TL;DR
CISA just dropped 7 new entries into the Known Exploited Vulnerabilities (KEV) catalogue — and at least 2 are already being used in active ransomware campaigns. If your business runs Cisco networking gear, cPanel/WHM hosting, ConnectWise ScreenConnect, Ivanti endpoint tools, VMware, or anything on Linux, there's a critical patch with your name on it. Federal patch deadline for the most urgent: now.
What Just Happened: CISA's May KEV Dump
On May 18, 2026, CISA published a cluster of 7 new Known Exploited Vulnerabilities (KEV) entries — the catalogue of flaws with confirmed active exploitation in the wild. This isn't a theoretical list. These are vulnerabilities attackers are actively weaponising right now. The KEV catalogue carries binding operational weight: US federal agencies must remediate by the specified due date under BOD 22-01. But CISA's guidance is explicit — all organisations should prioritise these, not just government.
For Australian SMBs with 10–50 staff, the message is blunt: your patching backlog just got a mandatory priority queue. Several of these vulnerabilities affect products SMBs rely on every day. At least two have been observed in active ransomware operations.
The 7 CVEs That Matter Most
1. Cisco Catalyst SD-WAN — CVE-2026-20182 (CVSS 10.0)
The damage: Unauthenticated remote attacker bypasses authentication and walks straight into full administrator privileges. No credentials needed. No user interaction.
Why it's terrifying: This has been exploited silently in the wild since 2023. Attackers have had a nearly three-year head start. CISA issued Emergency Directive 26-03 for this one — that's the highest urgency level the agency has.
Who's affected: Any business running Cisco Catalyst SD-WAN or SD-WAN Manager. If your branch offices or remote sites use Cisco for SD-WAN, you're in the blast radius. Patch immediately. Isolate management interfaces from the internet. Ship logs off-device — attackers are deleting local logs to cover tracks.
Deadline: NOW. No workaround exists.
2. WebPros cPanel & WHM / WP2 — CVE-2026-41940 (CVSS 9.8)
The damage: Authentication bypass in the login flow. Unauthenticated remote attackers get unauthorised access to the entire control panel — websites, databases, email accounts, everything.
Confirmed ransomware use: Yes. CISA flags this one as having known use in ransomware campaigns.
Who's affected: Any business whose website runs on cPanel/WHM hosting — which is the majority of SMBs using shared or managed WordPress hosting. If your hosting provider hasn't patched, your site is a target. Ask them today: "Have you applied the CVE-2026-41940 patch?"
Deadline: Immediate for internet-facing panels.
3. ConnectWise ScreenConnect — CVE-2024-1708 (CVSS 8.4)
The damage: Path traversal vulnerability allowing remote code execution and direct access to confidential data or critical systems.
Confirmed ransomware use: Yes. Flagged as known ransomware campaign use since April 2026.
Who's affected: Any business using ConnectWise ScreenConnect for remote support — extremely common among MSPs serving Australian SMBs. If your IT provider uses ScreenConnect to manage your systems, your entire network could be reachable through this one flaw. Verify with your MSP that they've patched to the latest version.
Deadline: Immediately. This is a remote-access tool — the blast radius is every machine it touches.
4. Ivanti Endpoint Manager Mobile (EPMM) — CVE-2026-1603/CVE-2026-6973
The damage: Unauthenticated credential leak (CVE-2026-1603) and authenticated remote code execution via improper input validation (CVE-2026-6973, CVSS 7.2). Chained together, an attacker can steal credentials, then execute arbitrary code.
Who's affected: Organisations using Ivanti Endpoint Manager Mobile for device management. Common in mid-market firms managing corporate mobiles and BYOD fleets.
Deadline: Apply vendor patches immediately. CISA confirms active exploitation.
5. VMware Aria Operations — CVE-2026-22719 (CVSS 8.1)
The damage: Unauthenticated command injection with remote code execution potential. Added to KEV March 3, 2026. Federal patch deadline was March 24 — meaning this has already passed the government's mandatory remediation window.
Who's affected: VMware Aria Operations users. VMware is ubiquitous in SMB server rooms for virtualisation. If your server infrastructure runs on VMware, verify whether Aria Operations is in your stack — it often ships as part of vRealize Suite bundles.
Deadline: Should have been patched 8 weeks ago. If you haven't, do it today.
6. Linux Kernel Privilege Escalation — CVE-2026-31431 (CVSS 7.8)
The damage: Incorrect resource transfer between security spheres allowing privilege escalation. Attacker with limited access escalates to root.
Who's affected: Nearly every Linux server in existence. Web servers, database servers, file servers, container hosts — all potentially vulnerable. This is the one that flies under the radar because it's not a single product with a vendor alert. It's the operating system itself.
Deadline: Apply your distribution's kernel update. For Ubuntu: apt update && apt upgrade linux-image-generic. For RHEL/CentOS/Rocky: dnf update kernel.
7. BeyondTrust Remote Support & Privileged Remote Access — CVE-2026-1731 (CVSS 9.9)
The damage: Pre-authentication remote code execution. Was a zero-day for a full week before disclosure. Proof-of-concept exploit dropped almost immediately. Now confirmed in active ransomware campaigns.
Who's affected: ~11,000 instances still exposed online according to threat intelligence. BeyondTrust is used for privileged access management — the tool that controls who gets admin access. Compromising it means compromising the keys to the kingdom.
Deadline: Patch immediately. If you can't patch, take it offline until you can.
What Australian SMBs Should Do Right Now
First hour: Inventory your exposure. Check whether you run Cisco SD-WAN, cPanel/WHM, ConnectWise ScreenConnect, Ivanti EPMM, VMware Aria, BeyondTrust, or any Linux servers. Don't guess — check.
First day: Patch the internet-facing ones first. Cisco SD-WAN, cPanel, ScreenConnect, BeyondTrust — anything reachable from the internet goes to the top of the queue. An attacker doesn't need to be on your network to exploit these.
First week: Patch everything else. Linux kernel updates across all servers. VMware Aria if applicable. Ivanti endpoint tools.
Ongoing: Make KEV review part of your weekly patch cycle. CISA updates the catalogue as new exploitation evidence appears — it's not a monthly schedule. The catalogue's time filter (Last 30 Days) makes this a 15-minute weekly task.
If you're under-resourced: Talk to your MSP or IT provider. Ask specifically: "Have you patched CVE-2026-20182 and CVE-2026-41940?" If they can't answer, that's a red flag.
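One way to turn the inventory check and the weekly KEV review above into a script (an added example, not the article's or CISA's own tooling): it reads the KEV JSON feed, keeps entries added in the last 30 days, and also surfaces products you run whose federal due date has already passed, which a plain "Last 30 Days" filter would miss. The feed URL is the real one; SAMPLE_FEED, INVENTORY and all dates in it are constructed for the example.

```python
"""Weekly KEV triage against a small asset inventory (added example, not the article's tooling).

Live feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
SAMPLE_FEED is a constructed stand-in in the same shape; its dates and dueDate values are
illustrative (built from the article's CVEs), not the real catalogue records.
"""
import json
from datetime import date, timedelta

SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-20182", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-05-18", "dueDate": "2026-05-19", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-41940", "vendorProject": "WebPros", "product": "cPanel & WHM",
     "dateAdded": "2026-05-18", "dueDate": "2026-05-25", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-1708", "vendorProject": "ConnectWise", "product": "ScreenConnect",
     "dateAdded": "2026-05-18", "dueDate": "2026-06-08", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-22719", "vendorProject": "VMware", "product": "Aria Operations",
     "dateAdded": "2026-03-03", "dueDate": "2026-03-24", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "Unrelated Widget",
     "dateAdded": "2020-01-10", "dueDate": "2020-01-24", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: lowercase keywords for the products this business runs.
INVENTORY = ["sd-wan", "cpanel", "screenconnect", "vmware aria", "linux kernel"]


def triage(feed_json, inventory, today, days=30):
    """Patch queue: everything added in the last `days`, plus anything we run whose
    federal due date has already passed (the 30-day filter alone misses those)."""
    window_start = today - timedelta(days=days)
    queue = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        label = f'{v["vendorProject"]} {v["product"]}'
        in_inventory = any(k in label.lower() for k in inventory)
        recent = date.fromisoformat(v["dateAdded"]) >= window_start
        overdue = in_inventory and date.fromisoformat(v["dueDate"]) < today
        if not (recent or overdue):
            continue
        queue.append({"cve": v["cveID"], "product": label, "due": v["dueDate"],
                      "ransomware": v["knownRansomwareCampaignUse"] == "Known",
                      "in_inventory": in_inventory, "overdue": overdue})
    # Products we run first, ransomware-linked CVEs next, then earliest federal due date.
    queue.sort(key=lambda e: (not e["in_inventory"], not e["ransomware"], e["due"]))
    return queue


if __name__ == "__main__":
    for e in triage(SAMPLE_FEED, INVENTORY, date(2026, 5, 18)):
        flags = ("RANSOMWARE " if e["ransomware"] else "") + ("OVERDUE" if e["overdue"] else "")
        print(f'{e["cve"]:15} {e["product"]:32} due {e["due"]} {flags}')
```

Swap SAMPLE_FEED for the downloaded feed and INVENTORY for your real product list; the output is the patch queue to hand to your MSP, with the ransomware-linked and overdue items already at the top.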
FAQ
Does CISA's BOD 22-01 apply to my Australian business?
Legally, no — it binds US federal agencies. But operationally, CISA strongly urges all organisations to follow the same timelines. Attackers don't check your jurisdiction before exploiting these flaws. The threat is global.
How is KEV different from a regular CVE list?
KEV only includes vulnerabilities with confirmed, active exploitation in the wild and a clear remediation path (patch, mitigation, or workaround). It's designed to answer "what should we patch first right now?" — not "what's theoretically dangerous?"
What if my vendor hasn't released a patch yet?
CISA's guidance in these cases is to apply available mitigations (like isolating management interfaces), follow vendor instructions, or — if neither exists — discontinue use of the product. Running unpatched, actively-exploited software is not an option.
How do I stay on top of this weekly?
Bookmark the CISA KEV catalogue and filter by "Last 30 Days." Check every Monday. It takes 15 minutes and tells you exactly what's being exploited right now.
Conclusion
Seven new KEV entries, two confirmed in active ransomware campaigns, multiple CVSS 10.0 criticals, and at least one vulnerability exploited undetected since 2023. This is not a drill. The gap between disclosure and exploitation is now measured in hours — and in some cases, attackers were inside before the CVE was even public.
Start with your internet-facing assets. Move to internal systems. Verify with your MSP. Document your patching so you can prove it was done.
For Australian SMBs without a dedicated security team, this is exactly the kind of threat landscape that justifies external help. If you're not confident you've patched everything on this list by end of week, let's talk.
Get a free 30-minute cybersecurity posture assessment at consult.lil.business. We'll check your exposure against the current KEV catalogue and tell you what to patch first.
References
- CISA Known Exploited Vulnerabilities Catalog
- CISA Binding Operational Directive 22-01 — Reducing the Significant Risk of Known Exploited Vulnerabilities
- CISA Emergency Directive 26-03 — Cisco SD-WAN Devices
- CVEFeed — CISA KEV Catalog with Latest Additions
- Australian Cyber Security Centre (ACSC) — Essential Eight Maturity Model
- CVE-2026-20182 — NIST National Vulnerability Database
- CVE-2026-41940 — WebPros cPanel & WHM Authentication Bypass