Cyber Roundup — Week of May 18
Table of contents
- 1. LiteSpeed: CVE-2026-48172 cPanel plugin flaw grants any user instant root access
- 2. Drupal: CVE-2026-9082 SQL injection attacked 6,000 sites in 48 hours
- 3. Europol: First VPN takedown exposes 5,000 criminal accounts to law enforcement
- 4. npm: 700+ packages mass-compromised through automated credential theft
- 5. CISA: Eight new exploited flaws added to KEV with compressed federal deadlines
- The pattern across all five stories
Here are the main stories you missed last week.
1. LiteSpeed: CVE-2026-48172 cPanel plugin flaw grants any user instant root access
The headline: CVE-2026-48172, a maximum-severity vulnerability in LiteSpeed’s User-End cPanel Plugin that is now under active exploitation, allows any authenticated cPanel user to execute arbitrary scripts with root privileges. The flaw affects plugin versions 2.3 through 2.4.4 and stems from incorrect privilege assignment in the lsws.redisAble function. LiteSpeed patched the vulnerability on May 21, but cPanel forced a fleet-wide emergency uninstall five hours before the scheduled fix.
What we’re actually watching: Shared hosting just became a single point of total failure. Any low-privilege tenant account can now compromise the entire server — and most hosting providers don’t know which customers have active sessions.
The vulnerability requires no complex exploitation. A single malformed API call with the right parameter values escalates any cPanel user to root. There’s no race condition to win, no authentication bypass needed — just one HTTP request to an endpoint that every logged-in cPanel user can access by default. On shared hosting environments where hundreds of customers hold valid cPanel sessions simultaneously, this creates mass exposure where any compromised tenant account becomes a server-wide compromise.
Hosting provider detection capabilities lag behind the threat timeline. The vulnerability was disclosed May 22, actively exploited by May 23, and affects millions of servers globally. Most hosting providers rely on automated vulnerability scanning that operates on weekly or monthly cycles, not the hours-to-days timeline that critical web application vulnerabilities now require. CybelAngel detects exposed cPanel installations across customer attack surfaces and correlates them with active exploit campaigns.
Emergency response exceeded normal patch management timelines. cPanel forced a fleet-wide uninstall five hours before LiteSpeed’s scheduled security release window, breaking normal coordinated disclosure practices. This suggests either confirmed mass exploitation or intelligence about impending automated attacks. The accelerated timeline indicates that standard “patch within 30 days” policies are insufficient when vulnerabilities enable instant privilege escalation on multi-tenant infrastructure, a pattern we’ve seen across critical infrastructure vulnerabilities affecting shared systems.
The CISO question: Do you have an inventory of every cPanel installation your organization operates, manages, or depends on — including hosting providers, development servers, and subsidiary environments — and can you verify their patch status within hours of a critical disclosure?
2. Drupal: CVE-2026-9082 SQL injection attacked 6,000 sites in 48 hours
The headline: CVE-2026-9082, a SQL injection vulnerability in Drupal Core’s database abstraction API, was actively exploited within 48 hours of the May 20 security patch. Imperva detected over 15,000 attack attempts targeting 6,000 sites across 65 countries, with gaming and financial services sites comprising 50% of targets. The flaw affects all supported Drupal versions using PostgreSQL databases and allows unauthenticated attackers to execute arbitrary SQL commands.
What we’re actually watching: The window between disclosure and mass exploitation shrank to hours. PostgreSQL-backed Drupal sites became targets faster than most organizations can deploy emergency patches.
Attack automation moved from proof-of-concept to mass scanning within 48 hours. Drupal published patches on May 20 with a public service announcement warning that exploitation could occur “within hours or days.” Security researchers published detection proof-of-concepts the same day, and the patch diff became publicly available within hours. Attackers automated the vulnerability into scanning tools faster than most enterprise change management processes could deploy the fix.
Target selection reveals monetization priorities. Almost 50% of the 15,000 attacks targeted gaming and financial services websites — sectors where credential theft and financial data access have immediate value. This targeting pattern indicates organized threat actors rather than opportunistic script kiddies, suggesting the vulnerability was integrated into professional attack infrastructure designed for specific revenue streams.
Unauthenticated attack vectors eliminate defensive depth. CVE-2026-9082 requires no authentication, making traditional perimeter controls and user access management ineffective. The vulnerability exists in Drupal’s core database API, bypassing application-level security controls and enabling direct database manipulation. Organizations that segment database access or restrict administrative functions cannot prevent exploitation since the vulnerability operates at the framework level.
The CISO question: For your public-facing web applications, can you deploy critical security patches within hours of disclosure, or does your change management process assume you have days or weeks to respond to unauthenticated remote code execution vulnerabilities?
3. Europol: First VPN takedown exposes 5,000 criminal accounts to law enforcement
The headline: Operation Saffron on May 19-20 dismantled First VPN, a criminal anonymization service used by at least 25 ransomware groups including Avaddon. The coordinated operation across seven countries seized 33 servers in 27 countries, arrested a Ukrainian administrator, and provided law enforcement with the complete user database of more than 5,000 criminal accounts. The FBI confirmed the service was used for network reconnaissance, intrusions, and command-and-control infrastructure since 2014.
What we’re actually watching: Law enforcement shifted from pursuing individual attackers to dismantling the shared infrastructure that makes ransomware operations viable at scale. The seizure of user databases means ongoing investigations can now track previously anonymous threat actors.
Criminal infrastructure consolidation created single points of failure. First VPN appeared in “almost every major cybercrime investigation” supported by Europol in recent years, demonstrating how ransomware groups rely on shared services rather than developing independent infrastructure. This consolidation makes law enforcement disruption more effective — taking down one service impacts dozens of criminal operations simultaneously rather than requiring individual pursuit of each group.
User database seizure enables retroactive attribution. The complete user database includes subscription records, payment information, and traffic logs that link previously anonymous ransomware campaigns to specific accounts. This retroactive attribution allows investigators to connect attacks spanning multiple years to individual operators, creating prosecution opportunities that didn’t exist when the original crimes occurred.
The operation timeline shows coordinated international response capabilities. Operation Saffron executed across seven countries over two days, with synchronized server seizures in 27 countries. This level of coordination indicates mature law enforcement cooperation mechanisms that can respond faster than criminal organizations can adapt their infrastructure. Previous takedowns required months of coordination; this operation compressed execution into 48 hours.
The CISO question: Does your threat intelligence program track which anonymization services and bulletproof hosting providers are used in attacks against your industry, and do you collaborate with law enforcement when you identify criminal infrastructure that multiple organizations are facing?
4. npm: 700+ packages mass-compromised through automated credential theft
The headline: Over 700 npm package versions were compromised on May 22-23 through automated mass tagging and republishing, with many versions appearing only seconds apart. The speed of the updates points to automation rather than manual compromise, and suggests the attackers obtained organization-level credentials, repository automation, or release infrastructure access.
What we’re actually watching: Supply chain attacks scaled to industrial levels through automation. Instead of targeting individual packages, attackers compromised credential management or CI/CD infrastructure to manipulate hundreds of packages simultaneously.
Automated credential harvesting enables mass-scale package compromise. The attack pattern — 700+ packages updated within seconds of each other — indicates automated systems rather than manual exploitation. This suggests attackers compromised either organization-level npm credentials, GitHub automation tokens, or CI/CD pipeline secrets that could programmatically publish package updates at scale. Traditional package security focused on individual maintainer compromise cannot address infrastructure-level attacks.
Package ecosystem trust models break down under automation. npm’s trust model assumes human maintainers making deliberate publishing decisions, but automated attacks can manipulate dozens of packages faster than manual review processes can detect suspicious activity. The rapid succession of updates — “many versions appearing only seconds apart” — would trigger automated publishing workflows but bypass human oversight that might detect malicious changes.
Supply chain attack vectors now target development infrastructure rather than just code. The likely compromise method, organization-level credentials or repository automation, indicates attackers are focusing on development infrastructure rather than convincing maintainers to include malicious code. This shift means traditional code review and dependency scanning may miss attacks that manipulate the publishing process rather than the package contents. Similar patterns appear when attackers target monitoring and development platforms that have privileged access to multiple systems.
The CISO question: For your organization’s software development pipeline, do you have monitoring and alerting for mass package updates, unusual publishing patterns, or automated credential usage that might indicate compromised development infrastructure rather than individual developer accounts?
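One way to monitor for the publishing pattern described above, as an added example that is not code from the original article or from npm: it groups version publishes into runs separated by at most a short gap and reports runs that touch many packages in seconds. The row shape (name, version, ISO-8601 publish time, mirroring a packument’s ``time`` map) and the window/threshold defaults are assumptions.

```python
"""Flag bursts of npm version publishes that look automated rather than human-paced.
Added example, not code from the original article or from npm; the row shape
(name, version, ISO-8601 publish time, as in a packument's ``time`` map) and the
window/threshold defaults are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: one ordinary release, then six versions across six packages seconds apart.
SAMPLE_PUBLISHES = [
    {"name": "@acme/core", "version": "2.4.0", "time": "2026-05-20T14:02:11.000Z"},
    {"name": "@acme/core", "version": "2.4.1", "time": "2026-05-23T03:10:01.000Z"},
    {"name": "@acme/ui", "version": "1.9.4", "time": "2026-05-23T03:10:04.000Z"},
    {"name": "@acme/cli", "version": "0.8.2", "time": "2026-05-23T03:10:07.000Z"},
    {"name": "@acme/utils", "version": "3.1.1", "time": "2026-05-23T03:10:09.000Z"},
    {"name": "@acme/auth", "version": "5.0.3", "time": "2026-05-23T03:10:12.000Z"},
    {"name": "@acme/db", "version": "4.2.8", "time": "2026-05-23T03:10:15.000Z"},
]

@dataclass(frozen=True)
class Burst:
    start: datetime
    end: datetime
    versions: tuple[str, ...]  # "name@version" in publish order
    packages: int              # distinct package names touched by the burst

def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def _to_burst(run: list[dict]) -> Burst:
    return Burst(_parse(run[0]["time"]), _parse(run[-1]["time"]),
                 tuple(f'{p["name"]}@{p["version"]}' for p in run),
                 len({p["name"] for p in run}))

def find_publish_bursts(publishes, window_s: int = 60, min_versions: int = 4) -> list[Burst]:
    """Maximal runs of publishes each within window_s of the previous one, holding
    at least min_versions versions; a longer gap ends the run."""
    events = sorted(publishes, key=lambda p: _parse(p["time"]))
    bursts, run = [], []
    for ev in events:
        if run and (_parse(ev["time"]) - _parse(run[-1]["time"])).total_seconds() > window_s:
            if len(run) >= min_versions:
                bursts.append(_to_burst(run))
            run = []
        run.append(ev)
    if len(run) >= min_versions:  # flush the trailing run
        bursts.append(_to_burst(run))
    return bursts
```

Feed it the publish history of your own scopes or of the dependencies you pin; a burst whose `packages` count approaches its version count is the signature of a single leaked token driving many repositories.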
5. CISA: Eight new exploited flaws added to KEV with compressed federal deadlines
The headline: CISA added eight vulnerabilities to the Known Exploited Vulnerabilities catalog this week, including three Cisco Catalyst SD-WAN Manager flaws and vulnerabilities in PaperCut, JetBrains TeamCity, Kentico Xperience, and Quest KACE. Federal agencies face remediation deadlines of April 23 and May 4, creating compressed timelines for patching actively exploited vulnerabilities.
What we’re actually watching: Federal vulnerability response timelines compressed to weeks rather than months. CISA’s accelerated KEV additions indicate that exploitation patterns are moving faster than traditional quarterly patch cycles.
Active exploitation confirmation drives immediate federal action. The eight vulnerabilities added to KEV all show evidence of active exploitation in the wild, meaning threat actors are currently using these flaws to compromise systems. CISA’s decision to mandate federal remediation within days rather than the standard 30-day timeline suggests either confirmed attacks against government systems or intelligence indicating imminent targeting.
Enterprise infrastructure vulnerabilities dominate the KEV additions. The affected products — Cisco SD-WAN Manager, PaperCut print management, JetBrains TeamCity, Quest KACE systems management — represent core enterprise infrastructure rather than end-user applications. This pattern indicates attackers are focusing on high-value network infrastructure and development tools that provide broad access to organizational systems.
Compressed federal deadlines signal private sector urgency. When CISA mandates federal remediation within days, private sector organizations should interpret this as immediate threat intelligence rather than routine vulnerability disclosure. Federal agencies often face the same threat actors targeting private industry, making CISA’s emergency timelines relevant indicators of current attack campaigns.
The CISO question: When CISA adds vulnerabilities to the KEV catalog with compressed federal deadlines, does your organization treat this as immediate threat intelligence requiring emergency patching, or do you maintain standard patch management timelines regardless of federal urgency indicators?
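One way to turn the signal described above into a triage rule, as an added example that is neither CISA’s code nor from the original article: it reads records in the shape of CISA’s public KEV JSON feed and sorts new additions by how compressed the federal remediation window is. The CVE ids and dates are constructed placeholders, and the 21-day “routine” threshold is an assumed internal policy value, not a CISA figure.

```python
"""Triage CISA KEV entries by how compressed their federal remediation window is.
Added example, not CISA's code nor from the original article. Records use the field
names of CISA's public KEV JSON feed (cveID, vendorProject, product, dateAdded,
dueDate, knownRansomwareCampaignUse); the CVE ids and dates are constructed
placeholders and the 21-day "routine" threshold is an assumed internal policy value.
"""
from __future__ import annotations
import json
from datetime import date

# Constructed sample in KEV feed shape; CVE-0000-0000x are placeholders, not real CVEs.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-05-19", "dueDate": "2026-05-26", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00002", "vendorProject": "PaperCut", "product": "print management",
     "dateAdded": "2026-05-19", "dueDate": "2026-06-09", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00003", "vendorProject": "JetBrains", "product": "TeamCity",
     "dateAdded": "2026-05-21", "dueDate": "2026-05-28", "knownRansomwareCampaignUse": "Unknown"},
]})

ROUTINE_WINDOW_DAYS = 21  # assumed: a shorter federal window is read as an emergency signal

def remediation_window_days(entry: dict) -> int:
    """Days CISA gave federal agencies between catalog addition and the due date."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(entry["dateAdded"])).days

def triage_kev(feed_json: str, since: str, routine_days: int = ROUTINE_WINDOW_DAYS) -> list[dict]:
    """Entries added on or after `since` (ISO date), most urgent first. Each is annotated
    with windowDays and a priority: 'emergency' when the window is shorter than
    routine_days or CISA flags known ransomware use, otherwise 'routine'."""
    cutoff = date.fromisoformat(since)
    out = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        if date.fromisoformat(v["dateAdded"]) < cutoff:
            continue
        window = remediation_window_days(v)
        emergency = window < routine_days or v.get("knownRansomwareCampaignUse") == "Known"
        out.append({**v, "windowDays": window, "priority": "emergency" if emergency else "routine"})
    # emergencies first, then shortest window, then earliest due date
    out.sort(key=lambda e: (e["priority"] != "emergency", e["windowDays"], e["dueDate"]))
    return out

if __name__ == "__main__":
    for e in triage_kev(KEV_SAMPLE, since="2026-05-18"):
        print(f'{e["priority"]:9} {e["windowDays"]:2}d {e["cveID"]} {e["vendorProject"]} {e["product"]}')
```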
The pattern across all five stories
Shared infrastructure became the universal attack vector this week.
The LiteSpeed plugin flaw affected every shared hosting customer on vulnerable servers. The Drupal vulnerability targeted every PostgreSQL-backed site using affected versions. The First VPN takedown disrupted 25 ransomware groups using the same anonymization service. The npm package compromise hit hundreds of packages through shared development infrastructure. Federal systems faced eight vulnerabilities in enterprise infrastructure components.
Every attack exploited trust relationships that organizations didn’t realize they depended on. Shared hosting customers trusted plugin security. Drupal sites trusted framework-level input validation. Ransomware groups trusted VPN provider anonymity. Developers trusted package repository integrity. Federal agencies trusted vendor patch timelines.
CybelAngel finds exposed credentials, misconfigured services, and compromised infrastructure across your digital ecosystem, before attackers use shared trust relationships to turn one vulnerability into organization-wide compromise.
