Threat Intelligence Brief — May 25, 2026
Coverage: May 24–25, 2026
Previous reports: May 23, 2026 | May 22, 2026 | May 21, 2026
New vulnerability entries are listed first. Items from earlier reports that carry a material update or are newly added to the CISA KEV catalog are summarised in the updates section at the bottom, with links to the original detailed entries.
Ghost CMS — CVE-2026-26980
Software affected: Ghost CMS (Node.js content management system), npm package ghost, versions 3.24.0 through 6.19.0. Fixed in version 6.19.1.
CVE: CVE-2026-26980 | CVSS 9.4 Critical (GitHub CNA) | CWE-89 (SQL Injection) | Actively exploited in the wild — over 700 sites compromised
Fixable: Yes. Update Ghost to version 6.19.1 or later. The fix is available on npm and via the Ghost GitHub repository.
Business impact: This is a SQL injection vulnerability in Ghost’s Content API that requires no authentication and no user interaction. An attacker can query the database and extract the site’s Admin API Key without any credentials. Once that key is obtained, the attacker uses the Ghost Admin API to bulk-inject malicious JavaScript into every article on the site. Security researchers at QiAnXin XLab detected an active exploitation campaign beginning May 7, 2026, in which attackers compromised over 700 websites, including those belonging to universities, blockchain companies, AI firms, SaaS providers, security research organisations, media outlets, and fintech companies. The injected JavaScript acts as a loader that fingerprints visitors using a commercial traffic distribution service, filters out security scanners and researchers, and serves genuine visitors a fake CAPTCHA page. This is a ClickFix attack: victims are instructed to paste a Base64-encoded command into the Windows Run dialog, which downloads and executes a multi-stage payload culminating in a persistent Electron-based backdoor that polls the attacker’s infrastructure for commands every 30 seconds. Visitors to a compromised Ghost site during the attack window may have had malicious code presented to them. The CVE was originally discovered by Anthropic using its Claude AI model, illustrating the emerging role of AI-assisted vulnerability research.
How to fix: Update Ghost to version 6.19.1 immediately. After updating, rotate all Ghost Admin API keys and Content API keys from the Ghost admin panel under Settings, Integrations. Audit all published articles for unexpected JavaScript injections — check page source for unfamiliar script tags or inline scripts, particularly at the bottom of article content. Review Ghost and web server access logs for suspicious Content API requests around May 7, 2026 and beyond. If your site served visitors during the compromise window, consider notifying them. Block the known C2 domains at your DNS and network level: clo4shara[.]xyz and web-telegram[.]ug.
Recommended action: Urgent for all Ghost CMS deployments. The attack chain leads directly to code execution on visitor machines and persistent compromise of the server. Update, rotate API keys, and audit content immediately. Self-hosted Ghost installations are at most risk; check whether your hosting provider offers managed updates if you are on a managed plan.
Official source: GitHub Security Advisory GHSA-w52v-v783-gw97 | NVD — CVE-2026-26980 | Ghost v6.19.1 Release
SEPPMail Secure E-Mail Gateway — CVE-2026-2743
Software affected: SEPPMail Secure E-Mail Gateway appliance, all versions up to and including 15.0.2.1. The vulnerability is in the large file transfer feature of the user web interface. Fixed in version 15.0.3, released March 3, 2026. The current latest release is 15.0.5.
CVE: CVE-2026-2743 | CVSS 9.8 Critical | CWE-22 (Path Traversal) and CWE-434 (Unrestricted File Upload) | No confirmed active exploitation at time of reporting
Fixable: Yes. Update to SEPPMail version 15.0.3 or later. Version 15.0.5 is the current release.
Business impact: An unauthenticated remote attacker can exploit a path traversal vulnerability in the large file transfer component of the SEPPMail user web interface to upload an arbitrary file to an arbitrary location on the server, and then trigger its execution to achieve remote code execution with the privileges of the application. SEPPMail is a widely deployed secure email gateway used by organisations to enforce email encryption and data loss prevention policies. Compromise of the email gateway gives an attacker a position in the network to intercept all inbound and outbound email, exfiltrate sensitive communications, redirect mail flow, and pivot to internal systems. This CVE is one of a cluster of four RCE vulnerabilities in SEPPMail discovered by InfoGuard Labs (CVE-2026-2743, CVE-2026-7864, CVE-2026-44127, CVE-2026-44128). Patches for all four are included in the 15.0.3 and later releases.
How to fix: Update the SEPPMail appliance to version 15.0.3 or later (15.0.5 recommended as the current release). Updates are available via the SEPPMail management interface or from SEPPMail support. If an immediate update is not possible, restrict access to the large file transfer feature and ensure the SEPPMail web interface is not exposed directly to the internet — it should be accessible only from trusted networks or via VPN.
Recommended action: High priority. CVSS 9.8 with an unauthenticated network vector and remote code execution outcome. Patch promptly. If your SEPPMail appliance has been internet-facing without this patch since before March 2026, treat the system as potentially compromised and conduct a forensic review of access logs.
Official source: SEPPMail Release Notes — version 15.0.3 security section | NVD — CVE-2026-2743
Apache OFBiz — CVE-2026-45434
Software affected: Apache OFBiz, all versions before 24.09.06. Fixed in version 24.09.06.
CVE: CVE-2026-45434 | CVSS 9.8 Critical (CISA-ADP) | CWE-287 (Improper Authentication) | No confirmed active exploitation at time of reporting, though Apache OFBiz has a strong history of rapid post-disclosure weaponisation
Fixable: Yes. Upgrade to Apache OFBiz version 24.09.06.
Business impact: A flaw in OFBiz’s password-change logic allows an unauthenticated remote attacker to bypass authentication controls and achieve remote code execution on the server. Apache OFBiz is an open-source enterprise resource planning and e-commerce framework used by organisations for order management, inventory, accounting, and customer management. Full server compromise from an unauthenticated position means an attacker can exfiltrate business data, manipulate financial records, access customer and supplier information, and use the compromised server as a pivot point into the broader network. Apache OFBiz has a documented pattern of critical authentication bypass vulnerabilities being rapidly weaponised — CVE-2023-51467 and CVE-2024-38856 were both mass-exploited within days of disclosure. This history warrants treating this CVE as an active risk even in the absence of confirmed exploitation at time of writing.
How to fix: Upgrade Apache OFBiz to version 24.09.06. The release is available from the Apache OFBiz project. Review the OFBiz upgrade documentation for your version branch. After upgrading, audit web server access logs for any unusual requests to authentication or password-reset endpoints, particularly from external IP addresses.
Recommended action: High priority. Upgrade immediately if your organisation runs Apache OFBiz. If an immediate upgrade is not possible, restrict external access to the OFBiz application to known IP ranges and do not expose the management interface to the public internet. Given the product’s exploitation history, assume active exploitation attempts are underway.
Official source: Apache OFBiz Security Page | Apache Mailing List Advisory | NVD — CVE-2026-45434
Google Chrome — CVE-2026-8511 through CVE-2026-8522 (12 Critical CVEs)
Software affected: Google Chrome on Windows and macOS, all versions prior to 148.0.7778.168. Google Chrome on Linux, all versions prior to 148.0.7778.167. Microsoft Edge (Chromium-based) is also affected — monitor Microsoft’s Edge release notes for the corresponding patch.
CVEs: CVE-2026-8511 (use-after-free in UI, CVSS 9.6, potential sandbox escape), CVE-2026-8512 (use-after-free in FileSystem), CVE-2026-8513 (use-after-free in Input), CVE-2026-8514 (use-after-free in Aura), CVE-2026-8515 (use-after-free in HID), CVE-2026-8516 (insufficient validation in DataTransfer), CVE-2026-8517 (object lifecycle issue in WebShare), CVE-2026-8518 (use-after-free in Blink), CVE-2026-8519 (integer overflow in ANGLE), CVE-2026-8520 (race condition in Payments), CVE-2026-8521 (use-after-free in Tab Groups), CVE-2026-8522 (use-after-free in Downloads). All 12 are rated Critical by the Chromium security team. No confirmed in-the-wild exploitation at time of reporting.
Fixable: Yes. Chrome updates automatically. A manual check accelerates delivery.
Business impact: The majority of these CVEs are use-after-free vulnerabilities across multiple Chrome subsystems. The leading CVE, CVE-2026-8511, is specifically classified as a potential sandbox escape, meaning a successful exploit could allow an attacker to break out of Chrome’s sandboxed renderer process and execute code at the OS level on the victim machine, simply by directing the user to a crafted webpage. This is a drive-by attack scenario requiring no file download and no more user interaction than visiting a malicious or compromised page. This batch brings the total number of Critical Chrome CVEs in 2026 to 33 — a historically unprecedented rate, widely attributed to the adoption of AI-assisted vulnerability research tools. Organisations that do not enforce browser auto-update policies are likely to have a significant proportion of endpoints running vulnerable Chrome versions at any given time.
How to fix: In Chrome, open the menu, go to Help, then About Google Chrome. Chrome will check for updates and prompt a restart if an update is available. Confirm the version shown is 148.0.7778.168 or later on Windows and macOS, or 148.0.7778.167 or later on Linux. In enterprise environments, push the Chrome update through Google Chrome Browser Cloud Management, group policy, or your endpoint management tool. For Edge, monitor the Microsoft Edge security release notes and apply when the corresponding patch is available.
Recommended action: Apply the Chrome update across all endpoints. Given the volume of critical Chrome CVEs being released in 2026 and the drive-by exploitation risk, enforce browser auto-update via policy if not already configured. Consider this an ongoing hygiene priority rather than a one-time action.
Official source: Chrome Stable Channel Update — May 12, 2026 | NVD — CVE-2026-8511
Splunk Enterprise and Splunk Cloud Platform — CVE-2026-20239
Software affected: Splunk Enterprise versions 10.2.0 through 10.2.1 (fixed in 10.2.2) and 10.0.0 through 10.0.4 (fixed in 10.0.5). Splunk Enterprise versions 9.3.x and 9.4.x are not affected. Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13.
CVE: CVE-2026-20239 | CVSS 6.5 Medium (NVD) / 7.5 High (Splunk CNA) | CWE-532 (Insertion of Sensitive Information into Log File) | No active exploitation reported
Fixable: Yes. Upgrade Splunk Enterprise to 10.2.2 or 10.0.5. Splunk Cloud Platform instances are patched by Splunk. On-premises customers must upgrade manually.
Business impact: A missing output buffer sanitisation in Splunk’s TcpChannel component causes it to log the full contents of I/O buffers at WARN level when discarding data during socket errors. These log entries are written to the _internal index. Any Splunk user whose role grants access to the _internal index — which is not an unusual permission in many Splunk deployments — can view log entries that may contain session cookies and HTTP response bodies from other users’ sessions. In a Splunk environment that ingests sensitive data or hosts dashboards used by multiple teams, this can expose authentication tokens, session identifiers, and the contents of responses to sensitive queries. The vulnerability requires an authenticated Splunk user with _internal index access, which limits the exposure compared to an unauthenticated vector, but internal threats and over-privileged accounts make this relevant in enterprise environments.
How to fix: Upgrade Splunk Enterprise to version 10.2.2 (if on the 10.2 branch) or 10.0.5 (if on the 10.0 branch). If an immediate upgrade is not possible, audit which roles have access to the _internal index and remove that access from any role where it is not strictly required. See Splunk’s role capability documentation for guidance. Splunk Cloud Platform customers do not need to take action — Splunk handles patching for managed instances.
Recommended action: Medium priority. Patch at next available maintenance window for on-premises Splunk Enterprise deployments on affected versions. In the interim, audit _internal index access permissions and restrict them.
Official source: Splunk Security Advisory SVD-2026-0503 | NVD — CVE-2026-20239
Four-Faith F3x36 Industrial Cellular Router — CVE-2024-9643 (Actively Exploited, No Vendor Patch)
Software affected: Four-Faith F3x36 industrial cellular router, firmware version 2.0.0. No vendor-confirmed patch has been identified as of this report. This is an industrial IoT device commonly used for remote monitoring and machine-to-machine communication in operational technology environments.
CVE: CVE-2024-9643 | CVSS 9.8 Critical (VulnCheck) | CWE-798 (Hard-coded Credentials) | Actively exploited by botnets from May 12, 2026
Fixable: No confirmed vendor patch available. Mitigations only.
Business impact: The F3x36 router contains hard-coded administrative credentials in its web management interface. An attacker with network access to the device can use these credentials to gain full administrative control without any authentication. Since May 12, 2026, threat actors have been actively exploiting this vulnerability to incorporate vulnerable devices into botnets, likely for use in distributed denial-of-service attacks and as proxy infrastructure. Industrial cellular routers of this type are frequently deployed in operational technology environments — factories, utilities, remote monitoring stations, and logistics — often with limited visibility and patching cadence. A compromised router in an OT environment can be used to intercept or manipulate data flowing between field devices and control systems, disrupt communications, or serve as a pivot point into the broader corporate network.
How to fix: Contact Four-Faith for firmware updates for the F3x36. If no patch is available or applicable, implement the following mitigations: disable remote management access to the device from the internet entirely; place the device on a dedicated OT network segment with strict ingress and egress controls; use a separate, strong password for the management interface if the firmware allows credential changes; and monitor the device for anomalous outbound traffic indicative of botnet activity. Consider replacing end-of-support devices with alternatives that have an active security patching programme.
Recommended action: High priority for any organisation with Four-Faith F3x36 devices in their environment. Given confirmed active botnet exploitation and no vendor patch, network isolation is the primary control. Inventory all industrial routers in your environment and audit which are internet-facing or reachable from untrusted networks.
Official source: NVD — CVE-2024-9643 | VulnCheck Advisory
ASUS AsusWRT Routers — CVE-2018-5999 (Newly Exploited by RondoDox Botnet)
Software affected: ASUS routers running AsusWRT firmware before version 3.0.0.4.384_10007. This vulnerability was originally disclosed in January 2018 and has been re-weaponised by a new botnet campaign beginning May 17, 2026. Many legacy ASUS router models have not received firmware updates since the vulnerability was originally patched, and some may be end-of-support.
CVE: CVE-2018-5999 | CVSS 9.8 Critical | Actively exploited by the RondoDox botnet from May 17, 2026
Fixable: Yes, if a supported firmware update is available for your specific ASUS router model. Fixed in AsusWRT 3.0.0.4.384_10007. However, many models on this firmware line are end-of-support and may not have received updates.
Business impact: A flaw in the HTTP request handler in AsusWRT allows POST requests to be processed and acted upon even if authentication fails. This means an unauthenticated attacker on the network — or from the internet if the router’s management interface is publicly exposed — can send crafted POST requests to execute administrative operations, including arbitrary command execution on the router. The RondoDox botnet campaign active from May 17, 2026 is targeting these routers to build out botnet infrastructure. A compromised router is typically used for DDoS amplification, traffic proxying, and credential harvesting from devices behind it. End-of-life home routers and small business routers are frequently forgotten in patching cycles and left internet-facing, making them persistent targets for botnet operators. Organisations that issue home routers to remote workers, or that have branch offices using consumer-grade ASUS hardware, are particularly exposed.
How to fix: Log in to the ASUS router management interface and update the firmware to the latest available version for your specific model via the Administration, Firmware Upgrade section. Check the ASUS support site for your model to confirm the current supported firmware version. If no update is available and the model is end-of-support, ensure the router’s remote management interface (WAN-side administration) is disabled — this is accessible under Advanced Settings, Administration, System in AsusWRT. Consider replacing end-of-support devices with currently supported hardware. Block access to the router management interface from WAN by default and from any untrusted network segment.
Recommended action: Check all ASUS routers in your environment, particularly those used by remote workers or in branch offices, and confirm firmware is up to date. Disable WAN-side management access. End-of-support devices should be replaced. This is a low-cost check with meaningful risk reduction given confirmed active botnet exploitation.
Official source: NVD — CVE-2018-5999 | ASUS Support — Firmware Downloads
Supply Chain Incident: TrapDoor — npm, PyPI, and Crates.io (Cross-Ecosystem Credential Stealer)
Software affected: Multiple packages across three package ecosystems published from May 22, 2026. Approximately 34 malicious packages spanning 384 or more versions were published in coordinated waves. The campaign primarily targets developers in the cryptocurrency, DeFi, Solana blockchain, and AI communities, but the credential theft payload is general-purpose. No CVE has been assigned.
Fixable: Remove and avoid all affected packages. Treat any environment that installed one of the malicious packages as compromised and rotate all credentials. Socket Security has published IOC lists and package identifiers for the campaign.
Business impact: The TrapDoor campaign, tracked by Socket Security, is a coordinated multi-ecosystem supply chain attack running across npm (JavaScript), PyPI (Python), and Crates.io (Rust). The npm component uses a shared payload called trap-core.js that, once executed, scans the local machine for developer secrets, validates AWS and GitHub API tokens via live API calls to determine which are active, creates persistence mechanisms via cron jobs, systemd services, Git hooks, and shell hooks, performs SSH lateral movement to other machines the developer can reach, and plants hidden AI configuration files (.cursorrules and CLAUDE.md) containing instructions designed to manipulate AI coding assistants into exfiltrating secrets during normal development sessions. The Rust component targets Sui and Move blockchain developers specifically, using malicious build scripts that execute at compile time to locate local keystores, encrypt them with a hardcoded XOR key, and exfiltrate them to GitHub Gists. The Python component auto-executes on import and downloads a JavaScript payload from an attacker-controlled GitHub Pages domain for execution via Node.js, allowing the attacker to update the payload without releasing new package versions. The AI manipulation component is particularly novel: the attacker opened legitimate pull requests against major open-source repositories including browser-use, langchain, and langflow to introduce the hidden AI-poisoning files into widely trusted codebases, potentially affecting any developer who then used those projects as a base or dependency. Stolen data includes developer secrets, cryptocurrency wallet keys, SSH keys, cloud credentials for AWS and GitHub, browser session data, and environment variables.
How to fix: Review recently installed npm, PyPI, and Crates.io packages — particularly those installed from May 22, 2026 onward — against the IOC list published by Socket Security at socket.dev. Remove any flagged packages, delete and rebuild the relevant dependency trees from a clean state, and clear package caches. Block the attacker’s known infrastructure domain ddjidd564.github[.]io at DNS and network level. If a compromised package was installed and your application ran with it: rotate all secrets accessible from that environment, including AWS IAM credentials, GitHub tokens, SSH keys, cryptocurrency wallet seed phrases and private keys, and any API keys found in environment variables or configuration files. Check for unexpected cron jobs, systemd services, and shell hook entries added around the installation date. Review all AI configuration files (.cursorrules, CLAUDE.md, .cursor/mcp.json) in your project directories and repositories for unexpected or unfamiliar content.
Recommended action: Urgent for development teams working in the affected ecosystems. Audit package installs from May 22 onward. The AI poisoning vector is particularly insidious because it operates through legitimate developer workflow tools rather than direct execution, making it harder to detect through standard process monitoring. Share the Socket Security IOC list with your development team and raise awareness of this novel attack vector.
Official source: Socket Security Research (socket.dev) | The Hacker News — TrapDoor Supply Chain Attack
Ongoing Threat: Router Botnets Exploiting Legacy Vulnerabilities
Context from the THN Weekly Recap published May 25, 2026: Two active botnet campaigns targeting unpatched routers have been confirmed in the past two weeks. The RondoDox botnet has been exploiting CVE-2018-5999 in ASUS AsusWRT routers (covered above) since May 17, 2026. Separately, threat actors have been mass-exploiting CVE-2024-9643 in Four-Faith F3x36 industrial cellular routers (also covered above) since May 12, 2026. Both CVEs carry CVSS 9.8 scores and allow unauthenticated remote compromise. These campaigns underscore a persistent pattern: vulnerability exploitation has now overtaken compromised credentials as the primary initial access vector in data breaches for the first time in nearly two decades, according to Verizon DBIR data cited this week. Only 26% of CISA KEV-listed vulnerabilities were fully remediated by organisations in 2025, with a median remediation time of 43 days. Botnets deliberately target the long tail of unpatched devices in this window.
Updates on Items from Previous Reports
The following items were covered in full in earlier reports. Updates where new information is available are noted below. For full technical details and remediation steps, refer to the linked original entries.
Drupal Core — CVE-2026-9082 — CISA KEV, exploitation confirmed widespread: Covered in the May 23 report with exploitation update. As of the weekly recap published May 25, this remains an active threat with over 15,000 attack attempts across 6,000 sites in 65 countries confirmed. The FCEB remediation deadline is May 27, 2026. If you have not yet patched, do so now. Affected versions and fixed versions are in the May 21 report.
LiteSpeed User-End cPanel Plugin — CVE-2026-48172 (CVSS 10.0, actively exploited): Covered in the May 23 report. Confirmed ongoing active exploitation. Patch to cPanel plugin version 2.4.7 / WHM plugin 5.3.1.0 immediately. Run the IoC grep command to check for prior exploitation.
Microsoft Defender — CVE-2026-41091 and CVE-2026-45498 (actively exploited, CISA KEV): Covered in the May 21 report. CISA deadline June 3, 2026. Confirm Malware Protection Engine version 1.1.26040.8 or later on all Windows endpoints. The same engine update also addresses CVE-2026-45584 (RCE, covered in the May 22 report).
Windows BitLocker — CVE-2026-45585 (YellowKey, no full patch yet): Covered across the May 21 and May 22 reports. Apply the PowerShell mitigation script from Microsoft MSRC, enforce TPM+PIN, and monitor for the upcoming security patch. Still no full patch available as of this report.
Linux Kernel — CVE-2026-46333 (ssh-keysign-pwn): Covered in the May 21 and May 22 reports. Apply kernel updates from your distribution and set kernel.yama.ptrace_scope = 2 as an interim measure.
NGINX — CVE-2026-42945 (NGINX Rift, actively exploited): Covered in the May 21 report. Update to NGINX Open Source 1.30.1 or 1.31.0, or NGINX Plus R36 P4 / R32 P6. Still actively exploited.
Ubiquiti UniFi OS — CVE-2026-34908, CVE-2026-34909, CVE-2026-33000: Covered in the May 23 report. Apply UniFi OS 5.1.12 for most hardware. Two of the three CVEs are CVSS 10.0 with no authentication required.
TanStack / Nx Console / Megalodon GitHub supply chain (TeamPCP): Covered across the May 21, May 22, and May 23 reports. The TrapDoor campaign listed above is operated by a related or the same threat actor group and continues the pattern of coordinated developer ecosystem attacks. If you have not yet audited your CI/CD secrets and npm/PyPI dependencies following the earlier incidents, do so now — these campaigns are ongoing.
Laravel-Lang PHP supply chain compromise: Covered in the May 23 report. Remove any of the four affected packages (laravel-lang/lang, http-statuses, attributes, actions) published on May 22–23 and rotate all credentials if those versions were ever installed and running.
Langflow — CVE-2025-34291 (CISA KEV, MuddyWater): Covered in the May 22 report. CISA deadline June 4, 2026. Upgrade to Langflow 1.7.0 or later.
Trend Micro Apex One — CVE-2026-34926 (actively exploited, CISA KEV): Covered in the May 22 report. CISA deadline June 4, 2026. Apply SP1 CP Build 18012 for on-premise and agent build 14.0.20731 for SaaS.
Cisco Secure Workload — CVE-2026-20223 (CVSS 10.0): Covered in the May 22 report. Update to 3.10.8.3 or 4.0.3.17. Release 3.9 requires migration. No workarounds.
This report is compiled from official advisories and primary sources. Verify all remediation steps against official vendor documentation before applying changes in production environments.
