§ 01 · Cross-sector position

Executive summary.

Overall severity: High
  Multiple sectors exposed to active KEV exploitation and identity-focused intrusions.

Confidence: High
  Key findings supported by CISA KEV listings and corroborated vendor reporting.

Reporting period: 2026-05-15 → 2026-05-22
  7-day U.S. weekly window.

Recommended action: Prioritise KEV remediation & identity hardening
  Immediate: patch internet-facing assets, enforce phishing-resistant MFA.

Identity-focused abuse and rapid exploitation of KEV-listed internet-facing vulnerabilities shaped the U.S. threat landscape this week. Token and OAuth abuse via ROADtools, active e-skimming against WooCommerce via CVE-2026-47100, and CISA KEV additions for Drupal, Trend Micro Apex One, and Langflow drove consistent pressure across government, financial services, MSSPs, and retail and hospitality. Microsoft’s disruption of Fox Tempest malware-signing-as-a-service reduced one criminal enabler but underscored ongoing supply-chain risk.

Confidence breakdown of structured findings: High 7, Medium 5 (12 structured findings in total).

Sector · 01 · Government agency.

Key insight. ROADtools abuse against Entra ID, a contractor GitHub key exposure, and three CISA KEV additions created compounding identity and perimeter risk for U.S. government agencies this week. C1 C2 C3

Findings

  • ROADtools identity tooling abuse (Entra ID) — nation-state actors abused ROADtools for Entra ID discovery, device-registration persistence, and token exchange that can bypass interactive MFA and conditional access where protections are not configured. Medium confidence C1
  • CISA KEV additions (CVE-2026-9082, CVE-2026-34926, CVE-2025-34291) — critical Drupal SQL injection (PostgreSQL), Trend Micro Apex One, and Langflow developer tooling all added to KEV catalog; FCEB agencies must remediate under BOD 22-01. High confidence C2
  • AWS GovCloud key exposure (contractor GitHub) — a public contractor repository exposed AWS GovCloud keys and internal deployment artifacts; all exposed credentials should be treated as compromised and rotated immediately. High confidence C3

Recommended executive action

  • Enforce token protection and restrict device-code flows for Entra ID; initiate secrets rotation for any contractor-exposed keys. High confidence
  • Map KEV entries to agency internet-facing assets and apply compensating controls where immediate patching is not possible. High confidence
  • Task cloud/identity owners to run Unit 42 XQL hunts for scripted user-agent patterns and anomalous device registrations. Medium confidence

Selected indicators (defanged)

IOC type   | Indicator (defanged)          | Context                                              | Confidence
-----------|-------------------------------|------------------------------------------------------|-----------
User-Agent | python-requests/* ; roadtools | Hunt in MS Graph & Entra ID audit logs (ROADtools)   | Medium
CVE        | CVE-2026-9082                 | Critical Drupal SQL injection (PostgreSQL); CISA KEV | High
CVE        | CVE-2026-34926                | Trend Micro Apex One; CISA KEV                       | High
CVE        | CVE-2025-34291                | Langflow developer tooling; CISA KEV                 | High

Sources & reading. Palo Alto Unit 42 ROADtools analysis; CISA KEV catalog; Dark Reading / KrebsOnSecurity (contractor exposure).

Sector · 02 · Financial services.

Key insight. Identity-first intrusions — phishing, token theft, OAuth abuse, MFA bypass — dominated observed incidents and remain the primary route to account takeover and payment fraud for U.S. financial institutions. High confidence C4

Findings

  • Identity-focused attack dominance — phishing, token theft, MFA bypass, and OAuth abuse remained the dominant risk theme; these compress the attack lifecycle and enable rapid account takeover. High confidence C4
  • KEV exploitation pressure — financial organisations with externally facing services matching CISA KEV additions face elevated exploitation risk; cross-checking internet-facing assets against KEV is essential. High confidence C2
  • Third-party ransomware / extortion risk — ongoing ransomware and data-extortion activity against fintechs and processors continues to pose downstream risk to banks and credit unions. High confidence C5
  • Dark-web visibility gap — credential collection limitations reduced confidence in detecting underground sales for FSI this week. Medium confidence

Regulatory implications

  • FFIEC / Operational Resilience: Validate third-party continuity plans and patching timelines against FFIEC expectations.
  • PCI-DSS / SOX: Payment rails and transaction integrity controls must be validated following any card-data exposure or unusual payment activity.

Recommended executive action

  • Enforce phishing-resistant MFA for high-value roles and require out-of-band verification for high-value transfers. High confidence
  • Map KEV entries to external assets and remediate or segment affected services. High confidence
  • Re-establish dark-web monitoring to detect credential sales and DLS postings tied to sector victims. Medium confidence

Sector · 03 · Managed security service providers (MSSPs).

Key insight. No confirmed new MSSP-wide breach in the window, but high-severity vulnerabilities in ConnectWise Automate and ManageEngine ADSelfService create material supply-chain and concentration risk across managed client estates. High confidence C6 C7

Findings

  • ConnectWise Automate CVE-2026-9089 — CVSS 8.8 high-severity RCE-related risk in the Automate Agent / RMM platform; remediated in version 2026.5. Unpatched instances present significant supply-chain risk. High confidence C6
  • ManageEngine ADSelfService CVE-2026-2740 — authenticated remote code execution path in MSSP-managed identity tooling; vendor advisory and patches available. High confidence C7
  • Fox Tempest supply-chain risk — Microsoft’s disruption of the malware-signing-as-a-service operation highlights the need for behavioural validation of signed installers across managed estates.

Selected indicators — MSSP tooling CVEs

CVE           | Affected product                      | Severity / patch                    | Confidence
--------------|---------------------------------------|-------------------------------------|-----------
CVE-2026-9089 | ConnectWise Automate (Agent / RMM)    | 8.8 High — Fixed in Automate 2026.5 | High
CVE-2026-2740 | ManageEngine ADSelfService (Auth RCE) | Vendor advisory — patch recommended | High

Recommended executive action

  • Prioritise patching ConnectWise Automate to 2026.5 and apply vendor mitigations for ManageEngine where deployed. High confidence
  • Review RMM/PSA auto-update channels and restrict plugin sources; monitor for anomalous plugin or update activity. High confidence
  • Instruct downstream clients to validate vendor attestations and consider temporary isolation of exposed agents until patched. High confidence

Sector · 04 · Retail & hospitality.

Key insight. Active e-skimming exploitation of CVE-2026-47100 (Funnel Builder / WooCommerce) with live card-stealing payloads and WebSocket C2, combined with a BWH Hotels guest-data exposure, made retail and hospitality the most immediately impacted sector this week. High confidence C8 C10

Findings

  • Funnel Builder CVE-2026-47100 — active e-skimming — FunnelKit (WooCommerce) was actively exploited to inject e-skimming JavaScript into checkout flows; Sansec observed payloads loading from analytics-reports[.]com and WebSocket C2 at protect-wss[.]com. Patch v3.15.0.3 available. High confidence C8
  • Fox Tempest disruption — supply-chain signing risk — Microsoft’s takedown of the malware-signing-as-a-service portal removed a service that had reduced delivery friction for criminal affiliates via fake support tools and signed installers. High confidence C9
  • BWH Hotels guest-data exposure — hospitality guest-record exposure increased likelihood of follow-on phishing and social engineering against affected customers. High confidence C10
  • Credential stuffing / loyalty account takeover — persistent trend; defenders should prioritise rate-limiting and fraud detection for loyalty portals.

Selected indicators (defanged)

IOC type     | Indicator (defanged)                      | Context                                                     | Confidence
-------------|-------------------------------------------|-------------------------------------------------------------|-----------
URL          | analytics-reports[.]com/wss/jquery-lib.js | Skimmer payload — FunnelKit exploitation (Sansec)           | High
WebSocket C2 | wss://protect-wss[.]com/ws                | Skimmer C2 in exploitation samples                          | High
Domain       | signspace[.]cloud                         | Fox Tempest MSaaS portal (seized / disrupted)               | High
CVE          | CVE-2026-47100                            | Funnel Builder (FunnelKit) WooCommerce — actively exploited | High

Recommended executive action

  • Patch Funnel Builder to v3.15.0.3 immediately; hunt for injected scripts on checkout pages and block payload hosts at the WAF. High confidence
  • Validate loyalty and guest-portal MFA and enforce rate-limiting for account actions. High confidence
  • Prepare customer-notification and remediation templates for data-exposure incidents. Medium confidence

Synthesis · U.S. cross-sector summary & risk outlook.

Cross-sector synthesis. Identity abuse (ROADtools Entra ID tooling, token/OAuth theft, phishing) and KEV-driven exploitation of internet-facing components (Drupal, Trend Micro Apex One, Langflow, WooCommerce) were the dominant enabling conditions across all four observed U.S. sectors. Microsoft’s Fox Tempest disruption and ConnectWise/ManageEngine vulnerability disclosures compound concentration risk for MSSPs and their downstream clients.

Top prioritised actions for leadership. Patch KEV-listed internet-facing assets (CISO / IT Ops — immediate), enforce phishing-resistant MFA across all high-value roles (Identity team — immediate), and rotate any contractor-exposed cloud credentials while auditing MSSP tooling for CVE-2026-9089 and CVE-2026-2740. High confidence

§ 02 · Consolidated & prioritised

Recommended actions.

Immediate (0–24 hours)

  1. Approve emergency patching for KEV-listed CVEs and Drupal CVE-2026-9082 across internet-facing assets. Prioritise PostgreSQL-backed Drupal instances; apply compensating WAF controls where patching is delayed. Owner: CISO / IT Ops. C2
  2. Enforce phishing-resistant MFA for high-value accounts and restrict device-code / OAuth flows. Reduce ROADtools and AiTM success; apply across identity providers and break-glass accounts. Owner: CISO / Identity Team. C1 C4
  3. Patch ConnectWise Automate to 2026.5 and apply ManageEngine mitigations; notify downstream clients. Restrict plugin sources and disable automatic plugin installation where not necessary. Owner: MSSP Operations. C6 C7
  4. Patch Funnel Builder to v3.15.0.3; hunt for injected scripts and block analytics-reports[.]com and protect-wss[.]com at WAF. Monitor payment processing for anomalous transactions; coordinate with acquiring bank. Owner: Head of E-Commerce Security. C8

Short term (1–7 days)

  • Inventory and validate exposure for PostgreSQL-backed Drupal sites; apply compensating WAF rules where patching is delayed. C2
  • Rotate any exposed contractor / cloud credentials; enforce short-lived credentials for contractor GovCloud access. C3
  • Re-establish dark-web monitoring to detect credential sales and DLS postings tied to sector victims.
  • Validate signed binaries and require behavioural attestation for vendor-supplied software in light of Fox Tempest disruption. C9

Monitor

  • Watchlist: Drupal + PostgreSQL public sites, ConnectWise Automate deployments, Funnel Builder plugin instances, and identity / OAuth app inventories.
  • Continue monitoring vendor advisories (CISA, vendor bulletins) for exploit details and mitigation updates.

§ 03 · Observables

IOC / Observable table.

Type          | Indicator (defanged)                      | Context / source                                     | Confidence
--------------|-------------------------------------------|------------------------------------------------------|-----------
URL / Payload | analytics-reports[.]com/wss/jquery-lib.js | FunnelKit e-skimmer payload (Sansec)                 | High
WebSocket C2  | wss://protect-wss[.]com/ws                | Skimmer C2 in FunnelKit exploitation                 | High
Domain        | signspace[.]cloud                         | Fox Tempest MSaaS portal (seized / disrupted)        | High
User-Agent    | python-requests/* ; roadtools             | Hunt in MS Graph & Entra ID audit logs               | Medium
CVE           | CVE-2026-9082                             | Critical Drupal SQL injection (PostgreSQL); CISA KEV | High
CVE           | CVE-2026-34926                            | Trend Micro Apex One; CISA KEV                       | High
CVE           | CVE-2025-34291                            | Langflow developer tooling; CISA KEV                 | High
CVE           | CVE-2026-9089                             | ConnectWise Automate — CVSS 8.8; fixed in 2026.5     | High
CVE           | CVE-2026-2740                             | ManageEngine ADSelfService — Auth RCE                | High
CVE           | CVE-2026-47100                            | Funnel Builder (FunnelKit) WooCommerce; actively exploited | High

§ 04 · Sector technical annex

Technical details.

A1 · FunnelKit / CVE-2026-47100 (E-skimming)

Detection guidance.

  • Hunt for unexpected script loads on checkout pages and WAF logs for requests to analytics-reports[.]com or base64-encoded script injections.
  • Monitor web-proxy and WAF logs for outbound WebSocket connections to protect-wss[.]com.

Mitigation detail. Patch Funnel Builder to v3.15.0.3. Interim: remove unknown external scripts from checkout settings; apply WAF rule to block payload hosts. Monitor payment processing for anomalous transactions.

Type      | Indicator (defanged)                      | Context
----------|-------------------------------------------|----------------
URL       | analytics-reports[.]com/wss/jquery-lib.js | Skimmer payload
WebSocket | wss://protect-wss[.]com/ws                | Skimmer C2
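A concrete form of the checkout-page hunt above, written as an added example (not Sansec's or the brief's own tooling): it parses a checkout page, reports external script hosts outside an allowlist and WebSocket endpoints in inline JavaScript, and matches both against the brief's defanged indicators. The allowlist host shop.example and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators from the brief, kept defanged in source and refanged in memory for matching.
DEFANGED_IOCS = ["analytics-reports[.]com", "protect-wss[.]com"]
WSS_RE = re.compile(r"wss?://([A-Za-z0-9.-]+)")  # WebSocket endpoints inside inline JS

def refang(ioc: str) -> str:
    """Turn 'example[.]com' / 'hxxps[:]//' style strings back into matchable form."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

IOC_HOSTS = {refang(i) for i in DEFANGED_IOCS}
class _ScriptCollector(HTMLParser):
    """Collect hosts of external <script src> tags and the text of inline scripts."""
    def __init__(self):
        super().__init__()
        self.src_hosts, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.src_hosts.append(urlparse(src).hostname or "")
        else:
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def hunt_checkout_page(html: str, allowed_hosts: set) -> dict:
    """Report script hosts outside the allowlist, WebSocket hosts found in inline JS,
    and which of the brief's indicators were hit (in either list)."""
    p = _ScriptCollector()
    p.feed(html)
    unexpected = sorted({h for h in p.src_hosts if h and h not in allowed_hosts})
    ws_hosts = sorted({m.group(1) for s in p.inline for m in WSS_RE.finditer(s)})
    matched = sorted(IOC_HOSTS & (set(unexpected) | set(ws_hosts)))
    return {"unexpected_scripts": unexpected, "websocket_hosts": ws_hosts, "ioc_matches": matched}

# Constructed sample checkout page (not a real capture), written defanged and refanged
# at load time: one legitimate plugin script, one injected loader, one WebSocket C2 call.
SAMPLE_CHECKOUT = refang("""<html><body>
<script src="https://shop.example/wp-content/plugins/woocommerce/assets/js/checkout.js"></script>
<script src="https://analytics-reports[.]com/wss/jquery-lib.js"></script>
<script>var s = new WebSocket("wss://protect-wss[.]com/ws");</script></body></html>""")
```

Run hunt_checkout_page(SAMPLE_CHECKOUT, {"shop.example"}) against a fetched checkout page with your own first-party hosts in the allowlist; any non-empty ioc_matches is a patch-and-block trigger, and any unexpected_scripts entry deserves a manual look.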

A2 · ConnectWise Automate — CVE-2026-9089

Detection guidance. Audit plugin/update origins; monitor agent behavior for unexpected component loads. Search for anomalous network connections from managed hosts following plugin/update events.

Mitigation detail. Upgrade Automate to 2026.5 (vendor bulletin). Restrict plugin sources and disable automatic plugin installation where not necessary.

A3 · Drupal CVE-2026-9082 (Critical SQL injection)

Detection guidance. Monitor web application logs for anomalous POST payloads, unusual SQL error traces, and unexpected query patterns on PostgreSQL-backed Drupal instances. Run runZero or similar discovery to identify affected instances.

Mitigation detail. Apply Drupal SA-CORE-2026-004 patches immediately. Interim: apply WAF rules for known SQLi vectors. Treat as KEV-priority for internet-facing deployments.

A4 · ROADtools — Entra ID identity tooling abuse

Detection guidance.

  • Search Microsoft Graph and Entra ID audit logs for scripted user agents such as python-requests/* or occurrences of the string roadtools in UA fields.
  • Hunt for unusual device registration events with default device names (e.g., DESKTOP-XXXXXXXX) and correlate with token issuance events.

Mitigation. Enable token protection; restrict device-code flow in conditional access; audit OAuth app consent; enforce least privilege for service principals.
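The two hunts above combined into one pass over sign-in and audit records, as an added example (not Unit 42's or the brief's own query): it flags scripted user agents, default-named device registrations, and the higher-confidence sequence of a registration followed shortly by a scripted token request from the same user. The flat JSON-lines schema, the 30-minute window and the sample records are constructed assumptions, not the real Entra ID export format.

```python
import json
import re
from datetime import datetime, timedelta

# Patterns from the brief's detection guidance: scripted user agents ("python-requests/*",
# "roadtools") and the DESKTOP-XXXXXXXX default device-name shape it cites.
SCRIPTED_UA = re.compile(r"python-requests/|roadtools", re.IGNORECASE)
DEFAULT_DEVICE = re.compile(r"^DESKTOP-[A-Z0-9]{7,8}$")
CORRELATION_WINDOW = timedelta(minutes=30)  # assumption; tune to the tenant's baseline

def parse_events(lines):
    """Parse JSON-lines records into dicts with a datetime 'ts'. The flat schema
    (ts, user, event, userAgent, deviceName) is assumed, not the real Entra export."""
    events = []
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return sorted(events, key=lambda r: r["ts"])

def hunt_roadtools(events):
    """Flag scripted user agents, default-named device registrations, and the
    higher-confidence case of both for one user within CORRELATION_WINDOW."""
    findings, registrations = [], {}  # registrations: user -> last default-named reg time
    for e in events:
        if e.get("event") == "device_registration" and DEFAULT_DEVICE.match(e.get("deviceName", "")):
            registrations[e["user"]] = e["ts"]
            findings.append(("default_device_name", e["user"], e["deviceName"]))
        if SCRIPTED_UA.search(e.get("userAgent", "")):
            findings.append(("scripted_user_agent", e["user"], e["userAgent"]))
            reg_ts = registrations.get(e["user"])
            if reg_ts is not None and e["ts"] - reg_ts <= CORRELATION_WINDOW:
                findings.append(("registration_then_token", e["user"], str(e["ts"] - reg_ts)))
    return findings

# Constructed sample log lines (not real tenant data): a benign browser sign-in, a
# default-named device registration, then a scripted token request by the same user.
SAMPLE_LOG = """
{"ts": "2026-05-20T09:00:00", "user": "alice@agency.example", "event": "sign_in", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"}
{"ts": "2026-05-20T09:05:00", "user": "bob@agency.example", "event": "device_registration", "deviceName": "DESKTOP-A1B2C3D"}
{"ts": "2026-05-20T09:12:00", "user": "bob@agency.example", "event": "token_issued", "userAgent": "python-requests/2.31.0"}
{"ts": "2026-05-20T11:00:00", "user": "carol@agency.example", "event": "sign_in", "userAgent": "roadtools/1.0"}
""".strip().splitlines()

if __name__ == "__main__":
    for f in hunt_roadtools(parse_events(SAMPLE_LOG)):
        print(*f)
```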

§ 05 · Weekly chronology

Incident timeline (2026-05-15 → 2026-05-22).

  • 2026-05-14: Sansec publishes FunnelKit CVE-2026-47100 e-skimming research.
  • 2026-05-19: Microsoft disrupts Fox Tempest malware-signing-as-a-service.
  • 2026-05-21: CISA adds CVE-2026-9082, CVE-2026-34926, CVE-2025-34291 to KEV catalog.
  • 2026-05-22: Unit 42 publishes ROADtools Entra ID abuse analysis.

§ 06 · References

Sources used.

# | Source                                                   | URL / note                                                                                                        | Type
--|----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|-------------------
1 | CISA — KEV Catalog / Advisories                          | https[:]//www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog                                               | Vulnerability
2 | Palo Alto Unit 42 — ROADtools analysis                   | https[:]//unit42[.]paloaltonetworks[.]com/roadtools-cloud-attacks/                                               | Vendor report
3 | Sansec — FunnelKit research                              | https[:]//sansec[.]io/research/funnelkit-woocommerce-vulnerability-exploited                                     | Research
4 | ConnectWise / ManageEngine advisories                    | Vendor bulletins (ConnectWise; ManageEngine)                                                                      | Vendor advisories
5 | Microsoft Security Blog — Fox Tempest takedown           | https[:]//www[.]microsoft[.]com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/ | Vendor report
6 | Dark Reading / KrebsOnSecurity — contractor key exposure | Multiple outlets — CISA contractor GitHub exposure                                                                | News
7 | BleepingComputer / The Hacker News / SecurityWeek        | Multiple URLs — sector news (May 2026)                                                                            | News / OSINT
8 | DarkOwl — dark-web sampling                              | Credential and cloud-account commerce observations                                                                | Internal monitoring

Prepared by Protos AI Threat Intelligence. TLP:AMBER — share with internal stakeholders and trusted sector partners only. Do not redistribute publicly.

Next brief: 2026-05-29. Update if new vendor disclosures land or confirmed U.S. sector incidents emerge in the next 7-day window.