CVE-2026-4911, CVE-2026-5502, CVE-2026-1108: CISA KEV Alert — Analysis, Detection, and Patching

By Senior Security Consultant, Security Arsenal

Introduction

On May 27, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added three critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. This addition signals that active exploitation has been detected in the wild, raising the urgency for Federal Civilian Executive Branch (FCEB) agencies and the broader private sector. Under Binding Operational Directive (BOD) 22-01, FCEB agencies are required to patch these vulnerabilities by June 17, 2026.

For defenders, this alert underscores a harsh reality: perimeter devices (Fortinet), web application frameworks (Progress Telerik), and core operating systems (Linux Kernel) are simultaneously under fire. This post provides a technical breakdown of the flaws, actionable detection logic, and immediate remediation steps.

Technical Analysis

1. CVE-2026-4911: Fortinet FortiOS SSL-VPN Heap Overflow

• Affected Product: Fortinet FortiOS
• Affected Versions: 7.2.0 through 7.2.8; 7.4.0 through 7.4.2
• CVSS Score: 9.8 (Critical)
• Vector: Network, Low Complexity, No Privs Required, User Interaction: None

Defender's View: This vulnerability is a heap-based buffer overflow in the SSL-VPN component of FortiOS. An unauthenticated, remote attacker can send specially crafted requests to the SSL-VPN web portal to corrupt heap memory. Successful exploitation results in Arbitrary Code Execution (RCE) as the root user. Given the privileged position of perimeter firewalls, this provides attackers with a beachhead to pivot into internal networks. Exploitation does not require user authentication, making internet-facing devices primary targets for automated scanning tools.

2. CVE-2026-5502: Progress Telerik UI Remote Code Execution

• Affected Product: Progress Telerik UI for ASP.NET AJAX
• Affected Versions: R1 2024 SP1 (2024.1.424) and earlier
• CVSS Score: 9.8 (Critical)
• Vector: Network, Low Complexity, Privs Required (Low - typically anonymous web access), User Interaction: None

Defender's View: The flaw stems from insecure deserialization within the DialogHandler and other Telerik RadAsyncUpload components. Attackers can leverage a hardcoded cryptographic key (or a misconfigured one) to encrypt and serialize malicious .NET objects. When the server deserializes the payload, it executes arbitrary code within the context of the IIS application pool (often SYSTEM if misconfigured). This is a classic supply-chain issue affecting legacy enterprise applications.

3. CVE-2026-1108: Linux Kernel nf_tables Use-After-Free

• Affected Product: Linux Kernel
• Affected Versions: 5.10 through 6.6
• CVSS Score: 7.8 (High)
• Vector: Local, Low Complexity, Privs Required: Low

Defender's View: A use-after-free vulnerability was discovered in the netfilter nf_tables component, responsible for packet filtering (iptables/nftables). A local user with low privileges can trigger a race condition during batch rule deletion/updates, leading to kernel memory corruption. While this requires local access initially, it is often paired with a web RCE (like CVE-2026-5502) or a misconfigured container breakout to escape containment and achieve root privileges on the host.

Detection & Response

Given the active exploitation status, SOC teams must prioritize detection of anomalous behavior associated with these vulnerabilities.

Sigma Rules

---
title: Potential Fortinet FortiOS SSL-VPN Exploitation Attempt
id: 8c4e3d12-7a9b-4f1c-9e0a-2b4d6e8f0a1b
status: experimental
description: Detects potential heap overflow exploitation attempts against FortiOS SSL-VPN interface based on URI anomalies and heavy request patterns.
references:
  - https://www.cisa.gov/news-events/alerts/2026/05/27/cisa-adds-three-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/05/28
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
  product: fortinet
detection:
  selection:
    c-uri|contains:
      - '/remote/login'
      - '/remote/fortisslvpn'
    sc-status: 400
    cs-method: POST
  condition: selection
falsepositives:
  - Legitimate misconfigurations
level: high
---
title: Progress Telerik RadAsyncUpload Deserialization Activity
id: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
status: experimental
description: Detects requests to Telerik DialogHandler indicative of deserialization attacks or key validation attempts.
references:
  - https://www.cisa.gov/news-events/alerts/2026/05/27/cisa-adds-three-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/05/28
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    c-uri|contains: 'Telerik.Web.UI.DialogHandler.aspx'
  selection_large:
    cs-bytes > 10000
  condition: selection or selection_large
falsepositives:
  - Legitimate file uploads in enterprise apps
level: medium
---
title: Linux Kernel nf_tables Privilege Escalation Activity
id: 9f8e7d6c-5b4a-3c2d-1e0f-9a8b7c6d5e4f
status: experimental
description: Detects suspicious nft command usage often associated with triggering the use-after-free vulnerability in nf_tables.
references:
  - https://www.cisa.gov/news-events/alerts/2026/05/27/cisa-adds-three-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/05/28
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith: '/nft'
    CommandLine|contains:
      - 'delete element'
      - 'flush ruleset'
  condition: selection
falsepositives:
  - Legitimate firewall administration
level: medium

KQL (Microsoft Sentinel / Defender)

// Hunt for Fortinet SSL-VPN anomalies (CEF/Syslog format)
CommonSecurityLog
| where DeviceVendor == "Fortinet"
| where DeviceProduct == "FortiGate"
| where RequestURL contains "/remote/"
| where SentBytes > 2000 or ReceivedBytes > 5000
| project TimeGenerated, DeviceAction, SourceIP, DestinationIP, RequestURL, Reason
| order by TimeGenerated desc

// Hunt for Telerik Exploitation Indicators in IIS Logs
W3CIISLog
| where csUriStem contains "Telerik.Web.UI.DialogHandler.aspx"
| where scStatus == 500 or scStatus == 200
| extend Timestamp = TimeGenerated
| project Timestamp, sIP, cIP, csUriQuery, csUserAgent, scStatus, scWin32Status
| order by Timestamp desc

// Hunt for Linux Kernel Exploit attempts via Auditd
Syslog
| where ProcessName == "nft"
| where SyslogMessage contains "delete" or SyslogMessage contains "flush"
| project TimeGenerated, HostName, ProcessName, SyslogMessage
| order by TimeGenerated desc

Velociraptor VQL

// Hunt for suspicious nft processes on Linux endpoints
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name = 'nft'
   AND (CommandLine =~ 'delete' OR CommandLine =~ 'flush')

// Scan for Telerik specific files in web roots
SELECT FullPath, Size, Mtime
FROM glob(globs='/var/www/*/Telerik.Web.UI.dll')

Remediation Script (Bash)

#!/bin/bash
# Remediation and Check Script for CVE-2026-1108 (Linux Kernel)
# Usage: sudo ./check_kernel.sh

echo "[+] Checking Linux Kernel Version for CVE-2026-1108..."
CURRENT_KERNEL=$(uname -r)
echo "Current Kernel: $CURRENT_KERNEL"

# List of vulnerable kernels (simplified representation for 2026 context)
VULNERABLE_PATTERNS=("5.10" "5.15" "6.1" "6.5")

IS_VULNERABLE=false
for pattern in "${VULNERABLE_PATTERNS[@]}"; do
    if [[ "$CURRENT_KERNEL" == $pattern* ]]; then
        IS_VULNERABLE=true
        break
    fi
done

if [ "$IS_VULNERABLE" = true ]; then
    echo "[!] ALERT: System is running a vulnerable kernel version."
    echo "[+] Action Required: Update to Kernel 6.6.18 or higher immediately."
    # Example remediation command for Debian/Ubuntu systems (uncomment to execute)
    # apt-get update && apt-get install -y linux-image-generic
else
    echo "[+] Kernel version appears patched or not in the vulnerable range."
fi

Remediation

1. Fortinet FortiOS (CVE-2026-4911)

• Action: Upgrade to the latest firmware immediately.
• Fixed Versions:
  • FortiOS 7.2.9 or later
  • FortiOS 7.4.3 or later
• Workaround: If immediate patching is impossible, disable SSL-VPN access from untrusted networks or enforce strict IP allow-listing via Local-in policies. Disable the admin access on the WAN interface if not required for VPN authentication.
• Vendor Advisory: Fortinet PSIRT Advisory

2. Progress Telerik (CVE-2026-5502)

• Action: Update the Telerik UI for ASP.NET AJAX libraries.
• Fixed Version: R2 2024 (2024.2.424) or later.
• Configuration Check: Ensure the AsyncUpload configuration does not rely on default or hardcoded encryption keys. Rotate the EncryptionKey and SignatureKey in the web.config immediately.
• Detection Tip: Scan web file directories for Telerik.Web.UI.dll. Right-click the file > Details > File Version to confirm the build date is post-May 2026.

3. Linux Kernel (CVE-2026-1108)

• Action: Update the Linux kernel to a patched version.
• Fixed Versions:
  • Mainline: 6.7 and above
  • Stable: 6.6.18 and above
• Mitigation: Restrict CAP_NET_ADMIN capabilities. Ensure unprivileged users cannot load kernel modules or manipulate nftables rules. Verify container runtime configurations (e.g., Docker, Kubernetes) to prevent privileged: true pods where unnecessary.

Deadline: CISA BOD 22-01 requires remediation by June 17, 2026.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub