MSP Threat Radar Weekly Briefing — Week of 2026-05-11

This week’s briefing tracks 12 recent watch items across 3 vendors, with emphasis on active service incidents and high-priority operational issues.

Published: May 17, 2026

This week's highlights

  • Cisco: Catalyst SD-WAN Manager vulnerability (CVE-2026-20182)
  • Microsoft: Microsoft Exchange Server Cross-Site Scripting Vulnerability
  • Microsoft: Microsoft Authenticator Information Disclosure Vulnerability (CVE-2026-41615)
  • Microsoft: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability (CVE-2026-45495)
  • Palo Alto Networks: PAN-OS: Heap-Based Buffer Overflow in DNS Proxy and DNS Server Allows Unauthenticated Remote Code Execution (CVE-2026-0264)

Top items

Catalyst SD-WAN Manager vulnerability (CVE-2026-20182)

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks.

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s Hunt & Hardening Guidance for Cisco SD-WAN Devices (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available. Review affected assets, prioritize patch validation, and map remediation against managed client inventory.

Microsoft Exchange Server Cross-Site Scripting Vulnerability

Microsoft Exchange Server contains a cross-site scripting vulnerability in web page generation in Outlook Web Access. When certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date: 2026-05-29.

Microsoft Authenticator Information Disclosure Vulnerability (CVE-2026-41615)

Information published.

Customer action is required. Review the Security Update Guide entry, confirm affected Microsoft products, and prioritize patch validation or mitigation.

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability (CVE-2026-45495)

Information published.

Customer action is required. Review the Security Update Guide entry, confirm affected Microsoft products, and prioritize patch validation or mitigation.

PAN-OS: Heap-Based Buffer Overflow in DNS Proxy and DNS Server Allows Unauthenticated Remote Code Execution (CVE-2026-0264)

A buffer overflow vulnerability in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS® Software allows an unauthenticated attacker with network access to cause a denial of service (DoS) condition (all PAN-OS platforms except Cloud NGFW and Prisma Access) or potentially execute arbitrary code by sending specially crafted network traffic (PA-Series hardware only). Panorama, Cloud NGFW, and Prisma® Access are not impacted by this vulnerability.

| Version | Minor version | Suggested solution |
| --- | --- | --- |
| Cloud NGFW | | No action needed |
| PAN-OS 12.1 | 12.1.5 through 12.1.6 | Upgrade to 12.1.7 or later. |
| PAN-OS 12.1 | 12.1.2 through 12.1.4-h* | Upgrade to 12.1.4-h5 or 12.1.7 or later. |
| PAN-OS 11.2 | 11.2.11 or later | Upgrade to 11.2.12 or later. |
| PAN-OS 11.2 | 11.2.8 through 11.2.10-h* | Upgrade to 11.2.10-h6 or 11.2.12 or later. |
| PAN-OS 11.2 | 11.2.5 through 11.2.7-h* | Upgrade to 11.2.7-h13 or 11.2.12 or later. |
| PAN-OS 11.2 | 11.2.0 through 11.2.4-h* | Upgrade to 11.2.4-h17 or 11.2.12 or later. |
| PAN-OS 11.1 | 11.1.14 or later | Upgrade to 11.1.15 or later. |
| PAN-OS 11.1 | 11.1.11 through 11.1.13-h* | Upgrade to 11.1.13-h5 or 11.1.15 or later. |
| PAN-OS 11.1 | 11.1.8 through 11.1.10-h* | Upgrade to 11.1.10-h25 or 11.1.15 or later. |
| PAN-OS 11.1 | 11.1.7 through 11.1.7-h* | Upgrade to 11.1.7-h6 or 11.1.15 or later. |
| PAN-OS 11.1 | 11.1.5 through 11.1.6-h* | Upgrade to 11.1.6-h32 or 11.1.15 or later. |
| PAN-OS 11.1 | 11.1.0 through 11.1.4-h* | Upgrade to 11.1.4-h33 or 11.1.15 or later. |
| PAN-OS 10.2 | 10.2.17 through 10.2.18-h* | Upgrade to 10.2.18-h6 or later. |
| PAN-OS 10.2 | 10.2.14 through 10.2.16-h* | Upgrade to 10.2.16-h7 or 10.2.18-h6 or later. |
| PAN-OS 10.2 | 10.2.11 through 10.2.13-h* | Upgrade to 10.2.13-h21 or 10.2.18-h6 or later. |
| PAN-OS 10.2 | 10.2.8 through 10.2.10-h* | Upgrade to 10.2.10-h36 or 10.2.18-h6 or later. |
| PAN-OS 10.2 | 10.2.0 through 10.2.7-h* | Upgrade to 10.2.7-h34 or 10.2.18-h6 or later. |
| Prisma Access | | No action needed. |
| All older unsupported PAN-OS versions | | Upgrade to a supported fixed version. |
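To map the table above against a managed firewall inventory, the following added example (not part of the original briefing or of any vendor tooling) parses PAN-OS version strings, including `-hN` hotfix suffixes, and returns the upgrade targets the table lists. It looks at version strings only, the inventory names are constructed, and it assumes that a hotfix at or above the listed one on the same maintenance release already carries the fix.

```python
import re

# Transcribed from the table above: train -> (final fixed (maint, hotfix),
# rows of (low maint, high maint, fixed hotfix on high maint or None)).
FIXES = {
    (12, 1): ((7, 0), [(5, 6, None), (2, 4, 5)]),
    (11, 2): ((12, 0), [(11, 11, None), (8, 10, 6), (5, 7, 13), (0, 4, 17)]),
    (11, 1): ((15, 0), [(14, 14, None), (11, 13, 5), (8, 10, 25), (7, 7, 6),
                        (5, 6, 32), (0, 4, 33)]),
    (10, 2): ((18, 6), [(17, 18, 6), (14, 16, 7), (11, 13, 21), (8, 10, 36),
                        (0, 7, 34)]),
}

def parse(version):
    """Split 'X.Y.Z' or 'X.Y.Z-hN' into ((X, Y), Z, N); N is 0 without a hotfix."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    x, y, z, h = (int(g or 0) for g in m.groups())
    return (x, y), z, h

def fmt(train, maint, hotfix):
    base = f"{train[0]}.{train[1]}.{maint}"
    return f"{base}-h{hotfix}" if hotfix else base

def triage(version):
    """Return (status, targets) for one firewall's reported PAN-OS version."""
    train, maint, hotfix = parse(version)
    if train not in FIXES:
        # Assumption: trains below 10.2 fall under the "older unsupported" row.
        return ("unsupported", []) if train < (10, 2) else ("not-listed", [])
    final, rows = FIXES[train]
    if (maint, hotfix) >= final:
        return "fixed", []
    for low, high, fixed_h in rows:
        if low <= maint <= high:
            # Assumption: a hotfix at or above the listed one on the same
            # maintenance release already carries the fix.
            if fixed_h is not None and maint == high and hotfix >= fixed_h:
                return "fixed", []
            targets = [fmt(train, high, fixed_h)] if fixed_h is not None else []
            if fmt(train, *final) not in targets:
                targets.append(fmt(train, *final))
            return "upgrade", targets
    return "not-listed", []  # e.g. 12.1.0 and 12.1.1, which the table omits

# Constructed inventory for illustration (not real client data).
INVENTORY = {"fw-a": "11.1.10-h12", "fw-b": "11.2.10-h6", "fw-c": "10.1.14"}
REPORT = {name: triage(v) for name, v in INVENTORY.items()}
```

A `not-listed` result means the table has no row for that version, so it needs a manual check against the vendor advisory rather than being treated as unaffected.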