Cyber Threats Daily, 2026-05-23

KEV Surge: Drupal SQLi, Trend Micro Apex One Traversal, and a Wave of Ransomware-Linked Bugs

Top of the Stack: Fresh KEV Additions This Week

CISA's KEV catalog absorbed a heavy batch of confirmed in-the-wild exploitation entries between 2026-05-15 and 2026-05-22. Prioritize the items below — federal remediation deadlines are already tight, and several carry ransomware association tags.

  • CVE-2026-9082 — Drupal Core SQL injection added 2026-05-22 with an aggressive five-day remediation window (due 2026-05-27). Patch now, or pull CMS instances off the perimeter until you can: Drupal core SQLi has a track record of pre-auth, mass exploitation within hours of disclosure (the 2014 "Drupalgeddon" bug, CVE-2014-3704, is the reference case), so assume a working exploit is already circulating.
  • CVE-2026-34926 — Trend Micro Apex One (On-Premise) directory traversal, added 2026-05-21, due 2026-06-04; on-prem EDR consoles are high-value pivot points, so treat this as priority-one for managed security customers still running self-hosted Apex One.
  • CVE-2025-34291 — Langflow origin validation flaw added 2026-05-21 (due 2026-06-04); continued exploitation of the Langflow/LiteLLM AI-tooling stack reinforces that LLM orchestration platforms are now a routine attacker target.
  • CVE-2026-42897 — Microsoft Exchange Server XSS added 2026-05-15 with a sharp 2026-05-29 deadline; chain potential with prior Exchange deserialization bugs makes this worth emergency change-window treatment.
  • CVE-2026-20182 — Cisco Catalyst SD-WAN Controller authentication bypass added 2026-05-14, deadline 2026-05-17 already lapsed; if you haven't patched your SD-WAN control plane, assume compromise and hunt.

Ransomware-Tagged Entries — Hunt Now

CISA explicitly flagged the following as having known ransomware use. These should be top of your detection-engineering and patch backlogs regardless of agency status.

  • CVE-2026-41940 in WebPros cPanel & WHM / WP2 — missing authentication on a critical function, ransomware-associated, deadline 2026-05-03 already past. Hosting providers and shared-tenant environments are the obvious blast radius.
  • CVE-2024-1708 ConnectWise ScreenConnect path traversal and the CVE-2024-57728 / CVE-2024-57726 SimpleHelp pair — all three affect RMM/remote-support tools with active ransomware tradecraft tied to them; deadlines have lapsed (2026-05-08 to 2026-05-12), and these tools remain the preferred initial-access lane for affiliate crews because a compromised RMM server hands the attacker a signed, allow-listed remote shell on every managed endpoint.
  • CVE-2024-27199 JetBrains TeamCity path traversal and CVE-2023-27351 PaperCut NG/MF auth bypass — both legacy ransomware favorites re-emphasized with 2026-05-04 deadlines; if exposed, run IOC sweeps for prior compromise rather than just patching.
  • CVE-2023-21529 Microsoft Exchange Server deserialization — ransomware-tagged, deadline 2026-04-27 already past; another reminder that long-tail Exchange exposure remains exploited operationally.
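Both lists above are the output of the same triage: take the catalog, keep what was added in the reporting window, then rank by due date, flag what is already overdue, and split out anything CISA tagged with known ransomware use. The script below does that against a constructed sample feed. It is an added example, not code from CISA or from this newsletter; the sample mirrors the real catalog's JSON field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) and the CVE IDs, products and due dates quoted on this page, but the dateAdded values for the three ransomware-tagged entries are placeholders, since the page only gives their deadlines.

```python
"""Triage a CISA KEV catalog snapshot by date added, due date and ransomware tag."""
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Location of the live catalog; the constructed sample below is used instead so this runs offline.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the real catalog JSON. IDs, products and due dates
# follow the newsletter; dateAdded for the three "Known" ransomware entries is a placeholder.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "sample",
    "dateReleased": "2026-05-22T00:00:00.0000Z",
    "count": 7,
    "vulnerabilities": [
        {"cveID": "CVE-2026-9082", "vendorProject": "Drupal", "product": "Drupal Core",
         "dateAdded": "2026-05-22", "dueDate": "2026-05-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-34926", "vendorProject": "Trend Micro", "product": "Apex One",
         "dateAdded": "2026-05-21", "dueDate": "2026-06-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-42897", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2026-05-15", "dueDate": "2026-05-29", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-20182", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Controller",
         "dateAdded": "2026-05-14", "dueDate": "2026-05-17", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-41940", "vendorProject": "WebPros", "product": "cPanel & WHM",
         "dateAdded": "2026-04-12", "dueDate": "2026-05-03", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "NG/MF",
         "dateAdded": "2026-04-13", "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-1708", "vendorProject": "ConnectWise", "product": "ScreenConnect",
         "dateAdded": "2026-04-17", "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known"},
    ],
})


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    date_added: date
    due_date: date
    ransomware: bool  # True only when knownRansomwareCampaignUse is exactly "Known"


def _as_date(value) -> date:
    """Accept either an ISO-8601 string or a date object."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def parse_kev(feed_text: str) -> list[KevEntry]:
    """Parse catalog JSON into typed entries; a missing ransomware field is treated as Unknown."""
    entries = []
    for v in json.loads(feed_text)["vulnerabilities"]:
        entries.append(KevEntry(
            cve_id=v["cveID"],
            vendor=v["vendorProject"],
            product=v["product"],
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
            ransomware=v.get("knownRansomwareCampaignUse") == "Known",
        ))
    return entries


def added_between(entries, start, end) -> list[KevEntry]:
    """Entries added in the inclusive window [start, end], earliest due date first."""
    start, end = _as_date(start), _as_date(end)
    return sorted((e for e in entries if start <= e.date_added <= end),
                  key=lambda e: e.due_date)


def triage(entries, today, soon_days: int = 7) -> dict[str, list[str]]:
    """Bucket CVE IDs by the three signals the newsletter keys on.

    hunt     - knownRansomwareCampaignUse == "Known": sweep for prior compromise, not just patch
    overdue  - the federal due date has already passed
    due_soon - due within soon_days of today (default one week)
    An entry can be both ransomware-tagged and overdue; every list is in due-date order.
    """
    today = _as_date(today)
    horizon = today + timedelta(days=soon_days)
    buckets = {"hunt": [], "overdue": [], "due_soon": []}
    for e in sorted(entries, key=lambda e: e.due_date):
        if e.ransomware:
            buckets["hunt"].append(e.cve_id)
        if e.due_date < today:
            buckets["overdue"].append(e.cve_id)
        elif e.due_date <= horizon:
            buckets["due_soon"].append(e.cve_id)
    return buckets


if __name__ == "__main__":
    entries = parse_kev(SAMPLE_FEED)
    print("Added 2026-05-15..2026-05-22, earliest due date first:")
    for e in added_between(entries, "2026-05-15", "2026-05-22"):
        print(f"  {e.cve_id:<16} {e.vendor} {e.product:<28} due {e.due_date}")
    for bucket, ids in triage(entries, "2026-05-23").items():
        print(f"{bucket:>9}: {', '.join(ids) or '-'}")
```

To run this against the real catalog, fetch KEV_FEED_URL and hand the response body to parse_kev; nothing else changes. Note that "Known" is the only value that should put an entry in the hunt bucket: the field reads "Unknown" for most entries, and treating that as "not ransomware" would be the wrong inference, which is why the bucket is named for the action (hunt) rather than the absence of a tag.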

Network Edge and Identity Infrastructure

The Cisco Catalyst SD-WAN Manager cluster of bugs is notable for breadth — CVE-2026-20122 (privileged API misuse), CVE-2026-20133 (sensitive info exposure), and CVE-2026-20128 (recoverable-format password storage) all landed 2026-04-20 with a 2026-04-23 deadline, meaning federal civilian networks should have remediated a month ago. Combined with the newer CVE-2026-20182 controller auth bypass, treat any unpatched SD-WAN Manager as suspect.

Other edge/identity entries worth noting:

  • CVE-2026-0300 — Palo Alto Networks PAN-OS out-of-bounds write (deadline 2026-05-09 lapsed); firewall plane RCE-class issues warrant compromise assessment.
  • CVE-2026-6973 — Ivanti EPMM improper input validation (deadline 2026-05-10 lapsed); Ivanti MDM remains a recurring n-day target.
  • CVE-2025-32975 — Quest KACE SMA improper authentication and CVE-2025-2749 Kentico Xperience path traversal, both due 2026-05-04, round out the identity/management-plane exposure list.

Microsoft Defender and Windows Cluster

A surprising trio of Microsoft Defender issues hit KEV on 2026-05-20 (CVE-2026-41091 link-following, CVE-2026-45498 DoS) and 2026-04-22 (CVE-2026-33825 access-control granularity), all due by 2026-06-03 or earlier. A KEV listing confirms exploitation, not motive, but the most plausible reading is that attackers are targeting the Defender stack itself to disable or blind detection before follow-on actions. Pair this with CVE-2026-32202 (Windows protection-mechanism failure, deadline 2026-05-12) and CVE-2025-60710 (Windows link-following) for a coherent picture of attackers chaining security-bypass primitives.

Application Stack: AI, CMS, and Messaging

  • CVE-2026-42208 in BerriAI LiteLLM (SQLi) and CVE-2026-39987 Marimo RCE round out the AI-tooling KEV cluster — both already past deadline. If your data-science teams self-host these, this is your nudge to inventory.
  • CVE-2026-34197 Apache ActiveMQ improper input validation (deadline 2026-04-30) and CVE-2026-32201 SharePoint Server input validation (deadline 2026-04-28) cover the messaging/collab plane.
  • CVE-2025-48700 Zimbra XSS and CVE-2024-7399 Samsung MagicINFO 9 path traversal continue the trend of attackers harvesting low-friction app-layer bugs in widely deployed appliances.

Legacy Re-Adds Worth Noting

CISA also pulled several archaeologically old CVEs back into KEV on 2026-05-20 and 2026-04-13/14 — CVE-2008-4250 (the MS08-067 Server service RPC buffer overflow exploited by Conficker), CVE-2009-1537 (DirectX), CVE-2009-3459 (Adobe Reader), CVE-2010-0249 / CVE-2010-0806 (IE use-after-free), CVE-2012-1854 (VBA insecure library load), and CVE-2009-0238 (Office RCE). The re-listing pattern strongly implies these are showing up in current intrusion telemetry against unmanaged or air-gapped-but-not-really legacy systems. If you operate OT, kiosk, or healthcare fleets, scan for these specifically; an authenticated vulnerability scan or a patch-inventory query for the corresponding Microsoft and Adobe updates will find them where agent-based EDR coverage does not reach.

Also on the Radar

  • CVE-2026-31431 — Linux kernel "incorrect resource transfer between spheres" (deadline 2026-05-15 lapsed); kernel KEV entries are rare, so prioritize fleet kernel inventory.
  • CVE-2025-29635 D-Link DIR-823X command injection — SOHO router bug that typically feeds botnet recruitment campaigns.

Action summary for the SOC today: patch Drupal (CVE-2026-9082) and Exchange (CVE-2026-42897) before their end-of-month deadlines, hunt for ScreenConnect/SimpleHelp/TeamCity/PaperCut post-exploitation IOCs given ransomware tagging, and audit SD-WAN Manager and PAN-OS exposure where deadlines have already passed.