Cyber Threats Daily — 2026-05-22
TITLE: Cyber Threats Daily — KEV surge: Langflow, Apex One added; Defender, Exchange, SD-WAN deadlines loom
---
Top of the Stack: Fresh KEV Additions (Due 2026-06-04)
CISA added two new entries to the Known Exploited Vulnerabilities catalog yesterday, both with a two-week remediation clock for federal civilian agencies — and both worth immediate SOC attention given exposure patterns.
- CVE-2025-34291 is an origin validation flaw in Langflow, the popular open-source LLM workflow builder; exploitation here continues the trend of attackers pivoting through AI/agent tooling that's often deployed with weak network controls. Federal agencies must remediate by 2026-06-04.
- CVE-2026-34926 is a directory traversal in Trend Micro Apex One (on-premise) — a security product compromise that, like prior EDR/AV bugs, can hand attackers SYSTEM-level footholds on managed endpoints. Patch and hunt for anomalous Apex One console access; KEV due 2026-06-04.
Microsoft-Heavy Week: Defender, Exchange, SharePoint, Windows
CISA spent the week catching up on a Microsoft backlog, including two new Microsoft Defender entries — CVE-2026-41091 (link following) and CVE-2026-45498 (DoS) — both due 2026-06-03, alongside the older CVE-2026-33825 Defender access-control bug (due 2026-05-06). Defenders should verify Defender platform versions are current and watch for telemetry gaps that could indicate tampering with the agent.
- CVE-2026-42897, a Microsoft Exchange Server XSS, carries a tight 2026-05-29 deadline — agencies have one week. Pair with the older CVE-2023-21529 Exchange deserialization bug (ransomware-linked, due 2026-04-27) for any environments still lagging on Exchange hardening.
- CVE-2026-32201 (SharePoint Server improper input validation) and CVE-2026-32202 / CVE-2025-60710 (Windows protection bypass and link following) round out the Microsoft additions, all with late-April to mid-May deadlines that are now overdue for non-compliant agencies.
- A cluster of legacy Microsoft entries — CVE-2008-4250 (Windows buffer overflow, the infamous MS08-067), CVE-2009-1537 (DirectX), CVE-2010-0249 and CVE-2010-0806 (IE use-after-free), CVE-2012-1854 (VBA), and CVE-2009-0238 (Office RCE) — were added retroactively, suggesting CISA is closing historical gaps; legacy-system owners should confirm these are not lurking on unmanaged hosts.
Network Edge & Management Planes
Cisco's SD-WAN stack dominates this category and the deadlines are already past — assume exploitation attempts in the wild.
- Four Cisco Catalyst SD-WAN bugs landed together: three in SD-WAN Manager — CVE-2026-20122 (privileged API misuse), CVE-2026-20133 (sensitive info exposure), CVE-2026-20128 (recoverable password storage), all due 2026-04-23 — plus the CVE-2026-20182 authentication bypass in the SD-WAN Controller (due 2026-05-17). Chained, these enable full management-plane takeover.
- CVE-2026-0300 in Palo Alto Networks PAN-OS (out-of-bounds write, due 2026-05-09) and CVE-2026-6973 in Ivanti EPMM (improper input validation, due 2026-05-10) continue the long-running pattern of edge-appliance exploitation. CVE-2025-29635 (D-Link DIR-823X command injection) extends the same threat to SOHO gear that frequently shows up on enterprise edges.
Ransomware-Linked Entries — Prioritize These
CISA explicitly flagged ransomware association on several additions, which should bump them above CVSS-based triage:
- CVE-2026-41940 in WebPros cPanel & WHM / WP2 (missing auth on a critical function, due 2026-05-03) is a hosting-provider nightmare — exploitation gives wholesale access to multi-tenant web infrastructure.
- CVE-2024-1708 (ConnectWise ScreenConnect path traversal) and the SimpleHelp pair CVE-2024-57728 + CVE-2024-57726 target RMM tooling that ransomware affiliates routinely abuse for initial access and lateral movement; their deadlines fall on 2026-05-08 and 2026-05-12.
- CVE-2024-27199 (JetBrains TeamCity path traversal) and CVE-2023-27351 (PaperCut NG/MF auth bypass), both due 2026-05-04, round out the ransomware-flagged set — older bugs that affiliates still find unpatched in the wild.
AI/Data Stack and Other Notables
- CVE-2026-42208 is a SQL injection in BerriAI LiteLLM, the widely deployed LLM proxy — another data point that the AI middleware layer is now firmly in the exploitation crosshairs. Due 2026-05-11.
- CVE-2026-39987 RCE in Marimo (Python reactive notebooks) and CVE-2026-31431 (Linux kernel incorrect resource transfer) extend the developer-tooling and host-kernel exposure, both due in early-to-mid May.
- Web app and appliance additions worth a sweep: CVE-2025-2749 (Kentico Xperience path traversal), CVE-2025-48700 (Zimbra Collaboration Suite XSS), CVE-2025-32975 (Quest KACE SMA improper auth), CVE-2024-7399 (Samsung MagicINFO 9 path traversal), and CVE-2026-34197 (Apache ActiveMQ input validation). Deadlines cluster around 2026-04-23 through 2026-05-08.
- Two Adobe Acrobat bugs — CVE-2009-3459 and CVE-2020-9715 — were added as catch-ups; chase any legacy Reader installs surfaced by EDR inventory.
Analyst Takeaway
This week's KEV activity has three actionable themes: (1) the new Langflow and LiteLLM entries confirm AI infrastructure is now a routine KEV category — inventory your LLM gateways and notebook servers; (2) the Cisco SD-WAN cluster and Defender additions mean management-plane and security-tool integrity should be your top hunt priorities; (3) the ransomware-flagged RMM and hosting bugs (ScreenConnect, SimpleHelp, cPanel, PaperCut, TeamCity) demand verification today, not patching by the deadline. The retroactive 2008–2012 Microsoft additions are a useful prompt to re-run legacy-host discovery.
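To turn the takeaway's ordering (ransomware-flagged first, then overdue, then soonest deadline) into a repeatable triage step over the KEV feed, here is an added example that is not part of the digest or of any CISA tooling. The embedded input is a constructed fragment in the shape of CISA's KEV JSON feed (field names cveID, product, dueDate and knownRansomwareCampaignUse match the real feed), populated with entries and dates quoted in this issue.

```python
import json
from datetime import date

# Issue date of this digest, used as "today" for overdue checks.
TODAY = date(2026, 5, 22)

# Constructed sample in the shape of CISA's KEV JSON feed; entries, due dates
# and ransomware flags are taken from the digest above, not from the live feed.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-34291", "product": "Langflow", "dueDate": "2026-06-04",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-42897", "product": "Exchange Server", "dueDate": "2026-05-29",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-41940", "product": "cPanel & WHM", "dueDate": "2026-05-03",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-1708", "product": "ScreenConnect", "dueDate": "2026-05-08",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-20122", "product": "Catalyst SD-WAN Manager", "dueDate": "2026-04-23",
     "knownRansomwareCampaignUse": "Unknown"},
]})

def triage(kev_json, today=TODAY):
    """Return KEV entries ordered for action: ransomware-flagged first, then by
    fewest days left (negative days_left means the deadline has already passed)."""
    rows = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        due = date.fromisoformat(v["dueDate"])
        rows.append({
            "cveID": v["cveID"],
            "product": v["product"],
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
            "days_left": (due - today).days,
        })
    # False sorts before True, so "not ransomware" puts flagged entries first;
    # within each group the most overdue / soonest-due entry comes first.
    rows.sort(key=lambda r: (not r["ransomware"], r["days_left"]))
    return rows

def overdue(rows):
    """CVE IDs whose KEV due date is already behind us."""
    return [r["cveID"] for r in rows if r["days_left"] < 0]

if __name__ == "__main__":
    for r in triage(SAMPLE_KEV):
        flag = "RANSOMWARE" if r["ransomware"] else "          "
        state = f"overdue by {-r['days_left']}d" if r["days_left"] < 0 else f"{r['days_left']}d left"
        print(f"{flag} {r['cveID']:<16} {r['product']:<24} {state}")
```

Pointing `triage()` at the full feed and intersecting the result with your asset inventory gives the "verify today" list the takeaway asks for.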
