CISA Adds Two Known Exploited Vulnerabilities to Catalog (CVE-2026-42271, CVE-2026-50751)
CISA has added CVE-2026-42271 (BerriAI LiteLLM Command Injection) and CVE-2026-50751 (Check Point Security Gateway Improper Authentication) to the Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. Organizations are strongly urged to prioritize remediation of these vulnerabilities to reduce exposure to cyberattacks.
What Happened
CISA has warned that two software vulnerabilities are currently being exploited by attackers. The affected software includes BerriAI LiteLLM and Check Point Security Gateway. These flaws allow attackers to potentially take control of or bypass security on affected systems, posing a significant risk. Organizations using these products should immediately apply the latest security updates or patches provided by the vendors.
Key Takeaways
- CISA added CVE-2026-42271 (BerriAI LiteLLM Command Injection) to the Known Exploited Vulnerabilities (KEV) catalog.
- CISA added CVE-2026-50751 (Check Point Security Gateway Improper Authentication) to the KEV catalog.
- Both vulnerabilities have evidence of active exploitation in the wild.
- Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities per BOD 22-01.
Affected Systems
- BerriAI LiteLLM
- Check Point Security Gateway
Vulnerabilities (CVEs)
- CVE-2026-42271
- CVE-2026-50751
Attack Chain
The article does not provide specific details on the attack chain, but notes that malicious cyber actors are actively exploiting a command injection vulnerability in BerriAI LiteLLM (CVE-2026-42271) and an improper authentication vulnerability in Check Point Security Gateway (CVE-2026-50751).
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the article.
Detection Engineering Assessment
- EDR Visibility: Low. The article only discusses vulnerability announcements; no specific malware or endpoint execution details are provided.
- Network Visibility: Medium. Exploitation of Check Point Security Gateway and BerriAI LiteLLM may be visible in network traffic, but no specific signatures or network IOCs are provided.
- Detection Difficulty: Hard. Without specific IOCs or exploitation payloads, detection relies entirely on vulnerability scanning and vendor-provided patch status.
Required Log Sources
- Vulnerability Management Scanners
- Firewall Logs
- Application Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for anomalous authentication bypass attempts or unusual administrative access on Check Point Security Gateways. | Firewall Logs, Authentication Logs | Initial Access | Medium |
| Consider hunting for unexpected child processes or command execution originating from BerriAI LiteLLM services. | EDR Process Execution Logs | Execution | Medium |
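The two hypotheses above can be turned into concrete hunting logic. The following Python is an added example, not part of the advisory and not code from CISA, Check Point or the LiteLLM project. It assumes EDR process telemetry exported as JSON objects with `ParentCommandLine`, `Image`, `CommandLine` and `User` fields, that the LiteLLM proxy is launched with "litellm" in its command line, and that gateway administrative logins are available as JSON events with `event`, `user`, `src_ip` and `status` fields; the field names, the process name and all sample events are constructed for the example.

```python
"""Hunting logic for the two table rows above (added example, not advisory code).

Assumptions, not taken from the advisory:
  * EDR process-execution events are dicts with ParentCommandLine, Image,
    CommandLine and User (field names constructed).
  * The LiteLLM proxy runs with "litellm" somewhere in its command line.
  * Check Point administrative logins are dicts with event, user, src_ip,
    status (field names constructed).
"""
import ipaddress
import json
from typing import Iterable

# Interpreters and download tools a model-serving proxy would not normally
# spawn; python itself is excluded because worker processes are legitimate.
SUSPICIOUS_CHILD_IMAGES = {
    "sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh",
    "curl", "wget", "nc", "ncat",
}

# Constructed EDR telemetry: one line per process-creation event.
EDR_EVENTS = [json.loads(line) for line in """
{"ParentCommandLine": "python3 -m litellm --config /etc/litellm/config.yaml", "Image": "/usr/bin/sh", "CommandLine": "sh -c 'id'", "User": "litellm"}
{"ParentCommandLine": "python3 -m litellm --config /etc/litellm/config.yaml", "Image": "/usr/bin/python3", "CommandLine": "python3 -c worker", "User": "litellm"}
{"ParentCommandLine": "/usr/sbin/cron -f", "Image": "/usr/bin/sh", "CommandLine": "sh -c /etc/cron.hourly/logrotate", "User": "root"}
{"ParentCommandLine": "litellm --port 4000", "Image": "/usr/bin/curl", "CommandLine": "curl http://203.0.113.10/x", "User": "litellm"}
""".splitlines() if line.strip()]

# Constructed gateway authentication telemetry.
GATEWAY_EVENTS = [json.loads(line) for line in """
{"event": "admin_login", "user": "fwadmin", "src_ip": "10.0.5.12", "status": "success"}
{"event": "admin_login", "user": "fwadmin", "src_ip": "198.51.100.77", "status": "success"}
{"event": "admin_login", "user": "fwadmin", "src_ip": "198.51.100.77", "status": "failure"}
{"event": "vpn_login", "user": "alice", "src_ip": "198.51.100.5", "status": "success"}
""".splitlines() if line.strip()]

# Management networks from which administrative logins are expected (constructed).
ALLOWED_ADMIN_NETWORKS = ["10.0.5.0/24"]


def _basename(path: str) -> str:
    """Return the lowercase file name of an image path, Windows or POSIX."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_litellm_process(command_line: str) -> bool:
    """Heuristic: the LiteLLM proxy is identified by its command line (assumption)."""
    return "litellm" in command_line.lower()


def hunt_litellm_child_processes(events: Iterable[dict]) -> list:
    """Row 2 of the table: interpreters or download tools spawned by LiteLLM."""
    hits = []
    for ev in events:
        if not is_litellm_process(ev.get("ParentCommandLine", "")):
            continue
        child = _basename(ev.get("Image", ""))
        if child in SUSPICIOUS_CHILD_IMAGES:
            hits.append({"rule": "litellm_spawned_interpreter", "child": child,
                         "cmd": ev.get("CommandLine", ""), "user": ev.get("User")})
    return hits


def hunt_gateway_admin_access(events: Iterable[dict], allowed_networks) -> list:
    """Row 1 of the table: successful admin logins from outside management networks.

    Only successes are flagged to keep the false-positive rate low; failed
    attempts from the same sources are useful context when triaging a hit.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = []
    for ev in events:
        if ev.get("event") != "admin_login" or ev.get("status") != "success":
            continue
        src = ipaddress.ip_address(ev["src_ip"])
        if not any(src in net for net in nets):
            hits.append({"rule": "gateway_admin_login_unexpected_source",
                         "user": ev.get("user"), "src_ip": ev["src_ip"]})
    return hits


if __name__ == "__main__":
    for hit in hunt_litellm_child_processes(EDR_EVENTS):
        print(hit)
    for hit in hunt_gateway_admin_access(GATEWAY_EVENTS, ALLOWED_ADMIN_NETWORKS):
        print(hit)
```

Against the constructed events the first hunt flags the `sh -c 'id'` and `curl` children of the proxy while ignoring the Python worker and the cron-spawned shell; the second flags only the successful administrative login from 198.51.100.77. In a real deployment the parent-process heuristic and the management-network list are the two knobs to tune to the environment.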
Control Gaps
- Lack of timely patching for edge devices and AI/LLM middleware
Key Behavioral Indicators
- Unpatched BerriAI LiteLLM instances
- Unpatched Check Point Security Gateway instances
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Identify and patch all instances of BerriAI LiteLLM against CVE-2026-42271.
- Identify and patch all instances of Check Point Security Gateway against CVE-2026-50751.
Infrastructure Hardening
- Evaluate whether administrative interfaces for Check Point Security Gateways are exposed to the public internet and restrict access if possible.
- Review network segmentation around AI/LLM middleware like BerriAI LiteLLM to limit the blast radius of potential command injection.
User Protection
- N/A
Security Awareness
- Ensure vulnerability management teams are subscribed to CISA KEV updates to prioritize patching of actively exploited flaws.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application