Week of 18–22 May 2026 · Global threats decoded for Indian defenders, plus India-targeted activity
A quiet week on the headline-APT front, but a noisy one for edge infrastructure and endpoint security tooling — the exact layers Indian enterprises lean on hardest. Three CISA Known Exploited Vulnerabilities (KEV) additions and one actively exploited web-server flaw dominate this issue. All four touch software that is ubiquitous across Indian government, BFSI and enterprise estates.
1. NGINX heap overflow under active exploitation (CVE-2026-42945)
F5 disclosed a heap buffer overflow in NGINX's ngx_http_rewrite_module affecting Open Source 0.6.27–1.30.0 and NGINX Plus R32–R36. Crafted HTTP requests can crash worker processes (denial of service) and, where ASLR is disabled, achieve unauthenticated remote code execution. VulnCheck observed exploitation attempts beginning 16 May, three days after a public proof-of-concept appeared.
India exposure: NGINX fronts a very large share of India's web, API and banking portals; an unauthenticated, internet-reachable DoS-to-RCE on this layer is high-blast-radius.
Action: Upgrade to NGINX Open Source 1.31.0 / 1.30.1 or NGINX Plus R36 P4 / R32 P6. As interim mitigation, F5 advises replacing unnamed captures with named captures in rewrite definitions. AlmaLinux, Ubuntu and Debian have shipped patched packages.
Source: Help Net Security, "Attackers are exploiting critical NGINX vulnerability (CVE-2026-42945)," 18 May 2026.
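As an added illustration of the interim mitigation (this is not F5's tooling or code from the advisory), a small Python audit that finds rewrite directives still using positional captures and produces the named-capture form of each, with the $N references in the replacement renamed to match. The sample config is constructed, and the scanner assumes PCRE-style syntax and skips only escaped parentheses, character classes and (? groups.

```python
import re

# Constructed sample nginx config (not from the advisory): one rewrite in the
# unnamed-capture form F5 advises replacing, two already using named captures.
SAMPLE_CONFIG = r"""
server {
    rewrite ^/users/(\d+)/profile$ /profile.php?id=$1 last;          # positional $1
    rewrite ^/users/(?<uid>\d+)/profile$ /profile.php?id=$uid last;  # named capture
    rewrite "^/(?:old|legacy)/(?<path>.*)$" /new/$path permanent;    # nothing to change
}
"""
REWRITE_RE = re.compile(r'^\s*rewrite\s+("[^"]*"|\'[^\']*\'|\S+)\s+(\S+)')

def unnamed_group_positions(pattern):
    """Indexes of '(' opening a positional capture; ignores escaped parens,
    parens inside [...] classes and every '(?' form (named, non-capturing)."""
    positions, i, in_class = [], 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                      # skip an escaped character
            i += 2
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(" and pattern[i + 1:i + 2] != "?":
            positions.append(i)
        i += 1
    return positions

def to_named(pattern, replacement):
    """Turn each positional group into (?<cN>...) and each $N into $cN."""
    out, last = [], 0
    for n, pos in enumerate(unnamed_group_positions(pattern), 1):
        out.append(pattern[last:pos + 1] + f"?<c{n}>")
        last = pos + 1
    out.append(pattern[last:])
    return "".join(out), re.sub(r"\$(\d+)", r"$c\1", replacement)

def audit_rewrites(config_text):
    """One finding per rewrite directive, plus a suggested named form when needed."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = REWRITE_RE.match(line.split("#", 1)[0])   # naive comment strip
        if m:
            pattern, replacement = m.group(1).strip("\"'"), m.group(2)
            n = len(unnamed_group_positions(pattern))
            findings.append({"line": lineno, "regex": pattern, "unnamed": n,
                             "suggested": to_named(pattern, replacement) if n else None})
    return findings
```

Run it over the real nginx.conf and included files; the mitigation only buys time, so the upgrade still follows.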
2. Trend Micro Apex One zero-day added to CISA KEV (CVE-2026-34926) · Medium · CVSS 6.7
A relative directory-traversal flaw (CVSS 6.7) in on-premises Apex One was exploited as a zero-day. An actor with administrative access to the server can inject malicious code and propagate it to every managed endpoint through the trusted update channel — turning the EDR platform itself into a distribution mechanism. Trend Micro disclosed and patched it on 21 May; CISA added it to the KEV catalog the same day.
India exposure: Apex One is widely deployed across Indian enterprise and PSU endpoint fleets; a defender-tool compromise gives one-to-many reach across an organisation.
Action: Update on-premises Apex One to SP1 Critical Patch Build 18012 / baseline build 17079 and the corresponding agents; restrict and monitor administrative access to the management server.
Source: The Hacker News, "CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV," 22 May 2026.
3. CISA adds seven exploited vulnerabilities — including two Microsoft Defender flaws (20 May)
CISA added seven entries to its KEV catalog on evidence of active exploitation: two 2026 Microsoft Defender flaws — CVE-2026-41091 (elevation of privilege) and CVE-2026-45498 (denial of service) — alongside a cluster of legacy CVEs spanning Microsoft Windows, DirectX and Internet Explorer plus Adobe Acrobat/Reader (CVE-2008-4250, CVE-2009-1537, CVE-2009-3459, CVE-2010-0249, CVE-2010-0806). The revival of decade-old CVEs indicates attackers are still finding unpatched, end-of-life software in production.
India exposure: Legacy Windows and unpatched document/media stacks remain common in Indian manufacturing, OT-adjacent and government back-office environments where patching lags; these old CVEs are reliable footholds. The Defender entries underline that endpoint security itself is a target.
Action: Cross-check all seven CVEs against your asset inventory; prioritise the 2026 Defender entries and remediate or isolate any remaining unsupported Windows/IE/Reader systems.
Source: CISA, "CISA Adds Seven Known Exploited Vulnerabilities to Catalog," 20 May 2026.
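An added example, not the newsletter's or CISA's own tooling, of the cross-check this action calls for and of the same-week patch trigger the takeaway recommends: a Python join of KEV-feed-shaped records against a constructed asset inventory that ranks this week's additions first, newest CVEs next, and marks unsupported hosts for isolation rather than patching. Field names follow the KEV JSON feed; the due dates, hostnames and the CVE-2024-00000 placeholder record are constructed.

```python
import json

# Constructed sample shaped like CISA's KEV feed (the real feed is at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE ids are the ones named in this issue; due dates are illustrative; the last
# record uses a placeholder id purely to show an old, out-of-window entry.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-2026-41091", "vendorProject": "Microsoft", "product": "Defender",
  "dateAdded": "2026-05-20", "dueDate": "2026-06-10"},
 {"cveID": "CVE-2008-4250", "vendorProject": "Microsoft", "product": "Windows",
  "dateAdded": "2026-05-20", "dueDate": "2026-06-10"},
 {"cveID": "CVE-2026-34926", "vendorProject": "Trend Micro", "product": "Apex One",
  "dateAdded": "2026-05-21", "dueDate": "2026-06-11"},
 {"cveID": "CVE-2024-00000", "vendorProject": "Microsoft", "product": "Windows",
  "dateAdded": "2024-01-01", "dueDate": "2024-01-15"}
]}""")

# Constructed asset inventory: vendor/product strings as a CMDB would hold them.
INVENTORY = [
    {"host": "web-01", "vendor": "F5", "product": "NGINX", "eol": False},
    {"host": "epp-mgr", "vendor": "Trend Micro", "product": "Apex One", "eol": False},
    {"host": "plant-hmi-3", "vendor": "Microsoft", "product": "Windows XP", "eol": True},
    {"host": "desk-117", "vendor": "Microsoft", "product": "Defender", "eol": False},
]

def matches(kev_entry, asset):
    """Heuristic: same vendor, and either product name contains the other."""
    kp, ap = kev_entry["product"].lower(), asset["product"].lower()
    return kev_entry["vendorProject"].lower() == asset["vendor"].lower() and (kp in ap or ap in kp)

def cross_check(kev, inventory, week_start, week_end):
    """Join KEV entries to assets. Order: this week's additions first, newer CVE
    years next, then due date. week_start/week_end are ISO date strings, which
    compare correctly as plain strings. Unsupported assets get an isolate action."""
    hits = []
    for v in kev["vulnerabilities"]:
        for a in inventory:
            if matches(v, a):
                hits.append({"host": a["host"], "cveID": v["cveID"],
                             "dueDate": v["dueDate"],
                             "this_week": week_start <= v["dateAdded"] <= week_end,
                             "action": "isolate or decommission" if a["eol"] else "patch"})
    hits.sort(key=lambda h: (not h["this_week"], -int(h["cveID"].split("-")[1]), h["dueDate"]))
    return hits
```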
4. Langflow AI-builder flaw flagged as exploited (CVE-2025-34291, KEV 21 May)
CISA added an origin-validation error in Langflow — a popular low-code framework for building LLM and agentic applications — to the KEV catalog on 21 May, alongside the Apex One entry. Origin-validation weaknesses in such tooling can let attackers reach internal AI workflow components that were assumed to be trusted.
India exposure: Indian enterprises and startups are rapidly standing up LLM/agent pipelines, often on self-hosted open-source tooling like Langflow placed behind weak network controls; this is exactly the new attack surface CERT-In has been warning about.
Action: Inventory any Langflow deployments, apply the vendor fix, and keep AI-builder and orchestration tooling off the public internet behind authentication and network segmentation.
Source: CISA, "CISA Adds Two Known Exploited Vulnerabilities to Catalog," 21 May 2026.
The takeaway: This week's risk lived in the plumbing — web servers, endpoint security agents, legacy Windows and AI build tooling — not in any single named adversary. For Indian defenders the lesson is consistency over drama: keep an accurate asset inventory, treat KEV additions as a same-week patch trigger, and remember that your security tooling and emerging AI stack are now in the attacker's target set too. NGINX and Apex One should be patched first.
Nirad Bharat Threat Feed | Bharat-first threat intelligence