Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks
Drupal released security updates for CVE-2026-9082, a highly critical flaw affecting sites that use PostgreSQL databases. An anonymous attacker can send crafted requests that lead to SQL injection, information disclosure, and privilege escalation, and in some cases remote code execution. Teams running Drupal should update supported branches immediately; unsupported Drupal 8 and 9 deployments should be treated as higher risk even where best-effort patches are available. Because the advisory is scoped to PostgreSQL-backed sites, the first triage step is an inventory of which deployments actually use that driver, and the combination of anonymous exploitability and a path to RCE makes this a priority patch for any PostgreSQL-backed Drupal site exposed to untrusted traffic.
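One way to run that inventory across a fleet of Drupal roots, as an added example that is not part of the original post or of Drupal's own tooling: read the database driver out of sites/default/settings.php and the core version out of core/lib/Drupal.php (both real Drupal file locations), then classify each site. The settings fragments and version strings below are constructed samples, and the fixed-release numbers are not on this page, so the script takes them as a caller-supplied mapping from the Drupal advisory rather than hardcoding any.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of a sites/default/settings.php fragment for a PostgreSQL-backed site.
# The array layout mirrors the real Drupal settings format; the values are made up.
SAMPLE_SETTINGS_PGSQL = r"""
$databases['default']['default'] = [
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'not-a-real-password',
  'host' => 'db.internal',
  'port' => '5432',
  'driver' => 'pgsql',
  'prefix' => '',
];
"""

# Constructed sample using the older array() syntax and the MySQL driver.
SAMPLE_SETTINGS_MYSQL = r"""
$databases['default']['default'] = array(
  'driver' => 'mysql',
  'database' => 'drupal',
  'host' => 'localhost',
);
"""

# Constructed fragments mirroring core/lib/Drupal.php, where core declares its VERSION constant.
SAMPLE_DRUPAL_PHP_9 = "class Drupal {\n  const VERSION = '9.5.11';\n}\n"
SAMPLE_DRUPAL_PHP_10 = "class Drupal {\n  const VERSION = '10.3.2';\n}\n"

DRIVER_RE = re.compile(r"""['"]driver['"]\s*=>\s*['"]([A-Za-z0-9_]+)['"]""")
VERSION_RE = re.compile(r"""const\s+VERSION\s*=\s*['"](\d+(?:\.\d+)*)['"]""")

# Per the advisory summary, Drupal 8 and 9 are out of support.
UNSUPPORTED_MAJORS = {8, 9}


def db_driver(settings_php: str) -> Optional[str]:
    """Return the driver of the first $databases entry, or None if not found.
    Caveat: sites with several connections (e.g. a migrate source) or with the
    database block moved into settings.local.php need both files checked."""
    m = DRIVER_RE.search(settings_php)
    return m.group(1) if m else None


def core_version(drupal_php: str) -> Optional[tuple]:
    """Parse the VERSION constant from core/lib/Drupal.php into a comparable tuple."""
    m = VERSION_RE.search(drupal_php)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


@dataclass
class Triage:
    driver: Optional[str]
    version: Optional[tuple]
    status: str  # not_affected | unsupported_branch | below_fixed | patched | unknown_fixed_version | unknown


def triage_site(settings_php: str, drupal_php: str,
                fixed_versions: Optional[dict] = None) -> Triage:
    """Classify one Drupal root for this PostgreSQL-only advisory.
    fixed_versions maps major -> first fixed release tuple. The page does not list the
    fixed releases, so the caller supplies them from the Drupal advisory; any values
    used in tests are hypothetical."""
    driver = db_driver(settings_php)
    version = core_version(drupal_php)
    if driver is None or version is None:
        return Triage(driver, version, "unknown")
    if driver != "pgsql":
        return Triage(driver, version, "not_affected")
    major = version[0]
    if major in UNSUPPORTED_MAJORS:
        return Triage(driver, version, "unsupported_branch")
    fixed = (fixed_versions or {}).get(major)
    if fixed is None:
        return Triage(driver, version, "unknown_fixed_version")
    return Triage(driver, version, "patched" if version >= fixed else "below_fixed")


if __name__ == "__main__":
    for label, s, d in [("pgsql/9.x", SAMPLE_SETTINGS_PGSQL, SAMPLE_DRUPAL_PHP_9),
                        ("mysql/10.x", SAMPLE_SETTINGS_MYSQL, SAMPLE_DRUPAL_PHP_10)]:
        print(label, triage_site(s, d))
```

In practice the two file contents come from each web root (or from a configuration-management inventory), and a site whose driver cannot be determined should be treated as PostgreSQL until proven otherwise rather than silently skipped.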
Microsoft Patches Exploited UnDefend and RedSun Defender Zero-Days
Microsoft released fixes for two Microsoft Defender vulnerabilities that have been exploited in the wild: CVE-2026-41091, which can allow local privilege escalation to SYSTEM, and CVE-2026-45498, which can trigger denial of service. CISA has added both to its Known Exploited Vulnerabilities catalog. The flaws are attributed to the same researcher behind the earlier BlueHammer, MiniPlasma, and GreenPlasma disclosures, continuing a streak of Windows and Defender zero-days published in protest of Microsoft's bug bounty program. Security teams should confirm Defender Antimalware Platform updates are current; platform updates ship separately from the monthly cumulative update, so a host that is current on Windows patches can still be running an old platform (the AMProductVersion field of Get-MpComputerStatus reports the installed platform version), and systems where endpoint protection updates lag behind normal patching cycles deserve particular attention.
Hackers Bypass SonicWall VPN MFA Due to Incomplete Patching
ReliaQuest reported intrusions in which attackers brute-forced credentials and bypassed MFA on SonicWall Gen6 SSL-VPN appliances affected by CVE-2024-12802; observed activity included reconnaissance, RDP access, attempted Cobalt Strike deployment, and behavior consistent with initial access broker operations. SonicWall has clarified that firmware updates alone do not fully mitigate the issue on Gen6 devices; administrators also need to manually reconfigure LDAP settings, so appliances that appear patched may still be exposed. Teams running affected hardware should verify both the firmware version and the required LDAP configuration change before considering the issue resolved, and, since the observed activity continued past authentication, should review SSL-VPN login records for successful sessions from unfamiliar sources during any window in which the appliance was firmware-patched but not yet reconfigured.
Webworm APT Targets European Government Organizations With New Backdoors
ESET reported that Webworm, a China-aligned APT group also tracked as Space Pirates and UAT-8302, has expanded its targeting from Asia into European government organizations across Belgium, Italy, Poland, Serbia, and Spain; recovered command-and-control messages show reconnaissance against more than 50 targets. Researchers identified two new backdoors, EchoCreep and GraphWorm, both of which abuse legitimate platforms including Discord, GitHub, Microsoft Graph, OneDrive, and AWS S3 so that C2 traffic blends into normal cloud activity. Because those destinations are legitimate and usually allowed, destination block-lists offer little; detection has to lean on traffic shape, such as regular polling intervals, and on which process on the host is making the requests. The expansion into European government targets is a meaningful shift in the group's operational scope and signals broader interest in NATO-aligned institutions.
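As an added example of the traffic-shape angle (not code from the ESET report or from the malware), the following scans proxy log lines for hosts talking to the named cloud platforms and flags pairs whose inter-request gaps are nearly constant, which is what a fixed-interval beacon with small jitter looks like. The log format, the IP addresses, and the concrete hostnames listed for GitHub, OneDrive, and S3 are assumptions; the sample traffic is constructed inside the block.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Platforms the report names as C2 carriers. All are legitimate, so a request to one of
# them is not a finding by itself. The specific hostnames are assumed, not from the report.
ABUSED_PLATFORMS = {
    "discord.com", "api.github.com", "raw.githubusercontent.com",
    "graph.microsoft.com", "onedrive.live.com", "s3.amazonaws.com",
}


def parse_line(line: str):
    """Parse one constructed proxy log line: '<iso8601> <src_ip> <dest_host> <bytes>'."""
    ts, src, host, size = line.split()
    return datetime.fromisoformat(ts), src, host, int(size)


def on_abused_platform(host: str) -> bool:
    """Match the host or any subdomain of a listed platform."""
    return any(host == p or host.endswith("." + p) for p in ABUSED_PLATFORMS)


def beacon_candidates(lines, min_hits=8, max_cv=0.15):
    """Flag (src, host) pairs whose request timing is too regular for a human.
    cv = population stddev / mean of the gaps between consecutive requests:
    a fixed-interval beacon with a few seconds of jitter gives cv near 0,
    while interactive use gives cv well above 1."""
    stamps = defaultdict(list)
    for line in lines:
        ts, src, host, _ = parse_line(line)
        if on_abused_platform(host):
            stamps[(src, host)].append(ts)
    findings = []
    for (src, host), times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "host": host, "hits": len(times),
                             "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return findings


def constructed_proxy_log():
    """Constructed sample (not real traffic): one host polling Graph every ~300 s with a
    few seconds of jitter, one host using GitHub interactively, plus an unrelated request."""
    base = datetime(2026, 5, 20, 9, 0, tzinfo=timezone.utc)
    lines = []
    jitter = [0, 3, -2, 4, -4, 1, -3, 2, 0, -1, 3, -2]
    for i, j in enumerate(jitter):
        t = base + timedelta(seconds=300 * i + j)
        lines.append(f"{t.isoformat()} 10.1.2.3 graph.microsoft.com 412")
    for o in [0, 12, 15, 900, 905, 3600, 3610, 3700, 7200, 7203]:
        t = base + timedelta(seconds=o)
        lines.append(f"{t.isoformat()} 10.1.2.9 api.github.com 2048")
    lines.append(f"{base.isoformat()} 10.1.2.3 www.example.com 1500")
    return lines


if __name__ == "__main__":
    for f in beacon_candidates(constructed_proxy_log()):
        print(f)
```

The regularity test catches only the simplest beacon; implants that add large random jitter, that poll only on user activity, or that are triggered by an inbound message through the platform will not show up this way. Treat a hit as a lead to correlate with the process making the request and with how rare that destination is for that host, not as a verdict.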
7-Eleven Confirms Breach After ShinyHunters Claims
7-Eleven confirmed that attackers breached systems used to store franchisee documents, with stolen information including names, addresses, and Social Security numbers, following ShinyHunters’ claim that it exfiltrated data from the company’s Salesforce environment. The company has not publicly confirmed the full scope of the compromise, leaving franchisees and affected individuals with limited visibility into what was taken and how it may be used. Large retail and franchise ecosystems present a compounded risk after breaches like this — the combination of identity data, business relationships, and distributed franchisee networks creates significant surface area for follow-on phishing, fraud, and extortion campaigns.
The post InfoSec News Nuggets 05/21/2026 appeared first on AboutDFIR – The Definitive Compendium Project.