The Dispatch$
A weekly brief for the security-adjacent practitioner. Each issue lists what to patch today, what to investigate this week, and what to add to the monthly or quarterly review, derived from whatever the prior week produced. Short items, clear actions, no vendor pitch.
-
Issue 007: Dispatch 007: TeamPCP poisoned the VS Code Nx Console extension and cloned GitHub's internal repositories, Trend Micro Apex One is being used to deliver malware to the endpoints it manages, Drupal has an actively exploited SQL injection on PostgreSQL backends, and the Secure Boot deadline is 33 days out with a confirmed OEM gap on pre-2018 hardware
The same group behind the Bitwarden CLI supply chain attack poisoned the Nx Console VS Code extension on May 20, harvested credentials from developer machines for 18 minutes, and used exfiltrated SSH keys to clone approximately 3,800 GitHub internal repositories; the SMB action is a VS Code extension audit and an auto-update policy decision, not a GitHub-specific response. CVE-2026-34926 in Trend Micro Apex One is a confirmed zero-day being exploited in the wild: an attacker with Apex One server admin credentials can modify the agent communication table and push malicious code to every managed endpoint, turning the security platform into a malware delivery mechanism; the fix is version 14.0.0.17079, with a KEV deadline of June 4. CVE-2026-9082 is an actively exploited SQL injection in Drupal core that affects only PostgreSQL-backed sites; it was KEV-listed May 22 with a May 27 deadline that has passed, and a public scanner is already in circulation. With 33 days to the June 26 Secure Boot certificate expiration, pre-2018 Dell, HP, and Lenovo hardware has documented capsule update issues, and the Hyper-V host-before-guest deployment ordering requirement is confirmed and consequential. And CVE-2026-5194 in wolfSSL has been patched upstream since April 8 with no major network vendor firmware advisory yet; this month is the time to inventory which perimeter and IoT devices in your environment are likely affected and set a monitoring cadence before advisories land.
-
Issue 006: Dispatch 006: Exchange OWA has an actively exploited zero-day with no permanent patch yet, May Patch Tuesday shipped 30 critical CVEs including an unauthenticated domain controller RCE, and the Secure Boot deadline is 40 days out with a Windows Server gap most environments have not closed
CVE-2026-42897 is an actively exploited zero-day in on-premises Exchange Server's Outlook Web Access that Microsoft disclosed May 14, two days after a Patch Tuesday that shipped with zero zero-days; CISA KEV-listed it May 15 with a May 29 deadline, and a permanent patch is not yet available. May Patch Tuesday's 137 CVEs include CVE-2026-41089, an unauthenticated CVSS 9.8 RCE in Windows Netlogon targeting domain controllers, and four Word RCEs that trigger through the Outlook Preview Pane; no zero-days in the release itself, but the volume and the Netlogon flaw together warrant the same deployment urgency as any zero-day cycle. Fortinet disclosed CVE-2026-26084 in FortiAuthenticator on May 12, an unauthenticated RCE on the appliance most environments use to enforce MFA on VPN; no confirmed exploitation yet but Fortinet's track record argues for treating it as patch-today in practice. CISA's three-day KEV deadline is no longer a proposal: all four KEV additions from May 6 through May 14 carried three-day windows, confirming the policy shift is already operational. And with 40 days to the June 26 Secure Boot certificate expiration, this week surfaced two specific gaps: Windows Server does not receive the certificate updates automatically, and May's Patch Tuesday introduced a BitLocker recovery key prompt on devices with specific TPM platform validation GPOs.
-
Issue 005: Dispatch 005: Palo Alto has a root-level firewall zero-day with no patch yet, Ivanti EPMM is exploited again, May Patch Tuesday lands Tuesday, and ClickFix has a new variant that bypasses your PowerShell detection
CVE-2026-0300 in Palo Alto PAN-OS is an unauthenticated root RCE confirmed actively exploited by a likely state-sponsored cluster; patches begin rolling out May 13 but are not yet universally available, and the interim mitigations are specific and executable today. Ivanti EPMM CVE-2026-6973 is a confirmed zero-day exploited in targeted attacks, CISA-listed with a federal deadline that has already passed; every prior EPMM zero-day campaign has been attributed to Chinese state-sponsored groups. May Patch Tuesday drops tomorrow and pre-release indicators point to at least two critical Windows RCE candidates; your pilot ring should be ready now. The Linux kernel Copy Fail vulnerability allows any unprivileged user to escalate to root with a 732-byte script; container escape is confirmed, May 15 patching deadline applies to cloud and containerized Linux workloads. CISA is reportedly discussing cutting KEV remediation deadlines from two to three weeks to three days. And ClickFix has a new variant that routes around PowerShell-focused detection entirely by using cmdkey and regsvr32 instead.
-
Issue 004: Another SonicWall vulnerability, cPanel WHM had a root-level authentication bypass since February, ScreenConnect is now a confirmed Kimsuky target, and AI tool connections are a documented attack surface
CVE-2026-41940 in cPanel and WHM was exploited as a zero-day since at least February 23; Shadowserver is tracking 44,000 active scanning IPs against 650,000 exposed instances and the CISA deadline has passed. ConnectWise ScreenConnect CVE-2024-1708 was KEV-listed April 28 with Storm-1175 and North Korean group Kimsuky both confirmed exploiting the same flaw. SonicWall's entire Gen6 through Gen8 firewall lineup needs firmware updates after a three-CVE advisory dropped April 29 with an unauthenticated management access flaw leading the set. Quest KACE SMA CVE-2025-32975 exploitation chains through the appliance to backup infrastructure and domain controllers; the KACE KEV deadline was May 4. And two incidents this month, the Bitwarden CLI supply chain worm and the Vercel breach, independently document AI tool OAuth grants and MCP server configurations as active targets worth auditing this quarter.
-
Issue 003: SimpleHelp is a confirmed DragonForce on-ramp, a trojanized Bitwarden CLI package was live on npm for 93 minutes, and D-Link DIR-823X has no patch
CISA KEV-listed two SimpleHelp vulnerabilities on April 24 with a May 8 federal deadline; both are confirmed DragonForce ransomware precursors and one carries a CVSS of 9.9. A trojanized build of the Bitwarden CLI was live on npm for 93 minutes on April 22, harvesting cloud credentials and exfiltrating them via public GitHub repositories; any CI pipeline that installed @bitwarden/cli during that window should be treated as compromised. D-Link DIR-823X routers have no patch, are under active Mirai exploitation, and CISA's formal guidance is to remove them from service. CVE-2026-3844 in the Breeze Cache WordPress plugin is under active exploitation with nearly 4,000 blocked attempts documented in a single 24-hour window across 400,000 active installations. The Vercel April breach closed with no npm supply chain compromise, but the attack vector, a stolen Google OAuth token from a third-party AI tool, is a class of exposure most organizations have not inventoried.
-
Issue 002: SharePoint zero-day actively exploited, Storm-1175 names your MSP toolstack in its Medusa ransomware targeting list, and DarkSword lands on GitHub
April Patch Tuesday shipped 167 fixes including an actively exploited SharePoint zero-day and Outlook preview-pane RCEs that need no user click; Microsoft published a full threat actor profile on Storm-1175, a Medusa ransomware affiliate whose confirmed exploit inventory includes Exchange, ConnectWise ScreenConnect, SimpleHelp, BeyondTrust, and PaperCut; CISA added Apache ActiveMQ's thirteen-year-old unauthenticated RCE to the KEV catalog; Apple pushed DarkSword patches to most iPhones as the kit appeared on GitHub; a Cisco baseboard management controller auth bypass gives attackers hardware-level access below your EDR's line of sight; and April's Patch Tuesday silently flipped Kerberos RC4 enforcement on every domain controller you just patched, with July as the final deadline to clear dependencies before rollback is no longer possible.
-
Issue 001: The first dispatch: A Fortinet EMS advisory, an Acrobat zero-day, and a looming Secure Boot deadline
Three actively-exploited flaws in software every SMB runs (Fortinet EMS, Adobe Reader, Chrome), a Microsoft 365 device-code phishing wave that walks past MFA, and the Secure Boot cert deadline that'll get you before you notice it.