LiteLLM has a KEV deadline today

The news: CVE-2026-42208 is a pre-authentication SQL injection in BerriAI's LiteLLM proxy. The injectable input sits in the API key check path, so a request that carries no valid key at all can reach the database holding the proxy's credentials. CISA added it to KEV on May 8 with a three-day federal deadline that lands today; a turnaround that short is rare, and a KEV entry for AI infrastructure is rarer still.

Why it matters: LiteLLM is the open-source proxy enterprises stand up to route prompts, and the provider credentials behind them, across multiple LLM providers. Sysdig recorded the first exploit attempt 26 hours after the GitHub advisory was indexed, well before most enterprises had read the changelog, let alone patched. Every credential the proxy held is a credential your AI workloads trusted, and a pre-auth path into that store means all of them have to be treated as exposed.

What to do: Find LiteLLM in your Helm charts and container registries this morning, patch to v1.83.7 or newer, then rotate every API key the proxy was holding, upstream provider keys included. Rotation is not optional: the patch closes the hole but does nothing for keys that may already have been read.
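The first step above, finding every LiteLLM image and deciding whether it is below the fixed release, is mechanical enough to script. The POSIX shell below is an added example written for this page, not code from the advisory or the LiteLLM project: it reads rendered Kubernetes YAML on stdin (the output of `helm template` or `kubectl get ... -o yaml`), pulls out every `image:` value, and classifies the LiteLLM ones as vulnerable, patched or unpinned against v1.83.7. It assumes LiteLLM images carry "litellm" in the repository path and a dotted X.Y.Z version in the tag (the `ghcr.io/berriai/litellm:main-vX.Y.Z` form is assumed); the manifest it scans by default is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the advisory or the LiteLLM project): scan rendered
# Kubernetes manifests on stdin for LiteLLM container images and classify each
# as vulnerable, patched or unpinned against the fixed release named above.
# Assumptions: image references contain "litellm" in the repository path and
# carry a dotted version in the tag (the ghcr.io/berriai/litellm:main-vX.Y.Z
# form is assumed); the sample manifest below is constructed for the demo.

FIXED_VERSION="1.83.7"   # first fixed release per the advisory summary above

# version_lt A B: succeed when dotted version A sorts before B numerically
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# image_tag REF: print the tag of an image reference, or nothing when it has
# none (a bare name, a registry:port with no tag, or a digest pin)
image_tag() {
    case $1 in
        *@sha256:*) return 0 ;;
    esac
    tag=${1##*:}
    case $tag in
        "$1" | */*) return 0 ;;   # no colon, or the colon belonged to a port
    esac
    printf '%s\n' "$tag"
}

# litellm_status REF: print "vulnerable|patched|unpinned REF" for LiteLLM
# images; non-LiteLLM images produce no output
litellm_status() {
    case $1 in
        *litellm*) ;;
        *) return 0 ;;
    esac
    tag=$(image_tag "$1")
    # pull X.Y.Z out of tags such as v1.83.7 or main-v1.83.7; anything else
    # (main-latest, a port, a digest) is an unpinned deployment to chase down
    ver=$(printf '%s\n' "$tag" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then
        printf 'unpinned %s\n' "$1"
    elif version_lt "$ver" "$FIXED_VERSION"; then
        printf 'vulnerable %s\n' "$1"
    else
        printf 'patched %s\n' "$1"
    fi
}

# scan_manifest: read YAML on stdin, extract every 'image:' value (quoted or
# not, list item or not; 'imagePullPolicy:' does not match) and report the
# LiteLLM ones
scan_manifest() {
    awk '/^[[:space:]-]*image:[[:space:]]/ { sub(/^[[:space:]-]*image:[[:space:]]*/, ""); gsub(/"/, ""); print }' |
    while IFS= read -r ref; do
        litellm_status "$ref"
    done
}

# vulnerable_count: number of LiteLLM images on stdin that still need patching
vulnerable_count() {
    scan_manifest | grep -c '^vulnerable ' || true
}

# sample_manifest: constructed input covering each classification
sample_manifest() {
    cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: litellm-proxy
spec:
  containers:
  - name: proxy
    image: ghcr.io/berriai/litellm:main-v1.83.6
  - name: cache
    image: "docker.io/library/redis:7.2"
---
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - image: ghcr.io/berriai/litellm:main-v1.83.7
          imagePullPolicy: Always
        - image: registry.example.internal:5000/ai/litellm
        - image: ghcr.io/berriai/litellm:main-latest
EOF
}

# Stand-alone run against the constructed manifest. Real usage:
#   helm template myrelease ./chart | scan_manifest
#   kubectl get pods -A -o yaml | scan_manifest
sample_manifest | scan_manifest
```

The "unpinned" bucket is the one that bites in practice: a `main-latest` tag or a digest pin tells you nothing about the running version, so those pods need `kubectl exec` or an image inspection before they can be cleared. Anything the script reports as vulnerable goes on the rotation list as well as the patch list.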

Ivanti EPMM is a zero-day again

CVE-2026-6973 is an authenticated admin RCE in Ivanti Endpoint Manager Mobile, with CISA confirming active exploitation and Ivanti acknowledging that a very limited number of customers were already hit. The exploit chain assumes admin credentials, so the real story is wherever EPMM admin passwords were reused, never rotated, or shared with a helpdesk account. Patch to 12.6.1.1, 12.7.0.1, or 12.8.0.1, force a credential rotation on every EPMM admin, check whether the admin interface is reachable from the internet at all, and audit the last 90 days of EPMM admin logins for unfamiliar source addresses, unusual hours, and accounts that should not have been logging in. An MDM compromise is a managed-device compromise: the policy server is the target, because whoever owns it owns every device it manages.

Dirty Frag is already in production exploits

Dirty Frag (CVE-2026-43284 and CVE-2026-43500) is a Linux kernel local privilege escalation in the esp4, esp6, and rxrpc paged-fragment decryption paths, and Microsoft's Security Blog flagged active post-compromise use on May 8 alongside a public exploit on GitHub. The bug is a deterministic logic flaw, no race condition required, so any unprivileged shell becomes root reliably. The affected code has been upstream since 2017 for ESP and 2023 for rxrpc, which means essentially every kernel in a production fleet carries it; the only question is whether the modules can be loaded. Patched kernels are rolling, but where IPsec ESP and rxrpc are not in use, deny the modules on hardened workloads today (a modprobe `blacklist` line only stops alias-driven autoload, so pair it with an `install <module> /bin/false` line to refuse explicit loads, and unload anything already resident) and treat any host with both loaded as a higher-risk asset until patched.
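The mitigation above has two halves: stop the modules from loading, and find the hosts where they already are. The POSIX shell below is an added example written for this page, not code from the advisory or the kernel project. It generates the modprobe deny-list for esp4, esp6 and rxrpc, rates a host from its `/proc/modules` table, and checks `modules.builtin` for the case the deny-list cannot help with (code compiled into the kernel rather than built as a module). The module names come from the advisory summary; the config path and the sample `/proc/modules` and `modules.builtin` contents are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the advisory or the kernel project): build the
# modprobe deny-list for the Dirty Frag module paths and rate a host from its
# module table. Module names come from the summary above; the config path and
# the /proc/modules and modules.builtin samples are constructed for this demo.

DIRTY_FRAG_MODULES="esp4 esp6 rxrpc"

# denylist_config: modprobe.d content. 'blacklist' only stops alias-driven
# autoload (an IPsec policy pulling in esp4, for example); the
# 'install <mod> /bin/false' line also makes an explicit 'modprobe esp4' fail.
# Neither line unloads a module that is already resident.
denylist_config() {
    printf '# Dirty Frag mitigation: refuse ESP and rxrpc kernel modules\n'
    for m in $DIRTY_FRAG_MODULES; do
        printf 'blacklist %s\n' "$m"
        printf 'install %s /bin/false\n' "$m"
    done
}

# affected_in: read module names (first field per line) on stdin and print
# the ones in the affected set
affected_in() {
    awk -v want="$DIRTY_FRAG_MODULES" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) w[a[i]] = 1 }
        ($1 in w) { print $1 }'
}

# loaded_affected: /proc/modules on stdin; its first column is the module name
loaded_affected() {
    affected_in
}

# builtin_affected: modules.builtin on stdin (lines like kernel/net/ipv4/esp4.ko);
# anything printed here is compiled in and cannot be denied with modprobe.d
builtin_affected() {
    sed -n 's#.*/\([^/]*\)\.ko$#\1#p' | affected_in
}

# host_risk: /proc/modules on stdin. "higher-risk" when an ESP module and rxrpc
# are both loaded (the two paths the exploit targets), "exposed" when either
# family is loaded, "clean" when neither is
host_risk() {
    esp=0; rx=0
    for m in $(loaded_affected); do
        case $m in
            esp4|esp6) esp=1 ;;
            rxrpc) rx=1 ;;
        esac
    done
    if [ $esp -eq 1 ] && [ $rx -eq 1 ]; then echo higher-risk
    elif [ $esp -eq 1 ] || [ $rx -eq 1 ]; then echo exposed
    else echo clean
    fi
}

# Constructed sample inputs (name size refcount deps state addr, as in /proc/modules)
SAMPLE_PROC_MODULES='esp4 32768 0 - Live 0x0000000000000000
esp6 28672 0 - Live 0x0000000000000000
rxrpc 249856 0 - Live 0x0000000000000000
xfrm_user 57344 1 - Live 0x0000000000000000
ip_tables 36864 0 - Live 0x0000000000000000'

SAMPLE_MODULES_BUILTIN='kernel/fs/ext4/ext4.ko
kernel/net/ipv4/esp4.ko
kernel/net/netfilter/x_tables.ko'

# Stand-alone run: print the config and rate the constructed sample host.
# Real usage (paths assumed):
#   denylist_config > /etc/modprobe.d/dirty-frag.conf
#   host_risk < /proc/modules
#   builtin_affected < /lib/modules/$(uname -r)/modules.builtin
denylist_config
printf '%s\n' "$SAMPLE_PROC_MODULES" | host_risk
printf '%s\n' "$SAMPLE_MODULES_BUILTIN" | builtin_affected
```

Run `host_risk` across the fleet first and patch the "higher-risk" hosts ahead of the rest. Any module that `builtin_affected` reports is a kernel-rebuild or kernel-upgrade problem, not a configuration one, and those hosts should be scheduled accordingly rather than marked mitigated.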

Watch This

The pattern across these three CVEs is not which products were hit, it is which layer got hit. Kernel, MDM and AI proxy each sit a tier above the workloads they manage, and all three are now a way into those workloads. Inventory your control planes this quarter, not just your endpoints.

This week, DoGood network members are pulling control-plane inventories: which AI proxies hold credentials, which MDM admins are not in the privileged-access vault, and which container hosts load kernel modules they do not need. If you run IT or security at a $100M+ company, that is the conversation your peers are already having.

Know a CIO who needs this? Forward it and they can subscribe here.

Enterprise IT leader at a $100M+ company? Apply to join DoGood.
