Daily Summary - 21.05.2026

End-of-Day report

Timeframe: Wednesday 20-05-2026 18:00 - Thursday 21-05-2026 18:00 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler

News

Hackers bypass SonicWall VPN MFA due to incomplete patching

Threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy tools used in ransomware attacks. [..] SonicWall warned in a security advisory for CVE-2024-12802 that installing the firmware update alone on Gen6 devices does not fully mitigate the vulnerability, and a manual reconfiguration of the LDAP server is required. Failing to do so leaves open the possibility of bypassing MFA protection.

https://www.bleepingcomputer.com/news/security/hackers-bypass-sonicwall-vpn-mfa-due-to-incomplete-patching/

A New SonicWall Scanning Spike Echoes the Pattern That Preceded CVE-2026-0400

Between May 9 and May 18, 2026, GreyNoise observed a significant new spike in scanning of SonicWall SonicOS management interfaces. The May 12 peak - approximately 597,000 sessions - was the largest single-day total recorded on the SonicWall SonicOS API Scanner tag in the past 90 days, roughly 46× the typical daily volume for this tag in the 30 days before the elevation.

https://www.greynoise.io/blog/sonicwall-scanning-spike-echoes-pattern-preceded-cve-2026-0400

Google publishes exploit code threatening millions of Chromium users

Google on Wednesday published exploit code for an unfixed vulnerability in its Chromium browser codebase [..] The proof-of-concept code exploits the Browser Fetch programming interface, a standard that allows long videos and other large files to be downloaded in the background. An attacker can use the exploit to create a connection for monitoring some aspects of a user's browser usage and as a proxy for viewing sites and launching denial-of-service attacks. [..] The unfixed vulnerability can be exploited by any website a user visits. [..] Users of Chromium browsers should be suspicious of download dropdowns that appear for no reason.

https://arstechnica.com/security/2026/05/google-publishes-exploit-code-threatening-millions-of-chromium-users/

Attackers spill plaintext passwords of 46k Myspace93 users after 2021 breach

Users of the Myspace93 parody web art site be warned: the dataset spilled after a reported breach in 2021 included the plaintext usernames and passwords of more than 46,000 registered users. [..] In addition to the clear-as-day passwords and usernames, HIBP said email addresses and IP addresses were also among the exposed data.

https://www.theregister.com/security/2026/05/21/46k-plaintext-passwords-pwned-in-myspace93-breach/5244024

The npm Threat Landscape: Attack Surface and Mitigations (Updated May 20)

Unit 42 analyzes npm supply chain evolution post-Shai Hulud. Discover wormable malware, CI/CD persistence, multi-stage attacks and more.

https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/

Webworm: New burrowing techniques

ESET researchers analyzed the 2025 activity of Webworm, a China-aligned APT group that started out targeting organizations in Asia, but has recently shifted its focus to Europe.

https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/

Europe dismantles VPN service used by cybercriminals to hide ransomware attacks

The international operation targeted a service known as First VPN, which had been marketed for years on Russian-speaking cybercrime forums as a secure way for criminals to evade law enforcement.

https://therecord.media/europe-dismantles-first-vpn

Microsoft warns of Defender 0-days and patches

As of May 19, 2026, Microsoft has closed two 0-day vulnerabilities, CVE-2026-41091 and CVE-2026-45498, in Defender through an update of the Defender Antimalware Platform. The vulnerabilities affected Defender Antimalware Platform version 4.18.26030.3011 and older.

https://borncity.com/blog/2026/05/21/microsoft-warnt-vor-defender-0-days-und-patcht/

Unpatchable Vulnerabilities of Kubernetes: CVE-2021-25740

For this post, we're going to look at the last of the four unpatchable Kubernetes CVEs, CVE-2021-25740, which relates to how Kubernetes ingress or LoadBalancer features can be abused to bypass network security controls in a cluster.

https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerabilities-cve-2021-25740/

Vulnerabilities

Atlassian security patches: Bamboo, Confluence & Co. are vulnerable

Attackers can exploit several software vulnerabilities in, among others, Atlassian Bamboo Data Center and Server, Confluence Data Center and Server, and Jira Data Center and Server, and in the worst case fully compromise affected systems. Security updates are available.

https://www.heise.de/news/Sicherheitspatches-Atlassian-Bamboo-Confluence-Co-sind-verwundbar-11301596.html

Nvidia graphics card drivers vulnerable on Linux and Windows

If attackers successfully exploit vulnerabilities in Nvidia's graphics card driver, they can crash services, gain unauthorized access to information, or even execute malicious code. Patched versions for Linux and Windows are available for download. The developers have also closed holes in the vGPU software.

https://www.heise.de/news/Grafikkartentreiber-von-Nvidia-unter-Linux-und-Windows-angreifbar-11301854.html

Critical security vulnerability in Drupal Core - updates available

Drupal Core contains an SQL injection vulnerability in the database abstraction API. Specially crafted requests can lead to arbitrary SQL injections. The vulnerability is relevant only for Drupal installations that use PostgreSQL as their database, and can be exploited without authentication by anonymous users.

https://www.cert.at/de/warnungen/2026/5/kritische-sicherheitslucke-in-drupal-core-updates-verfugbar

Cisco Secure Workload Unauthorized API Access Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy

Splunk: SVD-2026-0515: Third-Party Package Updates in Splunk User Behavior Analytics - May 2026

https://advisory.splunk.com//advisories/SVD-2026-0515

LWN: Security updates for Thursday

https://lwn.net/Articles/1073860/