TL;DR
CISA just dropped 7 new entries into the Known Exploited Vulnerabilities (KEV) catalogue — and at least 2 are already being used in active ransomware campaigns. If your business runs Cisco networking gear, cPanel/WHM hosting, ConnectWise ScreenConnect, Ivanti endpoint tools, VMware, or anything on Linux, there's a critical patch with your name on it. Federal patch deadline for the most urgent: now.
What Just Happened: CISA's May KEV Dump
On May 18, 2026, CISA published a cluster of 7 new Known Exploited Vulnerabilities (KEV) entries — the catalogue of flaws with confirmed active exploitation in the wild. This isn't a theoretical list. These are vulnerabilities attackers are actively weaponising right now. The KEV catalogue carries binding operational weight: US federal agencies must remediate by the specified due date under BOD 22-01. But CISA's guidance is explicit — all organisations should prioritise these, not just government.
For Australian SMBs with 10–50 staff, the message is blunt: your patching backlog just got a mandatory priority queue. Several of these vulnerabilities affect products SMBs rely on every day. At least two have
The 7 CVEs That Matter Most
1. Cisco Catalyst SD-WAN — CVE-2026-20182 (CVSS 10.0)
The damage: Unauthenticated remote attacker bypasses authentication and walks straight into full administrator privileges. No credentials needed. No user interaction.
Why it's terrifying: This has been exploited silently in the wild since 2023. Attackers have had a nearly three-year head start. CISA issued Emergency Directive 26-03 for this one — that's the highest urgency level the agency has.
Who's affected: Any business running Cisco Catalyst SD-WAN or SD-WAN Manager. If your branch offices or remote sites use Cisco for SD-WAN, you're in the blast radius. Patch immediately. Isolate management interfaces from the internet. Ship logs off-device — attackers are deleting local logs to cover tracks.
Deadline: NOW. No workaround exists.
2. WebPros cPanel & WHM / WP2 — CVE-2026-41940 (CVSS 9.8)
The damage: Authentication bypass in the login flow. Unauthenticated remote attackers get unauthorised access to the entire control panel — websites, databases, email accounts, everything.
Confirmed ransomware use: Yes. CISA flags this one as known to be used in ransomware campaigns.
Who's affected: Any business whose website runs on cPanel/WHM hosting — which is the majority of SMBs using shared or managed WordPress hosting. If your hosting provider hasn't patched, your site is a target. Ask them today: "Have you applied the CVE-2026-41940 patch?"
Deadline: Immediate for internet-facing panels.
3. ConnectWise ScreenConnect — CVE-2024-1708 (CVSS 8.4)
The damage: Path traversal vulnerability allowing remote code execution and direct access to confidential data or critical systems.
Confirmed ransomware use: Yes. Flagged as known ransomware use since April 2026.
Who's affected: Any business using ConnectWise ScreenConnect for remote support — extremely common among MSPs serving Australian SMBs. If your IT provider uses ScreenConnect to manage your systems, your entire network could be reachable through this one flaw. Verify with your MSP that they've patched to the latest version.
Deadline: Immediately. This is a remote-access tool — the blast radius is every machine it touches.
4. Ivanti Endpoint Manager Mobile (EPMM) — CVE-2026-1603/CVE-2026-6973
The damage: Unauthenticated credential leak (CVE-2026-1603) and authenticated remote code execution via improper input validation (CVE-2026-6973, CVSS 7.2). Chained together, an attacker can steal credentials, then execute arbitrary code.
Who's affected: Organisations using Ivanti Endpoint Manager Mobile for device management. Common in mid-market firms managing corporate mobiles and BYOD fleets.
Deadline: Apply vendor patches immediately. CISA confirms active exploitation.
5. VMware Aria Operations — CVE-2026-22719 (CVSS 8.1)
The damage: Unauthenticated command injection with remote code execution potential. Added to KEV March 3, 2026. Federal patch deadline was March 24 — meaning this has already passed the government's mandatory remediation window.
Who's affected: VMware Aria Operations users. VMware is ubiquitous in SMB server rooms for virtualisation. If your server infrastructure runs on VMware, verify whether Aria Operations is in your stack — it often ships as part of vRealize Suite bundles.
Deadline: Should have been patched 8 weeks ago. If you haven't, do it today.
6. Linux Kernel Privilege Escalation — CVE-2026-31431 (CVSS 7.8)
The damage: Incorrect resource transfer between security spheres allowing privilege escalation. Attacker with limited access escalates to root.
Who's affected: Nearly every Linux server in existence. Web servers, database servers, file servers, container hosts — all potentially vulnerable. This is the one that flies under the radar because it's not a single product with a vendor alert. It's the operating system itself.
Deadline: Apply your distribution's kernel update. For Ubuntu: apt update && apt upgrade linux-image-generic. For RHEL/CentOS/Rocky: dnf update kernel.
7. BeyondTrust Remote Support & Privileged Remote Access — CVE-2026-1731 (CVSS 9.9)
The damage: Pre-authentication remote code execution. Was a zero-day for a full week before disclosure. Proof-of-concept exploit dropped almost immediately. Now confirmed in active ransomware campaigns.
Who's affected: ~11,000 instances still exposed online according to threat intelligence. BeyondTrust is used for privileged access management — the tool that controls who gets admin access. Compromising it means compromising the keys to the kingdom.
Deadline: Patch immediately. If you can't patch, take it offline until you can.
What Australian SMBs Should Do Right Now
First hour: Inventory your exposure. Check whether you run Cisco SD-WAN, cPanel/WHM, ConnectWise ScreenConnect, Ivanti EPMM, VMware Aria, BeyondTrust, or any Linux servers. Don't guess — check.
First day: Patch the internet-facing ones first. Cisco SD-WAN, cPanel, ScreenConnect, BeyondTrust — anything reachable from the internet goes to the top of the queue. An attacker doesn't need to be on your network to exploit these.
First week: Patch everything else. Linux kernel updates across all servers. VMware Aria if applicable. Ivanti endpoint tools.
Ongoing: Make KEV review part of your weekly patch cycle. CISA updates the catalogue as new exploitation evidence appears — it's not a monthly schedule. The catalogue's time filter (Last 30 Days) makes this a 15-minute weekly task.
If you're under-resourced: Talk to your MSP or IT provider. Ask specifically: "Have you patched CVE-2026-20182 and CVE-2026-41940?" If they can't answer, that's a red flag.
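The weekly KEV review described above (and in the FAQ answer on checking the "Last 30 Days" filter), turned into a script. This is an added example, not code from the article or from CISA: a Node.js triage routine that takes a KEV feed snapshot, keeps only the entries whose vendor/product matches a keyword inventory of what the business runs, and flags each match as new in the last 30 days, known ransomware use, or past its federal due date. The field names follow the real KEV JSON feed; the entries embedded below are constructed from the CVE IDs in the article, and their vendor strings and due dates (other than the VMware dates the article states) are assumptions.

```javascript
// Added example, not code from the article: triage a CISA KEV feed snapshot
// against a product inventory. Field names follow the real KEV JSON feed
// (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
// The entries below are CONSTRUCTED from the CVE IDs in the article; vendor
// strings and due dates are assumptions for illustration.
const KEV_FEED_URL =
  "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json";

const sampleFeed = {
  vulnerabilities: [
    { cveID: "CVE-2026-20182", vendorProject: "Cisco", product: "Catalyst SD-WAN",
      dateAdded: "2026-05-18", dueDate: "2026-05-25", knownRansomwareCampaignUse: "Unknown" },
    { cveID: "CVE-2026-41940", vendorProject: "WebPros", product: "cPanel & WHM",
      dateAdded: "2026-05-18", dueDate: "2026-06-08", knownRansomwareCampaignUse: "Known" },
    { cveID: "CVE-2024-1708", vendorProject: "ConnectWise", product: "ScreenConnect",
      dateAdded: "2026-05-18", dueDate: "2026-06-08", knownRansomwareCampaignUse: "Known" },
    { cveID: "CVE-2026-22719", vendorProject: "VMware", product: "Aria Operations",
      dateAdded: "2026-03-03", dueDate: "2026-03-24", knownRansomwareCampaignUse: "Unknown" },
    { cveID: "CVE-2026-31431", vendorProject: "Linux", product: "Kernel",
      dateAdded: "2026-05-18", dueDate: "2026-06-08", knownRansomwareCampaignUse: "Unknown" },
  ],
};

// Inventory keywords (constructed): what this business actually runs. Matching is a
// case-insensitive substring test against "vendorProject product".
const sampleInventory = ["sd-wan", "cpanel", "screenconnect", "aria operations", "linux kernel"];

// Whole days from ISO date a to ISO date b (negative when b is earlier).
function daysBetween(a, b) {
  return Math.round((Date.parse(b) - Date.parse(a)) / 86_400_000);
}

// Returns the matching entries, ransomware-linked ones first, then by federal due date.
function triageKev(feed, inventory, today, windowDays = 30) {
  const keys = inventory.map((k) => k.toLowerCase());
  return feed.vulnerabilities
    .filter((v) => {
      const label = `${v.vendorProject} ${v.product}`.toLowerCase();
      return keys.some((k) => label.includes(k));
    })
    .map((v) => ({
      cveID: v.cveID,
      product: `${v.vendorProject} ${v.product}`,
      dueDate: v.dueDate,
      addedInWindow: daysBetween(v.dateAdded, today) <= windowDays,
      ransomware: v.knownRansomwareCampaignUse === "Known",
      overdue: daysBetween(v.dueDate, today) > 0,
    }))
    .sort((a, b) =>
      Number(b.ransomware) - Number(a.ransomware) || a.dueDate.localeCompare(b.dueDate));
}

// Live use (needs network and Node 18+ global fetch): pass the result in place of sampleFeed.
async function fetchKevFeed(url = KEV_FEED_URL) {
  const res = await fetch(url);
  if (!res.ok) throw new Error(`KEV feed fetch failed: HTTP ${res.status}`);
  return res.json();
}

// One line per match for the weekly review.
function printReport(matches) {
  for (const m of matches) {
    const flags = [
      m.ransomware ? "RANSOMWARE" : null,
      m.overdue ? "OVERDUE" : null,
      m.addedInWindow ? "NEW" : null,
    ].filter(Boolean).join(",");
    console.log(`${m.cveID}  ${m.product}  due ${m.dueDate}  ${flags}`);
  }
}

// Reference date for the sample run: two days after the May 18 catalogue update.
printReport(triageKev(sampleFeed, sampleInventory, "2026-05-20"));
```

Run against the live feed by awaiting `fetchKevFeed()` and passing its result to `triageKev` with today's date; the inventory list is the only part that needs to be maintained, and it should name every product family the first-hour inventory step turns up.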
FAQ
Does CISA's BOD 22-01 apply to my Australian business?
Legally, no — it binds US federal agencies. But operationally, CISA strongly urges all organisations to follow the same timelines. Attackers don't check your jurisdiction before exploiting these flaws. The threat is global.
How is KEV different from a regular CVE list?
KEV only includes vulnerabilities with confirmed, active exploitation in the wild and a clear remediation path (patch, mitigation, or workaround). It's designed to answer "what should we patch first right now?" — not "what's theoretically dangerous?"
What if my vendor hasn't released a patch yet?
CISA's guidance in these cases is to apply available mitigations (like isolating management interfaces), follow vendor instructions, or — if neither exists — discontinue use of the product. Running unpatched, actively-exploited software is not an option.
How do I stay on top of this weekly?
Bookmark the CISA KEV catalogue and filter by "Last 30 Days." Check every Monday. It takes 15 minutes and tells you exactly what's being exploited right now.
Conclusion
Seven new KEV entries, two confirmed in active ransomware campaigns, multiple CVSS 10.0 criticals, and at least one vulnerability exploited undetected since 2023. This is not a drill. The gap between disclosure and exploitation is now measured in hours — and in some cases, attackers were inside before the CVE was even public.
Start with your internet-facing assets. Move to internal systems. Verify with your MSP. Document your patching so you can prove it was done.
For Australian SMBs without a dedicated security team, this is exactly the kind of threat landscape that justifies external help. If you're not confident you've patched everything on this list by end of week, let's talk.
Get a free 30-minute cybersecurity posture assessment at consult.lil.business. We'll check your exposure against the current KEV catalogue and tell you what to patch first.
References
- CISA Known Exploited Vulnerabilities Catalog
- CISA Binding Operational Directive 22-01 — Reducing the Significant Risk of Known Exploited Vulnerabilities
- CISA Emergency Directive 26-03 — Cisco SD-WAN Devices
- CVEFeed — CISA KEV Catalog with Latest Additions
- Australian Cyber Security Centre (ACSC) — Essential Eight Maturity Model
- CVE-2026-20182 — NIST National Vulnerability Database
- CVE-2026-41940 — WebPros cPanel & WHM Authentication Bypass
TL;DR
- A popular tool that programmers use has a serious security problem
- The problem is called CVE-2026-28292 and it's very dangerous (score 9.8 out of 10)
- It lets attackers run commands on computers that use certain versions of the tool
- Anyone who uses this tool needs to update it right away
What Is simple-git and Why Do Programmers Use It?
Imagine you have a robot that helps you organize your school projects. The robot keeps track of every change you make, lets you go back to older versions, and helps you work with friends on the same project. That's what git does for computer programmers—it's like a super-powered "undo" button and collaboration tool [1].
Simple-git is a popular tool that lets programs talk to git automatically. Think of it like a translator: your program says "save this work" in English, and simple-git translates it into git-language so git understands what to do [2].
Programmers use simple-git all the time in web applications, tools that help other programmers, and systems that automatically update websites. It's everywhere in modern software.
What's the Problem?
Someone found a way to trick simple-git into running bad commands instead of just translating for git. It's like if you told your translator robot "say hello" but instead it started opening doors and turning off lights [3].
The scary part is that this trick doesn't need a password or special access. If an application uses simple-git in the wrong way, an attacker could send a specially crafted message that makes the application do whatever the attacker wants [4].
The problem affects versions 3.15.0 through 3.32.2 of simple-git. Version 3.23.0 fixes the problem, so everyone needs to update to that version or a newer one [5].
How Could This Hurt a Business?
Imagine a company has a website that lets programmers share their code. The website uses simple-git to manage all the shared projects. If an attacker knows about this vulnerability, they could:
- Send a specially crafted project name to the website
- The website passes that name to simple-git
- Simple-git gets tricked into running bad commands
- The attacker now has control over the website's computer [6]
This is called "remote code execution"—the attacker can run commands on a computer without even being in the same building. It's like giving someone the keys to your house through the mail slot [7].
Why This Happened Twice Before
The really concerning part is that this same kind of problem was found and fixed in simple-git in 2022 (CVE-2022-25860 and CVE-2022-25912) [8]. But the fix wasn't complete—attackers found a different way to do the same trick.
It's like patching a hole in a tire, but the patch wasn't big enough. The air is still leaking out, just through a different spot.
What Businesses Need to Do Right Now
1. Check If You Use simple-git
Any business that has programmers or uses web applications should check if they depend on simple-git. Programmers can run a command to see if it's installed in their projects [9].
2. Update to Version 3.23.0 or Newer
If version 3.15.0 through 3.32.2 is installed, update it immediately. This is critical—not something to put off until next week [10].
3. Check Your Dependencies
Your business might not directly use simple-git, but the tools you use might depend on it. It's like your backpack has a pocket, and that pocket has a smaller pocket—you need to check all the layers [11].
4. Set Up Automatic Checks
There are tools that can automatically watch for problems like this and alert you when they're found. It's like having a security guard that checks all your doors and windows every night [12].
The Big Lesson: We All Depend on Each Other's Code
Modern software is built like a tower of blocks. Each block is a piece of code written by someone else. When one block has a crack, the whole tower can wobble [13].
That's why security isn't just about writing good code yourself—it's about making sure all the blocks you use are solid too. When a popular tool like simple-git has a problem, it affects everyone who uses it, even if they wrote perfect code themselves.
FAQ
No, you need to update to the fixed version (3.23.0 or newer). The problem is in how the tool was written, so the people who make simple-git had to fix it and release a new version [14].
If your business has programmers who work with Node.js (a popular programming system), ask them to check if any projects use simple-git. If they're not sure, that's a problem—not knowing what you're using is risky [15].
Not necessarily. The attack comes through normal web traffic—it looks like a regular request until simple-git processes it. Firewalls are like locks on your doors, but this attack uses the doorbell [16].
Programming is complicated, and it's hard to think of every possible way someone might try to trick your code. That's why security updates happen constantly—it's not that the programmers were bad, it's that attackers are always finding new tricks [17].
References
[1] TheHackerWire, "Critical RCE in simple-git (CVE-2026-28292)," TheHackerWire, March 10, 2026. [Online]. Available: https://www.thehackerwire.com/critical-rce-in-simple-git-cve-2026-28292/
[2] npm, "simple-git package," npm, 2026. [Online]. Available: https://www.npmjs.com/package/simple-git
[3] TheHackerWire, "Critical RCE in simple-git," 2026.
[4] CWE, "CWE-78: OS Command Injection," MITRE, 2025. [Online]. Available: https://cwe.mitre.org/data/definitions/78.html
[5] TheHackerWire, "Critical RCE in simple-git," 2026.
[6] OWASP, "Command Injection," OWASP Foundation, 2025. [Online]. Available: https://owasp.org/www-project-command-injection/
[7] CWE, "CWE-78: OS Command Injection," 2025.
[8] TheHackerWire, "Critical RCE in simple-git," 2026.
[9] npm Documentation, "Troubleshooting dependency trees," npm, 2025. [Online]. Available: https://docs.npmjs.com/cli/v9/commands/npm-ls
[10] TheHackerWire, "Critical RCE in simple-git," 2026.
[11] GitHub, "About Dependabot alerts," GitHub, 2025. [Online]. Available: https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
[12] Ibid.
[13] CISA, "Software Supply Chain Security," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/software-supply-chain-security
[14] TheHackerWire, "Critical RCE in simple-git," 2026.
[15] Flashpoint, "Navigating 2026's Converged Threats: Insights from Flashpoint's Global Threat Intelligence Report," Flashpoint, March 11, 2026. [Online]. Available: https://flashpoint.io/blog/global-threat-intelligence-report-2026/
[16] OWASP, "Command Injection," 2025.
[17] Flashpoint, "Navigating 2026's Converged Threats," 2026.
Worried about your software dependencies? Book a free cybersecurity consultation at consult.lil.business—we'll help you understand and secure your code.