CISA has added three vulnerabilities to its Known Exploited Vulnerabilities catalog based on active-exploitation evidence. Two formally recognize the TeamPCP supply-chain wave that dominated mid-May: CVE-2026-45321 (TanStack) and CVE-2026-48027 (Nx Console embedded malicious code), the latter tied to the trojanized VS Code extension that led to GitHub's own 3,800-repo internal breach. The third, CVE-2026-8398, is an embedded-malicious-code flaw in the Daemon Tools Lite disc-imaging utility. FCEB agencies must remediate all three by the BOD 22-01 deadline; CISA urges all organizations to prioritize them. The additions confirm the supply-chain compromises moved from disclosure to documented in-the-wild exploitation.
CISA has given US federal civilian agencies a midnight Wednesday May 27 deadline to patch CVE-2026-9082, the highly critical Drupal SQL injection added to its Known Exploited Vulnerabilities catalog on Friday. Imperva says it has now observed 15,000+ attack attempts targeting nearly 6,000 individual Drupal sites across 65 countries since disclosure, with gaming and financial services taking almost half. Shadowserver tracks ~670 unpatched Drupal instances still exposed online (272 in North America, 273 in Europe). CISA's directive is mandatory only for FCEB agencies under BOD 22-01, but the agency strongly urges all organizations to patch immediately.
Drupal has issued an update to its highly critical PSA-2026-05-18 advisory confirming that exploit attempts for CVE-2026-9082 are now being detected in the wild. The bug is an SQL injection in Drupal's database abstraction API that lets unauthenticated requests trigger arbitrary SQL on sites running PostgreSQL, with possible escalation to RCE, privilege escalation, and information disclosure. Drupal rates it 23 out of 25 internally though NIST's CVSS v3 score is a mismatched 6.5. CISA added it to KEV on May 22. Affected versions cover Drupal 8.9.x and all 10.x and 11.x branches up to 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10.
CISA has added two new entries to its Known Exploited Vulnerabilities catalog. CVE-2025-34291 is an origin-validation/CORS chain in Langflow, a popular open-source AI agent framework, that lets a malicious webpage exfiltrate refresh tokens and reach the code-validation endpoint for full RCE. Active exploitation began on January 23, 2026, and threat actors have been deploying the Flodric botnet through compromised instances. CVE-2026-34926 is a directory-traversal flaw in Trend Micro Apex One (On-Premise) that allows file read or write outside the intended path. FCEB agencies must remediate by June 11 per BOD 22-01; CISA urges all organisations to do the same.
Microsoft has rolled out fixes for two Defender vulnerabilities that have been exploited in zero-day attacks. CVE-2026-41091 is a link-following local privilege escalation in Microsoft Malware Protection Engine 1.1.26030.3008 and earlier that lets attackers gain SYSTEM. CVE-2026-45498 affects Defender Antimalware Platform 4.18.26030.3011 and earlier and triggers denial-of-service. Updates land automatically in Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7. CISA has added both to its KEV catalog and ordered FCEB agencies to patch within two weeks, by June 3. The same KEV update also added five legacy 2008-2010 Internet Explorer, DirectX, Acrobat, and Windows bugs that CISA suggests are seeing fresh exploitation.
Cisco disclosed and patched a second perfect-score authentication bypass in its Catalyst SD-WAN Controller and Manager (formerly vSmart and vManage). The bug, CVE-2026-20182 (CVSS 10.0), was found by Rapid7 while investigating the earlier CVE-2026-20127 wave, and lives in the same vdaemon service over DTLS port 12346. An unauthenticated attacker can become a trusted peer of the controller, log in as a privileged internal account, hit the NETCONF interface, and rewrite the entire SD-WAN fabric. Cisco Talos already attributes limited in-the-wild exploitation to UAT-8616, an actor with operational-relay-box ties that has been targeting Cisco SD-WAN since 2023.
Quest KACE has a year-old maximum-severity authentication bypass (CVE-2025-32975, CVSS 10.0). Hunt.io researchers now report that an attacker exploited an unpatched KACE appliance at a Boston-area managed services provider called HIQ - then left their entire toolkit on a publicly accessible server with directory listing turned on. The exfiltrated 512 MB MariaDB dump turned out to contain the full appliance-managed endpoint list for over 60 named client organizations spanning law enforcement, government, healthcare, education, and private companies. None of those 60-plus organizations had any KACE relationship of their own - they were just customers of the MSP that ran it unpatched.
Ivanti disclosed Wednesday that attackers are exploiting a zero-day in Endpoint Manager Mobile (EPMM) to gain admin-level remote code execution on enterprise MDM servers. CVE-2026-6973. Successful exploitation gives the attacker control over the MDM platform that pushes apps and configurations to managed mobile fleets - a foothold that can pivot into managed devices and the corporate identity layer. CISA added the flaw to its Known Exploited Vulnerabilities catalog the same day with a federal patch deadline next week. Ivanti products have a long history of zero-day exploitation.
Update on the cPanel ransomware wave covered May 3: attackers have shifted focus and are now targeting governments and managed service providers exploiting CVE-2026-41940. Security Affairs reports the operation is no longer just opportunistic mass-encryption of small business websites - the actors are deliberately looking for hosting accounts owned by government agencies and IT firms that manage downstream customers. CISA added the cPanel flaw to its KEV catalog Friday with a federal patch deadline of May 21. With 44,000 cPanel hosts already compromised in the initial wave, the secondary phase targeting MSPs has the potential to multiply impact through customer-tenant relationships - much like the 2023 Kaseya VSA campaign.
CISA added four flaws to KEV on April 24 with a May 8 federal deadline. The headline is CVE-2024-57726 (CVSS 9.9), a missing authorization in SimpleHelp RMM that lets a low-privileged technician mint API keys above their role and escalate to server admin; companion CVE-2024-57728 (CVSS 7.2) chains a path traversal for RCE. SimpleHelp featured in DragonForce and Akira ransomware campaigns last year. CVE-2024-7399 (CVSS 8.8) is a Samsung MagicINFO 9 path traversal with a public PoC since 2024. The fourth, CVE-2025-29635, is the D-Link DIR-823X bug we covered last week.