WEEKLY TOP TEN: June 1, 2026, 16:00 GMT
- Palo Alto GlobalProtect VPN Auth Bypass Flaw Now Exploited in Attacks
Palo Alto Networks is warning that hackers are actively exploiting a PAN-OS GlobalProtect authentication bypass flaw (CVE-2026-0257) in attacks against corporate networks. The attacks began on May 18 using forged authentication override cookies targeting local administrator accounts. A second wave followed on May 21. The flaw, which requires devices to have authentication override cookies enabled, was added to the CISA Known Exploited Vulnerabilities catalog on May 29. Organizations running Palo Alto GlobalProtect should apply patches and audit VPN logs immediately.

- Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment
A new report on the KnowledgeDeliver zero-day (CVE-2026-5426) provides additional enterprise risk context, noting that the learning management system built by Digital Knowledge is widely used across Japanese corporate and educational sectors. The hardcoded machineKey values in the standardized web.config file enabled ViewState deserialization attacks yielding remote code execution. After gaining initial access, attackers modified an application JavaScript file to trick users into installing a malicious browser plugin. All KnowledgeDeliver deployments prior to February 24, 2026 are considered potentially at risk, and organizations are urged to audit their deployments and investigate for indicators of compromise, including suspicious plugin installation prompts.

- Over 40,000 Servers Compromised in Ongoing cPanel Exploitation
More than 40,000 cPanel and WebHost Manager (WHM) servers were compromised as attackers aggressively exploited CVE-2026-41940, a critical authentication bypass zero-day that grants unauthenticated attackers full administrative access to the affected hosting platform. Shadowserver’s scans revealed accelerating attack activity persisting well after cPanel released patches on April 28, 2026. The flaw enables attackers to take over all websites, databases, and configurations hosted on a compromised cPanel server, and the platform’s use across hosting infrastructure for banks, healthcare organizations, and millions of websites makes the scale of exploitation especially significant. Affected versions span multiple cPanel/WHM releases, with fixes published across all supported branches.

- FBI Warns of Silent Ransom Group Targeting Law Firms
The FBI issued a formal warning that Silent Ransom Group, also tracked as Luna Moth, had intensified targeted attacks against law firms across the United States. The group employs callback phishing and social engineering techniques to gain access to sensitive legal records, client data, and privileged communications, then threatens to publish the stolen material unless a ransom is paid. Law firms are considered high-value targets due to the sensitive nature of the information they hold, including merger and acquisition strategy, litigation files, and protected client data. The FBI advised law firms to strengthen email security controls, enforce multi-factor authentication across all users, and train staff on recognizing callback phishing lures.

- Actively Exploited Trend Micro Apex One Flaw Gets CISA Warning
Help Net Security’s May 26 coverage confirmed CISA’s addition of CVE-2026-34926 to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of June 4, 2026. The relative directory path traversal flaw in Trend Micro’s Apex One platform was detected during active exploitation by TrendAI’s own incident response team. Apex One is a core endpoint security platform used by organizations to defend laptops, desktops, and servers against malware, ransomware, and fileless attacks, making the zero-day especially impactful for enterprises relying on it as a primary security layer. Organizations running the on-premises version of Apex One were urged to apply the available patch without delay.

- Charter Communications Data Breach Could Impact Nearly 5 Million
The ShinyHunters extortion group published data allegedly stolen from Charter Communications, the telecom giant operating under the Spectrum brand. The group claimed it gained access through a vishing attack that compromised an employee’s Microsoft Entra account, then pivoted to the company’s Salesforce environment and exported over 42 million customer records. Charter confirmed the incident but disputed that sensitive personal information or customer proprietary network information was exfiltrated. The data was published after Charter reportedly refused to meet the group’s ransom deadline of May 27, 2026.

- FortiClient EMS Flaw CVE-2026-35616 Actively Exploited in Malware Attacks
Microsoft began rolling out patches for two Microsoft Defender zero-day vulnerabilities, UnDefend and RedSun, that were already being actively exploited in the wild. UnDefend allows attackers with standard user permissions to block Defender definition updates, effectively disabling antivirus protection. RedSun is a local privilege escalation flaw that Microsoft silently patched without initially assigning a CVE identifier. Both vulnerabilities were publicly disclosed by disgruntled researcher Chaotic Eclipse (also known as Nightmare Eclipse) in protest of Microsoft’s vulnerability disclosure process. All three previous disclosures from the same researcher (BlueHammer, YellowKey, and GreenPlasma) were also exploited in attacks.

- CISA Orders Feds to Patch Actively Exploited Drupal Vulnerability
CISA added CVE-2026-9082, a critical SQL injection vulnerability in Drupal Core’s database abstraction API, to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by May 27, 2026. Cybersecurity firm Imperva reported over 15,000 exploitation attempts targeting nearly 6,000 Drupal sites across 65 countries, with gaming and financial services organizations as the primary targets. Shadowserver tracked nearly 670 unpatched Drupal installations still exposed online. Discovered by a Google/Mandiant researcher, the flaw can enable privilege escalation and remote code execution through specially crafted requests sent to PostgreSQL-backed Drupal deployments.

- Ghost CMS SQL Injection Flaw Exploited in Large-Scale ClickFix Campaign
A critical SQL injection vulnerability in the Ghost CMS content management system, tracked as CVE-2026-26980 (CVSS 9.4), was exploited in an active large-scale campaign that compromised over 700 websites, including those belonging to Harvard University, Oxford University, Auburn University, and DuckDuckGo. The compromised sites were used to push malware to visitors through fake Cloudflare verification prompts using ClickFix techniques. At least two competing threat groups were simultaneously conducting attacks, with some sites being targeted by both groups on the same day. The flaw requires no authentication and affects Ghost CMS versions 3.24.0 through 6.19.0. A patch had been available since February 2026, but many operators had not applied it.

- KnowledgeDeliver Zero-Day Exploited to Deploy Godzilla Web Shell
Hackers exploited a zero-day vulnerability (CVE-2026-5426) in KnowledgeDeliver, a learning management system developed by Digital Knowledge and widely used in Japanese enterprise and educational environments, to install Godzilla web shells on compromised servers. The flaw existed because all KnowledgeDeliver deployments used identical pre-shared ASP.NET machine keys hardcoded into a standard web.config file, enabling ViewState deserialization attacks leading to remote code execution. Mandiant researchers first responded to an attack in late 2025 and found that threat actors also modified JavaScript files to trick users into installing a malicious browser plugin. All deployments prior to February 24, 2026 are considered potentially compromised and at risk.
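The root cause described in both KnowledgeDeliver items above (a fixed ASP.NET machineKey shared by every install, so anyone holding that key can sign ViewState that the server will deserialize) is a condition defenders can audit for in any ASP.NET deployment. The script below is an added example for this digest, not code from Digital Knowledge, Mandiant or any vendor; the three web.config fragments in it are constructed for illustration, and its rule (any explicit key that is not AutoGenerate,IsolateApps is a finding, and MD5/SHA1 validation is flagged as legacy) is this example's own assumption about what a reasonable baseline looks like.

```python
"""Audit ASP.NET web.config files for a static or shared <machineKey>.

Added example. The audit rule is an assumption: an explicit validationKey or
decryptionKey that is not auto-generated is reported, because a key copied
into every installation lets anyone who learns it forge signed ViewState.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a config shipping a fixed key in every install (the risky pattern).
STATIC_KEY_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed sample: keys generated per machine and per application (the expected pattern).
AUTOGEN_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed sample: no machineKey element at all (ASP.NET then auto-generates keys).
NO_KEY_CONFIG = """<configuration><system.web /></configuration>"""

# Legacy MAC algorithms; this example treats anything in the set as a finding.
WEAK_VALIDATION = {"MD5", "SHA1"}


def audit_machine_key(config_xml: str) -> list:
    """Return a list of human-readable findings for the <machineKey> element.

    An empty list means no static key and no legacy validation algorithm was found.
    """
    findings = []
    root = ET.fromstring(config_xml)
    # Search the whole tree so nested or location-scoped system.web sections are covered.
    key = next(root.iter("machineKey"), None)
    if key is None:
        return findings  # absent element means ASP.NET auto-generates keys

    for attr in ("validationKey", "decryptionKey"):
        value = key.get(attr, "AutoGenerate")
        if not value.startswith("AutoGenerate"):
            findings.append(
                f"{attr} is a static value ({len(value)} characters); a key shared "
                "across deployments lets anyone who knows it forge ViewState"
            )
        elif "IsolateApps" not in value:
            findings.append(f"{attr} auto-generates but is not isolated per application")

    validation = key.get("validation", "HMACSHA256").upper()
    if validation in WEAK_VALIDATION:
        findings.append(f"validation={validation} is a legacy MAC; use HMACSHA256 or stronger")
    return findings


def config_is_shared_key(config_xml: str) -> bool:
    """True when the config carries an explicit, non-auto-generated key."""
    return any("static value" in f for f in audit_machine_key(config_xml))


if __name__ == "__main__":
    for name, cfg in (("static", STATIC_KEY_CONFIG),
                      ("autogen", AUTOGEN_CONFIG),
                      ("none", NO_KEY_CONFIG)):
        print(name, audit_machine_key(cfg) or "ok")
```

Run against a real web.config by reading the file into a string and passing it to audit_machine_key. A static key is not always wrong (web farms need a shared key across nodes), but the key must then be unique to that organization and not shipped in a product's default configuration, which is the condition the first finding is meant to surface.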
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The 10 stories above were judged the most significant of the week, ranked by highest risk and drawing on multiple sources where available.