Cyber Threats Daily — 2026-05-28
TITLE: KEV Surge: Supply-Chain Trojans in Nx & Daemon Tools, Fresh Exchange/Defender/SD-WAN Adds, Ransomware Hits cPanel
---
Top Priority — Imminent KEV Deadlines
Two supply-chain compromises, a cPanel privilege bug and an Exchange XSS top today's queue; three of the four carry sub-72-hour remediation windows:
- CVE-2026-48027 flags embedded malicious code in the Nx Console (Nx build platform) — a developer-tooling supply-chain compromise; CISA requires federal remediation by 2026-06-10, but treat any Nx Console install as suspect immediately and audit CI/CD artifacts.
- CVE-2026-8398 identifies embedded malicious code in Daemon Tools Lite, another trojanized installer scenario; KEV deadline 2026-05-30 — pull the binary from managed software catalogs now.
- CVE-2026-48172 is a privilege escalation in the LiteSpeed cPanel Plugin with a 2026-05-29 deadline; chain risk is high on multi-tenant hosting where local cPanel users can pivot to root.
- CVE-2026-42897, an XSS in Microsoft Exchange Server, also lands at 2026-05-29 — apply the fix now rather than waiting for the next Patch Tuesday cycle, and review OWA/ECP logs for token theft.
Newly Added This Week (KEV, 2026-05-21 to 2026-05-27)
- CVE-2026-45321 in TanStack (popular React data/router libs) is listed as "unspecified" with a 2026-06-10 deadline — assume RCE or auth bypass until CISA details land; inventory frontend builds pulling `@tanstack/*`.
- CVE-2026-9082 is a SQL injection in Drupal Core (deadline 2026-05-27, already lapsed) — anyone still on an unpatched branch should treat sites as potentially compromised, not merely vulnerable.
- CVE-2025-34291 in Langflow (origin validation error) and CVE-2026-42208 in BerriAI LiteLLM (SQLi) continue the trend of AI orchestration frameworks being weaponized; both are now KEV-listed, deadlines 2026-06-04 and 2026-05-11 respectively. If you run an internal LLM gateway, this is your stack.
- CVE-2026-34926, a directory traversal in Trend Micro Apex One (on-prem), belongs to a class that was exploitable pre-auth in prior Apex One disclosures — KEV deadline 2026-06-04; EDR management servers are crown-jewel targets.
Microsoft Defender & Windows Cluster
CISA added a notable cluster of Defender and Windows protection-mechanism bugs on 2026-05-20, all due 2026-06-03:
- CVE-2026-41091 (Defender link-following), CVE-2026-45498 (Defender DoS), and earlier CVE-2026-33825 (Defender access-control granularity, due 2026-05-06) collectively suggest active abuse of Defender's own trust boundaries to disable or bypass protection prior to follow-on payloads.
- CVE-2026-32202 (Windows protection-mechanism failure, due 2026-05-12) and CVE-2026-32201 (SharePoint Server improper input validation, due 2026-04-28) round out the Microsoft surface — SharePoint in particular has been a recurring ransomware foothold.
- A batch of legacy entries — CVE-2008-4250 (Windows MS08-067-class buffer overflow), CVE-2009-1537 (DirectX), CVE-2009-3459 (Adobe Reader heap overflow), CVE-2010-0249 and CVE-2010-0806 (IE use-after-free), and CVE-2009-0238 (Office RCE) — were back-added to KEV, signaling fresh telemetry of in-the-wild use, almost certainly against unmanaged or air-gapped Windows fleets. Hunt for these on OT and legacy estates.
Ransomware-Tagged Entries — Patch on Sight
CISA explicitly flagged the following as in active ransomware operator use:
- CVE-2026-41940: missing authentication on a critical function in WebPros cPanel & WHM / WP2 — deadline 2026-05-03 has already passed. Shared hosting providers should assume exploitation and rotate WHM API tokens.
- CVE-2024-1708 (ConnectWise ScreenConnect path traversal) is again in heavy rotation; deadline 2026-05-12. Combined with the SimpleHelp pair CVE-2024-57728 and CVE-2024-57726 (path traversal + missing authorization, deadline 2026-05-08), RMM tools remain the preferred initial-access vector.
- CVE-2023-27351 (PaperCut NG/MF auth bypass, deadline 2026-05-04) and CVE-2024-27199 (JetBrains TeamCity path traversal, deadline 2026-05-04) round out the ransomware-tagged set — both are widely scanned and trivially weaponized.
Network Edge & SD-WAN
Cisco's Catalyst SD-WAN stack took four KEV hits with aggressive deadlines:
- CVE-2026-20182 (SD-WAN Controller auth bypass, due 2026-05-17) is the most severe — pre-auth access to a controller compromises every managed edge.
- CVE-2026-20122 (privileged API misuse), CVE-2026-20133 (sensitive info exposure), and CVE-2026-20128 (recoverable password storage) on SD-WAN Manager all carried 2026-04-23 deadlines and should already be remediated; if not, treat manager credentials and device certs as burned.
- CVE-2026-0300 (Palo Alto PAN-OS out-of-bounds write, due 2026-05-09) and CVE-2026-6973 (Ivanti EPMM improper input validation, due 2026-05-10) extend the edge-device pattern; both vendors have a recent history of pre-auth exploitation chains.
- CVE-2025-29635 (D-Link DIR-823X command injection, due 2026-05-08) is botnet fodder — likely Mirai-variant recruitment targeting SOHO routers.
Application & Platform Layer
- CVE-2024-7399 (Samsung MagicINFO 9 Server path traversal) and CVE-2025-2749 (Kentico Xperience path traversal), due 2026-05-08 and 2026-05-04 respectively, indicate continued exploitation of CMS/digital-signage platforms as foothold-and-pivot targets.
- CVE-2025-48700 (Zimbra ZCS XSS, due 2026-04-23) and CVE-2025-32975 (Quest KACE SMA improper auth, due 2026-05-04) continue the collab/endpoint-management exploitation trend — Zimbra in particular remains a favorite of state-aligned actors.
- CVE-2026-39987 is an RCE in Marimo (Python notebook platform), due 2026-05-07 — another data-science tool joining the AI/ML exploitation theme.
- CVE-2026-34197 (Apache ActiveMQ improper input validation, due 2026-04-30) echoes the 2023 ActiveMQ ransomware wave; brokers exposed to the internet should be re-audited.
- CVE-2026-31431 (Linux kernel, incorrect resource transfer between spheres, due 2026-05-15) is a container/namespace-escape-class flaw — prioritize on multi-tenant Kubernetes nodes.
Analyst Notes
The week's signal: supply-chain trojans are now appearing in mainstream dev tooling (Nx, TanStack ecosystem, Daemon Tools) with the same KEV urgency as edge-device RCEs. Combined with the Defender cluster, adversaries are clearly investing in defense-evasion before payload delivery. Prioritize: (1) the three sub-72-hour deadlines above, (2) any RMM/cPanel exposure given the ransomware tags, (3) SD-WAN and PAN-OS edge patching, then (4) the AI-stack CVEs (Langflow, LiteLLM, Marimo) which are early in their exploitation curve but rising fast.
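As a worked example of the prioritization above (added here; not part of the bulletin), the following triages entries in the shape of CISA's known_exploited_vulnerabilities.json feed against an asset inventory by deadline and ransomware tag. The sample entries reuse this bulletin's CVE IDs and deadlines; the vendor/product strings and the inventory set are assumptions.

```python
"""Triage KEV entries against an asset inventory: lapsed deadlines first, then sub-N-day, then scheduled."""
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json.
# Field names match the real feed; the subset, vendorProject and product strings are assumed.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-8398", "vendorProject": "Daemon Tools", "product": "Daemon Tools Lite",
     "dueDate": "2026-05-30", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-48172", "vendorProject": "LiteSpeed", "product": "cPanel Plugin",
     "dueDate": "2026-05-29", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-41940", "vendorProject": "WebPros", "product": "cPanel & WHM",
     "dueDate": "2026-05-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-48027", "vendorProject": "Nx", "product": "Nx Console",
     "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20182", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Controller",
     "dueDate": "2026-05-17", "knownRansomwareCampaignUse": "Unknown"},
]})

# Assumed CMDB export: lower-cased vendorProject values present in the estate.
INVENTORY = {"daemon tools", "litespeed", "webpros", "nx"}

def triage(kev_json, inventory, today_iso, urgent_days=3):
    """Return (cveID, bucket, ransomware_tagged, dueDate) tuples for entries that match
    the inventory, most urgent first. Buckets: lapsed, urgent (due within urgent_days), scheduled."""
    today = date.fromisoformat(today_iso)
    horizon = today + timedelta(days=urgent_days)
    order = {"lapsed": 0, "urgent": 1, "scheduled": 2}
    rows = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        if v["vendorProject"].lower() not in inventory:
            continue  # not in the estate; skip
        due = date.fromisoformat(v["dueDate"])
        if due < today:
            bucket = "lapsed"  # deadline passed: treat as potentially compromised, not just exposed
        elif due <= horizon:
            bucket = "urgent"
        else:
            bucket = "scheduled"
        tagged = v.get("knownRansomwareCampaignUse") == "Known"
        rows.append((v["cveID"], bucket, tagged, v["dueDate"]))
    # Within a bucket, ransomware-tagged entries come first, then earliest due date.
    return sorted(rows, key=lambda r: (order[r[1]], not r[2], r[3]))
```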
