Executive Summary
The CVE Landscape Has Changed. The Threat Actors Haven't.
Proofpoint's dual telemetry streams — targeted attack visibility covering hundreds of millions of messages daily, and a global network sensor array that generated over 3 million alerts and identified four undisclosed CVEs in 2026 to date — present a consistent picture: attackers are opportunistic. They grab newly published CVEs when public proof-of-concept code appears, chain them with established techniques, and move on.
What has changed is the volume of vulnerabilities feeding that pipeline. NIST reported that CVE submissions in Q1 2026 were nearly one-third higher than the same quarter last year, and that the National Vulnerability Database still cannot keep pace with enrichment. The widely-cited driver is AI-assisted vulnerability discovery: frontier models are enabling both defenders and researchers — and, increasingly, anyone with access to an open-weights model — to surface bugs at machine speed. The exploit window is narrowing, but the exploitation pattern remains recognizable.
KEY TAKEAWAY
Proofpoint telemetry shows 12 distinct 2026 CVEs being actively exploited in network-facing attacks, compared to the 8 currently listed on the CISA KEV catalog. The four-CVE gap represents real-world exploitation that CISA has not yet formally catalogued — a visibility problem that defenders cannot afford to ignore.

Targeted Email Telemetry
Three 2026 CVEs in Targeted Email: Old Tricks, New Vulnerabilities
Proofpoint's email telemetry — which covers organizations across the globe — has identified two 2026 CVEs being actively weaponized in targeted attack campaigns this year. Neither represents a fundamental shift in tradecraft. Both fit cleanly into attacker playbooks that Proofpoint has tracked for years.
CVE-2026-21509 — Microsoft Office (RTF/OLE Code Execution)
The more prominent of the two is CVE-2026-21509, a remote code execution vulnerability in Microsoft Office affecting RTF and OLE document processing. Within 24 hours of public disclosure in January 2026, Russia-linked TA422 (APT28) weaponized the flaw in malicious RTF files targeting Ukrainian government agencies and European defense, transportation, and diplomatic entities — behavior consistent with the group's well-documented practice of rapidly adopting newly disclosed Office vulnerabilities for email-borne initial access.
Proofpoint telemetry observed CVE-2026-21509 in targeted spear-phishing campaigns delivering weaponized document attachments with high-fidelity institutional lures — official letterheads, bilingual formatting, ministerial seals. The exploitation delivers a multi-stage infection chain culminating in the NotDoor Outlook backdoor and Covenant Grunt implants. Cloud storage services (notably filen.io) serve as C2 infrastructure, blending malicious traffic with normal enterprise activity.
CVE-2026-21510 — Windows Shell Protection Mechanism Failure
In two separate campaigns observed by Proofpoint in March and April 2026, DPRK-aligned threat actor TA406 (Opal Sleet) chained CVE-2026-21509 and CVE-2026-21510 within a single attack sequence. Social engineering lures themed around visa processing and diplomatic initiatives delivered RTF attachments weaponizing CVE-2026-21509 for initial code execution.
The use of the same CVE pair previously documented in TA422's campaigns is a textbook illustration of the delayed-remediation risk: once a vulnerability with reliable code execution is demonstrated in the wild, additional threat actors will adopt it opportunistically, regardless of patch availability. Disclosure and exploitation are no longer sequential.
In both TA406 campaigns, the OLE objects embedded in the RTF attachments were LNK files. Upon execution, these initiated a WebDAV connection to download secondary LNK files, which then invoked CVE-2026-21510 to bypass Windows Shell security controls and execute a DLL payload. It is at this stage that TA406's chain diverges from TA422's — the downstream payloads and post-exploitation behavior reflect distinct operational infrastructure and tradecraft between the two threat actors.
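The chain above starts with an OLE object inside an RTF attachment, so the cheapest point of detection is the attachment itself, before any WebDAV connection happens. The following is an added example, not Proofpoint's tooling: a small triage script that decodes every `\objdata` hex blob in an RTF file, parses the OLE1 stream it carries, and flags objects that contain a Windows Shell Link (LNK) header, use the Packager class, or are marked to auto-update on open. The sample RTF at the bottom is constructed for the test and holds only a LNK header and an OLE compound-file magic, not a working shortcut; the OLE1 stream layout follows MS-OLEDS.

```python
"""Triage an RTF attachment for embedded OLE objects that carry Shell Link (LNK) payloads.

Added example, not Proofpoint's own code. Defensive use: decode each \\objdata blob and
report what the embedded OLE1 stream contains. SAMPLE_RTF is constructed for the test.
"""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass
from typing import Optional

# Shell Link header: HeaderSize 0x4C followed by CLSID {00021401-0000-0000-C000-000000000046}
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")
# OLE compound-file magic (embedded Office documents, Packager sub-containers)
CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# One RTF object group: "\object ... \objdata <hex>"; the hex run ends at the closing brace
OBJECT_RE = re.compile(rb"\\object\b(.*?)\\objdata\s*([0-9a-fA-F\s]+)", re.S)
OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9_.]+)")


@dataclass
class EmbeddedObject:
    index: int
    objclass: Optional[str]
    size: int          # decoded OLE1 stream length in bytes
    carries_lnk: bool  # Shell Link header present in the stream
    carries_cfb: bool  # compound-file magic present in the stream
    auto_update: bool  # \objupdate set: Word refreshes the object when the document opens


def decode_objdata(hexblob: bytes) -> bytes:
    """\\objdata stores the OLE1 stream as hex split across arbitrary whitespace."""
    clean = re.sub(rb"\s+", b"", hexblob)
    if len(clean) % 2:  # tolerate a truncated trailing nibble
        clean = clean[:-1]
    return bytes.fromhex(clean.decode("ascii"))


def scan_rtf(data: bytes) -> list[EmbeddedObject]:
    """Enumerate embedded objects and what each one carries."""
    found = []
    for i, m in enumerate(OBJECT_RE.finditer(data)):
        header, hexblob = m.group(1), m.group(2)
        cls = OBJCLASS_RE.search(header)
        stream = decode_objdata(hexblob)
        found.append(EmbeddedObject(
            index=i,
            objclass=cls.group(1).decode("ascii") if cls else None,
            size=len(stream),
            carries_lnk=LNK_HEADER in stream,
            carries_cfb=CFB_MAGIC in stream,
            auto_update=b"\\objupdate" in header,
        ))
    return found


def triage(data: bytes) -> dict:
    """Verdict plus analyst-readable reasons; suitable for a gateway rule or IR notebook."""
    reasons = []
    for obj in scan_rtf(data):
        if obj.carries_lnk:
            reasons.append(f"object {obj.index}: embedded LNK (class {obj.objclass})")
        if obj.objclass == "Package":
            reasons.append(f"object {obj.index}: Packager object (arbitrary file carrier)")
        if obj.auto_update:
            reasons.append(f"object {obj.index}: \\objupdate set (auto-refresh on open)")
    return {"suspicious": bool(reasons), "reasons": reasons}


# --- constructed sample input for the test ------------------------------------------
def _ole1_stream(class_name: bytes, payload: bytes) -> bytes:
    """Minimal OLE1 embedded-object stream (MS-OLEDS layout), built only for the sample."""
    return (struct.pack("<II", 0x00000501, 2)                        # OLEVersion, FormatID=embedded
            + struct.pack("<I", len(class_name) + 1) + class_name + b"\0"
            + struct.pack("<II", 0, 0)                               # no TopicName / ItemName
            + struct.pack("<I", len(payload)) + payload)


def _objdata(stream: bytes) -> bytes:
    h = stream.hex().encode()
    return b"\n".join(h[i:i + 64] for i in range(0, len(h), 64))


SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\f0\\fs22 Visa processing update.\\par\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Package}{\\*\\objdata "
    + _objdata(_ole1_stream(b"Package", LNK_HEADER + b"\0" * 56)) + b"}}\n"
    b"{\\object\\objemb{\\*\\objclass Word.Document.8}{\\*\\objdata "
    + _objdata(_ole1_stream(b"Word.Document.8", CFB_MAGIC + b"\0" * 24)) + b"}}\n"
    b"}"
)

if __name__ == "__main__":
    for obj in scan_rtf(SAMPLE_RTF):
        print(obj)
    print(triage(SAMPLE_RTF))
```

Run it against a quarantined attachment with `triage(open(path, "rb").read())`. The check is deliberately structural rather than signature-based: it does not care which CVE the document targets, only that a shortcut or Packager object is riding inside an RTF, which is the part of the tradecraft the report describes as unchanged across actors.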
PROOFPOINT OBSERVED
All CVE-2026-21509 and CVE-2026-21510 messages targeting Proofpoint customers were blocked at delivery. Indicators of compromise for the associated campaign are available to Proofpoint Threat Intelligence subscribers.
CVE-2026-32202 — Windows (Incomplete Patch Bypass)
The third targeted email-weaponized CVE of 2026 is CVE-2026-32202, a Windows vulnerability stemming from an incomplete patch for the earlier CVE-2026-21510. The flaw was exploited as a zero-day alongside CVE-2026-21513 by TA422 in attacks targeting Ukraine and EU member states beginning in late 2025. CVE-2026-32202 was added to the CISA KEV catalog after Microsoft acknowledged active exploitation in April 2026.
The exploitation chain is notable for its stability: the two CVEs are being chained to achieve reliable initial access via email-delivered lures, reinforcing a recurring Proofpoint observation that incomplete patches create a secondary exploitation window that sophisticated actors actively monitor and capitalize on.
FINDING #1
Both 2026 CVEs observed in targeted email campaigns are Microsoft-ecosystem vulnerabilities exploited by a single, state-sponsored actor (TA422) via highly targeted spear-phishing. The technique — weaponized Office documents with institutional lures — is unchanged from campaigns Proofpoint tracked years prior. The CVEs are new. The behavior is not.
Network Sensor Telemetry
Twelve 2026 CVEs Across 5,000+ Sensors — Four Ahead of CISA
Proofpoint's network sensor infrastructure — spanning over 5,000 sensors globally with more than 3 million alerts analyzed in 2026 — has detected active exploitation attempts for 12 distinct 2026 CVEs. The CISA KEV catalog, as of this writing, lists 8 CVEs from 2026. The four-CVE gap reflects a structural reality: CISA's KEV process is necessarily reactive and evidence-based, while internet-scale sensor telemetry captures exploitation activity earlier and more broadly.
The 12 CVEs observed span a predictable set of target categories: network perimeter devices, enterprise web infrastructure, collaboration and mail platforms, and remote access management systems. This distribution reflects attacker prioritization of internet-exposed attack surface.
CVES SEEN IN NETWORK TELEMETRY (PROOFPOINT OBSERVED VS. CISA KEV)
| CVE | Affected Product | Vulnerability Type | Vector | KEV Listed |
| --- | --- | --- | --- | --- |
| CVE-2026-20122 | Cisco Catalyst SD-WAN | Authentication Bypass | Network | Yes |
| CVE-2026-20128 | Cisco Catalyst SD-WAN | Authentication Bypass | Network | Yes |
| CVE-2026-20133 | Cisco Catalyst SD-WAN Manager | Info Disclosure | Network | Yes |
| CVE-2026-0300 | Palo Alto PAN-OS | Out-of-bounds Write / RCE | Network | Yes |
| CVE-2026-6973 | Ivanti EPMM | Authentication Bypass | Network | Yes |
| CVE-2026-41940 | WebPros cPanel & WHM / WP2 | Missing Auth — Critical Function | Network | Yes |
| CVE-2026-42897 | Microsoft Exchange Server | Cross-Site Scripting (OWA) | Network | Yes |
| CVE-2026-39987 | Marimo (Python notebooks) | Remote Code Execution | Network | Yes |
| CVE-2026-1281 | Ivanti EPMM | Zero-day / Auth Bypass | Network | No * |
| CVE-2026-1340 | Ivanti EPMM | Zero-day / Auth Bypass | Network | No * |
| CVE-2026-20182 | Cisco Catalyst SD-WAN | Authentication Bypass | Network | No * |
| CVE-2026-31431 | Linux Kernel | Incorrect Resource Transfer / Priv-Esc | Network | No * |

* Not on CISA KEV list as of May 15, 2026, but active exploitation confirmed in Proofpoint telemetry.
The cPanel Cluster: Mass Exploitation at Scale
CVE-2026-41940, the cPanel authentication bypass, illustrates the opportunistic mass-exploitation pattern most clearly. What began as exploratory probing evolved into a multi-actor campaign combining ransomware deployment, website defacement, and — in at least one documented case — targeted cyber-espionage. We also now increasingly observe this vulnerability within attack chains of threat actors that rely on compromising legitimate websites via web inject, such as TA569 (SocGholish). As these campaigns generally leverage non-malicious email communications to drive intended victims to the compromised assets, we have not included this activity in the “targeted” email section of this report.
Proofpoint sensor data observed automated scanning traffic targeting cPanel instances within days of public proof-of-concept code availability, consistent with how financially motivated actors typically operationalize newly published vulnerabilities.
Cisco SD-WAN: A Persistent Perimeter Target
Three CVEs in our network telemetry affect Cisco Catalyst SD-WAN infrastructure: CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133. The first two are authentication bypass vulnerabilities; the third exposes sensitive configuration data. CISA issued Emergency Directive ED 26-03 specifically covering these flaws. Proofpoint sensor data shows exploitation attempts against exposed SD-WAN management interfaces across multiple verticals, consistent with reconnaissance-phase activity by both nation-state and financially motivated actors.
FINDING #2
Four of the 12 2026 CVEs seen in Proofpoint's network telemetry are not yet on the CISA KEV list. Organizations relying solely on KEV for prioritization are operating with an incomplete picture. Network-scale telemetry is consistently 2–4 weeks ahead of formal KEV inclusion for perimeter vulnerability classes.
Structural Context
AI Is Discovering More Vulnerabilities. It Isn't (Yet) Changing How They're Exploited.
The macro context behind the 2026 CVE surge deserves careful framing. There is credible, growing evidence that frontier AI models are materially accelerating vulnerability discovery. Mozilla's Firefox team, working with frontier models, released 61 patches in February and 76 in March. Apache is experiencing a 170%+ increase in published CVEs. NIST CVE submissions in Q1 2026 ran nearly one-third above the same period last year. By one estimate, 55,000 to 60,000 CVEs will be published across all of 2026.
Critically, these discoveries are being made primarily by defenders and researchers — the intent is patching, not exploitation. The early 2026 surge was initially noisy, with a flood of low-quality AI-assisted submissions, but quality has improved markedly since April as tooling matures.
What Proofpoint's telemetry does not show is a corresponding transformation in attacker behavior. The threat actors exploiting 2026 CVEs in our email and network data are using them the same way they've used newly disclosed vulnerabilities for years: grab the public PoC, adapt it to existing delivery infrastructure, target exposed attack surface opportunistically. APT28 weaponized CVE-2026-21509 within 24 hours — but delivered it via the same spear-phishing RTF/OLE chain the group has used since at least 2022.
THE NUANCE THAT MATTERS
Frontier AI is almost certainly shrinking the window between vulnerability discovery and exploit availability, even if it hasn't yet transformed attacker tradecraft at scale. The 42% year-over-year increase in zero-days exploited before public disclosure (CrowdStrike 2026 Global Threat Report) is a leading indicator worth watching. The story may look different by year-end.
The NIST Gap Problem
One structural consequence of the CVE volume surge deserves particular attention for defenders. NIST has formally acknowledged that the National Vulnerability Database can no longer enrich every new CVE submission at the same speed or depth as before. Backlogged CVEs published before March 1, 2026 are being moved to a "Not Scheduled" enrichment category. For security teams relying on NVD CVSS scores and metadata to drive patch prioritization queues, this creates a systematic blind spot. Threat-intelligence-driven prioritization — using data like Proofpoint's sensor telemetry to identify what is actually being exploited — becomes more important, not less, as the vulnerability catalog scales.
FINDING #3
The surge in 2026 CVE volume is a consequence of AI-assisted vulnerability discovery by defenders, not offensive AI capability deployed at scale. Attacker behavior in Proofpoint telemetry remains opportunistic and technique-stable. The risk is not that AI has transformed the threat actor, but that a higher-volume CVE pipeline will strain patch prioritization processes — particularly as NIST NVD enrichment coverage thins out.
Defensive Guidance
Recommendations for Security Teams
The patterns in Proofpoint's 2026 telemetry translate into several concrete defensive priorities:
1. Don't Wait for KEV to Prioritize Network-Facing CVEs
Four of the 12 2026 CVEs Proofpoint has observed being actively exploited are not yet on the CISA KEV list. For internet-exposed infrastructure — network perimeter devices, mail servers, VPN and remote access management platforms — treat newly disclosed authentication bypass and RCE vulnerabilities as high priority immediately upon disclosure, particularly when public PoC code is available. For certain exploits, prevention via an IPS ruleset will likely be the only available option.
2. Patch Microsoft Office and Windows With Urgency
Both 2026 CVEs observed in targeted email campaigns are Microsoft-ecosystem vulnerabilities. CVE-2026-21509 and CVE-2026-32202 were exploited by APT28 within days of disclosure. Organizations in government, defense, transportation, and European critical infrastructure should treat Microsoft's monthly patches — especially for Office and Windows zero-days — as emergency items. Apply Microsoft's registry hardening guidance alongside patches.
3. Rebuild Patch Prioritization Workflows for Higher Volume
With 55,000–60,000 CVEs projected for 2026 and NVD enrichment coverage declining, CVSS-score-driven prioritization is increasingly inadequate. Teams should augment or replace CVSS-centric workflows with exploitation-signal-based prioritization: which vulnerabilities are generating actual exploit traffic in telemetry right now?
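Recommendations 1 and 3, together with the KEV gap in Finding #2 and the NVD enrichment gap described above, amount to one workflow: rank by observed exploitation first, by KEV membership or public PoC on exposed surface second, and only then by CVSS, without letting a missing CVSS score demote a record. The script below is an added example, not Proofpoint's or CISA's code. It reads a KEV feed excerpt in the shape of CISA's `known_exploited_vulnerabilities.json` (a `vulnerabilities` list whose objects carry a `cveID`), takes the 12 CVEs from the network telemetry table, reports the KEV gap, and assigns response tiers. The hit counts, CVSS values, NVD status strings and the `CVE-2026-EXAMPLE*` identifiers are constructed for the example and are not Proofpoint figures.

```python
"""Exploitation-signal prioritization with a CISA KEV cross-check.

Added example; not Proofpoint's or CISA's code. KEV_FEED_JSON mimics the top-level shape
of CISA's known_exploited_vulnerabilities.json. Hit counts, CVSS values, NVD statuses and
the CVE-2026-EXAMPLE* identifiers are constructed; the twelve real CVE IDs come from the
report's telemetry table.
"""
import json
from dataclasses import dataclass
from typing import Optional

KEV_FEED_JSON = json.dumps({
    "title": "KEV excerpt (constructed for this example)",
    "vulnerabilities": [{"cveID": c} for c in (
        "CVE-2026-20122", "CVE-2026-20128", "CVE-2026-20133", "CVE-2026-0300",
        "CVE-2026-6973", "CVE-2026-41940", "CVE-2026-42897", "CVE-2026-39987",
    )],
})


@dataclass
class Finding:
    cve: str
    product: str
    hits: int                     # exploitation attempts in sensor telemetry (constructed)
    internet_facing: bool = True
    public_poc: bool = True
    cvss: Optional[float] = None  # None: NVD has not enriched the record
    nvd_status: str = "Analyzed"  # e.g. "Awaiting Analysis", "Not Scheduled"
    in_kev: bool = False          # filled in by prioritize()


FINDINGS = [
    Finding("CVE-2026-41940", "WebPros cPanel & WHM", 120000, cvss=9.8),
    Finding("CVE-2026-20122", "Cisco Catalyst SD-WAN", 8400, cvss=9.8),
    Finding("CVE-2026-20128", "Cisco Catalyst SD-WAN", 7900, cvss=9.8),
    Finding("CVE-2026-20133", "Cisco Catalyst SD-WAN Manager", 3100, cvss=7.5),
    Finding("CVE-2026-0300", "Palo Alto PAN-OS", 2600, cvss=9.3),
    Finding("CVE-2026-6973", "Ivanti EPMM", 2200, cvss=9.8),
    Finding("CVE-2026-42897", "Microsoft Exchange Server (OWA)", 1900, cvss=6.1),
    Finding("CVE-2026-39987", "Marimo", 1500, cvss=9.8),
    Finding("CVE-2026-1281", "Ivanti EPMM", 1300, cvss=None, nvd_status="Awaiting Analysis"),
    Finding("CVE-2026-1340", "Ivanti EPMM", 1100, cvss=None, nvd_status="Awaiting Analysis"),
    Finding("CVE-2026-20182", "Cisco Catalyst SD-WAN", 900, cvss=None, nvd_status="Not Scheduled"),
    Finding("CVE-2026-31431", "Linux Kernel", 400, cvss=7.8),
    # Constructed placeholders (not real CVE IDs) that exercise the lower tiers:
    Finding("CVE-2026-EXAMPLE1", "internal app, no traffic seen", 0,
            internet_facing=False, public_poc=False, cvss=9.1),
    Finding("CVE-2026-EXAMPLE2", "internal app, unenriched", 0,
            internet_facing=False, public_poc=False, cvss=None, nvd_status="Not Scheduled"),
    Finding("CVE-2026-EXAMPLE3", "internal app, low severity", 0,
            internet_facing=False, public_poc=False, cvss=4.3),
]

# Response SLA per tier, in hours (constructed policy values, sized to the 48-72h window)
SLA_HOURS = {0: 24, 1: 72, 2: 24 * 14, 3: 24 * 30}


def load_kev_ids(feed_json: str) -> set:
    """Parse a KEV feed with CISA's top-level shape into a set of CVE IDs."""
    return {v["cveID"] for v in json.loads(feed_json)["vulnerabilities"]}


def kev_gap(findings, kev_ids) -> list:
    """CVEs with exploitation evidence in telemetry that KEV does not (yet) list."""
    return sorted(f.cve for f in findings if f.hits > 0 and f.cve not in kev_ids)


def tier(f: Finding) -> int:
    """0 = emergency ... 3 = routine. Exploitation signal outranks any score."""
    if f.hits > 0 and f.internet_facing:
        return 0  # exploit traffic observed against exposed surface
    if f.in_kev or (f.public_poc and f.internet_facing):
        return 1  # confirmed exploited elsewhere, or public PoC on exposed surface
    if f.cvss is None:
        return 2  # unenriched NVD record: treat as unknown-high, never as low
    return 2 if f.cvss >= 7.0 else 3


def prioritize(findings, kev_ids) -> list:
    """Return [(tier, cve)] sorted by tier, then by observed hit volume."""
    for f in findings:
        f.in_kev = f.cve in kev_ids
    return sorted(((tier(f), f.cve) for f in findings),
                  key=lambda t: (t[0], -next(x.hits for x in findings if x.cve == t[1]), t[1]))


if __name__ == "__main__":
    kev = load_kev_ids(KEV_FEED_JSON)
    print("Exploited but not on KEV:", kev_gap(FINDINGS, kev))
    for t, cve in prioritize(FINDINGS, kev):
        print(f"tier {t}  SLA {SLA_HOURS[t]:>4}h  {cve}")
```

In production the feed string would come from CISA's published JSON and the `hits` column from your own IDS or sensor telemetry; the tiering logic is the part that matters. Note that `CVE-2026-20182`, which sits in the "Not Scheduled" NVD category with no CVSS score, still lands in the emergency tier because observed exploitation is evaluated before any score is consulted.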
4. Monitor AI Developer Tooling as an Emerging Attack Surface
CVE-2026-39987 (Marimo RCE) and the BerriAI LiteLLM SQL injection vulnerability represent a newly emerging class of AI developer tooling targets on the KEV list. As AI infrastructure proliferates in enterprise environments — often with broad network access and sensitive credential stores — treat these platforms with the same exposure scrutiny applied to traditional web application infrastructure.
5. Assume the Window Is Narrower Than It Was
TA422’s sub-24-hour weaponization of CVE-2026-21509 is consistent with a structural trend: the time between vulnerability disclosure and exploit availability is compressing. Assume that a high-severity, remotely exploitable vulnerability with public PoC is being actively attempted within 48–72 hours of disclosure, and size response SLAs accordingly.
Methodology
Data Sources and Scope
Email telemetry in this report covers Proofpoint's global email security platform, which analyzes hundreds of millions of messages daily across enterprise customers in AMER, EMEA, and APJ. Targeted attack data reflects campaigns observed by the Proofpoint Emerging Threats team in which 2026 CVEs appeared as the initial access vector.
Network telemetry is sourced from Proofpoint's distributed sensor infrastructure: more than 5,000 passive network sensors generating over 3 million alerts in 2026 year-to-date. CVE observation in this context reflects detected exploitation attempts or successful exploitation events, not theoretical exposure. The CISA KEV catalog figures cited reflect the catalog's state as of May 15, 2026.
CVE background information and campaign attribution details draw on public reporting from CISA, CERT-UA, Trellix, Securelist, Recorded Future, and other sources, corroborated against Proofpoint telemetry.