Cyber Threats Daily — 2026-05-31
TITLE: KEV surge: PAN-OS auth bypass, Nx Console supply-chain malware, and a wave of legacy Microsoft re-adds
---
Top of the watch: imminent KEV deadlines
- CVE-2026-0257 drops a Palo Alto Networks PAN-OS authentication bypass into KEV with a remediation deadline of tomorrow, 2026-06-01 — patch or isolate management planes today; this is the second PAN-OS entry this cycle after the CVE-2026-0300 out-of-bounds write (deadline already passed 2026-05-09).
- CVE-2026-8398 (Daemon Tools Lite embedded malicious code) carried a 2026-05-30 deadline that has now lapsed — federal civilian agencies running this consumer-grade tool on managed endpoints should treat it as overdue and hunt for execution artifacts.
- CVE-2026-42897, a Microsoft Exchange Server XSS, and CVE-2026-48172, a LiteSpeed cPanel Plugin privilege escalation, both hit their 2026-05-29 deadline two days ago; verify patch posture and review web-server auth logs for abuse.
Supply-chain and developer-tooling poisoning
A cluster of KEV additions points at attackers continuing to compromise the JavaScript/Python developer pipeline:
- CVE-2026-48027 flags embedded malicious code in Nx Console, with confirmed ransomware use and a 2026-06-10 deadline — dev workstations and CI runners with the Nx VS Code extension installed need package-integrity review and credential rotation.
- CVE-2026-45321 is an unspecified TanStack vulnerability also linked to ransomware actors (deadline 2026-06-10); given TanStack's footprint in React data layers, assume any build artifact pulled during the exposure window is suspect.
- CVE-2026-39987 delivers RCE in Marimo (Python reactive notebooks), and CVE-2025-34291 is an origin-validation flaw in Langflow — both reinforce that AI/data-science tooling is now squarely in the exploited-in-the-wild bucket.
- CVE-2026-42208, a SQL injection in BerriAI LiteLLM, was added with an aggressive 2026-05-11 deadline that has long lapsed; if you proxy LLM traffic through LiteLLM, audit the DB and API-key store.
Ransomware-flagged additions worth prioritizing
CISA explicitly tagged the following as having known ransomware use — treat as elevated regardless of CVSS:
- CVE-2026-41940 — missing auth on a critical function in WebPros cPanel & WHM / WP2 (deadline 2026-05-03, lapsed). Hosting providers are the obvious blast radius.
- CVE-2024-1708 — ConnectWise ScreenConnect path traversal, re-emphasized with a 2026-05-12 deadline; pairs with the SimpleHelp duo CVE-2024-57728 (path traversal) and CVE-2024-57726 (missing authorization), both added 2026-04-24. RMM platforms remain the #1 ransomware ingress.
- CVE-2024-27199 — JetBrains TeamCity relative path traversal, and CVE-2023-27351 — PaperCut NG/MF improper auth. Both are old, both still being weaponized; if you haven't patched, assume compromise and hunt.
Network and edge gear
Cisco took heavy fire this cycle with four Catalyst SD-WAN Manager / Controller entries:
- CVE-2026-20182 (authentication bypass on the SD-WAN Controller, deadline 2026-05-17) is the highest-impact of the set.
- CVE-2026-20122 (privileged-API misuse), CVE-2026-20133 (sensitive-info exposure), and CVE-2026-20128 (recoverable password storage) all share a 2026-04-23 deadline — agencies running SD-WAN Manager should already have rotated credentials and reviewed admin-session logs.
- CVE-2026-6973 (Ivanti EPMM improper input validation) and CVE-2025-29635 (D-Link DIR-823X command injection) round out the edge picture; the D-Link router class continues to feed botnet operators.
Microsoft: new bugs plus a striking legacy re-add
Microsoft Defender takes three hits on a single 2026-05-20 batch — CVE-2026-41091 (link following), CVE-2026-45498 (DoS), and CVE-2026-33825 (insufficient access-control granularity, added 2026-04-22). An endpoint product appearing three times in five weeks suggests active tampering chains targeting the EDR itself; verify tamper-protection telemetry.
More unusually, CISA added a batch of late-2000s Microsoft and Adobe bugs on 2026-05-20 with a 2026-06-03 deadline — CVE-2008-4250 (Windows buffer overflow, the Conficker bug), CVE-2009-1537 (DirectX), CVE-2009-3459 (Adobe Reader heap overflow), CVE-2010-0249 and CVE-2010-0806 (IE use-after-free), plus CVE-2009-0238 (Office RCE). The re-add pattern almost certainly reflects fresh exploitation against unmanaged OT/ICS or air-gapped legacy hosts; inventory anything still running pre-Win7-era stacks.
Also on the Microsoft side: CVE-2026-32202 (Windows protection-mechanism failure, deadline 2026-05-12, lapsed) deserves follow-up given how often these bypasses chain with the Defender bugs above.
Web platforms and the long tail
- CVE-2026-9082 — SQL injection in Drupal Core (deadline 2026-05-27, lapsed) — assume probing of any unpatched Drupal estate.
- CVE-2026-34926 — directory traversal in Trend Micro Apex One on-prem (deadline 2026-06-04) — a security product as an attack surface, again.
- CVE-2025-2749 (Kentico Xperience path traversal), CVE-2025-32975 (Quest KACE SMA improper auth), CVE-2024-7399 (Samsung MagicINFO 9 path traversal), and CVE-2025-48700 (Zimbra ZCS XSS) all landed 2026-04-20 with early-May deadlines now overdue.
- CVE-2026-34197 (Apache ActiveMQ improper input validation, deadline 2026-04-30) and CVE-2026-31431 (Linux kernel improper resource transfer, deadline 2026-05-15) round out the server-side picture — both have lapsed deadlines and warrant compromise assessment, not just patching.
Analyst take
Three signals dominate this cycle: (1) developer and AI tooling — Nx, TanStack, Langflow, LiteLLM, Marimo — is now a routine KEV category, not an edge case; (2) RMM and hosting-control-panel software (ScreenConnect, SimpleHelp, cPanel) continues to be the preferred ransomware on-ramp; (3) the re-addition of decade-old Microsoft/Adobe CVEs strongly implies CISA is seeing exploitation against neglected legacy fleets. Prioritize the 2026-06-01 PAN-OS deadline today, then sweep the lapsed-deadline list for evidence of compromise rather than just confirming patch state.
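The "sweep the lapsed-deadline list" step above is easy to get wrong by hand once a catalog has hundreds of entries. The script below is an added example, not part of the digest and not CISA tooling: it buckets a KEV-style JSON feed into lapsed, imminent and upcoming entries relative to a chosen date and pulls out the ransomware-flagged ones separately. The field names (cveID, product, dueDate, knownRansomwareCampaignUse with the value "Known") are assumed to match CISA's published KEV JSON feed; the sample entries are constructed from the CVE IDs and dates in this digest and are not a copy of the live catalog.

```python
"""Triage a CISA KEV-style feed by remediation deadline and ransomware flag.

Added example; field names are assumed to follow the published KEV JSON feed.
The sample below is constructed from the digest's own CVEs and deadlines.
"""
import json
from datetime import date, timedelta

# Constructed sample shaped like the KEV "vulnerabilities" array (assumption:
# real feed uses these keys; values here come from the digest, not the feed).
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-0257", "product": "PAN-OS",
     "dueDate": "2026-06-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-8398", "product": "Daemon Tools Lite",
     "dueDate": "2026-05-30", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-42897", "product": "Exchange Server",
     "dueDate": "2026-05-29", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-48027", "product": "Nx Console",
     "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-45321", "product": "TanStack",
     "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-41940", "product": "cPanel & WHM",
     "dueDate": "2026-05-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2008-4250", "product": "Windows",
     "dueDate": "2026-06-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-34926", "product": "Apex One",
     "dueDate": "2026-06-04", "knownRansomwareCampaignUse": "Unknown"},
]})

# The digest's publication date, used as "today" for the sample run.
TODAY = date(2026, 5, 31)


def load_entries(feed_json: str) -> list[dict]:
    """Parse the feed and normalise each entry; dueDate becomes a date object."""
    entries = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        entries.append({
            "cve": v["cveID"],
            "product": v.get("product", ""),
            "due": date.fromisoformat(v["dueDate"]),
            # Assumption: the feed marks ransomware use with the literal "Known".
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        })
    return entries


def triage(feed_json: str, today: date, horizon_days: int = 3) -> dict[str, list[dict]]:
    """Bucket entries by deadline relative to `today`.

    lapsed   : dueDate < today                -> compromise assessment, not just patching
    imminent : today <= dueDate <= today+horizon -> patch or isolate now
    upcoming : dueDate beyond the horizon
    Ransomware-flagged entries are also listed under "ransomware" whatever
    their bucket, since the digest treats them as elevated regardless of CVSS.
    Each bucket is sorted by due date, earliest first.
    """
    horizon = today + timedelta(days=horizon_days)
    buckets: dict[str, list[dict]] = {
        "lapsed": [], "imminent": [], "upcoming": [], "ransomware": [],
    }
    for e in sorted(load_entries(feed_json), key=lambda e: e["due"]):
        e = {**e, "days_left": (e["due"] - today).days}  # negative when lapsed
        if e["due"] < today:
            buckets["lapsed"].append(e)
        elif e["due"] <= horizon:
            buckets["imminent"].append(e)
        else:
            buckets["upcoming"].append(e)
        if e["ransomware"]:
            buckets["ransomware"].append(e)
    return buckets


def cve_ids(bucket: list[dict]) -> list[str]:
    """Convenience: just the CVE IDs of a bucket, in bucket order."""
    return [e["cve"] for e in bucket]


def triage_sample(horizon_days: int = 3) -> dict[str, list[dict]]:
    """Run triage over the constructed sample as of the digest date."""
    return triage(SAMPLE_KEV_JSON, TODAY, horizon_days)


def report(buckets: dict[str, list[dict]]) -> str:
    """Render a short text report, one line per entry, lapsed first."""
    lines = []
    for name in ("imminent", "lapsed", "upcoming", "ransomware"):
        lines.append(f"[{name}]")
        for e in buckets[name]:
            lines.append(f"  {e['cve']:<16} {e['product']:<18} due {e['due']} "
                         f"({e['days_left']:+d}d)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage_sample()))
```

To use it on the real catalog, replace SAMPLE_KEV_JSON with the downloaded feed text and TODAY with date.today(); entries with a negative days_left are the ones the digest says to treat as a hunt, not a patch check.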
