Welcome to the May 2026 edition of the MEDITECH Customer Security Newsletter. This month, we provide critical updates on vulnerabilities added to federal catalogs and strategic intelligence on threat actors targeting essential infrastructure. Our goal is to provide you with actionable information and resources to strengthen your organization's security posture. This data has been gleaned from public CISA records and from H-ISAC and Health Sector Cybersecurity Coordination Center (HC3) alerts. Please note the Talk To Us section, as we would like to tailor future editions of the newsletter to address specific concerns.
Known Exploited Vulnerabilities
Between April 8 and May 13, 2026, CISA added 32 vulnerabilities to its "Known Exploited Vulnerabilities" (KEV) catalog. Additions are based on evidence of active exploitation in the wild, and each entry carries a required action and a remediation due date. Those due dates bind federal civilian agencies under Binding Operational Directive 22-01, but the catalog is equally useful to healthcare organizations as a prioritization signal: because these vulnerabilities are confirmed attack vectors rather than theoretical ones, they pose a significant risk to organizational security and should be patched or mitigated ahead of unexploited findings with similar CVSS scores.
| CVE Record & Severity | Targeted Product | Attack Type |
|---|---|---|
| CVE-2026-42208 (Critical) | BerriAI LiteLLM | SQL Injection |
| CVE-2026-6973 (High) | Ivanti Endpoint Manager Mobile (EPMM) | Improper Input Validation (RCE) |
| CVE-2026-0300 (Critical) | Palo Alto Networks PAN-OS | Out-of-bounds Write (Root RCE) |
| CVE-2026-31431 (High) | Linux Kernel | Incorrect Resource Transfer |
| CVE-2026-41940 (Critical) | WebPros cPanel & WHM | Missing Authentication |
| CVE-2026-32202 (Medium) | Microsoft Windows Shell | Protection Mechanism Failure |
| CVE-2024-1708 (High) | ConnectWise ScreenConnect | Path Traversal (RCE) |
| CVE-2024-57726 (Critical) | SimpleHelp | Missing Authorization |
| CVE-2024-57728 (High) | SimpleHelp | Path Traversal (RCE) |
| CVE-2024-7399 (Critical) | Samsung MagicINFO 9 Server | Path Traversal |
| CVE-2025-29635 (High) | D-Link DIR-823X | Command Injection |
| CVE-2026-39987 (Critical) | Marimo AI Notebook | Pre-auth Remote Code Execution |
| CVE-2026-33825 (High) | Microsoft Defender | Insufficient Access Control |
| CVE-2024-27199 (High) | JetBrains TeamCity | Relative Path Traversal |
| CVE-2025-32975 (Critical) | Quest KACE Systems Management Appliance | Improper Authentication |
| CVE-2026-20128 (High) | Cisco Catalyst SD-WAN Manager | Recoverable Password Storage |
| CVE-2025-48700 (Medium) | Zimbra Collaboration Suite (ZCS) | Cross-site Scripting (XSS) |
| CVE-2023-27351 (High) | PaperCut NG/MF | Improper Authentication |
| CVE-2025-2749 (High) | Kentico Xperience | Path Traversal |
| CVE-2026-20133 (High) | Cisco Catalyst SD-WAN Manager | Exposure of Sensitive Information |
| CVE-2026-20122 (Medium) | Cisco Catalyst SD-WAN Manager | Incorrect Use of Privileged APIs |
| CVE-2026-34197 (High) | Apache ActiveMQ | Improper Input Validation (RCE) |
| CVE-2026-32201 (Medium) | Microsoft SharePoint Server | Improper Input Validation (Spoofing) |
| CVE-2009-0238 (High) | Microsoft Office Excel | Remote Code Execution |
| CVE-2026-34621 (High) | Adobe Acrobat and Reader | Prototype Pollution (RCE) |
| CVE-2026-21643 (Critical) | Fortinet FortiClient EMS | SQL Injection (RCE) |
| CVE-2020-9715 (High) | Adobe Acrobat | Use-After-Free (RCE) |
| CVE-2023-36424 (High) | Microsoft Windows (CLFS) | Out-of-Bounds Read |
| CVE-2023-21529 (High) | Microsoft Exchange Server | Insecure Deserialization (RCE) |
| CVE-2025-60710 (High) | Microsoft Windows | Link Following (Privilege Escalation) |
| CVE-2012-1854 (High) | Microsoft VBA | Insecure Library Loading (RCE) |
| CVE-2026-1340 (Critical) | Ivanti Endpoint Manager Mobile (EPMM) | Code Injection (RCE) |
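The practical step behind a table like the one above is to compare the catalog against what you actually run, rather than reading 32 rows by hand. The script below is an added example written for this newsletter, not MEDITECH or CISA code. It parses the KEV feed's published JSON schema (a top-level "vulnerabilities" list whose entries carry cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse) and matches it against a hypothetical asset inventory. The embedded feed is a constructed sample in that schema: the CVE IDs and products come from the table, but the dates and ransomware flags are placeholders, not the catalog's real values.

```python
"""Match CISA KEV catalog entries against a local product inventory.

Added example for the newsletter, not MEDITECH's or CISA's code. The JSON
schema used here (top-level "vulnerabilities" list with cveID, vendorProject,
product, dateAdded, dueDate and knownRansomwareCampaignUse) is the one CISA
publishes at KEV_URL; SAMPLE_FEED is a constructed stand-in for that download.
"""
import json
from datetime import date

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the feed's schema. CVE IDs and products are taken from
# the table above; dateAdded, dueDate and the ransomware flag are placeholders
# chosen to exercise the sorting below, NOT the catalog's actual values.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-6973", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile (EPMM)",
         "dateAdded": "2026-04-20", "dueDate": "2026-05-11",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-1708", "vendorProject": "ConnectWise",
         "product": "ScreenConnect",
         "dateAdded": "2026-04-28", "dueDate": "2026-05-19",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet",
         "product": "FortiClient EMS",
         "dateAdded": "2026-05-06", "dueDate": "2026-05-27",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Hypothetical inventory: every keyword must appear in vendorProject + product
# (case-insensitive) for a KEV entry to count as present in the environment.
INVENTORY = [
    {"asset": "helpdesk-remote-01", "match": ["connectwise", "screenconnect"]},
    {"asset": "mdm-prod", "match": ["ivanti", "endpoint manager mobile"]},
]


def load_kev(raw_json: str) -> list:
    """Parse a KEV feed document and return its vulnerability entries."""
    return json.loads(raw_json)["vulnerabilities"]


def match_inventory(entries, inventory, today: date) -> list:
    """Return one hit per (asset, CVE) pair, most urgent first.

    days_left is the number of days until the KEV due date; a negative value
    means the federal remediation deadline has already passed.
    """
    hits = []
    for entry in entries:
        haystack = f"{entry['vendorProject']} {entry['product']}".lower()
        for item in inventory:
            if all(keyword in haystack for keyword in item["match"]):
                due = date.fromisoformat(entry["dueDate"])
                hits.append({
                    "asset": item["asset"],
                    "cve": entry["cveID"],
                    "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                    "days_left": (due - today).days,
                })
    # Overdue items first; among equal deadlines, ransomware-linked CVEs first.
    hits.sort(key=lambda h: (h["days_left"], not h["ransomware"]))
    return hits


def run_sample(today_iso: str = "2026-05-13") -> list:
    """Convenience wrapper: match the constructed feed against INVENTORY."""
    return match_inventory(load_kev(SAMPLE_FEED), INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    # To use the live catalog, fetch KEV_URL and pass its body to load_kev()
    # in place of SAMPLE_FEED.
    for hit in run_sample():
        flag = " [ransomware]" if hit["ransomware"] else ""
        print(f"{hit['asset']:20} {hit['cve']:16} due in {hit['days_left']:>3} days{flag}")
```

With the placeholder dates, the EPMM entry is already two days overdue on May 13 and sorts to the top, ahead of the ScreenConnect entry that is still within its window; the FortiClient EMS entry produces no hit because nothing in the inventory matches it. Keyword matching on vendor and product strings is deliberately loose; a real deployment should key on CPE or software-inventory identifiers where available.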
Threat Actor Spotlight: Handala (The Pro-Iranian "Faketivist" Group)
Since emerging in December 2023, the threat actor known as Handala (also stylized as Handala_hack) has transitioned from regional targeting to launching major disruptive operations against U.S. critical infrastructure. While the group presents itself as an independent, pro-Palestinian hacktivist collective, security analysts identify it as a "faketivist" front—a persona operated by Iranian state-linked clusters such as Void Manticore (also known as Red Sandstorm or Banished Kitten) to provide the regime with plausible deniability.
- Targeting Strategy: Handala prioritizes sectors with high societal and operational impact, particularly healthcare and energy. Their selection process favors targets whose compromise offers high media visibility, intended to create reputational damage and widespread psychological distress.
- Operational Behavior (May 2026 Update): During March and April 2026, the group demonstrated "Living off the Land" (LotL) tradecraft, abusing legitimate enterprise administration tooling rather than custom malware for its most disruptive action. In a significant escalation on March 11, 2026, the group claimed responsibility for a massive wiper attack on the medical technology firm Stryker, allegedly impacting over 200,000 systems globally by abusing enterprise management tools like Microsoft Intune to issue bulk factory reset commands.
- Tactics and Techniques: The group relies heavily on initial access through spear-phishing and the exploitation of exposed credentials or compromised VPN infrastructure. Unlike traditional ransomware gangs, Handala often deploys destructive wipers (such as the Hamsa or Hatef tools) designed to permanently erase data rather than encrypt it for profit. Their operations are frequently paired with "hack and leak" activities, including the public doxxing of defense engineers and high-ranking government officials to amplify the perceived scale of the breach.
- Proactive Defense: Mitigation strategies should focus on eliminating internet-facing administrative interfaces and implementing phishing-resistant multi-factor authentication (MFA). Given the reported abuse of Intune, organizations should also treat the MDM console as a destructive-action capability: limit the roles that can issue device wipe, retire or factory reset commands, require just-in-time elevation for those roles, and alert on bursts of remote actions from a single administrator account. Finally, maintain immutable, off-site backups to ensure recovery in the event of a pure data-destruction (wiper) event, since a wiper leaves nothing to negotiate over.
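The bulk-reset scenario described in this spotlight has a simple detection signature: many destructive device actions from one account in a short window. The script below is an added example written for this newsletter, not MEDITECH's or Microsoft's code, and not a claim about the Intune audit log format. It runs a per-actor sliding-window count over a constructed audit-event sample in a simplified schema (timestamp, actor, action, device); map the field names of your own MDM audit export onto that shape before use.

```python
"""Flag bursts of device wipe / factory-reset actions in MDM audit events.

Added example for the newsletter. The four-field event shape used here
(timestamp, actor, action, device) is a simplified constructed schema, not
the Intune audit log format; adapt the field mapping to your export.
"""
from collections import deque
from datetime import datetime, timedelta

# Actions treated as destructive. Names are assumptions for this example;
# use the action names your MDM actually logs.
DESTRUCTIVE_ACTIONS = {"wipe", "factoryreset", "retire"}

# Constructed sample: a helpdesk account performs one wipe among routine
# reboots, while a second account issues six wipes inside ninety seconds.
SAMPLE_EVENTS = [
    ("2026-03-11T02:00:05Z", "svc-helpdesk@example.com", "reboot", "LT-0101"),
    ("2026-03-11T02:00:12Z", "svc-helpdesk@example.com", "wipe", "LT-0102"),
    ("2026-03-11T02:03:40Z", "svc-helpdesk@example.com", "reboot", "LT-0103"),
    ("2026-03-11T02:14:00Z", "it-admin@example.com", "wipe", "LT-0201"),
    ("2026-03-11T02:14:09Z", "it-admin@example.com", "wipe", "LT-0202"),
    ("2026-03-11T02:14:17Z", "it-admin@example.com", "wipe", "LT-0203"),
    ("2026-03-11T02:14:30Z", "it-admin@example.com", "wipe", "LT-0204"),
    ("2026-03-11T02:14:41Z", "it-admin@example.com", "wipe", "LT-0205"),
    ("2026-03-11T02:15:02Z", "it-admin@example.com", "wipe", "LT-0206"),
    ("2026-03-11T02:40:00Z", "svc-helpdesk@example.com", "reboot", "LT-0104"),
]


def _parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_bulk_wipes(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per actor whose destructive actions reach `threshold`
    within any `window`-long span. Each alert lists the devices in that span.

    Non-destructive actions are ignored; events may arrive unsorted.
    """
    recent = {}        # actor -> deque of (timestamp, device) inside the window
    alerted = set()    # one alert per actor per run keeps output readable
    alerts = []
    for ts, actor, action, device in sorted(events, key=lambda e: e[0]):
        if action.lower() not in DESTRUCTIVE_ACTIONS:
            continue
        now = _parse_ts(ts)
        queue = recent.setdefault(actor, deque())
        queue.append((now, device))
        # Drop entries that have aged out of the sliding window.
        while now - queue[0][0] > window:
            queue.popleft()
        if len(queue) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append({
                "actor": actor,
                "start": queue[0][0].isoformat(),
                "end": now.isoformat(),
                "devices": [d for _, d in queue],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_wipes(SAMPLE_EVENTS):
        print(f"{alert['actor']}: {len(alert['devices'])} destructive actions "
              f"between {alert['start']} and {alert['end']}: {alert['devices']}")
```

On the sample, it-admin@example.com trips the alert at its fifth wipe while the helpdesk account's single wipe does not. Tune the window and threshold to your own change-management baseline: a planned device refresh may legitimately wipe dozens of endpoints, but it should correlate with a change ticket, not with an administrator signing in from new infrastructure at 2 a.m.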
News
Securing the Autonomous Frontier: Strategic Guidance for Agentic AI Adoption
CISA and its international partners urge organizations to integrate agentic AI into established cybersecurity frameworks—prioritizing least-privilege access, cryptographically secured identities, and human-in-the-loop checkpoints—to mitigate the unique risks of privilege creep and emergent autonomous behaviors.
Health Sector Resilience in the Claude Mythos
Health-ISAC and Quest Diagnostics highlight the systemic shift in healthcare risk posed by Claude Mythos—an Anthropic AI model with unprecedented autonomous capabilities for zero-day vulnerability discovery and weaponization—and warn that the global proliferation of such unregulated tools by late 2026 will drastically lower the barrier for sophisticated cyberattacks against critical infrastructure.
Additional Resources
- HHS 405(d) Aligning Health Care Industry Security Approaches - The 405(d) Program and Task Group is a collaborative effort between industry and the federal government, which aims to raise awareness, provide vetted cybersecurity practices, and move healthcare organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the sector. Their website provides the latest resources and information as well as an opportunity for involvement.
- Helpful resources CISA has provided can be found on the following pages:
Talk to us!
We at MEDITECH would love to hear your feedback about this newsletter and we’d like to know what is on your mind. Is there something you would like us to address?
We also have a question for you that is important to us. What are your largest concerns or security hopes for 2026?
Please let us know by contacting us!
Until next time, stay alert out there!
