Canadian Cyber Security Journal

Cybersecurity Daily Brief — Wednesday, May 27, 2026

Here are today’s top cybersecurity stories for Wednesday, May 27, 2026.

CISA Adds LiteSpeed cPanel Plugin CVE-2026-48172 to KEV — Feds Have Four Days to Patch
CISA added CVE-2026-48172, a CVSS 9.8 privilege escalation flaw in the LiteSpeed cPanel user-end plugin, to its Known Exploited Vulnerabilities catalog on May 26, giving federal agencies until May 29 to patch. Unknown threat actors are actively exploiting the flaw to deploy Mirai botnet variants and a ransomware strain named Sorry. The vulnerability affects plugin versions 2.3 through 2.4.4 and lets any cPanel user execute scripts as root; version 2.4.5 resolves the issue. BleepingComputer

CrowdStrike and Google Disrupt All Four GlassWorm Botnet C2 Channels
CrowdStrike, in coordination with Google and the Shadowserver Foundation, executed a simultaneous takedown of all four command-and-control channels used by the GlassWorm supply chain botnet on May 26 at 14:00 UTC. GlassWorm has targeted software developers since at least early 2025 through malicious VS Code extensions, npm packages, and GitHub repositories, using Solana blockchain transactions, the BitTorrent DHT, a public calendar service, and direct VPS connections as C2 layers. Organizations should check network logs for connections to 164.92.88[.]210, a CrowdStrike-operated sinkhole now receiving infected-host beacons. The Hacker News
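The log check described above, as an added example that is not part of the brief or of CrowdStrike's tooling: it refangs the sinkhole address and returns which internal hosts connected to it. The firewall log format and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# CrowdStrike-operated GlassWorm sinkhole named in the brief (defanged there).
GLASSWORM_SINKHOLE = ipaddress.ip_address("164.92.88.210")

# Constructed sample log lines; the key=value layout is an assumed format,
# not any real product's output.
SAMPLE_LOG = """\
2026-05-26T14:05:11Z src=10.20.1.45 dst=164.92.88.210:443 action=allow
2026-05-26T14:05:12Z src=10.20.1.46 dst=151.101.1.69:443 action=allow
2026-05-26T14:06:02Z src=10.20.7.9 dst=164.92.88[.]210:8080 action=allow
2026-05-26T14:06:30Z src=10.20.1.45 dst=164.92.88.210:443 action=allow
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>[^:\s]+)(?::(?P<port>\d+))?")


def refang(value: str) -> str:
    """Undo the usual "[.]" / "(.)" defanging so IoCs pasted from reports match raw logs."""
    return value.replace("[.]", ".").replace("(.)", ".")


def find_sinkhole_beacons(log_text: str, sinkhole=GLASSWORM_SINKHOLE) -> dict:
    """Return {source_host: hit_count} for every line whose destination is the sinkhole."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(refang(m.group("dst")))
        except ValueError:
            continue  # hostname or junk in the dst field, not an IP literal
        if dst == sinkhole:
            src = m.group("src")
            hits[src] = hits.get(src, 0) + 1
    return hits


if __name__ == "__main__":
    for host, count in find_sinkhole_beacons(SAMPLE_LOG).items():
        print(f"{host}: {count} connection(s) to the GlassWorm sinkhole; "
              "triage installed VS Code extensions and npm packages on this host")
```

A host that beacons to the sinkhole is already infected; the connection is the evidence, not the threat, so the follow-up is endpoint triage rather than blocking the address.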

Gitea CVE-2026-27771: Unauthenticated Attackers Can Pull Private Container Images From 30,000+ Deployments
Researchers at Noscope disclosed CVE-2026-27771, a four-year-old flaw in Gitea that lets unauthenticated remote attackers pull private container images without any credentials. All Gitea versions prior to 1.26.2 are affected, and researchers estimate over 30,000 deployments in 30+ countries remain exposed, spanning healthcare providers, aerospace manufacturers, and internet service providers. Organizations unable to patch immediately can set [service].REQUIRE_SIGNIN_VIEW=true as a temporary mitigation. The Hacker News

KnowledgeDeliver LMS CVE-2026-5426: Zero-Day Exploited to Deploy Godzilla Web Shell and Cobalt Strike
A critical vulnerability in KnowledgeDeliver, a learning management system widely used in Japan, was exploited as a zero-day before a patch was issued. The flaw (CVE-2026-5426, CVSS 7.5) stems from hardcoded ASP.NET machine keys enabling ViewState deserialization attacks that lead to unauthenticated RCE. Attackers deployed the Godzilla (BLUEBEAM) web shell and ultimately pushed Cobalt Strike Beacon onto compromised servers; TTPs match several Chinese-speaking APT groups including APT41 and UNC215. All KnowledgeDeliver deployments prior to February 24, 2026, remain at risk. The Hacker News
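The weak configuration pattern behind this story, as an added example (not KnowledgeDeliver's actual configuration or the vendor's fix): a generic check that flags a static ASP.NET machineKey in web.config, shown beside the per-host auto-generated form. Both config fragments are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed web.config with the weak pattern: a literal key pair shipped in
# every install, so anyone holding a copy of the product can produce MAC-valid
# ViewState and reach the deserializer.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
    <machineKey validationKey="A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90"
                decryptionKey="0F1E2D3C4B5A69788796A5B4C3D2E1F0"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed hardened form: keys are generated per application on the host,
# so no two deployments share signing material.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def machine_key_findings(config_xml: str) -> list:
    """Return a list of findings; an empty list means no static key material was seen."""
    findings = []
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")  # ASP.NET default is auto-generated
            if not value.startswith("AutoGenerate"):
                findings.append(f"static {attr} ({len(value)} chars) committed to config")
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac=false: ViewState MAC disabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, machine_key_findings(cfg) or ["no static machineKey material"])
```

A static key is legitimate when an operator generated it uniquely for a web farm; the check flags it for review, and the question to answer is whether the same key appears in other installs of the product.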

FBI Warns: Silent Ransom Group Now Showing Up In-Person at Law Firm Offices to Steal Data
The FBI issued an alert on May 27 warning that the Silent Ransom Group (SRG), also known as Luna Moth and Chatty Spider, has escalated its tactics against U.S. law firms to include in-person visits to victim offices, posing as IT personnel and physically inserting storage devices to exfiltrate data. The group first attempts vishing calls and phishing emails to get employees to open remote desktop sessions; if those fail, a threat actor arrives in person. SRG leaves few artifacts on compromised machines, making traditional antivirus detection unlikely. BleepingComputer

SymJack: Malicious Repositories Use Symlinks to Trick AI Coding Agents Into Installing Attacker-Controlled MCP Servers
Adversa AI researchers disclosed SymJack, an attack technique that weaponizes AI coding agents — including VS Code Copilot, Cursor, Windsurf, and Claude Code — by tricking them into silently installing attacker-controlled Model Context Protocol (MCP) servers via disguised symlinks in malicious repositories. The attack requires only that a developer open a malicious repo with an AI coding tool; one approval of an innocuous-looking copy request installs a rogue MCP server capable of stealing secrets, compromising CI/CD pipelines, and deploying malicious code. SecurityWeek

Malicious npm Package “mouse5212-super-formatter” Targets Claude AI User Directories
Researchers at OX Security discovered a malicious npm package that exfiltrates files from the /mnt/user-data directory used by Anthropic’s Claude AI tool to store uploads and outputs. The package presents itself as an internal archive deployment utility and uses a hardcoded GitHub token — which was inadvertently leaked — to authenticate and push stolen files to an attacker-controlled repository during the postinstall stage. The campaign, codenamed Malware-Slop, had been downloaded approximately 676 times before disclosure. The Hacker News

CVE-2026-40369: Windows Kernel LPE With Public Exploit Allows SYSTEM Access From Any User Context
Researcher Ori Nimron published a full exploit chain for CVE-2026-40369, an untrusted pointer dereference in the Windows kernel (CVSS 7.8) patched in Microsoft’s May 2026 Patch Tuesday. The flaw allows any unprivileged process — including a browser renderer sandbox — to increment arbitrary kernel memory and escalate to SYSTEM on Windows 11 24H2 and 25H2. Three public proof-of-concept exploits are now available on GitHub, making post-patch reverse engineering and active exploitation a near-term risk for unpatched systems. Windows News / NVD

Stay tuned for today’s in-depth analysis posts.
