#CyberWeekly

May 22 - May 28, 2026

Your security tools were the target this week, not your shield

The lock on the door was the thing that got picked this week.

Two stories this week share one theme: the security software meant to protect you was the thing under attack. Trend Micro Apex One is being actively exploited, and two Microsoft Defender zero-days let attackers seize full system rights or quietly switch the antivirus off.

  • Trend Micro Apex One (on-premises): CVE-2026-34926. CISA added it to its Known Exploited Vulnerabilities catalogue on May 21 after Trend Micro confirmed in-the-wild exploitation, and the Centre for Cybersecurity Belgium echoed it on May 26. An attacker can poison a table on the management server so malicious code deploys to every managed agent: the console becomes the distribution network. Patch on-premises now (cloud was fixed in April)
  • Microsoft Defender: CVE-2026-41091 (CVSS 7.8) and CVE-2026-45498 (CVSS 4.0). One ("RedSun") escalates a local user to full system rights; the other ("UnDefend") lets an ordinary user block Defender's definition updates, silencing it quietly. Both hit CISA's catalogue on May 20; the fix ships via Defender platform auto-updates
  • The takeaway for managed service providers (MSPs): "we have endpoint detection and response (EDR)" is not a control if the tool can be turned against you or switched off. Confirm Defender updates are actually reaching every managed device, and patch any on-premises Apex One today

The boring controls are what contain this: timely patching, least privilege, and not trusting a single agent blindly. Our antivirus comparison and patch-management guide are the plain-language versions.
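One way to act on that takeaway, as an added example (not the newsletter's or Microsoft's code): a PowerShell sweep over your managed Windows devices that flags stale Defender definitions, an out-of-date platform build, or protection that has been switched off. It relies on the built-in Get-MpComputerStatus cmdlet and PowerShell remoting; the device list, the signature-age threshold and the minimum platform version are assumptions you fill in (the patched platform version is not stated in this issue, so it is left as a placeholder).

```powershell
# Added example: flag managed devices whose Defender is stale, downgraded or disabled.
# Assumes WinRM remoting is enabled and the caller is a local admin on each target.
param(
    [string[]]$ComputerName = @('localhost'),      # assumption: replace with your managed-device list
    [int]$MaxSignatureAgeDays = 2,                 # assumption: tune to your update policy
    [version]$MinimumPlatformVersion = '0.0.0.0'   # PLACEHOLDER: fixed platform version from Microsoft's advisory
)

# Collect the per-device status in one remoting round trip.
$status = Invoke-Command -ComputerName $ComputerName `
    -ErrorAction SilentlyContinue -ErrorVariable unreachable -ScriptBlock {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        SignatureUpdated   = $s.AntivirusSignatureLastUpdated
        SignatureAgeDays   = $s.AntivirusSignatureAge
        PlatformVersion    = $s.AMProductVersion
        RealTimeProtection = $s.RealTimeProtectionEnabled
        TamperProtected    = $s.IsTamperProtected
    }
}

# Evaluate each device against the thresholds; emit one finding object per device.
foreach ($d in $status) {
    $problems = @()
    if ($d.SignatureAgeDays -gt $MaxSignatureAgeDays) {
        $problems += "definitions $($d.SignatureAgeDays) days old (last $($d.SignatureUpdated))"
    }
    if ([version]$d.PlatformVersion -lt $MinimumPlatformVersion) {
        $problems += "platform $($d.PlatformVersion) below required minimum"
    }
    if (-not $d.RealTimeProtection) { $problems += 'real-time protection disabled' }
    if (-not $d.TamperProtected)    { $problems += 'tamper protection disabled' }

    [pscustomobject]@{
        Computer = $d.Computer
        Status   = if ($problems) { 'ATTENTION' } else { 'OK' }
        Problems = ($problems -join '; ')
    }
}

# A device you cannot query is a finding too: an agent you cannot see is not a control.
foreach ($err in $unreachable) {
    [pscustomobject]@{
        Computer = [string]$err.TargetObject
        Status   = 'UNREACHABLE'
        Problems = $err.Exception.Message
    }
}
```

Pipe the output to `Format-Table` for a quick read or to `Export-Csv` to keep the evidence for the client file.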

Centre for Cybersecurity Belgium advisory →

Platform Spotlight: audit-readiness stops being vague and starts naming the devices missing from your scope

"Eighty percent done" helps no one. "Add these three servers" is a to-do list. Sand-tested.

This week the audit-readiness view stopped saying "something is missing" and started naming names. Instead of telling you a control is under-covered, it now points at the exact devices missing from your scope, shows the real signal that proves each control, and pulls every register straight from your Microsoft tenant. And anyone can now run a free NIS2 scope quick-check before committing to anything.

  • It names the missing devices. A new scope-gap diagnostic looks at a control, looks at what you actually have connected, and tells you which specific machines or accounts are not yet in scope. Not "population gap" any more, but "these three servers"
  • You see what proves each control. Every control now shows the actual observed signal behind it: the real setting, the real device, the real piece of evidence, in plain language, instead of a generic "satisfied via integration"
  • Every register fills itself from the graph. All six entity registers (devices, people, applications and the rest) now populate directly from your Microsoft 365 tenant, so the inventory an auditor checks is the live one, not a spreadsheet someone last touched in March
  • A dedicated page per entity. Click any device or person and land on its own page showing every control it touches, and why
  • Free NIS2 scope quick-check. Not a customer yet? Run a free scope-and-baseline quick-check and see where you stand, no commitment, no card

The throughline: an audit-ready answer is only useful if it is specific. "You are 80% there" helps no one; "add these three servers and link this one policy" is a to-do list. See how scope works in a real NIS2 engagement.

Run the free NIS2 scope check →

Breached through the back office: a Belgian waste authority loses its recycling parks via its IT supplier

On Monday May 18, the recycling parks of Beerse and Merksplas, run by IOK, the inter-municipal waste authority for the Kempen, were knocked offline by a cyberattack. IOK confirmed its own systems were not breached: the attacker hit an external supplier that runs the parks' control and weighbridge systems, and the disruption cascaded downstream. It is the most ordinary kind of incident there is, and the most instructive.

  • What happened: a third-party supplier running the recycling-park systems was compromised, so the affected system was switched off as a precaution and the parks could not operate normally. The public body in the headline never had to be breached itself
  • Why it matters: your security is only as strong as your suppliers'. Most small and medium-sized enterprises (SMEs) hand critical operations to a handful of vendors and never ask what those vendors' security actually looks like
  • The NIS2 connection: supply-chain security is an explicit obligation under the NIS2 directive, not a nice-to-have. You are expected to assess and manage the risk your suppliers carry into your operation
  • What to do now: list the suppliers who can take your business down if they go down. Ask each one three questions: do you have multi-factor authentication everywhere, do you have tested backups, and how fast do you tell us if you are breached

The authority in the headline did nothing wrong, and still spent days restoring service. That is the whole point of supply-chain risk. Start with our supplier security guide and the NIS2 supply-chain requirements.

Belga via MSN →

CCB patch watch: a SharePoint remote-code-execution flaw and a perfect-10 cPanel bug

The Centre for Cybersecurity Belgium issued a cluster of advisories this week. Two stand out for Belgian SMEs: a SharePoint Server remote-code-execution (RCE) flaw to patch immediately, and a LiteSpeed cPanel/WHM plugin bug with the rare combination of a perfect 10.0 severity score and confirmed active exploitation.

  • SharePoint Server RCE: CVE-2026-45659 (CVSS 8.8), advisory May 27. An authenticated attacker with only "Site Member" permissions can run code over the network through unsafe deserialization. No active exploitation reported yet, but SharePoint RCE chains have a history of fast weaponisation. Many Belgian SMEs still run on-premises SharePoint: patch now
  • LiteSpeed cPanel/WHM plugin: CVE-2026-48172 (CVSS 10.0), advisory May 26, actively exploited. Root-level compromise of a shared-hosting control panel. If your website or mail sits on cPanel hosting, ask your provider whether they have patched
  • The same-day cluster: the Centre also flagged critical fixes for Ubiquiti UniFi OS and Cisco Secure Workload on May 26. None of this is a one-off, and it lands every week

Patch management is the discipline that turns this weekly rhythm into a calendar instead of a fire drill. Our patch-management guide is the version you can hand to a client.

Centre for Cybersecurity Belgium advisories →


Tom Janssens

Editor, #CyberWeekly — LinkedIn

easycyberprotection.com
TARS AI