Cyber Threats Daily · June 2, 2026

Cyber Threats Daily — PAN-OS auth bypass, Nx/TanStack supply-chain implants, and a wave of KEV ransomware tags

Top of the queue: actively exploited, deadlines this week

  • CVE-2026-0257 is an authentication bypass in Palo Alto Networks PAN-OS added to KEV on 2026-05-29 with a one-business-day remediation deadline (2026-06-01) — assume edge exposure and hunt for unauthenticated management-plane access now. Pair with CVE-2026-0300, the PAN-OS out-of-bounds write KEV'd a month earlier, if patching has slipped.
  • CVE-2024-21182 in Oracle WebLogic Server is the freshest KEV add (2026-06-01) with FCEB remediation due 2026-06-04; treat any internet-exposed WebLogic as compromised-until-proven-otherwise given Oracle middleware's track record with deserialization chains.
  • CVE-2008-4250 (MS08-067), CVE-2009-1537 (DirectX), CVE-2009-3459 (Acrobat), CVE-2010-0249 and CVE-2010-0806 (IE) were all batch-added on 2026-05-20 with 2026-06-03 deadlines — a striking signal that CISA is still seeing these in incident telemetry, likely on unmanaged OT/legacy fleets. Inventory, isolate, or decommission.
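Deadline-driven triage of this kind is mechanical enough to script. The block below is an added example, not tooling from the newsletter or from CISA: it parses a feed in the same layout as the public KEV JSON (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), matches entries against an asset inventory, and orders what is left by deadline status and ransomware tag. Both the feed excerpt and the inventory are constructed samples; the CVE IDs and due dates follow this issue, while the dateAdded values for the PaperCut and cPanel rows, the hostnames, and the patch states are invented.

```python
"""Triage a KEV-format feed against an asset inventory, most urgent first.

Added example. The feed fields mirror the public CISA KEV JSON; the
entries and inventory below are CONSTRUCTED samples, not live data.
"""
import json
from datetime import date

# Constructed stand-in for the KEV feed. Due dates follow the issue;
# dateAdded for the PaperCut and cPanel rows is made up.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2026-0257", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "dateAdded": "2026-05-29", "dueDate": "2026-06-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-21182", "vendorProject": "Oracle", "product": "WebLogic Server",
     "dateAdded": "2026-06-01", "dueDate": "2026-06-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-41940", "vendorProject": "WebPros", "product": "cPanel & WHM",
     "dateAdded": "2026-04-12", "dueDate": "2026-05-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "PaperCut NG/MF",
     "dateAdded": "2026-04-13", "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-48027", "vendorProject": "Nx", "product": "Nx Console",
     "dateAdded": "2026-05-20", "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Known"}
  ]
}"""

# Constructed inventory: hostnames and patch states are invented.
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01", "vendor": "Palo Alto Networks", "product": "PAN-OS", "patched": False},
    {"host": "app-wls-02", "vendor": "Oracle", "product": "WebLogic Server", "patched": False},
    {"host": "hosting-07", "vendor": "WebPros", "product": "cPanel & WHM", "patched": True},
    {"host": "print-01", "vendor": "PaperCut", "product": "PaperCut NG/MF", "patched": False},
    {"host": "dev-lap-113", "vendor": "Nx", "product": "Nx Console", "patched": False},
]

STATUS_RANK = {"OVERDUE": 0, "DUE_SOON": 1, "SCHEDULED": 2}


def deadline_status(due, today, horizon_days):
    """Classify a due date relative to today; days_left is negative when overdue."""
    days_left = (due - today).days
    if days_left < 0:
        return "OVERDUE", days_left
    if days_left <= horizon_days:
        return "DUE_SOON", days_left
    return "SCHEDULED", days_left


def _same_product(asset, entry):
    # Exact vendor+product match after case folding. KEV product names are free
    # text, so a production version should map both sides to CPEs instead.
    return (asset["vendor"].casefold() == entry["vendorProject"].casefold()
            and asset["product"].casefold() == entry["product"].casefold())


def triage(kev_json, inventory, today, horizon_days=7):
    """Return KEV entries that still have unpatched assets, most urgent first.

    Sort order: overdue before due-soon before scheduled; within a group,
    ransomware-tagged entries first, then the nearest (or most lapsed) deadline.
    """
    today = date.fromisoformat(today)
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        exposed = [a["host"] for a in inventory
                   if _same_product(a, entry) and not a["patched"]]
        if not exposed:
            continue  # not in the estate, or already remediated
        status, days_left = deadline_status(
            date.fromisoformat(entry["dueDate"]), today, horizon_days)
        findings.append({
            "cveID": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "status": status,
            "days_left": days_left,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "hosts": exposed,
        })
    findings.sort(key=lambda f: (STATUS_RANK[f["status"]], not f["ransomware"], f["days_left"]))
    return findings


def report(findings):
    """Render one line per finding for a ticket or chat post."""
    lines = []
    for f in findings:
        tag = " [RANSOMWARE]" if f["ransomware"] else ""
        lines.append(f'{f["status"]:9} {f["days_left"]:+4d}d  {f["cveID"]:15} '
                     f'{f["product"]}{tag}  -> {", ".join(f["hosts"])}')
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, "2026-06-02"))))
```

Run against the sample on 2026-06-02 the patched cPanel host drops out, the two overdue entries come first with the ransomware-tagged PaperCut ahead of PAN-OS, WebLogic lands in the due-soon window, and Nx Console is scheduled. The ordering is purely deadline and tag driven; it does not know that an unauthenticated edge auth bypass outranks a print-server bug, so an analyst still makes the final call.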

Supply-chain and developer-tooling implants

  • CVE-2026-48027 flags the Nx Console VS Code extension as carrying embedded malicious code, and CVE-2026-45321 applies the same embedded-malicious-code classification to an unspecified TanStack component — both are KEV'd with known ransomware use and a 2026-06-10 deadline. Audit developer endpoints for these extensions/packages, rotate any tokens cached by them, and review CI runners that pulled affected versions.
  • CVE-2026-8398 lists Daemon Tools Lite as shipping embedded malicious code (deadline 2026-05-30, now overdue) — a reminder to police unsanctioned freeware on corp endpoints, not just servers.
  • CVE-2024-1708 (ConnectWise ScreenConnect path traversal) and CVE-2024-27199 (JetBrains TeamCity path traversal) re-surface on KEV with ransomware tags and 2026-05-04/05-12 deadlines — both remain favored initial-access footholds for affiliate crews.
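The audit step above starts with knowing which endpoints and CI caches actually carry the extension or packages. The block below is an added example, not from the newsletter or from the Nx or TanStack projects: it reads the layout of VS Code's extensions.json and npm's package-lock.json (lockfileVersion 2/3) and reports watched entries, plus any package whose tarball was resolved from somewhere other than the expected registry. The extension ID nrwl.angular-console is assumed to be Nx Console's; the issue gives no affected versions, so every version is reported for review. Both input documents are constructed samples with invented versions and paths.

```python
"""Inventory VS Code extensions and npm lockfiles for watched supply-chain items.

Added example. Formats mirror ~/.vscode/extensions/extensions.json and
package-lock.json v2/v3; the contents below are CONSTRUCTED samples.
"""
import json

WATCHED_EXTENSIONS = {"nrwl.angular-console"}   # assumed ID of the Nx Console extension
WATCHED_PACKAGE_SCOPES = ("@tanstack/",)       # affected packages unspecified, so flag the scope
ALLOWED_REGISTRY = "https://registry.npmjs.org/"

# Constructed extensions.json: versions and paths are invented.
SAMPLE_EXTENSIONS_JSON = """[
  {"identifier": {"id": "ms-python.python"}, "version": "2026.4.0",
   "location": {"path": "/home/dev/.vscode/extensions/ms-python.python-2026.4.0"}},
  {"identifier": {"id": "nrwl.angular-console"}, "version": "18.50.0",
   "location": {"path": "/home/dev/.vscode/extensions/nrwl.angular-console-18.50.0"}}
]"""

# Constructed package-lock.json: versions, URLs and the tiny-util package are invented.
SAMPLE_PACKAGE_LOCK = """{
  "name": "portal", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"@tanstack/react-query": "^5.0.0", "react": "^19.0.0"}},
    "node_modules/react": {"version": "19.1.0",
      "resolved": "https://registry.npmjs.org/react/-/react-19.1.0.tgz"},
    "node_modules/@tanstack/react-query": {"version": "5.60.2",
      "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.60.2.tgz"},
    "node_modules/@tanstack/react-query/node_modules/@tanstack/query-core": {"version": "5.60.2",
      "resolved": "https://registry.npmjs.org/@tanstack/query-core/-/query-core-5.60.2.tgz"},
    "node_modules/tiny-util": {"version": "1.3.0",
      "resolved": "http://10.0.0.5/cache/tiny-util-1.3.0.tgz"}
  }
}"""


def watched_extensions(extensions_json):
    """Return installed extensions whose ID is on the watchlist."""
    hits = []
    for ext in json.loads(extensions_json):
        ext_id = ext["identifier"]["id"].lower()
        if ext_id in WATCHED_EXTENSIONS:
            hits.append({"id": ext_id, "version": ext.get("version"),
                         "path": ext.get("location", {}).get("path")})
    return hits


def _package_name(lock_path):
    # "node_modules/a/node_modules/@s/b" -> "@s/b" (nested installs keep the last segment)
    return lock_path.rsplit("node_modules/", 1)[-1]


def watched_packages(package_lock_json, allowed_registry=ALLOWED_REGISTRY):
    """Return locked packages that are watched or resolved off the allowed registry."""
    lock = json.loads(package_lock_json)
    hits = []
    for lock_path, meta in lock.get("packages", {}).items():
        if not lock_path:
            continue  # "" is the root project, not a dependency
        name = _package_name(lock_path)
        resolved = meta.get("resolved", "")
        reasons = []
        if name.startswith(WATCHED_PACKAGE_SCOPES):
            reasons.append("watched package")
        if resolved and not resolved.startswith(allowed_registry):
            reasons.append("off-registry tarball")
        if reasons:
            hits.append({"name": name, "version": meta.get("version"),
                         "resolved": resolved, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for e in watched_extensions(SAMPLE_EXTENSIONS_JSON):
        print("EXTENSION", e["id"], e["version"], e["path"])
    for p in watched_packages(SAMPLE_PACKAGE_LOCK):
        print("PACKAGE  ", p["name"], p["version"], ", ".join(p["reasons"]))
```

In practice you feed this the extensions.json from every user profile (including VS Code Insiders, remote-container and WSL extension directories) and every package-lock.json in CI workspaces and runner caches, then reconcile versions against the advisory once affected ranges are published. Lockfile v1 nests dependencies under "dependencies" rather than "packages" and is not handled here.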

Hosting, cPanel, and MSP-adjacent exposure

  • CVE-2026-41940 in WebPros cPanel & WHM / WP2 is a missing-auth-on-critical-function bug with confirmed ransomware use and a deadline that lapsed 2026-05-03 — any hosting tenant still unpatched should be assumed breached. Compounding risk: CVE-2026-48172, a LiteSpeed cPanel plugin privilege escalation (deadline 2026-05-29).
  • CVE-2024-57728 and CVE-2024-57726 in SimpleHelp (path traversal + missing authorization) are both KEV'd with ransomware tags — MSPs running SimpleHelp for remote support should validate patch state and review session logs back to Q1.
  • CVE-2023-27351 in PaperCut NG/MF returns to the spotlight with a ransomware tag and 2026-05-04 deadline; print servers remain an underestimated lateral-movement waypoint.

Network gear and edge

  • Cisco Catalyst SD-WAN is having a bad month: CVE-2026-20182 (auth bypass on the Controller, deadline 2026-05-17) plus a cluster on SD-WAN Manager — CVE-2026-20122 (privileged API misuse), CVE-2026-20133 (sensitive info exposure), and CVE-2026-20128 (recoverable password storage), all with 2026-04-23 deadlines. Treat the Manager as a crown-jewel asset, rotate stored credentials, and review API audit logs.
  • CVE-2025-29635 (D-Link DIR-823X command injection) and CVE-2024-7399 (Samsung MagicINFO 9 Server path traversal) round out the edge/IoT additions with 2026-05-08 deadlines — both are botnet-recruitment magnets.

Microsoft stack

  • Microsoft Defender keeps landing on KEV: CVE-2026-41091 (link following) and CVE-2026-45498 (DoS) with 2026-06-03 deadlines, plus the earlier CVE-2026-33825 (access-control granularity). An EDR being the exploit target is the worst-case inversion — verify Defender platform/engine versions, not just signatures.
  • CVE-2026-42897 is a cross-site scripting flaw in Exchange Server (deadline 2026-05-29); chainable with phishing for session theft against OWA users.
  • CVE-2026-32202 is a Windows protection-mechanism failure (deadline 2026-05-12) — likely a defense-in-depth bypass being abused post-initial-access. Patch alongside the Defender set.

Application and AI/ML tooling

  • AI/ML stacks keep landing on KEV: CVE-2025-34291 (Langflow origin validation, deadline 2026-06-04), CVE-2026-42208 (BerriAI LiteLLM SQL injection, overdue 2026-05-11), and CVE-2026-39987 (Marimo RCE, overdue 2026-05-07). If you stood up "prototype" LLM gateways or notebook servers without putting them behind auth, today is the day to take them offline.
  • CVE-2026-34926 (Trend Micro Apex One on-prem directory traversal, deadline 2026-06-04) is notable because Apex One management consoles are typically internal but credential-rich; chain risk is high.
  • CVE-2026-9082 (Drupal Core SQLi, overdue 2026-05-27), CVE-2025-2749 (Kentico Xperience path traversal), CVE-2025-48700 (Zimbra ZCS XSS), CVE-2025-32975 (Quest KACE SMA auth bypass), and CVE-2026-34197 (Apache ActiveMQ improper input validation) are all CMS/appliance-class additions worth a sweep across your external attack surface.

Other

  • CVE-2026-31431 in the Linux kernel (CWE-669, incorrect resource transfer between spheres; deadline 2026-05-15) and CVE-2026-6973 in Ivanti EPMM (deadline 2026-05-10) are both overdue for FCEB and warrant a status check across managed fleets.

Analyst takeaways

1. The PAN-OS auth bypass plus an unusually short one-day FCEB window is the single most urgent item — escalate if not already remediated.

2. Two separate developer-tooling supply-chain entries (Nx Console, TanStack) on the same KEV batch indicate ongoing targeting of the build pipeline; revisit your SBOM and extension allowlists.

3. Defender itself being exploited (three CVEs listed above) means EDR posture monitoring needs to include the EDR's own version state, not just its alerts.
