Daily Briefing: SANS Stormcast Tracks Active Exploits and Evolving Threats
The SANS ISC Stormcast for May 26, 2026, hosted by Johannes Ullrich, provides a concise audio briefing on the day's most significant cybersecurity developments — active Drupal SQLi exploitation, Microsoft Defender vulnerabilities under fire, and widening supply chain compromise campaigns.
Summary
The SANS Internet Storm Center’s Stormcast for Tuesday, May 26, 2026, delivers a focused roundup of threats that defenders need to act on immediately. Host Johannes Ullrich flags widespread exploitation of the recently disclosed Drupal core SQL injection vulnerability (CVE-2026-9082), with Imperva reporting over 15,000 attack attempts targeting nearly 6,000 sites across 65 countries. The speed from disclosure to mass exploitation underscores the compressed timeline for patching critical CMS infrastructure.
The episode also tracks two Microsoft Defender vulnerabilities — CVE-2026-41091 (privilege escalation to SYSTEM) and CVE-2026-45498 (denial-of-service) — that have moved from disclosure to active exploitation. These align with the publicly discussed RedSun and UnDefend zero-days, creating urgency for organizations to verify Defender updates are current across all endpoints.
Supply chain compromise campaigns continue to dominate the threat landscape, with the TeamPCP-aligned Mini Shai-Hulud worm expanding its footprint across npm, PyPI, and Packagist ecosystems. The episode contextualizes these as part of a broader pattern where attackers use compromised developer tools and dependencies to access downstream enterprise environments.
Why It Matters
The Stormcast format serves a practical purpose: it compresses the day’s threat intelligence into minutes for practitioners who cannot afford to spend hours tracking multiple feeds. For SOC teams, the May 26 edition highlights three concurrent pressure points — CMS patching urgency, endpoint protection supply chain risk, and software supply chain integrity — that together demand triage bandwidth many teams lack.
Defender Takeaways
- Verify Drupal Core is patched to the latest version, particularly for externally facing instances; CVE-2026-9082 exploitation is occurring at scale.
- Confirm Microsoft Defender signatures and platform updates are current across all endpoints; CVE-2026-41091 and CVE-2026-45498 are under active exploitation.
- Review software supply chain monitoring for npm and PyPI dependencies; the Mini Shai-Hulud worm and TeamPCP campaigns continue to compromise upstream packages.
- Check for indicators of Drupal SQL injection exploitation in WAF and web server logs — SQL errors, anomalous parameter patterns, and unexpected database queries.
- Validate that Defender real-time protection has not been disabled or tampered with; the privilege escalation vector in CVE-2026-41091 could allow attackers to disable security controls.
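The fourth takeaway above asks defenders to look for SQL injection indicators in web server and WAF logs. The following script is an added example written for this page; it is not code from the Stormcast, from SANS, or from any vendor, and it does not encode the actual CVE-2026-9082 request pattern (which the episode does not describe). It parses constructed Combined Log Format lines, URL-decodes the request path (including double-encoded payloads), flags generic SQL injection indicators, and then groups hits per source address together with the server errors they produced, since SQL errors surfacing as 5xx responses are one of the signals the takeaway names. The pattern names and sample addresses are assumptions chosen for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Combined Log Format (made up for this example,
# not taken from the page or from any real server). RFC 5737 test addresses.
SAMPLE_LOG = """\
203.0.113.10 - - [26/May/2026:08:01:12 +0000] "GET /node/12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [26/May/2026:08:01:13 +0000] "GET /?q=node%2F12%27%20OR%201%3D1-- HTTP/1.1" 500 341 "-" "python-requests/2.31"
198.51.100.7 - - [26/May/2026:08:02:40 +0000] "GET /search/node?keys=drupal HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.7 - - [26/May/2026:08:02:41 +0000] "GET /search/node?keys=x%22%20UNION%20SELECT%201%2C2-- HTTP/1.1" 500 341 "-" "Mozilla/5.0"
192.0.2.55 - - [26/May/2026:08:03:02 +0000] "POST /user/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""

# Combined Log Format: ip ident user [timestamp] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Generic SQL injection indicators, applied to the decoded path and query string.
# These are heuristics (assumed names), not a signature for any specific CVE.
SQLI_PATTERNS = {
    "quote_comment": re.compile(r"['\"].*?(--|#|/\*)", re.S),
    "union_select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I | re.S),
    "tautology": re.compile(r"\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I),
}


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are normalised too."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text):
    """Return one finding per request whose decoded path matches any indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; a real pipeline would count these
        decoded = decode_fully(m["path"])
        hits = sorted(name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded))
        if hits:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "path": decoded,
                "status": int(m["status"]),
                "indicators": hits,
            })
    return findings


def summarize_by_ip(findings):
    """Aggregate hits and 5xx responses per source address for triage."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["ip"], {"hits": 0, "server_errors": 0})
        entry["hits"] += 1
        if f["status"] >= 500:
            entry["server_errors"] += 1
    return summary


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['ip']} {f['status']} {f['indicators']} {f['path']}")
    for ip, stats in summarize_by_ip(results).items():
        print(f"{ip}: {stats['hits']} suspicious requests, {stats['server_errors']} server errors")
```

Run it against an exported access log in place of SAMPLE_LOG; a source that both trips several indicators and triggers 5xx responses in a short window is a stronger candidate for investigation than a single matching request, and the per-IP summary is the natural input to a WAF block list or a SIEM correlation rule. The indicator set deliberately stays generic, so expect some false positives on search forms and tune the patterns to the application.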
Source
Title: ISC Stormcast For Tuesday, May 26th, 2026 — Johannes Ullrich, SANS Internet Storm Center
URL: https://isc.sans.edu/diary/rss/33020
Related
- Web Application Attacks — detection and response for T1190 techniques
- Supply Chain Attack — detection and response for T1195 techniques
- Zero Day & CVE Response — detection and response for T1588.006 techniques
