PatchDay Alert: 2026-05-22
DAILY BRIEF · MAY 22, 2026
Drop what you're doing if you run UniFi gear. CVE-2026-34910 is a perfect 10.0: unauthenticated command injection on any network-reachable UniFi OS device. Nobody's reported exploitation in the wild yet, but the attack requires zero credentials and zero user interaction, so that window won't stay open long. Four more high-severity bugs round out the day, including a ConnectWise Automate supply-chain risk that MSPs need to look at fast.
Clear the most in the fewest moves
2 updates close multiple CVEs at once. Start here.
1. Update the azl3 kernel package to the patched version via your Azure Linux package manager. (18 CVEs)
2. Upgrade LiteLLM to 1.83.10 or later, then audit your user list for any accounts with unexpected proxy_admin privileges. (2 CVEs)
SECURE BOOT CERTIFICATE DEADLINE
33 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026).
TOP THREAT TODAY
A bug in the Linux kernel's pcrypt module (parallel crypto) mishandles MAY_BACKLOG requests, which could let a local attacker cause memory corruption or crash the system. The CVSS is 8.4, but exploitation requires local access and a fairly specific crypto workload configuration, so real-world risk is limited for most environments.
Who's affected: Azure Linux 3.0 users running kernel 6.6.139.1-1, especially those using disk encryption or IPsec workloads that exercise the pcrypt path
Patch this week.
Update the azl3 kernel package to the patched version via your Azure Linux package manager.
One update · 18 CVEs
Links: NVD · MSRC
CVE-2026-2740 · CVSS 8.4 · HIGH
An authenticated user on a ManageEngine agent machine can get remote code execution through a vulnerable third-party dependency in ADSelfService Plus, DataSecurity Plus, or RecoveryManager Plus. The attacker needs valid credentials, but once authenticated, they can run arbitrary code on the agent. CVSS 8.4, no known exploitation yet.
Affects: Anyone running ManageEngine ADSelfService Plus before build 6525, DataSecurity Plus before build 6264, or RecoveryManager Plus before build 6313
Patch within 24 hours.
Upgrade ADSelfService Plus to 6525+, DataSecurity Plus to 6264+, and RecoveryManager Plus to 6313+ from the ManageEngine download portal.
Links: NVD · Ref 1
CVE-2026-47102 · CVSS 8.8 · HIGH
LiteLLM before 1.83.10 lets any authenticated user promote themselves to proxy_admin by calling the /user/update endpoint with a modified user_role field. Once promoted, they have full admin access to every user, API key, model config, and prompt history in the platform. Users with the org_admin role can do this without any extra exploit chain.
Affects: Teams running LiteLLM proxy before version 1.83.10, especially multi-tenant or org-scoped deployments
Patch immediately.
Upgrade LiteLLM to 1.83.10 or later, then audit your user list for any accounts with unexpected proxy_admin privileges.
One update · 2 CVEs
Links: NVD · Ref 1 · Ref 2
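For readers who maintain a similar multi-tenant proxy, here is an added illustration (not LiteLLM's own code) of the two controls the entry above calls for: an update handler that refuses role changes from non-admin callers so user_role can never be mass-assigned through a user-update request, and the post-upgrade audit for unexpected proxy_admin accounts. The role names come from the page; the handler signature, the User record and the field allowlist are assumptions.

```python
"""Added example: server-side guard against user_role self-promotion,
plus an audit for unapproved proxy_admin holders.  Not LiteLLM code."""
from __future__ import annotations
from dataclasses import dataclass

PROXY_ADMIN = "proxy_admin"
ORG_ADMIN = "org_admin"

# Fields an ordinary caller may change on a record.  user_role is
# deliberately absent: the role stays server-controlled.
SELF_SERVICE_FIELDS = {"user_email", "max_budget"}


@dataclass
class User:                      # assumed record shape
    user_id: str
    user_role: str
    user_email: str = ""
    max_budget: float | None = None


class Forbidden(Exception):
    pass


def authorize_user_update(caller: User, target: User, patch: dict) -> dict:
    """Return the subset of `patch` the caller may apply, or raise.

    The vulnerable behaviour the page describes is equivalent to
    `return patch` with no check: any authenticated caller could send
    {"user_role": "proxy_admin"} for their own user_id and be promoted.
    """
    if caller.user_role == PROXY_ADMIN:
        return dict(patch)                       # a real admin may change anything
    if "user_role" in patch and patch["user_role"] != target.user_role:
        # org_admin and plain users never get to grant a role, even to
        # themselves; this is the check that closes the escalation.
        raise Forbidden(f"{caller.user_id} may not change user_role")
    if caller.user_id != target.user_id and caller.user_role != ORG_ADMIN:
        raise Forbidden("only admins may edit other users")
    unknown = set(patch) - SELF_SERVICE_FIELDS - {"user_role"}
    if unknown:
        raise Forbidden(f"fields not allowed: {sorted(unknown)}")
    # Drop a no-op user_role echo and anything else outside the allowlist.
    return {k: v for k, v in patch.items() if k in SELF_SERVICE_FIELDS}


def unexpected_proxy_admins(users: list[User], approved: set[str]) -> list[str]:
    """Audit step from the advice above: proxy_admin holders not on the approved list."""
    return sorted(u.user_id for u in users
                  if u.user_role == PROXY_ADMIN and u.user_id not in approved)
```

Run the audit against an export of the user table after upgrading; any id it returns was promoted outside your change process and should be reviewed alongside that account's API-key activity.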
CVE-2026-9089 · CVSS 8.8 · HIGH
The ConnectWise Automate agent doesn't fully verify that plugins and self-update payloads are authentic. An attacker with network access (for example, through a man-in-the-middle position or compromised update source) could swap in a malicious component. Since Automate agents run with SYSTEM privileges on managed endpoints, this is a serious supply-chain risk. CVSS 8.8, no known exploitation yet.
Affects: MSPs and IT teams running ConnectWise Automate agents on managed endpoints, prior to Automate 2026.5
Patch immediately.
Upgrade your ConnectWise Automate server to 2026.5, which will push updated agents to endpoints. Verify agents update successfully across your fleet.
Links: NVD · Ref 1
CVE-2026-34910 · CVSS 10.0 · CRITICAL
This is as bad as it gets. A network-reachable attacker can exploit an input validation failure on UniFi OS devices to inject and execute arbitrary commands, no authentication required. CVSS 10.0. If your UniFi gear is internet-facing or reachable from an untrusted network, treat this as an emergency.
Affects: Anyone running UniFi OS devices (Dream Machine, Dream Router, Cloud Gateway, NVR, or other UniFi consoles) reachable from untrusted networks
Patch immediately.
Update all UniFi OS devices to the latest firmware through the UniFi Network app or SSH, and confirm no devices are directly exposed to the internet without firewall restrictions.
Links: NVD · Ref 1
Community Signal Check
Microsoft Exchange Server zero-day XSS exploited via crafted email, no patch yet
Attackers are exploiting CVE-2026-42897 (CVSS 8.1), an XSS bug in on-prem Exchange Server, by sending crafted emails that run JavaScript when opened in OWA. This hits Exchange Subscription Edition, 2016, and 2019. Microsoft published emergency mitigations but has not shipped a patch as of May 21, so apply those mitigations now and watch for the fix.
The Hacker News · active_exploitation
Two Microsoft Defender bugs exploited in the wild, added to CISA KEV
CVE-2026-41091 lets a local attacker escalate to SYSTEM through the Malware Protection Engine, and CVE-2026-45498 can disable Defender's real-time protection entirely. Both are exploited in the wild, and CISA added them to the KEV catalog on May 20. Make sure your Defender engine and definitions are current across every endpoint.
Help Net Security · active_exploitation
NGINX heap buffer overflow (CVSS 9.2) exploited for remote code execution
CVE-2026-42945 is a heap buffer overflow in ngx_http_rewrite_module (CVSS 9.2) affecting NGINX 0.6.27 through 1.30.0. Unauthenticated attackers can crash workers or get RCE with crafted HTTP requests, though full code execution requires ASLR to be off. If you run NGINX with rewrite rules, update past 1.30.0 immediately.
The Hacker News · active_exploitation
KB5089549 causing install failures and slow internet on Windows 11
The May 13 Windows 11 update KB5089549 is failing to install on some machines, looping through install and rollback cycles. Users also report internet slowdowns after a successful install. Systems stuck in the rollback loop stay unpatched, so check your fleet for machines that silently failed to apply this month's fixes.
Windows Central · broken_patch
That's your patch day digest.
patchdayalert.com