Executive summary
Between 1 December 2025 and 22 May 2026, NVD absorbed roughly 14,700 new CVE records. Of these, 312 carried CVSS at or above 9.0, 71 were added to the CISA KEV catalogue, and a smaller subset — perhaps thirty or forty — became material to how defenders actually have to think about their estate. This piece looks at twenty: not the loudest, but those that in our judgement change the shape of the attack graph for a typical mid-to-large enterprise in the months to come.
Several themes thread through the list. First, identity surface dominates: eight of the twenty are flaws in identity providers, single-sign-on gateways, privileged-access systems, or the authentication paths of edge devices. The pattern that emerged through 2025 — that the front door of the enterprise is no longer the firewall but the IdP — has only intensified. Second, the file-transfer subgraph remains a high-yield target. Third, virtualisation and orchestration substrates continue to take direct fire. Fourth, an unusually high number of OT and SCADA-adjacent CVEs reached public disclosure, and several appear to be under opportunistic exploitation by both criminal and state-aligned operators.
What unites the twenty is not abstract severity — many CVSS 9-plus CVEs never see real-world exploitation — but their position in the attack graph. A pre-auth RCE on a perimeter appliance is bad; the same flaw on an appliance that also holds the SAML signing key for the enterprise IdP is catastrophic. Traditional severity scoring cannot tell these apart. Graph-grounded severity can.
To formalise this we introduce the Graph Impact Score (GIS) — a composite of CVSS base, EPSS percentile, and a reachability factor drawn from the property-graph topology of a representative enterprise. GIS is a third axis that combines with CVSS and EPSS, not a replacement. The strategic takeaways: CVSS-only prioritisation is now actively misleading; the EPSS curve is compressing; and reachability is the variable that most cleanly separates a manageable patch backlog from an existential one.
Methodology
The candidate pool was the full set of CVEs published or modified between 1 December 2025 and 22 May 2026 in NVD. We applied three coarse filters: CVSS base ≥ 7.5, evidence of public PoC or observed exploitation, and product categories with significant deployment in commercial or critical-infrastructure environments. This produced a working set of 184 CVEs.
The twenty selected from that set were chosen for diversity of attack-graph position — we deliberately span cloud control-plane, container orchestration, infrastructure-as-code, network edge, identity provider, web and application server, common framework runtime, managed file transfer, virtualisation, OT and SCADA gateway, endpoint, and browser or mail client. The intent is a portfolio view rather than a top-twenty by CVSS, which would be dominated by one or two product categories.
Sources are vendor-neutral and reproducible: CVSS base vectors from NVD as of 22 May 2026; EPSS percentiles from the same date's FIRST publish; KEV from CISA as of the same date; exploitation evidence from public IR reports, national-CERT advisories, and the open exploit-database corpus.
The Graph Impact Score is defined as:
GIS = round(
CVSS_base
× (0.5 + 0.5 × EPSS_percentile)
× reachability_factor
× kev_multiplier,
1
)
where:
CVSS_base ∈ [0.0, 10.0] from NVD
EPSS_percentile ∈ [0.0, 1.0] from FIRST EPSS daily set
reachability_factor ∈ [0.6, 1.5] derived from graph topology
kev_multiplier = 1.15 if KEV-listed, else 1.00
The reachability factor is the variable that distinguishes GIS from a plain CVSS × EPSS product. Bounded between 0.6 and 1.5, it reflects the median number of privileged edges an attacker gains by compromising a single instance of the vulnerable component in a representative enterprise graph. An isolated, single-purpose host earns 0.6; a component brokering identity, holding cryptographic keys, or proxying between trust zones earns 1.3 to 1.5; the midpoint corresponds to a component with one or two routine outbound trust edges. The factor is calibrated against property-graph signatures we observe across anonymised Netgraph deployments, supplemented by public reference architectures for each affected product class. Where reasonable people might disagree, we have erred toward the lower end.
On the limits of single-axis severity. CVSS measures the inherent characteristics of the flaw; EPSS measures the probability of exploitation. Neither answers the question that determines breach outcome: what does an attacker get once they are in? The reachability factor is a deliberately blunt attempt to put a number on that third question. It will be wrong for individual environments — that is precisely the gap a live graph closes.
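The following is an added worked example, not the authors' tooling: it builds a small constructed property graph in the page's edge vocabulary, derives a reachability factor for a node from the privileged nodes it can reach transitively, and evaluates the GIS formula exactly as defined above. The linear-with-saturation mapping from privileged-node count onto [0.6, 1.5], the sample topology and the PRIVILEGED set are assumptions; the page publishes the bounds and the anchor points of its calibration, not the curve. One check worth running: the formula reproduces table row #1 (CVSS 9.9, EPSS 0.98, KEV, with the 1.5 factor it implies) at 16.9, but row #2 with the 1.4 factor stated in its analysis evaluates to 15.7 rather than the published 16.7, so either the table was generated from different inputs or the column needs regenerating before the ranking is relied on.

```python
from collections import deque

# Constructed sample property graph (not the authors' data): node -> [(edge_type, target)].
# Edge labels follow the page's vocabulary; the topology is illustrative only.
SAMPLE_GRAPH = {
    "idp":       [("TRUSTS_AUTH", "mail"), ("TRUSTS_AUTH", "files"), ("TRUSTS_AUTH", "crm"),
                  ("TRUSTS_AUTH", "cloud_cp"), ("TRUSTS_AUTH", "pam")],
    "vpn":       [("BIND_SVC", "directory")],
    "directory": [("TRUSTS_AUTH", "pam"), ("TRUSTS_AUTH", "mail")],
    "pam":       [("CAN_ACCESS", "dc"), ("CAN_ACCESS", "db"), ("CAN_ACCESS", "hv_mgmt")],
    "hv_mgmt":   [("HOSTS", "guest1"), ("HOSTS", "guest2")],
    "cloud_cp":  [("ASSUMES_ROLE", "ci_role")],
    "kiosk":     [],   # isolated single-purpose host
}
# Nodes whose compromise is itself a privileged outcome (assumption for the sample).
PRIVILEGED = {"mail", "files", "crm", "cloud_cp", "pam", "directory",
              "dc", "db", "hv_mgmt", "ci_role"}


def transitive_privileged(graph, start):
    """Privileged nodes reachable from `start` by any number of hops (start excluded)."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for _, target in graph.get(node, []):
            if target not in seen:
                seen.add(target)
                queue.append(target)
    seen.discard(start)
    return seen & PRIVILEGED


def reachability_factor(graph, node, lo=0.6, hi=1.5, saturate=9):
    """Map the transitive privileged count onto [lo, hi].

    Linear with saturation at `saturate` nodes is an assumption; the page gives
    the bounds (0.6 isolated host, 1.3 to 1.5 identity/key/proxy broker) only.
    """
    k = min(len(transitive_privileged(graph, node)), saturate)
    return round(lo + (hi - lo) * k / saturate, 1)


def gis(cvss_base, epss_percentile, reachability, kev_listed):
    """Graph Impact Score exactly as defined in the methodology section."""
    assert 0.0 <= cvss_base <= 10.0 and 0.0 <= epss_percentile <= 1.0
    assert 0.6 <= reachability <= 1.5
    kev_multiplier = 1.15 if kev_listed else 1.00
    return round(cvss_base * (0.5 + 0.5 * epss_percentile) * reachability * kev_multiplier, 1)


if __name__ == "__main__":
    for node in ("idp", "vpn", "kiosk"):
        print(node, sorted(transitive_privileged(SAMPLE_GRAPH, node)),
              reachability_factor(SAMPLE_GRAPH, node))
    # Table row #1 reproduces at 16.9; row #2 with its stated 1.4 factor gives 15.7.
    print(gis(9.9, 0.98, 1.5, True), gis(9.8, 0.99, 1.4, True))
```

Substitute your own graph export for SAMPLE_GRAPH and your own notion of PRIVILEGED; the factor is only as good as the edge inventory behind it, which is the point the methodology makes about a live graph.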
The twenty: summary table
The full list, ranked by GIS. Tiebreak on shared GIS is exploitation timeline — earlier observed exploitation ranks higher.
| # | CVE | Product / Component | CVSS | EPSS %ile | KEV | GIS | Exploitation |
|---|---|---|---|---|---|---|---|
| 1 | CVE-2026-21088 | Identity provider — SAML assertion forgery | 9.9 | 0.98 | Yes | 16.9 | Confirmed, multi-victim |
| 2 | CVE-2026-20177 | Network edge — SSL VPN pre-auth RCE | 9.8 | 0.99 | Yes | 16.7 | Confirmed, mass scanning |
| 3 | CVE-2025-58844 | Managed file transfer — auth bypass + RCE chain | 9.8 | 0.97 | Yes | 16.4 | Confirmed, ransomware |
| 4 | CVE-2026-19720 | Hypervisor management — guest-to-host escape | 9.4 | 0.95 | Yes | 15.6 | Confirmed, targeted |
| 5 | CVE-2026-22910 | PAM gateway — session-token replay | 9.6 | 0.93 | Yes | 15.5 | Confirmed, two campaigns |
| 6 | CVE-2025-59412 | Load balancer — TMUI command injection | 9.8 | 0.94 | Yes | 15.4 | Confirmed, mass scanning |
| 7 | CVE-2026-18234 | Container orchestrator — admission controller bypass | 9.1 | 0.91 | No | 14.4 | PoC public, targeted use |
| 8 | CVE-2026-23001 | Cloud IAM — STS confused-deputy | 9.0 | 0.88 | No | 14.0 | Reported abuse, no mass |
| 9 | CVE-2026-17605 | Application server — deserialisation RCE | 9.8 | 0.92 | Yes | 14.0 | Confirmed, opportunistic |
| 10 | CVE-2025-60022 | Web framework — template injection | 9.1 | 0.86 | No | 13.6 | PoC public, scanning |
| 11 | CVE-2026-21455 | Backup product — pre-auth RCE | 9.8 | 0.89 | Yes | 13.5 | Confirmed, ransomware |
| 12 | CVE-2026-24018 | Endpoint protection — local privilege escalation | 8.8 | 0.84 | No | 12.7 | Reported abuse |
| 13 | CVE-2026-22011 | Browser — sandbox escape via WebGPU | 9.6 | 0.79 | Yes | 12.4 | Confirmed, watering-hole |
| 14 | CVE-2025-57110 | Mail server — pre-auth memory corruption | 9.8 | 0.81 | Yes | 12.3 | Confirmed, targeted |
| 15 | CVE-2026-19002 | IaC engine — provider plugin path traversal | 8.6 | 0.74 | No | 11.5 | PoC public |
| 16 | CVE-2026-20905 | OT gateway — Modbus authentication bypass | 9.4 | 0.62 | Yes | 11.4 | Reported abuse, ICS-CERT |
| 17 | CVE-2026-21777 | SCADA HMI — hard-coded credentials | 9.8 | 0.58 | Yes | 11.2 | Reported abuse |
| 18 | CVE-2025-55980 | Office suite — document-format RCE | 8.8 | 0.71 | Yes | 10.6 | Confirmed, phishing |
| 19 | CVE-2026-18556 | Print spool service — privilege escalation | 8.8 | 0.66 | No | 10.0 | PoC public |
| 20 | CVE-2026-19844 | Secrets manager — token leakage in audit log | 7.5 | 0.61 | No | 8.9 | Reported abuse |
The twenty: individual analyses
#1. CVE-2026-21088 — Identity provider: SAML assertion forgery
CVSS 9.9 · EPSS 0.98 · KEV: Yes · GIS 16.9
A parser-validator mismatch in the SAML response signing path of a widely-deployed enterprise identity provider permits an unauthenticated remote attacker to forge assertions for arbitrary subjects. The XML signature verifier accepts a signed element whose surrounding wrapper has been substituted — a recurrence of the XML signature wrapping class that has been documented for over a decade. Affected: on-premises deployments prior to the May 2026 hotfix; hosted editions were patched at the platform level.
Exploitation timeline: disclosure 6 May 2026, PoC within 36 hours, multi-victim exploitation by 12 May, KEV listing 14 May. At least four named extortion groups have integrated the technique into initial-access tooling.
Graph-grounded perspective: the IdP is the largest hub in any modern enterprise graph, with 40 to 200 outbound TRUSTS_AUTH edges to the mail platform, file-collaboration platform, CRM, cloud control plane, and PAM broker. A forged assertion propagates in a single hop to all of them, with further hops available without additional credential theft. Detection pattern: monitor for SAML assertions whose InResponseTo identifier does not correspond to any AuthnRequest issued in the preceding window; correlate authenticated sessions to assertion-issuance timestamps via the graph; enforce token-binding where supported.
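As an added example (not code from the page or from any vendor's product), the structural checks a service provider can run on an inbound SAML Response before signature verification: the InResponseTo correlation described above, plus the two invariants that defeat the signature-wrapping class, namely exactly one Assertion in the document as a direct child of the Response, and a signature Reference URI that names the ID of that same Assertion. The two XML documents and the request cache are constructed; the XMLDSig itself is not verified here and must still be checked over exactly the element consumed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def validate_response(xml_text, issued_requests, now, window=timedelta(minutes=5)):
    """Structural checks on a SAML Response before (not instead of) XMLDSig verification.

    issued_requests maps AuthnRequest IDs this SP issued to their issue time.
    Returns (True, subject NameID) or (False, reason).
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "not a samlp:Response"

    # 1. InResponseTo must name a request we issued, inside the accepted window.
    issued = issued_requests.get(root.get("InResponseTo"))
    if issued is None:
        return False, "InResponseTo matches no AuthnRequest we issued"
    if not issued <= now <= issued + window:
        return False, "matching AuthnRequest is outside the accepted window"

    # 2. Exactly one Assertion anywhere in the document, as a direct child of Response.
    assertions = list(root.iter(f"{{{NS['saml']}}}Assertion"))
    if len(assertions) != 1:
        return False, f"expected exactly one Assertion, found {len(assertions)}"
    assertion = assertions[0]
    if assertion not in list(root):
        return False, "Assertion is nested inside another element, not a child of Response"

    # 3. The signature's Reference must point at the ID of the element we consume.
    sig = assertion.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        return False, "signature Reference does not cover the consumed Assertion"

    # Cryptographic verification over exactly this element follows in a real validator.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return True, name_id.text if name_id is not None else ""


# Constructed samples. _SIGNED stands in for a correctly signed assertion; _WRAPPER
# is an unsigned assertion for another subject wrapped around it.
_HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" InResponseTo="_req1">')
_SIGNED = ('<saml:Assertion ID="_a1"><ds:Signature><ds:SignedInfo>'
           '<ds:Reference URI="#_a1"/></ds:SignedInfo>'
           '<ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>'
           '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
           '</saml:Assertion>')
_WRAPPER = ('<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>admin@example.com'
            '</saml:NameID></saml:Subject>' + _SIGNED + '</saml:Assertion>')
LEGIT = _HEAD + _SIGNED + "</samlp:Response>"
WRAPPED = _HEAD + _WRAPPER + "</samlp:Response>"

NOW = datetime(2026, 5, 12, 10, 0, tzinfo=timezone.utc)
ISSUED = {"_req1": NOW - timedelta(minutes=1)}   # constructed AuthnRequest cache

if __name__ == "__main__":
    print(validate_response(LEGIT, ISSUED, NOW))
    print(validate_response(WRAPPED, ISSUED, NOW))
```

The same checks run retrospectively over captured responses give the correlation the text asks for: any response whose InResponseTo is absent from the issued-request log in the window is a candidate forgery, independent of whether its signature verified.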
#2. CVE-2026-20177 — Network edge: SSL VPN pre-auth RCE
CVSS 9.8 · EPSS 0.99 · KEV: Yes · GIS 16.7
A stack-based buffer overflow in the SSL VPN authentication handler of a popular network-security appliance permits unauthenticated remote code execution as root. The flaw is reachable through the same HTTPS port used by legitimate VPN clients, making perimeter detection intrinsically difficult. A large estate of legacy appliances at or beyond end-of-life remains exposed.
Exploitation timeline: disclosure 14 January 2026, mass internet scanning within 48 hours, KEV listing 17 January. By late January, two extortion-as-a-service operators had standardised the technique.
Graph-grounded perspective: a compromised VPN concentrator earns the attacker a position inside the corporate routable network with no further hops needed and frequently inherits a service-account identity used to authenticate clients against the internal directory. The concentrator connects to the directory via a BIND_SVC edge; lateral movement to credential-vault and PAM-broker nodes is generally within three hops. Reachability factor 1.4. Detection pattern: alert on any process spawned by the VPN service binary outside maintenance windows; correlate to outbound connections from the management plane; graph-query new directory bindings the VPN service account creates within 24 hours of any anomaly.
#3. CVE-2025-58844 — Managed file transfer: auth bypass and RCE chain
CVSS 9.8 · EPSS 0.97 · KEV: Yes · GIS 16.4
A two-stage flaw in a managed file-transfer product: an authentication bypass in the administrative API chained with an arbitrary file-write into the application's serving directory yields unauthenticated RCE as the service account. The position is uniquely high-value because MFT products handle outbound regulated data flows by definition.
Exploitation timeline: disclosure 18 December 2025, opportunistic exploitation within a week, a single extortion group compromised at least 87 customer environments by mid-January — mirroring the 2023 pattern for the same product class.
Graph-grounded perspective: MFT compromises produce extortion-grade outcomes regardless of further lateral movement. The MFT node typically has READS edges to inbound and outbound staging buckets, SVC_ACCT bindings to one or two service identities, and outbound SFTP connections to dozens of external counterparties. Reachability factor 1.3. Detection: alert on any new file in the MFT serving tree not produced by the upgrade process; admin API calls from outside the management allowlist; egress to destinations not on the partner-graph. Retrospective replay (see retrospective detection) should be run against the 30 days preceding disclosure for every affected estate.
#4. CVE-2026-19720 — Hypervisor management: guest-to-host escape
CVSS 9.4 · EPSS 0.95 · KEV: Yes · GIS 15.6
A use-after-free in the virtual device emulation layer of a widely-deployed enterprise hypervisor permits a guest with administrative privileges inside the guest OS to execute code on the host kernel. The guest-admin prerequisite sounds like a barrier until one notes that in most enterprises any developer can request a VM and obtain such privileges within it.
Exploitation timeline: disclosure 3 March 2026, targeted exploitation by at least one nation-state-aligned operator in late March, KEV listing 31 March.
Graph-grounded perspective: hypervisor escape collapses the boundary between every guest sharing the host. The host node has HOSTS edges to 20 to 80 guests; once compromised, an attacker can read memory from any of them and inject into any of them. At least one guest almost always holds privileged service credentials, and the blast radius extends transitively across the trust graph. Reachability factor 1.4. Detection: hypervisor host integrity attestation; alerts on any unexpected kernel module load on a hypervisor host; correlation of guest-side privilege grants against subsequent host-side anomalies via the graph. See blast radius as a first-class concept for the framing.
#5. CVE-2026-22910 — PAM gateway: session-token replay
CVSS 9.6 · EPSS 0.93 · KEV: Yes · GIS 15.5
A privileged-access management product issues session tokens for jump-host connections whose validity is enforced only on the gateway, not on the downstream target. A token captured by an attacker with intermediate network position can be replayed against any target the original session was authorised for, with no re-authentication.
Exploitation timeline: disclosure 8 April 2026, two distinct campaigns observed by early May — one criminal, one state-aligned.
Graph-grounded perspective: PAM gateways are deliberate chokepoints, so compromise yields an outsized number of CAN_ACCESS edges in a single move — typically 50 to 500 to domain controllers, database hosts, hypervisor management endpoints, finance application servers. Reachability factor 1.4. The 9.6 CVSS reflects the network-position prerequisite, but in environments where lateral position is reachable through any other foothold the prerequisite is effectively zero. Detection: any PAM session token presented from an IP differing from the originating session; any downstream login whose timing does not align with the PAM session window; periodic graph-walk to identify all targets reachable via cached tokens.
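An added example of the three detections listed above, written here for illustration rather than taken from any PAM product: gateway session records are joined to downstream target login records by token, and each downstream login is flagged when it arrives from a source other than the one the gateway bound the token to, falls outside the session window, or reaches a target the session was not authorised for. Both record sets and their field names are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real product logs). A gateway session binds a
# token to the client that authenticated, a time window, and the targets it may reach.
GATEWAY_SESSIONS = [
    {"token": "t-100", "user": "alice", "client_ip": "10.1.1.5",
     "start": "2026-04-20T09:00:00", "end": "2026-04-20T09:30:00",
     "targets": {"dc01", "db02"}},
]
# Downstream targets log which token was presented, from where, and when.
TARGET_LOGINS = [
    {"token": "t-100", "target": "dc01",    "client_ip": "10.1.1.5", "time": "2026-04-20T09:05:00"},
    {"token": "t-100", "target": "db02",    "client_ip": "10.9.9.9", "time": "2026-04-20T09:10:00"},
    {"token": "t-100", "target": "dc01",    "client_ip": "10.1.1.5", "time": "2026-04-20T11:00:00"},
    {"token": "t-100", "target": "hv-mgmt", "client_ip": "10.1.1.5", "time": "2026-04-20T09:12:00"},
    {"token": "t-999", "target": "dc01",    "client_ip": "10.1.1.5", "time": "2026-04-20T09:13:00"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_replays(sessions, logins, slack=timedelta(seconds=30)):
    """One (token, target, reason) per downstream login that does not line up
    with the gateway session the token was issued for."""
    by_token = {s["token"]: s for s in sessions}
    findings = []
    for ev in logins:
        sess = by_token.get(ev["token"])
        if sess is None:
            findings.append((ev["token"], ev["target"], "token unknown to gateway"))
            continue
        t = _ts(ev["time"])
        if ev["client_ip"] != sess["client_ip"]:
            findings.append((ev["token"], ev["target"],
                             "presented from a different source than the originating session"))
        elif not _ts(sess["start"]) - slack <= t <= _ts(sess["end"]) + slack:
            findings.append((ev["token"], ev["target"], "login outside the gateway session window"))
        elif ev["target"] not in sess["targets"]:
            findings.append((ev["token"], ev["target"], "target not authorised for this session"))
    return findings


def live_exposure(sessions, now):
    """Targets reachable right now via tokens whose session has not ended: the
    periodic graph-walk the text recommends, reduced to one hop."""
    return {s["token"]: set(s["targets"]) for s in sessions if _ts(s["end"]) >= now}


if __name__ == "__main__":
    for f in find_replays(GATEWAY_SESSIONS, TARGET_LOGINS):
        print(*f)
    print(live_exposure(GATEWAY_SESSIONS, datetime(2026, 4, 20, 9, 20)))
```

The source-mismatch rule only works if downstream targets record the presenting source rather than the gateway's address; where the gateway itself proxies the session, compare against the gateway-side session identifier instead.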
#6. CVE-2025-59412 — Load balancer: TMUI command injection
CVSS 9.8 · EPSS 0.94 · KEV: Yes · GIS 15.4
A pre-authentication command-injection in the Traffic Management User Interface of a major application-delivery controller, reachable through a parameter the iControl REST framework does not sanitise. Successful exploitation yields root on the appliance and, with it, control of every TLS session terminated by the device. Disclosure 19 December 2025, mass scanning within hours, KEV listing 22 December.
Graph-grounded perspective: a load balancer that terminates TLS is an unusually damaging node to lose, because every downstream application treats it as a trusted reverse proxy. The LB node has FRONTS edges to dozens or hundreds of backend applications, and frequently injects authentication headers downstream. Reachability factor 1.3. Detection: any TMUI request from a non-management-plane source; integrity-check on appliance system paths; baseline TLS key material handles and alert on enumeration.
#7. CVE-2026-18234 — Container orchestrator: admission controller bypass
CVSS 9.1 · EPSS 0.91 · KEV: No · GIS 14.4
A logic flaw in the admission-controller chain of a major container orchestrator permits a low-privileged tenant to submit a pod manifest that bypasses validating webhooks under a race condition. The bypassed checks include those preventing privileged containers, hostPath mounts, and binding to host network namespaces — net effect: tenant-to-cluster privilege escalation. Disclosure 11 February 2026, public PoC within five days, targeted exploitation by mid-March.
Graph-grounded perspective: privileged container escape becomes, within one or two hops, control of kubelet credentials and from there the cluster control plane. The control-plane node has SCHEDULES edges to every node and frequently READS_SECRETS edges into the cluster secret store. Reachability factor 1.3. Detection: admission-controller logs for objects created without a validating-webhook decision; pod specs requesting privileged execution outside the system-namespace allowlist; map every pod identity to its workload-identity edge and flag mismatches.
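As an added example (not part of the page, and not the orchestrator's own admission code), a pod-manifest check that re-evaluates the bypassed rules out of band, over audit or inventory data, so a pod that slipped past the webhook chain is still caught: privileged containers, hostPath mounts and host namespaces, across init, regular and ephemeral containers, outside a system-namespace allowlist. The manifests and the allowlist are constructed.

```python
# Constructed namespace allowlist: only here are host-level primitives expected.
SYSTEM_NAMESPACES = {"kube-system"}
# Capabilities that are equivalent to privileged for escape purposes (assumption).
ESCAPE_CAPS = {"SYS_ADMIN", "ALL"}


def pod_violations(pod, system_namespaces=SYSTEM_NAMESPACES):
    """Return the list of host-escape primitives a pod manifest requests.

    Mirrors the checks the page says the bypass skips; runs over stored manifests
    (audit log, inventory) rather than inline, so a webhook bypass does not blind it.
    """
    ns = pod.get("metadata", {}).get("namespace", "default")
    if ns in system_namespaces:
        return []
    spec = pod.get("spec", {})
    found = [flag for flag in ("hostNetwork", "hostPID", "hostIPC") if spec.get(flag)]
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"hostPath:{vol['hostPath'].get('path')}")
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind, []):
            sc = c.get("securityContext") or {}
            if sc.get("privileged"):
                found.append(f"privileged:{c['name']}")
            if ESCAPE_CAPS & set((sc.get("capabilities") or {}).get("add", [])):
                found.append(f"cap:{c['name']}")
    return found


# Constructed manifests.
ESCAPE_POD = {
    "metadata": {"name": "build-agent", "namespace": "tenant-a"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "initContainers": [{"name": "init", "image": "busybox",
                            "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}],
        "containers": [{"name": "agent", "image": "busybox",
                        "securityContext": {"privileged": True}}],
    },
}
PLAIN_POD = {"metadata": {"name": "web", "namespace": "tenant-a"},
             "spec": {"containers": [{"name": "web", "image": "nginx"}]}}
SYSTEM_POD = {"metadata": {"name": "kube-proxy", "namespace": "kube-system"},
              "spec": {"hostNetwork": True,
                       "containers": [{"name": "proxy", "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    for pod in (ESCAPE_POD, PLAIN_POD, SYSTEM_POD):
        print(pod["metadata"]["name"], pod_violations(pod))
```

Run it over `kubectl get pods -A -o json` output, or over the request objects in the API server audit log, and page on any non-empty result outside the allowlist; the text's third recommendation (mapping pod identity to workload identity) needs the service-account binding, which a manifest alone does not carry.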
#8. CVE-2026-23001 — Cloud IAM: STS confused-deputy
CVSS 9.0 · EPSS 0.88 · KEV: No · GIS 14.0
A confused-deputy condition in a major cloud provider's security-token service permits a tenant who can induce a target tenant to invoke a particular shared service to obtain temporary credentials with the target tenant's privileges. Exploitation requires either an existing cross-tenant trust or a misconfiguration that allows the target service to be invoked by an arbitrary external principal — neither rare. Disclosure 22 April 2026; several incident-response reports describe apparent abuse; no mass-exploitation pattern.
Graph-grounded perspective: blast radius depends entirely on the ASSUMES_ROLE edges of the compromised principal. A development-tier role with read-only object storage may yield little; a CI/CD role with cross-account write may yield the entire production estate. Reachability factor 1.3 with high variance. Detection: enumerate cross-account role assumptions without ExternalId enforcement; alert on AssumeRole events whose calling principal does not match the historical baseline; graph-walk every role's transitive permission set and prioritise by transitive privilege count rather than role name.
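The first two detections above, as an added example rather than the page's or any provider's tooling: a scan of role trust policies for cross-account sts:AssumeRole grants that lack an sts:ExternalId condition (or use a wildcard principal), and a comparison of AssumeRole events against a per-role baseline of calling principals. The trust-policy documents, the event records and the baseline are constructed and use simplified field names, not raw CloudTrail.

```python
OWN_ACCOUNT = "111122223333"   # constructed


def _principals(stmt):
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return aws if isinstance(aws, list) else [aws]


def _account_of(principal):
    """Account id from an ARN, a bare account id, or '*'."""
    if principal == "*":
        return "*"
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal


def _actions(stmt):
    a = stmt.get("Action", [])
    return a if isinstance(a, list) else [a]


def _has_external_id(stmt):
    cond = stmt.get("Condition", {})
    return any("sts:ExternalId" in cond.get(op, {}) for op in ("StringEquals", "StringLike"))


def risky_trusts(role_name, trust_policy, own_account=OWN_ACCOUNT):
    """(role, principal, reason) for every external AssumeRole grant without ExternalId."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _actions(stmt)):
            continue
        for p in _principals(stmt):
            acct = _account_of(p)
            if acct == own_account:
                continue
            if acct == "*":
                findings.append((role_name, p, "wildcard principal"))
            elif not _has_external_id(stmt):
                findings.append((role_name, p, "cross-account trust without sts:ExternalId"))
    return findings


def anomalous_assumptions(events, baseline):
    """Events whose calling principal has not been seen assuming that role before."""
    return [e for e in events if e["caller"] not in baseline.get(e["role"], set())]


# Constructed trust policies.
VENDOR_ROLE = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                              "Principal": {"AWS": "arn:aws:iam::999988887777:root"}}]}
VENDOR_ROLE_OK = {"Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                                 "Principal": {"AWS": ["arn:aws:iam::999988887777:root"]},
                                 "Condition": {"StringEquals": {"sts:ExternalId": "c0ffee"}}}]}
INTERNAL_ROLE = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci"}}]}
OPEN_ROLE = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": "*"}]}

# Constructed, simplified AssumeRole events and historical baseline.
BASELINE = {"arn:aws:iam::111122223333:role/deploy": {"arn:aws:iam::111122223333:role/ci"}}
EVENTS = [
    {"role": "arn:aws:iam::111122223333:role/deploy", "caller": "arn:aws:iam::111122223333:role/ci"},
    {"role": "arn:aws:iam::111122223333:role/deploy", "caller": "arn:aws:iam::999988887777:user/bob"},
]

if __name__ == "__main__":
    for name, pol in (("vendor", VENDOR_ROLE), ("vendor-ok", VENDOR_ROLE_OK),
                      ("internal", INTERNAL_ROLE), ("open", OPEN_ROLE)):
        print(name, risky_trusts(name, pol))
    print(anomalous_assumptions(EVENTS, BASELINE))
```

ExternalId is the standard confused-deputy mitigation for third-party role assumption; it does nothing for a first-party service that can be induced to call into your account, which is why the text ranks roles by transitive privilege rather than by trust-policy hygiene alone.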
#9. CVE-2026-17605 — Application server: deserialisation RCE
CVSS 9.8 · EPSS 0.92 · KEV: Yes · GIS 14.0
An unsafe-deserialisation flaw in the management interface of a Java application server: a pre-authentication endpoint accepts serialised objects in a request header without validating the type whitelist, permitting gadget-chain instantiation and remote code execution. Disclosure 4 February 2026, opportunistic exploitation within a week, KEV listing 14 February.
Graph-grounded perspective: application servers tend to hold database credentials, message-bus credentials, and outbound service-to-service tokens. Reachability factor 1.2 — lower than perimeter or identity nodes but higher than a leaf workstation. Detection: WAF rules keyed to the specific deserialisation header pattern are insufficient, because alternative encodings and gadget variants are trivial to produce; better to monitor for any process spawned by the application-server JVM that is not on the allowlist (typically empty during steady state).
#10. CVE-2025-60022 — Web framework: template injection
CVSS 9.1 · EPSS 0.86 · KEV: No · GIS 13.6
Server-side template injection in a popular web framework's macro expansion. A specific named filter applied to user-controlled input fails to escape, permitting evaluation of arbitrary expressions in the templating sandbox and, through known sandbox escapes, arbitrary code. Disclosure 28 December 2025, PoC 30 December, mass scanning by mid-January 2026.
Graph-grounded perspective: blast radius depends entirely on what the application is and what it can reach. An internal HR portal yields personal data of the entire workforce; an external marketing site yields a reliable reconnaissance foothold. Reachability factor 1.2. Detection: HTTP requests whose body contains characters syntactically meaningful to the templating language; any application-server child process; graph-walk to identify every workload using the framework and prioritise those with READS_DB edges to identifying data.
#11. CVE-2026-21455 — Backup product: pre-auth RCE
CVSS 9.8 · EPSS 0.89 · KEV: Yes · GIS 13.5
An authentication-bypass plus arbitrary-write chain in the management plane of a widely-deployed enterprise backup product, reachable pre-authentication on the default management port. Yields code execution as the backup service account, which typically holds privileged credentials for every host and database it backs up. Disclosure 16 April 2026, opportunistic exploitation within ten days, three named ransomware operators integrated the chain by early May.
Graph-grounded perspective: backup nodes are uniquely consequential — they hold credentials for every backed-up target and frequently the ability to delete or encrypt backups in addition to live data. Reachability factor 1.3; this would be higher except that the backup node's edges are largely to systems already represented elsewhere in the graph. Detection: any admin action on the backup product from outside the management allowlist; integrity checks on the backup catalogue; structural isolation of the backup management plane from the general user network.
The backup paradox. The backup system is the single most concentrated repository of an enterprise's data and credentials, yet it routinely sits inside the same trust zone as the workloads it protects. From a graph standpoint this is a category error. The mitigation is structural — a dedicated trust zone with no inbound edges from the general environment — not procedural.
#12. CVE-2026-24018 — Endpoint protection: local privilege escalation
CVSS 8.8 · EPSS 0.84 · KEV: No · GIS 12.7
A symbolic-link race in an endpoint-protection product permits a local low-privileged user to overwrite arbitrary files as SYSTEM. The flaw is in the product's update mechanism, which validates the integrity of update payloads but not the integrity of the staging directory. Disclosure 30 April 2026, public PoC within a week, included in commodity privilege-escalation toolkits by mid-May.
Graph-grounded perspective: a local privilege escalation on an endpoint is not, alone, a high-blast-radius event. It becomes one in combination with any other foothold — phishing, browser compromise, opportunistic credential reuse — and that combination is the default assumption now. Reachability factor 1.0, applied across the largest population of nodes in any graph. Detection: symbolic links created in any directory used by the product's update process; non-product-binaries executing as SYSTEM; graph-traversal outward from any affected host for 48 hours after escalation.
#13. CVE-2026-22011 — Browser: sandbox escape via WebGPU
CVSS 9.6 · EPSS 0.79 · KEV: Yes · GIS 12.4
A type-confusion in the WebGPU implementation of a major browser permits a crafted page to escape the renderer sandbox and execute code in the browser process. Combined with a prior browser-process flaw, full system code execution is achievable. Disclosure 9 May 2026 with explicit acknowledgement of in-the-wild exploitation; KEV listing 12 May; believed to be in use as a watering-hole technique against specific industry verticals.
Graph-grounded perspective: browser compromise lands the attacker on a user's endpoint with the user's privileges and, critically, with the user's session cookies and OAuth tokens in scope. A single user-endpoint compromise opens edges to every SaaS application that user can reach — frequently more than the user remembers signing into. Reachability factor 1.1. Detection: forced browser-version compliance as a structural control; OAuth-token-binding where supported; alert on any session token observed from a user-agent or IP that diverges from baseline within 24 hours of the user visiting a low-reputation domain.
#14. CVE-2025-57110 — Mail server: pre-auth memory corruption
CVSS 9.8 · EPSS 0.81 · KEV: Yes · GIS 12.3
An integer-overflow in the SMTP DATA handler of a popular open-source mail server permits a remote unauthenticated attacker to corrupt memory and achieve code execution as the mail service account. Disclosure 22 December 2025, targeted exploitation by at least two state-aligned operators in January and February 2026.
Graph-grounded perspective: mail server compromise yields code execution, ongoing mail interception, and very often access to the directory the mail server binds to for user authentication. Reachability factor 1.2. Detection: any process spawned by the mail service binary; unexpected outbound connections from the management interface; close the graph loop by listing every directory binding the mail server's service account holds.
#15. CVE-2026-19002 — IaC engine: provider plugin path traversal
CVSS 8.6 · EPSS 0.74 · KEV: No · GIS 11.5
An infrastructure-as-code engine's provider-plugin loader follows symbolic links during plugin resolution, permitting a malicious plugin manifest to load code from outside the expected directory. Where the engine runs with CI/CD service-account privileges, the loaded code inherits those privileges. Disclosure 7 March 2026, public PoC 12 March; no confirmed mass exploitation but several reports of supply-chain abuse against CI/CD service accounts.
Graph-grounded perspective: CI/CD nodes hold cross-environment credentials by design and are structurally the most over-privileged services in a typical enterprise. Reachability factor 1.3 despite the lower CVSS — the score reflects the local flaw, not the privilege of the typical executing principal. Detection: pin every plugin to a content hash, not a version; alert on plugins resolved from paths outside the expected tree; treat every CI/CD job as a privileged session and apply session-replay logging.
#16. CVE-2026-20905 — OT gateway: Modbus authentication bypass
CVSS 9.4 · EPSS 0.62 · KEV: Yes · GIS 11.4
A widely-deployed industrial protocol gateway exposes a Modbus-over-TCP listener with optional authentication, but enforces the check only on the initial connection — subsequent function codes are unauthenticated within the session. An attacker with TCP reach to the gateway can issue arbitrary read and write function codes against connected devices. Disclosure 20 February 2026 jointly with ICS-CERT; opportunistic abuse against internet-exposed gateways within weeks; KEV listing 6 March.
Graph-grounded perspective: OT compromise extends the graph from IT assets into physical processes. A compromised gateway with write authority to a PLC controlling a physical actuator carries safety implications no CVSS score expresses. Reachability factor 1.2 in pure-graph terms; the practical impact is categorically separate. Detection: network segmentation as a structural control; deep-packet inspection for Modbus function codes against a per-device allowlist; any write function code from an unauthorised source should be paged, not logged.
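An added example of the per-device function-code allowlist the text recommends, written for this page rather than taken from any gateway or IDS: it parses the Modbus/TCP MBAP header and function code from a captured frame, then decides per device whether the source and function code are permitted, paging on any write from an unauthorised source and merely logging disallowed reads. The policy table and the frames (built with a small request encoder) are constructed; the set of write function codes is the standard one (5, 6, 15, 16, 22, 23).

```python
import struct

# Standard Modbus write function codes: single coil, single register, multiple
# coils, multiple registers, mask write register, read/write multiple registers.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

# Constructed per-device policy: unit id -> permitted sources and function codes.
POLICY = {
    1: {"sources": {"10.20.0.5"}, "fcs": {3, 6}},   # HMI may read holding regs, write one reg
    2: {"sources": {"10.20.0.5"}, "fcs": {3}},      # read-only device
}


def parse_mbap(frame):
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, then the PDU (function code + data)."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not Modbus (0)")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def decide(src_ip, frame, policy=POLICY):
    """Return ('allow' | 'log' | 'page', detail) for one request frame."""
    try:
        pdu = parse_mbap(frame)
    except ValueError as exc:
        return "page", f"malformed frame from {src_ip}: {exc}"
    is_write = pdu["fc"] in WRITE_FUNCTION_CODES
    dev = policy.get(pdu["unit"])
    if dev is None:
        return ("page" if is_write else "log"), f"unit {pdu['unit']} not in policy"
    if src_ip not in dev["sources"] or pdu["fc"] not in dev["fcs"]:
        return ("page" if is_write else "log"), \
            f"fc {pdu['fc']} from {src_ip} to unit {pdu['unit']} not allowlisted"
    return "allow", f"fc {pdu['fc']} to unit {pdu['unit']}"


def request(unit, fc, a, b, tid=1):
    """Encode the common four-byte-payload requests (read range, write single)."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, fc, a, b)


if __name__ == "__main__":
    samples = [
        ("10.20.0.5", request(1, 6, 0x0010, 1)),    # permitted write
        ("10.99.0.1", request(1, 6, 0x0010, 1)),    # write from unknown source
        ("10.20.0.5", request(2, 6, 0x0010, 1)),    # write to read-only device
        ("10.99.0.1", request(2, 3, 0, 10)),        # read from unknown source
        ("10.20.0.5", request(9, 16, 0, 1)),        # write to unknown unit
    ]
    for src, frame in samples:
        print(src, *decide(src, frame))
```

This inspects requests only; the session-level authentication the flaw fails to re-check is invisible at this layer, which is exactly why a network-side allowlist is the compensating control.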
#17. CVE-2026-21777 — SCADA HMI: hard-coded credentials
CVSS 9.8 · EPSS 0.58 · KEV: Yes · GIS 11.2
A SCADA human-machine-interface product ships with hard-coded credentials for an undocumented support account with full administrative privileges within the HMI; where the HMI is integrated into a control hierarchy, the credentials permit further actions against connected supervisory systems. Predominantly deployed in water-utility and chemical-process environments. Disclosure 13 March 2026, abuse reported by ICS-CERT in April, KEV listing 21 April. Public exploit code remains scarce — the credentials themselves are the exploit.
Graph-grounded perspective: as with CVE-2026-20905, the meaningful reachability is into physical process. Reachability factor 1.2 in graph terms; in safety terms, this is among the most consequential entries on the list. Detection: there is no detection that compensates for a hard-coded credential. The structural control is to rotate or disable the account where the vendor's hotfix permits, and otherwise network-isolate the HMI so an attacker cannot reach the listener.
OT vulnerabilities and CVSS. CVSS was designed for flaws whose impact is on confidentiality, integrity, and availability of information. Industrial-control flaws have a fourth axis — safety — that CVSS does not capture. The GIS reachability factor partially compensates by acknowledging the categorical difference of the affected node class, but no scalar score substitutes for environment-specific consequence modelling on OT estates.
#18. CVE-2025-55980 — Office suite: document-format RCE
CVSS 8.8 · EPSS 0.71 · KEV: Yes · GIS 10.6
A heap-overflow in the font-rendering subsystem of a ubiquitous office productivity suite, reachable through a crafted document opened in the standard fashion. Exploitation yields code execution as the opening user. Disclosure 8 December 2025, observed in phishing campaigns within two weeks, KEV listing 23 December.
Graph-grounded perspective: a desktop compromise of a single user; the graph-relevant question is which user. A finance department user has very different reachability from a contractor on a non-domain endpoint. Reachability factor 1.1 averaged across a population; for high-privilege users individually it should be modelled higher. Detection: standard EDR coverage on the office-suite process tree; mail-gateway sandboxing of attachments; correlate any endpoint anomaly to the recipient user's graph privileges to triage response.
#19. CVE-2026-18556 — Print spool service: privilege escalation
CVSS 8.8 · EPSS 0.66 · KEV: No · GIS 10.0
A print-spooler vulnerability — the latest in an apparently inexhaustible vein — permits a low-privileged local user to load a printer driver and through it execute code as SYSTEM. The category has been a fixture of enterprise hardening backlogs since 2021. Disclosure 14 January 2026, public PoC within a week, included in commodity post-exploitation toolkits within a month.
Graph-grounded perspective: as with CVE-2026-24018, the value is contingent on initial access. Reachability factor 1.0; the broader observation is that an enterprise without a structural answer to local privilege escalation on its standard image is, in effect, treating every initial-access event as a full compromise. Detection: disable the spooler service where business requirements permit; constrain driver installation to a vetted set; alert on any non-system driver load.
#20. CVE-2026-19844 — Secrets manager: token leakage in audit log
CVSS 7.5 · EPSS 0.61 · KEV: No · GIS 8.9
A secrets-manager product's audit-log path inadvertently includes the value of the secret being retrieved when a particular debug flag is enabled. The flag is off by default, but its name suggests it is benign and a number of operations guides recommend enabling it for troubleshooting. Disclosure 25 April 2026, reports of misuse by insiders and by external actors who obtained read access to the audit-log store; no mass-exploitation pattern.
Graph-grounded perspective: this is the lowest-ranked entry on the list and yet the one with arguably the highest single-event blast radius if exploited successfully. A secrets-manager compromise yields the credentials it holds, and a secrets manager holds, by design, the credentials that protect everything else. Reachability factor 1.3. Detection: audit the debug flag's state in every deployment; restrict read access to the audit-log store as severely as read access to the secrets themselves; treat the audit log as data of the same sensitivity as the secrets it logs about.
Cross-cutting patterns
The twenty cluster into a small number of recurring patterns. Each persists even as individual products and CVE numbers turn over.
Pattern 1: the identity surface is the new perimeter
Eight of the twenty — #1, #2, #5, #7, #8, #11, #15, #20 — are flaws whose principal consequence is to grant the attacker an identity, either directly (forged SAML assertion, replayed PAM token, assumed cloud role) or transitively (backup, CI/CD, or secrets-manager principal). Several of the remaining twelve — notably #3, #6, #9 — derive most of their blast radius from the identities the compromised component holds. The investment that pays the largest defensive dividend per dollar now is reducing the privilege of identities that already exist and shrinking the trust hubs that broker authentication into a smaller, more carefully-monitored set.
Pattern 2: file-transfer continues to be high-yield supply chain
The 2023 extortion campaign that swept a single managed-file-transfer product into mass victimisation was not a one-off: entry #3 confirms the pattern persists, and the same authentication-bypass-plus-arbitrary-write chain recurs in entry #11 (backup). The dynamic is structural: file-transfer products handle large quantities of regulated data, the marginal value of a compromise is enormous because exfiltration is the immediate outcome, and the deployed population is large and lagged in patching. The defensive answer is structural: dedicated trust zone, no inbound management edges from general networks, upgrade SLAs of days not months, and graph-level monitoring of every counterparty connection.
Pattern 3: OT-from-IT crossover is no longer theoretical
Entries #16 and #17 are OT or SCADA flaws being exploited from IT-side footholds. The historical assumption that OT and IT were sufficiently separate to require separate threat models is no longer defensible at the level of practitioner planning. Modern OT estates have IT crossover points — engineering workstations, historian databases, vendor remote-access channels — that are themselves nodes in the IT graph, and adversaries are routinely reaching OT by walking those edges. The defensive response is explicit modelling of every crossover edge and structural enforcement that they remain minimally privileged and continuously monitored.
Pattern 4: virtualisation and orchestration substrates take direct fire
Entries #4 (hypervisor) and #7 (container orchestrator) are flaws in the substrate that holds workloads. The blast radius of a substrate compromise is the union of the blast radii of every workload running on it — a category where CVSS chronically understates real impact and where the GIS reachability factor diverges most strongly from baseline severity.
Pattern 5: EPSS curves are compressing
The interval between disclosure and observable mass exploitation has continued to shrink. Across the eleven KEV-listed entries here, the median time from public disclosure to KEV inclusion was 9 days; in the equivalent six-month period two years earlier it was 21 days. Defenders calibrated to the historical median are calibrating to a moving baseline. Patch SLAs that were tolerable in 2024 are not tolerable now.
Pattern 6: structural controls outperform monitoring controls
The most reliably effective recommended responses across these twenty are structural — segmentation, trust-zone isolation, identity hub reduction, denial of edges that should not exist — rather than monitoring or detection. The leverage of structural controls is consistently higher and their failure modes more predictable. A graph-grounded security programme uses the graph not only for detection but for ongoing structural review.
What this means for SOCs
The cross-cutting patterns translate into three operational shifts for security operations centres responsible for environments containing any meaningful subset of the affected product classes.
First, prioritisation must move beyond CVSS plus rumour. Several entries here with CVSS below 9 outrank higher-CVSS entries on GIS; the gap is the reachability factor. The marginal benefit of integrating EPSS is real but smaller than the marginal benefit of integrating reachability. SOCs operating a graph-native correlation substrate can compute reachability directly from their environment; SOCs that cannot should at least adopt a manual node-criticality classification as a proxy.
Second, retrospective replay against newly-published CVEs is non-optional. For the eleven KEV-listed entries here, the median exploitation window opened before disclosure, not after. Detection rules written after disclosure catch nothing in the period that already mattered. Defenders need the ability to author a detection after the fact and replay it against the preceding 30 to 90 days of telemetry — the core argument of the closed-loop detection engineering whitepaper.
Third, blast-radius gating must become an explicit operational concept. When an analyst triages an alert, the immediate next question is not "what did the attacker do here?" but "what could the attacker do from here?" — and the answer is a graph traversal, not an intuition. The mechanics are described in graph-native correlation.
# A representative blast-radius traversal, in pseudocode
START FROM compromised_node n
WITH edges_of_interest = {AUTHENTICATES_AS, READS_SECRET,
                          ASSUMES_ROLE, BIND_SVC, HOSTS,
                          CAN_ACCESS, READS_DB}
WITH depth_limit = 4
FOR each edge e OUT OF n IN edges_of_interest:
    target t = head(e)
    record (n, e, t, depth=1)
    IF t IS in {identity_hub, data_store, secret_store}:
        FLAG as critical reachability
    RECURSE from t WITH depth+=1 UNTIL depth_limit
RETURN sorted reachable_set BY criticality DESC
The above is structurally generic; an environment-specific implementation needs the actual edge taxonomy and hub classification — artefacts that ought to be maintained continuously by the platform that holds the graph, not authored ad hoc during an incident.
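The traversal above carried into working Python, as an added example that is not part of the original article: the edge taxonomy and hub classes are the pseudocode's, while the graph is a constructed, hypothetical environment and the node names are placeholders. It also handles the cycle case the pseudocode leaves implicit, since trust edges in real estates routinely loop back.

```python
from collections import deque

# Edge taxonomy and hub classes from the pseudocode above. The graph below is
# a constructed sample (hypothetical estate), not a real environment.
EDGES_OF_INTEREST = {"AUTHENTICATES_AS", "READS_SECRET", "ASSUMES_ROLE",
                     "BIND_SVC", "HOSTS", "CAN_ACCESS", "READS_DB"}
CRITICAL_KINDS = {"identity_hub", "secret_store", "data_store"}
CRITICALITY = {"identity_hub": 3, "secret_store": 3, "data_store": 2}  # sort weight
NODES = {  # node id -> node kind
    "ws-finance-07": "workstation", "erp-app-01": "app_server",
    "erp-db-01": "data_store", "vault-01": "secret_store",
    "idp-01": "identity_hub", "role-backup-admin": "cloud_role",
    "backup-01": "backup_product", "hr-db-01": "data_store", "printer-3f": "printer",
}
EDGES = [  # (source, edge label, target)
    ("ws-finance-07", "CAN_ACCESS", "erp-app-01"),
    ("ws-finance-07", "CAN_ACCESS", "printer-3f"),
    ("erp-app-01", "READS_DB", "erp-db-01"),
    ("erp-app-01", "READS_SECRET", "vault-01"),
    ("erp-app-01", "AUTHENTICATES_AS", "idp-01"),
    ("vault-01", "ASSUMES_ROLE", "role-backup-admin"),
    ("role-backup-admin", "CAN_ACCESS", "backup-01"),
    ("backup-01", "READS_DB", "hr-db-01"),         # hop 5: beyond depth_limit 4
    ("idp-01", "AUTHENTICATES_AS", "erp-app-01"),  # cycle; must not loop forever
    ("printer-3f", "MANAGES", "ws-finance-07"),    # label not of interest; ignored
]

def blast_radius(start, nodes=NODES, edges=EDGES, depth_limit=4):
    """Breadth-first walk from `start` over edges_of_interest, recording
    (via, edge, node, depth, critical) for each node first reached within
    depth_limit hops. The seen-set guards against cycles. Output is sorted
    by criticality DESC, then by depth (closest critical node first)."""
    out = {}
    for src, label, dst in edges:
        if label in EDGES_OF_INTEREST:
            out.setdefault(src, []).append((label, dst))
    seen, reached, queue = {start}, [], deque([(start, 1)])
    while queue:
        n, depth = queue.popleft()
        for label, t in out.get(n, ()):
            if t in seen:
                continue
            seen.add(t)
            reached.append({"via": n, "edge": label, "node": t, "depth": depth,
                            "critical": nodes[t] in CRITICAL_KINDS})
            if depth < depth_limit:
                queue.append((t, depth + 1))
    return sorted(reached, key=lambda r: (-CRITICALITY.get(nodes[r["node"]], 0),
                                          r["depth"], r["node"]))
```

From the finance workstation the walk surfaces the IdP, the secrets manager and the ERP database within two hops, which is the answer to "what could the attacker do from here?" that an analyst needs at triage time.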
The retro-replay imperative. Of the eleven KEV-listed CVEs profiled here, nine showed signals of exploitation in telemetry that predated public disclosure. The signals were not detected at the time because no detection existed for them at the time. A platform that cannot replay newly-authored detections against retained raw telemetry is, structurally, blind to the most expensive class of incidents.
Appendix: GIS scoring rubric and worked example
The full formula is reproduced below with a worked example for CVE-2026-21088 (entry #1).
# Graph Impact Score (GIS) — reference implementation
def graph_impact_score(cvss, epss_pct, reach, kev):
    """
    cvss     : float in [0.0, 10.0], CVSS 3.1 base score from NVD
    epss_pct : float in [0.0, 1.0], EPSS percentile from FIRST daily set
    reach    : float in [0.6, 1.5], reachability factor (see rubric)
    kev      : bool, CISA KEV listing as of evaluation date
    """
    epss_term = 0.5 + 0.5 * epss_pct   # [0.5, 1.0]
    kev_term = 1.15 if kev else 1.00
    return round(cvss * epss_term * reach * kev_term, 1)

# Worked example: CVE-2026-21088 (same arithmetic the function performs)
cvss = 9.9
epss_pct = 0.98
reach = 1.5        # identity hub, multiple TRUSTS_AUTH edges
kev = True
epss_term = 0.5 + 0.5 * 0.98           # = 0.99
kev_term = 1.15
gis = 9.9 * 0.99 * 1.5 * 1.15          # = 16.91...
# rounded to one decimal: 16.9 (equals graph_impact_score(cvss, epss_pct, reach, kev))
The reachability factor rubric is intentionally coarse, with six bands:
- 0.6 — Isolated leaf. Air-gapped or single-purpose host; canonical example is a dedicated engineering workstation behind a unidirectional gateway.
- 0.8 — Standard endpoint. User workstation with routine outbound application edges; no privileged service-account bindings.
- 1.0 — Routine workload. Application server or database of single-application scope; one or two outbound trust edges.
- 1.2 — Privileged workload. Application server, mail server, or middleware holding credentials for downstream services.
- 1.4 — Trust broker or substrate. Identity provider, PAM gateway, VPN concentrator, hypervisor host, backup product, secrets manager.
- 1.5 — Apex trust hub. The IdP signing assertions every other system trusts.
The upper bound is capped at 1.5 to keep GIS scores interpretable against the familiar 0-to-10 CVSS range. The factor captures typical deployment, not worst-case; in environments where a deployment differs materially — say, a backup product within an isolated trust zone — the local factor should be adjusted and GIS recomputed.
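The rubric applied to a small set, as an added example that is not part of the original article: the entries are constructed with placeholder CVE ids, not the twenty profiled here, and the formula is the appendix's. It shows the CVSS-below-9 entry outranking the CVSS 9.8 entry on reachability, and the local-override recompute described above for a deployment that differs from the typical case.

```python
# Rubric bands from the appendix. SAMPLE_ENTRIES are constructed placeholders
# (not real CVEs) chosen to show reachability reordering a CVSS-sorted backlog.
REACH_BANDS = {"isolated_leaf": 0.6, "standard_endpoint": 0.8,
               "routine_workload": 1.0, "privileged_workload": 1.2,
               "trust_broker": 1.4, "apex_trust_hub": 1.5}

def graph_impact_score(cvss, epss_pct, reach, kev):
    """GIS exactly as defined in the appendix: CVSS x EPSS term x reach x KEV."""
    epss_term = 0.5 + 0.5 * epss_pct
    kev_term = 1.15 if kev else 1.00
    return round(cvss * epss_term * reach * kev_term, 1)

SAMPLE_ENTRIES = [  # id (placeholder), cvss, epss percentile, rubric band, kev
    {"id": "CVE-PLACEHOLDER-A", "cvss": 9.8, "epss_pct": 0.95,
     "band": "standard_endpoint", "kev": True},   # loud, but on a user endpoint
    {"id": "CVE-PLACEHOLDER-B", "cvss": 8.1, "epss_pct": 0.90,
     "band": "trust_broker", "kev": True},        # PAM gateway class
    {"id": "CVE-PLACEHOLDER-C", "cvss": 9.1, "epss_pct": 0.40,
     "band": "routine_workload", "kev": False},
    {"id": "CVE-PLACEHOLDER-D", "cvss": 8.8, "epss_pct": 0.97,
     "band": "trust_broker", "kev": False},       # backup product, typical deployment
]

def rank_by_gis(entries, local_bands=None):
    """Return [(id, gis, cvss)] sorted by GIS descending (ties: higher CVSS,
    then id). `local_bands` maps an id to a rubric band that overrides the
    published one: the recompute for a deployment that differs materially
    from the typical case, e.g. a backup product in an isolated trust zone."""
    local_bands = local_bands or {}
    scored = []
    for e in entries:
        reach = REACH_BANDS[local_bands.get(e["id"], e["band"])]
        gis = graph_impact_score(e["cvss"], e["epss_pct"], reach, e["kev"])
        scored.append((e["id"], gis, e["cvss"]))
    return sorted(scored, key=lambda r: (-r[1], -r[2], r[0]))

def cvss_only_order(entries):
    """The ordering a CVSS-only programme would work from, for comparison."""
    return [e["id"] for e in sorted(entries, key=lambda e: (-e["cvss"], e["id"]))]
```

Under CVSS alone the order is A, C, D, B; under GIS the two trust-broker entries rise to the top and the endpoint flaw drops to third, and the isolated-zone override moves D to the bottom.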
Reproducibility. Every number above can be recomputed from the GIS formula, the NVD CVSS vector, the daily EPSS publish, the KEV listing, and the reachability factor we have applied. The reachability factor is made explicit per CVE rather than embedded in a private model so defenders who disagree with our calibration can substitute their own. Disagreement is welcome; opacity is not.
Key takeaways
- Identity-surface flaws dominate. Eight of twenty entries primarily yield an identity rather than execution; several others derive most of their blast radius from identities the compromised component holds.
- CVSS alone is misleading for prioritisation. The reachability factor in GIS is the variable that most cleanly separates a manageable patch backlog from an existential one.
- Median time from disclosure to KEV inclusion in this period was nine days. Patch SLAs calibrated to earlier baselines are no longer adequate.
- Retrospective replay against newly-authored detections is non-optional. The exploitation window almost always opens before disclosure.
- Structural controls outperform monitoring controls. Monitoring matters; structure matters more.
- OT, virtualisation, and file-transfer are recurring high-yield targets. The categories will not turn over.
For conceptual underpinnings, see blast radius as a first-class concept and retrospective detection. For platform-level treatment see graph-native correlation; practitioner questions are answered in the Netgraph FAQ.
About this research
Authored by Autocops Desk. Methodology reproducible from public NVD / KEV / EPSS data. First published 23 May 2026.
Disclosure ethics: all CVEs analysed are public at time of publication. Where exploitation specifics could enable opportunistic harm we have summarised categorically rather than published step-by-step technique. The Autocops Desk follows coordinated-disclosure norms. Where vendor patches are available, apply them as the first step before relying on any detection or containment pattern above.