ThreatPulse — May 14, 2026
Personalised for Ethan Andrews · Detection Engineer · Detection: KQL
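let timeframe = 7d;
// NOTE(review): confirm these image names against the deployed EPMM build. Every branch
// below keys on one of them being the initiating process, so a wrong name silently
// disables the whole detection.
let epmm_processes = dynamic(['EMM.exe', 'EMMService.exe', 'EMMAgent.exe', 'mdm.exe']);
let suspicious_extensions = dynamic(['.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.js']);
union
    // Elevated interpreter spawned by an EPMM service process.
    (DeviceProcessEvents
    | where Timestamp > ago(timeframe)
    // 'and', not 'or': the original fired on every elevated cmd/powershell/wscript on
    // every host regardless of parent. in~ keeps the image-name match case-insensitive.
    | where InitiatingProcessFileName in~ (epmm_processes)
        and ProcessCommandLine has_any ('powershell', 'cmd.exe', 'wscript', 'cscript')
    | where ProcessIntegrityLevel == 'System' or ProcessTokenElevation == 'TokenElevationTypeFull'
    | project Timestamp, DeviceId, DeviceName, ProcessId, ProcessCommandLine, InitiatingProcessFileName,
        AccountName, AccountDomain, ProcessIntegrityLevel, ProcessTokenElevation),
    // Outbound connection from an EPMM process to a public address on a remote-admin / tunnelling port.
    (DeviceNetworkEvents
    | where Timestamp > ago(timeframe)
    | where InitiatingProcessFileName in~ (epmm_processes)
    // Protocol is reported as 'Tcp' / 'Udp'; 'in' is case-sensitive, so 'tcp' never matched.
    | where RemoteIPType == 'Public' and Protocol in~ ('tcp', 'udp')
    | where RemotePort in (22, 23, 3389, 4444, 5555, 8080, 8443, 9090)
    | project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl,
        InitiatingProcessCommandLine),
    // Executable content written by an EPMM process into system locations.
    (DeviceFileEvents
    | where Timestamp > ago(timeframe)
    | where InitiatingProcessFileName in~ (epmm_processes)
    | where ActionType in ('FileCreated', 'FileModified')
    // Verbatim strings: as rendered, the original '\\\\Windows\\\\System32' decodes to two
    // literal backslashes per separator and does not match a real path.
    | where FolderPath has_any (@'\Windows\System32', @'\Windows\Temp', @'\ProgramData')
    | where FileName has_any (suspicious_extensions)
    | project Timestamp, DeviceId, DeviceName, FolderPath, FileName, InitiatingProcessFileName, ActionType, SHA256)
// Per-device hourly volume. Now that the process branch is parent-scoped the '> 5'
// threshold is far stricter than before; re-tune it against a baseline before relying on it.
| summarize EventCount = count() by DeviceId, DeviceName, bin(Timestamp, 1h)
| where EventCount > 5
| limit 1000

Detects exploitation attempts against Ivanti EPMM CVE-2026-6973, a remote code execution vulnerability affecting versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1 that requires administrative authentication. Identifies suspicious process execution, network connections, and file modifications originating from EPMM services or administrative accounts with unusual behavior patterns.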
Affected Products: Ivanti Endpoint Manager Mobile (EPMM) · Windows · Azure
MITRE ATT&CK

Correlates suspicious process execution, elevated privilege operations, and anomalous network/file activity originating from known EPMM service processes or administrative accounts. Flags system-level process creation, public IP connections on non-standard ports, and file modifications in sensitive directories within a 7-day window. Aggregates events by device and time to identify coordinated exploitation patterns.
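let ElecomDevicePatterns = dynamic(['elecom', 'wrc-', 'wlc-', '192.168.100', '192.168.0']);
let SuspiciousUrls = dynamic(['/admin', '/cgi-bin', '/config', '/status', '/system', '/network', '/wireless']);
let TimeWindow = 7d;
// NOTE(review): the 192.168.0.x / 192.168.100.x match also catches every non-ELECOM device
// on those common ranges; scope it to the subnets where ELECOM APs actually live.
DeviceNetworkEvents
| where Timestamp > ago(TimeWindow)
| where RemoteUrl has_any (ElecomDevicePatterns) or RemoteIP matches regex @'^192\.168\.(0|100)\.'
| where ActionType in ('ConnectionSuccess', 'ConnectionAttempt', 'InboundConnectionAccepted')
| where RemotePort in (80, 443, 8080, 8443)
// Kept as a per-event flag instead of a second union branch: the original's second branch
// was a strict subset of the first, so every hit on an admin path was counted twice and
// the 'ConnectionCount >= 2' filter passed on a single event.
| extend AdminPath = RemoteUrl has_any (SuspiciousUrls)
| summarize ConnectionCount = count(),
    AdminPathHits = countif(AdminPath),
    UniqueProcesses = dcount(InitiatingProcessFileName),
    Processes = make_set(InitiatingProcessFileName),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, RemoteIP, RemoteUrl, Protocol
| where ConnectionCount >= 2
// ConnectionCount is retained (the original projected it away after filtering on it);
// the count and AdminPathHits are what an analyst needs to triage the row.
| limit 1000

Detects unauthorized access attempts to ELECOM wireless LAN access point devices via unauthenticated URLs, which may indicate exploitation of CVE-2026-40621. Monitors for network connections to known ELECOM device IP ranges and suspicious HTTP/HTTPS requests lacking authentication headers.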
Affected Products: ELECOM wireless LAN access point devices · ELECOM WRC series · ELECOM WLC series
MITRE ATT&CK

Legitimate administrative access from authorized IT personnel or network management tools may trigger alerts. Whitelist known management workstations and scheduled network monitoring tasks. Filter out connections from internal network management subnets. Note: This detection supports manufacturing industry compliance frameworks (IEC 62443, NIST Cybersecurity Framework) for supply chain risk management and asset inventory controls.
Detection Logic: Identifies network connections from endpoints to ELECOM wireless LAN access point devices (identified by known IP ranges, hostnames, and URL patterns) attempting to access unauthenticated administrative URLs. Correlates multiple connection attempts to the same device/URL combination to filter noise and identify potential exploitation patterns.
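let timeframe = 7d;
let suspicious_helm_patterns = dynamic(['helm', 'kubectl', 'git', 'gitrepo']);
// NOTE(review): declared but not referenced by any branch below.
let secret_keywords = dynamic(['secret', 'password', 'token', 'credential', 'apikey', 'aws_', 'azure_']);
// NOTE(review): Fleet's Helm deployer runs inside the cluster; the device tables only see
// operator workstations, and no branch here looks at container image deployments although
// the description says so. Treat this as a workstation / source-control side detection.
union
    // helm / kubectl / git invoked with impersonation or ServiceAccount arguments.
    (DeviceProcessEvents
    | where TimeGenerated > ago(timeframe)
    | where ProcessCommandLine has_any (suspicious_helm_patterns)
    | where ProcessCommandLine matches regex @'(?i)(serviceaccount|impersonate|--as=|--as-group)'
    | project Timestamp, DeviceId, DeviceName, ProcessCommandLine, AccountName, ProcessId, FileName, ActionType),
    // Secret / config material written under Kubernetes tooling paths.
    // NOTE(review): 'config' also matches ~/.kube/config, which kubectl rewrites on routine use.
    (DeviceFileEvents
    | where TimeGenerated > ago(timeframe)
    | where FolderPath matches regex @'(?i)(kubernetes|k8s|helm|\.kube)'
    | where FileName matches regex @'(?i)(secret|config|token|credential)'
    | where ActionType in ('FileCreated', 'FileModified')
    | project Timestamp, DeviceId, DeviceName, FolderPath, FileName, ActionType, AccountName),
    // Kubernetes API / source-control / registry traffic from those tools.
    (DeviceNetworkEvents
    | where TimeGenerated > ago(timeframe)
    | where InitiatingProcessCommandLine has_any (suspicious_helm_patterns) or InitiatingProcessFileName has_any (suspicious_helm_patterns)
    | where RemoteUrl matches regex @'(?i)(kubernetes|k8s|api\.github|registry)'
    | project Timestamp, DeviceId, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType),
    // Pushes and secret operations in the source-control apps Fleet deploys from.
    // Columns are aliased onto the grouping keys used by the device tables: the original
    // projected neither DeviceName, AccountName nor ActionType here, so the summarize
    // collapsed every cloud-app row into one group with empty keys and no event type.
    // NOTE(review): confirm the Operation values against the connector's real event names.
    (CloudAppEvents
    | where TimeGenerated > ago(timeframe)
    | where Application has_any ('GitHub', 'GitLab', 'Azure DevOps')
    | where ObjectName matches regex @'(?i)(secret|token|credential|gitrepo)'
    | where Operation in ('GitPushEvent', 'RepositoryPush', 'SecretAccess')
    | project Timestamp, DeviceId, DeviceName = Application, AccountName = AccountId, ActionType = Operation,
        ObjectName, Operation, RawEventData)
| summarize EventCount = count(), UniqueDevices = dcount(DeviceId), EventTypes = make_set(ActionType)
    by bin(Timestamp, 1h), DeviceName, AccountName
| where EventCount > 3
| limit 1000

CVE-2026-41050 exploits improper ServiceAccount impersonation in Fleet's Helm deployer, allowing attackers with git repository access to exfiltrate secrets across Kubernetes namespaces.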
Detection focuses on identifying suspicious container image deployments, secret access patterns, and lateral movement within Kubernetes-managed infrastructure.
Affected Products: Fleet (Helm deployer) · Kubernetes · Docker · GitHub · GitLab · Azure DevOps · Azure Kubernetes Service (AKS)
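MITRE ATT&CK

let timeWindow = 7d;
let iControlProcesses = dynamic(['icontrol', 'restd', 'tmsh']);
// NOTE(review): BIG-IP is an appliance. Confirm that the device tables actually receive
// events from the iControl host; if they do not, this query returns nothing and the gap
// should be covered from the appliance's own logs instead.
DeviceProcessEvents
| where TimeGenerated > ago(timeWindow)
| where ProcessCommandLine has_any (iControlProcesses) or InitiatingProcessFileName has_any (iControlProcesses)
// Word-bounded patterns: the original 'sh\s+' also matched 'ssh ', 'push ' and 'flush ',
// 'system' matched 'systemd' and 'exec' matched 'executable'. '(\.exe)?' lets
// 'cmd.exe /c' match, which the original missed because it required whitespace
// immediately after 'cmd'.
| where ProcessCommandLine matches regex @'(?i)\b(cmd|powershell|bash|sh|python[23]?|perl)(\.exe)?\s+'
    or ProcessCommandLine matches regex @'(?i)\b(exec|system|eval|subprocess)\b'
| project Timestamp, DeviceId, DeviceName, ProcessId, ProcessCommandLine, AccountName, AccountDomain, FileName, FolderPath, SHA256
| union (
    // Outbound traffic from the same processes to public addresses or the management ports.
    DeviceNetworkEvents
    | where TimeGenerated > ago(timeWindow)
    | where InitiatingProcessFileName has_any (iControlProcesses) or InitiatingProcessCommandLine has_any (iControlProcesses)
    | where RemoteIPType == 'Public' or RemotePort in (4443, 443, 8443)
    | project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl, Protocol, InitiatingProcessId)
| order by Timestamp desc
| limit 1000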
Detects suspicious process execution and network connections from iControl REST services that may indicate exploitation of CVE-2026-41225, where authenticated attackers with the Manager role execute arbitrary commands. Monitors for unusual command execution patterns and outbound connections originating from iControl REST processes.
Affected Products: F5 iControl REST · Windows · Docker
MITRE ATT&CK

Legitimate administrative tasks using iControl REST for configuration management may trigger alerts; whitelist known management tools and scheduled maintenance scripts. Filter by trusted source IPs and service accounts performing routine operations. Note: This detection supports SOC2 Type II (CC6.1, CC7.2) and ISO 27001 (A.12.2.1) compliance evidence for monitoring privileged account activity and detecting unauthorized command execution.
Detection Logic: Correlates DeviceProcessEvents and DeviceNetworkEvents to identify iControl REST processes spawning command interpreters (cmd, powershell, bash, python) with suspicious command patterns (exec, system, eval, subprocess), combined with outbound network connections to public IPs or non-standard ports. Focuses on authenticated session abuse by privileged accounts executing arbitrary commands post-exploitation.
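let timeframe = 7d;
let exim_processes = dynamic(['exim', 'exim4', 'eximon', 'exipick']);
// Original list plus the un-suffixed names, since Exim runs on Linux/Unix hosts where
// interpreters and netcat are not installed as '.exe'.
let suspicious_children = dynamic(['bash', 'sh', 'cmd.exe', 'powershell.exe', 'python.exe', 'perl.exe', 'nc.exe', 'ncat.exe',
    'python', 'python3', 'perl', 'nc', 'ncat']);
union
    // Exim spawning a shell, interpreter or network utility. The original declared
    // suspicious_children but never referenced it, so every Exim process was returned.
    // DeviceProcessEvents exposes the child's image as FileName; ProcessFileName is not a column.
    (DeviceProcessEvents
    | where TimeGenerated > ago(timeframe)
    | where ActionType in ('ProcessCreated', 'ProcessTerminated')
    | where InitiatingProcessFileName in~ (exim_processes) and FileName in~ (suspicious_children)
    | project Timestamp, DeviceId, DeviceName, ProcessId, ProcessFileName = FileName, ProcessCommandLine,
        InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, AccountName, AccountDomain),
    // Outbound connection from Exim that is not mail delivery. An MTA talks to remote MX
    // hosts continuously, so without this exclusion every delivery attempt was returned.
    (DeviceNetworkEvents
    | where TimeGenerated > ago(timeframe)
    | where InitiatingProcessFileName in~ (exim_processes) or InitiatingProcessCommandLine has_any (exim_processes)
    | where ActionType == 'ConnectionSuccess'
    | where RemotePort !in (25, 465, 587)
    | project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
        RemoteIP, RemotePort, RemoteUrl, Protocol, LocalIP, LocalPort),
    // Exim writing shared objects / libraries under system paths.
    // has_any ('.so', '.a') tokenises to the terms 'so' and 'a', which match far more than
    // library files; anchor on the extension instead.
    (DeviceFileEvents
    | where TimeGenerated > ago(timeframe)
    | where InitiatingProcessFileName in~ (exim_processes)
    | where ActionType in ('FileCreated', 'FileModified')
        and (FolderPath has_any ('/usr/lib', '/lib', '/opt')
            or FileName has 'gnutls'
            or FileName matches regex @'\.(so(\.\d+)*|a)$')
    | project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, FileName, FolderPath, FileSize, SHA256, ActionType)
// Each branch already filters on the window; the original's trailing repeat is dropped.
| limit 1000

This detection identifies potential exploitation of CVE-2026-45185 (Exim BDAT vulnerability) by monitoring for suspicious process execution, network connections, and file modifications associated with Exim mail services and GnuTLS libraries. The query flags abnormal Exim process behavior, unexpected child processes, and network activity that may indicate code execution attempts on vulnerable systems.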
Affected Products: Exim Mail Transfer Agent · GnuTLS · Linux/Unix systems · Docker containers running Exim
MITRE ATT&CK

Monitor for Exim process execution anomalies including: (1) Exim spawning unexpected child processes (shells, interpreters, network utilities) indicative of code execution; (2) Exim initiating suspicious network connections to non-standard ports or external IPs; (3) Exim modifying system libraries (GnuTLS, libc) or creating files in sensitive directories. Cross-correlate process, network, and file events to identify exploitation chains.
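let timeframe = 7d;
// Referenced below; the original declared this list and then matched on literals instead.
let nginx_processes = dynamic(['nginx.exe', 'nginx', 'ngx_http_rewrite_module']);
let suspicious_children = dynamic(['cmd.exe', 'powershell.exe', 'bash', 'sh', 'python.exe', 'python', 'curl', 'wget', 'nc.exe', 'ncat.exe']);
union
    // nginx spawning a shell, interpreter or download / network utility. The original also
    // carried a branch returning every nginx-related process, a superset of this one, which
    // duplicated each hit and buried the rows that matter; it is dropped.
    // DeviceProcessEvents exposes the child's image as FileName; ProcessFileName is not a column.
    (DeviceProcessEvents
    | where Timestamp > ago(timeframe)
    | where ActionType == 'ProcessCreated'
    | where InitiatingProcessFileName in~ (nginx_processes) and FileName in~ (suspicious_children)
    | project Timestamp, DeviceId, DeviceName, ProcessId, ProcessFileName = FileName, ProcessCommandLine,
        InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, AccountName, AccountDomain),
    // Outbound connection from nginx itself to a public address or a port it has no reason to use.
    // NOTE(review): a reverse proxy with public upstreams will hit the RemoteIPType branch
    // legitimately; exclude known upstreams per deployment.
    (DeviceNetworkEvents
    | where Timestamp > ago(timeframe)
    | where InitiatingProcessFileName in~ (nginx_processes) and ActionType == 'ConnectionSuccess'
    | where RemoteIPType == 'Public' or RemotePort in (4444, 5555, 6666, 7777, 8888, 9999)
    | project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
        RemoteIP, RemotePort, RemoteUrl, Protocol),
    // Windows Security log fallback for hosts without the device tables: process creation
    // (4688) where nginx is the process or its creator. 4689 (process exit) carries no signal
    // and is dropped. 'ParentImage' is the Sysmon column name; SecurityEvent 4688 exposes the
    // creator as ParentProcessName. Columns are aliased so the row lines up with the others.
    (SecurityEvent
    | where TimeGenerated > ago(timeframe)
    | where EventID == 4688
    | where Process has_any ('nginx', 'ngx') or ParentProcessName has_any ('nginx', 'ngx')
    | project Timestamp = TimeGenerated, DeviceName = Computer, Process, CommandLine, ParentProcessName, Account)
| limit 1000

Detects exploitation attempts against CVE-2026-42945, an 18-year-old NGINX rewrite module heap buffer overflow vulnerability that enables unauthenticated remote code execution. Monitors for suspicious NGINX process behavior, unexpected child processes, and network connections indicative of post-exploitation activity.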
Affected Products: NGINX Plus · NGINX Open Source · Docker (NGINX containers) · Windows (NGINX on Windows) · Linux (NGINX on Linux)
MITRE ATT&CK

Automated threat intelligence, personalised for your role.