Exploited Flaws Added to CISA KEV: Drupal SQL Injection; cPanel Plugin Privilege Escalation; Apex One Path Traversal

For five years, the SANS.edu college has curated a research journal featuring our graduate students' best research papers. This last volume, no surprise, features a large AI section. As in prior years, the research papers present cutting-edge, applicable research. All of our students are cybersecurity practitioners, and the research topics reflect their hands-on "real world" approach.

A critical vulnerability in the Drupal content management system is being exploited in the wild, and the US Cybersecurity and Infrastructure Security Agency has added the flaw to its Known Exploited Vulnerabilities catalog (CISA KEV). CVE-2026-9082, CVSS score 9.8, allows an anonymous attacker to perform arbitrary SQL injection by sending specially crafted requests, due to improper neutralization of special elements in the Drupal core database extraction API. This flaw only affects sites using PostgreSQL. The flaw was disclosed along with patches on May 20; Drupal updated the advisory on May 22 to announce evidence of exploit attempts, and CISA issued a remediation deadline of May 27 for Federal Civilian Executive Branch (FCEB) agencies. Imperva Security has observed more than 15,000 exploitation attempts, primarily targeting US sites in gaming, financial services, computing and IT, and business sectors. Drupal urges users to upgrade to the latest supported software version indicated in the advisory, but has also backported patches for unsupported end-of-life versions due to the severity of the issue.

On May 19, 2026, LiteSpeed issued a security update for a critical flaw in the user-end cPanel plugin between v2.3 and v2.4.4, known at the time of disclosure to have already been actively exploited as a zero-day. CVE-2026-48172, CVSS score 9.8, allows any cPanel user to escalate privileges to root by exploiting mishandling of features in the lsws[.]redisAble function. Users should remediate by upgrading to the latest version of the cPanel plugin, which at the time of this writing is v2.4.7; this is packaged with LiteSpeed WHM plugin v5.3.1.0, though the WHM plugin is unaffected by this flaw. Users can uninstall the user-end cPanel plugin if upgrading is not possible yet. LiteSpeed also recommends users run a console command provided in the advisory to check if their server has been affected, then block any unauthorized IPs returned and examine the system logs for actions taken by those IPs. The US Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its Known Exploited Vulnerabilities (KEV) catalog on May 26, with a remediation deadline of May 29 for Federal Civilian Executive Branch (FCEB) agencies.

Trend Micro has issued a security bulletin addressing eight vulnerabilities in its Apex One enterprise endpoint security software for Windows, one of which has already been exploited in the wild. The exploited flaw, CVE-2026-34926, carries the lowest CVSS score in the bulletin at 6.7, and allows a local, pre-authenticated attacker to inject and deploy malicious code to agents by modifying a key table on the server, due to a directory traversal vulnerability. This only affects the on-premises version of Apex One, and exploitation requires that "a potential attacker must have access to the Apex One Server and [have] already obtained administrative credentials to the server via some other method." Users should upgrade to Apex One on-premises SP1 CP Build 18012 (for existing SP1 users) or SP1 Build 17079 (for new installs), with at least agent build 14.0.0.17079, or Apex One SaaS Security Agent build 14.0.20731. This flaw was added to the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog (CISA KEV) on May 21, with a remediation deadline of June 4 for Federal Civilian Executive Branch (FCEB) agencies.

Ubiquiti has published a security advisory addressing five vulnerabilities in UniFi OS, including three that are maximum-severity, one critical-severity, and one high-severity. The flaws carrying CVSS score 10.0 are exploitable by an attacker with network access: CVE-2026-34908 allows unauthorized system changes due to improper access control; CVE-2026-34909 allows access to an underlying account and files on the underlying system due to path traversal; and CVE-2026-34910 allows command injection due to improper input validation. CVE-2026-33000, CVSS score 9.1, is also an improper input validation flaw allowing command injection, but is only exploitable by an attacker with high privileges. CVE-2026-34911, CVSS score 7.7, allows an attacker with low privileges to obtain sensitive information by accessing and manipulating files on the underlying system, due to a path traversal vulnerability. The CVE Numbering Authority (CNA) for all five flaws is HackerOne, indicating that they were reported through a bug bounty program. Users of Ubiquiti products running UniFi OS should check the security advisory bulletin to update software to the most current fixed versions.

The US Federal Bureau of Investigation has issued a FLASH advisory warning of ongoing social engineering attacks targeting law firms, in which threat actors have been stealing data by posing as IT support staff, both via remote access tools and by appearing in person. The FBI states that the threat actor (called "Silent Ransom Group," or SRG) has been stealing data and extorting organizations since 2022, and relies on rapid threats to sell or leak data after the theft, rather than using ransomware. In attacks observed in 2026, SRG began by contacting targets via email or directly by phone, impersonating IT staff and coercing employees into granting access to company systems through legitimate remote access software. If this tactic failed, a threat actor posing as IT support would arrive in person, insert a storage device into the target's computer, and claim that in order to mitigate impact from a phishing email, "they need to image the device or create a backup file." The threat actor then escalates privileges and immediately exfiltrates data without encryption, using WinSCP, Rclone, Google Drive, or OneDrive, or exfiltrating directly onto the in-person attacker's USB storage. Ransom demands follow via email with threats to leak or sell the stolen data, as well as phone calls to the target's clients and employees to pressure the company into negotiating. The FBI advisory notes that many components of these attacks exploit legitimate tools that will not be flagged by detection software, and recommends that organizations take defensive steps: verify all visitor credentials including physical ID cards, limit remote access to sensitive data, develop and communicate policies for how IT support communicates and authenticates with employees, train staff against phishing, maintain regular backups, require phishing-resistant MFA, and if possible, block port 22 and disable remote access and external drive installation permissions on company computers with access to sensitive data. The FBI is seeking any specific information from victims of SRG attacks that may be legally shared.

The US Federal Bureau of Investigation has issued a Public Service Announcement warning of Kali365, an emerging phishing-as-a-service platform. According to the alert, "Through the Kali365 platform subscription, cyber threat actors can capture 'OAuth' tokens and gain persistent access to targeted individuals/entities' Microsoft 365 environments." The attackers lure targets with a phishing email that appears to come from trusted cloud productivity and document-sharing services. The email includes a device code, which targets are instructed to enter on a legitimate Microsoft verification page. Once the provided code is entered, the attackers are able to capture OAuth access and refresh tokens, giving them access to the target's Microsoft 365 accounts. The FBI advises users to "Restrict... device code flow to limit or block device authentication codes can help prevent or limit this style of attack." Kali365 is often spread via Telegram, and was first detected in April 2026. Researchers at Arctic Wolf published an analysis of the campaign in late April; they found that Kali365 also has adversary-in-the-middle attack capabilities.

Canadian authorities arrested Jacob Butler in Ottawa, Canada earlier this week in response to an extradition warrant filed by the US Department of Justice. Butler allegedly operated the KimWolf botnet, which has been used to conduct distributed denial-of-service (DDoS) attacks "which were measured at nearly 30 Terabits per second, a record in recorded DDoS attack volume," according to prosecutors. The botnet's services were sold in a cybercrime as a service model. Law enforcement authorities in Canada, Germany, and the US disrupted the botnet's infrastructure in March 2026 as part of a larger operation. Other botnets disrupted in that operation include Aisuru, JackSkid and Mossad. KimWolf used compromised IoT devices, including digital photo frames, TV streaming boxes, and webcams. Cybersecurity journalist Brian Krebs identified Butler as the botnet's likely operator in February 2026; at that time, Butler denied the allegation. According to court documents, Butler's IP address, account information, transactions, online messages, and other evidence point to Butler as KimWolf's administrator. He has been charged with one count of aiding and abetting computer intrusion, and could face up to 10 years in prison if he is convicted.

The CrowdStrike Counter Adversary Operations team, in collaboration with Google and the Shadowserver Foundation, disrupted the Glasswork botnet, taking down all four of the botnet's command-and-control (C2) channels simultaneously. The Glassworm infrastructure was built for resilience, relying on C2 server addresses hidden in the memo fields of Solana blockchain transactions, the BitTorrent Distributed Hash Table (DHT), Google Calendar event titles as dead-drop locations, and direct server connections. In its report, CrowdStrike writes, "Since at least early 2025, Glassworm operators have systematically targeted software developers, a population with access to source code repositories, cloud platforms, CI/CD pipelines, and package registries." The Glasswork operators took advantage of the situation with "trojanized VSCode extensions ... published to the OpenVSX marketplace, disguised as popular tools like time trackers and code formatters; compromised npm and Python packages [that] introduced malicious code through postinstall hooks and setup scripts;" and poisoning more than 300 GitHub repositories with the help of stolen credentials. Glassworm has been operational since early 2025.

Dutch Authorities carried out arrests and seizures in two separate cybersecurity cases at the end of this month. On *May 18, 2026*, the Netherlands Fiscal Information and Investigation Service (FIOD) arrested two men on suspicion of making economic resources available to entities sanctioned by the EU, specifically by acting as a cover for a Russian web hosting company sanctioned since May 2025. 57-year-old Youssef Zinad, arrested in Amsterdam, owns the Dutch company alleged to have assumed control of the sanctioned technical infrastructure, and 39-year-old Andrey Nesterenko, arrested in The Hague, owns another Dutch company that handles the operation's internet connectivity. Brian Krebs reports that the original sanctioned entity, "Stark Industries," was used "to carry out cyberattacks, influence operations and disinformation campaigns inside the European Union" starting shortly before Russia's invasion of Ukraine. FIOD searched three businesses and two data centers, seizing laptops, phones, and more than 800 servers. Unrelatedly, on *May 26, 2026*, Dutch National Police in Buren arrested a 35-year-old man suspected of multiple instances of unauthorized access to the computer systems of professional Amsterdam football club AFC Ajax. When Ajax disclosed the breach in March, RTL news reported that a now-patched security flaw gave the attacker access to over 300,000 fans' private data and control over more than 42,000 season tickets and 500 stadium bans, as well as the ability to view the personal details and incident information of banned fans.

The personal data of thousands of people who applied for UK immigration visas through a website called UK Visa Portal has been exposed through a misconfigured Amazon bucket. The website is not affiliated with the UK government. The compromised information includes passport data and photographs; in all, more than 100,000 documents were exposed. The website has addressed the issue that allowed others to view the uploaded photos and passport scans. The company has not stated publicly whether they plan to notify the people whose data were exposed, nor whether they plan to notify US and EU regulators, as required by law. TechCrunch has asked a partner in a US law firm who claims to represent UK Visa Portal "how long the Amazon-hosted bucket was exposed, the reason it was exposed, ... if the company had any logs to determine if anyone accessed or downloaded the exposed data, ... [and] who at UK Visa Portal is responsible for cybersecurity." At the time of writing, TechCrunch had not received a reply. Visa applicants are advised to apply through the UK government website.