MSP Threat Radar Weekly Briefing — Week of 2026-05-25

This week’s briefing tracks 12 recent watch items across 6 vendors, with emphasis on active service incidents and high-priority operational issues.

Top items

Palo Alto Networks PAN-OS Authentication Bypass Vulnerability

• Vendor: Palo Alto Networks
• Published: 2026-05-29
• Status: active
• Source: cisa-kev
• Official advisory: https://security.paloaltonetworks.com/CVE-2026-0257

Palo Alto Networks PAN-OS contains an authentication bypass vulnerability that allows attackers to bypass security restrictions and establish an unauthorized VPN connection.

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date: 2026-06-01.

nx console vulnerability (CVE-2026-48027)

• Vendor: Nx
• Published: 2026-05-27
• Status: active
• Source: nvd
• Official advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-48027

Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (~36 minutes). Version 18.100.0 of Nx Console is not compromised and users may remediate by upgrading to that version.

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Review affected assets, prioritize patch validation, and map remediation against managed client inventory.

Daemon Tools Lite Embedded Malicious Code Vulnerability

• Vendor: Daemon
• Published: 2026-05-27
• Status: active
• Source: cisa-kev
• Official advisory: https://blog.daemon-tools.cc/post/security-incident

Daemon Tools contains an unspecified vulnerability that has a high impact on confidentiality, integrity, and availability.

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date: 2026-05-30.

TanStack Unspecified Vulnerability

• Vendor: Tanstack
• Published: 2026-05-27
• Status: active
• Source: cisa-kev
• Official advisory: https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx

TanStack contains an unspecified vulnerability that allowed malicious versions of the product to be published to the npm registry to publish credential-stealing malware under a trusted identity. Known ransomware use: Known.

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date: 2026-06-10.

LiteSpeed cPanel Plugin Privilege Escalation Vulnerability

• Vendor: Litespeed
• Published: 2026-05-26
• Status: active
• Source: cisa-kev
• Official advisory: https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/

LiteSpeed cPanel Plugin contains privilege escalation vulnerability that is exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with root privileges.

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date: 2026-05-29.