🛡️ CISO Intel — Monday, 25-05-2026

By Marcus Reed | 24-05-2026 08:00 IST → 25-05-2026 08:00 IST | Sources cross-referenced

Executive Summary

This Monday’s intelligence brief is a stark reminder that the fundamentals still kill us, but AI is accelerating everything. We’re seeing a critical convergence of known exploitation techniques targeting widely deployed software like Microsoft Defender and Drupal, alongside sophisticated supply chain attacks on developer ecosystems. The overarching theme is a relentless focus on initial access and privilege escalation, often leveraging compromised identities or vulnerable web applications. CISOs must prioritize immediate patching of actively exploited flaws, secure their software supply chains, and critically re-evaluate identity and access management strategies, especially as AI tools become new targets and vectors.

🔴 Critical Threats — Act Now

Microsoft Defender Zero-Days: Privilege Escalation and DoS

What happened: CISA has added two Microsoft Defender vulnerabilities, CVE-2026-41091 (CVSS 7.8) and CVE-2026-45498 (CVSS 4.0), to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2026-41091 is a privilege escalation flaw that allows a local attacker to achieve SYSTEM-level privileges by exploiting a link-following vulnerability. CVE-2026-45498 is a denial-of-service (DoS) vulnerability. Both are confirmed to be under active exploitation in the wild, indicating a serious and immediate threat to Windows endpoints running Defender.

Source verification: Confirmed by CISA KEV, Microsoft Security Response Center (MSRC) advisories, and multiple security news outlets (e.g., BleepingComputer, The Hacker News). The specific threat actor group “Chaotic Eclipse” (also known as “Nightmare-Eclipse”) has been linked to the discovery and exploitation of these zero-days, along with another Defender flaw, CVE-2026-33825 (BlueHammer).

Technical breakdown: CVE-2026-41091 is described as a privilege escalation vulnerability. While full technical details are often withheld for actively exploited flaws, the “link-following” description suggests an attacker might trick Defender into performing privileged operations on an attacker-controlled file or directory. This could involve symbolic links or junction points, a common technique for local privilege escalation on Windows. An attacker with low-level access could craft a malicious file or path that, when scanned or processed by Defender, leads to its privileged process operating on an arbitrary file with SYSTEM permissions. This could allow for arbitrary file writes, DLL hijacking, or other methods to achieve SYSTEM. CVE-2026-45498 is a DoS vulnerability. This could manifest as Defender crashing, becoming unresponsive, or consuming excessive resources, potentially impacting system stability or leaving the system unprotected for a period. MITRE ATT&CK mapping for CVE-2026-41091 would primarily fall under TA0004: Privilege Escalation, specifically T1068: Exploitation for Privilege Escalation or potentially T1548: Abuse Elevation Control Mechanism.

Blast radius: All Windows endpoints running Microsoft Defender are potentially affected if they have not applied the latest updates. Given Defender’s ubiquitous deployment across enterprise and consumer Windows environments, the potential blast radius is enormous. This impacts both on-premise and cloud-managed Windows virtual machines and workstations.

Marcus’s verdict:

This is a classic “patch now or pay later” scenario. Microsoft Defender is a cornerstone of endpoint security for millions, and active exploitation of privilege escalation flaws means attackers are already inside networks, looking to move laterally and solidify their foothold. The CVSS 7.8 for privilege escalation is significant because it grants SYSTEM, effectively handing over the keys to the kingdom once initial access is gained. The DoS is less critical but still an availability concern. Don’t wait for your regular patch cycle; push these updates immediately. This isn’t just about the vulnerability; it’s about the threat actors (“Chaotic Eclipse”) who are clearly targeting Defender.

What to do:

1. Immediate Patching: Update Microsoft Defender Antimalware Platform to versions 1.1.26040.8 or 4.18.26040.7 or later. Prioritize all Windows endpoints.
2. Verify Patch Application: Use your endpoint management tools (SCCM, Intune, etc.) to confirm successful deployment across your fleet.
3. Endpoint Monitoring: Enhance monitoring for unusual activity originating from Defender processes or SYSTEM accounts, especially post-patching, to detect any lingering compromise attempts or post-exploitation activity.

LiteSpeed User-End cPanel Plugin — Root Privilege Escalation

What happened: A critical privilege escalation vulnerability, CVE-2026-48172 (CVSS 10.0), has been discovered and is actively exploited in the LiteSpeed User-End cPanel Plugin. This flaw allows attackers to execute arbitrary scripts as the root user, granting complete control over the affected server. The vulnerability impacts plugin versions 2.3 through 2.4.4.

Source verification: Confirmed by LiteSpeed Technologies advisory, cPanel security announcements, and multiple security news outlets. Active exploitation is widely reported.

Technical breakdown: While specific technical details of the exploit are often kept under wraps when actively exploited, a CVSS 10.0 for privilege escalation typically indicates an unauthenticated or easily exploitable path to root. In a cPanel plugin context, this often involves:

• Insecure file handling: The plugin might process user-supplied input in a way that allows for directory traversal or arbitrary file writes to sensitive locations.
• Command injection: Improper sanitization of user input passed to shell commands, allowing an attacker to inject arbitrary commands that are then executed with the plugin’s (often elevated) privileges.
• Deserialization vulnerabilities: If the plugin processes serialized data, a malicious payload could lead to arbitrary code execution. Given the “arbitrary scripts as root” description, command injection or an arbitrary file write leading to a webshell or cron job installation are highly probable attack vectors. MITRE ATT&CK mapping: TA0004: Privilege Escalation, specifically T1068: Exploitation for Privilege Escalation and potentially TA0002: Execution via T1059: Command and Scripting Interpreter.

Blast radius: Any server running cPanel with the LiteSpeed User-End cPanel Plugin in versions 2.3 to 2.4.4 is at extreme risk. This includes a vast number of shared hosting providers and individual web servers globally.

Marcus’s verdict:

A CVSS 10.0 with active exploitation is the kind of alert that should have CISOs pulling people out of bed. Full root access means total compromise. If you’re running this plugin, consider your server compromised until proven otherwise. This is not a “patch next week” situation; this is an “emergency maintenance window right now” situation. The impact on web hosting environments, where multiple tenants might share a server, is catastrophic.

What to do:

1. Immediate Patching: Update the LiteSpeed User-End cPanel Plugin to the latest secure version (2.4.5 or higher) immediately.
2. Compromise Assessment: After patching, conduct a thorough compromise assessment on all affected servers. Look for:
   • Unusual processes running as root.
   • New or modified files in web roots or system directories.
   • New users or SSH keys.
   • Outbound connections to suspicious IPs.
   • Webshells or backdoors.
3. Credential Rotation: Rotate all administrative credentials, API keys, and database passwords associated with the compromised servers.

Drupal Core SQL Injection

What happened: A SQL injection vulnerability, CVE-2026-9082 (CVSS 6.5), affecting all supported versions of Drupal Core, has been added to CISA’s KEV catalog due to active exploitation. This web application flaw could allow attackers to extract sensitive information from the database or manipulate data.

Source verification: Confirmed by CISA KEV, Drupal Security Advisories, and reputable security news outlets.

Technical breakdown: SQL injection vulnerabilities (T1190: Exploit Public-Facing Application leading to T1505: Server Software Component or T1567: Exfiltration Over Web Service) occur when an application constructs SQL queries using unsanitized user-supplied input. An attacker can inject malicious SQL code into input fields (like search boxes, login forms, or URL parameters) that is then executed by the database. Depending on the database permissions, this can lead to:

• Information disclosure: Reading arbitrary data from the database (e.g., user credentials, sensitive business data).
• Data manipulation: Modifying or deleting data.
• Authentication bypass: Logging in as an administrator without credentials.
• Remote Code Execution (RCE): In some cases, if the database user has sufficient privileges and specific database functions are enabled, SQL injection can lead to RCE. Given the CVSS 6.5, this is likely a high-impact information disclosure or data manipulation, potentially leading to administrative access.

Blast radius: All websites running any supported version of Drupal Core are at risk if not patched. This includes a significant portion of government, enterprise, and educational websites globally.

Marcus’s verdict:

SQL injection is a classic web application nightmare, and seeing it in Drupal Core, actively exploited, is a serious concern. While the CVSS 6.5 might not scream “critical,” the impact of a successful SQLi on a content management system can be devastating – full database compromise, defacement, or even complete takeover. If your Drupal site handles any sensitive data, this is an immediate priority.

What to do:

1. Immediate Patching: Apply the security updates released by Drupal for CVE-2026-9082 to all supported Drupal Core installations.
2. Web Application Firewall (WAF): Ensure your WAF rules are updated and configured to detect and block SQL injection attempts. While not a substitute for patching, a WAF can provide an additional layer of defense.
3. Database Monitoring: Monitor database logs for unusual queries, especially those containing common SQL injection keywords or patterns.
4. Code Review: For custom Drupal modules, conduct a security review to ensure proper input sanitization and parameterized queries are used.

Google Chrome / Chromium-based Browsers — Zero-Day RCE

What happened: A zero-day use-after-free (UAF) vulnerability, CVE-2026-5281, in Google Dawn (a cross-platform graphics API) is being actively exploited. This flaw allows for remote code execution (RCE) and affects Google Chrome and other Chromium-based browsers.

Source verification: Confirmed by Google Chrome Releases blog, CISA advisory, and multiple security news outlets.

Technical breakdown: A use-after-free (UAF) vulnerability occurs when a program attempts to use memory after it has been freed, leading to unpredictable behavior, crashes, or, critically, arbitrary code execution. In the context of a browser’s graphics API like Dawn, an attacker could craft a malicious webpage or web application that, when rendered, triggers this UAF condition. This could allow the attacker to:

• Execute arbitrary code: Gain control over the browser process, potentially allowing them to install malware, steal data, or further compromise the user’s system.
• Bypass sandbox: Depending on the severity and specific exploit chain, it might be possible to escape the browser’s sandbox, leading to full system compromise. MITRE ATT&CK mapping: TA0001: Initial Access via T1189: Drive-by Compromise or T1204: User Execution (if social engineering is involved), leading to TA0002: Execution via T1059: Command and Scripting Interpreter or T1203: Exploitation for Client Execution.

Blast radius: All users of Google Chrome and other Chromium-based browsers (e.g., Microsoft Edge, Brave, Opera) are at risk if they have not updated to the patched versions. This affects a vast majority of internet users globally.

Marcus’s verdict:

A browser zero-day leading to RCE is as bad as it gets for end-user security. Browsers are the primary interface to the internet, and a compromise here means direct access to user data, credentials, and potentially the entire endpoint. “Actively exploited” means the bad guys are already using it. This is not just for your employees; it’s for everyone in your organization who uses a browser.

What to do:

1. Immediate Browser Update: Update Google Chrome and all other Chromium-based browsers to the latest available version immediately. Enable automatic updates where possible.
2. User Awareness: Remind users about the importance of keeping their browsers updated and to be cautious of suspicious links or websites, although this zero-day could be triggered by merely visiting a malicious site.
3. Endpoint Security: Ensure endpoint detection and response (EDR) solutions are up-to-date and configured to detect post-exploitation activity.

Laravel-Lang Packages — Software Supply Chain Attack

What happened: A sophisticated software supply chain attack targeted multiple laravel-lang PHP packages: laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. Attackers compromised the GitHub repositories, rewriting over 700 version tags to point to malicious commits. These malicious versions deliver a cross-platform credential stealer.

Source verification: Confirmed by official Laravel-Lang team announcements, GitHub security advisories, and extensive reporting by security researchers and news outlets.

Technical breakdown: This attack is a prime example of T1195: Supply Chain Compromise, specifically T1195.002: Compromise Software Dependencies and Development Tools. By rewriting Git tags, attackers effectively poisoned historical versions of the packages. When developers or CI/CD pipelines pulled these specific (now malicious) tagged versions, they unknowingly integrated the credential stealer. The stealer itself is described as “cross-platform,” implying it could target various operating systems where PHP projects are developed or deployed. This could involve:

• Environment variable exfiltration: Stealing cloud API keys, database credentials, or other secrets stored as environment variables.
• SSH key theft: Compromising developer workstations or deployment servers.
• GitHub token exfiltration: Gaining access to further GitHub repositories. The subtlety of rewriting historical tags is particularly insidious, as it bypasses checks that only look for new malicious releases.

Blast radius: Any organization or individual developer using affected laravel-lang packages, especially if their build processes rely on specific Git tags for versioning, is at high risk. Given the popularity of Laravel, this could be a widespread compromise across many web applications and development environments.

Marcus’s verdict:

This is a nightmare scenario for DevSecOps. Rewriting Git tags to inject malware into historical versions is a highly sophisticated and stealthy supply chain attack. It bypasses typical “new release” monitoring and makes forensics incredibly difficult. If you use these packages, you must assume compromise and act aggressively. This highlights the critical need for robust source code integrity checks and software bill of materials (SBOM) validation.

What to do: 11. Assume Compromise: If you have used any of the affected laravel-lang packages (versions 2.3 to 2.4.4 for LiteSpeed, or any affected laravel-lang package with rewritten tags), assume your development environments and potentially production systems are compromised. 12. Identify Affected Systems: Scan your codebase and CI/CD pipelines to identify if and when these specific malicious package versions were pulled and deployed. 13. Credential Rotation: Immediately rotate all associated cloud keys (AWS, Azure, GCP), GitHub tokens, database credentials, SSH keys, and any other secrets that could have been exposed from development machines or deployment pipelines. 14. Rebuild from Clean Source: Rebuild your applications from known good, verified source code, ensuring all dependencies are fetched from trusted sources and their integrity is validated (e.g., via checksums). 15. Implement Supply Chain Security Controls: * Pin Dependencies: Use exact version pinning for all dependencies. * Source Code Integrity: Implement checks (e.g., Git commit signing, SBOM generation and validation) to detect unauthorized changes to dependencies. * 2FA for Maintainers: Require 2FA for all repository maintainers and package publishers. * Dependency Scanning: Use automated tools to scan for known vulnerable or malicious dependencies.

F5 BIG-IP Exploited for SSH Access

What happened: Threat actors are actively exploiting internet-facing F5 BIG-IP edge appliances to gain initial access for widespread, identity-focused attacks into Linux networks. The specific vulnerability or method of exploitation has not been publicly detailed, but the outcome is SSH access.

Source verification: Confirmed by F5 security advisories and multiple threat intelligence reports from reputable security firms.

Technical breakdown: F5 BIG-IP devices are widely deployed as load balancers, web application firewalls (WAFs), and access management solutions (e.g., APM). Gaining SSH access to these devices is a critical breach. This could stem from:

• Exploitation of a known but unpatched vulnerability: F5 has a history of critical vulnerabilities (e.g., CVE-2020-5902, `CVE