CISA

Blogs Security Advisory

Attackers May Exploit SQL Injection Vulnerability in Drupal’s Database

Key Highlights from Drupal Core SQL Injection Vulnerability: CVE-2026-9082

Severity: Highly Critical

CVSSv3: 6.5 : Medium

  1. CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core’s database abstraction API
  2. Can be exploited by unauthenticated attackers on sites using PostgreSQL.
  3. No exploitation has been observed in the wild, but a detection PoC was published on the same day as the advisory and the patch diff was shared publicly within hours.
  4. Patches are available across six supported Drupal branches, including two exceptional releases for end-of-life versions.

Critical SQL injection Vulnerability in Drupal core Affects sites running PostgreSQL

As per Tenable, this vulnerability only affects Drupal sites using PostgreSQL as their database backend. Sites running MySQL, MariaDB, or SQLite are not affected. The vulnerable code resides in Drupal’s PostgreSQL EntityQuery condition handler, which is only invoked on PostgreSQL configurations. No  in-exploitation in the wild reported.

Threat Mitigation: Drupal Core SQL Injection Vulnerability

This means older versions of Drupal — specifically Drupal 8.9 and 9.5 — are no longer officially supported and will not receive normal security update packages anymore because they have reached end-of-life (EOL).

  • Drupal has still released special emergency “hotfix” files for:
    • Drupal 9.5.11
    • Drupal 8.9.20

These hotfixes help protect vulnerable websites from the reported security issue. The update also includes security fixes from third-party components used inside Drupal, including:

  • Symfony
  • Twig

Even if organizations are not using PostgreSQL databases, Drupal still recommends updating because other security vulnerabilities are also fixed in these releases.

Affected Environments by  CVE-2026-9082

The vulnerability only affects certain versions of Drupal when the website uses a PostgreSQL database.

In simple terms:

  • Vulnerable versions:
    • Drupal 8.9.0 to 11.3.9
  • Affected only if:
    • The site uses PostgreSQL as its database backend

The issue exists in the PostgreSQL-specific code used by Drupal to process database queries.

Websites using: MySQL, MariaDB and SQLite are not affected by this particular vulnerability because they use different database handling code.

Additionally: Drupal 7 is completely unaffected by this issue.

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2026-9082 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Drupal estimates that under 5% of installations run on PostgreSQL. Across the hundreds of thousands of public Drupal sites, that still leaves thousands of internet-reachable targets, concentrated in the segments where Drupal adoption is strongest.

Drupal Patches:

Drupal released fixes across all six supported branches on May 20: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10. The security team also published exceptional patches for the end-of-life 8.9 and 9.5 branches, given the severity and the volume of legacy installations.

The advisory recommends upgrading to the patched release matching the current branch (11.3.x to 11.3.10, 11.2.x to 11.2.12, 11.1.x or 11.0.x to 11.1.10, 10.6.x to 10.6.9, 10.5.x to 10.5.10, 10.4.x or earlier to 10.4.10). Drupal 8 and 9 sites should treat the exceptional patches as a stopgap rather than a long-term position, because other unpatched issues remain in those branches.

Defenders should verify patch status directly with their hosting provider rather than assume any specific platform-level fix is in place.

CISA Adds  CVE-2026-9082 in its KEV Catalogue

The vulnerability was officially added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 22, 2026, indicating confirmed exploitation activity.

Federal agencies and organizations are required to remediate the issue by May 27, 2026, under Binding Operational Directive (BOD) 22-01.

Conclusion: Because of improper input validation, attackers can insert harmful SQL commands into input fields such a application. If unchecked or not sanitized on time, user input before sending it to the database, attackers may manipulate backend database operations potentially bypassing authentication controls. This may lead to accessing sensitive database information and modify or delete data.

If patching is not applicable or not matching with application, organizations should consider temporarily turning off affected services until mitigation measures are in place. The active exploitation of CVE-2026-9082 underscores the ongoing risk posed by SQL injection vulnerabilities in widely used platforms such as Drupal.

Security Advisory

Microsoft Defender Vulnerability Leveraged in 0-Day Attacks; Patches Rolled Out

Microsoft has released security updates to fix two vulnerabilities in Microsoft Defender that attackers were already exploiting in real-world zero-day attacks. This exploitation was confirmed by CISA, which has added the security flaws to its known exploited vulnerability(KEV) catalogue.

As per Microsoft, they addressed the two security defects in Microsoft Defender Antimalware Platform version 4.18.26040.7. According to the company, systems with Microsoft Defender disabled are not exploitable, even though Defender’s files remain on disk.

 CVE-2026-41091, vulnerability affects older versions of the Microsoft Malware Protection Engine used by Microsoft antivirus and anti-malware products.

(CVE-2026-45498,) affects systems running the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier.

CVE IDAffected ProductVulnerability DescriptionPotential ImpactSeverity Rating
CVE-2026-41091Microsoft Malware Protection EngineVulnerability affecting older versions of the Microsoft antivirus and anti-malware scanning enginePrivilege escalation allowing attackers to gain SYSTEM-level access🔴 Critical
CVE-2026-45498Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlierVulnerability affecting Microsoft Defender and related endpoint protection platformsSecurity risk impacting endpoint protection systems and enterprise security tools🟠 High

CVE-2026-41091 vulnerability affects:

  • The flaw allows attackers to trick the antivirus engine into accessing files incorrectly.
  • By exploiting this weakness, attackers can gain SYSTEM-level privileges, which is the highest level of access on a Windows system.
  • With this access, attackers could potentially take full control of the affected device.

CVE-2026-45498 vulnerability affects:

Attackers can exploit the flaw to make affected Windows systems stop responding or crash. This creates a Denial-of-Service (DoS) condition, where the device or security service becomes unavailable temporarily.

As a result, users may experience:

  • System slowdowns or freezes
  • Security services stopping unexpectedly

CISA Adds the vulnerability in its KEV

For Malware attacks the vulnerability fits well and attackers are in advantageous position. In first to prevent detection if the system relies only on Microsoft endpoint protection and second to gain full control over the system.

On Wednesday, the United States Cybersecurity and Infrastructure Security Agency (CISA), added the two vulnerabilities, tracked as CVE-2026-41091 and CVE-2026-45498, to its Known Exploited Vulnerabilities (KEV) catalog, signaling that exploitation was detected in the wild.

Privilege Escalation Flaw:

The vulnerability CVE-2026-41091 is a Privilege Escalation (PE) flaw affecting mpengine.dll, a core component of the Microsoft Malware Protection Engine used by Microsoft Defender and other Microsoft security products.

mpengine.dll (Microsoft Malware Protection Engine) is responsible for:

  • Malware scanning
  • Threat detection
  • File inspection
  • Cleaning and remediation operations
  • The vulnerability arises from an improper link resolution before file access issue, commonly referred to as a link following vulnerability.
  • During scanning or file operations, the engine may improperly handle symbolic links, junctions, or reparse points before validating the target file path.
  • An attacker can exploit this behavior by crafting malicious file links that redirect privileged operations to unintended system locations.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the U.S. cybersecurity agency warned.

“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”

On Tuesday, also shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day flaw that allows attackers to access protected drives.

CISA gave federal agencies until June 3 to ensure mitigation measures are in place.

Threat Mitigation advice from Microsoft:

“For enterprise deployments as well as end users,” Microsoft said, “the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically,” and as such no action is required as the update that is now rolling out will get applied without user input.

Most Windows systems using Microsoft Defender are configured to update automatically. What happens if automatic updates are enabled, users usually do not need to manually install the security fix.

It is assumed Microsoft Defender should automatically download and apply the updated malware protection engine and required security update in the background.

One can ensure that all the latest updates are installed and configures device protection against the recently disclosed vulnerabilities.

The April 2026 vulnerabilities identified in Defender:

Few months back we have witnessed how a zero-day vulnerability in Microsoft Defender, dubbed “RedSun,” allowed an unprivileged user to escalate privileges to full SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server 2019 and later systems.

RedSun was the second zero-day exploit published within a two-week span in April 2026 by the security researcher known as “Chaotic Eclipse” 

For threat mitigation it was advised that security teams should closely watch for suspicious activity involving Microsoft Defender until Microsoft releases an official fix. Attackers may try to misuse certain Windows files and Defender processes to gain higher access or modify protected system files.

RakshaOne from Intrucept helps simplify workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

SIEM Helps Detect Exploitation

 Privilege Escalation Detection (CVE-2026-41091)

The SIEM can correlate:

  • Suspicious file write activity
  • Abnormal SYSTEM privilege assignments
  • Unexpected execution of privileged processes
  • Defender engine (mpengine.dll) anomalies
  • Unauthorized access attempts to protected system directories

DoS & Security Service Monitoring (CVE-2026-45498)

The SIEM can detect:

  • Unexpected Microsoft Defender crashes
  • Antimalware service restarts
  • Endpoint protection failures
  • Repeated system instability events
  • Disabled or unavailable Defender services

This helps security teams identify attempts to disrupt endpoint protection mechanisms

Sources: Security Update Guide – Microsoft Security Response Center

Sources:

Security Advisory

PAN-OS Firewall of PaloAlto Vulnerability Exploited for RCE

CVE 2026-0300 is a critical vulnerability with CVSS score of 9.3

PaloAlto Networks has issued strict advisory for its customers after an actively exploited zero-day vulnerability, affected its firewall operating system, PAN-OS. CVE 2026-0300 allows attackers to gain full control of affected systems without authentication.

The zero-day bug stems from a buffer overflow weakness, allowing unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls via specially crafted packets.

Active Exploitation Observed in the Wild

Palo Alto Networks confirmed that exploitation attempts have already been observed in its advisory and urged its customers and organizations to mitigate exposure immediately.

What did the vulnerability affect:

  • PAN-OS 10.2 below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6
  • PAN-OS 11.1 below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15
  • PAN-OS 11.2 below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, 11.2.12
  • PAN-OS 12.1 below 12.1.4-h5, 12.1.7

Excluded from vulnerability are Prisma Access, Cloud Next-Generation Firewall (Cloud NGFW), and Panorama appliances are not impacted by this vulnerability.

PoC of CVE 2026-0300

PaloAlto published a PoC on May 6, showing how an unauthenticated request to the User-ID Authentication Portal can reliably trigger the buffer overflow and achieve root-level RCE on affected PAN-OS versions.

While the repository is framed as research code and includes legal disclaimers, it materially lowers the barrier to exploitation by validating exploit mechanics.

Palo Alto Networks has not shared details about who is behind the attacks and has not released indicators of compromise at the time of writing.

Patching & Remediation

Since security patches takes time, PaloAlto recommends reducing exposure is the most effective way to contain risk. Palo Alto Networks proactively alerted customers to the zero-day, a step that allowed defenders to take action on potentially exposed instances. 

If the User-ID Authentication Portal is not required for business operations, Palo Alto Networks recommends disabling it entirely. Firewalls that do not have the Authentication Portal enabled are not affected by this vulnerability.

The company has stated that security fixes will be released in stages between May 13-28, depending on the PAN‑OS version in use.

In advance of these patches, Palo Alto released a Threat Prevention signature on May 5 for PAN-OS 11.1 and newer to help detect or block exploitation attempts. Applying this signature, where supported, provides interim protection but does not replace the need to reduce exposure and deploy patches once available.

For security teams, immediate focus should be on identifying PA-Series and VM-Series firewalls with the User-ID Authentication Portal enabled, confirming whether those services are reachable from untrusted networks, and scheduling timely deployment of Palo Alto’s fixes as they are released.

Monitoring unexpected firewall behavior or unplanned configuration changes provides additional awareness during the period of active exploitation.

A similar authentication bypass vulnerability (CVE-2025-0108) was discovered in Palo Alto Networks PAN-OS allows unauthenticated attackers with network access to bypass authentication on the management web interface on 20 feb 2025. https://intruceptlabs.com/2025/02/palo-alto-firewall-vulnerabilities-under-active-exploitation/

Firewall infrastructure attack increased in recent years so are the Stakes for Enterprise and Critical Infrastructure

Firewalls are the prime targets because if firewall can be controlled the entire network is in hands of hackers. In recent years, the frequency and success of exploits targeting firewall vulnerabilities have been alarmingly high. Threat actors take on management interfaces, login pages and authentication portals as most common targets for both opportunistic and targeted campaigns.

A successful compromise in the firewall can allow attackers to:

  • Intercept entire network traffic
  • Disable security protections
  • Move laterally inside corporate networks
  • Establish persistent backdoors

For stronger defense allow Intrucept to proactively test your defenses by identifying vulnerabilities fast. You can start the process to enhance your security posture and protect your digital assets from evolving threats.

Call us for a demohttps://intruceptlabs.com/contact/

Sources: https://fieldeffect.com/blog/palo-alto-firewall-zero-day-unauthenticated-root-access#:~:text=On%20May%205%2C%202026%2C%20Palo,systems%20accessible%20from%20untrusted%20networks.

Sources: https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-actively-exploited-firewall-zero-day

Cybersecurity News

Surge in CVE Volume lead NIST to Prioritizes NVD Program

NIST’s NVD program aimed to analyze all CVEs to add details — such as severity scores and product lists that mostly assisted cybersecurity professionals prioritize and mitigate vulnerabilities.

Continue Reading
Security Advisory

Apache ActiveMQ Vulnerability CVE-2026-34197 Exploited in the Wild

CVE-2026-34197, an Apache ActiveMQ flaw

Continue Reading
Cybersecurity News Security Advisory

2 Cyber security Vulnerabilities Affecting Hikvision & Rockwell Automation-CVSS 9.8 Flaws

CISA emphasized the urgency of addressing these vulnerabilities

Continue Reading
Cybersecurity News

CISA added FileZen CVE-2026-25108 to its KEV Catalog; Patch Now

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-25108 to its Known Exploited Vulnerabilities (KEV) catalog, that is being exploited in the wild.

Findings from CISA also confirmed about the flaw, that it affects Soliton Systems K.K. FileZen, a file transfer product. It has been included in KEV, sensing urgency for organizations still running vulnerable versions of the product.

“Soliton Systems K.K FileZen contains an OS command injection vulnerability when a user logs-in to the affected product and sends a specially crafted HTTP request,” CISA said.

Key Findings from FileZen CVE-2026-25108 vulnerability added in CISA’s KEV list

The primary reason after evaluation by threat researcher’s were –

FileZen CVE-2026-25108 is an OS command injection vulnerability. According to NVD, when the FileZen Antivirus Check Option is enabled, a logged-in user can send a specially crafted HTTP request and execute arbitrary operating system commands. In such scenario an attacker with valid access could potentially run commands on the underlying server, creating serious risk to confidentiality, integrity, and availability.

  • The vulnerability carries a CVSS v4 score of 8.7 (High) from JPCERT/CC, and NVD also lists a CVSS v3.1 score of 8.8 (High).
  • Being a high-severity, actively exploited flaw tied to direct command execution and class of bug occurs when an application improperly handles input that ends up being interpreted by the operating system as a command.
  • For attackers it becomes easy to manipulate server behavior and potentially execute arbitrary commands

Why CISA added FileZen CVE-2026-25108 to its KEV

  • The vulnerability is not unauthenticated and any exploitation by attackers will requires a user to be logged in and it’s still not safe.
  • What we witnessed in case of many real-world attacks always begins with stolen credentials or weak passwords or previously compromised accounts of less privileged.
  • Any availability of any valid account could escalate the flaw like FileZen CVE-2026-25108 can pave way for an deeper compromise in future.
  • This is exactly why CISA’s KEV addition matters so much. A KEV listing means the issue has moved beyond theoretical risk and into confirmed real-world exploitation.
Impact of the Vulnerability as assessed by vendor JVN (Japan Vulnerability Notes)

JVN states that if a user logs in to the affected product and sends a specially crafted HTTP request, an arbitrary OS command may be executed.

Soliton similarly says there is a possibility that a remote third party could execute arbitrary OS commands within FileZen.

The practical impact of that can be severe. Depending on server configuration and user privileges, successful exploitation could allow an attacker to:

  • Run unauthorized commands on the server
  • Manipulate files or processes
  • Establish persistence
  • Access sensitive transferred data
  • Use the compromised FileZen environment as a pivot point into internal systems

Technical Analysis of CVE-2026-25108

OS command injection occurs when an application transmits unsafe data-such as cookies, form fields, or HTTP headers-to an operating system shell. In the case of FileZen, the vulnerability manifests during the file processing phase when the Antivirus Check Option is active. The system’s internal logic processes HTTP requests in a manner that allows an attacker to append shell commands to legitimate parameters.

Remediation & understanding why it is essential to integrate with threat intelligence monitoring platform

Organizations utilizing these versions must prioritize the transition to version 5.0.11 or later. When vendor platform Soliton indicated that simply disabling the Antivirus Check Option may reduce the immediate attack surface but does not replace the requirement for a full firmware update.

As per vendor’s suggestion a resetting of password for all users if an organization suspects a compromise. Integration with cyber threat intelligence platform will provide early warning indicators of exploitation as cyber threat intelligence platforms collect data from various sources to provide early warning indicators of exploitation.

CISA has set a deadline of March 17, 2026, for Federal Civilian Executive Branch (FCEB) agencies to remediate CVE-2026-25108. This mandate specifically applies to federal agencies, it serves as a stark reminder for private sector organizations. The inclusion in the KEV catalog implies that the vulnerability is being used in the wild, likely by state-sponsored actors or organized cybercriminal groups.




Sources; CVE-2026-25108 CISA Confirms Active Exploitation of FileZen

Blogs Security Advisory

Ransomware attackers Exploit VMware ESXi arbitrary-write vulnerability

VMware ESXi VMware vulnerabilities

Continue Reading
Security Advisory

Critical Solar Winds Vulnerabilities being Exploited by Threat Actors

Critical Solar Winds Vulnerabilities being Exploited by Threat Actors

Continue Reading
Security Advisory

Critical Ivanti EPMM Attacks Exploited RCE; Security Updates Released

Ivanti has disclosed two critical code injection vulnerabilities in its Endpoint Manager Mobile (EPMM) product that enable unauthenticated remote code execution and have been exploited in zero-day attacks.

Continue Reading
Scroll to top