Marcus Reed | CISO Intel

CISO Intel Brief — Sunday, 24-05-2026

By Marcus Reed | 23-05-2026 08:00 IST → 24-05-2026 08:00 IST | Sources cross-referenced


Executive Summary

This weekend’s intelligence paints a stark picture: the software supply chain is under a multi-pronged, sophisticated assault, and AI is rapidly emerging as both a formidable weapon for defenders and a significant new attack surface for adversaries. Critical zero-day exploits in widely deployed infrastructure like LiteSpeed cPanel and Microsoft Defender demand immediate attention, while novel TTPs like Underminr and advanced Git-based supply chain attacks are reshaping the threat landscape. The CISA contractor leak serves as a painful reminder that fundamental security hygiene remains non-negotiable, even as AI discovers decades-old vulnerabilities at an unprecedented pace.


🔴 Critical Threats — Act Now

LiteSpeed User-End cPanel Plugin — Privilege Escalation to Root (CVE-2026-48172)

What happened: A critical privilege escalation vulnerability, tracked as CVE-2026-48172 with a maximum CVSS score of 10.0, has been disclosed in the LiteSpeed User-End cPanel Plugin. This flaw is under active exploitation in the wild, allowing any authenticated cPanel user to execute arbitrary scripts with root privileges on the server. The vulnerability was reported by security researcher David Strydom on May 19, 2026.

Source verification: This incident is widely reported and confirmed across multiple reputable security news outlets, LiteSpeed’s own advisories, and the NVD. There is no conflicting information; all sources align on the severity, active exploitation, and remediation steps. GitHub also lists an advisory for this CVE.

Technical breakdown: The vulnerability stems from an incorrect privilege assignment within the lsws.redisAble function of the LiteSpeed User-End cPanel Plugin. This function, exposed via the plugin, mishandles Redis enable/disable features. An attacker, needing only a valid cPanel user account (even a low-privileged one or a compromised tenant account), can make a specially crafted API call to this function. This allows them to bypass intended privilege boundaries and execute arbitrary commands or scripts with root-level access on the underlying Linux hosting server. This represents a classic privilege escalation (MITRE ATT&CK T1068: Exploitation for Privilege Escalation, under TA0004: Privilege Escalation). The simplicity of exploitation—requiring no race condition or authentication gap beyond a valid cPanel session—makes it particularly dangerous.

Blast radius: The impact is severe, especially for shared hosting environments where a single compromised cPanel account can lead to a full server takeover, affecting potentially hundreds of other tenants. Millions of shared-hosting servers worldwide that utilize the LiteSpeed User-End cPanel plugin for its caching features are at risk. Successful exploitation can lead to complete system compromise, widespread data exfiltration, backdoor installation, and lateral movement. This vulnerability affects LiteSpeed cPanel user-end plugin versions from v2.3 up to, but not including, v2.4.5. While initial reports suggested the LiteSpeed WHM plugin was unaffected, a broader security review led to additional patches for both cPanel and WHM plugins, though these secondary issues are not reported as actively exploited.

Marcus’s verdict:

This is a textbook “drop everything and patch” scenario. A CVSS 10.0, actively exploited zero-day in a widely deployed component like the LiteSpeed cPanel plugin is as bad as it gets for hosting providers and anyone running cPanel. The fact that any authenticated user can get root means your blast radius is effectively your entire customer base if you’re a shared host, or your entire server if you’re dedicated. The vendor’s response, including cPanel’s emergency automated uninstall, underscores the gravity. This isn’t just about patching a bug; it’s about understanding the systemic risk of third-party plugins in critical infrastructure. This is also a brutal reminder that cPanel is a frequent target, with this being the third emergency release in just over three weeks.

What to do:

  1. Immediate Detection: Run the following command on your cPanel servers immediately to check for signs of exploitation:
     grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
     If any output is returned, assume compromise. Investigate the source IP addresses, block suspicious ones, and initiate a full incident response, including reviewing system logs for post-compromise activity, rotating all credentials (including root and SSH keys), and auditing cron jobs and authorized_keys for unauthorized additions.
  2. Patch Immediately: Upgrade your LiteSpeed cPanel plugin to version 2.4.7 or higher. If you’re using the LiteSpeed WHM Plugin, update to version 5.3.1.0, which bundles cPanel plugin v2.4.7.
  3. Temporary Mitigation: If immediate patching is not feasible, uninstall the user-end plugin as a temporary containment measure:
     /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
     Be aware that this will likely impact caching features.
  4. Review Supply Chain: This incident highlights the inherent risk of third-party plugins. Conduct a review of all third-party components in your critical infrastructure, ensuring they are regularly audited and have clear patch management processes.
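To turn the grep in step 1 into something that tells you who called the function and when, here is an added Python example (not from the original brief): it scans access-log lines for the same indicator string, then groups hits by source IP with the cPanel user and first/last timestamp. The sample log lines and the redisAble request path are constructed, the line layout is an assumption about your log format, and the first/last timestamps assume the log is in chronological order.

```python
import re

# Constructed sample log lines (not from a real server). The layout imitates a
# cPanel access log (client IP, user, timestamp, request line, status, size);
# the redisAble request path is an assumption built from the function name.
SAMPLE_LOG = """\
203.0.113.7 - alice [23/05/2026:03:14:08 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble&enable=1 HTTP/1.1" 200 512
198.51.100.22 - bob [23/05/2026:03:15:10 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 20480
203.0.113.7 - alice [23/05/2026:03:15:41 +0000] "POST /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 498
192.0.2.55 - carol [23/05/2026:04:02:19 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=Email&cpanel_jsonapi_func=list_pops HTTP/1.1" 200 1024
"""

# Same string the brief's grep looks for, kept case-sensitive like grep -rE.
IOC_RE = re.compile(r"cpanel_jsonapi_func=redisAble")
# Assumed line layout: IP - user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def scan_lines(lines):
    """Return one dict per line that carries the redisAble indicator."""
    hits = []
    for line in lines:
        if not IOC_RE.search(line):
            continue
        m = LINE_RE.match(line)
        # Keep unparseable lines too: a hit is a hit even if the format differs.
        hits.append(m.groupdict() if m else {"raw": line})
    return hits

def summarize(hits):
    """Group hits by source IP: call count, cPanel users seen, first/last timestamp."""
    summary = {}
    for h in hits:
        ip = h.get("ip", "unparsed")
        entry = summary.setdefault(ip, {"calls": 0, "users": set(), "first": None, "last": None})
        entry["calls"] += 1
        entry["users"].add(h.get("user", "?"))
        ts = h.get("ts")
        if ts:  # assumes chronological log order
            entry["first"] = entry["first"] or ts
            entry["last"] = ts
    return {ip: {**e, "users": sorted(e["users"])} for ip, e in summary.items()}

if __name__ == "__main__":
    for ip, info in summarize(scan_lines(SAMPLE_LOG.splitlines())).items():
        print(f"{ip}: {info['calls']} redisAble call(s) as {info['users']} "
              f"between {info['first']} and {info['last']}")
```

Any IP in the report is a candidate for blocking and for the credential rotation and cron/authorized_keys audit in step 1.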

Microsoft Defender — Two Zero-Days Under Active Exploitation (CVE-2026-41091, CVE-2026-45498)

What happened: Microsoft has disclosed two zero-day vulnerabilities in Microsoft Defender, both of which are being actively exploited in the wild. The first, CVE-2026-41091 (CVSS 7.8), is a privilege escalation flaw in the Microsoft Malware Protection Engine. The second, CVE-2026-45498 (CVSS 4.0), is a denial-of-service (DoS) vulnerability in the Microsoft Antimalware Platform. CISA has added both CVEs to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies patch these by June 3rd.

Source verification: Confirmed by Microsoft’s official security advisories, NVD entries for both CVEs, and CISA’s KEV catalog. Multiple security news outlets also reported on these vulnerabilities. All sources are consistent.

Technical breakdown:

Blast radius: Microsoft Defender is a ubiquitous endpoint protection solution, deployed across millions of Windows endpoints in enterprises, government agencies, and individual machines globally. The privilege escalation vulnerability (CVE-2026-41091) is the more critical of the two, as it can lead to full system compromise. The DoS vulnerability (CVE-2026-45498), while lower CVSS, can create critical security gaps. The inclusion in CISA’s KEV catalog signifies confirmed active exploitation and a high likelihood of significant risk to federal agencies and, by extension, other organizations.

Marcus’s verdict:

Zero-days in your primary endpoint protection are always a gut punch. While Microsoft Defender generally has a strong track record for automatic updates, the fact that these made it to CISA’s KEV catalog means they’re being actively weaponized. The privilege escalation is the real concern here; a DoS on an AV is bad, but a path to SYSTEM on an endpoint is a full compromise. Don’t assume “automatic updates” means you’re safe. Verify. The June 3rd deadline for federal agencies should be a wake-up call for everyone else. If the Feds are scrambling, you should be too.

What to do:

  1. Verify Defender Updates: Ensure your Microsoft Defender Antimalware Platform and Malware Protection Engine are updated to the patched versions.
    • Malware Protection Engine version 1.1.26040.8
    • Antimalware Platform version 4.18.26040.7
     While automatic updates are the default, perform a manual check or push updates via your endpoint management solution to confirm.
  2. Monitor Endpoints: Pay close attention to endpoint detection and response (EDR) alerts, especially for privilege escalation attempts or unusual process activity, even after patching. Attackers exploiting these zero-days may have already gained a foothold.
  3. CISA KEV Compliance: If you are a Federal Civilian Executive Branch agency or a contractor working with one, prioritize patching these CVEs by the June 3rd deadline.

🛡️ CVEs — Full Analysis

CVE-2026-5194 — wolfSSL

Summary: This is a critical vulnerability (CVSS 9.1) in wolfSSL, a lightweight TLS/SSL library, that allows attackers to forge certificates. This enables an adversary to impersonate legitimate services, leading to man-in-the-middle attacks or unauthorized access to systems relying on wolfSSL for secure communication.

CVSS/Details: CVSS 9.1 (Critical). A Proof-of-Concept (PoC) exploit is available. The vulnerability was notably discovered by Anthropic’s Mythos AI. Patch information is expected from wolfSSL.

Marcus take: A certificate forgery flaw in a widely used embedded TLS library is a big deal, especially with a PoC out there. The fact that Anthropic’s AI found it is a testament to AI’s bug-hunting prowess, but also a warning that these types of deep-seated crypto flaws exist in foundational components. Anything using wolfSSL—IoT devices, embedded systems, VPNs, industrial control systems—is potentially vulnerable. This requires a diligent supply chain audit to identify where wolfSSL is used in your environment and ensure updates.

CVE-2026-9299 — omec-project amf v2.1.1 and earlier

Summary: This critical memory corruption vulnerability affects omec-project amf v2.1.1 and earlier, a component within 5G core network infrastructure. It allows for remote exploitation, leading to arbitrary code execution or denial of service.

CVSS/Details: CVSS score is not explicitly stated in the provided briefing, but described as “Critical memory corruption.” A public exploit is available.

Marcus take: Any RCE in 5G core network infrastructure is a five-alarm fire. The omec-project’s AMF (Access and Mobility Management Function) is a critical control plane component. Memory corruption leading to RCE means an attacker could gain deep control over network operations, impacting availability, integrity, and confidentiality across a 5G network. The public exploit makes this an immediate threat for telecommunication providers and enterprises deploying private 5G networks. Patching is paramount.

CVE-2026-5950 — BIND 9 Recursive Resolver

Summary: This medium-severity vulnerability affects BIND 9 Recursive Resolver, allowing it to be tricked into unbounded resend loops. This can lead to resource exhaustion and availability issues, effectively causing a denial of service.

CVSS/Details: CVSS score is not explicitly stated in the briefing but described as “Medium.” Fixed in releases 9.18.49, 9.20.23, and 9.21.22. No public PoC is available.

Marcus take: While a “medium” CVSS might make some yawn, a remotely reachable, unauthenticated denial of service against a DNS resolver is still a significant availability risk. DNS is the backbone of pretty much everything. An attacker doesn’t need to compromise data to cause massive disruption; taking down DNS is often enough. Patching BIND is always a priority, even for “medium” issues, because the blast radius of a DNS outage is global for your services.

Ubiquiti UniFi OS — Path Traversal leading to RCE

Summary: A path traversal vulnerability in Ubiquiti UniFi OS exposes internal routes without authentication. When chained with other flaws, this can lead to pre-authentication Remote Code Execution (RCE) on UniFi Dream Machine (UDM), UniFi Network Video Recorder (UNVR), and other UniFi devices.

CVSS/Details: Described as “High (when chained).” Specific CVE IDs are not detailed in the briefing, but the vulnerability is confirmed. Firmware updates are required.

Marcus take: UniFi devices are incredibly popular, both in SMBs and home offices. A pre-authentication RCE, even if chained, is a critical threat. These devices are often internet-facing, making them prime targets. Path traversal is a classic flaw, and its combination with other vulnerabilities to achieve RCE highlights the importance of defense-in-depth. If you’re running UniFi, firmware updates are not optional; they are essential to prevent your network edge from becoming an attacker’s entry point.


⚡ TTPs & Attack Research — Deep Dives

Underminr Vulnerability: A New Evolution of Domain Fronting

The “Underminr” vulnerability represents a nasty evolution of domain fronting, weaponizing the shared nature of Content Delivery Network (CDN) infrastructure to bypass traditional DNS filtering and mask C2 traffic. This isn’t just a theoretical concept; it impacts an estimated 88 million domains globally.

How it works:

  1. Traditional Domain Fronting: Attackers hide malicious traffic behind legitimate, high-reputation domains (e.g., Google, Amazon) by manipulating the Host header in HTTP requests. The initial DNS request resolves to the legitimate CDN, but the HTTP request specifies the attacker’s true C2 domain. The CDN routes the traffic based on the Host header, effectively “fronting” the malicious connection.
  2. Underminr’s Innovation: Underminr takes this a step further by abusing how CDNs handle domain mapping and certificate validation. Instead of just relying on the Host header, Underminr exploits misconfigurations or inherent design choices in shared CDN environments. It leverages the fact that many CDNs serve multiple customer domains through the same IP addresses and often use wildcard certificates or certificates covering numerous domains. An attacker can craft requests that appear to be destined for a legitimate domain hosted on the CDN, but subtly redirect the traffic to their C2 server, which is also hosted on the same CDN infrastructure or a closely related one. This is achieved by manipulating various HTTP headers, request paths, or even specific CDN-provider-specific routing mechanisms.
  3. Bypassing Defenses: Because the initial DNS resolution and TLS handshake are with a legitimate, trusted CDN IP and certificate, traditional DNS filtering, IP blacklisting, and even some TLS inspection solutions are often bypassed. The malicious traffic is effectively “hidden in plain sight” among the legitimate traffic flowing through the CDN.

Attack Chain:

Detection Opportunities:

