IT, Telecom & Cyber · International (Houston)

Verify Supplier Patching, SSO Controls, and Switch Sourcing Options

Published May 27, 2026, 5:09 AM CSTINTERNATIONALFull category signal
Ask AI
CISA gives feds 4 days to patch actively exploited cPanel plugin flaw

In 60 seconds

Top move

CISA issued a federal directive forcing quick patching of an actively exploited LiteSpeed cPanel plugin; hosting and managed‑service providers should be treated as remediation owners until they provide explicit patch or mitigation evidence

Key takeaways

  • CISA issued a federal directive forcing quick patching of an actively exploited LiteSpeed cPanel plugin; hosting and managed‑service providers should be treated as remediation owners until they provide explicit patch or mitigation evidence.[1]
  • A KnowledgeDeliver LMS zero‑day used identical pre‑shared machine keys to install persistent web shells, so hosted LMS suppliers and any shared‑key configurations must be assumed compromised until vendors prove key rotation and cleanup.[4]
  • Charter confirmed an incident tied to a voice‑phishing compromise of a Microsoft Entra (SSO) account with claims of mass data export; buyers need supplier attestations for SSO token revocation, audit logs, and cross‑SaaS containment procedures.[5]
  • Cisco’s move to support the open SONiC network OS on Nexus 9000 switches creates a practical alternate sourcing lever for datacenter switching—add SONiC compatibility checks to upcoming RFPs to preserve negotiation options.[3]
  • Microsoft released an optional Windows 11 preview update that includes Secure Boot certificate rollouts and calls out related server lookup issues; coordinate endpoint testing and supplier validation before broad rollouts to avoid unexpected service impacts.[2]

What changed since last run

  • CISA issued a Binding Operational Directive specifically for a LiteSpeed cPanel plugin (new federal patching mandate not present in the prior brief).
  • Confirmed exploitation of a KnowledgeDeliver LMS zero‑day using shared machine keys (a new supply‑side configuration and persistence risk to hosted LMS suppliers).
  • Charter publicly acknowledged an SSO‑linked breach with extortion claims, introducing fresh SaaS/SSO supplier incident considerations.

Key facts

  • CISA Binding Operational Directive with a federal patching window
  • CVE‑2026‑48172: privilege escalation via lsws.redisAble mishandling
  • Vendor guidance to apply mitigations or discontinue product where mitigations are unavailable
  • Critical zero‑day in KnowledgeDeliver exploited to deploy Godzilla web shell
  • Attack leveraged identical pre‑shared ASP.NET machine keys across deployments
  • Exploitation enabled unauthenticated remote code execution and persistence

Why it matters

CISA issued a federal directive forcing quick patching of an actively exploited LiteSpeed cPanel plugin; hosting and managed‑service providers should be treated as remediation owners until they provide explicit patch or mitigation evidence. A KnowledgeDeliver LMS zero‑day used identical pre‑shared machine keys to install persistent web shells, so hosted LMS suppliers and any shared‑key configurations must be assumed compromised until vendors prove key rotation and cleanup. Charter confirmed an incident tied to a voice‑phishing compromise of a Microsoft Entra (SSO) account with claims of mass data export; buyers need supplier attestations for SSO token revocation, audit logs, and cross‑SaaS containment procedures. Cisco’s move to support the open SONiC network OS on Nexus 9000 switches creates a practical alternate sourcing lever for datacenter switching—add SONiC compatibility checks to upcoming RFPs to preserve negotiation options

Cost / money

  • Expect near‑term remediation and emergency support spend from hosting suppliers operating cPanel/LiteSpeed as buyers require proof‑of‑patch or compensating mitigations.[1]
  • Incident response, containment, and forensic work for LMS web‑shell infections and vishing‑based SSO compromises will increase IR and recovery costs for both buyers and affected suppliers.[4]

Supplier / commercial

  • Hosting and managed‑service providers with cPanel/LiteSpeed may narrow quote validity or charge premiums for expedited maintenance; buyers can use proof‑of‑patch requirements and short remediation acceptance windows to manage pricing posture.[1]
  • Telecom and SaaS suppliers with SSO integrations (example: Charter) will face pressure to provide token/session revocation support and cooperative forensics; expect buyers to push for incident cooperation SLAs and evidence clauses.[5]
  • Cisco’s SONiC support opens procurement leverage: require NOS flexibility and clarified support models in RFPs to test single‑vendor consolidation assumptions and supplier bundling.[3]

Safety / operations

  • The LiteSpeed cPanel flaw permits remote privilege escalation to root, so operations must isolate affected servers, validate backups, and demand eradication evidence to avoid persistent backdoors.[1]
  • KnowledgeDeliver instances using identical pre‑shared ASP.NET machine keys enable unauthenticated remote code execution and persistence; treat affected LMS deployments as compromised until vendors prove key rotation and web‑shell removal.[4]

What to watch

  • Public extortion listings (ShinyHunters, Play) can trigger regulatory notification, contractual disputes, and supplier blame games; verify supplier notification timelines and breach coverage because public claims often outpace forensic confirmation.[5]

Top stories

Story 1BleepingComputerMay 27, 2026

CISA gives feds 4 days to patch actively exploited cPanel plugin flaw

Signal strongSource-grounded
Source notes [1]Read source

What happened

CISA issued a Binding Operational Directive giving federal agencies four days to patch an actively exploited LiteSpeed cPanel user‑end plugin (CVE‑2026‑48172) that enables privilege escalation. The advisory highlights a Redis enable/disable mishandling in lsws.redisAble and urges applying vendor mitigations or discontinuing use where unavailable. Operationally, hosting and managed‑service providers running cPanel/LiteSpeed must confirm patch status and be prepared for mitigations that could affect uptime; watch supplier remediation timelines and rollback plans

Buyer takeaway

Treat supplier patch confirmation as a compliance and delivery item; require suppliers to prove remediation or provide approved mitigations before normalizing risk

Cost / money

Short‑term increase in managed‑service and on‑demand support spend is likely while suppliers push emergency patches or mitigations

Supplier / commercial

Suppliers may narrow quote validity or charge premiums for emergency maintenance; buyers can demand proof‑of‑patch clauses or temporary credits for downtime

Safety / operations

The flaw permits root code execution; operations must isolate affected systems, validate backups, and verify eradication steps to prevent persistent access

What to watch

Watch for mitigations that disable features or require reboots which could affect uptime and SLA pass‑through obligations

Key facts

  • CISA Binding Operational Directive with a federal patching window
  • CVE‑2026‑48172: privilege escalation via lsws.redisAble mishandling
  • Vendor guidance to apply mitigations or discontinue product where mitigations are unavailable

Source excerpts

S. federal agencies four days to secure their servers against a critical vulnerability in the LiteSpeed cPanel user-end plugin, which is actively being exploited in attacks
S. federal agencies to patch their systems by midnight on Friday, May 29, as mandated by Binding Operational Directive (BOD) 22-01
federal agencies four days to secure their servers against a critical vulnerability in the LiteSpeed cPanel user-end plugin, which is actively being exploited in attacks. Tracked as CVE-2026-48172, this privilege escalation vulnerability is related to the mishandling of Redis enable/disable features and was found in the lsws
Story 2BleepingComputerMay 26, 2026

KnowledgeDeliver flaw exploited as a zero-day to install web shells

Signal strongSource-grounded
Source notes [4]Read source

What happened

Researchers reported a critical KnowledgeDeliver LMS zero‑day exploited to deploy the Godzilla web shell by leveraging identical pre‑shared ASP.NET machine keys across deployments. The flaw allowed unauthenticated remote code execution and persistent access because attackers could sign malicious ViewState payloads with the shared machine key. Buyers should treat hosted LMS instances as potentially compromised until suppliers demonstrate key rotation, removal of web shells, and forensic evidence of eradication

Buyer takeaway

Consider hosted LMS a high‑impact supplier exposure until vendors show unique key management and demonstrable cleanup

Cost / money

Expect incremental incident response, containment, and supplier remediation costs for affected LMS instances

Supplier / commercial

Require supplier attestations of unique key deployment, key rotation evidence, and contractual obligations for forensic cleanup and monitoring

Safety / operations

Web shells enable long‑term persistence; operations must assume compromise and require proof of eradication before restoring services

What to watch

Watch for partial remediation claims or delayed key rotations that enable repeat exploitation

Key facts

  • Critical zero‑day in KnowledgeDeliver exploited to deploy Godzilla web shell
  • Attack leveraged identical pre‑shared ASP.NET machine keys across deployments
  • Exploitation enabled unauthenticated remote code execution and persistence

Source excerpts

NET-based in-memory web shell, Godzilla (a
Exploitation was possible due to the use of “identical pre-shared ASP. NET machine keys across multiple customer deployments,” the researchers said
Hackers exploited a critical zero-day vulnerability in a server running the KnowledgeDeliver learning management system (LMS) to deploy the Godzilla web shell
Story 3BleepingComputerMay 26, 2026

Charter confirms data breach after ShinyHunters extortion threat

Signal strongSource-grounded
Source notes [5]Read source

What happened

Charter Communications confirmed a security incident after being listed by the ShinyHunters extortion group, which claims data stolen via a voice‑phishing attack that compromised an employee's Microsoft Entra SSO account and exported SaaS data. Charter says no sensitive personal customer information was taken and is alerting authorities, but the incident illustrates how an SSO account takeover can cascade across connected SaaS applications. Procurement should verify supplier SSO protections, token revocation procedures, and incident cooperation terms to limit cross‑SaaS exposure

Buyer takeaway

Treat supplier SSO incidents as supply‑chain events and require rapid attestation and cross‑SaaS containment procedures from impacted suppliers

Cost / money

SSO‑related breaches increase third‑party IR, notification, and recovery costs for both buyer and supplier

Supplier / commercial

Negotiate incident cooperation SLAs, evidence requirements, and token/session revocation support from SaaS and telecom suppliers

Safety / operations

Account takeover can enable lateral access to connected SaaS systems; operations must verify token revocation and audit logging from suppliers

What to watch

Watch for inconsistencies between public claims and supplier statements; require forensic evidence before closing disputes

Key facts

  • Charter listed on a data leak/extortion site after alleged vishing SSO compromise
  • Threat actor claimed export of customer and business records via a compromised SSO account
  • Charter stated no sensitive personal customer information was exfiltrated and is notifying au

Source excerpts

Since last year, the extortion group has been conducting widespread social engineering campaigns that target employees and BPO agents' Microsoft Entra, Okta, and Google SSO accounts. After gaining access to a corporate SSO account, the threat actors steal data from connected SaaS applications such as Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, and many others
Instructure said it ultimately reached an "agreement" with the extortion gang, meaning it likely paid a ransom to prevent the public release of the stolen data
Charter listing on the ShinyHunters data leak site ShinyHunters claimed to BleepingComputer that they breached Charter on April 1 through a voice phishing (vishing) attack that compromised an employee's Microsoft Entra account
Story 4theregisterMay 27, 2026

Cisco making SONiC available to all customers – not just hyperscalers

Signal moderateDirectional
Source notes [3]Read source

What happened

Cisco said it will extend SONiC (Software for Open Networking in the Cloud) support to Nexus 9000 datacenter switches, giving customers the option to run SONiC alongside ACI or NX‑OS stacks. The move broadens NOS choice for datacenter switching and targets AI‑class fabrics where NOS flexibility matters. Procurement should add SONiC compatibility checks to switch sourcing to preserve negotiation leverage and validate vendor support models before committing to a single stack

Buyer takeaway

Add SONiC compatibility to switch sourcing checklists to preserve negotiation leverage and test single‑vendor consolidation assumptions

Cost / money

Open NOS adoption may shift total cost drivers for support, training, and integration; commercial effects depend on vendor service offerings

Supplier / commercial

Vendors may offer alternative bundles or support tiers; use NOS flexibility to negotiate maintenance and support terms

Safety / operations

Introducing a new NOS requires validating interoperability, supportability, and in‑house or supplier skillsets to avoid operational downtime

What to watch

Watch for hidden integration costs or limited enterprise support when running SONiC on enterprise hardware

Key facts

  • Cisco to support SONiC on Nexus 9000 datacenter switches
  • SONiC option complements Cisco Cloud Scale/Silicon One or NX‑OS/ACI environments
  • Positioned for customers building AI‑class fabrics seeking switching flexibility

Source excerpts

”The networking giant said its support for SONiC includes “hardening the stack and backing it with Cisco Technical Assistance Center (TAC), while integration with Nexus Dashboard provides familiar tools for automated bring-up and health monitoring. ”A Cisco spokesperson told The Register the post we’ve linked to above effectively represents an announcement that it will soon make support for SONiC generally available
SONiC on everyday datacenter hardware is therefore an idea whose time has come. Enter Cisco, which has supported SONiC on its routers for years and last week quietly mentioned it will soon extend that support to its N9000 datacenter switches
Networks Logo for SONiC the “Software for Open Networking in the Cloud” project at the Linux Foundation Hardened version of open-source NOS coming to Nexus 9000s Cisco is close to allowing customers to run the SONiC network operating system on its flagship Nexus 9000 series datacenter switches
Story 5BleepingComputerMay 27, 2026

Windows 11 KB5089573 update released with performance improvements

Signal moderateSource-grounded
Source notes [2]Read source

What happened

Microsoft released the KB5089573 optional preview cumulative update for Windows 11 25H2 and 24H2 with performance and reliability improvements and a Secure Boot certificate rollout. The update is optional (non‑security preview) and Microsoft also reiterated known issues affecting domain controller lookups on some server builds, which makes staged testing important. Buyers should coordinate endpoint testing windows with desktop and identity suppliers and watch for related server lookup disruptions before broad deployment

Buyer takeaway

Treat preview updates as a coordination item between endpoint teams and identity/SaaS suppliers; require staged testing and supplier validation before enterprise rollout

Cost / money

Staged testing and remediation for known issues will consume IT operations cycles and may require supplier support time

Supplier / commercial

Endpoint and identity suppliers may need to provide compatibility guidance or remediation timelines; include update coordination clauses where possible

Safety / operations

Known issues affecting domain controller lookups can degrade admin tooling and sign‑in behavior; validate recovery steps with identity owners

What to watch

Watch for preview updates that change Secure Boot behavior and require coordinated certificate rollout to avoid unexpected failures

Key facts

  • KB5089573: optional Windows 11 preview for 25H2 and 24H2 with performance/reliability fixes
  • Includes Secure Boot certificate refresh guidance for impacted systems
  • Microsoft noted a known issue affecting domain controller lookup failures on some server builds

Source excerpts

Microsoft has released the KB5089573 preview cumulative update for Windows 11 versions 25H2 and 24H2, which comes with 30 changes, including performance and reliability improvements
However, unlike regular Patch Tuesday cumulative updates, monthly preview updates are optional and do not include security updates. With the May 2026 optional update, Microsoft is gradually rolling out general OS performance upgrades and several reliability improvements to Windows Hello
However, unlike regular Patch Tuesday cumulative updates, monthly preview updates are optional and do not include security updates

VP Snapshot

Executive Risk & Action View

CISA issued a federal directive forcing quick patching of an actively exploited LiteSpeed cPanel plugin; hosting and managed‑service providers should be treated as remediation owners until they provide explicit patch or mitigation evidence.

Overall
74
Cost
61
Supply
25
Schedule
20
Compliance
15

Top signals

30-180dcost

Signal 1: Cost / money

Expect near‑term remediation and emergency support spend from hosting suppliers operating cPanel/LiteSpeed as buyers require proof‑of‑patch or compensating mitigations.

Signal 2: Cost / money

Incident response, containment, and forensic work for LMS web‑shell infections and vishing‑based SSO compromises will increase IR and recovery costs for both buyers and affected suppliers.

30-180dcommercial

Signal 3: Supplier / commercial

Hosting and managed‑service providers with cPanel/LiteSpeed may narrow quote validity or charge premiums for expedited maintenance; buyers can use proof‑of‑patch requirements and short remediation acceptance windows to manage pricing posture.

Signal 4: Supplier / commercial

Telecom and SaaS suppliers with SSO integrations (example: Charter) will face pressure to provide token/session revocation support and cooperative forensics; expect buyers to push for incident cooperation SLAs and evidence clauses.

Signal 5: Supplier / commercial

Cisco’s SONiC support opens procurement leverage: require NOS flexibility and clarified support models in RFPs to test single‑vendor consolidation assumptions and supplier bundling.

30-180dsupplier

Signal 6: Safety / operations

The LiteSpeed cPanel flaw permits remote privilege escalation to root, so operations must isolate affected servers, validate backups, and demand eradication evidence to avoid persistent backdoors.

Recommended actions

CategoryDue 3d

Request supplier attestations and evidence for cPanel/LiteSpeed patch or mitigation status across hosted and managed servers.

Documented supplier attestations and a mapped inventory of patched or mitigated cPanel instances.

OpsDue 3d

Inventory hosted LMS instances and require immediate containment confirmation from LMS suppliers, including proof of unique machine keys and web‑shell eradication steps.

Inventory of LMS deployments with supplier containment attestations and open remediation tickets.

ContractsDue 21d

Issue contract change requests or SLA addenda to hosting, LMS, and SaaS suppliers requiring proof‑of‑patch, forensic cooperation, and token/session revocation support for SSO in...

Amended supplier terms or documented exception workflows requiring proof‑of‑patch, timely notifications, and forensic cooperation.

CategoryDue 60d

Update datacenter switch sourcing templates and RFPs to include SONiC compatibility checks, interoperability tests, and clarified vendor support models.

RFP templates and vendor questionnaires that include SONiC support, interoperability tests, and support model clarifications.

Risk register

RiskTriggerMitigation
Public extortion listings (ShinyHunters, Play) can trigger regulatory notification, contractual disputes, and supplier blame games; verify supplier notification timelines and breach coverage because public claims often outpace forensic confirmation.Public extortion listings (ShinyHunters, Play) can trigger regulatory notification, contractual disputes, and supplier blame games; verify supplier notification timelines and breach coverage because public claims often outpace forensic confirmation.Confirm exposure with category, contracts, and operations before the next supplier commitment.

CM Snapshot

Category Manager Decision Detail

Today's priorities

Request supplier attestations and evidence for cPanel/LiteSpeed patch or mitigation status across hosted and managed servers.

because CISA issued a binding federal patching directive and the vulnerability is actively exploited, so supplier confirmation reduces buyer exposure and prioritizes remediation...

Due 3d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Inventory hosted LMS instances and require immediate containment confirmation from LMS suppliers, including proof of unique machine keys and web‑shell eradication steps.

because the KnowledgeDeliver zero‑day exploited shared machine keys to install persistent web shells, so hosted LMS may already be compromised and need containment evidence.

Due 3d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Issue contract change requests or SLA addenda to hosting, LMS, and SaaS suppliers requiring proof‑of‑patch, forensic cooperation, and token/session revocation support for SSO in...

because recent SSO compromises and LMS persistence risks show supplier responsibilities materially affect buyer exposure, so contracts should mandate evidence, notifications, an...

Due 21d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Update datacenter switch sourcing templates and RFPs to include SONiC compatibility checks, interoperability tests, and clarified vendor support models.

because Cisco’s SONiC availability on N9000 hardware creates an alternate OS path that can change supplier leverage, so adding compatibility checks preserves sourcing optionalit...

Due 60d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Supplier radar

BleepingComputer

high

Observed supplier signal

Hosting and managed‑service providers with cPanel/LiteSpeed may narrow quote validity or charge premiums for expedited maintenance; buyers can use proof‑of‑patch requirements and short remediation acceptance windows to manage pricing posture.

Commercial implication

Hosting and managed‑service providers with cPanel/LiteSpeed may narrow quote validity or charge premiums for expedited maintenance; buyers can use proof‑of‑patch requirements and short remediation acceptance windows to manage pricing posture.

Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.

BleepingComputer

high

Observed supplier signal

Telecom and SaaS suppliers with SSO integrations (example: Charter) will face pressure to provide token/session revocation support and cooperative forensics; expect buyers to push for incident cooperation SLAs and evidence clauses.

Commercial implication

Telecom and SaaS suppliers with SSO integrations (example: Charter) will face pressure to provide token/session revocation support and cooperative forensics; expect buyers to push for incident cooperation SLAs and evidence clauses.

Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.

theregister

high

Observed supplier signal

Cisco’s SONiC support opens procurement leverage: require NOS flexibility and clarified support models in RFPs to test single‑vendor consolidation assumptions and supplier bundling.

Commercial implication

Cisco’s SONiC support opens procurement leverage: require NOS flexibility and clarified support models in RFPs to test single‑vendor consolidation assumptions and supplier bundling.

Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.

Negotiation levers

Request supplier attestations and evidence for cPanel/LiteSpeed patch or mitigation status across hosted and managed servers.

When to use: because CISA issued a binding federal patching directive and the vulnerability is actively exploited, so supplier confirmation reduces buyer exposure and prioritizes remediation...

Expected outcome: Documented supplier attestations and a mapped inventory of patched or mitigated cPanel instances.

Commercial mechanism to carry into the next supplier conversation

Inventory hosted LMS instances and require immediate containment confirmation from LMS suppliers, including proof of unique machine keys and web‑shell eradication steps.

When to use: because the KnowledgeDeliver zero‑day exploited shared machine keys to install persistent web shells, so hosted LMS may already be compromised and need containment evidence.

Expected outcome: Inventory of LMS deployments with supplier containment attestations and open remediation tickets.

Commercial mechanism to carry into the next supplier conversation

Issue contract change requests or SLA addenda to hosting, LMS, and SaaS suppliers requiring proof‑of‑patch, forensic cooperation, and token/session revocation support for SSO in...

When to use: because recent SSO compromises and LMS persistence risks show supplier responsibilities materially affect buyer exposure, so contracts should mandate evidence, notifications, an...

Expected outcome: Amended supplier terms or documented exception workflows requiring proof‑of‑patch, timely notifications, and forensic cooperation.

Commercial mechanism to carry into the next supplier conversation

Update datacenter switch sourcing templates and RFPs to include SONiC compatibility checks, interoperability tests, and clarified vendor support models.

When to use: because Cisco’s SONiC availability on N9000 hardware creates an alternate OS path that can change supplier leverage, so adding compatibility checks preserves sourcing optionalit...

Expected outcome: RFP templates and vendor questionnaires that include SONiC support, interoperability tests, and support model clarifications.

Commercial mechanism to carry into the next supplier conversation

Talking points

CISA issued a federal directive forcing quick patching of an actively exploited LiteSpeed cPanel plugin; hosting and managed‑service providers should be treated as remediation owners until they provide explicit patch or mitigation evidence.
A KnowledgeDeliver LMS zero‑day used identical pre‑shared machine keys to install persistent web shells, so hosted LMS suppliers and any shared‑key configurations must be assumed compromised until vendors prove key rotation and cleanup.
Charter confirmed an incident tied to a voice‑phishing compromise of a Microsoft Entra (SSO) account with claims of mass data export; buyers need supplier attestations for SSO token revocation, audit logs, and cross‑SaaS containment procedures.
Cisco’s move to support the open SONiC network OS on Nexus 9000 switches creates a practical alternate sourcing lever for datacenter switching—add SONiC compatibility checks to upcoming RFPs to preserve negotiation options.

Supplier radar

SupplierSignalImplicationNext stepConfidence
BleepingComputerHosting and managed‑service providers with cPanel/LiteSpeed may narrow quote validity or charge premiums for expedited maintenance; buyers can use proof‑of‑patch requirements and short remediation acceptance windows to manage pricing posture.Hosting and managed‑service providers with cPanel/LiteSpeed may narrow quote validity or charge premiums for expedited maintenance; buyers can use proof‑of‑patch requirements and short remediation acceptance windows to manage pricing posture.Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.high
BleepingComputerTelecom and SaaS suppliers with SSO integrations (example: Charter) will face pressure to provide token/session revocation support and cooperative forensics; expect buyers to push for incident cooperation SLAs and evidence clauses.Telecom and SaaS suppliers with SSO integrations (example: Charter) will face pressure to provide token/session revocation support and cooperative forensics; expect buyers to push for incident cooperation SLAs and evidence clauses.Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.high
theregisterCisco’s SONiC support opens procurement leverage: require NOS flexibility and clarified support models in RFPs to test single‑vendor consolidation assumptions and supplier bundling.Cisco’s SONiC support opens procurement leverage: require NOS flexibility and clarified support models in RFPs to test single‑vendor consolidation assumptions and supplier bundling.Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.high

Negotiation levers

  • Request supplier attestations and evidence for cPanel/LiteSpeed patch or mitigation status across hosted and managed servers.because CISA issued a binding federal patching directive and the vulnerability is actively exploited, so supplier confirmation reduces buyer exposure and prioritizes remediation...Documented supplier attestations and a mapped inventory of patched or mitigated cPanel instances.

    high confidence

  • Inventory hosted LMS instances and require immediate containment confirmation from LMS suppliers, including proof of unique machine keys and web‑shell eradication steps.because the KnowledgeDeliver zero‑day exploited shared machine keys to install persistent web shells, so hosted LMS may already be compromised and need containment evidence.Inventory of LMS deployments with supplier containment attestations and open remediation tickets.

    high confidence

  • Issue contract change requests or SLA addenda to hosting, LMS, and SaaS suppliers requiring proof‑of‑patch, forensic cooperation, and token/session revocation support for SSO in...because recent SSO compromises and LMS persistence risks show supplier responsibilities materially affect buyer exposure, so contracts should mandate evidence, notifications, an...Amended supplier terms or documented exception workflows requiring proof‑of‑patch, timely notifications, and forensic cooperation.

    high confidence

  • Update datacenter switch sourcing templates and RFPs to include SONiC compatibility checks, interoperability tests, and clarified vendor support models.because Cisco’s SONiC availability on N9000 hardware creates an alternate OS path that can change supplier leverage, so adding compatibility checks preserves sourcing optionalit...RFP templates and vendor questionnaires that include SONiC support, interoperability tests, and support model clarifications.

    high confidence

What to do / What to watch

What to do now

  • Request supplier attestations and evidence for cPanel/LiteSpeed patch or mitigation status across hosted and managed servers.

    Why: because CISA issued a binding federal patching directive and the vulnerability is actively exploited, so supplier confirmation reduces buyer exposure and prioritizes remediation...

    Owner: Category

    Expected outcome: Documented supplier attestations and a mapped inventory of patched or mitigated cPanel instances.

    [1]
  • Inventory hosted LMS instances and require immediate containment confirmation from LMS suppliers, including proof of unique machine keys and web‑shell eradication steps.

    Why: because the KnowledgeDeliver zero‑day exploited shared machine keys to install persistent web shells, so hosted LMS may already be compromised and need containment evidence.

    Owner: Ops

    Expected outcome: Inventory of LMS deployments with supplier containment attestations and open remediation tickets.

    [4]

Next few weeks

  • Issue contract change requests or SLA addenda to hosting, LMS, and SaaS suppliers requiring proof‑of‑patch, forensic cooperation, and token/session revocation support for SSO in...

    Why: because recent SSO compromises and LMS persistence risks show supplier responsibilities materially affect buyer exposure, so contracts should mandate evidence, notifications, an...

    Owner: Contracts

    Expected outcome: Amended supplier terms or documented exception workflows requiring proof‑of‑patch, timely notifications, and forensic cooperation.

    [5]

Longer view

  • Update datacenter switch sourcing templates and RFPs to include SONiC compatibility checks, interoperability tests, and clarified vendor support models.

    Why: because Cisco’s SONiC availability on N9000 hardware creates an alternate OS path that can change supplier leverage, so adding compatibility checks preserves sourcing optionalit...

    Owner: Category

    Expected outcome: RFP templates and vendor questionnaires that include SONiC support, interoperability tests, and support model clarifications.

    [3]

What to watch

  • Public extortion listings (ShinyHunters, Play) can trigger regulatory notification, contractual disputes, and supplier blame games; verify supplier notification timelines and breach coverage because public claims often outpace forensic confirmation
  • Public extortion listings (ShinyHunters, Play) can trigger regulatory notification, contractual disputes, and supplier blame games; verify supplier notification timelines and breach coverage because public claims often outpace forensic confirmation.: Public extortion listings (ShinyHunters, Play) can trigger regulatory notification, contractual disputes, and supplier blame games; verify supplier notification timelines and breach coverage because public claims often outpace forensic confirmation
  • CISA issued a federal directive forcing quick patching of an actively exploited LiteSpeed cPanel plugin; hosting and managed‑service providers should be treated as remediation owners until they provide explicit patch or mitigation evidence
  • A KnowledgeDeliver LMS zero‑day used identical pre‑shared machine keys to install persistent web shells, so hosted LMS suppliers and any shared‑key configurations must be assumed compromised until vendors prove key rotation and cleanup
  • Charter confirmed an incident tied to a voice‑phishing compromise of a Microsoft Entra (SSO) account with claims of mass data export; buyers need supplier attestations for SSO token revocation, audit logs, and cross‑SaaS containment procedures
  • Cisco’s move to support the open SONiC network OS on Nexus 9000 switches creates a practical alternate sourcing lever for datacenter switching—add SONiC compatibility checks to upcoming RFPs to preserve negotiation options

Market pulse

IndexLatestChangeAs of
Palo Alto (PANW)320 +0.00 (+0.00%)May 27, 2026, 10:13 AM
CrowdStrike (CRWD)285 +0.00 (+0.00%)May 27, 2026, 10:13 AM
Zscaler (ZS)195 +0.00 (+0.00%)May 27, 2026, 10:13 AM
Fortinet (FTNT)72 +0.00 (+0.00%)May 27, 2026, 10:13 AM
  • Palo Alto: Active exploitation and federal patch directives tend to increase demand for network and endpoint security services; monitor Palo Alto partner readiness and supplier capacity
  • CrowdStrike: Incidents that drive IR and EDR demand can shift short‑term vendor workload and support availability; watch CrowdStrike‑related capacity and pricing signals
  • Zscaler: Identity and SSO incidents increase buyer focus on cloud access security and CASB/IDP vendor engagement; track Zscaler signal for identity traffic inspection demand

Sources

Inline citations jump here. Expand a source to read the excerpt, the AI interpretation, and the original link.

[1] CISA gives feds 4 days to patch actively exploited cPanel plugin flaw

bleepingcomputer.com · May 27, 2026

Expand

AI reading

CISA issued a Binding Operational Directive giving federal agencies four days to patch an actively exploited LiteSpeed cPanel user‑end plugin (CVE‑2026‑48172) that enables privilege escalation. The advisory highlights a Redis enable/disable mishandling in lsws.redisAble and urges applying vendor mitigations or discontinuing use where unavailable. Operationally, hosting and managed‑service providers running cPanel/LiteSpeed must confirm patch status and be prepared for mitigations that could affect uptime; watch supplier remediation timelines and rollback plans

Buyer takeaway

Treat supplier patch confirmation as a compliance and delivery item; require suppliers to prove remediation or provide approved mitigations before normalizing risk

Cost / money

Short‑term increase in managed‑service and on‑demand support spend is likely while suppliers push emergency patches or mitigations

Supplier / commercial

Suppliers may narrow quote validity or charge premiums for emergency maintenance; buyers can demand proof‑of‑patch clauses or temporary credits for downtime

Safety / operations

The flaw permits root code execution; operations must isolate affected systems, validate backups, and verify eradication steps to prevent persistent access

What to watch

Watch for mitigations that disable features or require reboots which could affect uptime and SLA pass‑through obligations

Key facts

  • CISA Binding Operational Directive with a federal patching window
  • CVE‑2026‑48172: privilege escalation via lsws.redisAble mishandling
  • Vendor guidance to apply mitigations or discontinue product where mitigations are unavailable

Source excerpts

S. federal agencies four days to secure their servers against a critical vulnerability in the LiteSpeed cPanel user-end plugin, which is actively being exploited in attacks
S. federal agencies to patch their systems by midnight on Friday, May 29, as mandated by Binding Operational Directive (BOD) 22-01
federal agencies four days to secure their servers against a critical vulnerability in the LiteSpeed cPanel user-end plugin, which is actively being exploited in attacks. Tracked as CVE-2026-48172, this privilege escalation vulnerability is related to the mishandling of Redis enable/disable features and was found in the lsws

Used in this brief

  • Next 72 hours — Request supplier attestations and evidence for cPanel/LiteSpeed patch or mitigation status across hosted and managed servers.. Rationale: because CISA issued a binding federal patching directive and the vulnerability is actively exploited, so supplier confirmation reduces buyer exposure and prioritizes remediation.... Owner: Category. KPI: Documented supplier attestations and a mapped inventory of patched or mitigated cPanel instances
  • CISA issued a Binding Operational Directive specifically for a LiteSpeed cPanel plugin (new federal patching mandate not present in the prior brief)
  • CISA issued a Binding Operational Directive giving federal agencies four days to patch an actively exploited LiteSpeed cPanel user‑end plugin (CVE‑2026‑48172) that enables privilege escalation. The advisory highlights a Redis enable/disable mishandling in lsws.redisAble and urges applying vendor mitigations or discontinuing use where unavailable. Operationally, hosting and managed‑service providers running cPanel/LiteSpeed must confirm patch status and be prepared for mitigations that could affect uptime; watch supplier remediation timelines and rollback plans
Open original source

[2] Windows 11 KB5089573 update released with performance improvements

bleepingcomputer.com · May 27, 2026

Expand

AI reading

Microsoft released the KB5089573 optional preview cumulative update for Windows 11 25H2 and 24H2 with performance and reliability improvements and a Secure Boot certificate rollout. The update is optional (non‑security preview) and Microsoft also reiterated known issues affecting domain controller lookups on some server builds, which makes staged testing important. Buyers should coordinate endpoint testing windows with desktop and identity suppliers and watch for related server lookup disruptions before broad deployment

Buyer takeaway

Treat preview updates as a coordination item between endpoint teams and identity/SaaS suppliers; require staged testing and supplier validation before enterprise rollout

Cost / money

Staged testing and remediation for known issues will consume IT operations cycles and may require supplier support time

Supplier / commercial

Endpoint and identity suppliers may need to provide compatibility guidance or remediation timelines; include update coordination clauses where possible

Safety / operations

Known issues affecting domain controller lookups can degrade admin tooling and sign‑in behavior; validate recovery steps with identity owners

What to watch

Watch for preview updates that change Secure Boot behavior and require coordinated certificate rollout to avoid unexpected failures

Key facts

  • KB5089573: optional Windows 11 preview for 25H2 and 24H2 with performance/reliability fixes
  • Includes Secure Boot certificate refresh guidance for impacted systems
  • Microsoft noted a known issue affecting domain controller lookup failures on some server builds

Source excerpts

Microsoft has released the KB5089573 preview cumulative update for Windows 11 versions 25H2 and 24H2, which comes with 30 changes, including performance and reliability improvements
However, unlike regular Patch Tuesday cumulative updates, monthly preview updates are optional and do not include security updates. With the May 2026 optional update, Microsoft is gradually rolling out general OS performance upgrades and several reliability improvements to Windows Hello
However, unlike regular Patch Tuesday cumulative updates, monthly preview updates are optional and do not include security updates

Used in this brief

  • Microsoft released the KB5089573 optional preview cumulative update for Windows 11 25H2 and 24H2 with performance and reliability improvements and a Secure Boot certificate rollout. The update is optional (non‑security preview) and Microsoft also reiterated known issues affecting domain controller lookups on some server builds, which makes staged testing important. Buyers should coordinate endpoint testing windows with desktop and identity suppliers and watch for related server lookup disruptions before broad deployment
  • Buyer bottom line: optional Windows 11 preview updates can change sign‑in and Secure Boot behavior—validate with identity and endpoint suppliers before mass rollout to avoid support incidents
  • Treat preview updates as a coordination item between endpoint teams and identity/SaaS suppliers; require staged testing and supplier validation before enterprise rollout
Open original source

[3] Cisco making SONiC available to all customers – not just hyperscalers

theregister.com · May 27, 2026

Expand

AI reading

Cisco said it will extend SONiC (Software for Open Networking in the Cloud) support to Nexus 9000 datacenter switches, giving customers the option to run SONiC alongside ACI or NX‑OS stacks. The move broadens NOS choice for datacenter switching and targets AI‑class fabrics where NOS flexibility matters. Procurement should add SONiC compatibility checks to switch sourcing to preserve negotiation leverage and validate vendor support models before committing to a single stack

Buyer takeaway

Add SONiC compatibility to switch sourcing checklists to preserve negotiation leverage and test single‑vendor consolidation assumptions

Cost / money

Open NOS adoption may shift total cost drivers for support, training, and integration; commercial effects depend on vendor service offerings

Supplier / commercial

Vendors may offer alternative bundles or support tiers; use NOS flexibility to negotiate maintenance and support terms

Safety / operations

Introducing a new NOS requires validating interoperability, supportability, and in‑house or supplier skillsets to avoid operational downtime

What to watch

Watch for hidden integration costs or limited enterprise support when running SONiC on enterprise hardware

Key facts

  • Cisco to support SONiC on Nexus 9000 datacenter switches
  • SONiC option complements Cisco Cloud Scale/Silicon One or NX‑OS/ACI environments
  • Positioned for customers building AI‑class fabrics seeking switching flexibility

Source excerpts

”The networking giant said its support for SONiC includes “hardening the stack and backing it with Cisco Technical Assistance Center (TAC), while integration with Nexus Dashboard provides familiar tools for automated bring-up and health monitoring. ”A Cisco spokesperson told The Register the post we’ve linked to above effectively represents an announcement that it will soon make support for SONiC generally available
SONiC on everyday datacenter hardware is therefore an idea whose time has come. Enter Cisco, which has supported SONiC on its routers for years and last week quietly mentioned it will soon extend that support to its N9000 datacenter switches
Networks Logo for SONiC the “Software for Open Networking in the Cloud” project at the Linux Foundation Hardened version of open-source NOS coming to Nexus 9000s Cisco is close to allowing customers to run the SONiC network operating system on its flagship Nexus 9000 series datacenter switches

Used in this brief

  • Supplier / commercial: Cisco’s SONiC support opens procurement leverage: require NOS flexibility and clarified support models in RFPs to test single‑vendor consolidation assumptions and supplier bundling
  • Next quarter — Update datacenter switch sourcing templates and RFPs to include SONiC compatibility checks, interoperability tests, and clarified vendor support models.. Rationale: because Cisco’s SONiC availability on N9000 hardware creates an alternate OS path that can change supplier leverage, so adding compatibility checks preserves sourcing optionalit.... Owner: Category. KPI: RFP templates and vendor questionnaires that include SONiC support, interoperability tests, and support model clarifications
  • Cisco said it will extend SONiC (Software for Open Networking in the Cloud) support to Nexus 9000 datacenter switches, giving customers the option to run SONiC alongside ACI or NX‑OS stacks. The move broadens NOS choice for datacenter switching and targets AI‑class fabrics where NOS flexibility matters. Procurement should add SONiC compatibility checks to switch sourcing to preserve negotiation leverage and validate vendor support models before committing to a single stack
Open original source

[4] KnowledgeDeliver flaw exploited as a zero-day to install web shells

bleepingcomputer.com · May 26, 2026

Expand

AI reading

Researchers reported a critical KnowledgeDeliver LMS zero‑day exploited to deploy the Godzilla web shell by leveraging identical pre‑shared ASP.NET machine keys across deployments. The flaw allowed unauthenticated remote code execution and persistent access because attackers could sign malicious ViewState payloads with the shared machine key. Buyers should treat hosted LMS instances as potentially compromised until suppliers demonstrate key rotation, removal of web shells, and forensic evidence of eradication

Buyer takeaway

Consider hosted LMS a high‑impact supplier exposure until vendors show unique key management and demonstrable cleanup

Cost / money

Expect incremental incident response, containment, and supplier remediation costs for affected LMS instances

Supplier / commercial

Require supplier attestations of unique key deployment, key rotation evidence, and contractual obligations for forensic cleanup and monitoring

Safety / operations

Web shells enable long‑term persistence; operations must assume compromise and require proof of eradication before restoring services

What to watch

Watch for partial remediation claims or delayed key rotations that enable repeat exploitation

Key facts

  • Critical zero‑day in KnowledgeDeliver exploited to deploy Godzilla web shell
  • Attack leveraged identical pre‑shared ASP.NET machine keys across deployments
  • Exploitation enabled unauthenticated remote code execution and persistence

Source excerpts

NET-based in-memory web shell, Godzilla (a
Exploitation was possible due to the use of “identical pre-shared ASP. NET machine keys across multiple customer deployments,” the researchers said
Hackers exploited a critical zero-day vulnerability in a server running the KnowledgeDeliver learning management system (LMS) to deploy the Godzilla web shell

Used in this brief

  • Cost / money: Incident response, containment, and forensic work for LMS web‑shell infections and vishing‑based SSO compromises will increase IR and recovery costs for both buyers and affected suppliers
  • Safety / operations: KnowledgeDeliver instances using identical pre‑shared ASP.NET machine keys enable unauthenticated remote code execution and persistence; treat affected LMS deployments as compromised until vendors prove key rotation and web‑shell removal
  • Next 72 hours — Inventory hosted LMS instances and require immediate containment confirmation from LMS suppliers, including proof of unique machine keys and web‑shell eradication steps.. Rationale: because the KnowledgeDeliver zero‑day exploited shared machine keys to install persistent web shells, so hosted LMS may already be compromised and need containment evidence.. Owner: Ops. KPI: Inventory of LMS deployments with supplier containment attestations and open remediation tickets
Open original source

[5] Charter confirms data breach after ShinyHunters extortion threat

bleepingcomputer.com · May 26, 2026

Expand

AI reading

Charter Communications confirmed a security incident after being listed by the ShinyHunters extortion group, which claims data stolen via a voice‑phishing attack that compromised an employee's Microsoft Entra SSO account and exported SaaS data. Charter says no sensitive personal customer information was taken and is alerting authorities, but the incident illustrates how an SSO account takeover can cascade across connected SaaS applications. Procurement should verify supplier SSO protections, token revocation procedures, and incident cooperation terms to limit cross‑SaaS exposure

Buyer takeaway

Treat supplier SSO incidents as supply‑chain events and require rapid attestation and cross‑SaaS containment procedures from impacted suppliers

Cost / money

SSO‑related breaches increase third‑party IR, notification, and recovery costs for both buyer and supplier

Supplier / commercial

Negotiate incident cooperation SLAs, evidence requirements, and token/session revocation support from SaaS and telecom suppliers

Safety / operations

Account takeover can enable lateral access to connected SaaS systems; operations must verify token revocation and audit logging from suppliers

What to watch

Watch for inconsistencies between public claims and supplier statements; require forensic evidence before closing disputes

Key facts

  • Charter listed on a data leak/extortion site after alleged vishing SSO compromise
  • Threat actor claimed export of customer and business records via a compromised SSO account
  • Charter stated no sensitive personal customer information was exfiltrated and is notifying au

Source excerpts

Since last year, the extortion group has been conducting widespread social engineering campaigns that target employees and BPO agents' Microsoft Entra, Okta, and Google SSO accounts. After gaining access to a corporate SSO account, the threat actors steal data from connected SaaS applications such as Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, and many others
Instructure said it ultimately reached an "agreement" with the extortion gang, meaning it likely paid a ransom to prevent the public release of the stolen data
Charter listing on the ShinyHunters data leak site ShinyHunters claimed to BleepingComputer that they breached Charter on April 1 through a voice phishing (vishing) attack that compromised an employee's Microsoft Entra account

Used in this brief

  • Next 2-4 weeks — Issue contract change requests or SLA addenda to hosting, LMS, and SaaS suppliers requiring proof‑of‑patch, forensic cooperation, and token/session revocation support for SSO in.... Rationale: because recent SSO compromises and LMS persistence risks show supplier responsibilities materially affect buyer exposure, so contracts should mandate evidence, notifications, an.... Owner: Contracts. KPI: Amended supplier terms or documented exception workflows requiring proof‑of‑patch, timely notifications, and forensic cooperation
  • Public extortion listings (ShinyHunters, Play) can trigger regulatory notification, contractual disputes, and supplier blame games; verify supplier notification timelines and breach coverage because public claims often outpace forensic confirmation
  • Charter Communications confirmed a security incident after being listed by the ShinyHunters extortion group, which claims data stolen via a voice‑phishing attack that compromised an employee's Microsoft Entra SSO account and exported SaaS data. Charter says no sensitive personal customer information was taken and is alerting authorities, but the incident illustrates how an SSO account takeover can cascade across connected SaaS applications. Procurement should verify supplier SSO protections, token revocation procedures, and incident cooperation terms to limit cross‑SaaS exposure
Open original source

[6] Palo Alto

finance.yahoo.com · n.d.

Expand
Open original source

[7] CrowdStrike

finance.yahoo.com · n.d.

Expand
Open original source

[8] Zscaler

finance.yahoo.com · n.d.

Expand
Open original source
More from IT, Telecom & CyberBack to Executive View