The Top CVEs of May 2026: Edge Devices Under Active Attack While Patch Tuesday Goes Quiet

Microsoft shipped its first zero-day-free Patch Tuesday since June 2024 — but the month's real action was elsewhere: a CISA Emergency Directive for Cisco SD-WAN, two exploited PAN-OS flaws, and a Drupal core SQL-injection, all under active attack.


Key Takeaways

  • The exploited bugs were on the edge, not in Patch Tuesday. May's most urgent flaws are the ones attackers were already using: Cisco Catalyst SD-WAN (CVE-2026-20182, CVSS 10.0, under a CISA Emergency Directive), two Palo Alto PAN-OS flaws (CVE-2026-0300, CVSS 9.8, unauthenticated root RCE; and CVE-2026-0257, CVSS 9.1, auth-bypass added to KEV May 29), and Drupal core (CVE-2026-9082, CVSS 9.8, SQLi to RCE).
  • Microsoft had no zero-days for the first time since June 2024 — ~138 fixes, 30 Critical — but two unauthenticated CVSS 9.8 RCEs in Windows Netlogon (CVE-2026-41089) and DNS (CVE-2026-41096), plus a 9.9 Dynamics 365 code-injection (CVE-2026-42898), are the patch priorities once the exploited edge bugs are closed.
  • Severity is the wrong sort key. A KEV-listed Trend Micro Apex One bug sits at CVSS 6.7 while several unexploited Patch Tuesday flaws score 9.8+. Rank by what's being exploited and exposed, not by the number.

How we rank (the CyberSignal method)

We do not sort by CVSS. A 6.7 attackers are using today is a bigger problem than a 9.8 nobody has touched. Each month we weight four signals: (1) confirmed active exploitation (CISA KEV listing or credible vendor/researcher evidence), (2) attacker value and exposure (internet-facing, unauthenticated, widely deployed), (3) patch availability (a critical bug with no fix is worse than one with a one-click update), and (4) blast radius (edge devices, domain controllers, identity platforms, and CI/CD beat single endpoints). The result is a list ordered by what to do Monday morning, not by what scores highest.
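As an added illustration (not CyberSignal's own tooling), the following Python encodes the four signals as a lexicographic sort key with CVSS as the final tiebreaker; the field choices and the exposure/blast-radius values for the sample records are assumptions drawn from this article's table, not vendor data.

```python
# Added example: one way to encode the four CyberSignal signals as a sort key.
# The field choices, their ordering and the sample records are constructed for
# this illustration; they are not the publication's own tooling.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Vuln:
    cve: str
    product: str
    cvss: Optional[float]   # None where the CNA had not published a base score
    exploited: bool         # signal 1: KEV listing or credible vendor/researcher evidence
    internet_facing: bool   # signal 2: exposure
    unauthenticated: bool   # signal 2: attacker value
    patch_available: bool   # signal 3
    blast_radius: int       # signal 4: 0 = single endpoint ... 3 = edge/DC/identity/CI-CD


def priority_key(v: Vuln) -> Tuple[int, int, int, int, float]:
    """Lexicographic key; higher tuples sort first. CVSS is only the final tiebreaker."""
    return (
        int(v.exploited),            # confirmed exploitation dominates everything else
        int(v.internet_facing) + int(v.unauthenticated),
        int(not v.patch_available),  # a bug with no fix outranks one with a one-click update
        v.blast_radius,
        v.cvss or 0.0,               # a missing score is not treated as a high one
    )


def rank(vulns: List[Vuln]) -> List[Vuln]:
    """Return the list ordered by what to do Monday morning, not by CVSS."""
    return sorted(vulns, key=priority_key, reverse=True)


# Constructed records for five entries from the May table (exposure and
# blast-radius values are assumptions made for this example).
MAY_2026 = [
    Vuln("CVE-2026-41089", "Windows Netlogon", 9.8, False, False, True, True, 3),
    Vuln("CVE-2026-40361", "Microsoft Word", 8.4, False, False, False, True, 0),
    Vuln("CVE-2026-34926", "Trend Micro Apex One", 6.7, True, False, False, True, 1),
    Vuln("CVE-2026-27771", "Gitea", None, False, True, False, True, 3),
    Vuln("CVE-2026-20182", "Cisco Catalyst SD-WAN", 10.0, True, True, True, True, 3),
]

if __name__ == "__main__":
    # The exploited 6.7 (Apex One) lands above the unexploited 9.8 (Netlogon).
    for i, v in enumerate(rank(MAY_2026), 1):
        score = v.cvss if v.cvss is not None else "n/a"
        print(f"{i}. {v.cve} {v.product} (CVSS {score})")
```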

The May 2026 ranked list

| # | CVE | Product | CVSS | Status | Do this |
| --- | --- | --- | --- | --- | --- |
| 1 | CVE-2026-20182 | Cisco Catalyst SD-WAN Controller & Manager | 10.0 | Exploited · CISA KEV · Emergency Directive ED-26-03 | Follow ED-26-03 hunt/hardening guidance now; patch immediately |
| 2 | CVE-2026-0300 | Palo Alto PAN-OS (User-ID Auth Portal) | 9.8 | Exploited · CISA KEV | Patch; restrict Auth Portal to trusted zones / disable if unused |
| 3 | CVE-2026-0257 | Palo Alto PAN-OS | 9.1 | Exploited · CISA KEV (added May 29) | Apply PAN-OS fix; review GlobalProtect/VPN logs for unauthorized sessions |
| 4 | CVE-2026-9082 | Drupal Core | 9.8 | Exploited · CISA KEV | Apply SA-CORE-2026-004 to all Drupal sites |
| 5 | CVE-2026-48172 | LiteSpeed cPanel Plugin | 10.0 | Exploited · CISA KEV | Patch the plugin; review for unauthorized root activity |
| 6 | CVE-2026-5426 | Digital Knowledge KnowledgeDeliver LMS | — | Exploited (Google TIG) | Rotate machineKey; hunt for Godzilla web shell + Cobalt Strike — patch alone is insufficient |
| 7 | CVE-2025-34291 | Langflow | 9.4 | Exploited · CISA KEV | Update to 1.9.3+; restrict network exposure of AI tooling |
| 8 | CVE-2026-34926 | Trend Micro Apex One (on-prem) | 6.7 | Exploited · CISA KEV | Apply Trend Micro fix (KA-0023430) — note: low score, real attacks |
| 9 | CVE-2026-42898 | Microsoft Dynamics 365 (on-prem) | 9.9 | Critical — patch available | Patch on-prem Dynamics first among internet-facing apps |
| 10 | CVE-2026-41089 | Windows Netlogon | 9.8 | Critical — patch available | Patch domain controllers immediately — a compromised DC is a compromised domain |
| 11 | CVE-2026-41096 | Windows DNS | 9.8 | Critical — patch available | Deploy May cumulative update; prioritize exposed/resolver hosts |
| 12 | CVE-2026-27771 | Gitea (< 1.26.2) | — | Critical — patch available | Upgrade to 1.26.2+; treat any exposed image as potentially leaked |
| 13 | (no CVE assigned) | Gogs | 9.4 (v4) | Unpatched (Rapid7) | Restrict authenticated access; consider taking exposed instances offline until a fix ships |
| 14 | CVE-2026-40361 | Microsoft Word | 8.4 | Critical — patch available | Patch Office; triggers without a click (preview-pane class) |

CVSS shown as "—" where the CNA had not published a base score at time of writing; rank reflects exploitation and exposure, not the missing number. Vulnerability type for each entry is detailed in the tiers below.

Tier 1 — Actively exploited (fix these first)

CVE-2026-20182 — Cisco Catalyst SD-WAN Controller & Manager, CVSS 10.0. An authentication bypass that hands an unauthenticated remote attacker administrative control. CISA escalated this to Emergency Directive ED-26-03 with hunt-and-hardening guidance — the agency's strongest signal that exploitation is real and widespread. If you run Catalyst SD-WAN, the ED workflow, not just the patch, is the requirement.

CVE-2026-0300 and CVE-2026-0257 — Palo Alto PAN-OS (two flaws, both exploited). CVE-2026-0300 (CVSS 9.8) is an out-of-bounds write in the User-ID Authentication Portal that lets an unauthenticated attacker run code as root on PA-Series and VM-Series firewalls via crafted packets. CVE-2026-0257 (CVSS 9.1), added to CISA's KEV catalog on May 29, is an authentication bypass that lets an attacker establish an unauthorized VPN connection. Two actively-exploited PAN-OS bugs in a single month is itself the story: patch both, restrict or disable the Auth Portal until you have, and review GlobalProtect/VPN logs for unauthorized sessions.

CVE-2026-9082 — Drupal core, CVSS 9.8. A SQL injection in the database abstraction API that can escalate to RCE — and Drupal core's install base makes this a broad-exposure event. Apply SA-CORE-2026-004 everywhere.

CVE-2026-48172 (LiteSpeed cPanel Plugin, CVSS 10.0), CVE-2025-34291 (Langflow, 9.4), and CVE-2026-34926 (Trend Micro Apex One, 6.7) round out the confirmed-exploitation set added to CISA's KEV catalog in May. The Apex One entry is the month's clearest illustration of the ranking method: at CVSS 6.7 it would be buried on a severity-sorted list, yet it is under active attack and carries a federal patch deadline.

CVE-2026-5426 — KnowledgeDeliver LMS. Google's Threat Intelligence Group caught attackers forging ViewState payloads against a hardcoded ASP.NET machineKey, dropping the Godzilla web shell and staging Cobalt Strike. The operational point: the vendor patch does not evict an attacker who already forged a key — rotate the machineKey and hunt the host. (CyberSignal coverage)


The CyberSignal Analysis

Signal 01 — The exploited bugs bypassed Patch Tuesday entirely

The headline writes itself as "quiet month, no zero-days" — and that framing is a trap. Every flaw with confirmed in-the-wild abuse in May lived outside the Microsoft release: Cisco SD-WAN, PAN-OS, Drupal, LiteSpeed, Langflow, Apex One. Teams that organize their month around Patch Tuesday alone patched the wrong calendar. The edge and the open-source/SaaS stack are where the attacks were.

Signal 02 — The KEV catalog is your priority queue, not the CVSS column

Trend Micro Apex One at 6.7 is under active attack with a federal deadline; multiple unexploited Microsoft criticals score 9.8+. Sort by evidence of exploitation first, exposure second, and CVSS last — which is exactly how CISA's KEV deadlines and the Cisco Emergency Directive are constructed.

Signal 03 — Self-hosting moved your attack surface; it didn't remove it

Gitea and Gogs both put an authorization or injection RCE one exposed port away from the crown jewels, and a "no zero-day" Patch Tuesday changes nothing about that. Self-hosted Git, registries, and CI/CD deserve the same internet-exposure discipline as any SaaS edge.

Defender Checklist — May 2026

  • Run the CISA ED-26-03 hunt/hardening workflow for Cisco Catalyst SD-WAN (CVE-2026-20182) — not just the patch.
  • Patch both PAN-OS flaws (CVE-2026-0300 and CVE-2026-0257) and apply Drupal SA-CORE-2026-004 (CVE-2026-9082) across all sites.
  • Clear remaining KEV deadlines: LiteSpeed cPanel (CVE-2026-48172), Langflow (CVE-2025-34291), Trend Micro Apex One (CVE-2026-34926).
  • Rotate the KnowledgeDeliver machineKey (CVE-2026-5426) and threat-hunt for Godzilla/Cobalt Strike — don't assume the patch closed it.
  • Patch domain controllers (Netlogon CVE-2026-41089), Windows DNS (CVE-2026-41096), and on-prem Dynamics 365 (CVE-2026-42898).
  • Upgrade Gitea to 1.26.2+ (CVE-2026-27771); isolate exposed Gogs instances until a fix ships. Deploy the Office update for the no-click Word RCE (CVE-2026-40361).

Sources

| Type | Source |
| --- | --- |
| Primary | CISA Known Exploited Vulnerabilities Catalog |
| Primary | CISA Emergency Directive ED-26-03 — Cisco SD-WAN |
| Primary | Microsoft MSRC — May 2026 release notes |
| Reporting | The Hacker News — Microsoft patches 138 vulns, DNS & Netlogon RCE |
| Reporting | BleepingComputer — May 2026 Patch Tuesday |
| Reporting | Malwarebytes — May 2026 Patch Tuesday |
| CyberSignal | KnowledgeDeliver CVE-2026-5426 · Gitea CVE-2026-27771 · Gogs RCE |