Cisco Catalyst SD-WAN Controller Authentication Bypass — CVSS 10.0, Actively Exploited by State-Sponsored Threat Actor UAT-8616
CVE-2026-20182 is a maximum-severity (CVSS 10.0) authentication bypass in Cisco Catalyst SD-WAN Controller (vSmart) and Manager (vManage) that allows an unauthenticated remote attacker to gain administrative privileges by exploiting broken peering authentication logic. Successful exploitation gives the attacker NETCONF access and the ability to manipulate SD-WAN fabric configuration across the entire enterprise network. CISA issued Emergency Directive 26-03 requiring federal agencies to remediate by May 17, 2026; Cisco Talos attributes active exploitation to state-sponsored cluster UAT-8616, which has targeted SD-WAN infrastructure since at least 2023.
Fortinet FortiSandbox Critical Unauthenticated Authorization Bypass (CVE-2026-26083)
A critical missing authorization vulnerability (CWE-306) in the FortiSandbox GUI allows an unauthenticated remote attacker to reach restricted functionality and sensitive malware analysis data without any credentials. It is the highest-priority of the five advisories in Fortinet's May 12 PSIRT release and the only one discussed here rated Critical. Because the exposed surface is the sandbox analysis workflow itself, an attacker could read or alter sandbox verdicts and exfiltrate the intelligence that downstream security operations (blocklists, SIEM enrichment, incident triage) depend on, so a FortiSandbox reachable from untrusted networks should be treated as a priority-one patch and its management interface restricted to trusted sources.
Microsoft Exchange Server XSS Zero-Day — CVE-2026-42897, CVSS 8.1, Arbitrary JavaScript Execution via Malicious Email in OWA
CVE-2026-42897 is a high-severity (CVSS 8.1) Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) vulnerability in Microsoft Exchange Server. An attacker sends a specially crafted email to a target user; when the user opens it in Outlook Web Access (OWA), the embedded script executes in the victim's browser within the OWA origin. Because delivery is by email and the trigger is simply reading the message, no other user interaction is required. The flaw was added to the CISA KEV catalog, indicating confirmed exploitation in the wild. Script running in the OWA origin can act on the mailbox with the victim's session, enabling session hijacking, credential theft, and potential lateral movement against any organization running on-premises Exchange.
Microsoft Windows Netlogon Stack-Based Buffer Overflow — CVE-2026-41089, Critical RCE on Domain Controllers
CVE-2026-41089 is a critical stack-based buffer overflow in the Windows Netlogon service that allows an unauthenticated attacker to execute arbitrary code over the network by sending a specially crafted network request to a Windows server acting as a domain controller. As domain controllers sit at the heart of enterprise authentication, successful exploitation could allow complete Active Directory compromise without any user interaction. This vulnerability was addressed as part of the May 2026 Patch Tuesday cycle; no active exploitation was confirmed by Microsoft at time of release.
Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation — Authenticated Admin RCE Zero-Day, Actively Exploited, CISA KEV (CVE-2026-6973)
CVE-2026-6973 is a high-severity (CVSS 7.2) improper input validation vulnerability in on-premises Ivanti EPMM (versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1) that allows a remotely authenticated user with administrative access to achieve remote code execution on the underlying appliance OS. Ivanti and the Belgian Centre for Cyber Security confirmed exploitation against a limited number of customers at the time of disclosure, making it a zero-day. Although the flaw itself requires admin credentials, attackers have chained it with credentials stolen through the January 2026 EPMM zero-days (CVE-2026-1281, CVE-2026-1340): an initial unauthenticated compromise followed by credential reuse for RCE. Remediation should therefore include rotating EPMM administrator credentials, not only applying the fixed build. CISA added CVE-2026-6973 to the KEV catalog on May 7 with a 3-day federal remediation deadline of May 10, 2026. Shadowserver tracked over 800 internet-exposed EPMM instances at time of disclosure.
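As an added example (not Ivanti's, CISA's, or the advisory's own code), the following script checks EPMM version strings from an asset inventory against the fixed builds the summary above lists (12.6.1.1, 12.7.0.1, 12.8.0.1). The fixed builds come from the summary; the per-release-train comparison rule, the decision to flag anything older than the 12.6 train as affected, and the "unknown" verdict for trains newer than 12.8 are assumptions made for this example, as are the sample hostnames and versions.

```python
"""Triage on-prem Ivanti EPMM versions against the CVE-2026-6973 fixed builds.

Added example, not vendor code. Fixed builds are from the advisory summary;
branch handling for trains without a listed fix is an assumption of this script.
"""
from __future__ import annotations

# Fixed builds per release train, keyed by (major, minor). From the summary:
# "versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1" are affected.
FIXED_BUILDS: dict[tuple[int, int], tuple[int, ...]] = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.7' or '12.7.0.0' into a 4-tuple of ints, zero-padded.

    Raises ValueError on anything that is not dotted integers, so a garbled
    inventory field fails loudly instead of silently counting as patched.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 4 - len(nums))


def assess(version: str) -> tuple[str, str]:
    """Return (status, reason); status is 'patched', 'vulnerable' or 'unknown'."""
    v = parse_version(version)
    train = v[:2]
    fixed = FIXED_BUILDS.get(train)
    if fixed is None:
        # Assumption: the summary lists fixes only for the 12.6/12.7/12.8 trains.
        # Anything older than 12.6 is below every listed fix and is flagged;
        # a newer train is not covered by the summary, so report it as unknown.
        if train < (12, 6):
            return "vulnerable", f"{version} predates every listed fixed build"
        return "unknown", f"no fixed build listed for train {train[0]}.{train[1]}"
    fixed_str = ".".join(map(str, fixed))
    if v >= fixed:
        return "patched", f"{version} >= {fixed_str}"
    return "vulnerable", f"{version} < {fixed_str}"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts (hostname -> version string) by assessment status."""
    out: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, ver in inventory.items():
        status, _ = assess(ver)
        out[status].append(host)
    return out


# Constructed sample inventory; hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = {
    "epmm-eu-1": "12.6.1.1",
    "epmm-eu-2": "12.7.0.0",
    "epmm-us-1": "12.8.0.1",
    "epmm-lab": "12.5.0.2",
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        status, reason = assess(ver)
        print(f"{host:12} {ver:10} {status:11} {reason}")
```

A version check only tells you whether the appliance still carries the input-validation bug. Since the observed attack chain reuses administrator credentials stolen earlier, hosts reported as "patched" should still have their EPMM admin credentials rotated and their admin logins reviewed for the period before the fix was applied.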
Palo Alto PAN-OS Captive Portal Buffer Overflow — CVSS 9.3, Unauthenticated RCE with Root Privileges, Actively Exploited by Likely State-Sponsored Actors
CVE-2026-0300 is a critical buffer overflow in the User-ID Authentication Portal (Captive Portal) service of PAN-OS, allowing an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets. Palo Alto Networks confirmed limited in-the-wild exploitation targeting internet-exposed Captive Portal instances. Unit 42 tracks exploitation under cluster CL-STA-1132, a likely state-sponsored group that deployed tunneling tools (EarthWorm, ReverseSocks5) and conducted Active Directory enumeration post-compromise. CISA added it to the KEV catalog on May 6, 2026 with a federal remediation deadline of May 9.