Executive Summary
This week’s threat landscape reflected continued attacker focus on exposed enterprise applications, cloud-native infrastructure, developer ecosystems, and trusted software distribution channels. Multiple vulnerabilities affecting widely deployed platforms such as Langflow, Trend Micro Apex One, Drupal, LiteSpeed User-End cPanel Plugin, Nx Console, TanStack packages, and DAEMON Tools Lite were added to the CISA KEV catalog following confirmed exploitation activity, reinforcing the growing operational risks surrounding software supply chains, AI platforms, endpoint security products, and internet-facing enterprise services.
Active exploitation activity additionally targeted KnowledgeDeliver and Ghost deployments through campaigns focused on web-shell persistence, malicious script injection, and staged malware delivery operations.
According to Google Mandiant, attackers exploited vulnerabilities in KnowledgeDeliver to deploy the Godzilla web shell, also tracked as BLUEBEAM, alongside fraudulent authentication lures and customized Cobalt Strike Beacon payloads to maintain long-term access within compromised enterprise learning environments. At the same time, Fortinet uncovered persistent P2Pinfect activity targeting exposed Google Kubernetes Engine environments through misconfigured Redis instances and exploitation involving CVE-2025-11953, highlighting growing attacker focus on cloud infrastructure abuse, web application exploitation, and long-term persistence operations.
Key points:
- 7 vulnerabilities added to the CISA KEV catalog
- Active exploitation detected in GhostCMS and KnowledgeDeliver deployments
- KnowledgeDeliver vulnerability exploited to deploy BLUEBEAM Web Shell
- Fortinet uncovers persistent P2Pinfect activity
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2026-5426 - Unauthenticated Remote Code Execution vulnerability in Digital Knowledge KnowledgeDeliver
An Unauthenticated Remote Code Execution vulnerability affecting KnowledgeDeliver deployments that allows attackers to bypass ViewState validation and execute arbitrary code through malicious ASP.NET ViewState deserialization payloads. According to Google Mandiant, the vulnerability originates from hard-coded ASP.NET machineKey values embedded in standardized web.config deployment templates distributed with vulnerable KnowledgeDeliver environments prior to February 24, 2026. Because the machineKey is the secret that signs and encrypts ViewState, anyone who knows it can craft __VIEWSTATE payloads that pass validation and trigger unsafe deserialization, and because identical machineKey secrets were reused across deployments, the same technique compromises multiple unrelated internet-facing KnowledgeDeliver instances. Active exploitation activity demonstrated the operational risk of shared deployment secrets and created large-scale compromise opportunities across enterprise, education, and professional training environments running exposed ASP.NET-based LMS infrastructure. Digital Knowledge addressed the vulnerability in KnowledgeDeliver builds released on or after February 24, 2026, while emphasizing the need for stronger deployment isolation, unique secret generation, and continuous monitoring for ViewState deserialization attacks.
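The shared-secret problem above is something an operator can audit directly. The following script is an added example (not Digital Knowledge's code) that parses a set of web.config fragments and reports machineKey values that recur across deployments, plus the related case where ViewState MAC checking is switched off; host names and key values are constructed placeholders.

```python
"""Audit ASP.NET web.config files for the weakness behind CVE-2026-5426:
a machineKey hard-coded in a deployment template and therefore shared by
unrelated instances. Added example, not Digital Knowledge's code; host names
and key values are constructed placeholders, not real secrets."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments for four hypothetical deployments.
WEB_CONFIGS = {
    "lms-a.example": """
<configuration><system.web>
  <machineKey validationKey="1111AAAA2222BBBB" decryptionKey="3333CCCC4444DDDD"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
    # Same template copied to a second customer: identical secrets.
    "lms-b.example": """
<configuration><system.web>
  <machineKey validationKey="1111AAAA2222BBBB" decryptionKey="3333CCCC4444DDDD"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
    # Keys generated per server: nothing for a template to leak.
    "lms-c.example": """
<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"/>
</system.web></configuration>""",
    # Unique keys, but the ViewState MAC check itself is switched off.
    "lms-d.example": """
<configuration><system.web>
  <pages enableViewStateMac="false"/>
  <machineKey validationKey="5555EEEE6666FFFF" decryptionKey="7777000088889999"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
}


def audit(configs):
    """Return {host: [issue, ...]} for every host with a finding.

    Issues: 'shared-validationKey' / 'shared-decryptionKey' when a literal key
    value appears in more than one deployment, and 'viewstate-mac-disabled'
    when <pages enableViewStateMac="false"/> turns off ViewState integrity
    checks entirely."""
    issues = defaultdict(set)
    holders = defaultdict(set)  # (attribute, literal value) -> hosts using it
    for host, xml_text in configs.items():
        root = ET.fromstring(xml_text.strip())
        pages = root.find("./system.web/pages")
        if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
            issues[host].add("viewstate-mac-disabled")
        mk = root.find("./system.web/machineKey")
        if mk is None:
            continue  # no element means the AutoGenerate defaults apply
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if not value.startswith("AutoGenerate"):
                holders[(attr, value)].add(host)
    for (attr, _value), hosts in holders.items():
        if len(hosts) > 1:
            for host in hosts:
                issues[host].add(f"shared-{attr}")
    return {host: sorted(found) for host, found in sorted(issues.items())}


if __name__ == "__main__":
    for host, found in audit(WEB_CONFIGS).items():
        print(host, ", ".join(found))
```

Run it against the web.config of every instance you operate; a clean result is an empty dict.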
CVE-2026-8398 - Embedded Malicious Code vulnerability in Daemon Tools Lite
An Embedded Malicious Code vulnerability affecting Daemon Tools Lite that resulted from a supply chain attack compromising official installers distributed through the vendor's website between April and May 2026. According to the disclosure, attackers breached AVB Disc Soft build or distribution infrastructure and trojanized three signed binaries distributed as legitimate DAEMON Tools Lite installation packages. Because the malicious installers carried valid code-signing certificates, the compromised binaries appeared trustworthy and bypassed multiple security validation and reputation-based detection mechanisms on affected systems. The trojanized installers enabled distribution of malicious payloads through trusted software delivery channels, significantly increasing operational risk for enterprise and consumer environments that rely on signed software validation. This vulnerability was subsequently added to the CISA KEV catalog following confirmed malicious distribution activity.
CVE-2026-9082 - SQL Injection vulnerability in Drupal Core
A SQL Injection vulnerability affecting Drupal that allows unauthenticated remote attackers to trigger arbitrary SQL injection through specially crafted requests sent to the database abstraction API within PostgreSQL-backed Drupal deployments. Successful exploitation enables information disclosure and may further result in privilege escalation, remote code execution, and broader compromise of affected public-sector, enterprise, education, and internet-facing environments. According to the Drupal security advisory, the vulnerability specifically impacts sites using PostgreSQL databases, although third-party dependency updates included in the release apply across all Drupal installations. According to Imperva, more than 15,000 exploitation attempts targeted nearly 6,000 Drupal sites across 65 countries within two days of disclosure, with gaming and financial services organizations accounting for nearly half of the observed attack activity. Drupal released multiple patched versions on May 20 to remediate the vulnerability, and the flaw was subsequently added to the CISA KEV catalog following confirmed exploitation activity.
CVE-2026-26980 - SQL Injection vulnerability in Ghost CMS
A SQL Injection vulnerability affecting the Ghost Content API that allows unauthenticated attackers to read arbitrary database contents through crafted requests targeting vulnerable Ghost deployments between versions 3.24.0 and 6.19.0. Active exploitation activity observed by Qianxin XLab researchers impacted more than 700 domains spanning universities, AI and SaaS providers, media organizations, fintech platforms, cybersecurity websites, and personal blogs, including environments associated with Harvard University, University of Oxford, Auburn University, and DuckDuckGo. Attackers exploited the vulnerability to steal administrative API keys and inject malicious JavaScript into website articles, where second-stage payloads delivered ClickFix social engineering lures, fraudulent Cloudflare verification prompts, DLL loaders, JavaScript droppers, and Electron-based malware including UtilifySetup.exe. According to SentinelOne, multiple attacker clusters targeted vulnerable Ghost deployments simultaneously, including repeated re-infection attempts and replacement of competing malicious scripts across previously compromised websites. The vulnerability was remediated in Ghost version 6.19.1 released during February 2026 following widespread exploitation activity targeting exposed publishing environments.
CVE-2026-34926 - Directory Traversal vulnerability in Trend Micro Apex One (On-Premise)
A Directory Traversal vulnerability affecting Trend Micro Apex One that allows a pre-authenticated local attacker to modify critical server-side tables and inject malicious code for distribution to connected agents across affected enterprise environments. Successful exploitation requires attackers to first obtain administrator-level access to the Apex One server operating system through external compromise methods before abusing the vulnerable functionality to deploy malicious payloads across managed endpoints. According to Trend Micro, the vulnerability only impacts on-premises Apex One deployments and does not affect cloud-based environments such as Apex One as a Service. Trend Micro released security updates for Trend Micro Apex One (on-premise), Apex One as a Service, and Vision One Standard Endpoint Protection to remediate the vulnerability, although no additional technical details, proof-of-concept information, or threat actor attribution data were disclosed at the time of publication. The vulnerability was subsequently added to the CISA KEV catalog following confirmed exploitation activity.
CVE-2026-45321 - Authentication Bypass vulnerability in TanStack
An Authentication Bypass vulnerability affecting TanStack packages that allowed attackers to publish credential-stealing malware to the npm registry under a trusted identity. On May 11, 2026, between approximately 19:20 and 19:26 UTC, attackers published 84 malicious versions across 42 @tanstack/* packages by abusing the legitimate GitHub Actions OIDC trusted-publisher integration associated with TanStack/router. According to the disclosure, the attackers chained multiple exploitation techniques, including a pull_request_target “Pwn Request” misconfiguration, GitHub Actions cache poisoning across the fork-to-base trust boundary, and runtime memory extraction of OIDC tokens from GitHub Actions runner processes, to obtain publishing capability without modifying the actual publish workflow. Each affected package received two malicious releases published minutes apart, enabling distribution of credential-stealing malware through trusted npm package channels targeting downstream developer environments and CI/CD pipelines. The malicious package campaign was subsequently added to the CISA KEV catalog following confirmed compromise activity.
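The workflow misconfiguration at the root of that chain can be screened for with a simple repository check. The following script is an added example (not TanStack's workflow or tooling) that flags a pull_request_target workflow which checks out the pull request's head, and notes when the same workflow also holds an OIDC id-token grant or writes a shared actions/cache; both workflow texts are constructed, and the matching is a line-oriented heuristic rather than a YAML parser.

```python
"""Flag the GitHub Actions pattern abused in the TanStack compromise
(CVE-2026-45321): a pull_request_target workflow that checks out the
pull request's head, so fork-controlled code runs with base-repository
privileges, possibly alongside an OIDC id-token grant or a shared cache.
Added example, not TanStack's workflow; both texts below are constructed
and the regex matching is a heuristic, not a YAML parser."""
import re

WEAK_WORKFLOW = """\
name: pr-checks
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  id-token: write
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('package-lock.json') }}
      - run: npm ci && npm test
"""

SAFE_WORKFLOW = """\
name: pr-checks
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""


def audit_workflow(text):
    """Return findings for one workflow file; an empty list means no concern."""
    findings = []
    if not re.search(r"\bpull_request_target\b", text):
        return findings  # plain pull_request runs fork code without secrets
    findings.append("pull_request_target-trigger")
    # Checking out the PR head under pull_request_target is the "Pwn Request"
    # shape: untrusted code runs with the base repository's token and secrets.
    if re.search(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)", text):
        findings.append("checks-out-fork-head")
    # An id-token grant in the same workflow exposes OIDC tokens to that code.
    if re.search(r"^\s*id-token:\s*write", text, re.M):
        findings.append("oidc-id-token-write")
    # Cache entries written here are scoped to the base branch, so later
    # trusted runs may restore content a fork influenced.
    if re.search(r"uses:\s*actions/cache@", text):
        findings.append("cache-writable-from-fork")
    return findings


if __name__ == "__main__":
    print("weak:", audit_workflow(WEAK_WORKFLOW))
    print("safe:", audit_workflow(SAFE_WORKFLOW))
```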
CVE-2026-48027 - Embedded Malicious Code vulnerability in Nx Console
An Embedded Malicious Code vulnerability affecting Nx Console that allowed a compromised extension version to distribute obfuscated malicious payloads capable of harvesting credentials from disk and in-memory sources across affected developer environments. Nx Console serves as the user interface for Nx and Lerna workflows and is widely used within modern software development ecosystems. According to the disclosure, malicious version 18.95.0 was published to the Visual Studio Marketplace on May 19, 2026 at 12:30 PM UTC and remained available for approximately 18 minutes before removal, while the compromised release persisted on OpenVSX for nearly 36 minutes before detection and takedown. After installation, the malicious extension retrieved additional obfuscated payloads designed to collect sensitive credentials and authentication material from compromised systems. Users were advised to remediate exposure by upgrading to Nx Console version 18.100.0, and the vulnerability was subsequently added to the CISA KEV catalog following confirmed compromise activity.
CVE-2026-48172 - Privilege Escalation vulnerability in LiteSpeed cPanel Plugin
A Privilege Escalation vulnerability affecting the LiteSpeed User-End cPanel Plugin that allows attackers to execute arbitrary scripts with elevated root privileges through improper privilege assignment within the vulnerable lsws.redisAble function. The vulnerability impacts plugin versions 2.3 through 2.4.4 and can be exploited by any cPanel user account, including compromised or malicious accounts, to execute attacker-controlled scripts as root across affected shared hosting and enterprise web hosting environments. According to LiteSpeed Technologies, the vulnerability was actively exploited in the wild, although no additional technical details or threat actor attribution information were disclosed at the time of publication. LiteSpeed additionally provided an indicator-of-compromise command targeting cpanel_jsonapi_func=redisAble log activity to assist administrators in identifying potential exploitation attempts across cPanel logging environments. LiteSpeed remediated the vulnerability in version 2.4.5, and the vulnerability was subsequently added to the CISA KEV catalog following confirmed exploitation activity.
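The log indicator LiteSpeed pointed administrators to can be turned into a small triage script. The following is an added example (not LiteSpeed's own IoC command) that scans cPanel access-log lines for requests naming cpanel_jsonapi_func=redisAble and tallies them per cPanel user and source address; the sample lines and their field layout are constructed for this demo, so adjust LOG_RE to the real format of your /usr/local/cpanel/logs/access_log.

```python
"""Scan cPanel access-log lines for calls to the LiteSpeed plugin's
lsws.redisAble function, the indicator LiteSpeed highlighted for
CVE-2026-48172. Added example, not LiteSpeed's IoC command. Sample lines
and their layout are constructed; addresses come from RFC 5737 ranges."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
203.0.113.5 - tenant01 [05/21/2026:03:14:07 -0000] "GET /cpsess0000000001/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
198.51.100.9 - tenant02 [05/21/2026:03:15:11 -0000] "GET /cpsess0000000002/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=version HTTP/1.1" 200 128
203.0.113.5 - tenant01 [05/21/2026:03:16:40 -0000] "POST /cpsess0000000001/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redis%41ble HTTP/1.1" 200 512
192.0.2.77 - tenant03 [05/21/2026:03:20:02 -0000] "GET /cpsess0000000003/frontend/jupiter/index.html HTTP/1.1" 200 4096
"""

# Constructed combined-log-style layout: ip, ident, user, [timestamp],
# "METHOD target PROTOCOL", status. Adapt to the real access_log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_redisable_calls(lines):
    """Return one dict per request whose query names cpanel_jsonapi_func=redisAble.

    The query string is decoded with parse_qs, so percent-encoded spellings of
    the function name still match; the comparison is case-insensitive."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query)
        funcs = {f.lower() for f in query.get("cpanel_jsonapi_func", [])}
        if "redisable" in funcs:
            hits.append({
                "ip": m["ip"], "user": m["user"], "ts": m["ts"],
                "status": int(m["status"]),
                "module": query.get("cpanel_jsonapi_module", [""])[0],
            })
    return hits


def summarize(hits):
    """Count redisAble calls per (cPanel user, source IP) for triage."""
    return Counter((h["user"], h["ip"]) for h in hits)


if __name__ == "__main__":
    found = find_redisable_calls(SAMPLE_LOG.splitlines())
    for (user, ip), n in summarize(found).items():
        print(f"{user} from {ip}: {n} redisAble call(s)")
```

Any hit from an account that has no legitimate reason to toggle Redis is worth a closer look, especially on plugin versions 2.3 through 2.4.4.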
CVE-2025-34291 - Origin Validation Error vulnerability in Langflow
An Origin Validation Error vulnerability affecting Langflow that allows attackers to steal authentication tokens, impersonate users, execute arbitrary code, and achieve full system compromise across vulnerable environments. The vulnerability chain abuses overly permissive Cross-Origin Resource Sharing (CORS) configurations, missing Cross-Site Request Forgery (CSRF) protections, and unsafe token handling through SameSite=None cookie attributes to steal refresh tokens from authenticated users visiting malicious webpages. According to Obsidian Security, successful exploitation enables attackers to transition directly from account compromise into remote code execution through Langflow’s built-in Python execution functionality while additionally exposing sensitive API keys, cloud credentials, and downstream SaaS integrations stored within affected workspaces. Obsidian further assesses that the attack remains highly practical in enterprise and SaaS environments because exploitation requires only that an authenticated user visit an attacker-controlled webpage containing malicious cross-origin requests targeting vulnerable endpoints. The issue was addressed in Langflow version 1.7 and later releases, while subsequent confirmed exploitation activity resulted in inclusion within the CISA KEV catalog.
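The preconditions of that chain are visible in the application's response headers, which makes them easy to check during a review. The following is an added example (not Langflow's code) that scores a set of response headers for the combination described above: an origin policy that reflects an untrusted request origin together with Access-Control-Allow-Credentials, and cookies marked SameSite=None. Both header sets are constructed, and the cookie name is a placeholder rather than Langflow's real one.

```python
"""Check a response's CORS and cookie attributes for the combination behind
CVE-2025-34291 in Langflow: a CORS policy that reflects any origin with
credentials allowed, plus SameSite=None cookies, which together let a page
on another origin send the user's cookies and read the response.
Added example, not Langflow's code; header sets below are constructed."""

# Constructed responses as seen by a request from an untrusted origin.
UNTRUSTED_ORIGIN = "https://untrusted.example"
WEAK_RESPONSE = {
    "access-control-allow-origin": "https://untrusted.example",  # reflected
    "access-control-allow-credentials": "true",
    "set-cookie": ["refresh_token=placeholder; Path=/; HttpOnly; Secure; SameSite=None"],
}
HARDENED_RESPONSE = {
    "access-control-allow-origin": "https://langflow.internal.example",  # allowlist
    "access-control-allow-credentials": "true",
    "set-cookie": ["refresh_token=placeholder; Path=/; HttpOnly; Secure; SameSite=Lax"],
}


def cookie_attrs(set_cookie):
    """Parse one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value
    return name, attrs


def assess(headers, request_origin):
    """Return sorted findings for a response to a request from request_origin.

    headers: dict with lowercase names; 'set-cookie' holds a list of values.
    request_origin should be an origin that must NOT be trusted."""
    findings = []
    acao = headers.get("access-control-allow-origin", "")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        findings.append("cors-wildcard-origin")  # browsers refuse credentials with '*'
    elif acao and acao == request_origin:
        findings.append("cors-reflects-request-origin")
        if creds:
            findings.append("cors-credentialed-cross-origin-read")
    lax_cookies = True
    for raw in headers.get("set-cookie", []):
        name, attrs = cookie_attrs(raw)
        if attrs.get("samesite", "").lower() == "none":
            findings.append(f"cookie-samesite-none:{name}")
            lax_cookies = False
    # Both halves present: a cross-site page can make a credentialed request
    # and read the token-bearing response, the CVE-2025-34291 shape.
    if "cors-credentialed-cross-origin-read" in findings and not lax_cookies:
        findings.append("cross-site-token-theft-possible")
    return sorted(findings)


if __name__ == "__main__":
    print("weak:", assess(WEAK_RESPONSE, UNTRUSTED_ORIGIN))
    print("hardened:", assess(HARDENED_RESPONSE, UNTRUSTED_ORIGIN))
```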
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
KnowledgeDeliver vulnerability exploited to deploy BLUEBEAM Web Shell
According to Google Mandiant, threat actors exploited the vulnerability in KnowledgeDeliver, CVE-2026-5426, to deploy the Godzilla web shell, also tracked as BLUEBEAM, enabling remote command execution, payload deployment, and long-term persistence within compromised KnowledgeDeliver environments. The attackers modified web application permissions to grant unrestricted “Everyone” access to application directories and tampered with JavaScript resources to display fraudulent security alerts prompting users to install fake security authentication plugins. The malicious JavaScript additionally retrieved secondary payloads from attacker-controlled infrastructure through stealthy background requests embedded within compromised web content. The observed activity ultimately delivered Cobalt Strike Beacon malware to victim systems through malicious installers customized for targeted organizations. Mandiant assessed that the campaign demonstrated a layered post-exploitation workflow combining web-shell persistence, user deception, malicious script injection, and staged malware delivery to maintain operational access across compromised enterprise learning environments.
Fortinet uncovers persistent P2Pinfect botnet activity
According to Fortinet FortiGuard Labs, persistent P2Pinfect activity targeted exposed Google Kubernetes Engine environments across multiple organizations, with one observed compromise persisting for nearly six months following initial access through misconfigured Redis instances. The botnet activity repeatedly triggered FortiCNAPP Composite Alerts, demonstrating how exposed cloud infrastructure and insecure Redis deployments enabled long-term persistence across containerized environments. FortiGuard Labs identified a new deployment script named deployer.sh used to install updated P2Pinfect clients, while telemetry additionally revealed overlap in indicators of compromise across affected organizations. Although no second-stage payload deployment was observed during the investigated intrusions, Fortinet noted that P2Pinfect variants previously remained dormant for extended periods before delivering ransomware, cryptominers, and usermode rootkit capabilities. The investigation additionally revealed communication with P2Pinfect peers deployed through exploitation of CVE-2025-11953 during November 2025, indicating operational expansion beyond Redis-focused exploitation into React-based attack surfaces.
What were the most trending OSS vulnerabilities this week?
Open-Source Software (OSS) vulnerabilities are security weaknesses discovered in publicly available codebases that can be exploited across widely used libraries, frameworks, and tools, often impacting thousands of downstream applications.
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Conclusion
Collectively, this week’s activity reinforced that modern threat operations no longer rely solely on zero-days, but increasingly abuse trusted platforms, exposed cloud infrastructure, and legitimate software ecosystems to establish persistence and scale attacks rapidly across enterprise environments. The continued exploitation of internet-facing applications, developer tooling, and containerized infrastructure shows how operational complexity and interconnected services expand the attack surface far beyond traditional perimeter security models. The observed campaigns also demonstrated how threat actors combine social engineering, web-shell persistence, malicious package distribution, and cloud-native abuse into adaptive multi-stage intrusion workflows capable of evading conventional detection mechanisms. Continuous visibility into active exploitation trends, infrastructure exposure, and emerging attacker tradecraft through platforms such as Loginsoft Vulnerability Intelligence (LOVI) remains essential for strengthening proactive defense and accelerating enterprise remediation efforts.
FAQs
1) What is Ghost CMS?
Ghost is an open-source content management and publishing platform built on Node.js and widely used for blogs, newsletters, membership platforms, and modern digital publishing operations. The platform supports headless publishing workflows and API-driven content delivery, making it popular across enterprise media, SaaS, and online publishing environments.
2) What is KnowledgeDeliver?
KnowledgeDeliver is a web-based learning management system (LMS) platform used to deliver online training, certifications, educational content, and enterprise learning services through browser-accessible environments. Built on the ASP.NET framework, the platform is commonly deployed across enterprise, education, and professional training environments to manage users, courses, and digital learning workflows.
3) Does inclusion in the CISA KEV catalog mean exploitation is widespread?
Not necessarily widespread - but confirmed. KEV inclusion indicates verified in-the-wild exploitation. While the scale may vary, the operational reality is that threat actors possess working exploits, making patch prioritization urgent regardless of observed targeting volume.
4) How does LOVI help organizations manage vulnerabilities effectively?
Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.
5) What is Cytellite?
Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.