<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
  <channel>
    <title>Tenable Blog</title>
    <link>https://www.tenable.com/</link>
    <description/>
    <language>en</language>
    <atom:link href="https://www.tenable.com/blog/feed" rel="self" type="application/rss+xml"/>
    
    <item>
  <title>Oracle May 2026 Critical Security Patch Update Addresses 35 CVEs</title>
  <link>https://www.tenable.com/blog/oracle-may-2026-critical-security-patch-update-addresses-35-cves</link>
  <description>&lt;p&gt;&lt;strong&gt;Oracle addresses 35 CVEs in its May 2026 Critical Security Patch Update with 35 patches, including 11 critical updates.&lt;/strong&gt;&lt;/p&gt;&lt;h2&gt;Key Takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;The May 2026 Critical Security Patch Update (CSPU) contains fixes for 35 unique CVEs in 35 security updates&lt;/li&gt;&lt;li&gt;11 issues (31.4% of all patches) were assigned a critical severity rating&lt;/li&gt;&lt;li&gt;Oracle E-Business Suite received the highest number of patches at 12, accounting for 34.3% of all patches&lt;/li&gt;&lt;/ol&gt;&lt;h2&gt;Background&lt;/h2&gt;&lt;p&gt;On May 28, Oracle released its &lt;a href="https://www.oracle.com/security-alerts/cspumay2026.html"&gt;&lt;u&gt;Critical Security Patch Update (CSPU) for May 2026&lt;/u&gt;&lt;/a&gt;. Beginning in May 2026, Oracle introduced CSPUs as a monthly release cycle that sits between the larger quarterly Critical Patch Updates (CPUs), addressing a focused set of high-severity issues on a faster cadence. This CSPU contains fixes for 35 unique CVEs in 35 security updates across 5 Oracle product families. Out of the 35 security updates published, 31.4% of patches were assigned a critical severity. 
High severity patches accounted for the bulk of security patches at 51.4%, followed by critical severity patches at 31.4%.&lt;/p&gt;&lt;img src="https://www.tenable.com/sites/default/files/inline/images/Oracle%20Critical%20Security%20Patch%20Update%20for%20May%202026%20-%20Security%20Patches.png" data-entity-uuid="1bed6b59-df8a-49b7-bcf6-681aa9efa58b" data-entity-type="file" alt="Pie chart showing the count of patches released in the Oracle May 2026 Critical Security Patch Update (CSPU)" width="779" height="431" loading="lazy"&gt;&lt;p&gt;This month's update includes 11 critical patches across 11 CVEs.&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;Severity&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Issues Patched&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;CVEs&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Critical&lt;/td&gt;&lt;td&gt;11&lt;/td&gt;&lt;td&gt;11&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;High&lt;/td&gt;&lt;td&gt;18&lt;/td&gt;&lt;td&gt;18&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Medium&lt;/td&gt;&lt;td&gt;6&lt;/td&gt;&lt;td&gt;6&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Low&lt;/td&gt;&lt;td&gt;0&lt;/td&gt;&lt;td&gt;0&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Total&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;35&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;35&lt;/strong&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;h2&gt;Analysis&lt;/h2&gt;&lt;p&gt;This month's update saw the Oracle E-Business Suite product family contain the highest number of patches at 12, accounting for 34.3% of the total patches, followed by Oracle REST Data Services at 11 patches, which accounted for 31.4% of the total patches.&lt;/p&gt;&lt;p&gt;A full breakdown of the patches for this CSPU can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without 
authentication.&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;Oracle Product Family&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Number of Patches&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Remote Exploit without Auth&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Oracle E-Business Suite&lt;/td&gt;&lt;td&gt;12&lt;/td&gt;&lt;td&gt;3&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Oracle REST Data Services&lt;/td&gt;&lt;td&gt;11&lt;/td&gt;&lt;td&gt;7&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Oracle Communications&lt;/td&gt;&lt;td&gt;8&lt;/td&gt;&lt;td&gt;4&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Oracle Database Server&lt;/td&gt;&lt;td&gt;3&lt;/td&gt;&lt;td&gt;3&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Oracle Hospitality Applications&lt;/td&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;1&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;h2&gt;Solution&lt;/h2&gt;&lt;p&gt;Customers are advised to apply all relevant patches in this CSPU. Please refer to the &lt;a href="https://www.oracle.com/security-alerts/cspumay2026.html"&gt;&lt;u&gt;May 2026 advisory&lt;/u&gt;&lt;/a&gt; for full details.&lt;/p&gt;&lt;h2&gt;Identifying affected systems&lt;/h2&gt;&lt;p&gt;A list of Tenable plugins to identify these vulnerabilities will appear &lt;a href="https://www.tenable.com/plugins/search?q=%22%28May+2026+CSPU%29%22&amp;amp;sort=&amp;amp;page=1"&gt;&lt;u&gt;here&lt;/u&gt;&lt;/a&gt; as they're released. 
This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.&lt;/p&gt;&lt;h3&gt;Get more information&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.oracle.com/security-alerts/cspumay2026.html"&gt;&lt;u&gt;Oracle Critical Security Patch Update Advisory - May 2026&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.oracle.com/security-alerts/cspumay2026verbose.html"&gt;&lt;u&gt;Oracle May 2026 Critical Security Patch Update Risk Matrices&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html"&gt;&lt;u&gt;Oracle Advisory to CVE Map&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Join&lt;/strong&gt;&lt;/em&gt; &lt;a href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable's Research Special Operations (RSO) Team&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt; &lt;em&gt;&lt;strong&gt;on Tenable Connect for further discussions on the latest cyber threats.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Learn more about&lt;/strong&gt;&lt;/em&gt; &lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable One&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt;, the Exposure Management Platform for the modern attack surface.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/oracle-critical-security-patch-update-cspu-may-2026.png"&gt;
</description>
  <pubDate>Thu, 28 May 2026 23:06:27 -0400</pubDate>
    <dc:creator>Research Special Operations</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210953</guid>
    </item>
<item>
  <title>Download pumping: New npm deception technique for supply chain attacks</title>
  <link>https://www.tenable.com/blog/how-cyberattackers-inflate-malicious-package-npm-download-counts</link>
  <description>&lt;p&gt;Learn how attackers exploit automated bot traffic as part of software supply chain attacks to artificially inflate download counters and mask malicious payloads as legitimate.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;Key takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;Volume doesn’t equal trust. Packages with numerous versions and high download counts might seem legitimate, but attackers can easily manipulate those metrics.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Attackers exploit automated infrastructure. By initially flooding the registry with numerous benign versions of a package, threat actors trigger automatic downloads from mirrors, scanners, and analysis bots, which artificially inflate traffic.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Although old download-inflation techniques still work, attackers are developing new sophisticated techniques to deceive developers into installing malicious packages.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;h2&gt;Downloads count metric&lt;/h2&gt;&lt;p&gt;Following recent software supply chain attacks in which Tenable has seen attackers steal access tokens and secrets from developer workstations and &lt;a href="https://www.tenable.com/cloud-security/capabilities/ci-cd-workflow-integration"&gt;CI/CD&lt;/a&gt; build servers, we started actively monitoring and analyzing &lt;a href="https://www.npmjs.com/"&gt;npm&lt;/a&gt; packages uploaded to the public registry. Initially, we used download counts as a primary metric to determine package relevance.&lt;/p&gt;&lt;p&gt;During our monitoring, we identified a recurring anomaly: Brand new packages displayed unusually high download counts within hours of upload. 
Upon further investigation, we discovered that those packages also had many versions.&lt;/p&gt;&lt;p&gt;We found that packages whose content got updated frequently — usually by systematically uploading many new versions for the same package — had an unusually high downloads count.&lt;/p&gt;&lt;p&gt;We observed this technique being used deliberately in the wild for the first time in our &lt;a href="https://www.tenable.com/blog/cybersecurity-research-faq-new-malicious-npm-package-ambar-src"&gt;analysis of the malicious “ambar-src” package&lt;/a&gt;, which reached more than 50,000 downloads in three days after attackers uploaded more than 700 versions. We named this technique “download pumping.”&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Developers and security tools frequently use download counts as one of the metrics to assess a package's legitimacy. &lt;/strong&gt;Since there is no simple method for determining if a package is legitimate, this artificial inflation effectively disguises the threat.&lt;/p&gt;&lt;h2&gt;Analysis&lt;/h2&gt;&lt;p&gt;In the “ambar-src” campaign, threat actors systematically published hundreds of benign versions of the package before introducing the actual malicious payload.&lt;/p&gt;&lt;p&gt;Because npm registers each interaction with these updates as traffic, this repetitive version-publishing process achieved two goals:&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;It heavily populated the package’s release history, creating a dense changelog that made the project appear actively maintained and historically legitimate to developers evaluating it.&lt;/li&gt;&lt;li&gt;Every time a new version was published, automated systems like repository mirrors and analysis bots automatically downloaded it. 
Because the attackers systematically uploaded hundreds of versions, they artificially generated a massive wave of automated traffic, inflating the package's download count to more than 50,000 downloads in just three days.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;From Tenable’s initial analysis, each version uploaded to the npm public registry typically receives between 100 and 150 downloads from automated systems. We verified that fact by running our proof-of-concept (POC) and analyzing the download count.&lt;/p&gt;&lt;h2&gt;Download pumping PoC&lt;/h2&gt;&lt;p&gt;To validate these mechanisms, we conducted a POC that replicated the download pumping behavior. We created test packages and systematically published a high volume of new versions to the npm registry.&amp;nbsp;&lt;/p&gt;&lt;p&gt;As the npm team stated in their &lt;a href="https://blog.npmjs.org/post/92574016600/numeric-precision-matters-how-npm-download-counts-work.html"&gt;blog&lt;/a&gt;, their download stats are naive by design, and they do not put much effort into filtering automated bot traffic.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Thus, various repository mirrors, analytical bots, and automated security scanners immediately pulled each new version we uploaded. This validated that an attacker can predictably generate a baseline of downloads entirely through automated publishing, requiring zero organic user interaction.&lt;/p&gt;&lt;p&gt;During our POC, we wanted to see how different package properties might affect the automated download volume. We were working under the assumption that packages with postinstall scripts raise the interest level of security scanners.&lt;/p&gt;&lt;p&gt;Postinstall scripts are highly interesting to defenders because attackers frequently use these lifecycle hooks to automatically execute malicious payloads the moment a package is installed. 
Since this is a common malware-deployment technique, automated security scanners prioritize downloading and inspecting packages that have these scripts configured.&lt;/p&gt;&lt;p&gt;It is important to note that security scanners don’t have to download the package itself to determine if the npm package has a postinstall script configured, as this data is available in the package metadata in the public registry.&lt;/p&gt;&lt;p&gt;For those reasons, we believed that security scanners are more likely to download packages with install scripts configured, as they are more likely to contain malicious code. We deployed three distinct test packages to npm to test our assumption and observed the following results:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Version bump only:&lt;/strong&gt; 135.55 downloads per version&lt;br&gt;This was our baseline test package. We didn’t add or remove any code when publishing a new version, nor did we make any other attempt to make the package look interesting. We simply bumped up the version number each time.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Static postinstall script:&lt;/strong&gt; 141.91 downloads per version&lt;br&gt;This was our second test package, and the first one to have a postinstall script configured, but we didn’t change the script when publishing new versions.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Dynamic postinstall script:&lt;/strong&gt; 158.16 downloads per version&lt;br&gt;In this third test package, we changed the postinstall script every time we bumped up the version. 
We did this as we believed that security scanners would be more interested in packages whose postinstall script changed, as it could be an indicator of compromise.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;img src="https://www.tenable.com/sites/default/files/inline/images/Graph%20of%20spike%20in%20NPM%20downloads%20after%20new%20version%20publications.png" data-entity-uuid="18173a76-4ddf-46c5-b5bd-6c64ccae28e4" data-entity-type="file" alt="Graph of spike in NPM downloads after new version publications" width="374" height="79" class="align-center" loading="lazy"&gt;&lt;p&gt;&lt;em&gt;Graph showing how Tenable’s first POC software package experienced a spike in downloads when we started publishing new versions of it.&lt;/em&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;This data demonstrates a straightforward cause-and-effect: automated infrastructure and security scanners naturally generate more download traffic for packages that exhibit interesting or actively changing behaviors.&lt;/p&gt;&lt;h2&gt;Other package managers&lt;/h2&gt;&lt;p&gt;While our research focused specifically on the npm ecosystem, the fundamental mechanics behind this technique are not unique to npm. Other package registries such as &lt;a href="https://pypi.org/"&gt;PyPI&lt;/a&gt;, &lt;a href="https://rubygems.org/"&gt;RubyGems&lt;/a&gt;, and &lt;a href="https://www.nuget.org/"&gt;NuGet&lt;/a&gt; operate with similar automated infrastructure — mirrors, security scanners, and analysis bots — that pull new versions as they are published. 
Although the specific download amplification and trust metrics may differ across ecosystems, the core principle remains the same: where automated systems react to new publications, there is potential for abuse.&lt;/p&gt;&lt;h2&gt;Real-world example of download pumping&lt;/h2&gt;&lt;p&gt;As already stated, we first observed this technique being used in the wild during &lt;a href="https://www.tenable.com/blog/cybersecurity-research-faq-new-malicious-npm-package-ambar-src"&gt;our analysis of the “ambar-src” package&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Let’s look at this in more detail.&lt;/p&gt;&lt;p&gt;The attackers created an npm package containing utility code that can be used for legitimate purposes, such as MathUtils, StringUtils and Time functions. The attackers then systematically uploaded &lt;strong&gt;428 legitimate versions&lt;/strong&gt; of the package in just two hours. The attackers did this to gain initial credibility and attempt to lure developers to use their code.&lt;/p&gt;&lt;p&gt;Three days later, the attackers uploaded a new version containing malicious code. By this point, the attackers’ package already had more than 30,000 downloads.&lt;/p&gt;&lt;p&gt;In total, the attackers uploaded 724 versions including malicious and legitimate versions. This led to an artificially generated wave of automated traffic, resulting in around 50,000 downloads total.&lt;/p&gt;&lt;p&gt;This repetitive version-publishing process successfully inflated the package's download count and created a dense release history, making the project appear historically legitimate before the malware was deployed.&lt;/p&gt;&lt;h2&gt;Past research on npm download manipulation&lt;/h2&gt;&lt;p&gt;The manipulation of npm downloads metrics is not a new discovery. 
In a 2021 &lt;a href="https://dev.to/andyrichardsonn/how-i-exploited-npm-downloads-and-why-you-shouldn-t-trust-them-4bme"&gt;research blog&lt;/a&gt;, independent developer Andy Richardson showed how prone the npm registry’s download tracking is to abuse, by demonstrating that bad actors can send HTTP requests to a package’s tarball URL to fake downloads.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Using automated tools, the researcher successfully drove nearly 1 million spoofed downloads in a single week for a completely unused package.&lt;/p&gt;&lt;p&gt;Tenable validated this technique still works in 2026. By sending HTTP requests directly to the URL of the package’s tarball, Tenable successfully inflated a test package’s metric to 17,000 downloads in approximately one hour, using nothing more than a standard office laptop and an internet connection.&lt;/p&gt;&lt;p&gt;However, this new version-flooding method we’ve identified offers two distinct advantages:&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;First, it provides amplification, because an attacker gains 100 to 150 automated downloads from repository mirrors for every single version they upload, rather than just one download per HTTP request.&lt;/li&gt;&lt;li&gt;Second, systematically publishing these updates populates the release history, creating a dense version log that makes the package appear actively maintained and historically legitimate.&lt;/li&gt;&lt;/ul&gt;&lt;h2&gt;Mitigation of supply chain attacks&lt;/h2&gt;&lt;p&gt;Organizations should not depend on download counts or version histories to determine if a package is legitimate. 
As we have demonstrated, attackers can easily fake these metrics using automated systems, creating a false sense of trust.&lt;/p&gt;&lt;p&gt;Instead, organizations should adopt common industry best practices, such as version pinning and implementing minimum package-age restrictions.&amp;nbsp;&lt;/p&gt;&lt;p&gt;These best practices are effective, as security vendors and the open-source community actively monitor these registries and typically detect malicious packages fairly quickly, within a couple of days at most.&amp;nbsp;&lt;/p&gt;&lt;p&gt;By enforcing a short waiting period of three to four days before allowing a new package or new version of an existing package into your environment, you allow the community time to identify these threats in the public registry. Once they are detected, they are removed from the public registry, eliminating the risk.&lt;/p&gt;&lt;p&gt;It is worth noting that npm is actively working to improve the security of its ecosystem. Recent efforts include adding &lt;a href="https://github.com/npm/cli/releases/tag/v11.10.0"&gt;support for package-age checks&lt;/a&gt; directly in the npm CLI, as well as &lt;a href="https://docs.npmjs.com/trusted-publishers"&gt;strengthening authentication mechanisms&lt;/a&gt; for package maintainers to reduce the risk of account takeovers.&amp;nbsp;&lt;/p&gt;&lt;p&gt;While these are meaningful steps in the right direction, the reality is that no single measure can fully prevent malicious code from reaching the public registry. Supply chain attacks will continue to evolve, and organizations should also layer their own defenses rather than rely on the ecosystem alone.&lt;/p&gt;&lt;p&gt;For example, organizations can add extra protection for CI/CD build servers by deploying ephemeral CI/CD runners that are destroyed immediately after a single use to prevent malware from lingering. 
Operating those temporary runners without persistent storage makes it harder for threat actors to save their payloads or establish persistence across different build jobs.&lt;/p&gt;&lt;p&gt;Additionally, organizations should enforce least-privilege network access. Restricting outbound traffic makes it harder for malicious payloads running on the build server to reach the open internet to download second-stage malware payloads like “msinit.exe.”&lt;/p&gt;&lt;h2&gt;So what?&lt;/h2&gt;&lt;p&gt;&lt;strong&gt;Currently, developers are still being hacked through open-source supply chain techniques&lt;/strong&gt;. The metrics developers and security tools depend on — download counts, version history, maintenance activity — are superficial indicators that, as we have demonstrated, an attacker can manipulate with minimal effort. But the problem runs deeper than fake signals.&lt;/p&gt;&lt;p&gt;Even when a package has a legitimate track record with a trusted maintainer behind it, that trust can be compromised overnight. Recent waves of account takeovers, social engineering campaigns, and credential theft targeting established maintainers have shown that a package's history is no guarantee of its current safety, even for legitimate packages. A new version published under a trusted name can carry a malicious payload, and the package manager has no built-in mechanism to catch it.&lt;/p&gt;&lt;p&gt;In practice, there is no deterministic method to determine if a new package is malicious or not. Therefore, each package you install and use must be treated like it could be malicious. The meaningful trust signal comes after the fact: from security vendors and the open-source community actively scanning and analyzing packages once they are published.&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;This is exactly why enforcing minimum-age requirements on new packages and new versions is such an effective control&lt;/strong&gt;. 
A short waiting period of a few days gives the security community time to detect, flag, and remove threats from the public registry before they ever reach your environment. Organizations that consume packages the moment they are published are accepting risk that is entirely avoidable.&lt;/p&gt;&lt;p&gt;Download pumping is ultimately just the initial entry vector for a much larger objective. Attackers using these techniques are generally aiming for one of two outcomes.&lt;/p&gt;&lt;p&gt;First, they aim to compromise build servers and CI/CD pipelines. By successfully injecting a malicious dependency into these systems, threat actors achieve “God-mode” over the infrastructure, which can lead to a full compromise of the entire production environment.&lt;/p&gt;&lt;p&gt;Second, and even worse, they aim to compromise the developers of highly popular packages. By hijacking a trusted maintainer’s environment, attackers can inject malicious code that thousands of downstream organizations automatically pull, creating a massive cascading effect across the broader software supply chain.&lt;/p&gt;&lt;h2&gt;How Tenable can help defend against supply chain attacks&lt;/h2&gt;&lt;p&gt;To defend against supply chain attacks, you need to know exactly what code is running in your environment. 
The &lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;strong&gt;Tenable One Exposure Management Platform&lt;/strong&gt;&lt;/a&gt; and &lt;a href="https://www.tenable.com/products/nessus"&gt;&lt;strong&gt;Tenable Nessus&lt;/strong&gt;&lt;/a&gt; can help you build a complete asset inventory of the npm packages used across your organization.&lt;/p&gt;&lt;p&gt;Use the following Nessus plugins to build an inventory of the npm modules in your environment:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/plugins/nessus/200172"&gt;200172 - Node.js Modules Installed (Windows)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/plugins/nessus/179440"&gt;179440 - Node.js Modules Installed (macOS)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/plugins/nessus/178772"&gt;178772 - Node.js Modules Installed (Linux)&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;As Tenable continuously analyzes your environment, you get direct visibility into exactly what is installed on your systems. This visibility ensures you can quickly locate and remove compromised packages as soon as a new threat is discovered.&lt;/p&gt;&lt;p&gt;Beyond building a complete inventory, organizations also need to actively monitor their environments for live threats. &lt;a href="https://www.tenable.com/cloud-security/products/cnapp"&gt;&lt;strong&gt;Tenable One Cloud Exposure&lt;/strong&gt;&lt;/a&gt;, a CNAPP, builds on this visibility by continuously monitoring your cloud environment to proactively detect these types of supply chain attacks in real time.&lt;/p&gt;&lt;p&gt;Together as part of the Tenable One Exposure Management Platform, these tools proactively detect supply chain attacks across your environments, ensuring your security teams can immediately identify and neutralize malicious activity before attackers can fully compromise your production systems.&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/Download%20pumping%20is%20a%20new%20npm%20deception%20technique%20for%20supply%20chain%20attacks.png"&gt;
</description>
  <pubDate>Thu, 28 May 2026 06:00:00 -0400</pubDate>
    <dc:creator>Ron Popov</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210948</guid>
    </item>
<item>
  <title>Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect</title>
  <link>https://www.tenable.com/blog/vulnerability-prioritization-attacker-mapping-severity-exploitation-risk</link>
  <description>&lt;p&gt;Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploitation, and organizational risk.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;Key takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;&lt;strong&gt;The "patch everything" strategy is dead: &lt;/strong&gt;Vulnerability prioritization based on exploitation risk offers a path forward. A directed graph model linking 600+ threat actors to vulnerabilities in 7,800 customer environments reveals that 68% of organizations carry at least one CVE previously exploited by a named adversary, and 321 tracked threat groups can reach at least one customer environment through an active vulnerability.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Prevalence of "Elite Arsenal" CVEs requires immediate attention: &lt;/strong&gt;The 242 "Elite Arsenal" CVEs — those meeting all three criteria of critical VPR (≥ 9), CISA KEV listing, and documented threat group exploitation — are nearly universally present across the studied customer base, with 241 of 242 actively detected. More than half are five or more years old, and 78% of the persistently exploited core are simultaneously weaponized by nation-state APTs, commodity malware operators, and ransomware gangs.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Non-CVE exposures are universally dangerous: &lt;/strong&gt;Non-CVE exposures, including misconfigurations, weak credentials, and end-of-life software, are present in virtually 100% of studied organizations, with 60% carrying at least one that maps to a tracked threat actor's preferred techniques. 
Preliminary modeling suggests these exposures may confer more breach risk than CVE-linked findings, yet no industry-standard scoring infrastructure exists to prioritize them.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;While the first two posts in this blog series documented the &lt;a href="https://www.tenable.com/blog/why-the-approaching-flood-of-vulnerabilities-changes-everything-and-what-to-do-about-it"&gt;accelerating vulnerability flood&lt;/a&gt; and the &lt;a href="https://www.tenable.com/blog/key-findings-from-the-verizon-dbir-2026"&gt;widening remediation gap&lt;/a&gt;, today we answer the outstanding question: Where do these forces actually collide inside customer environments? Using a directed graph model that maps more than 600 tracked threat groups to vulnerabilities observed across 7,800 organizations, Tenable Research shows you which exposures likely carry the highest real-world risk and where defenders should focus their finite remediation capacity.&lt;/p&gt;&lt;h2&gt;Understanding the vulnerability and remediation landscape&lt;/h2&gt;&lt;p&gt;The case for urgency has been made. 
In the first post, Tenable Research documented the convergence of three forces reshaping the vulnerability management landscape:&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;AI-driven vulnerability discovery tools accelerating CVE volume toward a projected 59,000 disclosures in 2026&lt;/li&gt;&lt;li&gt;NIST’s decision to &lt;a href="https://www.tenable.com/blog/nvd-cuts-cve-enrichment-how-tenable-helps"&gt;scale back enrichment of the National Vulnerability Database&lt;/a&gt; (NVD) to only three narrow categories&lt;/li&gt;&lt;li&gt;The resulting structural gap for organizations that depend on public severity metadata to prioritize patching&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The second post, produced in collaboration with the &lt;a href="https://www.tenable.com/blog/key-findings-from-the-verizon-dbir-2026"&gt;Verizon 2026 Data Breach Investigations Report (DBIR)&lt;/a&gt;, quantified the remediation side of the equation:&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Vulnerability exploitation has surged to become the leading initial access vector at 31% of breaches.&lt;/li&gt;&lt;li&gt;Median time-to-patch has grown from 32 to 43 days.&lt;/li&gt;&lt;li&gt;Only 26% of the &lt;a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog"&gt;Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities&lt;/a&gt; (KEV) are fully remediated across surveyed organizations.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Together, those findings &lt;a href="https://www.tenable.com/source/risk-based-vulnerability-management"&gt;support what Tenable has been saying for years&lt;/a&gt;: The “patch everything” strategy is no longer viable. But the findings also leave critical questions unanswered. 
If organizations cannot patch everything, they need to know precisely where the greatest risk concentrates inside their own environments.&lt;/p&gt;&lt;p&gt;This post answers these questions:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Which of the tens of thousands of active vulnerabilities do named adversaries actually exploit?&lt;/li&gt;&lt;li&gt;How many organizations carry those specific exposures right now?&lt;/li&gt;&lt;li&gt;What does the intersection of severity, active exploitation, and real-world exposure look like when you map it concretely?&lt;/li&gt;&lt;/ul&gt;&lt;h2&gt;Building the threat-exposure graph&lt;/h2&gt;&lt;p&gt;To move beyond per-CVE scoring into adversary-aware prioritization, &lt;a href="https://www.tenable.com/research"&gt;Tenable Research&lt;/a&gt; built a directed graph model that links four categories of real-world entities: threat actors; the attack techniques they employ; the vulnerabilities those techniques exploit; and the customer environments where those vulnerabilities are actively detected.&lt;br&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="https://www.tenable.com/sites/default/files/inline/images/Threat%20Exposure%20Graph.png" data-entity-uuid="df5cd869-cd96-453a-89b3-e40007c9edd4" data-entity-type="file" alt="Diagram showing the threat exposure graph" width="670" height="1200" class="align-center" loading="lazy"&gt;&lt;p&gt;&lt;em&gt;A simplified view of the threat-exposure graph. The graph links four kinds of real-world entities: threat actors; the techniques they use; the vulnerabilities they exploit (both CVE and non-CVE); and the customers in whose environments vulnerabilities are detected. The graph also links them along the directions in which risk actually flows.&amp;nbsp;&lt;/em&gt;&lt;/p&gt;&lt;p&gt;The customer base in this analysis comprises 7,800 U.S. 
and Canadian organizations actively monitored by Tenable’s &lt;a href="https://www.tenable.com/products/vulnerability-management"&gt;vulnerability management&lt;/a&gt; products as of May 2026. Plugin-finding telemetry, indicating which &lt;a href="https://www.cve.org/"&gt;CVE&lt;/a&gt; and non-CVE vulnerabilities are present in each environment, was joined to proprietary threat actor tracking data curated by &lt;a href="https://www.tenable.com/profile/research-special-operations"&gt;Tenable’s Research Special Operations&lt;/a&gt; (RSO) team and publicly available &lt;a href="https://attack.mitre.org/"&gt;MITRE ATT&amp;amp;CK&lt;/a&gt; technique data.&lt;/p&gt;&lt;p&gt;The graph tracks more than 600 named threat actor groups. Each has been documented either to directly exploit specific CVEs (more than 6,000 CVEs across all tracked groups) or to favor specific MITRE ATT&amp;amp;CK techniques (58 unique techniques observed).&amp;nbsp;&lt;/p&gt;&lt;p&gt;Because techniques map to the CVEs and non-CVE weaknesses they are known to exploit, a named adversary can reach a customer environment along two routes: directly through an exploited vulnerability, or indirectly through a technique that exploits a weakness present in their environment.&lt;/p&gt;&lt;p&gt;This framework transforms the prioritization question from “how severe is this CVE?” into “which named adversaries can reach my environment through this CVE, and how many other organizations share that exposure?” That is a fundamentally different kind of intelligence that per-CVE scoring layers were never designed to provide.&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;The &lt;a href="https://www.first.org/cvss/"&gt;Common Vulnerability Scoring System (CVSS)&lt;/a&gt; tells you how technically dangerous a vulnerability is.&lt;/li&gt;&lt;li&gt;The &lt;a href="https://www.first.org/epss/"&gt;Exploit Prediction Scoring System (EPSS)&lt;/a&gt; tells you how likely it is a threat actor will exploit it.&lt;/li&gt;&lt;li&gt;The 
CISA KEV catalog tells you a bad actor has exploited it.&lt;/li&gt;&lt;li&gt;Tenable's &lt;a href="https://www.tenable.com/blog/what-is-vpr-and-how-is-it-different-from-cvss"&gt;Vulnerability Priority Rating (VPR)&lt;/a&gt; and &lt;a href="https://www.tenable.com/blog/reducing-remediation-time-remains-a-challenge-how-tenable-vulnerability-watch-can-help"&gt;Vulnerability Watch&lt;/a&gt; combine these signals with proprietary threat intelligence into a per-CVE priority recommendation.&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;All of these are valuable, but none tie the score to your specific asset inventory and the named adversary documented to exploit it.&lt;/p&gt;&lt;p&gt;Two important caveats before we present the findings:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;We are reporting exposure metrics, not breach predictions. When Tenable says a customer is “exposed” to a named adversary, we mean their environment contains one or more vulnerabilities that the threat actor has previously exploited or that align with the group’s documented technique profile. We are not predicting attacks or claiming breaches.&lt;/li&gt;&lt;li&gt;All analyses represent scan windows beginning May 1, 2026. “Active” means at least one Tenable scan observed the vulnerability since that date. Customers may have patched between their last scan and publication.&lt;/li&gt;&lt;/ol&gt;&lt;h2&gt;Tenable findings&lt;/h2&gt;&lt;h3&gt;Vulnerabilities associated with tracked threat groups are pervasive&lt;/h3&gt;&lt;p&gt;The prevalence data is sobering. Of the 7,800 organizations in this study, 5,333 (68%) have at least one active CVE that at least one named threat actor has previously exploited. That figure alone warrants attention, but the concentration is what makes it actionable: 3,517 organizations (45%) carry 25 or more such CVEs, and 653 (8%) carry more than 100.&lt;/p&gt;&lt;p&gt;The problem extends well beyond CVEs. 
A total of 4,686 organizations (60%) carry at least one active non-CVE vulnerability, such as a misconfiguration, weak credential, or end-of-life software exposure, that maps to an attack technique a tracked threat actor is known to prefer. These findings do not receive CVE identifiers, but they are operationally exploitable, and adversary playbooks routinely depend on them.&lt;/p&gt;&lt;p&gt;On the adversary side, 321 of the more than 600 tracked threat actors can reach at least one customer environment through an active vulnerability. This includes the ransomware operations that most security teams already track (&lt;a href="https://www.tenable.com/blog/contileaks-chats-reveal-over-30-vulnerabilities-used-by-conti-ransomware-affiliates"&gt;Conti&lt;/a&gt;, Ryuk, &lt;a href="https://www.tenable.com/blog/cybersecurity-snapshot-ransomhub-group-triggers-cisa-warning-while-fbi-says-north-korean#:~:text=1%20%2D%20CISA%3A%20Keep%20RansomHub%20RaaS%20gang%20on%20your%20radar%20screen"&gt;RansomHub&lt;/a&gt;); nation-state operators with public attribution histories (Cozy Bear, Fancy Bear, Andariel, &lt;a href="https://www.tenable.com/blog/volt-typhoon-u-s-critical-infrastructure-targeted-by-state-sponsored-actors"&gt;Volt Typhoon&lt;/a&gt;, &lt;a href="https://www.tenable.com/blog/salt-typhoon-an-analysis-of-vulnerabilities-exploited-by-this-state-sponsored-actor"&gt;Salt Typhoon&lt;/a&gt;); and well-documented APT clusters (APT1, FIN7, MuddyWater, Earth Lusca).&lt;/p&gt;&lt;p&gt;Organizations in this study likely have well-developed cybersecurity programs. Tenable provides them with detailed &lt;a href="https://www.tenable.com/products/vulnerability-management/use-cases/prioritization"&gt;vulnerability prioritization&lt;/a&gt; data. They represent the more-prepared end of the spectrum of potential threat actor targets. 
The exposure picture for organizations with less mature security capabilities is, by any reasonable inference, significantly worse.&lt;/p&gt;&lt;h3&gt;These are not low-priority vulnerabilities&lt;/h3&gt;&lt;p&gt;The 6,000-plus distinct CVEs linked to threat groups in this study are dramatically over-represented in elevated VPR tiers compared to the full CVE population.&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;VPR threshold&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Threat group-associated CVE set&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Proportion of all scored CVEs&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Concentration ratio&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;≥ 5&lt;/td&gt;&lt;td&gt;21.0%&lt;/td&gt;&lt;td&gt;5.6%&lt;/td&gt;&lt;td&gt;3.7×&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;≥ 7&lt;/td&gt;&lt;td&gt;10.8%&lt;/td&gt;&lt;td&gt;1.6%&lt;/td&gt;&lt;td&gt;6.7×&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;≥ 9&lt;/td&gt;&lt;td&gt;2.66%&lt;/td&gt;&lt;td&gt;0.3%&lt;/td&gt;&lt;td&gt;≈ 9×&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;At the critical tier (VPR ≥ 9), CVEs associated with the study’s threat groups are nine times more concentrated than the global baseline. The persistence of these exposures is not primarily a failure of prioritization effort. Tenable data suggests the majority of customers in this study have significantly improved remediation rates for CVEs with VPR scores of 7 or higher over the past several years. Rather, continued persistence is further evidence of the central finding from the first two posts in this series: the flood of new vulnerabilities is outpacing even well-resourced organizations’ capacity to remediate.&lt;/p&gt;&lt;h3&gt;The Elite Arsenal&lt;/h3&gt;&lt;p&gt;If organizations cannot patch every threat group-associated vulnerability, where should they concentrate? 
Among the threat group-associated CVE set, 512 (8%) are listed in the CISA KEV catalog, an order of magnitude above the less-than-1% KEV share across the global CVE program. As the DBIR post documented, even KEV-listed vulnerabilities go unremediated in the majority of environments.&lt;/p&gt;&lt;p&gt;The intersection of Tenable’s critical VPR tier (VPR ≥ 9), the KEV catalog, and documented threat group exploitation gives us a tight shortlist: 242 CVEs that meet all three criteria simultaneously. We refer to this subset as the &lt;em&gt;Elite Arsenal&lt;/em&gt;. Of the 242, all but one were actively detected in at least one organization's environment.&lt;/p&gt;&lt;p&gt;The age profile of the Elite Arsenal underscores why these exposures persist:&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;More than half (53%) of Elite Arsenal CVEs are at least five years old.&lt;/li&gt;&lt;li&gt;Nearly one in five (19%) are at least a decade old, with the oldest dating to 2009.&lt;/li&gt;&lt;li&gt;The median age is five years.&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;These vulnerabilities represent a structural condition in which certain high-value CVEs become permanent fixtures of the attack surface, surviving years of remediation effort across thousands of organizations.&lt;/p&gt;&lt;p&gt;What makes that persistence especially dangerous is the breadth of adversaries exploiting them. 
Tenable Research has independently designated 54 of the 242 Elite Arsenal CVEs as “persistently exploited,” meaning they show sustained, multi-actor weaponization over years rather than months.&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Of those 54, state-sponsored APT groups have weaponized every single one.&lt;/li&gt;&lt;li&gt;98% have been incorporated into commodity malware delivery.&lt;/li&gt;&lt;li&gt;80% are exploited by ransomware operations.&lt;/li&gt;&lt;li&gt;78% are what Tenable calls “triple-weaponized”: simultaneously exploited by nation-state espionage actors, commodity malware operators, and ransomware gangs.&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;An organization carrying an unpatched Elite Arsenal CVE is exposed to all three at once.&lt;/p&gt;&lt;p&gt;The adversary concentration across these 54 CVEs is striking:&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;The most prevalent nation-state actor, &lt;a href="https://www.tenable.com/blog/salt-typhoon-an-analysis-of-vulnerabilities-exploited-by-this-state-sponsored-actor"&gt;Salt Typhoon&lt;/a&gt;, appears in association with 12 of the 54.&lt;/li&gt;&lt;li&gt;The most prevalent ransomware operation, &lt;a href="https://www.tenable.com/blog/cybersecurity-snapshot-cisa-warns-hospitals-about-black-basta-as-tenable-study-finds-cloud#:~:text=Black%20Basta%20ransomware%20threat%20triggers%20CISA%2DFBI%20alert"&gt;Black Basta&lt;/a&gt;, appears across 15.&lt;/li&gt;&lt;li&gt;Cobalt Strike, the most common offensive tool in the set, is documented across 20.&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;These are not isolated associations. They represent overlapping ecosystems of exploitation where the same vulnerability serves as an entry point for espionage, extortion, and financially motivated crime simultaneously. As the previous two posts in this series alluded to, the cyber attack landscape is rapidly evolving together with AI advancements. 
The widespread availability of frontier models means that mapping, chaining, and exploiting distinct attack paths has gotten substantially easier. Findings here indicate that far too many organizations still carry well-known Elite Arsenal CVEs in their environments that can act as relatively easy exploit targets for AI-assisted attacks.&lt;/p&gt;&lt;p&gt;Prominent examples of widely reported, multi-year fixtures in the Elite Arsenal include:&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Network-edge devices:&lt;/strong&gt;&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Citrix NetScaler ADC “Citrix Bleed” (&lt;a href="https://www.tenable.com/blog/frequently-asked-questions-for-citrixbleed-cve-2023-4966"&gt;CVE-2023-4966&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;Cisco IOS XE web UI privilege chain (&lt;a href="https://www.tenable.com/blog/cve-2023-20198-zero-day-vulnerability-in-cisco-ios-xe-exploited-in-the-wild"&gt;CVE-2023-20198&lt;/a&gt;, &lt;a href="https://www.tenable.com/blog/cve-2023-20198-zero-day-vulnerability-in-cisco-ios-xe-exploited-in-the-wild"&gt;CVE-2023-20273&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;Atlassian Confluence (&lt;a href="https://www.tenable.com/blog/cve-2022-26134-zero-day-vulnerability-in-atlassian-confluence-server-and-data-center-exploited"&gt;CVE-2022-26134&lt;/a&gt;, &lt;a href="https://www.tenable.com/blog/cve-2023-22515-zero-day-vulnerability-in-atlassian-confluence-data-center-and-server-exploited"&gt;CVE-2023-22515&lt;/a&gt;, &lt;a href="https://www.tenable.com/blog/cve-2023-22518-critical-atlassian-confluence-data-center-and-server-improper-authorization"&gt;CVE-2023-22518&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;F5 BIG-IP iControl REST (&lt;a href="https://www.tenable.com/blog/cve-2022-1388-authentication-bypass-in-f5-big-ip"&gt;CVE-2022-1388&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;Palo Alto Networks PAN-OS (&lt;a href="https://www.tenable.com/blog/cve-2024-0012-cve-2024-9474-zero-day-vulnerabilities-in-palo-alto-pan-os-exploited-in-the-wild"&gt;CVE-2024-0012&lt;/a&gt;, &lt;a 
href="https://www.tenable.com/blog/cve-2024-3400-zero-day-vulnerability-in-palo-alto-networks-pan-os-globalprotect-gateway"&gt;CVE-2024-3400&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;Ivanti Connect Secure VPN (&lt;a href="https://www.tenable.com/blog/cve-2023-46805-cve-2024-21887-zero-day-vulnerabilities-exploited-in-ivanti-connect-secure-and"&gt;CVE-2024-21887&lt;/a&gt;, &lt;a href="https://www.tenable.com/blog/cve-2023-46805-cve-2024-21887-zero-day-vulnerabilities-exploited-in-ivanti-connect-secure-and"&gt;CVE-2023-46805&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;ConnectWise ScreenConnect (&lt;a href="https://www.tenable.com/cve/CVE-2024-1708"&gt;CVE-2024-1708&lt;/a&gt;, &lt;a href="https://www.tenable.com/cve/CVE-2024-1709"&gt;CVE-2024-1709&lt;/a&gt;)&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Endpoint and office:&lt;/strong&gt;&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Microsoft Office remote code execution flaws (&lt;a href="https://www.tenable.com/blog/analyzing-the-vulnerabilities-associated-with-the-top-malware-strains-of-2021"&gt;CVE-2017-0199&lt;/a&gt;, &lt;a href="https://www.tenable.com/blog/from-bugs-to-breaches-25-significant-cves-as-mitre-cve-turns-25"&gt;CVE-2017-11882&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;Windows kernel privilege escalations (&lt;a href="https://www.tenable.com/blog/microsoft-s-october-2018-security-update-theres-more-to-the-story"&gt;CVE-2018-8453&lt;/a&gt;, &lt;a href="https://www.tenable.com/blog/contileaks-chats-reveal-over-30-vulnerabilities-used-by-conti-ransomware-affiliates"&gt;CVE-2021-1732&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;Outlook NTLM credential leak (&lt;a href="https://www.tenable.com/blog/microsoft-patch-tuesday-2023-year-in-review"&gt;CVE-2023-23397&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;VMware vCenter (&lt;a href="https://www.tenable.com/cve/CVE-2023-34048"&gt;CVE-2023-34048&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;JetBrains TeamCity (&lt;a 
href="https://www.tenable.com/blog/cve-2024-27198-cve-2024-27199-two-authentication-bypass-vulnerabilities-in-jetbrains-teamcity"&gt;CVE-2023-42793&lt;/a&gt;).&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Domain and SMB:&lt;/strong&gt;&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;EternalBlue family (&lt;a href="https://www.tenable.com/blog/from-bugs-to-breaches-25-significant-cves-as-mitre-cve-turns-25"&gt;CVE-2017-0144&lt;/a&gt;, &lt;a href="https://www.tenable.com/cyber-exposure/2021-threat-landscape-retrospective"&gt;CVE-2017-0143&lt;/a&gt;, &lt;a href="https://www.tenable.com/cve/CVE-2017-0146"&gt;CVE-2017-0146&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;Zerologon (&lt;a href="https://www.tenable.com/blog/cve-2020-1472-zerologon-vulnerability-in-netlogon-could-allow-attackers-to-hijack-windows"&gt;CVE-2020-1472&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;Sandworm/BlackEnergy (&lt;a href="https://www.tenable.com/blog/sandworm-apt-deploys-new-swiftslicer-wiper-using-active-directory-group-policy"&gt;CVE-2014-4114&lt;/a&gt;).&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Per-CVE remediation also misses the compound risk these vulnerabilities create when they coexist in the same environment. 
The Elite Arsenal contains several documented exploit chains where attackers use multiple CVEs in sequence to achieve objectives that no single vulnerability would permit.&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;The ProxyLogon chain (&lt;a href="https://www.tenable.com/cve/CVE-2021-26855"&gt;CVE-2021-26855&lt;/a&gt;, &lt;a href="https://www.tenable.com/cve/CVE-2021-26857"&gt;CVE-2021-26857&lt;/a&gt;, &lt;a href="https://www.tenable.com/cve/CVE-2021-26858"&gt;CVE-2021-26858&lt;/a&gt;, &lt;a href="https://www.tenable.com/cve/CVE-2021-27065"&gt;CVE-2021-27065&lt;/a&gt;) gives attackers full Exchange Server control through four chained flaws.&lt;/li&gt;&lt;li&gt;The Ivanti Connect Secure chain (&lt;a href="https://www.tenable.com/blog/cve-2023-46805-cve-2024-21887-zero-day-vulnerabilities-exploited-in-ivanti-connect-secure-and"&gt;CVE-2024-21887&lt;/a&gt; with &lt;a href="https://www.tenable.com/blog/cve-2023-46805-cve-2024-21887-zero-day-vulnerabilities-exploited-in-ivanti-connect-secure-and"&gt;CVE-2023-46805&lt;/a&gt;) combines an authentication bypass with a command injection.&lt;/li&gt;&lt;li&gt;FortiOS SSL-VPN credential theft (&lt;a href="https://www.tenable.com/cve/CVE-2018-13379"&gt;CVE-2018-13379&lt;/a&gt;) has been documented chaining directly into Zerologon (&lt;a href="https://www.tenable.com/blog/cve-2020-1472-zerologon-vulnerability-in-netlogon-could-allow-attackers-to-hijack-windows"&gt;CVE-2020-1472&lt;/a&gt;) for full domain compromise.&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Patching one link in these chains reduces risk, but patching all of them breaks the attack path entirely. 
Organizations that prioritize based on individual CVE scores alone may leave compound chains intact.&lt;/p&gt;&lt;p&gt;The 10 most prevalent Elite Arsenal CVEs, each detected in more than 2,000 customer environments, are:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/cve/CVE-2013-3900"&gt;CVE-2013-3900&lt;/a&gt; — WinVerifyTrust signature validation (3,027 environments)&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/microsofts-february-2026-patch-tuesday-addresses-54-cves-cve-2026-21510-cve-2026-21513"&gt;CVE-2026-21513&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/cve-2020-1472-zerologon-vulnerability-in-netlogon-could-allow-attackers-to-hijack-windows"&gt;CVE-2020-1472&lt;/a&gt; — Zerologon&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/microsoft-patch-tuesday-2023-year-in-review"&gt;CVE-2023-28252&lt;/a&gt; — CLFS&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/microsofts-july-2023-patch-tuesday-addresses-130-cves-cve-2023-36884"&gt;CVE-2023-32046&lt;/a&gt; — Windows MSHTML&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/cve/CVE-2013-2465"&gt;CVE-2013-2465&lt;/a&gt; — Java SE&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/microsofts-july-2023-patch-tuesday-addresses-130-cves-cve-2023-36884"&gt;CVE-2023-36874&lt;/a&gt; — Windows Error Reporting&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/cve/CVE-2025-41244"&gt;CVE-2025-41244&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/cve-2021-44228-proof-of-concept-for-critical-apache-log4j-remote-code-execution-vulnerability"&gt;CVE-2021-44228&lt;/a&gt; — Log4Shell&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/cve-2022-30190-zero-click-zero-day-in-msdt-exploited-in-the-wild"&gt;CVE-2022-30190&lt;/a&gt; — Follina&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;The prevalence curve across the full 242 Elite Arsenal CVEs drops steeply (&lt;em&gt;see &lt;/em&gt;chart below): The most 
prevalent CVE appears in more than 3,000 environments, while the long tail includes CVEs present in only a handful.&amp;nbsp;&lt;/p&gt;&lt;p&gt;But the critical finding is that 241 of the 242 are active somewhere. Nearly every CVE that meets all three elite criteria is currently live in at least one monitored environment.&lt;/p&gt;&lt;img src="https://www.tenable.com/sites/default/files/inline/images/CVEs%20ordered%20by%20observed%20exposures.png" data-entity-uuid="ea25b532-ea2b-4958-a12c-3500c9d8e9ae" data-entity-type="file" alt="CVEs ordered by observed exposures" width="1200" height="873" class="align-center" loading="lazy"&gt;&lt;p&gt;&lt;em&gt;Elite Arsenal CVE set prevalence, May 2026. Each point on the curve is one of the 242 elite-criteria CVEs (critical VPR ≥ 9, listed in CISA KEV, and reachable from a tracked threat group), ordered from most to least prevalent across the studied organization base. The y-axis shows the number of organization environments where each CVE was actively detected.&lt;/em&gt;&lt;/p&gt;&lt;p&gt;While the Elite Arsenal is not typically reported as a distinct CVE set, we encourage organizations that cannot remediate all KEV vulnerabilities with VPR ≥ 9 to prioritize those appearing on &lt;a href="https://www.tenable.com/cve/search?q=vulnerability_watches%3A%28active%29&amp;amp;sort=&amp;amp;page=1"&gt;Tenable's Vulnerability Watch list&lt;/a&gt;, at minimum. More than 52% of Elite Arsenal CVEs published since 2024 have appeared on Vulnerability Watch at least once. It is a resource that security teams can use to inform high-impact remediation decisions.&lt;/p&gt;&lt;h3&gt;The non-CVE exposure surface&lt;/h3&gt;&lt;p&gt;CVE-side prioritization works because CVEs are enumerated. 
Each gets a globally unique identifier, and every scoring framework in the industry is built on that identifier.&amp;nbsp;&lt;/p&gt;&lt;p&gt;No analogous standardized infrastructure exists for non-CVE findings such as misconfigured Active Directory privileges, improper password management, unencrypted database connections, or exposed management interfaces. These items do not receive CVE numbers, VPR scores, or KEV catalog entries.&lt;/p&gt;&lt;p&gt;The lack of standard scoring for non-CVE findings is problematic because these findings are relevant to the attack surface. Across the customer base in this study, 7,769 organizations (effectively 100%) carry at least one actionable non-CVE finding, and 4,686 (60%) carry one that maps back to a tracked threat actor’s preferred techniques.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Roughly half of observed non-CVE findings are software misconfigurations, 15% are end-of-life software exposures, and the remainder are weak credentials, audit gaps, and policy gaps that adversary playbooks routinely depend on.&lt;/p&gt;&lt;p&gt;There is no Elite Arsenal equivalent for misconfigurations. But the graph model allows us to answer a useful question: Which non-CVE findings sit on a path that a tracked adversary’s technique profile is likely to walk? Based on that analysis, four principles should guide non-CVE prioritization today.&lt;/p&gt;&lt;ol&gt;&lt;li&gt;Do not deprioritize non-CVE exposures simply because they lack a CVE number or a VPR score. Preliminary breach prediction modeling based on our graph suggests that non-CVE exposures may confer more data-breach risk than CVE-linked findings.&lt;/li&gt;&lt;li&gt;Prioritize misconfigurations and end-of-life software first within the non-CVE bucket. Together, they account for 65% of actionable non-CVE findings, and end-of-life software is by definition unpatchable. 
Configuration drift and end-of-life inventory are among the most consistently exploited entry points in MITRE ATT&amp;amp;CK adversary playbooks.&lt;/li&gt;&lt;li&gt;Use ATT&amp;amp;CK technique reachability as the prioritization axis. The 4,686 organizations carrying threat actor-mapped non-CVE findings are the non-CVE analogue of the customer set carrying Elite Arsenal CVEs. A misconfiguration that maps to a high-frequency technique used by threat actors active in your industry is operationally more urgent than a higher-volume finding that maps to no technique at all.&lt;/li&gt;&lt;li&gt;Recognize that non-CVE remediation is identity and configuration work, not patch work. Many of the non-CVE findings that appear in adversary playbooks, such as over-privileged service accounts, exposed management interfaces, weak authentication, and unmonitored privileged access, are addressed by tightening identity and configuration controls. The question shifts from “have we patched this?” to “have we hardened this?”&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;Tenable continues to invest in the scoring and prioritization infrastructure for the non-CVE surface, including the &lt;a href="https://www.tenable.com/products/tenable-one"&gt;Tenable One Exposure Management Platform’s&lt;/a&gt; &lt;a href="https://www.tenable.com/data-sheets/tenable-attack-path-analysis-apa"&gt;attack path analysis&lt;/a&gt; capabilities, which make adversary-technique reachability a first-class prioritization signal.&lt;/p&gt;&lt;h2&gt;Closing the loop&lt;/h2&gt;&lt;p&gt;The three blog posts in this series trace a single argument from macro- to micro-scale attack surface evaluations.&lt;/p&gt;&lt;p&gt;The volume crisis documented in “&lt;a href="https://www.tenable.com/blog/why-the-approaching-flood-of-vulnerabilities-changes-everything-and-what-to-do-about-it"&gt;Why the Approaching Flood of Vulnerabilities Changes Everything&lt;/a&gt;” means the patch queue will keep growing. 
The remediation gap documented in “&lt;a href="https://www.tenable.com/blog/key-findings-from-the-verizon-dbir-2026"&gt;Key findings from the Verizon DBIR 2026&lt;/a&gt;” means organizations cannot work through that queue fast enough using traditional methods.&amp;nbsp;&lt;/p&gt;&lt;p&gt;And the exposure data in this post shows the consequences of falling behind are measurable, attributable to specific adversaries, and concentrated in specific vulnerability sets that can be named and prioritized.&lt;/p&gt;&lt;p&gt;The data is unambiguous. Most of the 7,800 organizations in this study carry vulnerabilities that named threat actors have exploited. More than 200 critical, KEV-listed, threat group-associated CVEs are actively present across the customer base, many of them years old. And the non-CVE exposure surface, which receives far less attention than it deserves, is nearly universal and directly aligned with documented adversary techniques.&lt;/p&gt;&lt;p&gt;The prioritization question is no longer: “What is critical?” It is: “What is critical and likely to be exploited by threat groups that may target my industry, and is it actually present in my environment?”&amp;nbsp;&lt;/p&gt;&lt;p&gt;Per-CVE scores alone cannot answer that question. The answer requires graph-based methods that link threat actor behavior to the specific weaknesses in your environment. Organizations that anchor their remediation programs to this kind of reachability-aware prioritization will spend their finite capacity on measurable risk reduction rather than chasing volume.&lt;/p&gt;&lt;p&gt;The intelligence, the platform, and the evidence base exist to make that shift today. The volume is not going to slow down. The remediation window is not going to widen. The adversaries are not going to wait. 
What you can control is where you focus.&lt;/p&gt;&lt;p&gt;The data and threat-exposure mapping methodology presented here represent the beginning of a broader effort to give organizations a clearer view of what adversaries can actually reach in their environments. Tenable is expanding our ability to capture and integrate threat actor intelligence into customer-facing prioritization, and we look forward to sharing more of that work in the months ahead.&lt;/p&gt;&lt;p&gt;&lt;em&gt;Learn more about how &lt;/em&gt;&lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;em&gt;Tenable One Exposure Management Platform&lt;/em&gt;&lt;/a&gt;&lt;em&gt; helps organizations prioritize what matters in a world of accelerating vulnerability discovery.&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/Inside%20the%20customer%20environment%20-%20Where%20threat%20actors%2C%20vulnerabilities%2C%20and%20exposed%20assets%20intersect.png"&gt;
</description>
  <pubDate>Wed, 27 May 2026 12:25:00 -0400</pubDate>
    <dc:creator>Trevor Farthing</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210947</guid>
    </item>
<item>
  <title>EXPOSURE 2026 prepares cybersecurity professionals for the AI era</title>
  <link>https://www.tenable.com/blog/exposure-2026-prepares-cybersecurity-professionals-for-the-ai-era</link>
  <description>&lt;p&gt;Cybersecurity leaders and practitioners brought their burning AI cybersecurity questions to EXPOSURE 2026. They left with clear answers and a blueprint for building an exposure management program. Get a recap and see highlights from the event in words and pictures.&amp;nbsp;&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;&lt;strong&gt;Key takeaways&lt;/strong&gt;&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;As frontier AI models simultaneously accelerate the pace of vulnerability discovery and exploitation and drastically reduce the cost and complexity of launching attacks, cybersecurity faces a critical inflection point where traditional threat models and manual workflows are no longer viable.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;EXPOSURE 2026 gave&amp;nbsp;attendees&amp;nbsp;a much-needed opportunity to connect with peers, learn how they’re addressing the challenges of AI and building it into their workflows, and develop a game plan, with exposure management at its core, for protecting their organizations from AI-powered adversaries.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;figure role="group" class="align-center"&gt;
&lt;img alt="Tenable Co-CEOs Mark Thurmond and Steve Vintz discuss exposure management in the AI era at EXPOSURE 2026" data-entity-type="file" data-entity-uuid="80ee595c-8042-4b18-b62e-46bb7683109d" height="800" src="https://www.tenable.com/sites/default/files/inline/images/EXPOSURE%202026%20CO-CEOs_0.jpeg" width="1200" loading="lazy"&gt;
&lt;figcaption&gt;Tenable Co-CEOs Steve Vintz (right) and Mark Thurmond&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;For the cybersecurity leaders and practitioners who attended EXPOSURE 2026 in Boston this week, the event could not have come at a better time.&amp;nbsp;&lt;/p&gt;&lt;p&gt;While momentum for &lt;a href="https://www.tenable.com/exposure-management/resource-center"&gt;exposure management&lt;/a&gt; as a means to proactively reduce cyber risk has been building for more than a year, recent rapid advances in frontier AI models have made it even more critical.&amp;nbsp;&lt;/p&gt;&lt;p&gt;EXPOSURE ’26 attendees arrived at Boston’s historic Park Plaza Hotel on Monday, May 18, 2026, just six weeks after Anthropic unveiled its groundbreaking frontier model, &lt;a href="https://www.tenable.com/blog/claude-mythos-prepare-for-AI-cybersecurity-questions-from-your-board-of-directors"&gt;Claude Mythos Preview&lt;/a&gt;. They showed up with pressing questions about securing AI, the impact of frontier AI models on cybersecurity, and how exposure management can address all that and more.&amp;nbsp;&lt;/p&gt;&lt;p&gt;They left with clear answers, following an intensive day of training and two days of thought-provoking mainstage and breakout sessions featuring Anthropic Field CTO (Cyber) Brett Andrews, CISOs from GEICO, Smithfield Foods, Munich Re, and EōS Fitness, and Tenable experts.&amp;nbsp;&lt;/p&gt;&lt;p&gt;EXPOSURE 2026 gave attendees a rare opportunity to catch their breath amid the escalating, machine-speed pace of cybersecurity. It kicked off with an immersive day of training that provided attendees with a blueprint for building a successful exposure management program. 
And it offered them a chance to compare notes with peers and work collaboratively to develop a game plan for protecting their organizations from AI-powered adversaries with exposure management at its core.&amp;nbsp;&lt;/p&gt;&lt;h2&gt;Cybersecurity’s quadruple AI challenge&lt;/h2&gt;&lt;p&gt;Four challenges that AI creates for cybersecurity underpinned every session at EXPOSURE 2026:&amp;nbsp;&lt;/p&gt;&lt;ol&gt;&lt;li&gt;Frontier AI models like Anthropic’s Claude Opus 4.6 and Mythos make it vastly faster, easier, and more economical for threat actors to discover new vulnerabilities and build exploits for them.&lt;/li&gt;&lt;li&gt;AI creates new attack vectors (e.g., prompt injection, jailbreaks, model poisoning, context poisoning in memory, etc.) that traditional cybersecurity controls weren’t designed to address.&lt;/li&gt;&lt;li&gt;AI expands every organization’s attack surface, giving threat actors even more entry points to exploit.&lt;/li&gt;&lt;li&gt;AI functions as a force-multiplier for threat actors, giving them speed and the advanced, 32-step reasoning capabilities required to autonomously execute an entire network attack chain.&lt;/li&gt;&lt;/ol&gt;&lt;figure role="group" class="align-center"&gt;
&lt;img alt="Anthropic Field CTO Brett Andrews speaks with Eitan Goldstein from Tenable about the impact of frontier models on cybersecurity at EXPOSURE 2026" data-entity-type="file" data-entity-uuid="5a2b5991-fa11-4e6c-bd8c-852a25773e5a" height="900" src="https://www.tenable.com/sites/default/files/inline/images/Brett%20Andrews%20Anthropic%20Field%20CTO.jpeg" width="1200" loading="lazy"&gt;
&lt;figcaption&gt;Anthropic Field CTO Brett Andrews (left) with Tenable SVP of Product Strategy Eitan Goldstein&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;Anthropic’s Andrews discussed the impact of frontier models on cybersecurity, the threat landscape, and how defenders can leverage AI to their advantage.&lt;/p&gt;&lt;p&gt;To illustrate what organizations are up against, several presentations highlighted the sharp contrast between the steady acceleration in vulnerability discovery and exploitation, and the simultaneous deceleration in organizations’ patching and remediation.&amp;nbsp;&lt;/p&gt;&lt;figure role="group" class="align-center"&gt;
&lt;img alt="Tenable CTO Vlad Korsunsky speaks about AI threats at EXPOSURE 2026" data-entity-type="file" data-entity-uuid="f5af746a-85d6-4b5b-968d-df0ba42a6b36" height="800" src="https://www.tenable.com/sites/default/files/inline/images/Vlad1_0.jpeg" width="1200" loading="lazy"&gt;
&lt;figcaption&gt;Tenable CTO Vlad Korsunsky&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;In 2021, for example, the median time to exploit was 84 days, according to &lt;a href="https://zerodayclock.com/collapse"&gt;Zero Day Clock&lt;/a&gt;. Today, it’s 1.6 days. Meanwhile, in 2025, it took organizations an average of 43 days to patch critical CVEs, up 34% from 32 days in 2024, according to data that Tenable Research contributed to the &lt;a href="https://www.tenable.com/blog/key-findings-from-the-verizon-dbir-2026"&gt;2026 Verizon Data Breach Investigations Report (DBIR)&lt;/a&gt;, which was released on the first day of EXPOSURE 2026.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Referencing additional data from the DBIR, Tenable Chief Product Officer Eric Doerr noted that 31% of breaches in 2025 began with an unpatched CVE as the initial access vector. This trend will likely intensify, as frontier AI models accelerate vulnerability discovery, unless security teams adapt.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Doerr also spoke to data from Tenable showing that nearly two-thirds of breaches begin with something that isn’t a CVE, such as a misconfiguration, stolen credential, or exposed secret. He used this stat to prove the point that if you’re only concerned about CVEs, you’re leaving two-thirds of your organization’s attack surface exposed. It’s this other attack surface beyond just CVEs that exposure management addresses.&amp;nbsp;&lt;/p&gt;&lt;figure role="group" class="align-center"&gt;
&lt;img alt="Tenable Chief Product Officer Eric Doerr talks about AI and exposure manAgement at EXPOSURE 2026" data-entity-type="file" data-entity-uuid="f4f08d6f-8bb4-4516-987d-e48a2b609b98" height="800" src="https://www.tenable.com/sites/default/files/inline/images/Eric%20puts%20AI%20to%20work.jpeg" width="1200" loading="lazy"&gt;
&lt;figcaption&gt;Tenable Chief Product Officer Eric Doerr&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;h2&gt;AI-powered exposure management: the blueprint for preemptive defense&lt;/h2&gt;&lt;p&gt;Presenters used these and other statistics from the DBIR, Tenable’s own telemetry, and other sources to make the case for cybersecurity transformation focused on a preemptive and much more autonomous defense.&amp;nbsp;&lt;/p&gt;&lt;p&gt;They showed how explosive, enterprisewide adoption of AI combined with AI-enabled threat actors requires that organizations build these exposure management capabilities into their cybersecurity programs:&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Unified visibility -&lt;/strong&gt; Continuous, deterministic asset discovery across the entire hybrid attack surface, capturing every vulnerability, misconfiguration, and excessive permission across on-prem and cloud infrastructure, OT environments, and the rapidly expanding AI attack surface.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Contextual, AI-powered insights -&lt;/strong&gt; Moving past standard CVSS scores to focus on real-world exploitability and business impact, and mapping viable attack paths to understand exactly how an attacker could move laterally toward core assets.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Machine-speed action -&lt;/strong&gt; Shifting from manual workflows to automated, orchestrated fixes. Because human teams cannot triage alerts at machine speed, organizations must deploy agentic AI workflows with appropriate guardrails, including human oversight, to proactively harden posture and isolate active threats.&lt;/li&gt;&lt;/ul&gt;&lt;figure role="group" class="align-center"&gt;
&lt;img alt="Tenable CSO Robert Huber speaks about AI and exposure management at EXPOSURE 2026" data-entity-type="file" data-entity-uuid="3ebc336f-9d4b-4d66-9dff-8a4aa8b695b9" height="800" src="https://www.tenable.com/sites/default/files/inline/images/Tenable%20CSO%20Robert%20Huber.jpeg" width="1200" loading="lazy"&gt;
&lt;figcaption&gt;Tenable CSO Robert Huber&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;Tenable CSO Robert Huber shared &lt;a href="https://www.tenable.com/blog/how-exposure-management-has-helped-tenable-reduce-risk-and-align-with-the-business"&gt;his experience&lt;/a&gt; transforming his vulnerability management program and team into an exposure management program and team, a transformation that began two years ago. The impetus was the challenge that Huber and his team faced every quarter when he needed to report on cyber risk to the board of directors: His team had to manually gather, aggregate, harmonize, and analyze data from 50 different security tools that each had their own unique way of reporting on risk. Now, Huber’s team can produce reports in minutes. They’ve also extended their scope of visibility from less than 10,000 assets to more than 100,000 assets and reduced alert-to-ticket volume by 1,500 to 1, all with the same number of staff.&amp;nbsp;&lt;/p&gt;&lt;p&gt;A live &lt;a href="https://www.tenable.com/blog/agentic-ai-security-live-simulation-tenable-exposure-conference-2026"&gt;AI vs. AI attack simulation&lt;/a&gt; created and led by Tenable Researchers Robert McSulla and Ben Smith demonstrated the capabilities of a fully autonomous, agentic defense against a fully autonomous, agentic adversary.&amp;nbsp;&lt;/p&gt;&lt;p&gt;McSulla and Smith impressed several key points upon their audience, including:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;strong&gt;Speed is not the only factor in AI-driven attacks.&lt;/strong&gt; Yes, AI makes threat actors faster. It also makes them smarter. 
The demo showed how the adversarial agents reason, make decisions, adapt, and find new, unmapped attack surfaces.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Defenders can gain the same advantages as attackers.&lt;/strong&gt; Defensive agents proactively assess posture, develop and deploy patches for vulnerabilities, and take other hardening actions to reduce risk and mitigate threats.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Security leaders and their teams need to get comfortable with autonomous defense.&lt;/strong&gt; Consider your tolerance for fully autonomous defensive agents: Would you let them shut down a service, configure firewall rules, rotate credentials, or write and deploy patches? That’s what it takes to keep up with agentic attacks that achieve their objectives within three minutes.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;It’s time to build a governance framework for agentic defense. &lt;/strong&gt;McSulla and Smith built a governance framework for the defensive agents in their simulation that determines intent, evaluates severity levels, and applies rules, such as when to require a human to make a decision or take an action.&lt;/li&gt;&lt;/ol&gt;&lt;figure role="group" class="align-center"&gt;
&lt;img alt="Bob McSulla and Ben Smith, Researchers at Tenable, at EXPOSURE 2026" data-entity-type="file" data-entity-uuid="fdccc11e-7507-4f02-9282-b68a9ab0d1e1" height="800" src="https://www.tenable.com/sites/default/files/inline/images/Ben%20and%20Bob_0.jpeg" width="1200" loading="lazy"&gt;
&lt;figcaption&gt;Bob McSulla (left) and Ben Smith&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;h2&gt;Custom kicks and other fun&amp;nbsp;&lt;/h2&gt;&lt;p&gt;Amid the seriousness of cybersecurity, attendees got to pick out custom Converse sneakers featuring Tenable’s iconic new branding.&amp;nbsp;&lt;/p&gt;&lt;figure role="group" class="align-center"&gt;
&lt;img alt="Custom Tenable branded Converse Sneakers at EXPOSURE 2026" data-entity-type="file" data-entity-uuid="26b6e03f-8274-43a6-a5bc-b70d26826b67" height="800" src="https://www.tenable.com/sites/default/files/inline/images/EXPOSURE%202026%20Converse%20sneaker%20bar_0.jpeg" width="1200" loading="lazy"&gt;
&lt;figcaption&gt;The "Sneaker Bar" at EXPOSURE 2026&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;EXPOSURE attendees also had the chance to experience the perfect summer evening at Fenway Park, home of the Boston Red Sox.&amp;nbsp;&lt;/p&gt;&lt;figure role="group" class="align-center"&gt;
&lt;img alt="Fenway Park at EXPOSURE 2026" data-entity-type="file" data-entity-uuid="23170cf2-5d5c-4251-a150-33716bb95bf4" height="900" src="https://www.tenable.com/sites/default/files/inline/images/Fenway%20Park%20EXPOSURE%202026_0.jpeg" width="1200" loading="lazy"&gt;
&lt;figcaption&gt;An evening at Fenway Park during EXPOSURE 2026&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;h2&gt;Tenable announcements at EXPOSURE 2026&amp;nbsp;&lt;/h2&gt;&lt;p&gt;EXPOSURE 2026 was punctuated by a host of significant announcements from Tenable, including:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;The &lt;a href="https://www.tenable.com/blog/implement-agentic-ai-in-cybersecurity-to-reduce-risk-tenable-hexa-ai"&gt;general availability of Tenable Hexa AI&lt;/a&gt;, the agentic engine of the Tenable One Exposure Management Platform that gives preemptive security teams capabilities to operate at machine speed.&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/press-releases/tenable-partners-with-anthropic-for-ai-driven-exposure-management"&gt;New AI initiatives with Anthropic&lt;/a&gt; to increase the agentic capabilities of Tenable One.&lt;/li&gt;&lt;li&gt;A &lt;a href="https://www.tenable.com/press-releases/tenable-partners-with-anthropic-for-ai-driven-exposure-management"&gt;strategic integration with the Claude Compliance API&lt;/a&gt; designed to help customers improve their visibility into Claude usage across their organizations.&lt;/li&gt;&lt;li&gt;The release of the &lt;a href="https://www.tenable.com/blog/new-tenable-one-open-connector-extends-third-party-integrations-unified-risk-visibility"&gt;Tenable One Open Connector&lt;/a&gt;, which allows customers to bring third-party, custom, and internal data from any source into Tenable One.&lt;/li&gt;&lt;li&gt;The launch of the &lt;a href="https://www.tenable.com/press-releases/tenable-launches-open-partner-exchange-network-open"&gt;Tenable Open Partner Exchange Network&lt;/a&gt;.&lt;/li&gt;&lt;li&gt;The Tenable Research team’s prolific contributions to the &lt;a href="https://www.tenable.com/blog/key-findings-from-the-verizon-dbir-2026"&gt;2026 Verizon Data Breach Investigations Report&lt;/a&gt;.&lt;/li&gt;&lt;/ol&gt;&lt;img src="https://www.tenable.com/sites/default/files/inline/images/Your_exposure_ends_here.jpeg" data-entity-uuid="a37072f2-8ed2-4480-be18-623dd36c65a5" data-entity-type="file" 
alt="EXPOSURE 2026 TENABLE YOUR EXPOSURE ENDS HERE" width="900" height="1200" loading="lazy"&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/image%20%2811%29.png"&gt;
</description>
  <pubDate>Tue, 26 May 2026 10:07:00 -0400</pubDate>
    <dc:creator>Team Tenable</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210939</guid>
    </item>
<item>
  <title>Mini Shai-Hulud: Frequently asked questions about the TeamPCP npm and PyPI supply chain campaign</title>
  <link>https://www.tenable.com/blog/mini-shai-hulud-frequently-asked-questions</link>
  <description>&lt;p&gt;&lt;strong&gt;A self-propagating worm has compromised more than 170 npm and PyPI packages, defeating provenance attestation and breaching OpenAI and Mistral AI. Here is what you need to know.&lt;/strong&gt;&lt;/p&gt;&lt;h2&gt;Key takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;&lt;strong&gt;Mini Shai-Hulud&lt;/strong&gt; is a self-propagating worm by TeamPCP that steals developer and cloud credentials across the npm and PyPI ecosystems.&lt;/li&gt;&lt;li&gt;The campaign achieved a critical security first by compromising packages with valid &lt;strong&gt;SLSA Build Level 3 provenance attestations&lt;/strong&gt;, proving that process integrity controls can be defeated.&lt;/li&gt;&lt;li&gt;Any system that installed a compromised package must be treated as fully compromised.&lt;/li&gt;&lt;/ol&gt;&lt;h2&gt;Background&lt;/h2&gt;&lt;p&gt;Between September 2025 and May 2026, a threat group tracked as TeamPCP has conducted a series of coordinated supply chain attacks across the npm and PyPI package ecosystems. The campaign, which the group calls Shai-Hulud, uses a self-propagating worm that steals developer and cloud credentials, then leverages those credentials to publish poisoned versions of additional packages. Each compromised continuous integration and continuous deployment (CI/CD) pipeline becomes a new distribution vector, enabling exponential spread. The current iteration is known as Mini Shai-Hulud.&lt;/p&gt;&lt;p&gt;Tenable’s Research Special Operations Team (RSO) has compiled this FAQ to discuss what Mini Shai-Hulud is, how the campaign operates, who has been affected and what organizations should do to protect their software supply chains.&lt;/p&gt;&lt;h2&gt;FAQ&lt;/h2&gt;&lt;p&gt;&lt;strong&gt;What is Mini Shai-Hulud?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Mini Shai-Hulud is a multi-wave supply chain attack campaign that targets the npm and PyPI open-source package registries. 
The name, chosen by the threat group TeamPCP, is a reference to the sandworms in Frank Herbert's "Dune" novels, and the campaign carries a consistent Dune-universe theme throughout its infrastructure (dead-drop repository branch names, marker strings and operational messaging all draw from the Dune lexicon).&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What is the difference between Shai-Hulud and Mini Shai-Hulud?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Shai-Hulud is the worm family. Mini Shai-Hulud is the current generation of that worm and the name TeamPCP uses for the active campaign.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;When did these campaigns start?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The original Shai-Hulud worm appeared in September 2025 as the first self-replicating malware observed in the npm ecosystem. It could steal maintainer tokens and use them to publish poisoned versions of other packages without further attacker input.&lt;/p&gt;&lt;p&gt;A second generation, sometimes called &lt;a href="https://www.tenable.com/blog/faq-about-sha1-hulud-2-0-the-second-coming-of-the-npm-supply-chain-campaign"&gt;SHA1-Hulud&lt;/a&gt;, surfaced in November 2025 with updated wiper functionality and improved credential harvesting.&lt;/p&gt;&lt;p&gt;A third variant, designated SANDWORM_MODE, introduced adaptive targeting that allowed the worm to enumerate CI/CD pipeline structures before deciding how to propagate. Each generation directly addressed the detection and takedown techniques applied to its predecessor, suggesting the operators monitored defensive responses and adapted accordingly.&lt;/p&gt;&lt;p&gt;Mini Shai-Hulud is the fourth generation, active since late April 2026. The "Mini" is TeamPCP's own ironic branding; in practice, this variant is far more destructive than the original. 
Its distinguishing capabilities include:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;SLSA Build Level 3 provenance attestation forgery (allowing malicious packages to pass cryptographic verification)&lt;/li&gt;&lt;li&gt;OIDC token extraction directly from GitHub Actions runner process memory&lt;/li&gt;&lt;li&gt;Persistence hooks targeting AI coding agents and developer IDEs&lt;/li&gt;&lt;li&gt;Cross-ecosystem propagation spanning both npm and PyPI&lt;/li&gt;&lt;li&gt;Triple-redundant credential exfiltration through a dedicated command-and-control server&lt;/li&gt;&lt;/ul&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;Iteration&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Name&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;First Observation&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;First&lt;/td&gt;&lt;td&gt;Shai-Hulud&lt;/td&gt;&lt;td&gt;September 2025&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Second&lt;/td&gt;&lt;td&gt;SHA1-Hulud&lt;/td&gt;&lt;td&gt;November 2025&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Third&lt;/td&gt;&lt;td&gt;SANDWORM_MODE&lt;/td&gt;&lt;td&gt;March 2026&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Fourth&lt;/td&gt;&lt;td&gt;Mini Shai-Hulud&lt;/td&gt;&lt;td&gt;April 2026&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;What are the vulnerabilities associated with Mini Shai-Hulud?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The TanStack compromise has been assigned a single CVE:&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;CVE&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Description&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;CVSSv3&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;VPR&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;CVE-2026-45321&lt;/td&gt;&lt;td&gt;Malicious code injection in 42 @tanstack packages 
via three chained GitHub Actions&lt;/td&gt;&lt;td&gt;9.6&lt;/td&gt;&lt;td&gt;9.2&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;p&gt;*Please note: Tenable’s &lt;a href="https://www.tenable.com/capabilities/vulnerability-priority-rating"&gt;Vulnerability Priority Rating (VPR)&lt;/a&gt; scores are calculated nightly. This blog post was published on May 21, 2026 and reflects VPR at that time.&lt;/p&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;What is CVE-2026-45321?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="https://www.tenable.com/cve/CVE-2026-45321"&gt;CVE-2026-45321&lt;/a&gt; describes a chained exploitation of three weaknesses in TanStack's GitHub Actions CI/CD configuration. The attacker created a fork of the TanStack/router repository under a renamed account to avoid detection, then opened a pull request that triggered a pull_request_target workflow. This workflow executed code from the attacker's fork in the base repository's trusted context, allowing the attacker to poison the GitHub Actions cache with malicious binaries. When legitimate maintainer pull requests were later merged, the release workflow restored the poisoned cache. Attacker-controlled code then extracted OpenID Connect (OIDC) tokens directly from the runner's process memory and exchanged them with npm's federation endpoint for full publish credentials.&lt;/p&gt;&lt;p&gt;The result was 84 malicious package versions published across 42 TanStack packages in under six minutes, all carrying valid SLSA Build Level 3 provenance attestations from Sigstore.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Are there other CVEs associated with Mini Shai-Hulud?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;At present, only CVE-2026-45321 has been assigned. It applies specifically to the TanStack wave of the campaign. 
The broader Mini Shai-Hulud campaign exploits CI/CD trust relationships and stolen credentials rather than traditional software vulnerabilities.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Which threat actors are behind this campaign?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Multiple independent security firms attribute the campaign to TeamPCP, a financially motivated cybercriminal group that emerged in late 2025. Google's Threat Intelligence Group tracks the group as UNC6780. Other tracked aliases include DeadCatx3, PCPcat, ShellForce, and CipherForce, according to Snyk and Palo Alto Networks Unit 42.&lt;/p&gt;&lt;p&gt;TeamPCP is assessed as responsible for several prior high-profile supply chain compromises, including the Aqua Security Trivy scanner compromise (March 2026), the Bitwarden CLI npm compromise (April 2026), the Checkmarx Jenkins AST Plugin backdoor (May 2026) and GitHub (May 2026). Unit 42 has documented TeamPCP's announced partnership with the Vect ransomware group, suggesting the credential harvesting pipeline may serve as an initial access pathway for ransomware deployment.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What organizations have been affected?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;At least four organizations have publicly confirmed breaches linked to the campaign:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;OpenAI&lt;/strong&gt; disclosed on May 15 that two employee devices in its corporate environment were compromised after ingesting a malicious TanStack package. Limited credential material was exfiltrated from internal source code repositories, including code-signing certificates for macOS, Windows, iOS, and Android applications. OpenAI is rotating those certificates and requiring all macOS users to update their applications before June 12, 2026. 
The company stated it found no evidence that customer data, production systems, or intellectual property were compromised.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Mistral AI&lt;/strong&gt; confirmed that a codebase management system was compromised and SDK packages were contaminated. Non-core code repositories were accessed. On May 17, a TeamPCP-linked forum account claimed to be selling alleged Mistral AI repositories.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;The European Commission (europa.eu)&lt;/strong&gt; was reportedly affected by the earlier Trivy wave in March 2026, with over 90 gigabytes of data exfiltrated according to ReversingLabs reporting.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;GitHub&lt;/strong&gt; disclosed on May 19 that it was investigating claims made by TeamPCP after the group posted GitHub source code for sale. Shortly after, it confirmed that roughly 3,800 internal repositories were breached. The root cause was a trojanized Visual Studio Code extension that had been installed by an employee. That extension was &lt;a href="https://github.blog/security/investigating-unauthorized-access-to-githubs-internal-repositories/"&gt;&lt;u&gt;later revealed&lt;/u&gt;&lt;/a&gt; to be Nx Console; a malicious copy of the extension was available for around 18 minutes on the Visual Studio Marketplace. According to the Nx Console &lt;a href="https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w"&gt;&lt;u&gt;security advisory&lt;/u&gt;&lt;/a&gt;, the root cause was a developer's account that had been compromised via the TanStack supply-chain compromise. The leaked credentials were then abused to run workflows on the Nx Console GitHub repository.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Beyond named victims, the campaign has compromised over 170 packages spanning both npm and PyPI with more than 518 million cumulative weekly downloads. 
&lt;a href="https://www.ox.security/blog/shai-hulud-open-source-malware-github/"&gt;&lt;u&gt;OX Security data&lt;/u&gt;&lt;/a&gt; shows that at least 400 GitHub repositories of stolen credentials were created as part of the campaign.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;How does the worm spread?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The campaign's core mechanism is a self-propagating worm. When a developer or CI/CD runner installs a compromised package, the malware executes during installation and harvests credentials stored on the system, including npm tokens, GitHub personal access tokens, AWS credentials, Kubernetes secrets, SSH keys and HashiCorp Vault tokens. The worm then uses those harvested credentials to publish poisoned versions of other packages the victim has access to, creating a chain reaction that spreads across the ecosystem without requiring further action from the attacker.&lt;/p&gt;&lt;p&gt;Mini Shai-Hulud employs three distinct attack chains depending on the access conditions available:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Token theft and automated mass-publish&lt;/strong&gt; is the most common method. The attacker compromises an npm maintainer account or token through prior credential harvesting, then runs an automated script that publishes trojanized versions of every package accessible to the compromised account. The trojanized packages include a preinstall hook that downloads the Bun JavaScript runtime and executes a large, obfuscated credential-stealing payload before the dependency installation completes.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;OIDC hijack with provenance defeat&lt;/strong&gt; was used in the TanStack wave and represents the most technically sophisticated variant. 
Instead of stealing a stored credential, the attacker extracted a short-lived OIDC token from the runner's process memory, allowing publication through the project's own trusted pipeline with valid cryptographic attestation.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;PyPI injection&lt;/strong&gt; targets Python packages through compromised maintainer accounts. A dropper injected into the package's initialization file downloads a separate malicious payload from attacker-controlled infrastructure.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;All three chains converge on the same post-exploitation behavior: credentials are exfiltrated through three redundant channels (a dedicated command-and-control server, the decentralized Session messenger network and GitHub API dead drops), and the harvested tokens are used to propagate the worm to additional packages.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Why is the SLSA provenance defeat significant?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;SLSA (Supply-chain Levels for Software Artifacts) is a framework for verifying that software was built from a trusted source through a trusted process. Build Level 3, the highest practical level, requires cryptographic provenance generated by the build system itself, verified through Sigstore. Running npm audit signatures on a Level 3-attested package should confirm that the package was built exactly as the maintainer intended.&lt;/p&gt;&lt;p&gt;The Mini Shai-Hulud TanStack wave demonstrated that provenance attestation can verify that the build pipeline is legitimate without verifying that the code being built is safe. Because the attacker hijacked the legitimate pipeline itself (rather than publishing from an unauthorized account), the resulting packages carried valid attestations. Organizations that relied on provenance verification as a primary supply chain security control were unable to detect the compromise.&lt;/p&gt;&lt;p&gt;This finding has implications beyond this specific campaign. 
Any security control that verifies process integrity without independently verifying code integrity is vulnerable to the same class of attack. Provenance remains valuable but is no longer sufficient as a standalone trust signal for open-source packages. When malicious code can bypass cryptographic build verification, code scanning cannot live in a vacuum; it must be continuously validated alongside identity entitlements and runtime posture.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What about the open-sourced code and copycat attacks?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;On May 12, 2026, TeamPCP published the Shai-Hulud worm source code on GitHub under an MIT License with the message: "Shai-Hulud: Open Sourcing The Carnage." The release included operational guidance encouraging users to customize encryption keys and infrastructure for their own campaigns. TeamPCP simultaneously announced a $1,000 contest on BreachForums for the largest supply chain attack using the code.&lt;/p&gt;&lt;p&gt;&lt;a href="https://www.ox.security/blog/new-actors-deploy-shai-hulud-clones-teampcp-copycats-are-here/"&gt;&lt;u&gt;OX Security&lt;/u&gt;&lt;/a&gt; detected four malicious npm packages from separate threat actors deploying Shai-Hulud clones in May 2026, including chalk-tempalte (a typosquat of the popular Chalk library), @deadcode09284814/axios-util, axois-utils, and color-style-utils. 
These copycat packages use the open-sourced worm code with modified command-and-control infrastructure and credential exfiltration targets.&lt;/p&gt;&lt;p&gt;A rival worm called &lt;a href="https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/"&gt;&lt;u&gt;PCPJack&lt;/u&gt;&lt;/a&gt; has also been observed actively evicting TeamPCP infections while stealing credentials independently, adding further complexity to the threat landscape.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Is CVE-2026-45321 in the CISA Known Exploited Vulnerabilities (KEV) catalog?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;As of May 20, 2026, CVE-2026-45321 is not listed in the CISA KEV catalog. NHS England issued a security alert related to the campaign, but no public advisory from CISA has been published.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What should organizations do?&lt;/strong&gt;&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;strong&gt;Scan your dependency trees immediately.&lt;/strong&gt; Check lockfiles and CI logs for any affected package versions across the @tanstack, @uipath, @mistralai, @opensearch-project, @antv, and @squawk namespaces. Community-maintained detection scripts can assist, though organizations should verify third-party scanning tools before deployment.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Check for persistence before revoking tokens.&lt;/strong&gt; The worm installs a gh-token-monitor daemon (via systemd on Linux or launchctl on macOS) that polls GitHub every 60 seconds and triggers a recursive file deletion if it detects that the token has been revoked. 
Search for and remove this daemon, as well as injected tasks in .vscode/tasks.json and Claude Code hooks in ~/.claude/settings.json, &lt;em&gt;before&lt;/em&gt; rotating credentials.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Rotate all credentials on potentially affected systems.&lt;/strong&gt; If exposure is suspected, rotate GitHub tokens, npm tokens, AWS credentials, HashiCorp Vault tokens, Kubernetes service accounts, Docker credentials, and CI/CD secrets. Treat any system that installed a compromised package version as fully compromised.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Harden CI/CD pipeline configurations.&lt;/strong&gt; Replace pull_request_target workflows with pull_request for any workflow that executes code from pull requests. Pin all GitHub Actions and workflow steps to immutable commit SHAs rather than tags or branches. Implement cache isolation between fork-originated and maintainer-originated workflows. Restrict secret access to named workflow steps using the GitHub Actions permissions key.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Implement structural dependency controls.&lt;/strong&gt; Deploy --ignore-scripts as the default for npm installs with explicit allowlisting for trusted lifecycle hooks. Pin all dependencies to exact versions and enforce lockfile integrity verification in CI. Consider implementing minimumReleaseAge policies to delay automatic installation of newly published versions.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Audit for credential storage on developer machines.&lt;/strong&gt; The payload targets more than 80 environment variables and filesystem paths, including .aws/credentials, .npmrc, .ssh/ directories, .kube/config, and .docker/config.json. 
Transition from long-lived filesystem credentials to short-lived tokens and ephemeral CI/CD environments wherever possible.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Monitor for campaign indicators.&lt;/strong&gt; Watch for network connections to 83.142.209[.]194, DNS queries to getsession[.]org endpoints from CI runners, and GitHub repository creation matching Dune-themed naming patterns. Organizations with Software Composition Analysis tools should ensure their rulesets include the campaign's known payload hashes and behavioral indicators.&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;strong&gt;Has Tenable released any product coverage for these vulnerabilities?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Yes, Tenable customers can use &lt;a href="https://www.tenable.com/products/tenable-one"&gt;Tenable One Exposure Management Platform&lt;/a&gt; to assess their exposure surface related to Mini Shai-Hulud. Tenable One provides visibility into software dependencies and CI/CD pipeline configurations, enabling organizations to identify potentially compromised packages within their environments and prioritize remediation based on their specific exposure context.&lt;/p&gt;&lt;p&gt;&lt;a href="https://www.tenable.com/cloud-security/products/cnapp"&gt;Tenable One Cloud Exposure Management&lt;/a&gt; provides immediate inventory and prioritization coverage across five dimensions:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Continuous package inventory across every cloud workload allowing you to scan container images, VMs, and registry artifacts to maintain a live software bill of materials (SBOM). The moment indicators of compromise (IOCs) publish, Tenable identifies every asset pulling the compromised versions.&lt;/li&gt;&lt;li&gt;Reachability and exploitability context. 
This is where Tenable One Cloud Exposure Management separates from list-based software composition analysis (SCA), determining whether the compromised package is actually loaded at runtime, whether the workload is internet-exposed and whether the malicious code path executes on import.&lt;/li&gt;&lt;li&gt;Pipeline-to-cloud lineage. Tenable One Cloud Exposure Management traces compromised packages back through CI/CD to the build artifacts they produced, through runtime. Tenable also provides runtime reachability analysis with eBPF scanning and AI-powered Threat Stories, adding yet another actionable layer of threat discovery and response.&lt;/li&gt;&lt;li&gt;Asset-criticality prioritization. Tenable ranks findings by business context, identity blast radius via cloud infrastructure entitlement management (CIEM), and data sensitivity via data security posture management (DSPM) so response teams work the highest-risk assets first.&lt;/li&gt;&lt;li&gt;Unified findings inside Tenable One. SCA hits don’t sit in isolation. They land alongside CSPM misconfigurations, identity exposures, and runtime signals from CDR, correlated by &lt;a href="https://www.tenable.com/products/tenable-one/capabilities/hexa-ai"&gt;Hexa AI&lt;/a&gt; into a single prioritized exposure. The SCA finding joins to the IAM role that pipeline assumes, the secrets it can access and the data those secrets unlock.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Additionally, a list of Tenable plugins for &lt;a href="https://www.tenable.com/cve/CVE-2026-45321/plugins"&gt;&lt;u&gt;CVE-2026-45321&lt;/u&gt;&lt;/a&gt; can be found on the individual CVE page as they’re released. 
Coverage for the original Shai-Hulud variants can be found in plugin ID &lt;a href="https://www.tenable.com/plugins/nessus/265897"&gt;&lt;u&gt;265897&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;These links will display all available plugins for these vulnerabilities, including upcoming plugins in our &lt;a href="https://www.tenable.com/plugins/pipeline"&gt;&lt;u&gt;Plugins Pipeline&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;h3&gt;Get more information&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"&gt;&lt;u&gt;StepSecurity: Mini Shai-Hulud is Back&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised"&gt;&lt;u&gt;Wiz: Mini Shai-Hulud Strikes Again&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://snyk.io/blog/tanstack-npm-packages-compromised/"&gt;&lt;u&gt;Snyk: TanStack npm Packages Hit by Mini Shai-Hulud&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.akamai.com/blog/security-research/mini-shai-hulud-worm-returns-goes-public"&gt;&lt;u&gt;Akamai: Mini Shai-Hulud: The Worm Returns and Goes Public&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://openai.com/index/our-response-to-the-tanstack-npm-supply-chain-attack/"&gt;&lt;u&gt;OpenAI: Our Response to the TanStack npm Supply Chain Attack&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.reversinglabs.com/blog/the-shai-hulud-code-drop"&gt;&lt;u&gt;ReversingLabs: Shai-Hulud Code Drop&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://tanstack.com/blog/npm-supply-chain-compromise-postmortem"&gt;&lt;u&gt;TanStack Postmortem&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.ox.security/blog/new-actors-deploy-shai-hulud-clones-teampcp-copycats-are-here/"&gt;&lt;u&gt;OX Security: New Actors Deploy Shai-Hulud 
Clones&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Join &lt;/strong&gt;&lt;/em&gt;&lt;a href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable's Research Special Operations (RSO) Team&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt; on Tenable Connect for further discussions on the latest cyber threats.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Learn more about &lt;/strong&gt;&lt;/em&gt;&lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable One&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt;, the Exposure Management Platform for the modern attack surface.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/Mini%20Shai-Hulud.png"&gt;
</description>
  <pubDate>Thu, 21 May 2026 11:28:22 -0400</pubDate>
    <dc:creator>Research Special Operations</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210934</guid>
    </item>
<item>
  <title>CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004)</title>
  <link>https://www.tenable.com/blog/cve-2026-9082-highly-critical-sql-injection-vulnerability-in-drupal-core-sa-core-2026-004</link>
  <description>&lt;p&gt;&lt;strong&gt;A highly critical SQL injection vulnerability in Drupal core's database abstraction layer affects sites running PostgreSQL.&lt;/strong&gt;&lt;/p&gt;&lt;div class="blog-change-log" id="blog-change-log"&gt;&lt;div class="blog-change-log-head"&gt;&lt;h3&gt;Change log&lt;/h3&gt;&lt;/div&gt;&lt;div class="col-sm-12 blog-change-log-content"&gt;&lt;p&gt;&lt;strong&gt;Update May 27:&lt;/strong&gt; The blog has been updated to include reports of observed exploitation attempts.&lt;/p&gt;&lt;details&gt;&lt;summary&gt;&lt;strong&gt;Click here to review the change log history&lt;/strong&gt;&lt;/summary&gt;&lt;article&gt;&lt;section&gt;&lt;p&gt;&lt;strong&gt;Update May 27:&lt;/strong&gt; The blog has been updated to include reports of observed exploitation attempts.&lt;/p&gt;&lt;/section&gt;&lt;/article&gt;&lt;/details&gt;&lt;/div&gt;&lt;/div&gt;&lt;h2&gt;Key Takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core's database abstraction API that can be exploited by unauthenticated attackers on sites using PostgreSQL.&lt;/li&gt;&lt;li&gt;No exploitation has been observed in the wild, but a detection PoC was published on the same day as the advisory and the patch diff was shared publicly within hours.&lt;/li&gt;&lt;li&gt;Patches are available across six supported Drupal branches, including two exceptional releases for end-of-life versions.&lt;/li&gt;&lt;/ol&gt;&lt;h2&gt;Background&lt;/h2&gt;&lt;p&gt;On May 20, Drupal published a &lt;a href="https://www.drupal.org/sa-core-2026-004"&gt;&lt;u&gt;security advisory&lt;/u&gt;&lt;/a&gt; (SA-CORE-2026-004) for a highly critical SQL injection vulnerability in Drupal core:&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table 
class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;CVE&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Description&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;CVSSv3&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;CVE-2026-9082&lt;/td&gt;&lt;td&gt;Drupal Core SQL Injection Vulnerability&lt;/td&gt;&lt;td&gt;6.5&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;The advisory was preceded by a &lt;a href="https://www.drupal.org/psa-2026-05-18"&gt;&lt;u&gt;public service announcement&lt;/u&gt;&lt;/a&gt; (PSA-2026-05-18) on May 18, which warned administrators to prepare for a highly critical release and cautioned that exploitation could occur "within hours or days" of disclosure.&lt;/p&gt;&lt;p&gt;Drupal rates this vulnerability 20 out of 25 on its own risk scoring scale ("Highly Critical"), noting that the confidentiality impact includes "all non-public data accessible" and the integrity impact is "all data modifiable or deletable." NVD assigned a CVSSv3 score of 6.5, rating the confidentiality and integrity impacts as Low. Given the vendor's own characterization of impact and the unauthenticated attack vector, the Drupal risk rating better reflects the potential severity for affected configurations.&lt;/p&gt;&lt;h2&gt;Analysis&lt;/h2&gt;&lt;p&gt;&lt;a href="https://www.tenable.com/cve/CVE-2026-9082"&gt;&lt;u&gt;CVE-2026-9082&lt;/u&gt;&lt;/a&gt; is an SQL injection vulnerability in Drupal core's database abstraction API, specifically in the PostgreSQL EntityQuery condition handler. An unauthenticated, remote attacker can exploit this vulnerability by sending specially crafted requests to a vulnerable Drupal site running on PostgreSQL. 
Successful exploitation could lead to information disclosure, data modification or deletion, and in some configurations, privilege escalation or remote code execution.&lt;/p&gt;&lt;p&gt;User-controlled PHP array keys could reach SQL placeholder construction unsanitized. Drupal fixed this by applying ‘array_values()’ which strips attacker-supplied keys and replaces them with numeric indexes.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Scope: PostgreSQL only&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;This vulnerability only affects Drupal sites using PostgreSQL as their database backend. Sites running MySQL, MariaDB, or SQLite are not affected. The vulnerable code resides in Drupal’s PostgreSQL EntityQuery condition handler, which is only invoked on PostgreSQL configurations.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;No exploitation observed&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;At the time this blog post was published on May 21, Drupal's advisory describes the exploit status as "Theoretical," and no in-the-wild exploitation has been reported.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Historical exploitation of Drupal Core&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Drupal core has a well-documented history of critical vulnerabilities that attracted rapid mass exploitation. CISA's Known Exploited Vulnerabilities (KEV) catalog contains four Drupal entries, two of which have confirmed ransomware use. 
The Drupalgeddon vulnerabilities (CVE-2018-7600 and CVE-2018-7602) in particular became a case study in how quickly attackers weaponize Drupal flaws once details are available.&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;CVE&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Description&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Date Added&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Tenable Blogs&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2018-7600"&gt;&lt;u&gt;CVE-2018-7600&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Drupal Core Remote Code Execution (Drupalgeddon 2)&lt;/td&gt;&lt;td&gt;2021-11-03&lt;/td&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/blog/critical-drupal-core-vulnerability-what-you-need-to-know"&gt;&lt;u&gt;Critical Drupal Core Vulnerability: What You Need to Know&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2018-7602"&gt;&lt;u&gt;CVE-2018-7602&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Drupal Core Remote Code Execution (Drupalgeddon 3)&lt;/td&gt;&lt;td&gt;2022-04-13&lt;/td&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/blog/drupalgeddon-attacks-continue-on-sites-missing-security-updates-cve-2018-7600-cve-2018-7602"&gt;&lt;u&gt;Drupalgeddon Attacks Continue on Sites Missing Security Updates&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2019-6340"&gt;&lt;u&gt;CVE-2019-6340&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Drupal Core Arbitrary PHP Code Execution&lt;/td&gt;&lt;td&gt;2022-03-25&lt;/td&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/blog/highly-critical-drupal-security-advisory-released-sa-core-2019-003"&gt;&lt;u&gt;Highly Critical Drupal Security Advisory Released&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a 
href="https://www.tenable.com/cve/CVE-2020-13671"&gt;&lt;u&gt;CVE-2020-13671&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Drupal Core File Extension Sanitization&lt;/td&gt;&lt;td&gt;2022-01-18&lt;/td&gt;&lt;td&gt;--&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;h2&gt;Proof of concept&lt;/h2&gt;&lt;p&gt;On the same day as the security release, a &lt;a href="https://github.com/dinosn/drupal-sa-core-2026-004-lab"&gt;&lt;u&gt;detection PoC and reproduction lab&lt;/u&gt;&lt;/a&gt; was published. The patch diff was also shared on social media within hours of the release.&lt;/p&gt;&lt;p&gt;The minimal complexity of this patch, combined with the availability of &lt;a href="https://www.tenable.com/blog/why-the-approaching-flood-of-vulnerabilities-changes-everything-and-what-to-do-about-it"&gt;&lt;u&gt;AI-powered code analysis&lt;/u&gt;&lt;/a&gt; tools that can analyze diffs and &lt;a href="https://www.tenable.com/blog/claude-mythos-prepare-for-AI-cybersecurity-questions-from-your-board-of-directors"&gt;&lt;u&gt;assist in exploit development&lt;/u&gt;&lt;/a&gt;, compresses the timeline between patch release and weaponization. Historically, Drupal vulnerabilities of this severity have seen exploitation within hours to days of disclosure. 
Administrators running PostgreSQL-backed Drupal sites face a &lt;a href="https://www.tenable.com/blog/key-findings-from-the-verizon-dbir-2026"&gt;&lt;u&gt;shortening window&lt;/u&gt;&lt;/a&gt; to apply patches before exploitation attempts begin.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Update:&lt;/strong&gt; On May 22, Drupal &lt;a href="https://www.drupal.org/sa-core-2026-004"&gt;updated its advisory for CVE-2026-9082&lt;/a&gt; to increase its risk score because "exploit attempts are now being detected in the wild" while CISA &lt;a href="https://www.cisa.gov/news-events/alerts/2026/05/22/cisa-adds-one-known-exploited-vulnerability-catalog"&gt;added CVE-2026-9082 to the KEV&lt;/a&gt;.&lt;/p&gt;&lt;h2&gt;Solution&lt;/h2&gt;&lt;p&gt;Drupal has released fixed versions across all currently supported branches, as well as exceptional releases for two end-of-life branches due to the severity of this vulnerability:&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;Affected Versions&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Fixed Version&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Drupal 11.3.0 - 11.3.9&lt;/td&gt;&lt;td&gt;11.3.10&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Drupal 11.2.0 - 11.2.11&lt;/td&gt;&lt;td&gt;11.2.12&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Drupal 11.0.0 - 11.1.9&lt;/td&gt;&lt;td&gt;11.1.10 (EOL, exceptional release)&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Drupal 10.6.0 - 10.6.8&lt;/td&gt;&lt;td&gt;10.6.9&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Drupal 10.5.0 - 10.5.9&lt;/td&gt;&lt;td&gt;10.5.10&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Drupal 10.4.0 - 10.4.9&lt;/td&gt;&lt;td&gt;10.4.10 (EOL, exceptional release)&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;Sites running Drupal 8.9 or 9.5 have reached end-of-life and will not receive packaged updates. 
However, Drupal has published hotfix files for sites running 9.5.11 or 8.9.20. Sites on Drupal 7 are not affected.&lt;/p&gt;&lt;p&gt;Sites using &lt;a href="https://www.drupal.org/drupal-security-team/steward"&gt;&lt;u&gt;Drupal Steward&lt;/u&gt;&lt;/a&gt; are protected against known attack vectors for this vulnerability.&lt;/p&gt;&lt;p&gt;According to the &lt;a href="https://www.drupal.org/sa-core-2026-004"&gt;&lt;u&gt;security advisory&lt;/u&gt;&lt;/a&gt;, these releases also include coordinated upstream security updates for &lt;a href="https://symfony.com/"&gt;&lt;u&gt;Symfony&lt;/u&gt;&lt;/a&gt; and &lt;a href="https://github.com/twigphp/Twig"&gt;&lt;u&gt;Twig&lt;/u&gt;&lt;/a&gt;. These include separate vulnerabilities from CVE-2026-9082, but Drupal core is affected by some of them. Even sites not running PostgreSQL benefit from updating to these releases.&lt;/p&gt;&lt;h2&gt;Identifying affected systems&lt;/h2&gt;&lt;p&gt;A list of Tenable plugins for this vulnerability can be found on the individual CVE page for &lt;a href="https://www.tenable.com/cve/CVE-2026-9082/plugins"&gt;&lt;u&gt;CVE-2026-9082&lt;/u&gt;&lt;/a&gt; as they're released. 
This link will display all available plugins for this vulnerability, including upcoming plugins in our &lt;a href="https://www.tenable.com/plugins/pipeline"&gt;&lt;u&gt;Plugins Pipeline&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;Additionally, customers can utilize Tenable Attack Surface Management to identify public-facing assets running Drupal by using the following query: &lt;em&gt;&lt;strong&gt;CMS contains Drupal.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;img src="https://www.tenable.com/sites/default/files/inline/images/Screenshot%202026-05-21%20at%209.28.58%E2%80%AFAM.png" data-entity-uuid="c803318c-990e-40ae-acdb-f4284fa96baa" data-entity-type="file" alt="Tenable Attack Surface Management query for CMS contains Drupal" width="1200" height="460" loading="lazy"&gt;&lt;h3&gt;Get more information&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.drupal.org/sa-core-2026-004"&gt;&lt;u&gt;Drupal Security Advisory SA-CORE-2026-004&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.drupal.org/psa-2026-05-18"&gt;&lt;u&gt;Drupal PSA-2026-05-18: Pre-release announcement&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Join &lt;/strong&gt;&lt;a href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch?_gl=1*3shx5k*_gcl_au*MTYyNDA5NDcxOS4xNzc1NDgwNTI2*_ga*NTMxOTc1Nzc3LjE2ODIzNjY4NTY.*_ga_HSJ1XWV6ND*czE3NzkzNjkxNjAkbzk2MCRnMSR0MTc3OTM3MDU1OCRqNSRsMCRoMTkxMzI4NDE."&gt;&lt;strong&gt;Tenable's Research Special Operations (RSO) Team&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt; on Tenable Connect for further discussions on the latest cyber threats.&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Learn more about &lt;/strong&gt;&lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;strong&gt;Tenable One&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;, the Exposure Management Platform for the modern attack surface&lt;/strong&gt;.&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/Drupal-2026.png"&gt;
</description>
  <pubDate>Thu, 21 May 2026 09:25:37 -0400</pubDate>
    <dc:creator>Satnam Narang</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210933</guid>
    </item>
<item>
  <title>Tenable One deepens third-party integrations with new Open Connector for unified risk visibility</title>
  <link>https://www.tenable.com/blog/new-tenable-one-open-connector-extends-third-party-integrations-unified-risk-visibility</link>
  <description>&lt;p&gt;The days of rigid, vendor-locked security stacks are over. The Tenable One Open Connector amplifies Tenable One’s extensive capacity to ingest and consolidate third-party security data, giving you more complete visibility across your attack surface, so you can keep using your preferred cybersecurity tools.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;Key takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;The Tenable One Open Connector enables you to integrate data from previously unsupported sources of security data, eliminating silos and providing a more unified view of cyber risk.&lt;/li&gt;&lt;li&gt;Break free from vendor lock-in by ingesting and mapping data from the tools that work best for your business.&lt;/li&gt;&lt;li&gt;Automate data ingestion to ensure your exposure management decisions always use up-to-date data insights.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;If you’re running a security organization, you likely struggle with this persistent and disruptive problem: Security data is spread across too many disparate tools, making it nearly impossible to get a clear, unified picture of your organization’s overall risk exposure.&lt;/p&gt;&lt;p&gt;This is one of the fundamental challenges that an effective &lt;a href="https://www.tenable.com/exposure-management"&gt;exposure management&lt;/a&gt; program addresses.&lt;/p&gt;&lt;p&gt;One of the primary goals of the &lt;a href="https://www.tenable.com/products/tenable-one"&gt;Tenable One Exposure Management Platform&lt;/a&gt; is to serve as the central hub for unified risk reduction across your entire environment, including on-premises assets, cloud workloads, IoT devices, OT systems, AI tools, identity platforms, and more. 
With Tenable One, you can break down data-security silos that heterogeneous tools create and unify fragmented visibility into one place.&lt;/p&gt;&lt;p&gt;Earlier this year, Tenable introduced &lt;a href="https://www.tenable.com/products/tenable-one/connectors"&gt;Tenable One Connectors&lt;/a&gt;. To date, we have more than &lt;a href="https://www.tenable.com/press-releases/tenable-one-surpasses-300-integrations-delivering-the-security-industrys-most-open-exposure-management-platform"&gt;300 of these validated integrations&lt;/a&gt;, which give security teams the ability to integrate these tools and consolidate their data into Tenable One. These custom-built connectors have established Tenable One as one of the most open and interconnected &lt;a href="https://www.tenable.com/exposure-management"&gt;exposure management platforms&lt;/a&gt; on the market.&lt;/p&gt;&lt;p&gt;Now, we are delivering the final piece of the puzzle with the launch of the &lt;strong&gt;Tenable One Open Connector.&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;By expanding your reach beyond the 300-plus official integrations, the &lt;strong&gt;Tenable One Open Connector&lt;/strong&gt; allows you to ingest data from other unsupported tools, spreadsheets, and even homegrown internal systems. This includes everything from manual pentesting results and specialized security tools to custom internal configuration-management databases (CMDBs) and AI-driven security audits.&lt;/p&gt;&lt;h2&gt;A truly open approach to exposure management&lt;/h2&gt;&lt;p&gt;Unified visibility across your attack surface provides context to see how individual risks relate to one another. What may look like a low-priority issue on its own can become a critical weakness when linked to others, forming dangerous attack paths for adversaries. 
This relationship-driven view allows you to separate real threats from background noise, prioritize with confidence, and focus on the exposures that pose real risk to your business’s operations, revenue, and reputation. This is what exposure management is all about: building a security program that sees the whole picture, not just isolated pieces.&lt;/p&gt;&lt;p&gt;The &lt;strong&gt;Tenable One Open Connector&lt;/strong&gt; redefines how you manage data across your attack surface. By unifying your security data into a single source of truth, it gives your security team the visibility and control they need to see more, act faster, and work smarter. Here’s how:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Get a more complete view of risk&lt;/strong&gt;&lt;br&gt;The Tenable One Open Connector empowers you to bring more of your security data together into one unified, contextual view of cyber risk. With this more expansive visibility, you can perform a more holistic risk analysis and accurately prioritize to reduce critical exposures across your entire attack surface.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Unlock an open, flexible platform for your security stack&lt;/strong&gt;&lt;br&gt;A rigid, vendor-locked security stack hampers your team’s ability to assess cyber risk. At Tenable, we believe you should use the security tools that work best for your business, instead of having to make compromises driven by vendor restrictions. The Tenable One Open Connector gives you that freedom. As your priorities and tools evolve, the Tenable One Open Connector evolves with you, ensuring your heterogeneous toolset doesn’t hold your exposure management strategy back.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Act faster with automated, always-current data&lt;/strong&gt;&lt;br&gt;The Tenable One Open Connector helps you base your exposure management decisions on the latest, most complete data — without being limited to manual updates. 
If you rely only on manual uploads, your data will likely become outdated, impacting your ability to make accurate risk assessments. Continuous, automated insights empower your team to act faster, reduce risk more effectively, and confidently demonstrate security outcomes to your business.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Tailor your data mapping for deeper insights&lt;/strong&gt;&lt;br&gt;Instead of being locked into rigid, vendor-defined field mappings, the Tenable One Open Connector gives you complete control over data organization within Tenable One. This flexibility allows you to segment data in ways that best fit your needs, leading to more precise data organization and helping you conduct tailored analysis.&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;h2&gt;Tenable One Open Connector: How it works&lt;/h2&gt;&lt;p&gt;The Tenable One Open Connector is powerful yet simple, so you can get your security data into Tenable One in minutes.&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Automated uploads: &lt;/strong&gt;Fully automate the ingestion process by establishing a seamless connection between Tenable One and an S3 bucket in your cloud storage. As source files refresh, Tenable One automatically ingests new data for continuous, up-to-date visibility without manual intervention. In addition, you also have the option to manually upload files, such as CSV, Excel, or ZIP files.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Flexible data mapping: &lt;/strong&gt;Control exactly how the system organizes your data. 
Map file fields to Tenable One fields, combine multiple fields into one, or split a single field across several, so you have ample flexibility to structure and analyze your data precisely.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Automated data correlation: &lt;/strong&gt;Automatically deduplicate, correlate, and normalize all incoming data for accurate, consistent comparisons across your entire dataset.&lt;/li&gt;&lt;/ul&gt;&lt;h2&gt;See it in action&lt;/h2&gt;&lt;p&gt;Watch the Tenable One Open Connector guided demo to see just how easy it is to connect a new data source.&lt;br&gt;&amp;nbsp;&lt;/p&gt;&lt;div&gt;&lt;div class="sl-embed"&gt;&lt;/div&gt;&lt;/div&gt;&lt;h2&gt;Tenable One Open Connector FAQ&lt;/h2&gt;&lt;p&gt;&lt;strong&gt;1. What is the Tenable One Open Connector?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The Tenable One Open Connector is the newest addition to the Tenable One ecosystem, specifically designed to further break down data silos in your security stack. While Tenable One Connectors focus on pre-configured custom integrations with specific third-party products, the Open Connector allows you to capture and integrate data from previously out-of-reach sources — including internal systems, niche third-party tools, and spreadsheets — directly into Tenable One.&amp;nbsp;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;2. Why do I need the Tenable Open Connector?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Fragmented data creates massive blind spots, and attackers thrive in the shadows between those silos. Adversaries don’t view your environment as a collection of separate domains or disconnected tools. They see it as one interconnected map of assets. With data scattered among tens or even hundreds of siloed tools, you struggle to see the critical connections and lateral paths that an attacker would exploit to move through your environment. To stay ahead of today’s threats, especially those boosted by AI, you must adopt the attacker’s perspective. 
The Tenable One Open Connector gives you clarity to identify exposures and block attacks before they ever have a chance to start.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;3. What is the value of the Tenable One Open Connector?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The Tenable One Open Connector delivers comprehensive flexibility and visibility to your security operations. You can perform a more holistic risk analysis by unifying disparate data sources that were once impossible to correlate. Beyond just visibility, the connector offers flexible data mapping to segment and organize your information to fit your specific business needs, rather than getting locked in a rigid, pre-defined template. You also get true independence from vendor integration roadmaps, so you can use the tools that work for your business and integrate them into Tenable One on your own terms.&lt;/p&gt;&lt;p&gt;&lt;em&gt;Ready to break down even more data silos and achieve a truly unified view of risk? &lt;/em&gt;&lt;a href="https://www.tenable.com/products/tenable-one/evaluate"&gt;&lt;em&gt;&lt;strong&gt;Request a demo of Tenable One today&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt;.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/Tenable%20One%20deepens%20third-party%20integrations%20with%20new%20Open%20Connector%20for%20unified%20risk%20visibility.png"&gt;
</description>
  <pubDate>Thu, 21 May 2026 08:30:00 -0400</pubDate>
    <dc:creator>Nathan Dyer</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210921</guid>
    </item>
<item>
  <title>Implement agentic AI in cybersecurity with Tenable Hexa AI: Reduce cyber risk at machine speed</title>
  <link>https://www.tenable.com/blog/implement-agentic-ai-in-cybersecurity-to-reduce-risk-tenable-hexa-ai</link>
  <description>&lt;p&gt;As frontier AI models collapse the traditional exploit window, Tenable Hexa AI transforms the security operating model from manual triage to agentic orchestration. See how you can automate vulnerability remediation and super-charge exposure management with Tenable Hexa AI.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;&lt;strong&gt;Key takeaways&lt;/strong&gt;&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;AI models like Claude Mythos have reduced the time from vulnerability discovery to weaponization from weeks to minutes, making manual defense untenable.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Tenable Hexa AI serves as an agentic engine that orchestrates complex, multi-step remediation workflows across modern attack surfaces to accelerate the speed of preemptive security and propel your exposure management program.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Using the Model Context Protocol (MCP) included in Tenable Hexa AI, your team can build and deploy custom agents that anchor your preferred LLMs in the Tenable Exposure Data Fabric, ensuring every automated action is governed, auditable, and accurate.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;h2&gt;Why you need to implement agentic AI in cybersecurity (and specifically, in vulnerability management)&amp;nbsp;&lt;/h2&gt;&lt;img class="vidyard-player-embed" src="https://play.vidyard.com/JtcvXDEJZc2Gp4jzrAAh6W.jpg" width="100%" data-uuid="JtcvXDEJZc2Gp4jzrAAh6W" data-v="4" data-type="inline" height="100%" alt="Implement agentic AI in cybersecurity for vulnerability management with Tenable Hexa AI Eric Doerr" loading="lazy"&gt;&lt;p&gt;For most of my career in cybersecurity, we’ve operated on a fundamental, if unspoken, assumption: We had a grace period. Whenever a new vulnerability was discovered, we knew we had time, often weeks or months, before adversaries would begin exploiting it. The time between vulnerability discovery and exploitation gave us breathing room. 
It gave us time to patch, triage, and remediate.&lt;/p&gt;&lt;p&gt;But not any more. The gap between discovery and exploitation has been shrinking for years, and the vulnerability discovery capabilities demonstrated by frontier AI models like &lt;a href="https://www.tenable.com/blog/claude-mythos-prepare-for-AI-cybersecurity-questions-from-your-board-of-directors" target="_blank"&gt;Claude Mythos&lt;/a&gt; are narrowing it even more.&lt;/p&gt;&lt;p&gt;We have entered the era of AI speed. When an LLM can unearth a 27-year-old vulnerability in a hardened OS in minutes, and then weaponize it in seconds, old defensive cycles can’t keep up, and that’s untenable.&amp;nbsp;&lt;/p&gt;&lt;p&gt;This is why I’m so excited to announce the general availability of &lt;a href="https://www.tenable.com/products/tenable-one/capabilities/hexa-ai" target="_blank"&gt;Tenable Hexa AI&lt;/a&gt;, the agentic engine of the &lt;a href="https://www.tenable.com/products/tenable-one" target="_blank"&gt;Tenable One Exposure Management Platform&lt;/a&gt;, at &lt;a href="https://events.tenable.com/event/exposure2026/summary" target="_blank"&gt;EXPOSURE 2026&lt;/a&gt;: because it’s designed to help your organization address the escalating, AI-driven pace of vulnerability discovery.&lt;/p&gt;&lt;h2&gt;The agentic AI imperative in cybersecurity: Scale your preemptive defense to match machine speed with agentic innovation from Tenable&lt;/h2&gt;&lt;p&gt;Tenable Hexa AI is built to be a force multiplier &lt;em&gt;&lt;strong&gt;and&lt;/strong&gt;&lt;/em&gt; a flexible engine for innovation. 
Featuring a suite of built-in agents ready to automate assessment configuration, asset tagging, dashboard creation, ticket creation, and more, Tenable Hexa AI is designed to help your organization overcome the operational challenges deepened by adversarial AI use.&amp;nbsp;&lt;/p&gt;&lt;p&gt;When the window between discovery and exploitation hits near-zero, security teams locked in manual vulnerability management operating models are forced into a state of perpetual emergency. Manually stitching together context and telemetry from cloud, identity, OT, and vulnerability silos in an arduous effort to prioritize remediation for downstream IT and DevOps teams is a losing battle.&amp;nbsp;&lt;/p&gt;&lt;p&gt;And when you can’t provide clear, risk-based remediation priorities to IT and DevOps teams, you end up bombarding them with seemingly urgent tickets that may not in fact be critical to your organization. Constant shifts in remediation priorities and endless debates over what needs fixing and why are not sustainable. 
It creates friction and causes you to lose the cybersecurity race.&lt;/p&gt;&lt;p&gt;In a world where attackers move at machine speed, only comprehensive exposure intelligence combined with the agentic AI orchestration capabilities provided by the Tenable One Exposure Management Platform can give you clarity and control.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Tenable Hexa AI doesn’t just tell you where you are vulnerable; it mobilizes your preemptive defense.&lt;/p&gt;&lt;h2&gt;Capabilities of Tenable Hexa AI&lt;/h2&gt;&lt;p&gt;With this GA release, Tenable delivers foundational capabilities to help your organization accelerate the pace of vulnerability discovery and remediation, including:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Your choice of agents&lt;/strong&gt; - Use our pre-built, out-of-the-box agents to start reducing risk immediately, or use the Model Context Protocol (MCP) server built into Tenable Hexa AI to create custom agents tailored to your organization’s environment.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Advanced multi-step reasoning&lt;/strong&gt; - Tenable Hexa AI executes complex, end-to-end workflows spanning your attack surface (e.g., IT, cloud, identity, OT, etc.) in a single request, eliminating the need for practitioners to toggle between views to get exposure context. 
It understands that a CVE in your web app is a critical threat &lt;em&gt;specifically&lt;/em&gt; because it is linked to a privileged service account with a path to your sensitive data.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Automated remediation workflows&lt;/strong&gt; - Tenable Hexa AI orchestrates remediation workflows, automatically creating and routing tickets, generating custom policies, and producing audit-ready reports, so security teams can act fast on every critical exposure.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;End-to-end exposure path insights&lt;/strong&gt; - Practitioners can query their environment by identity attributes, such as service accounts, privileged users, and Active Directory groups, to surface exposure paths that traditional asset inventories miss. Tenable Hexa AI also provides guided assistance for complex Active Directory sensor configurations.&lt;/li&gt;&lt;/ul&gt;&lt;h2&gt;Build your own AI agents for cybersecurity with Tenable Hexa AI&lt;/h2&gt;&lt;p&gt;In addition to out-of-the-box agentic capabilities for use cases like automated assessment configuration, asset tagging, and ticket creation, customers can also build custom agents via Tenable Hexa AI’s built-in MCP that are informed by your organization’s unique security policies and internal business logic.&lt;/p&gt;&lt;p&gt;Tenable Hexa AI serves as the orchestration layer connecting your favorite AI tools to your infrastructure and other security tools, all with the data and context from the Tenable Exposure Data Fabric. By anchoring the models your organization uses in the authoritative context of your own environment, Tenable Hexa AI moves you beyond generic AI answers to governed and auditable automation. Whether you are automating complex remediation or generating board-ready dashboards, Tenable Hexa AI ensures the output is both verifiable and auditable.&lt;/p&gt;&lt;p&gt;The Tenable Exposure Data Fabric is key because an agent is only as effective as the data it has access to. 
Tenable Hexa AI is powered by the Tenable Exposure Data Fabric, a repository of 20 years of vulnerability research and the industry’s largest collection of contextualized exposure data. In other words, we’ve built an agentic engine for cybersecurity that uses the world’s best exposure data to drive machine-speed actions. This is the only way to ensure your AI is validating the real state of your environment, rather than just guessing.&lt;/p&gt;&lt;h2&gt;Real-world agentic AI use cases for Tenable Hexa AI&amp;nbsp;&lt;/h2&gt;&lt;p&gt;While there are virtually infinite ways to apply agentic orchestration to your unique cybersecurity challenges, here are four high-impact areas where manual workflows traditionally break down and make it impossible for you to keep pace with AI-powered vulnerability discovery:&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/crushing-axios-supply-chain-threat-tenable-hexa-ai-agentic-ai-use-cases" target="_blank"&gt;&lt;strong&gt;Supply chain response&lt;/strong&gt;&lt;/a&gt; - Neutralize third-party threats by using Tenable Hexa AI to correlate software components with affected internal assets.&lt;/li&gt;&lt;/ul&gt;&lt;img class="vidyard-player-embed align-left" src="https://play.vidyard.com/fUYTm82QtWQ78DtAGbr6VZ.jpg" alt="Use Tenable Hexa AI to identify all the assets in your environment that are vulnerable to the Axios npm supply chain attack agentic AI for cybersecurity" width="100%" height="100%" data-uuid="fUYTm82QtWQ78DtAGbr6VZ" data-v="4" data-type="inline" loading="lazy"&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/beating-the-mythos-clock-using-tenable-hexa-ai-custom-agents-for-automated-patching" target="_blank"&gt;&lt;strong&gt;Automated patching&lt;/strong&gt;&lt;/a&gt; - Use custom Hexa agents to beat the Mythos clock by orchestrating patches the moment a vulnerability is validated.&lt;/li&gt;&lt;/ul&gt;&lt;img class="vidyard-player-embed align-left" 
src="https://play.vidyard.com/vg72JcFkbP2yd1GKqKPkjT.jpg" alt="Use Tenable Hexa AI to automate patching agentic AI for cybersecurity" width="100%" height="100%" data-uuid="vg72JcFkbP2yd1GKqKPkjT" data-v="4" data-type="inline" loading="lazy"&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/vulnerability-remediation-match-cves-to-asset-owners-in-seconds-with-tenable" target="_blank"&gt;&lt;strong&gt;Remediation assignment&lt;/strong&gt;&lt;/a&gt; - Use Tenable Hexa AI to automatically match CVEs to asset owners in seconds and trigger immediate response workflows.&lt;/li&gt;&lt;/ul&gt;&lt;img class="vidyard-player-embed align-left" src="https://play.vidyard.com/ArGJpEU2oKAG7AmoLVjJ5b.jpg" alt="vulnerability remediation match CVEs to asset owners in seconds with Tenable Hexa AI" width="100%" height="100%" data-uuid="ArGJpEU2oKAG7AmoLVjJ5b" data-v="4" data-type="inline" loading="lazy"&gt;&lt;p&gt;These use cases demonstrate how Tenable Hexa AI can bridge the gap between exposure intelligence and action.&lt;/p&gt;&lt;h2&gt;Make the untenable Tenable&lt;/h2&gt;&lt;p&gt;The collapse of the exploit window is a wake-up call. It gives us the opportunity to change how we work. By shifting from manual triage to agentic orchestration, organizations are seeing a shift in productivity and how they prioritize and action exposure reduction.&lt;/p&gt;&lt;p&gt;While early design partners have already reclaimed days per month on foundational tasks like asset tagging, the value is not found solely in the hours saved, but rather, in the precision of the response. By automating the correlation between cloud, identity, AI, OT, and vulnerability data, Tenable One provides the clear, contextualized instructions that IT and DevOps teams need to act with confidence.&lt;/p&gt;&lt;p&gt;This eliminates the administrative friction and back-and-forth negotiation that often results in critical vulnerabilities going unaddressed. 
Reclaiming those days means your best people are no longer buried in spreadsheets; they are focused on high-impact strategy, architecture hardening, and preemptive defense.&lt;/p&gt;&lt;p&gt;Tenable Hexa AI is available today as part of the &lt;a href="https://www.tenable.com/products/tenable-one/pricing" target="_blank"&gt;Tenable One Foundation and Tenable One Advanced packages&lt;/a&gt;.&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/Blog%20Banner_1180x544.png"&gt;
</description>
  <pubDate>Wed, 20 May 2026 09:00:00 -0400</pubDate>
    <dc:creator>Eric Doerr</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210922</guid>
    </item>
<item>
  <title>Key findings from the Verizon DBIR 2026: Slower vulnerability remediation meets faster exploitation</title>
  <link>https://www.tenable.com/blog/key-findings-from-the-verizon-dbir-2026</link>
  <description>&lt;p&gt;&lt;strong&gt;The 2026 Verizon Data Breach Investigations Report (DBIR) reveals a troubling trend: vulnerability exploitation has surged to become the number one initial access vector while remediation rates have worsened.&lt;/strong&gt;&lt;/p&gt;&lt;h2&gt;Key takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;Vulnerability exploitation has surged to become the leading initial access vector for breaches, accounting for 31% of data breaches during the study period.&lt;/li&gt;&lt;li&gt;Security teams’ patching efforts are falling further behind, with the median time-to-patch growing by 11 days in the past year.&lt;/li&gt;&lt;li&gt;As AI-powered tools increase the speed and volume of vulnerability discovery and vulnerability exploitation, exposure management helps organizations keep up by continually assessing their attack surfaces, prioritizing risks, and orchestrating automated remediation of security weaknesses.&lt;/li&gt;&lt;/ol&gt;&lt;h2&gt;What is the Verizon DBIR report?&lt;/h2&gt;&lt;p&gt;Verizon’s annual &lt;a href="http://www.verizon.com/dbir"&gt;&lt;u&gt;Data Breach Investigations Report (DBIR)&lt;/u&gt;&lt;/a&gt; has helped organizations understand evolving cyber threats since its first release in 2008. For the 2026 edition, Tenable Research once again contributed enriched data on vulnerability exploitation and vulnerability remediation trends. This year’s findings paint a stark picture: Compared with last year, organizations are facing a significant increase in the volume of “must-patch” vulnerabilities from the &lt;a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog"&gt;&lt;u&gt;Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities&lt;/u&gt;&lt;/a&gt; (KEV) catalog.&lt;/p&gt;&lt;p&gt;The widening gap between vulnerability disclosure and remediation represents one of the most pressing challenges in cybersecurity today. 
Security teams are already overwhelmed, both by the rising number of vulnerabilities and the lack of time for &lt;a href="https://www.tenable.com/products/patch-management"&gt;&lt;u&gt;patch management&lt;/u&gt;&lt;/a&gt;. This reality underscores the critical need for comprehensive &lt;a href="https://www.tenable.com/exposure-management"&gt;&lt;u&gt;exposure management&lt;/u&gt;&lt;/a&gt;, a strategic, AI-driven approach to preemptive security designed to help organizations reduce cyber risk by continually assessing their attack surfaces, prioritizing risks, and orchestrating automated remediation of security weaknesses.&lt;/p&gt;&lt;h2&gt;Verizon DBIR 2026 overview and analysis&lt;/h2&gt;&lt;p&gt;The 2026 Verizon DBIR found that vulnerability exploitation is the top initial access vector, accounting for 31% of data breaches during the study period. Even more concerning is that the median time-to-patch has increased from 32 days to 43 days, a 34% increase. The picture is stark: The number of vulnerabilities continues to snowball, while organizations’ patching rates continue to fall behind.&lt;/p&gt;&lt;h3&gt;The CVE explosion continues — and AI will accelerate it&lt;/h3&gt;&lt;p&gt;The vulnerability landscape continues to see explosive growth as the &lt;a href="https://www.cve.org/about/overview"&gt;&lt;u&gt;CVE program&lt;/u&gt;&lt;/a&gt; currently reports more than 351,000 registered CVEs with more than &lt;a href="https://www.cve.org/About/Metrics"&gt;&lt;u&gt;21,500 already reserved in 2026&lt;/u&gt;&lt;/a&gt;. As we’re on track for another record number of CVEs, this flood of vulnerabilities creates an extremely difficult situation for security teams already stretched thin. With median time-to-patch increasing and exploitation timelines shrinking, attackers are winning the race between disclosure and remediation.&lt;/p&gt;&lt;p&gt;The situation may be poised to worsen dramatically. 
The cybersecurity community is increasingly concerned about &lt;a href="https://www.tenable.com/blog/why-the-approaching-flood-of-vulnerabilities-changes-everything-and-what-to-do-about-it"&gt;&lt;u&gt;AI-powered vulnerability discovery&lt;/u&gt;&lt;/a&gt; tools like Anthropic’s Claude &lt;a href="https://www.tenable.com/blog/claude-mythos-prepare-for-AI-cybersecurity-questions-from-your-board-of-directors"&gt;&lt;u&gt;Mythos&lt;/u&gt;&lt;/a&gt;, which can automatically identify security flaws in codebases at unprecedented speed and scale. While such tools hold promise for defensive security teams, they also represent a potential inflection point: if AI can discover vulnerabilities faster than organizations can patch them, the already immense patch burden could become truly unmanageable.&lt;/p&gt;&lt;p&gt;This AI-driven acceleration comes at the worst possible time. Organizations are already struggling to remediate vulnerabilities, with the Verizon data breach investigations report finding that organizations successfully remediate only 26% of KEV vulnerabilities. Adding to this concern, the DBIR points out that there has been a nearly 50% increase in the number of CISA KEV vulnerabilities to patch in 2025, putting even more pressure on security teams.&lt;/p&gt;&lt;p&gt;If AI models begin flooding the CVE database with newly discovered vulnerabilities, or worse, if attackers leverage these models to find and exploit zero-days before defenders can respond, the current remediation crisis is likely to escalate into a systemic failure of the traditional patch-based defense model.&lt;/p&gt;&lt;h2&gt;The exposure management imperative&lt;/h2&gt;&lt;p&gt;While vulnerability exploitation dominates headlines as the number one initial access vector, it represents only a slice of the exposure problem. 
The DBIR notably highlights &lt;a href="https://www.tenable.com/blog/how-identity-plays-a-part-in-5-stages-of-a-cyber-attack"&gt;&lt;u&gt;credential abuse&lt;/u&gt;&lt;/a&gt; as another significant threat vector, underscoring that vulnerabilities don’t exist in isolation. Stolen credentials can transform a moderate-severity vulnerability into a critical breach pathway, while exposed configurations can provide attackers with the access needed to exploit unpatched systems.&lt;/p&gt;&lt;p&gt;This interconnected nature of exposures highlights why more and more organizations are adopting comprehensive &lt;a href="https://www.tenable.com/exposure-management/resource-center"&gt;&lt;u&gt;exposure management&lt;/u&gt;&lt;/a&gt;. Understanding and addressing the full attack surface, including identity risks, misconfigurations, excessive permissions, and vulnerable assets, is essential to reducing breach risk in today’s threat landscape.&lt;/p&gt;&lt;p&gt;The emergence of AI-powered vulnerability discovery makes exposure management absolutely essential. As AI tools accelerate vulnerability identification, organizations cannot simply try to patch more vulnerabilities faster. Instead, they must focus on understanding and remediating the vulnerabilities that matter most in the context of their specific environment. A newly discovered vulnerability on an isolated system with no credentials exposed and strong access controls poses far less risk than an older CVE on an internet-facing asset with weak authentication. 
The &lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;u&gt;Tenable One Exposure Management Platform&lt;/u&gt;&lt;/a&gt; provides both the contextual framework needed to make these critical prioritization decisions and the &lt;a href="https://www.tenable.com/products/tenable-one/capabilities/hexa-ai"&gt;&lt;u&gt;agentic orchestration engine&lt;/u&gt;&lt;/a&gt; required to accelerate remediation in an era of AI-accelerated vulnerability discovery.&lt;/p&gt;&lt;h2&gt;Notable data insights from the DBIR reporting period&lt;/h2&gt;&lt;p&gt;As Tenable Research examined the trends in the data, our team decided to distill the CVEs into product categories and compare which categories saw the largest percentage of unremediated assets. For our analysis, we focused on KEV CVEs as these are vulnerabilities known to have been exploited and in attackers’ crosshairs.&lt;/p&gt;&lt;p&gt;As you can see in the figure below, vulnerabilities affecting development tools saw the highest rate of unremediated assets, followed by virtualization/hypervisor flaws and remote monitoring and management (RMM) flaws. While the remediation process across these product categories can vary, the overall trend of nearly all of the product categories having an above 50% unremediated rate demonstrates that organizations are still struggling with vulnerability remediation.&lt;/p&gt;&lt;img src="https://www.tenable.com/sites/default/files/images/blog/c7b5881a-387a-4906-a487-64a1a29daed9.png" alt="An infographic summarizing the average percentage of unremediated assets and how organizations still struggle with vulnerability remediation today." 
width="1622" height="1002" referrerpolicy="no-referrer" title="Chart" loading="lazy"&gt;&lt;p&gt;Similarly, we looked at the average number of days that assets remained unremediated while comparing that to the number of CVEs affecting that category during the DBIR reporting period.&lt;/p&gt;&lt;img src="https://www.tenable.com/sites/default/files/images/blog/fa35f7a1-4439-47ac-9c27-9e5bbb0eff44.png" alt="A Tenable infographic summarizing the average number of days of unremediated assets compared to CVE count." width="1670" height="1032" referrerpolicy="no-referrer" title="Chart" loading="lazy"&gt;&lt;p&gt;Tenable analysis of the data reinforces the stark reality highlighted in the Verizon DBIR: Organizations are taking longer to patch known and exploited vulnerabilities while facing a rapid increase in the number of vulnerabilities that require immediate attention.&lt;/p&gt;&lt;h2&gt;DBIR findings&lt;/h2&gt;&lt;p&gt;The 2026 DBIR findings are sobering but not surprising to those on the front lines of cybersecurity. The data confirms what many security teams experience daily: The patch burden is growing faster than organizations’ ability to respond. 
With vulnerability exploitation now the top initial access vector and median time-to-patch continuing to climb, the gap between attacker speed and defender response continues to widen.&lt;/p&gt;&lt;p&gt;Organizations must adopt an exposure-centric approach that considers not just the presence of vulnerabilities, but the full risk context of their environment:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Which assets are exposed?&lt;/li&gt;&lt;li&gt;Who has access?&lt;/li&gt;&lt;li&gt;Which credentials are compromised?&lt;/li&gt;&lt;li&gt;Which exposure combinations create the most dangerous attack paths?&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;In an era where AI is discovering vulnerabilities faster than humans can patch them, understanding which exposures truly matter represents the only sustainable path forward.&lt;/p&gt;&lt;p&gt;The 2026 DBIR, enriched with Tenable Research’s data, provides valuable insights into today’s threat landscape. Tenable encourages security professionals to read the full &lt;a href="http://www.verizon.com/dbir"&gt;&lt;u&gt;Verizon DBIR&lt;/u&gt;&lt;/a&gt; to understand current attack trends and use these findings to inform their exposure management strategies. The crisis documented in this report signals that the traditional vulnerability-centric model needs a fundamental evolution toward comprehensive, AI-driven exposure management.&lt;/p&gt;&lt;h2&gt;Identifying affected systems&lt;/h2&gt;&lt;p&gt;Tenable provides comprehensive detection coverage for CISA’s KEV catalog, with &lt;a href="https://www.tenable.com/blog/study-tenable-offers-fastest-broadest-coverage-of-cisas-kev-catalog"&gt;&lt;u&gt;detection capabilities deployed rapidly&lt;/u&gt;&lt;/a&gt; following vulnerability disclosure. This coverage spans diverse asset categories, enabling comprehensive visibility into actively exploited vulnerabilities across your environments. 
CVEs on the KEV catalog will have a tag on the individual &lt;a href="https://www.tenable.com/cve"&gt;&lt;u&gt;CVE pages&lt;/u&gt;&lt;/a&gt;, and you can browse our upcoming plugins on our &lt;a href="https://www.tenable.com/plugins/pipeline"&gt;&lt;u&gt;Plugins Pipeline&lt;/u&gt;&lt;/a&gt; page.&lt;/p&gt;&lt;h3&gt;Get more information&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.verizon.com/dbir"&gt;&lt;u&gt;Verizon 2026 Data Breach Investigations Report (DBIR)&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Join &lt;/strong&gt;&lt;/em&gt;&lt;a href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable's Research Special Operations (RSO) Team&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt; on Tenable Connect for further discussions on the latest cyber threats.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Learn more about &lt;/strong&gt;&lt;/em&gt;&lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable One&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt;, the Exposure Management Platform for the modern attack surface.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/DBIR_2.png"&gt;
</description>
  <pubDate>Tue, 19 May 2026 09:17:00 -0400</pubDate>
    <dc:creator>Scott Caveza</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210924</guid>
    </item>
<item>
  <title>Frequently asked questions about the continued exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182)</title>
  <link>https://www.tenable.com/blog/faq-about-the-continued-exploitation-of-cisco-catalyst-sd-wan-vulnerabilities-uat-8616</link>
  <description>&lt;p&gt;&lt;strong&gt;Multiple critical authentication bypass vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager are under active exploitation by multiple threat clusters, including CVE-2026-20182, which has been exploited as a zero-day by a sophisticated threat actor.&lt;/strong&gt;&lt;/p&gt;&lt;h2&gt;Key Takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;CVE-2026-20182 is a critical (CVSSv3 10.0) authentication bypass in Cisco Catalyst SD-WAN Controller and Manager disclosed on May 14 with confirmed active exploitation.&lt;/li&gt;&lt;li&gt;A sophisticated threat actor designated UAT-8616 has exploited Cisco SD-WAN vulnerabilities since at least 2023, and 10 additional threat clusters began exploitation of multiple vulnerabilities in SD-WAN after public proof-of-concept code became available.&lt;/li&gt;&lt;li&gt;Patches are available for all supported Cisco Catalyst SD-WAN releases and CISA has mandated remediation by May 17 under Emergency Directive 26-03.&lt;/li&gt;&lt;/ol&gt;&lt;h2&gt;Background&lt;/h2&gt;&lt;p&gt;Tenable's Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding the ongoing exploitation of multiple vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager.&lt;/p&gt;&lt;h2&gt;FAQ&lt;/h2&gt;&lt;p&gt;&lt;strong&gt;When were these Cisco SD-WAN vulnerabilities first disclosed?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;On February 25, 2026, Cisco published an advisory for &lt;a href="https://www.tenable.com/cve/CVE-2026-20127"&gt;&lt;u&gt;CVE-2026-20127&lt;/u&gt;&lt;/a&gt;, a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager that was already being exploited in the wild at the time of disclosure. 
Alongside that advisory, Cisco also released patches for three additional vulnerabilities in SD-WAN Manager: &lt;a href="https://www.tenable.com/cve/CVE-2026-20133"&gt;&lt;u&gt;CVE-2026-20133&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://www.tenable.com/cve/CVE-2026-20128"&gt;&lt;u&gt;CVE-2026-20128&lt;/u&gt;&lt;/a&gt;, and &lt;a href="https://www.tenable.com/cve/CVE-2026-20122"&gt;&lt;u&gt;CVE-2026-20122&lt;/u&gt;&lt;/a&gt;. The security advisory for these CVEs (&lt;a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v"&gt;&lt;u&gt;cisco-sa-sdwan-authbp-qwCX8D4v&lt;/u&gt;&lt;/a&gt;) was updated in March to confirm exploitation of CVE-2026-20128 and CVE-2026-20122 and then again in April to confirm that CVE-2026-20133 had also been exploited.&lt;/p&gt;&lt;p&gt;On May 14, 2026, Cisco published a &lt;a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW"&gt;&lt;u&gt;new advisory (cisco-sa-sdwan-rpa2-v69WY2SW)&lt;/u&gt;&lt;/a&gt; for &lt;a href="https://www.tenable.com/cve/CVE-2026-20182"&gt;&lt;u&gt;CVE-2026-20182&lt;/u&gt;&lt;/a&gt;, a separate critical authentication bypass vulnerability that was discovered during the investigation into the earlier exploitation. 
This vulnerability is also under active exploitation.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What are the vulnerabilities associated with the Cisco SD-WAN exploitation?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;There are five CVEs associated with this ongoing campaign, plus one older vulnerability used for post-compromise privilege escalation:&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;CVE&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Description&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;CVSSv3&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Cisco Advisory&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2026-20182"&gt;&lt;u&gt;CVE-2026-20182&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability&lt;/td&gt;&lt;td&gt;10.0&lt;/td&gt;&lt;td&gt;&lt;a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW"&gt;&lt;u&gt;cisco-sa-sdwan-rpa2-v69WY2SW&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2026-20127"&gt;&lt;u&gt;CVE-2026-20127&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability&lt;/td&gt;&lt;td&gt;10.0&lt;/td&gt;&lt;td&gt;&lt;a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk"&gt;&lt;u&gt;cisco-sa-sdwan-rpa-EHchtZk&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2026-20133"&gt;&lt;u&gt;CVE-2026-20133&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability&lt;/td&gt;&lt;td&gt;7.5&lt;/td&gt;&lt;td&gt;&lt;a 
href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v"&gt;&lt;u&gt;cisco-sa-sdwan-authbp-qwCX8D4v&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2026-20128"&gt;&lt;u&gt;CVE-2026-20128&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Manager Credential Access Vulnerability&lt;/td&gt;&lt;td&gt;7.5&lt;/td&gt;&lt;td&gt;&lt;a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v"&gt;&lt;u&gt;cisco-sa-sdwan-authbp-qwCX8D4v&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2026-20122"&gt;&lt;u&gt;CVE-2026-20122&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Manager Arbitrary File Overwrite Vulnerability&lt;/td&gt;&lt;td&gt;5.4&lt;/td&gt;&lt;td&gt;&lt;a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v"&gt;&lt;u&gt;cisco-sa-sdwan-authbp-qwCX8D4v&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2022-20775"&gt;&lt;u&gt;CVE-2022-20775&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Cisco SD-WAN CLI Path Traversal Privilege Escalation Vulnerability&lt;/td&gt;&lt;td&gt;7.8&lt;/td&gt;&lt;td&gt;&lt;a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-priv-E6e8tEdF"&gt;&lt;u&gt;cisco-sa-sd-wan-priv-E6e8tEdF&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;Both CVE-2026-20182 and CVE-2026-20127 are critical-severity flaws that enable remote, unauthenticated access to administrative functions due to broken peering authentication logic. 
CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122, when chained together, allow a remote unauthenticated attacker to gain access to the SD-WAN Manager.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What products are affected?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The following table lists the CVEs and affected devices. None of these vulnerabilities require specific device configurations to be exploitable, and all deployment models are affected:&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;CVE&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Affected Device(s)&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;CVE-2026-20182&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;CVE-2026-20127&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;CVE-2026-20133&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Manager&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;CVE-2026-20128&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Manager&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;CVE-2026-20122&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Manager&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;CVE-2022-20775&lt;/td&gt;&lt;td&gt;Cisco SD-WAN Software:&lt;br&gt;- SD-WAN vBond Orchestrator Software&lt;br&gt;- SD-WAN vEdge Cloud Routers&lt;br&gt;- SD-WAN vEdge Routers&lt;br&gt;- SD-WAN vManage Software&lt;br&gt;- SD-WAN vSmart Controller Software&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;How severe is the exploitation?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Successful exploitation of CVE-2026-20182 or CVE-2026-20127 provides access to a privileged (but non-root) internal account on the SD-WAN Controller. That access opens NETCONF, giving the attacker the ability to alter network configuration across the entire SD-WAN fabric. 
In observed attacks, the threat actor UAT-8616 then leveraged CVE-2022-20775 via a software version downgrade technique to escalate privileges to root.&lt;/p&gt;&lt;p&gt;Post-compromise activities observed by Cisco Talos include SSH key injection, NETCONF configuration manipulation, malicious account creation, and extensive log clearing to cover tracks.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Who is UAT-8616?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;UAT-8616 is a designation assigned by Cisco Talos to a “highly sophisticated cyber threat actor” that has been exploiting Cisco SD-WAN infrastructure since at least 2023. According to &lt;a href="https://blog.talosintelligence.com/uat-8616-sd-wan/"&gt;&lt;u&gt;Cisco Talos&lt;/u&gt;&lt;/a&gt;, UAT-8616 targets critical infrastructure sectors and its infrastructure overlaps with monitored Operational Relay Box (ORB) networks.&lt;/p&gt;&lt;p&gt;UAT-8616 exploits CVE-2026-20182 and CVE-2026-20127 for initial access, then, in the case of CVE-2026-20127 exploitation, performs software version downgrades to expose CVE-2022-20775 for root privilege escalation. After achieving root access, the actor restores the original software version to conceal the exploitation path. Additional persistence techniques include injecting SSH keys into authorized_keys files, enabling PermitRootLogin in the SSH daemon configuration, and clearing forensic evidence from syslog, wtmp, lastlog, bash_history and cli-history files.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Are there other threat actors exploiting these vulnerabilities?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Yes. Cisco Talos has identified &lt;a href="https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/"&gt;&lt;u&gt;10 additional threat clusters&lt;/u&gt;&lt;/a&gt; that are distinct from UAT-8616. These clusters have been exploiting the CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 chain since early March 2026, following the publication of proof-of-concept code by ZeroZenX Labs. 
The tools deployed by these clusters range from webshells (Godzilla, Behinder, XenShell) and red team frameworks (AdaptixC2, Sliver) to cryptocurrency miners (XMRig) and credential stealers targeting admin hashes, JWT tokens and AWS credentials.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Are proofs-of-concept (PoCs) available?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Yes. ZeroZenX Labs published proof-of-concept code for the CVE-2026-20133, CVE-2026-20128, CVE-2026-20122 exploit chain in March 2026. This PoC release directly correlated with the surge in exploitation activity across multiple threat clusters. The availability of public PoC code highlights the risk to any exposed SD-WAN infrastructure that remains unpatched.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What actions has CISA taken?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;CISA has taken multiple actions in response to the Cisco SD-WAN exploitation campaign:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;February 25, 2026:&lt;/strong&gt; Added CVE-2026-20127 and CVE-2022-20775 to the Known Exploited Vulnerabilities (KEV) catalog&lt;/li&gt;&lt;li&gt;&lt;strong&gt;April 20, 2026:&lt;/strong&gt; Added CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 to the KEV catalog&lt;/li&gt;&lt;li&gt;&lt;strong&gt;May 14, 2026:&lt;/strong&gt; Added CVE-2026-20182 to the KEV catalog with an action deadline of May 17, 2026&lt;/li&gt;&lt;li&gt;&lt;strong&gt;May 14, 2026:&lt;/strong&gt; Issued Emergency Directive 26-03 and published Hunt &amp;amp; Hardening Guidance for Cisco SD-WAN Devices&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;All five CVEs in this campaign are now in CISA's KEV catalog.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Are patches available?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Cisco has released patches for each of the vulnerabilities discussed in this blog. 
We recommend reviewing the security advisories issued by Cisco for each CVE to identify the patched release and any considerations that apply to installing the patches successfully.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Are there indicators of compromise (IoCs)?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Cisco has published detailed IoC information across its advisories and Talos blog posts. The indicators include:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Log evidence:&lt;/strong&gt; Check /var/log/auth.log for "Accepted publickey for vmanage-admin" entries from unknown or unauthorized IP addresses&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Control connection anomalies:&lt;/strong&gt; Run show control connections detail or show control connections-history detail and look for connections with state:up and challenge-ack: 0, which may indicate unauthorized peering&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Post-compromise artifacts:&lt;/strong&gt; Unauthorized SSH keys in /home/vmanage-admin/.ssh/authorized_keys, PermitRootLogin enabled in /etc/ssh/sshd_config, and unexplained software downgrades followed by reboots&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Full IoC lists, including C2 server IPs, malware file hashes, and attacker source IPs, are available in the &lt;a href="https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/"&gt;&lt;u&gt;Cisco Talos blog&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Has Tenable Research classified these vulnerabilities as part of Vulnerability Watch?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Yes. CVE-2026-20182, CVE-2026-20127, CVE-2026-20128, and CVE-2026-20122 have been classified as Vulnerabilities of Interest under &lt;a href="https://www.tenable.com/blog/reducing-remediation-time-remains-a-challenge-how-tenable-vulnerability-watch-can-help"&gt;&lt;u&gt;Vulnerability Watch&lt;/u&gt;&lt;/a&gt; due to confirmed active exploitation and the availability of public proof-of-concept code. 
Tenable has been tracking this cluster of vulnerabilities since the original disclosure in February 2026, with watches re-established as exploitation escalated in March and again in May 2026 when CVE-2026-20182 was disclosed.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Has Tenable released product coverage?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for &lt;a href="https://www.tenable.com/cve/CVE-2026-20182/plugins"&gt;&lt;u&gt;CVE-2026-20182&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://www.tenable.com/cve/CVE-2026-20127/plugins"&gt;&lt;u&gt;CVE-2026-20127&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://www.tenable.com/cve/CVE-2026-20133/plugins"&gt;&lt;u&gt;CVE-2026-20133&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://www.tenable.com/cve/CVE-2026-20128/plugins"&gt;&lt;u&gt;CVE-2026-20128&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://www.tenable.com/cve/CVE-2026-20122/plugins"&gt;&lt;u&gt;CVE-2026-20122&lt;/u&gt;&lt;/a&gt;, and &lt;a href="https://www.tenable.com/cve/CVE-2022-20775/plugins"&gt;&lt;u&gt;CVE-2022-20775&lt;/u&gt;&lt;/a&gt;. 
These links will display all available plugins for these vulnerabilities, including upcoming plugins in our &lt;a href="https://www.tenable.com/plugins/pipeline"&gt;&lt;u&gt;Plugins Pipeline&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;Additionally, customers can use Tenable Attack Surface Management to identify public-facing assets running Cisco Catalyst SD-WAN by using the following query: Document Title contains Cisco Catalyst SD-WAN.&lt;/p&gt;&lt;img src="https://www.tenable.com/sites/default/files/images/blog/92a9132d-d6c0-4f3f-9667-effdf96f1d65.png" alt="A screenshot of Tenable Attack Surface Management showing a query for Cisco Catalyst SD-WAN devices" width="2048" height="790" referrerpolicy="no-referrer" loading="lazy"&gt;&lt;h3&gt;Get more information&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW"&gt;&lt;u&gt;Cisco Security Advisory: cisco-sa-sdwan-rpa2-v69WY2SW&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/"&gt;&lt;u&gt;Cisco Talos: SD-WAN Ongoing Exploitation&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://blog.talosintelligence.com/uat-8616-sd-wan/"&gt;&lt;u&gt;Cisco Talos: UAT-8616 SD-WAN Campaign&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;Tenable blog: &lt;a href="https://www.tenable.com/blog/cve-2026-20127-cisco-catalyst-sd-wan-controllermanager-zero-day-authentication-bypass"&gt;&lt;u&gt;CVE-2026-20127: Cisco Catalyst SD-WAN Controller/Manager Zero-Day Authentication Bypass Vulnerability Exploited in the Wild&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Join&lt;/strong&gt; &lt;a href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch"&gt;&lt;strong&gt;&lt;u&gt;Tenable's Research Special Operations (RSO) Team&lt;/u&gt;&lt;/strong&gt;&lt;/a&gt; &lt;strong&gt;on Tenable Connect for further discussions on the latest 
cyber threats.&lt;/strong&gt;&lt;br&gt;&lt;strong&gt;Learn more about&lt;/strong&gt; &lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;strong&gt;&lt;u&gt;Tenable One&lt;/u&gt;&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;, the Exposure Management Platform for the modern attack surface.&lt;/strong&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/cve-2026-20182-cisco-sd-wan%20uat-8616-faq.png"&gt;
</description>
  <pubDate>Thu, 14 May 2026 21:05:46 -0400</pubDate>
    <dc:creator>Research Special Operations</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210920</guid>
    </item>

  </channel>
</rss>
