Weekly Exploit Roundup
Generated 2026-05-19T08:00:17.018992+00:00 (UTC)
- Patch Tuesday – May 2026
Source: Rapid7 Cybersecurity Blog | Published: 2026-05-13T00:22:19+00:00 | Score: 25.787
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges or user interaction are required, and attack complexity is low, which suggests that creation of a reliable exploit might not be especially difficult for anyone with knowledge of the specific mechanism. Mic
- Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws
Source: The Hacker News | Published: 2026-05-18T10:54:05+00:00 | Score: 22.972
Ivanti, Fortinet, n8n, SAP, and VMware have released security fixes for various vulnerabilities that could be exploited by bad actors to bypass authentication and execute arbitrary code.
Topping the list is a critical flaw impacting Ivanti Xtraction (CVE-2026-8043, CVSS score: 9.6) that could be exploited to achieve information disclosure or client-side attacks.
"External control of a file name - NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE
Source: The Hacker News | Published: 2026-05-17T11:57:53+00:00 | Score: 21.289
A newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck.
The vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0. According to AI-native security company depthfirst, the
- The Dark Side of Efficiency: When Network Controllers Become "God Mode" for Attackers
Source: Rapid7 Cybersecurity Blog | Published: 2026-05-14T16:00:00+00:00 | Score: 20.667
Imagine you build a massive corporate campus with every security control money can buy. Blast resistant doors. Biometric scanners. Guards at every entrance. Maybe something similar to the infamous Death Star. On paper, it looks fantastic. Then, somewhere along the way, somebody decides the maintenance team needs a universal key that opens every door in the building without setting off any alarms. That certainly makes operations easier, but it also means one mistake, one compromise (like a well placed photon torpedo), or one very bad decision can unravel the whole thing. That is basically the problem we keep running into in modern enterprise networking.
Why SD-WAN controllers create concentrated risk
This week, Rapid7 researchers Stephen Fewer and Jonah Burgess disclosed CVE-2026-20182, a maximum severity (CVSS 10.0) vulnerability in the Cisco Catalyst SD-WAN Controller. The technical details matter, and quite a bit, at that, but the bigger lesson here is even more important. This bug
- When IT Support Calls: Dissecting a ModeloRAT Campaign from Teams to Domain Compromise
Source: Rapid7 Cybersecurity Blog | Published: 2026-05-13T14:44:02+00:00 | Score: 19.915
Overview
Attackers do not need to break into the front door when they can convince employees to open it for them through the tools they already trust. In April 2026, Rapid7 investigated an enterprise intrusion that began with a Microsoft Teams message from a fake “IT Support” account and quickly escalated into a full compromise chain involving malware deployment, privilege escalation, credential theft, lateral movement, and exfiltration. The incident illustrates a critical risk for modern enterprises: Collaboration platforms have become part of the attack surface, and when combined with identity abuse and Living-off-the-Land techniques, they can provide attackers with a low-friction path into the environment. Therefore, this attack was particularly concerning due to the way the intrusion shifted from endpoint compromise to broader identity-driven risk. And while it was not surprising that the attacker used a novel technique, what was concerning was how the attacker was able to chain to
- Critical Vulnerability Exposes Industrial Robot Fleets to Hacking
Source: SecurityWeek | Published: 2026-05-19T06:18:51+00:00 | Score: 19.45
The vulnerability, CVE-2026-8153, affects Universal Robots PolyScope 5 and it can be exploited for OS command injection.
- Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming
Source: The Hacker News | Published: 2026-05-16T15:20:48+00:00 | Score: 19.176
A critical security vulnerability impacting the Funnel Builder plugin for WordPress has come under active exploitation in the wild to inject malicious JavaScript code into WooCommerce checkout pages with the goal of stealing payment data. Details of the activity were published by Sansec this week. The vulnerability currently does not have an official CVE identifier. It
- Metasploit Wrap-Up 05/15/2026
Source: Rapid7 Cybersecurity Blog | Published: 2026-05-15T18:54:25+00:00 | Score: 18.967
Weaponizing a text editor for fun and profit
Gather round, dear readers, because today, we (by we, we mean @h00die) dropped the ultimate persistence mechanism: Vim plugin persistence. And honestly, calling it "persistence" feels redundant — Vim is already the most persistent thing ever. Somewhere, somehow, there will still be a Vim session open since 2011, because no one has figured out how to close it. So we are not so much establishing a foothold here as we are joining an existing hostage situation. Elsewhere this week, Marvell's QConvergeConsole has been caught handing arbitrary files to unauthenticated visitors, as is tradition (CVE-2025-6793), GestioIP 3.5.7 ships an upload handler, so trusting it will cheerfully let an admin overwrite the handler with a backdoor and then dutifully execute it (CVE-2024-48760). And of course, we can't forget about Dolibarr ERP/CRM, which blocks PHP injections by checking — and we cannot stress this enough — by searching for string <?php. So @M4nu02
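The Dolibarr item above says the control is a search for the literal string <?php. The Python below is an added illustration of why that class of check fails; it is not Dolibarr's code and not the Metasploit module's technique (the excerpt does not describe what @M4nu02 did). It relies only on documented PHP syntax: the <?php opening tag is case-insensitive, <?= is an always-on echo tag, and the bare <? tag depends on the short_open_tag setting. The payload samples are constructed for the example, and the extension allowlist that follows is one hardening an upload handler should apply regardless of content, not a claim about how the vendor fixed the issue.

```python
"""Why a '<?php' substring denylist is not an upload control (added example).

None of this is Dolibarr's code. The samples below are CONSTRUCTED and the
allowlist in allowed_by_extension() is an illustrative policy, not a vendor
recommendation.
"""
import re

# Constructed upload bodies, as bytes, the way a handler would see them.
SAMPLES = {
    "lowercase":  b"<?php system($_GET['c']); ?>",
    "uppercase":  b"<?PHP system($_GET['c']); ?>",     # tag is case-insensitive in PHP
    "mixed_case": b"<?Php system($_GET['c']); ?>",
    "short_echo": b"<?= shell_exec($_GET['c']) ?>",    # '<?=' is always enabled
    "benign":     b"<html><body>hello</body></html>",
}

# Extensions a typical Apache/mod_php or php-fpm setup may hand to PHP.
PHP_LIKE_SUFFIXES = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "phps"}


def naive_blocks(data: bytes) -> bool:
    """A case-sensitive substring check of the kind the excerpt describes."""
    return b"<?php" in data


def tag_scan_blocks(data: bytes) -> bool:
    """Content check that at least covers PHP's real opening tags.

    Any '<?' is rejected: '<?php' and '<?=' always open PHP code, and the bare
    '<?' does too when short_open_tag is on. The cost is a false positive on
    '<?xml ...?>' headers, which for a denylist is the right way to fail.
    """
    return re.search(rb"<\?", data, re.IGNORECASE) is not None


def allowed_by_extension(filename: str) -> bool:
    """Allowlist the last extension and refuse any PHP-like component.

    Checking every component, not just the last, closes 'shell.php.jpg' on
    servers whose handler mapping keys on any '.php' in the name.
    """
    allow = {"png", "jpg", "jpeg", "gif", "pdf"}
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False                       # no extension, or a dotfile
    if parts[-1] not in allow:
        return False
    return not any(p in PHP_LIKE_SUFFIXES for p in parts[1:])


def compare_checks() -> dict:
    """Return {sample: (naive_blocks, tag_scan_blocks)} for every sample."""
    return {name: (naive_blocks(b), tag_scan_blocks(b)) for name, b in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, scan) in compare_checks().items():
        print("%-11s naive=%-5s tag_scan=%s" % (name, naive, scan))
    for fn in ("photo.jpg", "shell.php", "shell.phtml", "shell.php.jpg", "shell.jpg.php"):
        print("%-14s allowed=%s" % (fn, allowed_by_extension(fn)))
```

Run stand-alone, the table shows the naive check catching only the lowercase sample while three equally executable variants pass; the tag scan catches all four. The extension allowlist is the control that actually matters, because a content filter can only ever chase PHP's grammar, whereas refusing to store anything the web server might execute removes the question.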
- On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
Source: The Hacker News | Published: 2026-05-15T06:19:04+00:00 | Score: 18.493
Microsoft has disclosed a new security vulnerability impacting on-premise versions of Exchange Server that it said has come under active exploitation in the wild.
The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting flaw. An anonymous researcher has been credited with discovering and reporting the issue.
" - Funnel Builder WordPress plugin bug exploited to steal credit cards
Source: BleepingComputer | Published: 2026-05-15T19:30:33+00:00 | Score: 17.685
A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript snippets into WooCommerce checkout pages. […]
End of report.
