Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: cisa-kev (33 articles)Clear

CISA adds three to KEV: TanStack CVE-2026-45321 and Nx Console CVE-2026-48027 (TeamPCP) plus Daemon Tools Lite CVE-2026-8398

CISA has added three vulnerabilities to its Known Exploited Vulnerabilities catalog based on active-exploitation evidence. Two formally recognize the TeamPCP supply-chain wave that dominated mid-May: CVE-2026-45321 (TanStack) and CVE-2026-48027 (Nx Console embedded malicious code), the latter tied to the trojanized VS Code extension that led to GitHub's own 3,800-repo internal breach. The third, CVE-2026-8398, is an embedded-malicious-code flaw in the Daemon Tools Lite disc-imaging utility. FCEB agencies must remediate all three by the BOD 22-01 deadline; CISA urges all organizations to prioritize them. The additions confirm the supply-chain compromises moved from disclosure to documented in-the-wild exploitation.

Check
Confirm TanStack (CVE-2026-45321) and Nx Console (CVE-2026-48027) remediation from the mid-May supply-chain wave is complete. Inventory Daemon Tools Lite installs for CVE-2026-8398.
Affected
Organizations exposed to the TeamPCP supply-chain compromises (TanStack, Nx Console) and any endpoint running a vulnerable Daemon Tools Lite disc-imaging build. Federal agencies bound by BOD 22-01.
Fix
Remediate all three by CISA's KEV deadline. Verify Nx Console is 18.100.0+ and TanStack dependencies are clean. Remove or update Daemon Tools Lite. Rotate credentials from the supply-chain incidents.

CISA emergency directive: federal agencies must patch Drupal CVE-2026-9082 by midnight May 27; Imperva sees 15K attacks across 65 countries

CISA has given US federal civilian agencies a midnight Wednesday May 27 deadline to patch CVE-2026-9082, the highly critical Drupal SQL injection added to its Known Exploited Vulnerabilities catalog on Friday. Imperva says it has now observed 15,000+ attack attempts targeting nearly 6,000 individual Drupal sites across 65 countries since disclosure, with gaming and financial services taking almost half. Shadowserver tracks ~670 unpatched Drupal instances still exposed online (272 in North America, 273 in Europe). CISA's directive is mandatory only for FCEB agencies under BOD 22-01, but the agency strongly urges all organizations to patch immediately.

Check
Inventory Drupal sites by branch and version, especially PostgreSQL-backed deployments. FCEB agencies: confirm patch is applied by midnight May 27. Check Imperva and Shadowserver data for any of your IPs.
Affected
All supported Drupal 11.x and 10.x branches before the patched releases (11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, 10.4.10). 6,000 sites already targeted across 65 countries.
Fix
Patch immediately. Apply WAF rules blocking Drupal SQL injection patterns. FCEB agencies must remediate by midnight tonight per BOD 22-01. Prioritize PostgreSQL-backed deployments.

Drupal critical SQL injection CVE-2026-9082 now actively exploited in PostgreSQL sites, added to CISA KEV - patch immediately

Drupal has issued an update to its highly critical PSA-2026-05-18 advisory confirming that exploit attempts for CVE-2026-9082 are now being detected in the wild. The bug is an SQL injection in Drupal's database abstraction API that lets unauthenticated requests trigger arbitrary SQL on sites running PostgreSQL, with possible escalation to RCE, privilege escalation, and information disclosure. Drupal rates it 23 out of 25 internally though NIST's CVSS v3 score is a mismatched 6.5. CISA added it to KEV on May 22. Affected versions cover Drupal 8.9.x and all 10.x and 11.x branches up to 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10.

Check
Inventory Drupal sites, confirm core version, and identify PostgreSQL deployments (highest impact). Search web access logs for unusual database errors or SQL-pattern requests since 2026-05-20.
Affected
Drupal core 8.9.x, 10.4.x before 10.4.10, 10.5.x before 10.5.10, 10.6.x before 10.6.9, and all 11.x before 11.1.10/11.2.12/11.3.10. PostgreSQL backends face RCE; MySQL still needs the upgrade for Symfony/Twig.
Fix
Upgrade to the patched branch immediately. FCEB agencies must remediate by June 12 per CISA KEV. Apply WAF rules blocking suspicious SQL injection patterns until the patch lands.

CISA adds two to KEV: Langflow CVE-2025-34291 (Flodric botnet) and Trend Micro Apex One CVE-2026-34926 (directory traversal)

CISA has added two new entries to its Known Exploited Vulnerabilities catalog. CVE-2025-34291 is an origin-validation/CORS chain in Langflow, a popular open-source AI agent framework, that lets a malicious webpage exfiltrate refresh tokens and reach the code-validation endpoint for full RCE. Active exploitation began on January 23, 2026, and threat actors have been deploying the Flodric botnet through compromised instances. CVE-2026-34926 is a directory-traversal flaw in Trend Micro Apex One (On-Premise) that allows file read or write outside the intended path. FCEB agencies must remediate by June 11 per BOD 22-01; CISA urges all organisations to do the same.

Check
Inventory Langflow deployments and confirm version is 1.9.3 or later (CVE-2025-34291 patched). Inventory Trend Micro Apex One On-Premise deployments and check patch level for CVE-2026-34926.
Affected
Langflow before 1.9.3 (Flodric botnet seen exploiting in the wild). Trend Micro Apex One On-Premise (specific affected versions per Trend's KA-0023430 advisory). Internet-facing instances are at highest risk.
Fix
Upgrade Langflow to 1.9.3+ and Apex One per Trend Micro's KA-0023430. FCEB agencies must remediate by June 11. Restrict the affected admin consoles to management networks behind VPN.

Microsoft Defender zero-days CVE-2026-41091 (SYSTEM LPE) and CVE-2026-45498 (DoS) exploited in attacks, added to CISA KEV

Microsoft has rolled out fixes for two Defender vulnerabilities that have been exploited in zero-day attacks. CVE-2026-41091 is a link-following local privilege escalation in Microsoft Malware Protection Engine 1.1.26030.3008 and earlier that lets attackers gain SYSTEM. CVE-2026-45498 affects Defender Antimalware Platform 4.18.26030.3011 and earlier and triggers denial-of-service. Updates land automatically in Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7. CISA has added both to its KEV catalog and ordered FCEB agencies to patch within two weeks, by June 3. The same KEV update also added five legacy 2008-2010 Internet Explorer, DirectX, Acrobat, and Windows bugs that CISA suggests are seeing fresh exploitation.

Check
Open Windows Security > Virus & threat protection > Protection Updates and click Check for updates. Verify Antimalware Platform >= 4.18.26040.7 and Malware Protection Engine >= 1.1.26040.8.
Affected
Windows endpoints running Microsoft Malware Protection Engine 1.1.26030.3008 and earlier, or Defender Antimalware Platform 4.18.26030.3011 and earlier. Default config auto-updates, but air-gapped or restricted networks may lag.
Fix
Confirm Defender definitions and platform updates auto-install. FCEB agencies must patch by June 3 per CISA BOD 22-01. Investigate any KEV-listed legacy CVE-2008-4250/2009-1537/2009-3459/2010-0249/2010-0806 hits.

Second maximum-severity Cisco Catalyst SD-WAN auth bypass exploited as a zero-day by sophisticated UAT-8616 actor - CISA gives federal agencies until May 17 to patch (CVE-2026-20182)

Cisco disclosed and patched a second perfect-score authentication bypass in its Catalyst SD-WAN Controller and Manager (formerly vSmart and vManage). The bug, CVE-2026-20182 (CVSS 10.0), was found by Rapid7 while investigating the earlier CVE-2026-20127 wave, and lives in the same vdaemon service over DTLS port 12346. An unauthenticated attacker can become a trusted peer of the controller, log in as a privileged internal account, hit the NETCONF interface, and rewrite the entire SD-WAN fabric. Cisco Talos already attributes limited in-the-wild exploitation to UAT-8616, an actor with operational-relay-box ties that has been targeting Cisco SD-WAN since 2023.

Check
Identify on-prem and cloud Cisco Catalyst SD-WAN Controller and Manager instances, compare any successful peer IPs to the configured System IPs under WebUI > Devices > System IP, and open a Cisco TAC case for unknown peers.
Affected
Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-prem and Cisco-managed SD-WAN Cloud deployments. Maximum severity (CVSSv3 10.0).
Fix
Upgrade to the fixed releases listed in Cisco advisory cisco-sa-sdwan-rpa2-v69WY2SW immediately - CISA Emergency Directive 26-03 set the federal deadline at May 17, 2026. Restrict internet exposure of UDP/12346 to trusted peers only.

One unpatched Quest KACE box at a Boston MSP exposed 60+ named client organizations - law enforcement, schools, healthcare, and government on one MariaDB dump (CVE-2025-32975)

Quest KACE has a year-old maximum-severity authentication bypass (CVE-2025-32975, CVSS 10.0). Hunt.io researchers now report that an attacker exploited an unpatched KACE appliance at a Boston-area managed services provider called HIQ - then left their entire toolkit on a publicly accessible server with directory listing turned on. The exfiltrated 512 MB MariaDB dump turned out to contain the full appliance-managed endpoint list for over 60 named client organizations spanning law enforcement, government, healthcare, education, and private companies. None of those 60-plus organizations had any KACE relationship of their own - they were just customers of the MSP that ran it unpatched.

Check
Inventory Quest KACE SMA instances reachable from the public internet, check their version against the May 2025 patched build, and review helpdesk tickets and asset records for sensitive material that would surface in a database dump.
Affected
Quest KACE Systems Management Appliance (SMA) instances at or below the pre-May 2025 patched version. CVSS 10.0 unauthenticated SSO impersonation. CISA KEV-listed since April 2026.
Fix
Apply Quest's May 2025 patched version immediately. Remove KACE SMA from direct internet exposure (place behind VPN or firewall), rotate KACE admin credentials, and audit for unauthorized accounts created via runkbot.exe.

Ivanti EPMM zero-day actively exploited - attackers are getting admin-level RCE on mobile device management servers (CVE-2026-6973)

Ivanti disclosed Wednesday that attackers are exploiting a zero-day in Endpoint Manager Mobile (EPMM) to gain admin-level remote code execution on enterprise MDM servers. CVE-2026-6973. Successful exploitation gives the attacker control over the MDM platform that pushes apps and configurations to managed mobile fleets - a foothold that can pivot into managed devices and the corporate identity layer. CISA added the flaw to its Known Exploited Vulnerabilities catalog the same day with a federal patch deadline next week. Ivanti products have a long history of zero-day exploitation.

Check
Inventory Ivanti EPMM (formerly MobileIron Core) instances and check whether any are internet-reachable. Hunt EPMM admin logs for unusual admin actions, new admin accounts, or unfamiliar OAuth tokens issued since April.
Affected
Ivanti Endpoint Manager Mobile (EPMM) installations on versions before the May 6 patch. Acute risk for internet-reachable EPMM instances. The MDM context means a successful exploit can push tampered apps or profiles to every managed mobile device. Federal agencies under BOD 22-01 must patch by mid-May.
Fix
Upgrade Ivanti EPMM to the patched release per Ivanti's advisory. Restrict EPMM admin access to internal networks or VPN-only paths until patched. Rotate EPMM admin credentials and any API tokens issued for downstream integrations (SCEP, certificate authorities, identity providers). Audit managed mobile devices for unfamiliar configuration profiles or VPN configurations pushed since April.

cPanel ransomware attackers are now hunting government agencies and the IT companies that manage them

Update on the cPanel ransomware wave covered May 3: attackers have shifted focus and are now targeting governments and managed service providers exploiting CVE-2026-41940. Security Affairs reports the operation is no longer just opportunistic mass-encryption of small business websites - the actors are deliberately looking for hosting accounts owned by government agencies and IT firms that manage downstream customers. CISA added the cPanel flaw to its KEV catalog Friday with a federal patch deadline of May 21. With 44,000 cPanel hosts already compromised in the initial wave, the secondary phase targeting MSPs has the potential to multiply impact through customer-tenant relationships - much like the 2023 Kaseya VSA campaign.

Check
Audit /var/cpanel/sessions/raw/ for entries created since February 23, 2026. Search for files with the .sorry extension across hosted sites. Check authentication logs for unusual successful logins between February 23 and April 28.
Affected
Government agencies, MSPs, and hosting companies running unpatched cPanel infrastructure. Particularly acute: MSPs whose cPanel instances host downstream customer accounts - a single compromise spreads to many tenants. Federal agencies under BOD 22-01 must patch by May 21. State and local governments without that mandate face the same active threat without the same enforcement.
Fix
Patch cPanel to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5. Restore from backups predating February 23 rather than just resuming operations. Rotate root, admin, and customer credentials. For MSPs: notify customers proactively before they discover compromise from a ransom note.

CISA adds four more flaws to KEV - SimpleHelp authorization bypass (CVSS 9.9), Samsung MagicINFO, and the D-Link DIR-823X bug already powering fresh Mirai botnets

CISA added four flaws to KEV on April 24 with a May 8 federal deadline. The headline is CVE-2024-57726 (CVSS 9.9), a missing authorization in SimpleHelp RMM that lets a low-privileged technician mint API keys above their role and escalate to server admin; companion CVE-2024-57728 (CVSS 7.2) chains a path traversal for RCE. SimpleHelp featured in DragonForce and Akira ransomware campaigns last year. CVE-2024-7399 (CVSS 8.8) is a Samsung MagicINFO 9 path traversal with a public PoC since 2024. The fourth, CVE-2025-29635, is the D-Link DIR-823X bug we covered last week.

Check
Inventory exposed instances of SimpleHelp, Samsung MagicINFO 9 Server, and any remaining D-Link DIR-823X routers. SimpleHelp is the priority - it sits inside the IT trust boundary.
Affected
SimpleHelp before 5.5.8 against CVE-2024-57726 and CVE-2024-57728 (chained to RCE as the SimpleHelp server user). Samsung MagicINFO 9 Server unpatched against CVE-2024-7399. D-Link DIR-823X firmware 240126 and 24082 against CVE-2025-29635 - the product line is discontinued and no vendor patch exists.
Fix
Upgrade SimpleHelp to 5.5.8+ and rotate every API key issued by every technician account, since unprivileged techs could have minted privileged keys during the vulnerable window. Audit SimpleHelp session logs for anomalies. Patch Samsung MagicINFO and remove its internet exposure. For D-Link DIR-823X, replace the hardware - there is no fix. Treat May 8 as your own deadline.