Analyst Guidance
This week CISA added three vulnerabilities to its Known Exploited Vulnerabilities Catalog, indicating active exploitation in the wild. Additionally, multiple operational technology products from Schneider Electric, Hitachi Energy, and Siemens require attention; organizations should coordinate OT patching carefully to minimize production downtime.
CVE Details & Remediation
How to read this report
🛡️Verified facts — NVD & CISA KEV
⏳Partially verified — awaiting NVD enrichment
🧠AI analysis — synthesis, verify before acting
🛡️Actionable · Verified facts
NVD-published · CISA KEV cross-checked🛡️CVE-2026-48282 – Adobe ColdFusion ✓ NVD
CVSS10 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV
EPSS29% · P98
ActionPatch immediately
Remediation Steps
- Apply the latest security patch from Adobe for ColdFusion path traversal vulnerability
- Implement input validation and sanitization on all file path parameters
- Restrict directory access permissions to the minimum required
- Review recent application logs for path traversal exploitation attempts
References:
🛡️CVE-2026-48558 – SimpleHelp ✓ NVD
CVSS10 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS1% · P63
ActionPatch immediately
AffectedTechnology
Remediation Steps
- Apply the vendor security update for SimpleHelp as a priority.
- Restrict network exposure of the affected service to trusted sources until patched.
- Review logs and detections for indicators of exploitation.
- Confirm fixed versions against the official vendor advisory before deploying.
References:
🛡️CVE-2026-48939 – Joomlic Icagenda ✓ NVD
CVSS9.8 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV
EPSS2% · P71
ActionPatch immediately
Remediation Steps
- Check vendor advisory for available security patches for iCagenda
- Apply the vendor patch to all affected iCagenda instances
- If immediate patching is not possible, implement file upload restrictions at the application or network level
- Monitor logs for evidence of exploitation attempts
References:
🛡️CVE-2026-48908 – JoomShaper SP Page Builder ✓ NVD
CVSS9.8 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV
EPSS2% · P72
ActionPatch immediately
Remediation Steps
- Check vendor advisory for available security patches for JoomShaper SP Page Builder
- Apply the vendor patch to all affected instances
- Verify that authentication enforcement is in place on sensitive admin endpoints
- Monitor access logs for unauthorized access attempts
References:
🛡️CVE-2026-12569 – PTC Windchill And FlexPLM ✓ NVD
CVSS9.8 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS1% · P66
ActionPatch immediately
Remediation Steps
- Refer to CISA Known Exploited Vulnerabilities catalog for vendor-specific remediation guidance
- Apply patches provided by the affected vendor
- Monitor systems for signs of compromise
- Verify that systems are no longer vulnerable before returning to production
References:
🛡️CVE-2025-67038 – Lantronix EDS5000 ✓ NVD
CVSS9.8 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS1% · P55
ActionPatch immediately
Remediation Steps
- Apply vendor patches immediately per Lantronix security advisory
- Isolate affected Lantronix EDS5000 devices from untrusted network segments
- Monitor for signs of unauthorized access or code execution
- Implement network access controls to restrict inbound traffic to EDS5000 management interfaces
References:
🛡️CVE-2026-20253 – Splunk Enterprise ✓ NVD
CVSS9.8 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS88% · P100
ActionPatch immediately
Remediation Steps
- Apply the vendor patch for Splunk Enterprise Missing Authentication issue immediately
- Verify patch installation across all Splunk Enterprise instances
- Monitor Splunk logs for any evidence of unauthorized access or exploitation attempts
- Restrict network access to Splunk management interfaces to trusted networks only
References:
🛡️CVE-2026-48907 – Widget Factory Joomla Content Editor ✓ NVD
CVSS9.8 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS80% · P100
ActionPatch immediately
Remediation Steps
- Apply security patch from Widget Factory/Joomla vendor immediately
- Disable the JCE plugin if patch is not immediately available
- Review access logs for evidence of exploitation attempts
References:
🛡️CVE-2026-45659 – Microsoft SharePoint Server ✓ NVD
CVSS8.8 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS3% · P87
ActionPatch immediately
AffectedGovernment
Remediation Steps
- Audit repository access logs and audit trails for unauthorized activity
- Review any recent changes to branch protection rules or security settings
- Enable additional logging and monitoring on affected GitHub instances
References:
🛡️CVE-2026-20230 – Cisco Unified Communications Manager ✓ NVD
CVSS8.6 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS42% · P99
ActionPatch immediately
AffectedTechnology
Remediation Steps
- Apply the vendor security update for Cisco Unified Communications Manager Server as a priority.
- Restrict network exposure of the affected service to trusted sources until patched.
- Review logs and detections for indicators of exploitation.
- Confirm fixed versions against the official vendor advisory before deploying.
References:
🛡️CVE-2026-54420 – LiteSpeed CPanel Plugin ✓ NVD
CVSS8.5 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS1% · P66
ActionPatch immediately
Remediation Steps
- Apply the patch for the LiteSpeed cPanel user-end plugin to all cPanel servers
- Test patched plugin functionality in a staging environment before production deployment
- Review server logs for evidence of exploitation attempts
- Notify hosting customers of patch deployment timeline
References:
🛡️CVE-2026-20262 – Cisco Catalyst SD-WAN Manager ✓ NVD
CVSS6.5 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS8% · P94
ActionPatch immediately
AffectedDefense Technology
Remediation Steps
- Apply the vendor security update for Cisco Catalyst SD-WAN Manager as a priority.
- Restrict network exposure of the affected service to trusted sources until patched.
- Review logs and detections for indicators of exploitation.
- Confirm fixed versions against the official vendor advisory before deploying.
References:
🤖 This vulnerability report was compiled by defend.network using AI-powered analysis of vulnerability databases, vendor advisories, and threat intelligence feeds. Always verify remediation steps through official vendor channels before implementing changes in production environments.