Executive Summary
This week’s threat landscape once again demonstrated that modern cyber threats no longer depend solely on newly discovered vulnerabilities. Threat actors continued actively exploiting flaws spanning nearly two decades, while simultaneously targeting foundational enterprise technologies, internet-facing infrastructure, and critical government environments. The week highlighted a growing pattern where legacy vulnerabilities, unpatched edge devices, and high-value infrastructure platforms remained equally attractive to attackers seeking persistence, espionage access, and large-scale operational impact.
A total of 11 vulnerabilities were added to the CISA KEV catalog, including two vulnerabilities affecting Microsoft Defender, an actively exploited Microsoft Exchange Server vulnerability, multiple legacy Microsoft Internet Explorer flaws dating back nearly 16 years, and older Microsoft vulnerabilities originating from 2008 and 2009. The additions also included a Cisco vulnerability actively exploited by threat actors and a 2009 Adobe Acrobat vulnerability, reinforcing how historically exploited flaws continue to resurface within modern threat operations years after initial disclosure. Beyond KEV activity, active exploitation targeted several critical infrastructure and enterprise technologies, including NGINX and the Four-Faith F3x36, both of which serve as foundational internet-facing infrastructure components across enterprise, cloud, industrial, and operational technology environments.
At the same time, threat activity surrounding UAT-8616 exploitation of Cisco Catalyst SD-WAN vulnerabilities, Gamaredon spear-phishing operations targeting Ukrainian government institutions, and FamousSparrow intrusions against Azerbaijani energy infrastructure demonstrated the continued convergence of state-linked espionage, edge-device exploitation, and infrastructure-focused cyber operations across global geopolitical environments.
Key points:
- 9 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog during the week.
- Active exploitation activity was observed targeting NGINX and the Four-Faith F3x36 vulnerabilities.
- UAT-8616 exploited vulnerabilities affecting Cisco Catalyst SD-WAN Controller infrastructure.
- Gamaredon conducted spear-phishing campaigns targeting Ukrainian government institutions.
- FamousSparrow targeted Azerbaijani energy infrastructure through exploitation of Microsoft Exchange Server vulnerabilities.
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2026-20182 - Authentication Bypass vulnerability in Cisco Catalyst SD-WAN Controller
An Authentication Bypass vulnerability affecting Cisco Catalyst SD-WAN Controller allows unauthenticated remote attackers to bypass authentication controls and obtain administrative privileges on vulnerable SD-WAN environments. According to Cisco, the vulnerability originates from improper handling within the peering authentication mechanism, enabling attackers to send crafted requests that permit unauthorized access as an internal high-privileged non-root user account. Successful exploitation allows attackers to access NETCONF services and manipulate SD-WAN fabric configurations across affected deployments, including On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP) environments. Cisco confirmed limited in-the-wild exploitation activity during May 2026 and strongly recommends immediate application of the latest security updates and mitigations to affected systems. The vulnerability was subsequently added to the CISA KEV catalog following confirmed exploitation activity.
CVE-2026-41091 - Link Following vulnerability in Microsoft Defender
A Link Following vulnerability affecting Microsoft Defender allows an authorized local attacker to elevate privileges to SYSTEM level through improper link resolution prior to file access operations. According to Microsoft, successful exploitation enables attackers to abuse insecure handling of file links and access validation mechanisms within the Defender security architecture to obtain SYSTEM privileges on vulnerable Windows devices. Microsoft released security updates addressing the vulnerability on May 19, 2026, but did not disclose additional technical details, proof-of-concept availability, or attribution information regarding the threat actors exploiting the flaw in the wild. The vulnerability was subsequently added to the CISA KEV catalog following confirmed evidence of active exploitation activity.
CVE-2026-42945 - Heap Buffer Overflow vulnerability in NGINX
A Heap Buffer Overflow vulnerability affecting NGINX exists within the ngx_http_rewrite_module, enabling unauthenticated attackers to trigger denial-of-service conditions and potentially achieve remote code execution through specially crafted HTTP requests against vulnerable deployments. The flaw impacts NGINX Open Source versions 0.6.27 through 1.30.0 and NGINX Plus versions R32 through R36, including multiple F5 products integrating NGINX such as NGINX Ingress Controller and F5 WAF for NGINX. According to DepthFirst, the vulnerability originates from improper rewrite processing and inconsistent handling of the is_args flag during URI escaping and memory allocation operations, resulting in deterministic heap corruption using attacker-controlled URI data. The researchers demonstrate exploitation techniques involving memory corruption, cleanup handler overwrites, forged structure spraying, and forced system() invocation during worker cleanup operations. F5 released multiple security updates addressing the vulnerability across affected NGINX and associated product deployments following confirmed active exploitation activity.
CVE-2026-42897 - Cross-Site Scripting vulnerability in Microsoft Exchange Server
A Cross-Site Scripting vulnerability affecting Microsoft Exchange Server exists during web page generation operations within Outlook Web Access (OWA), allowing arbitrary JavaScript execution in the browser context under specific interaction conditions. The vulnerability enables remote attackers to execute malicious scripts against targeted users through crafted web content and malicious requests processed by vulnerable Exchange Server environments. Microsoft confirmed active zero-day exploitation of CVE-2026-42897 shortly after a major Patch Tuesday release but has not yet provided an official security patch addressing the issue. In the absence of a fix, Microsoft recommends applying interim mitigations and defensive guidance to reduce exposure to ongoing exploitation activity targeting Exchange Server deployments. The vulnerability was subsequently added to the CISA KEV catalog following confirmed in-the-wild exploitation.
CVE-2026-45498 - Denial of Service vulnerability in Microsoft Defender
A Denial-of-Service vulnerability affecting Microsoft Defender exists within the Microsoft Defender Antimalware Platform, a security architecture composed of user-mode binaries such as MsMpEng.exe and kernel-mode drivers operating on top of Windows systems to detect and mitigate malicious activity. Microsoft confirmed active exploitation of the vulnerability in the wild but did not disclose technical details, proof-of-concept availability, or attribution information regarding the responsible threat actors. Microsoft released security updates addressing the vulnerability on May 19, 2026, as part of its security servicing efforts for the Defender Antimalware platform. The vulnerability was subsequently added to the CISA KEV catalog following confirmed exploitation activity.
CVE-2024-9643 - Authentication Bypass vulnerability in Four-Faith F3x36 router
An Authentication Bypass vulnerability affecting Four-Faith F3x36 version 2.0.0 allows attackers with knowledge of hard-coded credentials to gain administrator access through crafted HTTP requests targeting management endpoints such as /Status_Router.asp. The actively exploited flaw enables attackers to bypass authentication mechanisms, modify router configurations, intercept traffic, maintain persistent access, and repurpose compromised devices for botnet operations, proxy infrastructure, and lateral movement activity. According to CrowdSec, publicly available exploitation resources, including Nuclei templates, significantly lower the barrier for automated mass exploitation campaigns targeting internet-facing edge infrastructure. CrowdSec telemetry recorded exploitation activity beginning on April 20 and escalating to “Mass Exploitation” status on May 12, with approximately 76% of observed attacker objectives aligning with infrastructure takeover operations targeting commerce-sector environments. As no publicly disclosed patch version currently exists, it is recommended to contact Four-Faith or the authorized device supplier to obtain and securely deploy the latest available firmware update addressing the vulnerability.
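Because no patch is available, visibility into who is reaching the router's management endpoint is the main compensating control. The following is an added example (not code from the original post, from CrowdSec, or from Four-Faith) that parses web access log lines, flags requests to /Status_Router.asp that were served to sources outside an assumed management network, and counts hits per source so that scanning bursts stand out. The log format, the management allowlist (10.20.0.0/24) and all sample lines are constructed; only the endpoint name comes from the report.

```python
"""Flag served requests to the Four-Faith F3x36 management endpoint in access logs.

Added example. The endpoint /Status_Router.asp is taken from the report; the
Common Log Format layout, the management allowlist and the sample log lines are
constructed for illustration and should be replaced with the operator's own.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Management endpoint(s) to watch. Only /Status_Router.asp is named in the report;
# operators can extend this set from the device documentation.
WATCHED_PATHS = {"/Status_Router.asp"}

# Assumption: networks that are allowed to reach the router web UI at all.
MANAGEMENT_NETS = [ip_network("10.20.0.0/24")]

# Common Log Format: client ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # compare the path without its query string
    return rec


def is_management_source(src):
    """True if the client address falls inside an allowed management network."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def detect(lines):
    """Return (alerts, per_source_hits).

    alerts: watched-path requests from non-management sources that the device
            answered with a 2xx status, i.e. the request was served, not rejected.
    per_source_hits: watched-path request count per source, for burst detection.
    """
    alerts, hits = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in WATCHED_PATHS:
            continue
        hits[rec["src"]] += 1
        if not is_management_source(rec["src"]) and 200 <= rec["status"] < 300:
            alerts.append(rec)
    return alerts, hits


# Constructed sample log: one legitimate admin hit, one external probe that was
# rejected (401), a burst of served requests from one external address, and a
# line that does not parse.
SAMPLE_LOG = [
    '10.20.0.5 - - [12/May/2026:09:01:10 +0000] "GET /Status_Router.asp HTTP/1.1" 200 4120',
    '10.20.0.5 - - [12/May/2026:09:01:12 +0000] "GET /index.asp HTTP/1.1" 200 1000',
    '198.51.100.7 - - [12/May/2026:09:02:00 +0000] "GET /Status_Router.asp HTTP/1.1" 401 0',
    '203.0.113.9 - - [12/May/2026:09:03:00 +0000] "POST /Status_Router.asp HTTP/1.1" 200 4120',
    '203.0.113.9 - - [12/May/2026:09:03:01 +0000] "POST /Status_Router.asp?x=1 HTTP/1.1" 200 4120',
    '203.0.113.9 - - [12/May/2026:09:03:02 +0000] "GET /Status_Router.asp HTTP/1.1" 200 4120',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    alerts, hits = detect(SAMPLE_LOG)
    for a in alerts:
        print(f"ALERT {a['src']} {a['method']} {a['path']} -> {a['status']} at {a['ts']}")
    for src, n in hits.most_common():
        print(f"{src}: {n} management-endpoint hits")
```

The 401 from 198.51.100.7 is counted but not alerted, because the interesting signal is a management request the device actually served to an unexpected source; on a device that cannot be patched, any such alert is a trigger to restrict the web UI to the management network (or a VPN) and to review the router configuration.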
CVE-2010-0249 - Use-After-Free vulnerability in Microsoft Internet Explorer
A Use-After-Free remote code execution vulnerability affecting Microsoft Internet Explorer exists due to improper handling of deleted objects and incorrectly initialized memory during object access operations. The vulnerability impacts Internet Explorer 6, Internet Explorer 6 SP1, Internet Explorer 7, and Internet Explorer 8 across multiple legacy Windows platforms, including Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. The vulnerability was actively exploited in the wild during December 2009 and January 2010 as part of the Operation Aurora campaigns targeting enterprise environments through memory corruption and invalid pointer dereference conditions within Internet Explorer object handling operations. Microsoft officially discontinued support for Internet Explorer in 2022. The vulnerability has now been added to the CISA KEV catalog years after the original exploitation activity.
CVE-2010-0806 - Use-After-Free vulnerability in Microsoft Internet Explorer
A Use-After-Free remote code execution vulnerability affecting Microsoft Internet Explorer exists within the iepeers.dll Peer Objects component due to improper handling of objects that remain uninitialized or are accessed after deletion. The vulnerability impacts Internet Explorer 6, Internet Explorer 6 SP1, and Internet Explorer 7, allowing remote attackers to execute arbitrary code through specially crafted web pages, malicious advertisements, compromised websites, ActiveX controls, or malicious Microsoft Office documents leveraging the Internet Explorer rendering engine. Successful exploitation corrupts memory through invalid pointer access and enables attackers to execute code with the privileges of the logged-on user. Microsoft officially discontinued support for Internet Explorer in 2022. The vulnerability has now been added to the CISA KEV catalog, nearly 16 years after the in-the-wild exploitation activity originally identified in March 2010.
CVE-2009-1537 - NULL Byte Overwrite vulnerability in Microsoft DirectX
A NULL Byte Overwrite vulnerability affecting Microsoft DirectX exists within the QuickTime Movie Parser Filter in the quartz.dll DirectShow component due to improper parsing of specially crafted QuickTime media files. The vulnerability impacts Microsoft DirectX 7.0 through 9.0c on Windows 2000, Windows XP, and Windows Server 2003 systems, allowing remote attackers to execute arbitrary code through malicious QuickTime files embedded within emails, compromised websites, malicious streaming content, network shares, or attacker-controlled web applications. The vulnerability was actively exploited in the wild during May 2009 through socially engineered media delivery campaigns and malicious web content targeting enterprise workstations and terminal servers, and it has now been added to the CISA KEV catalog.
CVE-2009-3459 - Heap-Based Buffer Overflow vulnerability in Adobe Acrobat and Reader
A Heap-Based Buffer Overflow vulnerability affecting Adobe Acrobat and Adobe Reader allows remote attackers to execute arbitrary code through crafted PDF files that trigger memory corruption conditions during document parsing operations. The vulnerability impacts Adobe Reader and Acrobat 7.x prior to 7.1.4, 8.x prior to 8.1.7, and 9.x prior to 9.2, enabling exploitation through malicious PDF attachments and attacker-controlled content distributed via phishing campaigns or compromised websites. Successful exploitation executes arbitrary code within the security context of the logged-on user following heap corruption triggered by improper memory handling. The vulnerability was actively exploited in the wild during October 2009, demonstrating real-world abuse against vulnerable systems. Although no public technical details, proof-of-concept information, or threat actor attribution data have been disclosed, the vulnerability has now been added to the CISA KEV catalog.
CVE-2008-4250 - Buffer Overflow vulnerability in Microsoft Windows
A Buffer Overflow vulnerability affecting Microsoft Windows exists due to improper handling of specially crafted Remote Procedure Call (RPC) requests during path canonicalization operations within the Windows Server service. The vulnerability impacts Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 systems, allowing remote attackers to execute arbitrary code by sending malicious network packets that trigger memory corruption conditions within RPC request processing routines. The vulnerability was actively exploited in the wild in October 2008 and has now been added to the CISA KEV catalog.
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
UAT-8616 exploits Cisco Catalyst SD-WAN vulnerability
According to Cisco Talos, active exploitation targeted CVE-2026-20182 affecting Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage. Successful exploitation allowed unauthenticated remote attackers to bypass authentication mechanisms and obtain administrative privileges on affected systems through crafted requests targeting vulnerable SD-WAN infrastructure. Talos clustered the observed exploitation activity under UAT-8616 with high confidence, although the exploitation activity appeared limited in scale at the time of reporting.
Gamaredon Spear-Phishing Campaign Targeting Ukrainian Government Institutions
According to HarfangLab, the Russia-affiliated Gamaredon conducted a spear-phishing campaign targeting Ukrainian state institutions beginning in September 2025. The operation delivered the GammaDrop and GammaLoad malware families through malicious RAR archives exploiting CVE-2025-8088. The phishing emails spoofed or originated from compromised government accounts to increase delivery success and trustworthiness among targeted recipients. The attack chain deployed persistent multi-stage VBScript downloaders designed to profile infected systems and retrieve additional malicious payloads from attacker-controlled infrastructure. HarfangLab assessed that the campaign demonstrated limited technical sophistication but reflected Gamaredon’s consistent operational scale, persistence, and high-frequency targeting activity against Ukrainian government environments.
FamousSparrow targeting Azerbaijani energy infrastructure through Microsoft Exchange vulnerabilities
According to Bitdefender, FamousSparrow conducted a multi-wave intrusion targeting an Azerbaijani oil and gas company between December 2025 and February 2026, with operational overlaps observed with the Earth Estries ecosystem. The threat group exploited unpatched Microsoft Exchange Server systems using the ProxyNotShell exploit chain involving CVE-2022-41040 and CVE-2022-41082 to obtain unauthenticated remote code execution and deploy multiple web shells including key.aspx, log.aspx, errorFE_.aspx, and signout_.aspx. The operation deployed the Deed RAT and Terndoor backdoor families through a DLL sideloading chain disguised as legitimate LogMeIn Hamachi VPN software using LMIGuardianDll.dll. The malware payload stored within .hamachi.lng was decrypted in memory using AES-128 and RC4 encryption techniques, while a malicious Windows service masquerading as LogMeIn Hamachi established persistent access across system reboots. Bitdefender additionally observed repeated re-compromise attempts against the same Exchange infrastructure, with attackers modifying malware families and operational tactics during each intrusion wave to maintain long-term espionage access within the targeted South Caucasus energy environment.
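The Bitdefender report names several host artefacts that a responder can hunt for directly: the four web shell file names, the LMIGuardianDll.dll loader sitting next to the .hamachi.lng payload, and a Hamachi-named service used for persistence. The following is an added example (not code from the original post or from Bitdefender) that applies those three checks to a file-path inventory and a list of service records. The directory layout, the assumed legitimate Hamachi install directory (C:\Program Files (x86)\LogMeIn Hamachi), the service names and all sample data are constructed for the example.

```python
"""Hunt for the FamousSparrow host artefacts named in the Bitdefender report.

Added example. Web shell names, LMIGuardianDll.dll, .hamachi.lng and the
Hamachi-named service come from the report; the expected install directory,
the sample file inventory and the sample service records are constructed.
"""
from pathlib import PureWindowsPath

# Web shell file names reported on the compromised Exchange servers (matched case-insensitively).
WEB_SHELLS = {"key.aspx", "log.aspx", "errorfe_.aspx", "signout_.aspx"}

# Sideloading pair from the report: loader DLL and encrypted payload in the same directory.
SIDELOAD_DLL = "lmiguardiandll.dll"
PAYLOAD_FILE = ".hamachi.lng"

# Assumption: where a genuine LogMeIn Hamachi installation lives on the host.
EXPECTED_HAMACHI_DIR = PureWindowsPath(r"C:\Program Files (x86)\LogMeIn Hamachi")


def hunt_files(paths):
    """Return (kind, path) findings for an iterable of Windows file paths."""
    findings = []
    names_by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        names_by_dir.setdefault(wp.parent, set()).add(wp.name.lower())
        if wp.name.lower() in WEB_SHELLS:
            findings.append(("webshell-name", str(wp)))
    # The loader DLL next to the payload file is the sideloading indicator; the
    # same pair outside the expected install directory is the stronger signal.
    for directory, names in names_by_dir.items():
        if SIDELOAD_DLL in names and PAYLOAD_FILE in names:
            kind = ("sideload-pair-in-install-dir" if directory == EXPECTED_HAMACHI_DIR
                    else "sideload-pair-outside-install-dir")
            findings.append((kind, str(directory)))
    return findings


def service_binary(binpath):
    """Extract the executable path from a service ImagePath, quoted or not."""
    binpath = binpath.strip()
    if binpath.startswith('"'):
        return PureWindowsPath(binpath[1:].split('"', 1)[0])
    return PureWindowsPath(binpath.split(" ", 1)[0])


def hunt_services(services):
    """Flag Hamachi-named services whose binary is not under the expected install directory.

    Each record is a dict with 'name', 'display' and 'binpath' keys.
    """
    findings = []
    for svc in services:
        label = f"{svc['name']} {svc.get('display', '')}".lower()
        if "hamachi" not in label:
            continue
        exe = service_binary(svc["binpath"])
        if EXPECTED_HAMACHI_DIR not in exe.parents:
            findings.append(("hamachi-named-service-unexpected-path", svc["name"], str(exe)))
    return findings


# Constructed inventory: a legitimate OWA page, two reported web shell names, a
# sideloading pair under ProgramData, and the loader DLL alone in the real install dir.
SAMPLE_FILES = [
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\key.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\errorFE_.aspx",
    r"C:\ProgramData\Hamachi\LMIGuardianDll.dll",
    r"C:\ProgramData\Hamachi\.hamachi.lng",
    r"C:\ProgramData\Hamachi\hamachi-2.exe",
    r"C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianDll.dll",
]

# Constructed service records: one Hamachi service in the expected location, one
# masquerading from ProgramData, and an unrelated service.
SAMPLE_SERVICES = [
    {"name": "Hamachi2Svc", "display": "LogMeIn Hamachi Tunneling Engine",
     "binpath": r'"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe" -s'},
    {"name": "HamachiSvc", "display": "LogMeIn Hamachi",
     "binpath": r'"C:\ProgramData\Hamachi\hamachi-2.exe" -s'},
    {"name": "Spooler", "display": "Print Spooler", "binpath": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for f in hunt_files(SAMPLE_FILES) + hunt_services(SAMPLE_SERVICES):
        print(*f)
```

File-name matches are a starting point rather than a verdict (log.aspx in particular is a plausible legitimate name), so each hit should be confirmed by content review and file timestamps; the sideloading pair and the mislocated service are the higher-confidence indicators, and the re-compromise pattern Bitdefender describes means the hunt is worth repeating after remediation.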
What were the most trending OSS vulnerabilities this week?
Open-Source Software (OSS) vulnerabilities are security weaknesses discovered in publicly available codebases that can be exploited across widely used libraries, frameworks, and tools, often impacting thousands of downstream applications.
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Conclusion
This week’s threat activity reinforced how both legacy vulnerabilities and newly disclosed flaws continue to drive real-world exploitation across enterprise, government, and critical infrastructure environments. Active campaigns targeting NGINX, Microsoft Exchange Server, Cisco Catalyst SD-WAN Controller, and the Four-Faith F3x36 highlighted the growing operational focus on internet-facing infrastructure and edge technologies. The continued addition of actively exploited vulnerabilities to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog further emphasized the importance of rapid vulnerability visibility, patch prioritization, and continuous threat monitoring across modern environments. Stay updated with emerging exploitation trends, threat intelligence, and vulnerability tracking through Loginsoft Vulnerability Intelligence (LOVI) to strengthen proactive cyber defense and infrastructure security operations.
FAQs
1) What is Cisco Catalyst SD-WAN Controller?
Cisco Catalyst SD-WAN Controller is a centralized software-defined networking platform that manages and controls SD-WAN infrastructure across enterprise branch networks, cloud environments, and remote sites. It enables organizations to securely route traffic, automate network policies, optimize application performance, and manage connectivity between distributed locations through a centralized management architecture.
2) What is the Four-Faith F3x36?
Four-Faith F3x36 is an industrial-grade cellular router designed to provide secure remote connectivity for field equipment, operational technology environments, distributed offices, and industrial infrastructure. The router supports cellular-based networking, remote management, edge communication, and data transmission across sectors such as utilities, transportation, retail, and industrial automation environments.
3) Does inclusion in the CISA KEV catalog mean exploitation is widespread?
Not necessarily widespread - but confirmed. KEV inclusion indicates verified in-the-wild exploitation. While the scale may vary, the operational reality is that threat actors possess working exploits, making patch prioritization urgent regardless of observed targeting volume.
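The practical consequence of this answer is that KEV membership should outrank raw severity scores when ordering remediation work. The following is an added example (not code from the original post or from LOVI) that cross-references a list of open findings against a KEV catalog snapshot and orders them into tiers: KEV entries whose remediation due date has passed, KEV entries due within a week, other KEV entries, and finally non-KEV findings ranked by CVSS. The snapshot mimics the field names of CISA's published KEV JSON feed (cveID, dateAdded, dueDate), but its entries, dates, hostnames and CVSS values are constructed for the example; CVE-2025-XXXXX is a placeholder.

```python
"""Order open findings by KEV status and remediation due date.

Added example. The catalog snapshot below uses the field names of the CISA KEV
JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json),
but its dates, the asset inventory and the CVSS values are constructed.
"""
import json
from datetime import date

# Constructed KEV-shaped snapshot; CVE IDs are those the report says were added this week.
KEV_SNAPSHOT = json.loads("""
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2026-20182", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Controller",
     "dateAdded": "2026-05-21", "dueDate": "2026-06-11"},
    {"cveID": "CVE-2026-41091", "vendorProject": "Microsoft", "product": "Defender",
     "dateAdded": "2026-05-20", "dueDate": "2026-06-10"},
    {"cveID": "CVE-2008-4250", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2026-05-22", "dueDate": "2026-06-12"}
  ]
}
""")

# Constructed scanner output: hostname, CVE and the scanner's reported CVSS base score.
ASSET_FINDINGS = [
    {"host": "edge-sdwan-01", "cve": "CVE-2026-20182", "cvss": 9.8},
    {"host": "ws-finance-12", "cve": "CVE-2026-41091", "cvss": 7.8},
    {"host": "legacy-print-srv", "cve": "CVE-2008-4250", "cvss": 10.0},
    {"host": "web-03", "cve": "CVE-2026-42945", "cvss": 9.8},      # not in this snapshot
    {"host": "ws-hr-04", "cve": "CVE-2025-XXXXX", "cvss": 5.3},    # placeholder, not in snapshot
]

SOON_DAYS = 7  # "due soon" window for KEV entries


def kev_index(snapshot):
    """Map cveID -> catalog entry for quick lookup."""
    return {v["cveID"]: v for v in snapshot["vulnerabilities"]}


def prioritise(findings, snapshot, today):
    """Return findings sorted into tiers 0..3 with a human-readable reason.

    0: in KEV and past its due date; 1: in KEV, due within SOON_DAYS;
    2: in KEV, later due date; 3: not in KEV (ordered by CVSS, highest first).
    Within a KEV tier the earlier due date comes first; ties fall back to CVSS.
    """
    kev = kev_index(snapshot)
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is not None:
            due = date.fromisoformat(entry["dueDate"])
            days_left = (due - today).days
            if days_left < 0:
                tier, reason = 0, f"in KEV, due date {due} has passed"
            elif days_left <= SOON_DAYS:
                tier, reason = 1, f"in KEV, due in {days_left} day(s)"
            else:
                tier, reason = 2, f"in KEV, due {due}"
            key = (tier, due, -f["cvss"])
        else:
            tier, reason = 3, "not in KEV snapshot; ordered by CVSS"
            key = (tier, date.max, -f["cvss"])
        rows.append(({**f, "tier": tier, "reason": reason}, key))
    rows.sort(key=lambda r: r[1])
    return [r[0] for r in rows]


if __name__ == "__main__":
    for row in prioritise(ASSET_FINDINGS, KEV_SNAPSHOT, date(2026, 6, 11)):
        print(f"tier {row['tier']}  {row['host']:18} {row['cve']:16} cvss {row['cvss']:<4} {row['reason']}")
```

Note that legacy-print-srv carries the highest CVSS score yet sorts behind two lower-scored hosts, and web-03 (critical score, not in the snapshot) sorts behind every KEV entry; that inversion of a pure severity ranking is the point of using confirmed exploitation as the first sort key. In production the snapshot would be the live CISA feed and the findings would come from the scanner or asset inventory.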
4) How does LOVI help organizations manage vulnerabilities effectively?
Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.
5) What is Cytellite?
Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.