Weekly security intelligence digest covering the most critical vulnerabilities, threats, and breach news from the past week.


🚨 Critical: CISA Known Exploited Vulnerabilities

These vulnerabilities are being actively exploited in the wild. Immediate action required.

CVE-2026-0257: Palo Alto Networks PAN-OS Authentication Bypass Vulnerability

Vendor/Product: Palo Alto Networks PAN-OS

Description: Palo Alto Networks PAN-OS contains an authentication bypass vulnerability that allows attackers to bypass security restrictions and establish an unauthorized VPN connection.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-06-01

Reference: CVE-2026-0257 - NVD

Expert take: VPN gateways are the front door to your network, and an auth bypass on one means an attacker walks through that door without a key. This is the GlobalProtect bug, and it’s already being used in real attacks to get inside corporate networks. Edge devices like this are a favorite target for ransomware crews and initial-access brokers, because one bypass gets them past the perimeter and onto the internal network in a single step — no phishing, no malware delivery needed. The due date is basically now, so there’s no runway. Patch immediately, and don’t stop there: pull your VPN logs and look for sessions you can’t account for, because if you were exposed, someone may already be in.


CVE-2026-48027: Nx Console Embedded Malicious Code Vulnerability

Vendor/Product: Nx Nx Console

Description: Nx Console contains an embedded malicious code vulnerability that allowed a malicious version of Nx Console to be published. The compromised extension fetched an obfuscated payload that could harvest credentials from multiple sources on disk and in memory.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-06-10

Reference: CVE-2026-48027 - NVD

Expert take: This isn’t a server bug you patch — it’s a supply-chain compromise, which is a different kind of bad. A malicious version of the Nx Console extension got published, and once installed it pulled down an obfuscated payload that scraped credentials straight off disk and out of memory. So the damage isn’t “your server is vulnerable,” it’s “if one of your developers installed the bad version, their machine and every token on it is already gone.” Think SSH keys, cloud creds, npm and GitHub tokens — the keys to everything a dev touches. Patching does nothing for what’s already stolen. Find out who installed the affected version, treat those machines as compromised, and rotate every credential that lived on them. Speed matters, because stolen tokens get used fast.


CVE-2026-45321: TanStack Unspecified Vulnerability

Vendor/Product: TanStack TanStack

Description: TanStack contains an unspecified vulnerability that allowed malicious versions of the product, carrying credential-stealing malware, to be published to the npm registry under a trusted identity.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-06-10

Reference: CVE-2026-45321 - NVD

Expert take: Read this one right after the Nx entry, because it’s the same story from the same wave — malicious versions of a trusted, widely used package pushed to npm under the maintainer’s own identity, carrying credential-stealing malware. TanStack libraries (Query, Router, Table) sit in a huge number of front-end projects, so the blast radius is wide. The scary part is the “trusted identity” bit: your tooling pulled it because it looked legitimate, signed off by the real publisher. That’s the whole npm trust model turned against you. So the fix isn’t just “update” — check your lockfiles for the bad versions, see if any build pulled them, and if so, rotate credentials on those build machines and CI runners. Going forward, pin versions and don’t let CI silently grab whatever’s newest.
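Both the Nx and TanStack entries above come down to the same response step: find out whether any project pulled a flagged package version and whether CI is free to grab newer releases. The script below is an added example, not part of the digest; it reads an npm lockfile (lockfileVersion 2/3) against a flagged-version list and reports dependencies declared as ranges instead of pinned versions. The FLAGGED versions are constructed placeholders, since the advisories' exact version numbers are not given here.

```python
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed placeholder data: package -> versions named as compromised.
# Substitute the exact versions from the vendor and CISA advisories.
FLAGGED: Dict[str, Set[str]] = {
    "@tanstack/react-query": {"9.9.9-placeholder"},
    "nx": {"9.9.9-placeholder"},
}
# Exact semver (optional prerelease/build), i.e. not a ^, ~ or range spec.
EXACT = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def flagged_packages(lock: dict) -> List[Tuple[str, str]]:
    """(name, version) for each lockfileVersion 2/3 entry matching FLAGGED."""
    hits: List[Tuple[str, str]] = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        # Entries are keyed by install path; aliases carry an explicit "name".
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in FLAGGED.get(name, set()):
            hits.append((name, meta["version"]))
    return hits


def unpinned(package_json: dict) -> List[str]:
    """Dependencies declared as ranges rather than exact versions."""
    return [
        name
        for section in ("dependencies", "devDependencies")
        for name, spec in package_json.get(section, {}).items()
        if not EXACT.match(spec)
    ]


# Constructed sample inputs: one flagged lockfile entry, one unpinned spec.
SAMPLE_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "demo", "version": "1.0.0"},
  "node_modules/@tanstack/react-query": {"version": "9.9.9-placeholder"},
  "node_modules/nx": {"version": "1.0.0"}}}""")
SAMPLE_PKG = {"dependencies": {"@tanstack/react-query": "^9.9.9", "nx": "1.0.0"}}

if __name__ == "__main__":
    print(flagged_packages(SAMPLE_LOCK))  # [('@tanstack/react-query', '9.9.9-placeholder')]
    print(unpinned(SAMPLE_PKG))           # ['@tanstack/react-query']
```

Run it against each repository's package-lock.json and package.json; a hit means the build host and its CI runners get the credential-rotation treatment described above.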


CVE-2026-8398: Daemon Tools Lite Embedded Malicious Code Vulnerability

Vendor/Product: Daemon Daemon Tools Lite

Description: Daemon Tools contains an unspecified vulnerability that has a high impact on confidentiality, integrity, and availability.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-05-30

Reference: CVE-2026-8398 - NVD

Expert take: Daemon Tools is a consumer disk-imaging utility — the kind of thing someone installs to mount an ISO and then forgets about. So the real question this one raises isn’t “how bad is the bug,” it’s “why is this on a managed machine at all?” Utility software like this has a long history of bundling junk, and now there’s malicious code riding along with high impact across the board. If you find it in your environment, the move is simple: remove it. But the bigger takeaway is it shouldn’t have been there in the first place — this is a software-allowlisting and shadow-IT problem wearing a CVE costume. Figure out how it got installed and tighten what users can put on company devices.


CVE-2026-48172: LiteSpeed cPanel Plugin Privilege Escalation Vulnerability

Vendor/Product: LiteSpeed cPanel Plugin

Description: LiteSpeed cPanel Plugin contains a privilege escalation vulnerability that is exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with root privileges.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-05-29

Reference: CVE-2026-48172 - NVD

Expert take: This is a local privilege escalation, which sounds tame until you remember what cPanel is — the control panel for shared web hosting, where lots of separate customers share one server. The flaw lets any cPanel user run scripts as root. On a shared box that’s catastrophic: one low-privilege account, maybe a customer’s, maybe a cracked password, becomes root over the entire server and every other site on it. So if you run hosting, this is a one-account-takes-all situation. Patch the plugin now, and if you’re a provider, assume any shared server could be the pivot point and check for signs someone already climbed to root. If you’re just a tenant on someone else’s hosting, ask your provider whether they’ve patched.


📰 This Week’s Security News

WP Maps Pro bug exploited to create admin accounts on WordPress sites

Hackers are targeting WordPress websites running a vulnerable version of the WP Maps Pro plugin, which allows creating rogue administrator accounts without authentication. […]

Read more: WP Maps Pro bug exploited to create admin accounts on WordPress sites


Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks

Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks. […]

Read more: Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks


California AG sues 23andMe over 2023 breach exposing health data

California Attorney General Rob Bonta filed a lawsuit against 23andMe, now Chrome Holding Co., over the company’s failure to protect sensitive customer genetic and personal information. […]

Read more: California AG sues 23andMe over 2023 breach exposing health data


✅ What You Should Do This Week

  • Immediate: Patch CVE-2026-0257, CVE-2026-48027 (actively exploited)
  • Verify: Check your systems against CISA KEV catalog
  • Monitor: Review Azure AD sign-in logs for suspicious activity
  • Audit: Verify MFA is enforced for all privileged accounts
  • Backup: Test your disaster recovery procedures

📬 Stay Updated

Subscribe to receive weekly security digests directly in your inbox.

Questions or feedback? Contact us


GRC Vitrix provides cloud security and compliance intelligence for financial services professionals. This digest is curated from publicly available sources including CISA, Microsoft MSRC, and industry news.