VYPR
AI Brief2026-05-29· generated May 29, 2026

Supply-Chain Attacks Lead KEV Additions

CISA flags two supply-chain compromises as actively exploited, while critical RCEs hit IBM, Fortinet, and Gladinet enterprise tools.

CISA adds two supply-chain compromises to KEV — Nx Console and DAEMON Tools Lite — both abused to drop backdoors during brief software-update windows. CVE-2026-48027 involves a malicious version of Nx Console (VS Code extension, version 18.95.0) published to the Visual Studio Marketplace for just 18 minutes on May 19 before being pulled. During that window, the extension exfiltrated source code, secrets, and credentials from developer environments, and as Infosecurity Magazine reported, the incident is linked to a broader GitHub breach. CISA confirmed active exploitation and added both CVEs to its Known Exploited Vulnerabilities catalog on May 27, per CISA's alert. Separately, CVE-2026-8398 describes a compromise of DAEMON Tools Lite installer packages (versions 12.5.0.2421–12.5.0.2434) distributed from the legitimate daemon-tools.cc site between April 8 and May 2026, with The Hacker News noting the supply-chain angle. Organizations should audit any systems where these tools were installed during the compromise windows and rotate exposed credentials immediately.

Three critical pre-auth RCEs in Gladinet Triofox Cloud Server Agent expose TCP port 7878 to unauthenticated remote takeover. CVE-2026-8364, CVE-2026-8363, and CVE-2026-8362 affect the GladServerAgentService.exe process, which listens on port 7878 and processes HTTP requests. CVE-2026-8364 allows unauthenticated access to sensitive endpoints including /resources, /status, /sysinfo, /woshome, /Settings, /schedule, and /DavC... CVE-2026-8363 is a stack-based buffer overflow in WOSDeviceDropFolder.dll triggered by a long URL path starting with /resources, while CVE-2026-8362 is a similar overflow in WOSDefaultHttpModule.dll via /woshome paths. All three carry CVSS 9.8 ratings with no EPSS score yet, but the attack surface — an unauthenticated HTTP listener on a fixed port — makes these prime candidates for mass scanning. No patches or mitigations have been published as of this writing.

Fortinet discloses a critical improper-access-control flaw in FortiAuthenticator that can lead to remote code execution. CVE-2026-44277 (CVSS 9.8) affects FortiAuthenticator versions 8.0.2, 8.0.0, 6.6.0–6.6.8, and 6.5.0–6.5.6, allowing an attacker to execute unauthorized code or commands. BleepingComputer and SecurityWeek both covered the disclosure, with The Hacker News including it in a broader roundup of patches from Ivanti, SAP, VMware, and n8n. Given FortiAuthenticator's role as a centralized authentication gateway, a pre-auth RCE here could enable lateral movement across an entire Fortinet environment. Organizations should prioritize patching to the latest fixed versions.

Two critical RCEs in IBM HTTP Server and WebSphere Web Server Plug-ins demand immediate attention from enterprise shops. CVE-2026-9170 (CVSS 9.8) affects IBM HTTP Server versions 8.5 and 9.0, while CVE-2026-8633 (CVSS 9.8) impacts IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty versions 8.5 and 9.0. Both enable remote code execution over the network without authentication. Given the widespread deployment of IBM HTTP Server as a reverse proxy and load balancer in enterprise data centers, these flaws represent a significant lateral-movement and initial-access vector. IBM has not yet released patch details publicly.

A decade-old GitBucket RCE resurfaces with a public PoC, targeting unauthenticated instances running version 4.23.1. CVE-2018-25332 (CVSS 9.8) combines weak secret token generation with insecure file upload to achieve unauthenticated remote code execution. Though the CVE was assigned years ago, the risk score remains high (0.64) because many organizations run older GitBucket instances for self-hosted Git repositories without proper hardening. Attackers can brute-force weak tokens and upload malicious files to execute arbitrary commands on the server. Teams still running GitBucket should verify their version and apply any available patches or migrate to a maintained fork.

Two critical flaws in FastNetMon Community Edition — an integer overflow and an OS command injection — expose network monitoring infrastructure to takeover. CVE-2026-48691 (CVSS 9.8) is an integer overflow in the BGP AS_PATH attribute encoder within src/bgp_protocol.hpp, where attribute_length is computed from attacker-controlled data without validation. CVE-2026-48687 (CVSS 9.8) is an OS command injection in the Juniper router integration plugin's _log() function in fastnetmon_juniper.php, which constructs shell commands from unsanitized input. Both affect FastNetMon Community Edition through version 1.2.9. Since FastNetMon is often deployed with BGP peering to network edge devices, exploitation could allow attackers to inject malicious BGP announcements or pivot into core routing infrastructure.

Synthesized by Vypr AI