
Cyber Threats Daily — 2026-05-21

TITLE: KEV surge: Cisco SD-WAN, Ivanti EPMM, Palo Alto PAN-OS, and ransomware-tagged SimpleHelp/cPanel bugs dominate this cycle

---

Top of watch: actively exploited, near-term deadlines

The KEV catalog took on 40 new entries in the last six weeks, with several carrying remediation deadlines that have already lapsed or expire within days. SOCs should treat the following as patch-or-isolate priorities.

  • CVE-2026-20182 (Cisco Catalyst SD-WAN Controller authentication bypass) was added 2026-05-14 with a remediation deadline of 2026-05-17 — already past. Pair this with CVE-2026-20122, CVE-2026-20133, and CVE-2026-20128 (all Cisco Catalyst SD-WAN Manager issues, deadline 2026-04-23, also past) for a full SD-WAN management plane review; assume credential exposure if patching slipped.
  • CVE-2026-6973 in Ivanti Endpoint Manager Mobile (EPMM) — improper input validation, KEV deadline 2026-05-10 — continues Ivanti's run as a top initial-access target. Hunt for unauthenticated requests against EPMM admin endpoints and rotate any service credentials reachable from the appliance.
  • CVE-2026-0300, an out-of-bounds write in Palo Alto Networks PAN-OS (deadline 2026-05-09, past), warrants urgent firewall firmware audit; PAN-OS edge devices are repeat ransomware staging grounds.
  • CVE-2026-42208, a SQL injection in BerriAI LiteLLM (deadline 2026-05-11), is notable as one of the first AI-gateway products to land on KEV — relevant for orgs proxying LLM traffic through self-hosted LiteLLM.

Ransomware-tagged additions

CISA explicitly flagged several recent entries as having known ransomware use — these should jump the queue regardless of CVSS.

  • CVE-2026-41940 in WebPros cPanel & WHM / WP2 (missing authentication on a critical function, deadline 2026-05-03) exposes shared-hosting fleets; hosting providers and any org running cPanel-managed WordPress should assume opportunistic scanning is ongoing.
  • CVE-2024-57728 and CVE-2024-57726 in SimpleHelp (path traversal + missing authorization, deadline 2026-05-08) are being chained for remote support takeover — same playbook seen with ConnectWise last year. Audit SimpleHelp server logs for unexpected file reads and admin role grants.
  • CVE-2024-1708 in ConnectWise ScreenConnect (path traversal, deadline 2026-05-12) is back on the active-exploit list; treat any unpatched ScreenConnect instance as presumed compromised.
  • CVE-2023-27351 (PaperCut NG/MF auth bypass), CVE-2024-27199 (JetBrains TeamCity path traversal), and CVE-2023-21529 (Exchange Server deserialization) round out the ransomware-tagged backlog, all with deadlines in early May. These are legacy bugs that affiliates clearly still find profitable, so their age is no reason to deprioritize them.
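To turn the "jump the queue regardless of CVSS" rule above and the lapsed-deadline triage from the top-of-watch section into something a SOC can run, here is an added Python example (not from this bulletin or from CISA) that ranks KEV-style records: ransomware-tagged entries first, then by how far past the due date they are. The sample records are constructed from this bulletin's own CVE IDs and deadlines; the field names mirror those in CISA's public KEV JSON feed, and the bulletin date is assumed as "today".

```python
"""Rank KEV-style records by ransomware tag and remediation deadline."""
from datetime import date

# Constructed sample records (not the live CISA feed); CVE IDs, products
# and due dates are taken from the bulletin, field names from the KEV JSON.
KEV_SAMPLE = [
    {"cveID": "CVE-2026-20182", "product": "Catalyst SD-WAN Controller",
     "dueDate": "2026-05-17", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-41940", "product": "cPanel & WHM",
     "dueDate": "2026-05-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-57728", "product": "SimpleHelp",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-42897", "product": "Exchange Server",
     "dueDate": "2026-05-29", "knownRansomwareCampaignUse": "Unknown"},
]

BULLETIN_DATE = date(2026, 5, 21)  # assumed "today" for the example


def days_to_due(entry, today=BULLETIN_DATE):
    """Days until the CISA due date; negative once the deadline has lapsed."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def priority(entry, today=BULLETIN_DATE):
    """Sort key: lower is more urgent. Ransomware-tagged entries come first,
    then the most-overdue deadline within each group."""
    ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
    return (0 if ransomware else 1, days_to_due(entry, today))


def triage(entries, today=BULLETIN_DATE, window_days=14):
    """Return [(cveID, bucket)] ordered by urgency, where bucket is
    'lapsed' (deadline past), 'due-soon' (within window_days) or 'scheduled'."""
    ranked = sorted(entries, key=lambda e: priority(e, today))
    result = []
    for entry in ranked:
        remaining = days_to_due(entry, today)
        if remaining < 0:
            bucket = "lapsed"
        elif remaining <= window_days:
            bucket = "due-soon"
        else:
            bucket = "scheduled"
        result.append((entry["cveID"], bucket))
    return result


if __name__ == "__main__":
    for cve, bucket in triage(KEV_SAMPLE):
        print(f"{cve:16s} {bucket}")
```

Point `KEV_SAMPLE` at the `vulnerabilities` array of the real feed and the same ranking applies unchanged.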

Microsoft cluster

Defender, Windows, Exchange, and SharePoint all picked up entries this cycle, suggesting active campaigns across the Microsoft stack.

  • CVE-2026-42897 (Exchange Server XSS, deadline 2026-05-29) is the freshest Exchange addition — likely chained with phishing for session hijack against OWA/ECP users.
  • CVE-2026-32201 (SharePoint Server improper input validation, deadline 2026-04-28) and CVE-2026-32202 (Windows protection mechanism failure, deadline 2026-05-12) both lapsed; verify May Patch Tuesday rollups are deployed.
  • Defender itself landed three KEV entries — CVE-2026-41091 (link following), CVE-2026-45498 (DoS), and CVE-2026-33825 (access-control granularity) — all due 2026-05-06 to 2026-06-03. Adversaries blinding EDR before payload delivery is the obvious motive; verify Defender platform/engine versions across the fleet.
  • CVE-2025-60710 (Windows link following, deadline 2026-04-27) and CVE-2023-36424 (Windows OOB read) reinforce the LPE/sandbox-escape theme.

Edge, appliance, and SaaS

  • CVE-2026-21643, a SQL injection in Fortinet FortiClient EMS (deadline 2026-04-16, well past), should already be patched — if not, treat the EMS database as compromised.
  • CVE-2024-7399 in Samsung MagicINFO 9 Server (path traversal) and CVE-2025-29635 in D-Link DIR-823X (command injection), both deadline 2026-05-08, target digital-signage and SOHO router footprints frequently overlooked in enterprise inventories.
  • CVE-2025-2749 (Kentico Xperience path traversal) and CVE-2025-32975 (Quest KACE SMA auth bypass), both deadline 2026-05-04, hit CMS and endpoint-management surfaces commonly exposed to the internet.
  • CVE-2025-48700 (Zimbra Collaboration Suite XSS, deadline 2026-04-23) and CVE-2026-34197 (Apache ActiveMQ improper input validation, deadline 2026-04-30) continue the trend of email and message-broker exploitation.
  • CVE-2026-39987 marks Marimo (Python reactive-notebook server) as a new RCE target — niche, but worth noting for data-science teams exposing notebook hosts.

Linux and Adobe

  • CVE-2026-31431 in the Linux kernel (incorrect resource transfer between spheres, deadline 2026-05-15) is the cycle's lone kernel entry — likely a container/namespace-escape primitive; prioritize on multi-tenant hosts.
  • Adobe Acrobat/Reader added two: CVE-2026-34621 (prototype pollution, deadline 2026-04-27) and the older CVE-2020-9715 (UAF), both worth confirming via endpoint Acrobat version sweeps.

Long-tail legacy re-listings

CISA re-added a batch of vintage Microsoft and Adobe bugs: CVE-2008-4250 (Windows Server Service buffer overflow, aka MS08-067), CVE-2009-1537 (DirectX), CVE-2009-3459 (Acrobat heap overflow), CVE-2010-0249 and CVE-2010-0806 (IE UAFs, the Aurora-era bugs), CVE-2009-0238 (Office RCE), and CVE-2012-1854 (VBA insecure library load), all with deadline 2026-06-03. The pattern suggests CISA is surfacing unpatched legacy systems that recent telemetry shows are still exposed, which matters for OT, industrial, and embedded Windows estates where these bugs genuinely still live. If you operate XP/2003/Win7 islands, this is your reminder to put compensating controls around them.

Editor's read

Two themes dominate this cycle: remote-management and SD-WAN appliance takeover (Cisco, Ivanti, SimpleHelp, ConnectWise, ScreenConnect, KACE) and EDR/AV blinding (three Defender CVEs in one batch). Both align with affiliate-driven ransomware tradecraft. If you triage nothing else this week, validate patch status on remote-access products and confirm Defender is running current builds across the estate.