
Expanded Cybersecurity Advisory: Critical Vulnerabilities In Past 3 Weeks

This expanded advisory aggregates all critical security vulnerabilities (CVSS>=9.0) identified or added to active exploitation catalogs between April 24, 2026, and May 15, 2026.

Critical Severity

This vulnerability requires immediate attention. Affected systems should be patched or mitigated as soon as possible.

Status: Highly Urgent / Active Exploitation Observed Across Multiple Flaws

Summary of Critical Flaws

| CVE ID | Vendor / Product | Vulnerability Type | CVSS Score | Exploitation Status |
| --- | --- | --- | --- | --- |
| CVE-2026-42945 | NGINX (Open Source / Plus) | Heap Buffer Overflow (RCE) | 9.2 | Disclosed / High Risk |
| CVE-2026-0300 | Palo Alto Networks PAN-OS | Stack Buffer Overflow (Root RCE) | 10.0 / 9.8 | Actively Exploited (CISA KEV) |
| CVE-2026-42208 | BerriAI LiteLLM | SQL Injection | 9.0+ | Actively Exploited (CISA KEV) |
| CVE-2026-41940 | All cPanel & WHM versions after 11.40 | Auth Bypass via Session Injection | 9.8 | Active Zero-Day (Mass Web Overhaul) |
| CVE-2026-33824 | Microsoft Windows (IKE) | Remote Code Execution | 9.8 | Patched / Target Risk |

Technical Breakdowns & Direct Impact

  1. NGINX Rewrite Module RCE ("NGINX Rift") — CVE-2026-42945

    • Disclosed: May 13, 2026
    • Impact: An 18-year-old flaw affecting NGINX Open Source (0.6.27 to 1.30.0) and NGINX Plus (R32 to R36). An unauthenticated attacker can send a single crafted HTTP request to trigger a heap buffer overflow in ngx_http_rewrite_module. The result is either a denial of service or full Remote Code Execution (RCE) inside the worker process.
    • Mitigation: Upgrade to NGINX Open Source 1.30.1 / 1.31.0, or NGINX Plus R32 P6 / R36 P4. Fully restart the NGINX service to reload worker binaries.
  2. Palo Alto Networks PAN-OS Firewalls — CVE-2026-0300

    • Disclosed: Early May 2026 (Added to CISA KEV)
    • Impact: Allows unauthenticated remote attackers to send malicious packets to the User-ID Authentication Portal (Captive Portal), achieving immediate root-level code execution on the firewall itself.
    • Mitigation: Isolate the portal from public-facing interfaces. Apply emergency vendor updates via the Palo Alto Networks Security Advisory Portal.
  3. BerriAI LiteLLM Proxy — CVE-2026-42208

    • Disclosed: Added to CISA KEV on May 8, 2026
    • Impact: A critical SQL Injection flaw within the AI proxy application. Threat actors are actively exploiting this vulnerability to read/modify backend proxy databases and hijack stored corporate API credentials.
    • Mitigation: Update LiteLLM instances immediately per vendor guidance or restrict access via CISA KEV Mitigation Frameworks.
  4. cPanel & WHM Pre-Authentication Session Injection (The Zero-Day Flaw) — CVE-2026-41940

    • Disclosed / Exploited: Disclosed April 28, 2026; mass active exploitation tracked through May 2026.
    • CVSS Score: 9.8 (Critical)
    • Impacted Architecture: All cPanel & WHM versions after 11.40, DNSOnly, and WP Squared environments. This affects approximately 1.5 million internet-exposed hosting nodes globally.
    • The Exploit Mechanism: The vulnerability combines a missing-authentication flaw with a Carriage Return Line Feed (CRLF) injection. An unauthenticated attacker sends a malformed Authorization HTTP header directly to the cpsrvd service daemon. The header forces the daemon to write plain-text variables (such as user=root and hasroot=1) directly into a session file on the host's disk. When cPanel parses this file, it immediately registers the attacker as a fully validated root administrator. Both standard password validation and Two-Factor Authentication (2FA) are entirely bypassed.
    • Business Risk: Mass multitenant takeover. A single compromise grants full control over the primary host system, allowing attackers to access, alter, or delete database files, email configurations, and thousands of customer websites tied to a shared hosting environment.
  5. Microsoft Windows Internet Key Exchange (IKE) — CVE-2026-33824

    • Disclosed: April 14, 2026 (Widespread exploitation targeting patch gap in late April/May)
    • Impact: An unauthenticated, zero-click network vector RCE affecting Windows Server VPN and IPsec negotiations. Requires no user interaction or elevated privileges to execute host code.
    • Mitigation: Run Windows Update to apply the critical April/May cumulative updates.
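As an added example (not code from this advisory, NGINX, or any of the vendors listed), a small Python triage helper that classifies NGINX Open Source versions against the affected range and fixed releases given under item 1 above, reading the version string that `nginx -v` prints; the hostnames and version banners in the sample inventory are constructed, and NGINX Plus R-series numbering is deliberately not modelled.

```python
import re

# Affected range and fixed releases for CVE-2026-42945 (NGINX Open Source),
# exactly as stated in item 1 of the advisory above.
AFFECTED_MIN = (0, 6, 27)
AFFECTED_MAX = (1, 30, 0)
FIXED_VERSIONS = ((1, 30, 1), (1, 31, 0))

# Matches "nginx/1.30.0" whether it comes from `nginx -v` (which prints
# "nginx version: nginx/1.30.0" on stderr) or from a Server response header.
_VERSION_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")


def parse_nginx_version(banner: str) -> tuple:
    """Return (major, minor, patch) parsed from an nginx version banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no nginx version found in: {banner!r}")
    return tuple(int(x) for x in m.groups())


def cve_2026_42945_status(version: tuple) -> str:
    """Classify an NGINX Open Source version against the advisory's range."""
    if version < AFFECTED_MIN:
        return "not-listed"    # older than 0.6.27: not named as affected
    if version <= AFFECTED_MAX:
        return "vulnerable"    # 0.6.27 .. 1.30.0 inclusive: upgrade required
    return "fixed"             # 1.30.1 / 1.31.0 and later carry the fix


def triage(inventory: dict) -> dict:
    """Map each host in a {host: banner} inventory to its patch status."""
    return {host: cve_2026_42945_status(parse_nginx_version(banner))
            for host, banner in inventory.items()}


# Constructed sample inventory: hypothetical hostnames and banners.
SAMPLE_INVENTORY = {
    "edge-1.example.internal": "nginx version: nginx/1.30.0",
    "edge-2.example.internal": "nginx version: nginx/1.30.1",
    "legacy.example.internal": "nginx version: nginx/0.6.26",
    "api-gw.example.internal": "Server: nginx/1.28.0",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:28} {status}")
```

A "fixed" result only shows the installed binary is patched; per the mitigation in item 1, the service must be fully restarted so the worker processes actually run it.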