & WHM / WP2 — missing authentication on a critical function, deadline 2026-05-03. Mass-hosting environments are the obvious target set.
  • CVE-2024-1708 in ConnectWise ScreenConnect — path traversal, deadline 2026-05-12. Yes, still being exploited two years on; MSP supply-chain risk persists.
  • CVE-2024-57728 and CVE-2024-57726 in SimpleHelp — path traversal and missing authorization, both deadline 2026-05-08. SimpleHelp has become a recurring ransomware initial-access vector; if you can't immediately patch, take instances off the public internet.
  • CVE-2023-27351 in PaperCut NG/MF — improper auth, deadline 2026-05-04. Print servers remain a soft underbelly with domain-credential access.
  • CVE-2023-21529 in Microsoft Exchange Server (deserialization, authenticated RCE) and CVE-2024-27199 in JetBrains TeamCity (path traversal that bypasses authentication) round out the ransomware list: one is a post-auth-to-RCE pivot into mail infrastructure, the other an unauthenticated foothold into build pipelines.

Network edge and remote access — the recurring theme

The Cisco SD-WAN Manager cluster is notable: CVE-2026-20122 (privileged-API misuse), CVE-2026-20133 (sensitive info exposure), and CVE-2026-20128 (recoverable password storage) were all added together on 2026-04-20 with a tight 2026-04-23 deadline. Combined with the Controller auth bypass above, a complete trust review of any Cisco SD-WAN deployment is warranted: treat the four as one exposure, since information disclosure and recoverable credentials on the Manager are exactly the building blocks an attacker wants alongside an auth bypass on the Controller.

Other edge/remote-access entries to verify against your inventory:

  • CVE-2026-3055 (Citrix NetScaler OOB read), CVE-2025-53521 (F5 BIG-IP stack overflow), and CVE-2026-21643 / CVE-2026-35616 (Fortinet FortiClient EMS SQLi and access control) — the standard ADC/VPN exploitation surface, all now KEV-listed within the last six weeks.
  • CVE-2025-29635 (D-Link DIR-823X command injection) and CVE-2024-7399 (Samsung MagicINFO 9 path traversal) — SOHO and digital-signage gear that botnet operators continue to weaponize; deadlines 2026-05-08.

Microsoft, Adobe, and the long-tail revivals

CISA added several old Microsoft and Adobe bugs, alongside two newer Windows issues, back into operational focus, which usually signals fresh telemetry from incident response:

  • CVE-2009-0238 (Office RCE), CVE-2012-1854 (VBA insecure library loading), CVE-2020-9715 (Acrobat UAF), CVE-2023-36424 (Windows OOB read), and CVE-2025-60710 (Windows link following) all landed in mid-April with deadlines clustered around 2026-04-27/28. A KEV listing means exploitation has been observed, so unpatched legacy endpoints are being hit: re-run your XP/7/legacy-Office exposure sweep.
  • CVE-2026-32201 (SharePoint improper input validation), CVE-2026-32202 (Windows protection-mechanism failure), and CVE-2026-33825 (Microsoft Defender access-control granularity) are the current-version Microsoft entries. The Defender issue in particular deserves attention: a bug in the EDR itself degrades your detection posture, not just the host it runs on, so verify sensor health and tamper-protection state after patching.
  • CVE-2026-34621 — Adobe Acrobat/Reader prototype-pollution exploitation indicates that PDF-as-initial-access tradecraft remains very much alive.

Software supply chain and developer tooling

Three items together suggest attackers continue to target the build path:

  • CVE-2026-33634 — Aquasecurity Trivy shipped with embedded malicious code; if you pulled affected versions into CI, treat scanner hosts as compromised, not just vulnerable, and rotate every secret those CI jobs could read. Deadline 2026-04-09.
  • CVE-2026-39987 — Marimo (Python notebook framework) RCE, KEV-added 2026-04-23. Notebook servers exposed to internal networks are common pivot points.
  • CVE-2026-3502 — TrueConf Client downloads code without integrity checks, enabling supply-chain substitution against conferencing endpoints.

Also on the radar (single-line context)

  • CVE-2025-2749 (Kentico Xperience path traversal), CVE-2025-48700 (Zimbra ZCS XSS), CVE-2025-32975 (Quest KACE SMA improper auth), and CVE-2026-34197 (Apache ActiveMQ input validation) round out the CMS/collab/middleware additions — all standard internet-facing app-server hygiene targets with deadlines now passed or imminent.
  • CVE-2026-5281 — Google Dawn (WebGPU) use-after-free; browser-delivered exploitation chain, patch through Chrome channel updates.

SOC action items for today

1. Pull a delta of KEV entries added since 2026-03-26 against your CMDB; anything past deadline goes to incident triage, not patch backlog.

2. Prioritize the five ransomware-tagged CVEs and the Cisco SD-WAN cluster above all else.

3. For Ivanti EPMM, SimpleHelp, and ConnectWise ScreenConnect estates: assume breach-until-proven-otherwise and hunt before you patch.
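The KEV-delta-against-CMDB step above is easy to describe and easy to get wrong in a spreadsheet. The script below is an added example, not CISA tooling and not part of this digest's source data: it uses the record shape of the public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) but the KEV entries and the CMDB extract are constructed inline from the products and deadlines this page lists (the dateAdded values for the ransomware-tagged entries are placeholders, as the page gives only their deadlines). It buckets each in-scope entry into incident triage, P0 patching, or routine patching, the way action items 1 and 2 ask for.

```python
"""Triage a CISA KEV delta against a CMDB-style asset inventory (added example)."""
from datetime import date, timedelta

TODAY = date(2026, 5, 19)          # date of this digest
DELTA_SINCE = date(2026, 3, 26)    # window from action item 1

# Constructed subset of KEV records; dateAdded values are placeholders where
# the digest gives only the deadline. Field names follow the real KEV feed.
KEV_SAMPLE = [
    {"cveID": "CVE-2026-42897", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2026-05-15", "dueDate": "2026-05-29", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20182", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Controller",
     "dateAdded": "2026-05-14", "dueDate": "2026-05-17", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dateAdded": "2026-04-17", "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-1708", "vendorProject": "ConnectWise", "product": "ScreenConnect",
     "dateAdded": "2026-04-21", "dueDate": "2026-05-12", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "NG/MF",
     "dateAdded": "2026-04-13", "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
    # Old addition outside the delta window; must be ignored by kev_delta().
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},
]

# Constructed CMDB extract; vendor/product strings are normalised to KEV's spelling.
INVENTORY = [
    {"asset": "mail01", "vendorProject": "Microsoft", "product": "Exchange Server", "internet_facing": True},
    {"asset": "sdwan-ctl-1", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Controller", "internet_facing": False},
    {"asset": "rmm-02", "vendorProject": "SimpleHelp", "product": "SimpleHelp", "internet_facing": True},
    {"asset": "print01", "vendorProject": "PaperCut", "product": "NG/MF", "internet_facing": False},
]


def kev_delta(entries, since):
    """Return KEV entries added on or after `since` (the delta the action item asks for)."""
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) >= since]


def match_inventory(entry, inventory):
    """Exact vendor/product join. A real CMDB needs fuzzy matching; kept exact here."""
    return [a for a in inventory
            if a["vendorProject"] == entry["vendorProject"] and a["product"] == entry["product"]]


def triage(entries, inventory, today=TODAY, since=DELTA_SINCE, soon=timedelta(days=7)):
    """Bucket each in-window KEV entry:
    incident     - matching asset and CISA due date already passed (hunt, don't just patch)
    p0_patch     - matching asset, ransomware-tagged or due within `soon`
    patch        - matching asset, due later
    not_in_scope - no matching asset in the inventory
    """
    out = {"incident": [], "p0_patch": [], "patch": [], "not_in_scope": []}
    for e in kev_delta(entries, since):
        assets = match_inventory(e, inventory)
        due = date.fromisoformat(e["dueDate"])
        rec = {
            "cve": e["cveID"],
            "assets": [a["asset"] for a in assets],
            "due": e["dueDate"],
            "ransomware": e["knownRansomwareCampaignUse"] == "Known",
            "exposed": any(a["internet_facing"] for a in assets),
        }
        if not assets:
            out["not_in_scope"].append(rec)
        elif due < today:
            out["incident"].append(rec)
        elif rec["ransomware"] or due - today <= soon:
            out["p0_patch"].append(rec)
        else:
            out["patch"].append(rec)
    # Earliest deadline first; internet-facing assets ahead of internal ones on ties.
    for bucket in out.values():
        bucket.sort(key=lambda r: (r["due"], not r["exposed"]))
    return out


if __name__ == "__main__":
    for bucket, recs in triage(KEV_SAMPLE, INVENTORY).items():
        for r in recs:
            flag = " [RANSOMWARE]" if r["ransomware"] else ""
            print(f"{bucket:13} {r['cve']} due {r['due']} assets={r['assets']}{flag}")
```

With this data the three past-due entries (PaperCut, SimpleHelp, Cisco SD-WAN Controller) land in `incident`, the Exchange XSS lands in routine `patch` because its 2026-05-29 deadline is more than a week out, ScreenConnect is `not_in_scope` because no asset matches, and Log4j is filtered out by the date window. Swap `KEV_SAMPLE` for the `vulnerabilities` array of the live feed and `INVENTORY` for a CMDB export, and the only part that needs real engineering is `match_inventory`.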