(TLP:CLEAR) Weekly Vulnerabilities to Prioritize – May 21, 2026

TLP:CLEAR

Author: Chase Snow

Created: Thursday, May 21, 2026 - 15:31

Categories: Cybersecurity, Security Preparedness

The vulnerabilities below have been identified by WaterISAC analysts as important for water and wastewater utilities to prioritize in their vulnerability management efforts. WaterISAC shares critical vulnerabilities that affect widely used products and may be under active exploitation. WaterISAC draws additional attention to vulnerabilities in alerts and advisories when they are confirmed to be impacting, or have a high likelihood of impacting, water and wastewater utilities. Members are encouraged to regularly review these vulnerabilities, many of which are included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

Cisco Secure Workload Unauthorized API Access Vulnerability
CVSS v3.1: 10.0
CVE: CVE-2026-20223
Description: A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources with the privileges of the Site Admin role. This vulnerability is due to insufficient validation and authentication when accessing REST API endpoints. An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint.
Source: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy

Microsoft Windows Buffer Overflow Vulnerability
CVSS: N/A
CVE: CVE-2008-4250
Description: The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka “Server Service Vulnerability.” CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog.
Original Source: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067

Microsoft DirectX NULL Byte Overwrite Vulnerability
CVSS: N/A
CVE: CVE-2009-1537
Description: Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted QuickTime media file, as exploited in the wild in May 2009, aka “DirectX NULL Byte Overwrite Vulnerability.” CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog.
Source: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-028

Microsoft Defender Vulnerabilities
CVSS v3.1: 4.0, 7.8
CVEs: CVE-2026-45498, CVE-2026-41091
Description: A denial-of-service vulnerability in Microsoft Defender, and an improper link resolution before file access (‘link following’) vulnerability in Microsoft Defender that allows an authorized attacker to elevate privileges locally. CISA added these vulnerabilities to its Known Exploited Vulnerabilities Catalog.
Original Sources:

  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45498
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091
