Mid-Week Intel: Drupal SQL Injection on KEV, Microsoft Defender Double, and Cisco Catalyst SD-WAN Emergency Directive 26-03

Jordan Polasek · Founder, BVTech LLC · May 25, 2026 · 10 min read

Tags: CVE-2026-9082 · Drupal Core · CVE-2026-41091 · CVE-2026-45498 · Microsoft Defender · CVE-2026-20182 · Cisco Catalyst SD-WAN · Emergency Directive 26-03

Sunday's recap is normally enough, but this week earned a mid-week supplement. CISA pushed a one-vulnerability KEV update on Monday morning (Drupal Core CVE-2026-9082, a SQL injection now being actively exploited within days of Drupal's patch), and the cumulative weight of last week's catalog updates deserves more attention than the Sunday digest gave it. So here is the Tuesday rundown.

⚠️ Active Exploitation This Week

If you run Drupal in any internet-facing capacity, the May 26 CVE-2026-9082 KEV add is for you. If your endpoint protection is Microsoft Defender enterprise tier, last Wednesday's double (CVE-2026-41091, CVE-2026-45498) should already be patched. If you run any Cisco Catalyst SD-WAN gear, Emergency Directive 26-03 from CISA last week is binding on federal agencies and a strong signal for the rest of us.

1. CVE-2026-9082: Drupal Core SQL Injection (Added to KEV Today)

CISA KEV added: May 26, 2026 · Status: Active exploitation within days of Drupal's patch

A SQL injection flaw in Drupal Core was disclosed and patched by the Drupal Security Team late last week. By Monday morning CISA had added it to KEV after detecting in-the-wild exploitation. The flaw specifically affects PostgreSQL-backed Drupal sites and lets attackers move from initial probing to data exfiltration, privilege escalation, or full remote code execution against any exposed instance still running the unpatched build.

Drupal is the CMS sitting under a lot of mid-market Texas marketing sites, university subsites, regional healthcare patient portals, and government department pages. The "we have a tech team that handles that" assumption tends to break down on Drupal because the typical install is owned by a marketing agency, an ed-tech consultant, or a contractor who hasn't been retained in a year.

How to remediate:

2. CVE-2026-41091 and CVE-2026-45498: The Microsoft Defender Double

CISA KEV added: May 20, 2026 · Federal patch deadline: June 10, 2026

Last Wednesday's KEV update was a seven-CVE dump that mostly comprised vintage Microsoft and Adobe flaws from 2008-2010 (now being weaponized against unpatched legacy systems), plus two contemporary Defender vulnerabilities: CVE-2026-41091, a privilege escalation in Microsoft Defender, and CVE-2026-45498, a denial-of-service flaw in the same product family.

This is the second time Defender has landed on KEV in a month: CVE-2026-33825 (access-control flaw) was added on April 22. Three Defender CVEs in roughly five weeks tells you the Defender attack surface is currently a hot research target. The product itself ships patches automatically through Windows Update for tenanted Microsoft 365 Defender, but on-premise Defender deployments and certain Defender for Business configurations require explicit updates.

What to verify:

3. CVE-2026-20182: Cisco Catalyst SD-WAN Controller (Emergency Directive 26-03)

CISA KEV added: May 14, 2026 · Severity: Critical, authentication bypass · Emergency Directive 26-03 issued

This is the one that should have made bigger headlines than it did. CVE-2026-20182 is an authentication bypass against Cisco Catalyst SD-WAN Controller, and CISA issued Emergency Directive 26-03 alongside the KEV add, a step CISA only takes when the federal civilian executive branch needs to act inside 24 hours. For comparison, ED 26-03 is the same severity classification CISA used for Ivanti and Citrix NetScaler in 2024.

If you read the April 26 recap, you already know my position on Cisco Catalyst SD-WAN as a product family right now: it has been on fire for two months. CVE-2026-20122, -20128, -20133 in April. CVE-2026-42897 PoC released in early May. Now CVE-2026-20182 with an Emergency Directive. That is five critical issues in one product family in under sixty days.

If you run Catalyst SD-WAN Controller anywhere (typical for multi-site Texas retail, regional healthcare networks, and MSPs serving regional chains), Emergency Directive 26-03's "Hunt and Hardening Guidance" is the document to follow. The TL;DR is: patch immediately, take the management plane off the public internet, audit access logs for the last 90 days, and treat any anomalous authentication as suspected compromise until proven otherwise.
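The "audit access logs for the last 90 days" step is the one most shops skip because nobody has a starting point. Below is an added example of the kind of first-pass triage I would run over an exported authentication log before handing anything to a hunt team. It is not CISA's or Cisco's tooling, and the log lines are constructed in a generic syslog-style key=value format (real controller logs differ and need their own parser). It treats the first part of the export as a baseline of normal (user, source address) pairs, then flags later successes that come from a pair never seen before, land outside business hours, or follow a burst of failures from the same source.

```python
"""First-pass triage of an authentication log ahead of a compromise hunt.

Added example, not CISA's or Cisco's code. The log format below is a
constructed, generic "ts auth user=... src=... result=..." line; real
SD-WAN controller exports differ and need their own LINE_RE.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)

# Constructed sample export. Addresses come from RFC 1918 and the RFC 5737
# documentation ranges; the users and times are made up for the demo.
SAMPLE_LOG = """\
2026-05-01T09:12:03Z auth user=netadmin src=10.20.0.15 result=success
2026-05-02T10:03:41Z auth user=netadmin src=10.20.0.15 result=success
2026-05-08T14:45:10Z auth user=msp-oncall src=198.51.100.7 result=success
2026-05-15T08:55:27Z auth user=netadmin src=10.20.0.15 result=success
2026-05-22T03:14:07Z auth user=netadmin src=203.0.113.45 result=failure
2026-05-22T03:14:12Z auth user=netadmin src=203.0.113.45 result=failure
2026-05-22T03:14:19Z auth user=netadmin src=203.0.113.45 result=failure
2026-05-22T03:14:31Z auth user=netadmin src=203.0.113.45 result=success
2026-05-23T11:02:55Z auth user=msp-oncall src=198.51.100.7 result=success
"""

# 07:00-19:59 UTC; adjust to the site's real working hours and timezone.
BUSINESS_HOURS = range(7, 20)


def parse(log_text):
    """Turn raw lines into event dicts; silently skips lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in a real hunt, count these: unparseable lines are a finding too
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]})
    return events


def find_anomalies(log_text, baseline_days=14, fail_threshold=3):
    """Return a list of findings, each {"rule", "ts", "user", "src"}.

    Successes inside the first `baseline_days` of the export only teach the
    set of known (user, src) pairs. Every later success is checked against:
      new-source   : (user, src) pair never seen in the baseline
      off-hours    : hour of the login outside BUSINESS_HOURS
      fail-then-ok : at least `fail_threshold` failures from that src right before
    """
    events = sorted(parse(log_text), key=lambda e: e["ts"])
    if not events:
        return []
    cutoff = events[0]["ts"] + timedelta(days=baseline_days)
    known = set()
    failures = defaultdict(int)  # consecutive failures per source address
    findings = []
    for e in events:
        pair = (e["user"], e["src"])
        if e["result"] == "failure":
            failures[e["src"]] += 1
            continue
        if e["ts"] < cutoff:
            known.add(pair)  # baseline period: learn, do not judge
            failures[e["src"]] = 0
            continue
        ctx = {"ts": e["ts"].isoformat(), "user": e["user"], "src": e["src"]}
        if pair not in known:
            findings.append({"rule": "new-source", **ctx})
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append({"rule": "off-hours", **ctx})
        if failures[e["src"]] >= fail_threshold:
            findings.append({"rule": "fail-then-ok", **ctx})
        failures[e["src"]] = 0
        known.add(pair)
    return findings


if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_LOG):
        print(f"{f['rule']:<12} {f['ts']} user={f['user']} src={f['src']}")
```

On the sample export the single success at 03:14 UTC from the unfamiliar address trips all three rules, which is exactly the "anomalous authentication" the directive says to treat as suspected compromise until proven otherwise. The baseline window is a deliberate simplification: an attacker who was already in before the export starts will look "known", so pair this with the directive's own hunt guidance rather than relying on it alone.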

4. The 60-Day Pattern Hardens

Look at the last sixty days of recaps in aggregate. Edge appliances on KEV every week. Security products themselves on KEV three times in five weeks. AI tooling on KEV (Langflow). And now CMSes on KEV (Drupal, today). The attack surface is widening and the cadence of weaponization is accelerating.

The throughline I keep returning to is inventory. Most Texas small businesses I take over from a prior IT provider do not have a written inventory of what software is running where, what version, who owns patching, and what is internet-exposed. Until that inventory exists, every KEV update is a guessing game. Once it exists, the same KEV update becomes a ten-minute filter against the inventory and either nothing matches or there is a clear list of things to patch this week.
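Here is what that "ten-minute filter" looks like once the inventory exists, as an added example rather than BVTech's own tooling. It reads a KEV feed using the public field names of CISA's known_exploited_vulnerabilities.json (cveID, vendorProject, product, dateAdded, dueDate, requiredAction) and a small inventory CSV, and returns the assets that match, internet-exposed ones first and soonest deadline next. The feed excerpt and inventory rows below are constructed for the demonstration; the CVE ids are the ones in this post, but the due dates other than the Defender one are placeholders.

```python
"""Filter a CISA KEV feed against a software inventory.

Added example, not BVTech's tooling. The KEV records use the field names
of CISA's public known_exploited_vulnerabilities.json; the feed excerpt
and the inventory rows are constructed (due dates other than the Defender
one are placeholders, not values from the catalog).
"""
import csv
import io
import json
from datetime import date

# Constructed KEV feed excerpt shaped like CISA's JSON feed.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2026-9082", "vendorProject": "Drupal", "product": "Drupal Core",
         "dateAdded": "2026-05-26", "dueDate": "2026-06-16",  # placeholder due date
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2026-41091", "vendorProject": "Microsoft", "product": "Defender",
         "dateAdded": "2026-05-20", "dueDate": "2026-06-10",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2026-20182", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Controller",
         "dateAdded": "2026-05-14", "dueDate": "2026-05-15",  # placeholder due date
         "requiredAction": "Apply mitigations per vendor instructions."},
    ]
})

# Constructed inventory: the four columns the post says most shops are
# missing (what, where, who patches it, is it exposed), one row per asset.
SAMPLE_INVENTORY_CSV = """\
asset,vendor,product,owner,internet_exposed
www-marketing,Drupal,Drupal Core,agency-contractor,yes
dc01,Microsoft,Windows Server,internal-it,no
edge-sdwan,Cisco,Catalyst SD-WAN Controller,msp,yes
laptops,Microsoft,Defender,internal-it,no
"""


def match_kev(kev_json, inventory_csv, today_iso, added_since_iso=None):
    """Return inventory assets affected by KEV entries, most urgent first.

    Matching is by vendor (exact, case-insensitive) and product (either
    string contained in the other), which is loose on purpose: a false
    positive costs a minute of review, a false negative costs the breach.
    """
    today = date.fromisoformat(today_iso)
    since = date.fromisoformat(added_since_iso) if added_since_iso else None
    feed = json.loads(kev_json)["vulnerabilities"]
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    hits = []
    for vuln in feed:
        if since and date.fromisoformat(vuln["dateAdded"]) < since:
            continue  # only entries added since the last time we ran the filter
        vendor = vuln["vendorProject"].lower()
        product = vuln["product"].lower()
        for row in rows:
            inv_product = row["product"].lower()
            if row["vendor"].lower() != vendor:
                continue
            if product not in inv_product and inv_product not in product:
                continue
            due = date.fromisoformat(vuln["dueDate"])
            hits.append({
                "cve": vuln["cveID"],
                "asset": row["asset"],
                "owner": row["owner"],
                "internet_exposed": row["internet_exposed"].strip().lower() == "yes",
                "due": vuln["dueDate"],
                "days_left": (due - today).days,  # negative means already overdue
                "action": vuln["requiredAction"],
            })
    # Exposed assets first, then whichever deadline is closest (or most overdue).
    hits.sort(key=lambda h: (not h["internet_exposed"], h["days_left"]))
    return hits


def report(hits):
    """Render the hit list as the one-line-per-item punch list you hand to owners."""
    lines = []
    for h in hits:
        flag = "EXPOSED " if h["internet_exposed"] else "internal"
        lines.append(f"{flag} {h['cve']:<15} {h['asset']:<14} owner={h['owner']:<18} "
                     f"due={h['due']} ({h['days_left']:+d}d)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(match_kev(SAMPLE_KEV_JSON, SAMPLE_INVENTORY_CSV, "2026-05-26"))))
```

Run against the sample inventory on May 26, the SD-WAN controller comes out on top (exposed and past its placeholder deadline), the Drupal site second, and the Defender fleet third; the domain controller never matches because nothing in the feed names Windows Server. The `added_since_iso` argument is what turns this into the weekly ten-minute job: pass last Sunday's date and only the new catalog entries are checked.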

If you do not have that inventory and you would like one, BVTech will build it for you on a fixed-fee project. Most engagements take two weeks; the document outlasts the engagement and lets your subsequent IT provider, us or anyone else, work efficiently.

Want Help This Week?

If you run Drupal, Microsoft Defender enterprise tier, or any Cisco Catalyst SD-WAN gear and you are not sure where you stand against the deadlines above, call BVTech at (210) 538-3669 or email [email protected]. The first conversation is always free; we will tell you exactly where the risk lives and what to do about it.

Jordan Polasek is the Founder and Managing Partner of BVTech LLC, a Texas-based managed IT services provider. He holds AWS and 1Password certifications, the Certified Polysomnographic Technologist credential (CPSGT #294), and won the SuperOps Solo MSP of the Year Award in 2023. Connect with Jordan on LinkedIn or at jordanpolasek.com.
