The Lyceum: Cyber Intelligence Daily — May 23, 2026
Saturday, May 23, 2026
The Big Picture
It's a patch-or-perish Saturday. Drupal's database is being actively ransacked through a SQL injection flaw that CISA added to its Known Exploited Vulnerabilities catalog yesterday with a federal deadline of Tuesday — and Imperva is already counting attacks in five figures across 65 countries. Ubiquiti shipped patches for three perfect-10 holes in the network gear running half the world's coffee shops and corporate campuses. And in a rare bit of good news, Dutch financial-crime investigators tore down an 800-server bulletproof hosting operation that had been quietly enabling ransomware, disinformation, and cyberattacks for years. Bring coffee.
What Just Dropped
- CVE-2026-9082 — Drupal Core (PostgreSQL backends): patched, actively exploited, added to CISA KEV with a May 27 federal deadline. SQL injection enabling privilege escalation and RCE; Imperva has logged 15,000+ attack attempts against nearly 6,000 sites in 65 countries.
- CVE-2026-34926 — Trend Micro Apex One on-premises: patched, actively exploited, KEV deadline June 4. Pre-authenticated directory traversal lets an attacker modify a key table on the server to push malicious code to every managed agent.
- CVE-2026-34908, CVE-2026-34909, CVE-2026-34910 — Ubiquiti UniFi OS: patched, no confirmed in-the-wild exploitation yet. Three CVSS 10.0 flaws — improper access control, path traversal, and command injection — exploitable by remote unauthenticated attackers.
- CVE-2026-45585 "YellowKey" — Microsoft Windows: no patch yet, public PoC out. Security feature bypass; Microsoft issued the CVE for mitigation guidance after researchers published the proof of concept outside coordinated disclosure norms.
- CVE-2026-48172 — LiteSpeed User-End cPanel Plugin before 2.4.5: patched, exploited in the wild in May 2026. Privilege escalation possibly to root; LiteSpeed published a grep one-liner to check logs for compromise.
Today's Stories
Drupal's Database Is Being Robbed Right Now — Patch Before You Finish Reading This
Someone is actively trying to break into your Drupal site right now.
CVE-2026-9082 lives in Drupal's database abstraction layer and lets specially crafted requests trigger arbitrary SQL injection on sites using PostgreSQL. In plain terms: an attacker can slip malicious commands into the queries your site sends to its database, then read, modify, or delete whatever's there. The flaw requires no authentication and can lead to remote code execution and privilege escalation. Drupal updated its advisory on Friday to confirm exploitation: "The risk score has been updated to reflect that exploit attempts are now being detected in the wild," according to BleepingComputer.
The affected versions are Drupal 10.4.x before 10.4.10, 10.5.x before 10.5.10, 10.6.x before 10.6.9, 11.1.x before 11.1.10, 11.2.x before 11.2.12, and 11.3.x before 11.3.10. Per Tenable's analysis, only sites using PostgreSQL as their backend are vulnerable — MySQL, MariaDB, and SQLite installs are spared. That's the good news. The bad news, via Windows Forum's reporting: CISA added CVE-2026-9082 to its Known Exploited Vulnerabilities catalog on Friday, giving federal agencies until Tuesday, May 27 to patch.
Per The Hacker News, Imperva has already observed 15,000+ attack attempts against nearly 6,000 sites across 65 countries, with gaming and financial services sites accounting for roughly half of all activity. The window between disclosure and mass exploitation is closed.
If you run Drupal on PostgreSQL, update to 11.3.10, 11.2.12, 10.6.9, or 10.5.10 immediately — and even if you don't run PostgreSQL, the same releases ship dependency fixes for Symfony and Twig you'll want anyway. Watch for webshell deployment in CMS file directories and unexpected admin account creation over the next 72 hours. If you see either, start incident response, not patching.
Your Ubiquiti Router Has Three Perfect-10 Flaws. Patches Are Out.
Three CVSS 10.0 vulnerabilities in Ubiquiti gear — the brand behind UniFi routers, switches, and access points found everywhere from coffee shops to corporate campuses — and patches dropped Friday. These aren't theoretical.
CVE-2026-34908 is an improper access control flaw letting remote attackers make unauthorized system changes. CVE-2026-34909 is a path traversal vulnerability allowing access to files on the underlying system. CVE-2026-34910 is command injection — an attacker with network access can run arbitrary code on the device. All three are exploitable by remote, unauthenticated attackers. Ubiquiti reported them via its HackerOne bug bounty program and described them as low-complexity to exploit.
Ubiquiti has not confirmed in-the-wild exploitation. But the history isn't reassuring. In February 2024, the FBI took down Moobot — a botnet built from hacked Ubiquiti Edge OS routers that Russia's GRU used to proxy malicious traffic in espionage operations against the United States and its allies. On Ubiquiti gear, the window between "patch available" and "mass scanning" has historically been measured in days, not weeks.
Update affected UCG, UDM, UNVR, UDR-5G, ENVR-Core, and UCK models to firmware 5.1.12 or later; standalone UniFi OS Server installs need 5.0.8. Over the next two weeks, unexpected admin account creation or unfamiliar VPN tunnels appearing on UniFi consoles are breach indicators — pull configs for forensics before reimaging.
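As an added example (not code from The Lyceum, Drupal or Ubiquiti), a small Python triage helper that applies the affected-version lists quoted in the Drupal item and the Ubiquiti item above to an inventory of version strings; the branch thresholds, model names and firmware numbers come from those two stories, while the classification labels and the treatment of unlisted branches are assumptions.

```python
"""Triage helper for today's Drupal (CVE-2026-9082) and UniFi OS items.
Versions are parsed as dotted integers; unparseable input is reported
as 'unknown' rather than silently treated as safe."""
from typing import Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Optional[Version]:
    """Turn '10.5.9' into (10, 5, 9); return None if it does not parse."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None

# First patched release per Drupal branch, as listed in the story.
DRUPAL_FIXED = {
    (10, 4): (10, 4, 10), (10, 5): (10, 5, 10), (10, 6): (10, 6, 9),
    (11, 1): (11, 1, 10), (11, 2): (11, 2, 12), (11, 3): (11, 3, 10),
}

# Minimum UniFi OS firmware per product family from the Ubiquiti story.
UNIFI_MIN = {
    "UCG": (5, 1, 12), "UDM": (5, 1, 12), "UNVR": (5, 1, 12),
    "UDR-5G": (5, 1, 12), "ENVR-Core": (5, 1, 12), "UCK": (5, 1, 12),
    "UniFi OS Server": (5, 0, 8),
}

def drupal_exposed(version: str, db_driver: str) -> str:
    """Classify a Drupal install against CVE-2026-9082.
    Only the PostgreSQL backend is affected by the SQL injection, but the
    patched releases also carry Symfony/Twig fixes, so an out-of-date
    install on another backend is still labelled 'update'."""
    v = parse_version(version)
    if v is None or len(v) < 3:
        return "unknown"
    fixed = DRUPAL_FIXED.get(v[:2])
    if fixed is None:
        return "not-listed"   # branch absent from the advisory: review by hand
    if v >= fixed:
        return "patched"
    pg = db_driver.lower() in ("pgsql", "postgresql")
    return "vulnerable" if pg else "update"

def unifi_exposed(model: str, firmware: str) -> str:
    """Classify a UniFi OS device against the three CVSS 10.0 flaws."""
    v = parse_version(firmware)
    minimum = UNIFI_MIN.get(model)
    if v is None or minimum is None:
        return "unknown"      # unlisted model or odd firmware string
    return "patched" if v >= minimum else "vulnerable"
```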
Netherlands Tears Down 800-Server Criminal Hosting Empire
Most cybercrime depends on infrastructure that someone, somewhere, is willing to rent out without asking questions. On Friday, Dutch authorities ripped out a chunk of that foundation.
According to BleepingComputer, financial-crime investigators at the Dutch FIOD arrested two men and seized 800 servers linked to a web hosting company that knowingly enabled cyberattacks, interference operations, and disinformation campaigns. This is bulletproof hosting — the landlord that never calls the cops, no matter what the tenants are doing.
The Dutch operation arrived alongside a related international takedown. Per The Hacker News, authorities in a May 19–20 operation dismantled "First VPN," a criminal VPN service used by at least 25 ransomware groups, seizing 33 servers and domains including 1vpns[.]com, 1vpns[.]net, and 1vpns[.]org. Together, the two actions represent a coordinated squeeze on the layer of internet infrastructure that ransomware crews, fraud networks, and influence operators all depend on.
Infrastructure takedowns don't end cybercrime, but they force criminal operations to rebuild — burning time, money, and operational security. The two arrested operators almost certainly hold customer records, which means follow-on intelligence is coming. Watch for ransomware groups going quiet or visibly shifting infrastructure in the next 48–72 hours. Business as usual on leak sites by Monday morning would mean the seized capacity was already redundant.
Your Antivirus Is Being Weaponized: Trend Micro Apex One Zero-Day, CISA Confirms Exploitation
There's a particular kind of irony when the software guarding your endpoints becomes the attack surface. That's what's happening with Trend Micro's Apex One.
CVE-2026-34926 is a directory traversal flaw in the Apex One on-premises server. "A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations," Trend Micro said in its advisory, per BleepingComputer. Translation: an attacker who has gained admin access to your Apex One server can use this flaw to push malicious code to every endpoint that server manages. The security console becomes the malware distribution console.
CISA added the CVE to its Known Exploited Vulnerabilities catalog and gave federal agencies until June 4 to patch. SecurityWeek notes that exploitation requires admin credentials first — this is almost certainly a second-stage move after initial access through other means. Past Apex product exploitation has been linked to Chinese state-sponsored hackers, though Trend Micro has not attributed this particular campaign.
If you run Apex One on-premises, apply the patch now and audit your server's admin account activity for the past 30 days. If defenders start finding webshells or unexpected agent policy changes deployed in late April or early May, the exploitation window was wider than the disclosure suggests.
⚡ What Most People Missed
- Megalodon poisoned 5,561 GitHub repositories in six hours: Per The Hacker News, attackers used throwaway accounts and forged CI bot names to push malicious GitHub Actions workflows designed to steal CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets. If your team uses GitHub Actions and hasn't audited workflow changes and personal access tokens since Thursday, that's the action item.
- The FBI warned about Kali365, a phishing-as-a-service platform targeting Microsoft 365: Per The Record, Kali365 is a Telegram-based service that captures legitimate OAuth tokens — the short-lived authentication tokens that let apps act on your behalf — enabling account takeover without ever needing your password. This is adversary-in-the-middle phishing that bypasses multi-factor authentication, sold as a subscription.
- ShinyHunters claimed three new victims in a single hour overnight: Telegram ransomware trackers logged the group claiming DentaQuest (a dental benefits company serving millions of Medicaid patients), Charter Communications, and Baker Distributing Company within sixty minutes early Saturday morning. None confirmed yet, but ShinyHunters' Canvas/Instructure follow-through earlier this month makes these worth watching.
- A 23-year-old Canadian was arrested for allegedly running the Kimwolf DDoS botnet: US and Canadian authorities charged him with operating a botnet that infected nearly two million devices — photo frames, webcams, the works — and issued more than 25,000 attack commands peaking at 31.4 Tbps. Per The Hacker News, the takedown is one of the larger DDoS infrastructure dismantlements this year.
- Two former US executives pleaded guilty to aiding tech support scammers: Per BleepingComputer, two former executives of a call-tracking and analytics company admitted to concealing a years-long tech support fraud scheme that victimized people worldwide. Worth flagging because the upstream infrastructure for these scams — the people selling the routing, not the scammers themselves — rarely faces consequences.
From the Foreign Press
CERT-UA: UAC-0057 is phishing Ukrainian government with Prometheus-themed lures
Ukraine's Computer Emergency Response Team published an advisory Friday documenting a fresh wave of phishing attacks by UAC-0057 against Ukrainian government institutions. The lures imitate completion notifications from Prometheus — a popular Ukrainian online learning platform — sent from already-compromised accounts of legitimate Ukrainian organizations. The PDFs in the emails contain links that pull down an updated toolkit CERT-UA tracks as OYSTERFRESH, which deploys OYSTERBLUES and OYSTERSHUCK as follow-on payloads, with Cobalt Strike assessed as the final stage. The Prometheus disguise is well-chosen: it's a platform Ukrainian civil servants actually use, and the certificates the malicious PDFs imitate look genuinely plausible. Source: CERT-UA Advisory #6315762 — Ukrainian. No English-language coverage confirmed at time of publication.
Xakep: Microsoft seized a domain used to sign malware
Russian-language security outlet Xakep reported Friday that Microsoft confiscated the domain of a service used to digitally sign malicious software — letting attackers slip past the code-signing checks that defenders rely on to distinguish trusted binaries from malicious ones. Code-signing abuse is one of the quieter pillars of modern malware distribution; a valid signature sails a binary past application allowlists, EDR heuristics, and casual user inspection alike. Domain seizures of signing-as-a-service operations are rare and meaningful — they disrupt a part of the criminal supply chain that most security teams never see directly. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
Xakep: Google researchers accidentally published an exploit for an unpatched Chromium flaw
Xakep also reported Friday that Google researchers inadvertently disclosed proof-of-concept exploit code for an unpatched vulnerability in Chromium, the open-source engine underlying Chrome, Edge, and a growing list of other browsers. Accidental disclosure of working exploits for unpatched browser flaws compresses defender response time from weeks to hours — anyone watching Google's public repositories now has functional weaponized code for a bug still live in production browsers. If you maintain a managed browser fleet, the next 48 hours are the time to check Chromium's emergency update channel. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If ShinyHunters confirms even one of the DentaQuest/Charter/Baker claims by Monday, it signals the group is operating at a pace that rivals their 2025 peak — and Medicaid-population dental records becoming part of the leak market would represent a meaningfully nastier class of stolen data than the usual corporate dumps.
- If the Dutch FIOD arrests produce customer-record disclosures within the next two weeks, expect indictments or sanctions targeting specific ransomware affiliates — and a corresponding shift in which leak sites stay quiet versus which loudly insist they were never customers.
- If GoAnywhere MFT exploitation produces a confirmed bulk data theft incident in the next 10 days, it puts the managed file transfer category back in the same break-the-supply-chain territory as MOVEit — which means downstream insurance and regulatory consequences for thousands of organizations that didn't even know their partners were running it.
- If the accidentally-leaked Chromium exploit shows up in an exploit kit before Google ships a patch, the next browser zero-day in widespread use will have come from inside the house — a structural embarrassment that will reshape how Google handles internal repository hygiene.
- If CERT-UA's UAC-0057 Prometheus campaign expands to EU partner organizations, watch for a CERT-UA advisory upgrade and Western CERT echoes within days — the pattern matches earlier UAC clusters that started in Ukraine and pivoted to NATO supply chains within weeks.
The Closer
Today: a Drupal database getting siphoned out through a PostgreSQL pinhole, 800 bulletproof servers being carted out of a Dutch data center, and three CVSS-10 holes in the router that runs your dentist's office. Speaking of dentists — somewhere in a Telegram channel right now, ShinyHunters is deciding whether DentaQuest's Medicaid records will hit the leak market before or after your weekend plans.
Patch fast, sleep when you can.
If you know someone whose Saturday is about to be ruined by a Drupal site they forgot they ran, forward this their way.