LinkedIn Carousel - #CyberWeekly Week 22

Inside Job

Your antivirus, a town's IT supplier, a control panel you forgot you had: this week the trusted layer was the way in.

Your antivirus was the target, not your shield

Platform: we name the devices missing from scope

A waste authority breached through its IT supplier

CCB patch watch: SharePoint RCE, cPanel 10.0

Easy Cyber Protection

1/4

Your security tools were the target this week, not your shield

Two stories this week share one theme: the security software meant to protect you was the thing under attack. Trend Micro Apex One is being actively…

Trend Micro Apex One (on-premises): CVE-2026-34926. CISA added it to its Known Exploited Vulnerabilities catalogue on May 21 after Trend Micro confirmed in-the-wild exploitation, and the Centre for Cybersecurity Belgium echoed it on May 26. An attacker can poison a table on the management server so malicious code deploys to every managed agent: the console becomes the distribution network. Patch on-premises now (cloud was fixed in April)
Microsoft Defender: CVE-2026-41091 (CVSS 7.8) and CVE-2026-45498 (CVSS 4.0). One ("RedSun") escalates a local user to full system rights; the other ("UnDefend") lets an ordinary user block Defender's definition updates, silencing it quietly. Both hit CISA's catalogue on May 20; the fix ships via Defender platform auto-updates
The takeaway for managed service providers (MSPs): "we have endpoint detection and response (EDR)" is not a control if the tool can be turned against you or switched off. Confirm Defender updates are actually reaching every managed device, and patch any on-premises Apex One today

Centre for Cybersecurity Belgium advisory → https://ccb.belgium.be/advisories/warning-multiple-vulnerabilities-trendai-apex-one-and-trendai-vision-one-sep-actively

2/4

Platform Spotlight: audit-readiness stops being vague and starts naming the devices missing from your scope

This week the audit-readiness view stopped saying "something is missing" and started naming names. Instead of telling you a control is under-covered, it now…

It names the missing devices. A new scope-gap diagnostic looks at a control, looks at what you actually have connected, and tells you which specific machines or accounts are not yet in scope. Not "population gap" any more, but "these three servers"
You see what proves each control. Every control now shows the actual observed signal behind it: the real setting, the real device, the real piece of evidence, in plain language, instead of a generic "satisfied via integration"
Every register fills itself from the graph. All six entity registers (devices, people, applications and the rest) now populate directly from your Microsoft 365 tenant, so the inventory an auditor checks is the live one, not a spreadsheet someone last touched in March

Run the free NIS2 scope check → https://easycyberprotection.com/dfy/nis2-scope

3/4

Breached through the back office: a Belgian waste authority loses its recycling parks via its IT supplier

On Monday May 18, the recycling parks of Beerse and Merksplas, run by IOK, the inter-municipal waste authority for the Kempen, were knocked offline by a cyberattack. IOK confirmed its own systems were not breached: the…

What happened: a third-party supplier running the recycling-park systems was compromised, so the affected system was switched off as a precaution and the parks could not operate normally. The public body in the headline never had to be breached itself
Why it matters: your security is only as strong as your suppliers'. Most small and medium-sized enterprises (SMEs) hand critical operations to a handful of vendors and never ask what those vendors' security actually looks like
The NIS2 connection: supply-chain security is an explicit obligation under the NIS2 directive, not a nice-to-have. You are expected to assess and manage the risk your suppliers carry into your operation
What to do now: list the suppliers who can take your business down if they go down. Ask each one three questions: do you have multi-factor authentication everywhere, do you have tested backups, and how fast do you tell us if you are breached

Belga via MSN → https://www.msn.com/nl-be/nieuws/nationaal/cyberaanval-treft-recyclagepark-van-beerse-merksplas/ar-AA23zjKg

4/4

CCB patch watch: a SharePoint remote-code-execution flaw and a perfect-10 cPanel bug

The Centre for Cybersecurity Belgium issued a cluster of advisories this week. Two stand out for Belgian SMEs: a SharePoint Server remote-code-execution (RCE) flaw to patch immediately, and a LiteSpeed cPanel/WHM…

SharePoint Server RCE: CVE-2026-45659 (CVSS 8.8), advisory May 27. An authenticated attacker with only "Site Member" permissions can run code over the network through unsafe deserialization. No active exploitation reported yet, but SharePoint RCE chains have a history of fast weaponisation. Many Belgian SMEs still run on-premises SharePoint: patch now
LiteSpeed cPanel/WHM plugin: CVE-2026-48172 (CVSS 10.0), advisory May 26, actively exploited. Root-level compromise of a shared-hosting control panel. If your website or mail sits on cPanel hosting, ask your provider whether they have patched
The same-day cluster: the Centre also flagged critical fixes for Ubiquiti UniFi OS and Cisco Secure Workload on May 26. None of this is a one-off, and it lands every week

Centre for Cybersecurity Belgium advisories → https://ccb.belgium.be/advisories