Top enterprise CVEs from last week (May 24th - May 30th)
Posted by patchdayalert@reddit | sysadmin | 0 comments
Hello all! With the crazy explosion of vulnerabilities being disclosed lately, I thought it might be helpful to have a weekly post about the top CVEs from the week before. Mods, let me know if this breaks any rules or if it should be posted differently. My intention is just community building and trying to help others out that are in the same situation as our team.
Four vulns stood out to me from the past week. All of them are on CISA's KEV list, which means there is evidence of active exploitation. The two internet-facing ones should be prioritized first, if applicable.
1. CVE-2026-0257, Palo Alto PAN-OS GlobalProtect auth bypass
If you have GlobalProtect exposed, this is not one to let sit too long. Attackers are able to forge GlobalProtect session cookies and connect to the VPN without valid credentials.
Affected: PAN-OS firewalls with the GlobalProtect portal or gateway enabled.
Why it matters: The CVSS score is only 4.0, which looks “medium” on paper, but that score feels misleading here. It is KEV-listed, exploited in the wild, unauthenticated, and sitting on an internet-facing VPN service.
Action: upgrade to a fixed PAN-OS release now, or disable the auth-override feature as an interim step. Also review GlobalProtect logs for sessions you cannot account for.
2. CVE-2026-35616: Fortinet FortiClient EMS pre-auth API bypass
This one is nasty because of what EMS manages.
It is a pre-auth bypass that can let an attacker push scripts to managed endpoints. Arctic Wolf reported exploitation in May, including EKZ infostealer activity disguised as a Fortinet update.
Affected: FortiClient EMS 7.4.5 through 7.4.6.
Why it matters: EMS has a bunch of downstream control. If someone can abuse it, the impact can quickly move from just “one exposed management service” to “many managed endpoints.”
Action: Confirm your EMS version and apply the hotfix. I’d also review managed-endpoint policies and Remote Access Profiles for anything you did not create recently.
3. CVE-2026-48172: LiteSpeed cPanel plugin privilege escalation to root
This one mainly matters for web hosts, MSPs, and anyone running cPanel with LiteSpeed.
Any authenticated cPanel user can run scripts as root through the plugin’s Redis JSON API. It was reportedly exploited as a zero-day before the fix shipped.
Affected: LiteSpeed user-end cPanel plugin versions 2.3 through 2.4.4.
Why it matters: CVSS 9.8. Added to KEV on May 26, with the federal remediation deadline already passed on May 29.
Action: Update the plugin to 2.4.5 or later. IOC to check in the cPanel logs:
cpanel_jsonapi_func=redisAble
4. CVE-2026-34926: Trend Micro Apex One on-prem directory traversal
This is not really a front-door bug, but it is still worth attention because of the blast radius.
An attacker with admin access to the Apex One server can inject code into the agent update channel and push it to managed endpoints.
Affected: On-premises Trend Micro Apex One. The SaaS version is not impacted.
Why it matters: KEV-listed and exploited in the wild. Federal deadline is June 4. The caveat is that it obviously already requires prior admin access to the server, so treat it as an escalation/lateral-movement risk.
Action: Apply Trend Micro’s fix. If you cannot patch immediately, restrict who and what can reach the Apex One management server.
Not every KEV entry deserves a full-on fire drill, but the Palo Alto and Fortinet items seem like the ones I would want handled first if they were in my environment.
Let me know if this format is helpful at all and I'll do another one next week if it's worthwhile to the community!
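Added example (not part of the post above, and not vendor code): two quick triage checks for items 2 and 3 written as a small Python script. The first decides whether an installed version sits inside the affected ranges the post lists (FortiClient EMS 7.4.5 through 7.4.6; LiteSpeed cPanel plugin 2.3 through 2.4.4) using numeric comparison, so that a version such as 7.4.10 is not mistaken for "older than 7.4.6" the way a plain string compare would. The second scans cPanel access-log lines for the redisAble IOC by parsing the request target and percent-decoding the query string, so an encoded variant like `redis%41ble` is caught as well as a plain substring grep would miss. The log lines, usernames, IPs and the default log path are constructed assumptions for illustration.

```python
"""Triage helpers for the LiteSpeed cPanel plugin and FortiClient EMS items.

Added example, not code from the original post or from either vendor.
Sample log lines below are constructed; the log path is an assumption.
"""
import re
import sys
from urllib.parse import parse_qs, urlsplit

# Affected ranges exactly as stated in the post: (first affected, last affected).
AFFECTED_RANGES = {
    "FortiClient EMS": ("7.4.5", "7.4.6"),
    "LiteSpeed cPanel plugin": ("2.3", "2.4.4"),
}


def parse_version(version):
    """'7.4.10' -> (7, 4, 10). Tuples compare numerically, so 7.4.10 > 7.4.6."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(product, installed):
    """True if `installed` falls inside the affected range for `product`."""
    low, high = AFFECTED_RANGES[product]
    return parse_version(low) <= parse_version(installed) <= parse_version(high)


# Combined-format access log line: client IP, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# IOC from the post: the plugin's JSON API function that was abused.
IOC_PARAM = "cpanel_jsonapi_func"
IOC_VALUE = "redisAble"


def find_redisable_calls(lines):
    """Return one record per log line whose decoded query carries the IOC."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected access-log shape
        # parse_qs percent-decodes both keys and values, so redis%41ble == redisAble.
        query = parse_qs(urlsplit(match["target"]).query)
        if IOC_VALUE in query.get(IOC_PARAM, []):
            hits.append({
                "ip": match["ip"],
                "user": match["user"],
                "ts": match["ts"],
                "method": match["method"],
                "status": match["status"],
            })
    return hits


# Constructed sample lines: two hits (one percent-encoded), one benign call, one junk line.
SAMPLE_LOG = [
    '203.0.113.7 - webuser1 [26/May/2026:03:14:07 +0000] "GET /cpsess0000000000/json-api/cpanel'
    '?cpanel_jsonapi_module=LiteSpeed&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512',
    '198.51.100.9 - webuser2 [26/May/2026:09:02:11 +0000] "GET /cpsess0000000000/json-api/cpanel'
    '?cpanel_jsonapi_module=Email&cpanel_jsonapi_func=listpops HTTP/1.1" 200 1024',
    '203.0.113.7 - webuser1 [26/May/2026:03:15:40 +0000] "POST /cpsess0000000000/json-api/cpanel'
    '?cpanel_jsonapi_func=redis%41ble HTTP/1.1" 200 300',
    "garbage line that does not parse",
]


if __name__ == "__main__":
    # Assumed default location of the cPanel access log; override on the command line.
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/cpanel/logs/access_log"
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = list(fh)
    except OSError as exc:
        print(f"could not read {path} ({exc}); using constructed sample lines")
        lines = SAMPLE_LOG
    for hit in find_redisable_calls(lines):
        print(f"{hit['ts']} {hit['ip']} {hit['user']} {hit['method']} -> {hit['status']}")
    for product, version in (("LiteSpeed cPanel plugin", "2.4.4"),
                             ("FortiClient EMS", "7.4.10")):
        print(f"{product} {version}: affected={is_affected(product, version)}")
```

Run it against the real log (`python3 triage.py /usr/local/cpanel/logs/access_log`) and treat every hit as a session to investigate rather than as proof of compromise on its own; a legitimate user could have touched that function, so pivot on the source IP and the cPanel account to see what else they did around the same time.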