Clinical Cyber Dispatch · Free Edition · Issue date: 1 June 2026
Healthcare cyber intelligence — decision brief
Critical-Now Items
6
6 require exposure decision
Ready for remediation
5
5 with source-backed guidance; 1 needs remediation-source validation; 3 expanded; 1 validation card; 2 compact ready cards
Exploit signal
5 CISA KEV
4 also corroborated by VulnCheck; 1 VulnCheck-only item.
Last verified
1 June 2026
21:07 UTC
Retained unresolved risk remains critical; see Retained CVE Watch for closure tracking.
CISO Quick Read
Critical-Now Items
6
Decision required
Validate local exposure for all 6
Ready for remediation
5
5 of 6 have source-backed remediation; 1 needs remediation-source validation; 3 expanded; 1 validation card; 2 compact ready cards
Policy monitors
2
AI/CIRCIA monitoring only
Decision
Validate local exposure for all 6 Critical-Now items; remediate source-backed items or document exception. Open an investigation only if local telemetry shows exposure plus suspicious activity.
2 items are past due.
Critical-Now items — ready for remediation
- CVE-2026-48172LiteSpeed WHM Plugin; LiteSpeed cPanel Plugin
- CVE-2026-8398DAEMON Tools Lite for Windows
- CVE-2026-0257Palo Alto Networks PAN-OS
HRS = Healthcare Relevance Score (1–100). It reflects healthcare operational relevance using clinical exposure, exploit/KEV signal, EPSS, and source-pack confidence. Full rubric: HRS rubric.
CISO Decision Brief
- Critical-Now remediation5 of 6 Critical-Now items have source-backed remediation guidance; 1 needs remediation-source validation. Validate local exposure and prioritize remediation by internet exposure, exploit evidence, business dependency, and HRS. The 3 highest-priority items are expanded below; the remaining 3 are shown below as 2 compact cards and 1 remediation-source-validation card and repeated in the Decision Board for comparison.
- Policy monitorsAI/CIRCIA monitoring is elevated, but no binding compliance change is verified in this issue. Route to security, privacy/legal, emergency management, AI governance, and procurement for awareness, registration/input decisions, and vendor-diligence planning.
- Healthcare Incident WatchNo incident in this issue requires immediate breach-response action based on verified primary sources. Three secondary-source awareness items are shown for vendor-risk, disclosure, litigation, or settlement monitoring. Review only if a named organization, vendor, geography, service line, or patient-data relationship is in scope.
What changed since last issue
CVE scope this issue: Decision Board shows all 8 tracked CVE rows — 6 Critical-Now (6 retained from prior issues, 0 newly elevated) and 2 additional monitored rows.
- No newly elevated Critical-Now items; 6 remain open from prior issues. All 6 require exposure validation; 5 have source-backed remediation guidance and 1 needs remediation-source validation.
- Exploit-priority signal: 5 CISA KEV items; 4 also corroborated by VulnCheck; 1 VulnCheck-only item.
- Same-Day KEV Watch: 1 new or materially changed exploited-vulnerability signal requires change review and exposure decision.
- 7 healthcare incident/disclosure candidates reviewed; no verified-material action items. 3 secondary-source awareness cards are shown; 4 additional secondary-awareness items remain tracked but not displayed.
- HSCC AI cybersecurity guidance entered AI Watch as an elevated nonbinding sector guidance monitor for vendor-risk, supply-chain transparency, model auditability, and AI governance readiness.
- State AI law: Connecticut SB 5 / Public Act No. 26-15 entered State / International Watch as a newly tracked state AI law monitor. Treat as state-law awareness for HR, vendor-risk, privacy, procurement, and AI governance; not a federal healthcare compliance change.
How to use Critical-Now Items
Use this sequence before assigning escalation work:
- Validate and remediate for each ready-for-remediation item.
- Investigate only if local telemetry indicates exploitation.
- Start HIPAA breach risk assessment only with evidence of unauthorized PHI/ePHI access, use, or disclosure.
Critical-Now Items
6 Critical-Now items this week. 5 of 6 have source-backed remediation guidance; 1 needs remediation-source validation. Validate local exposure, then remediate or document an exception. The 3 highest-priority items are expanded below; the remaining 3 are shown below as 2 compact cards and 1 remediation-source-validation card and repeated in the Decision Board for comparison.
Ready for remediation
Ready for remediation means the newsletter has source-backed vendor action specific enough to open a remediation ticket.
Free content: priority, HRS, deadline, action, and source references. HRS uses the Healthcare Relevance Score rubric. HRS rubric.
CVE-2026-48172 — LiteSpeed WHM Plugin; LiteSpeed cPanel Plugin: security vulnerability
Required remediation
Update LiteSpeed deployments to cPanel user-end plugin 2.4.7 or later. The exploited issue is in the LiteSpeed user-end cPanel plugin; the WHM plugin update bundles the fixed cPanel plugin. Review cPanel logs for redisAble cPanel JSON API indicators, validate IPs, examine system logs, and remove the user-end plugin if immediate update is not possible. If immediate patching is not possible, document exception, compensating controls, owner, and target remediation date.
Local validation
Local validation: confirm whether LiteSpeed User-End cPanel Plugin before 2.4.5 is installed in cPanel/WHM hosting environments. Verify update target: cPanel user-end plugin 2.4.7 or later. Review cPanel logs for redisAble cPanel JSON API indicators, validate detected IPs, examine system logs, and map whether hosted sites support patient-facing, physician-practice, portal-handoff, or vendor-managed workflows.
Why healthcare should care
Where it shows up: shared hosting, cPanel/WHM administration, public web properties, physician-practice sites, campaign pages, and vendor-managed healthcare web estates. What could happen: A compromised cPanel user-end plugin can enable privilege escalation on the hosting server; healthcare impact depends on which hosted sites, forms, and workflows are actually present. Local check: check LiteSpeed cPanel/WHM plugin versions, review redisAble cPanel JSON API indicators, validate detected IPs, and map hosted workflows before privacy escalation.
Remediation status
Ready for remediation: source-backed guidance is specific enough to open a remediation ticket.
Item-specific privacy note
Potential public-site, admin, or portal risk only if the affected environment is deployed in that workflow. Review patient, billing, appointment, portal, or form data only if the affected site processes that data.
View sources and technical details
Last verified: 2026-06-01 17:07 ET
Source checked: 1 June 2026 13:55 ET (1 June 2026 17:55 UTC)
Freshness: current
Evidence note: Prioritized because CISA KEV, VulnCheck KEV, vendor source affected a deployed healthcare-relevant technology category.
Fixed releases
- cPanel user-end plugin 2.4.7 or later
CVE-2026-8398 — DAEMON Tools Lite for Windows: security vulnerability
Required remediation
Remove DAEMON Tools Lite Windows builds 12.5.0.2421 through 12.5.0.2434. If immediate patching is not possible, document exception, compensating controls, owner, and target remediation date.
Local validation
Local validation: confirm whether DAEMON Tools Lite for Windows is installed on managed workstations, admin endpoints, imaging/support workstations, or software-distribution paths. Review endpoint telemetry, installer source, persistence, and outbound activity before closure.
Why healthcare should care
Where it shows up: managed workstations, admin endpoints, CI/CD and software distribution paths, patient-facing application builds, imaging/support workstations, and vendor-maintained desktops. What could happen: A malicious dependency or signed installer can abuse trust in legitimate software, steal credentials, alter builds, install persistence, or create a foothold on systems that laterally reach clinical, patient-access, or administrative networks. Local check: confirm affected version/build range, install or dependency source, build pipeline exposure, endpoint artifacts, EDR alerts, persistence, and whether the asset has privileged or clinical-network access.
Remediation status
Ready for remediation: source-backed guidance is specific enough to open a remediation ticket.
View sources and technical details
Last verified: 2026-06-01 17:07 ET
Source checked: 1 June 2026 13:55 ET (1 June 2026 17:55 UTC)
Freshness: current
Evidence note: Prioritized because CISA KEV, VulnCheck KEV, vendor source affected a deployed healthcare-relevant technology category.
CVE-2026-0257 — Palo Alto Networks PAN-OS: security vulnerability
Required remediation
Validate GlobalProtect portal/gateway exposure and Authentication Override cookie configuration. Upgrade affected Palo Alto Networks PAN-OS to the source-listed fixed release for the matching branch: PAN-OS 12.1: >=12.1.4-h6, >=12.1.7; PAN-OS 11.2: >=11.2.4-h17, >=11.2.7-h14, >=11.2.10-h7, >=11.2.12; PAN-OS 11.1: >=11.1.4-h33, >=11.1.6-h32, >=11.1.7-h6, >=11.1.10-h25, >=11.1.13-h5, >=11.1.15; plus 3 more affected branches — see the full fixed-release table in the Source Pack and the vendor advisory. If you cannot patch immediately, apply the source-listed mitigation: use a dedicated certificate for Authentication Override cookies, or disable Authentication Override options where appropriate. Document exception and compensating controls if remediation is delayed.
Local validation
Local validation: confirm exposed GlobalProtect portal/gateway, deployed PAN-OS or Prisma Access branch, Authentication Override cookie configuration, dedicated certificate use, internet reachability, identity integration, and downstream access scope.
Why healthcare should care
Where it shows up: remote workforce VPN, vendor access, remote clinics, telehealth administration, privileged administration, perimeter ingress, and identity-adjacent access paths. What could happen: Unauthorized VPN or perimeter access can become an access-control bypass or foothold toward clinical, operational, or PHI/ePHI-bearing systems only if local evidence confirms routing and privileges make that path reachable. Local check: confirm GlobalProtect portal/gateway exposure, Authentication Override cookie settings, dedicated certificate use, internet reachability, identity integration, and downstream access scope.
Remediation status
Ready for remediation: source-backed guidance is specific enough to open a remediation ticket.
View sources and technical details
Last verified: 2026-06-01 17:07 ET
Source checked: 1 June 2026 13:55 ET (1 June 2026 17:55 UTC)
Freshness: current
Evidence note: Prioritized because CISA KEV, vendor source affected a deployed healthcare-relevant technology category.
Fixed releases
- PAN-OS 12.1: >=12.1.4-h6, >=12.1.7
- PAN-OS 11.2: >=11.2.4-h17, >=11.2.7-h14, >=11.2.10-h7, >=11.2.12
- PAN-OS 11.1: >=11.1.4-h33, >=11.1.6-h32, >=11.1.7-h6, >=11.1.10-h25, >=11.1.13-h5, >=11.1.15
- PAN-OS 10.2: >=10.2.7-h34, >=10.2.10-h36, >=10.2.13-h21, >=10.2.16-h7, >=10.2.18-h6, >=10.2.18
- Prisma Access 11.2: >=11.2.7-h13
- Prisma Access 10.2: >=10.2.10-h36
Additional Critical-Now items
One needs remediation-source validation; two are ready for remediation. The validation card shows what evidence is missing before a remediation ticket can be opened. The ready compact cards include source-backed remediation guidance. All three are repeated in the Decision Board for comparison.
Needs remediation-source validation means the item is important, but the newsletter has not verified a vendor/source-backed fix, mitigation, removal path, or affected-version mapping specific enough to open a remediation ticket.
Needs remediation-source validation
CVE-2026-48027 — Nx Console: needs remediation-source validation
Remediation status: Source-backed remediation is not yet specific enough for a ticket.
Why still Critical-Now: CISA KEV exploitation/source signal with healthcare-relevant exposure keeps it Critical-Now until remediation is verified.
Local validation: confirm whether Nx Console is present locally, identify deployed version and exposure surface, assign the business owner, and determine whether local evidence indicates the system supports patient-facing, operational, administrative, or PHI/ePHI-bearing workflows.
Reason (evidence missing): remediation text is generic; affected version family not verified; vendor fixed version, mitigation, or isolation path not verified
What would promote it: vendor/source-backed fixed version, mitigation, removal path, decommission/isolation path, or affected-version mapping specific enough to route a remediation ticket.
Deadline/source deadline: Due 2026-06-10
Source Pack: NVD / CISA KEV / Vendor advisory / VulnCheck KEV / EPSS
Next step: validate product presence and obtain the vendor fix, mitigation, removal path, or decommission/isolation path before emergency change.
CRITICAL-NOW CVE-2026-45321 — @tanstack/* npm packages: security vulnerability. Ready for remediation. HRS 80 High Due 2026-06-10 Remove the malicious @tanstack/* package versions (1.169.5, 1.169.8), pin to the clean release (1.169.9), rebuild from a clean lockfile, and rotate exposed npm/CI tokens. Source Pack: NVD / CISA KEV / Vendor advisory / VulnCheck KEV / EPSS
Required remediation: Remove the malicious @tanstack/* package versions (1.169.5, 1.169.8), pin to the clean release (1.169.9), rebuild from a clean lockfile, and rotate exposed npm/CI tokens.
Local validation: scan lockfiles (package-lock.json / yarn.lock / pnpm-lock.yaml), SBOMs, artifact manifests, and CI/build caches across repositories, build runners, and developer workstations for @tanstack/* packages; confirm whether any malicious version was installed during the compromise window before closing.
Exploit signal: None.
Remediation status: Ready for remediation — source-backed guidance is specific enough to open a remediation ticket.
Sources: Source Pack: NVD / CISA KEV / Vendor advisory / VulnCheck KEV / EPSS
CRITICAL-NOW CVE-2026-8732 — WP Maps Pro: security vulnerability. Ready for remediation. HRS 65 Moderate Due 2026-06-08 Update WP Maps Pro to version 6.1.1 or later from the trusted vendor/licensed update channel. Source Pack: NVD / Vendor advisory / VulnCheck KEV / EPSS / VulnCheck exploitation catalog
Required remediation: Update WP Maps Pro to version 6.1.1 or later from the trusted vendor/licensed update channel.
Local validation: confirm whether WP Maps Pro version 6.1.0 or earlier is installed. Prioritize public-facing, patient-facing, marketing, appointment, location-directory, portal-handoff, or form-bearing sites. Review administrator accounts, temporary-access activity, recent plugin/theme changes, unexpected files, and web logs before closure.
Exploit signal: None.
Remediation status: Ready for remediation — source-backed guidance is specific enough to open a remediation ticket.
Sources: Source Pack: NVD / Vendor advisory / VulnCheck KEV / EPSS / VulnCheck exploitation catalog
Retained CVE Watch — 5 prior open items (5 critical/KEV) retained from prior issues and outside this week's Critical-Now Items.
Retention policy: CISA KEV, VulnCheck KEV, active-exploitation, and operational CRITICAL-priority items remain for 30 days unless resolved; HIGH items retain for 14 days; MEDIUM watch items retain for 7 days.
CVE-2026-6973 — Ivanti Endpoint Manager Mobile (EPMM)
Why retained: CISA KEV / critical-exploitation retention window (30 days)
Current action: Confirm whether this prior open item is resolved, accepted by exception, or still present.
Patch status: Fixed-release or mitigation path documented in CISA/Cisco source.
Source deadline: 2026-05-10. Age-out date: 2026-06-06 (5 days remaining).
KEV status: CISA KEV — federal mandate, patch by 2026-05-10.
CVE-2026-0300 — Palo Alto PAN-OS
Why retained: CISA KEV / critical-exploitation retention window (30 days)
Current action: Restrict the User-ID Authentication Portal to trusted zones and trusted IPs, monitor Threat ID 510019 where supported, and apply the branch-specific fixed PAN-OS release
Patch status: Fixed releases are available for several PAN-OS branches per Palo Alto Networks advisory (for example 12.1.4-h5, 11.2.7-h13, 11.2.10-h6, 11.1.4-h33, 11.1.6-h32, 11.1.10-h25, 11.1.13-h5, 10.2.10-h36, and 10.2.18-h6); some branch fixes remain ETA-based. Compensating control: restrict User-ID Authentication Portal access immediately.
Source deadline: Immediate. Age-out date: 2026-06-07 (6 days remaining).
KEV status: CISA KEV — federal mandate, patch by 2026-05-09.
CVE-2026-42208 — LiteLLM
Why retained: CISA KEV / critical-exploitation retention window (30 days)
Current action: Upgrade LiteLLM to 1.83.10 or 1.83.7 as applicable, review Postgres exposure, and rotate OpenAI, Anthropic, and Azure OpenAI keys if exposed
Patch status: Fixed release available — v1.83.10-stable.
Source deadline: Immediate. Age-out date: 2026-06-07 (6 days remaining).
KEV status: CISA KEV — federal mandate, patch by 2026-05-11.
CVE-2026-6692 — Slider Revolution / WordPress ecosystem
Why retained: VulnCheck KEV retention window (30 days)
Current action: Confirm whether this prior open item is resolved, accepted by exception, or still present.
Patch status: Fixed release available; confirm the exact version from the vendor source before closure.
Source deadline: Immediate. Age-out date: 2026-06-07 (6 days remaining).
KEV status: VulnCheck KEV.
CVE-2026-20182 — Cisco Catalyst SD-WAN
Why retained: CISA KEV / critical-exploitation retention window (30 days)
Current action: Review CISA Emergency Directive 26-03 and Cisco SD-WAN guidance, verify affected controllers/managers, apply the Cisco fixed release for the deployed train (20.9.9.1, 20.12.5.4, 20.12.6.2, 20.12.7.1, 20.15.4.4, 20.15.5.2, 20.15.506, 20.18.2.2), and document mitigation or exception status
Patch status: Fixed-release or mitigation guidance is documented in the CISA/Cisco source; verify the affected train and apply the Cisco fixed release (20.9.9.1, 20.12.5.4, 20.12.6.2, 20.12.7.1, 20.15.4.4, 20.15.5.2, 20.15.506, 20.18.2.2) or required mitigation.
Source deadline: 2026-05-17. Age-out date: 2026-06-13 (12 days remaining).
KEV status: CISA KEV — federal mandate, patch by 2026-05-17.
Same-Day KEV Watch
New or materially changed exploited-vulnerability signals since the last run. If an item is already in Critical-Now, use this watch for change context and the main card for remediation detail.
- CVE-2026-0257 — Palo Alto Networks PAN-OS. Change: cisa kev due today. CISA added: 2026-05-29. Source deadline: 2026-06-01. Why healthcare cares: Remote access / perimeter exposure may support workforce, vendor, remote clinic, telehealth administration, privileged administration, or access to clinical/business systems. Decision: Already in Critical-Now; validate GlobalProtect exposure, use the main remediation card for branch-specific vendor remediation/mitigation, and document exception status if delayed. Source-backed action: Validate GlobalProtect portal/gateway exposure and authentication override cookie configuration.
Landscape Watch
Sector read
7 healthcare incident/disclosure candidates reviewed; no verified-material action items. 3 secondary-source awareness cards are shown; 4 additional secondary-awareness items remain tracked but not displayed. Vendor advisory watch: no reader action this week.
Named actor and tooling watch
Actor/tooling items are shown here as bounded Landscape Watch context. They become current healthcare alerts only when this window includes an HPH-sector source, healthcare victim, or healthcare-specific campaign evidence.
Background SOC context
These items are retained as low-prominence SOC context. They are not current healthcare alerts unless this window includes healthcare victim, HPH-sector, or campaign-specific evidence.
- Cobalt Strike — background SOC context. Generic IOC activity observed; no current healthcare-specific campaign verified. Evidence sources: AlienVault OTX threat pulses, ThreatFox IOC feed (Abuse.ch).
- Lazarus Group — background SOC context. Historical HPH relevance retained; current generic IOC mentions only. Evidence sources: AlienVault OTX threat pulses.
Medical device / OT watch: No material healthcare OT/ICS or medical-device signal crossed the action threshold this week.
Healthcare Incident Watch — no verified material action items
7 healthcare incident/disclosure candidates reviewed; no verified-material action items. 3 secondary-source awareness cards are shown; 4 additional secondary-awareness items remain tracked but not displayed.
Source quality: official/regulator notices outrank secondary reporting. Methodology. Visible awareness items are concentrated in HIPAA Journal this week because no verified primary-source incident item cleared the display threshold. And other monitored feeds did not return stronger official incident evidence.
Recent incident/disclosure window
27 May 2026 · HIPAA Journal
Connecticut Medicaid Portal Breach Affects 22,500 Hartford HealthCare Patients
Editorial summary: secondary-source awareness item selected for disclosure-pattern monitoring; do not treat it as a verified material action item without local scope or primary-source confirmation.
Currentness: source 27 May 2026; recent incident/disclosure window.
Source quality: Secondary-source awareness; official notice not verified.
Why selected: Selected because it is current healthcare-sector cyber awareness with privacy, vendor-risk, settlement, disclosure, or social-engineering relevance.
Reader relevance: Awareness item only. Review if your organization, vendor, region, service line, or patient-data relationship is in scope; do not initiate breach response from secondary reporting alone.
Recent incident/disclosure window
27 May 2026 · HIPAA Journal
Extortion Group Conducts Social Engineering Campaign Impersonating IT Support Staff
Editorial summary: secondary-source awareness item selected for disclosure-pattern monitoring; do not treat it as a verified material action item without local scope or primary-source confirmation.
Currentness: source 27 May 2026; recent incident/disclosure window.
Source quality: Secondary-source awareness; official notice not verified.
Why selected: Selected because it is current healthcare-sector cyber awareness with privacy, vendor-risk, settlement, disclosure, or social-engineering relevance.
Reader relevance: Awareness item only. Review if your organization, vendor, region, service line, or patient-data relationship is in scope; do not initiate breach response from secondary reporting alone.
Recent incident/disclosure window
26 May 2026 · HIPAA Journal
OCR Reports to Congress on HIPAA Compliance and Data Breaches in 2024
Editorial summary: secondary-source awareness item selected for disclosure-pattern monitoring; do not treat it as a verified material action item without local scope or primary-source confirmation.
Currentness: source 26 May 2026; recent incident/disclosure window.
Source quality: Secondary-source awareness; official notice not verified.
Why selected: Selected because it is current healthcare-sector cyber awareness with privacy, vendor-risk, settlement, disclosure, or social-engineering relevance.
Reader relevance: Awareness item only. Review if your organization, vendor, region, service line, or patient-data relationship is in scope; do not initiate breach response from secondary reporting alone.
4 additional secondary-awareness items remain tracked but not displayed unless local scope is confirmed.
Sector Readiness / Industry Guidance Watch
Non-binding healthcare-sector guidance and readiness events are shown here when current or future-dated source material changes planning, participation, or sector-awareness decisions.
Operation Vital Signs
Organizer: HSCC
Event date(s): July 21-22, 2026
Status: Consider participation / readiness planning
Reader action: Route to security, incident response, emergency management, privacy/legal, and clinical operations leaders if tabletop participation or lessons learned apply.
Regulatory & Privacy
What we are watching
1 regulatory/privacy monitoring item elevated this window; no new binding rule was verified.
Standing watch: CIRCIA final rule timing, HIPAA Security Rule modernization, Health Care Cybersecurity and Resiliency Act movement, OCR settlement patterns, FDA medical-device cybersecurity, HHS HC3 sector alerts, CISA KEV healthcare exposure, and federal AI policy that changes healthcare vendor diligence.
This week: Review the monitor item below and route participation/readiness review to security, privacy, legal, and emergency-management owners. Last checked: 1 June 2026 17:53 UTC.
CIRCIA stakeholder update — monitor / consider participation
Status: Monitor / consider participation
What changed: CISA announced a revised CIRCIA stakeholder-engagement schedule. This is not a new binding reporting obligation.
Why healthcare cares: The update affects covered critical infrastructure incident-reporting scope and burden. Healthcare security, privacy, legal, and emergency-management leaders should monitor scope, burden, incident-reporting readiness, and ransomware-payment governance.
Reader action: Monitor the schedule and consider participation where Healthcare and Public Health Sector scope, incident-reporting burden, or reporting-readiness ownership is in scope.
Topic: CIRCIA
Status: Revised stakeholder schedule announced
Why we watch: Mandatory 72-hour cyber incident reporting and 24-hour ransomware payment reporting for covered healthcare...
This week’s action: Review the schedule; consider registering or submitting input if incident-reporting scope, ransomware-payment reporting, reporting burden, or HPH-sector impact affects your organization.
Standing watchlist (remaining reference items) · 10 items
No other standing item changed a deadline, owner, privacy posture, or security action this week.
Collapsed groups: 7 federal actions; 3 state or international items.
Standing-watch methodology and canonical source list: /methodology/.
Federal watch items
- HIPAA Security Rule update (NPRM 2024) — NPRM published Federal Register 2025-01-06. Final rule timeline not yet announced. Adds explicit MFA, encryption, and incident response controls. Why we watch: First substantive HIPAA Security Rule update in over a decade — closes longstanding gaps around MFA, vulnerability management, and incident-response evidence workflows. Forecast: If finalized substantially as proposed, expect heavier documentation, MFA, encryption, segmentation, testing, and incident-response evidence requirements. HHS OCR HIPAA Security Rule NPRM fact sheet: “Require the use of multi-factor authentication, with limited exceptions.” (Monitor; no action this week.) Source
- Health Care Cybersecurity and Resiliency Act of 2025 — Reported / not final. Senate companion under HELP Committee review. Provides authorities for HHS-CISA coordination and minimum cyber standards for healthcare entities. Why we watch: Would codify mandatory minimum cybersecurity standards for healthcare and authorize HHS-CISA cyber incident coordination — the closest thing to a sector-wide cyber baseline currently moving. Forecast: If the bill advances, anticipate procurement and governance pressure around baseline controls rather than an immediate compliance deadline. (Monitor; no action this week.) Source
- OCR HIPAA enforcement and incident-reporting activity — Routine OCR enforcement and reporting updates monitored. Watch for resolution agreements citing security-rule failures (risk analysis, MFA, log retention). Why we watch: OCR settlements reveal which control failures are actively being penalized — direct input into your control-prioritization roadmap. Forecast: Expect OCR enforcement patterns to keep rewarding demonstrable risk analysis, risk management, and evidence of security-rule follow-through. (Monitor; no action this week.) Source
- FDA medical-device cybersecurity guidance & safety communications — FDA pre-market cybersecurity guidance (2023) in effect. Watch for SaMD AI/ML cyber guidance and post-market vulnerability advisories. Why we watch: Vendor must demonstrate cybersecurity in pre-market submission. Post-market FDA safety communications can drive emergency clinical-engineering action. Forecast: Expect continued vendor-evidence pressure for device cybersecurity, especially patchability, post-market monitoring, and coordinated vulnerability disclosure. (Monitor; no action this week.) Source
- HHS HC3 / sector cyber alerts — Routine sector alerts and threat briefs monitored. Higher-frequency advisories during active campaign periods. Why we watch: HC3 issues healthcare-specific TTP intel (ransomware groups targeting clinics, telehealth-specific threats) often days ahead of industry coverage. Forecast: Expect this to remain a weekly threat-intel input, with higher action value when HC3 names a campaign, sector target, or mitigation. (Monitor; no action this week.) Source
- CISA KEV additions affecting healthcare-deployed software — Tracked daily. Healthcare-relevant additions surface in CVE Decision Board with operational priority Critical. Why we watch: CISA KEV addition = federal mandate (BOD 22-01 timelines) for FCEB agencies and a strong signal for healthcare. Immediate-action trigger. Forecast: Expect KEV additions to remain the strongest public signal for urgent patch governance and exception review in healthcare environments. (Monitor; no action this week.) Source
- White House / OMB / NIST / CAISI AI policy affecting healthcare — Active. Federal AI policy posture is shifting; watch for AI executive orders, NIST AI RMF updates, and CAISI evaluation guidance affecting healthcare AI deployments. Why we watch: Federal AI governance defines what evaluations, evidence, and assurances healthcare AI vendors must produce — direct procurement and validation impact. Forecast: Expect AI governance to translate into vendor-diligence questions before it becomes a single healthcare-specific compliance checklist. (Monitor; no action this week.) Source
State / international watch items
- Washington My Health My Data Act — State health-data privacy law in force. Watch for enforcement activity and vendor-contract implications involving non-HIPAA consumer health data. Why we watch: Healthcare-adjacent apps, digital front doors, marketing pixels, and wellness programs can create state-law privacy exposure even when HIPAA does not apply. Forecast: Expect continued state attention on consumer health data, especially web tracking, apps, and non-HIPAA wellness workflows. (Monitor; no action this week.) Source
- California CPPA / CCPA health-data privacy enforcement — State privacy enforcement monitored for health-data, tracking-technology, and vendor-processing implications. Why we watch: Large health systems with California patients or web properties need a view of privacy notices, tracking tech, and service-provider obligations outside HIPAA. Forecast: Expect California privacy enforcement to keep shaping tracking-technology reviews and service-provider contract evidence. (Monitor; no action this week.) Source
- EU AI Act / NIS2 healthcare supplier exposure — International regulatory posture monitored for multinational health systems and suppliers serving EU-regulated healthcare environments. Why we watch: EU AI and cyber-resilience obligations can affect vendor due diligence, clinical AI assurance, and supplier security evidence for global healthcare organizations. Forecast: Expect multinational suppliers to package EU AI and cyber evidence into healthcare procurement responses over the next planning cycle. (Monitor; no action this week.) Source
Official regulatory source update detected this window.
Last verified: 1 June 2026 17:53 UTC
AI & Clinical Automation Watch
Editorial read
No new AI-infrastructure CVE crossed the action threshold this window. Retained AI-infrastructure watch item: CVE-2026-42208 (LiteLLM).
This week: Keep retained AI gateway items visible until closure: verify fixed versions, validate exposure, and rotate provider keys if compromise cannot be ruled out.
AI Watch shows elevated decision-relevant items only. Additional AI policy, acquisition, and governance signals remain under internal monitoring unless they cross the public-action threshold.
No new AI-infrastructure CVE crossed the action threshold. Possible federal AI/cybersecurity executive-order activity is elevated this week due to reported federal activity and HHS AI oversight reporting.
1. AI Policy & Model Governance Elevated monitor
HSCC AI cybersecurity guidance — elevated sector monitor
Elevated monitorWhy healthcare cares: HSCC guidance is nonbinding but likely to influence healthcare vendor-risk reviews, AI governance expectations, supply-chain transparency, model auditability, and customer security questionnaires. Treat as a readiness signal, not a legal compliance change.
Recommended action: Review AI-enabled third-party inventory, vendor disclosures, data lineage, embedded dependencies, model auditability, post-deployment monitoring, and contract/security review evidence.
Confidence: High — official HSCC source
Connecticut AI law — elevated state monitor
Elevated monitorWhy healthcare cares: Connecticut enacted SB 5 / Public Act No. 26-15, creating state AI governance structures and requirements affecting AI systems, AI companions, automated employment-related decision tools, and related notices. Healthcare relevance: monitor for HR, workforce, vendor-risk, procurement, privacy, and AI governance implications if operating, hiring, or deploying AI tools in Connecticut. Treat as state-law monitoring, not a federal healthcare compliance change. Effective dates tracked: 2026-10-01.
Recommended action: Route to HR, legal/compliance, privacy, procurement, vendor risk, and AI governance; do not treat as a federal healthcare compliance obligation.
Confidence: High — official Connecticut General Assembly source
Potential AI/cybersecurity executive order monitor — elevated
Elevated monitorWhy healthcare cares: No signed binding action verified this week, but current reporting indicates a planned or postponed AI/cybersecurity action. Healthcare relevance: monitor future model-assurance, vendor-diligence, and critical-infrastructure cybersecurity expectations.
Recommended action: Treat as elevated monitoring, not a binding compliance change, unless an official White House, OMB, NIST/CAISI, HHS, FDA, or OCR source creates a binding obligation.
Confidence: Medium — reporting plus official negative checks
Source status: monitoring signal; do not treat as binding compliance action. — 2026-06-01
HHS AI oversight monitor
Elevated monitorWhy healthcare cares: HHS is expanding AI review of audits from states and federal grant recipients. Privacy/compliance relevance: monitor governance, accuracy, appeal safeguards, audit documentation, and funding-risk implications.
Recommended action: Route to privacy, compliance, and audit leadership for monitoring; do not initiate HIPAA/OCR notification workflows from this policy signal alone absent local evidence.
Confidence: Medium — agency/reporting source
AI Infrastructure Watch No change
CVE-2026-42208 — LiteLLM: retained KEV AI gateway watch
Retained watchWhy healthcare cares: LiteLLM is an AI gateway/proxy pattern that can hold provider keys, prompts, query history, or patient-context workflow data in healthcare deployments. It remains on the retained CVE watch and ages out in 6 days unless resolved.
Recommended action: Keep the item visible until closed: verify patched LiteLLM versions, review Postgres query logs and LiteLLM application logs, and rotate OpenAI, Anthropic, and Azure OpenAI provider keys if exposure cannot be ruled out.
Confidence: High — retained CISA KEV / prior issue state
Source ↗ — 2026-06-01
Trending tactics: attackers continue to favor internet-reachable control planes, API gateways, and automation middleware because those systems often hold tokens, route requests, and bridge multiple clinical or administrative workflows. Treat AI gateways like identity-adjacent infrastructure: log access, narrow network reachability, and review prompt or key exposure before rotating credentials.
AI Action This Week
- Patch any AI gateway / inference component listed in AI Infrastructure Watch, including CVE-2026-42208.
- Forward any items in AI Policy & Model Governance to CIO/CMIO and procurement; refresh AI vendor diligence questions accordingly.
- If AI gateways may handle PHI, confirm BAA review, PHI-redaction, audit logging, and human-in-the-loop controls.
LiteLLM CVE-2026-42208 remediation reference: upgrade from 1.83.7 to 1.83.10-stable; review Postgres database log, query log, query history, and credentials table access; rotate OpenAI, Anthropic, and Azure OpenAI provider keys.
CVE Decision Board — compare action items and monitored CVEs
Operational priority, CVE, product, severity, likelihood, and deadline are shown.
| Priority: CRITICAL-NOW | CVE: CVE-2026-48027 | Product: Nx Console | CVSS: 9.8 Critical | EPSS: 96% Very high | HRS: 80 High | Exploit Intel: CISA KEV Confidence: High | Deadline: Due 2026-06-10 |
Retention: Critical-Now / exposure review (needs remediation-source validation). Retained from prior issue. First-elevated date unavailable. First seen: 2026-06-01. Age-out: 2026-07-01 (30 days remaining) unless resolved or source status changes. Retention reason: CISA KEV source status retained for 30 days or until resolved. Source deadline: 2026-06-10. Material change: none. Why healthcare-relevantCategory: Exploited enterprise platform Basis: This item is retained because confirmed exploitation changes remediation priority even when healthcare-specific targeting is not proven. Where it shows up: the affected platform may be ordinary IT, patient-facing web, vendor-managed infrastructure, identity, or care-supporting systems depending on local deployment. What could happen: Confirmed exploitation drives urgency, but healthcare impact depends on whether the product is exposed, privileged, or connected to patient-access or clinical workflows. Local check: validate product presence, affected version, internet reachability, privilege level, and business owner before escalating to privacy or clinical operations. Healthcare concern: The healthcare question is where the exploited platform sits: identity path, patient-facing web path, vendor-managed service, clinical support system, or ordinary back-office asset. The answer changes urgency and escalation. Local validation: confirm whether Nx Console is present locally, identify deployed version and exposure surface, assign the business owner, and determine whether local evidence indicates the system supports patient-facing, operational, administrative, or PHI/ePHI-bearing workflows. Remediation: Vendor/source-backed remediation was not verified. Validate product presence and obtain the vendor fix, mitigation, or removal path before emergency change. | |||||||
| Priority: CRITICAL-NOW | CVE: CVE-2026-8398 | Product: DAEMON Tools Lite for Windows | CVSS: 9.8 Critical | EPSS: 0% Low | HRS: 92 Critical | Exploit Intel: CISA KEV Confidence: High | Deadline: Past due 2 days (deadline 2026-05-30) |
Retention: Critical-Now / ready for remediation. Retained from prior issue. First-elevated date unavailable. First seen: 2026-06-01. Age-out: 2026-07-01 (30 days remaining) unless resolved or source status changes. Retention reason: CISA KEV source status retained for 30 days or until resolved. Source deadline: 2026-05-30. Material change: none. Why healthcare-relevantCategory: Endpoint software supply-chain risk Basis: DAEMON Tools Lite for Windows is a software-supply-chain item, not a generic patient-facing web/plugin finding. Public source facts indicate package, installer, dependency, build, or signed-binary trust concerns. Where it shows up: managed workstations, admin endpoints, CI/CD and software distribution paths, patient-facing application builds, imaging/support workstations, and vendor-maintained desktops. What could happen: A malicious dependency or signed installer can abuse trust in legitimate software, steal credentials, alter builds, install persistence, or create a foothold on systems that laterally reach clinical, patient-access, or administrative networks. Local check: confirm affected version/build range, install or dependency source, build pipeline exposure, endpoint artifacts, EDR alerts, persistence, and whether the asset has privileged or clinical-network access. Healthcare concern: In healthcare, the realistic concern is trusted software distribution: affected dependencies or installers can reach admin endpoints, CI/CD systems, patient-facing applications, imaging/support workstations, or vendor-maintained desktops and create credential-theft, persistence, or lateral-movement opportunities. Local validation: confirm whether DAEMON Tools Lite for Windows is installed on managed workstations, admin endpoints, imaging/support workstations, or software-distribution paths. Review endpoint telemetry, installer source, persistence, and outbound activity before closure. Remediation: Remove DAEMON Tools Lite Windows builds 12.5.0.2421 through 12.5.0.2434. | |||||||
| Priority: CRITICAL-NOW | CVE: CVE-2026-48172 | Product: LiteSpeed WHM Plugin; LiteSpeed cPanel Plugin | CVSS: 9.8 Critical | EPSS: 0% Low | HRS: 80 High | Exploit Intel: CISA KEV Confidence: High | Deadline: Past due 3 days (deadline 2026-05-29) |
Retention: Critical-Now / ready for remediation. Retained from prior issue. First-elevated date unavailable. First seen: 2026-06-01. Age-out: 2026-07-01 (30 days remaining) unless resolved or source status changes. Retention reason: CISA KEV source status retained for 30 days or until resolved. Source deadline: 2026-05-29. Material change: none. Why healthcare-relevantCategory: Hosting control-plane risk Basis: LiteSpeed WHM Plugin; LiteSpeed cPanel Plugin is a hosting control-plane dependency; the exploited issue is in the LiteSpeed user-end cPanel plugin. Where it shows up: shared hosting, cPanel/WHM administration, public web properties, physician-practice sites, campaign pages, and vendor-managed healthcare web estates. What could happen: A compromised cPanel user-end plugin can enable privilege escalation on the hosting server; healthcare impact depends on which hosted sites, forms, and workflows are actually present. Local check: check LiteSpeed cPanel/WHM plugin versions, review redisAble cPanel JSON API indicators, validate detected IPs, and map hosted workflows before privacy escalation. Healthcare concern: Healthcare relevance depends on whether cPanel/WHM hosting supports hospital, physician-practice, campaign, appointment, billing, referral, portal-handoff, or vendor-managed sites. Local validation: confirm whether LiteSpeed User-End cPanel Plugin before 2.4.5 is installed in cPanel/WHM hosting environments. Verify update target: cPanel user-end plugin 2.4.7 or later. Review cPanel logs for redisAble cPanel JSON API indicators, validate detected IPs, examine system logs, and map whether hosted sites support patient-facing, physician-practice, portal-handoff, or vendor-managed workflows. Remediation: Apply vendor-supported fixed release(s): cPanel user-end plugin 2.4.7 or later. Validate local exposure, then document exceptions and compensating controls if remediation is delayed. | |||||||
| Priority: CRITICAL-NOW | CVE: CVE-2026-45321 | Product: @tanstack/* npm packages | CVSS: 9.6 Critical | EPSS: 0% Low | HRS: 80 High | Exploit Intel: CISA KEV Confidence: High | Deadline: Due 2026-06-10 |
Retention: Critical-Now / ready for remediation. Retained from prior issue. First-elevated date unavailable. First seen: 2026-06-01. Age-out: 2026-07-01 (30 days remaining) unless resolved or source status changes. Retention reason: CISA KEV source status retained for 30 days or until resolved. Source deadline: 2026-06-10. Material change: none. Why healthcare-relevantCategory: Exploited enterprise platform Basis: This item is retained because confirmed exploitation changes remediation priority even when healthcare-specific targeting is not proven. Where it shows up: the affected platform may be ordinary IT, patient-facing web, vendor-managed infrastructure, identity, or care-supporting systems depending on local deployment. What could happen: Confirmed exploitation drives urgency, but healthcare impact depends on whether the product is exposed, privileged, or connected to patient-access or clinical workflows. Local check: validate product presence, affected version, internet reachability, privilege level, and business owner before escalating to privacy or clinical operations. Healthcare concern: The healthcare question is where the exploited platform sits: identity path, patient-facing web path, vendor-managed service, clinical support system, or ordinary back-office asset. The answer changes urgency and escalation. Local validation: confirm whether @tanstack/* npm packages is present locally, identify deployed version and exposure surface, assign the business owner, and determine whether local evidence indicates the system supports patient-facing, operational, administrative, or PHI/ePHI-bearing workflows. Remediation: Vendor/source-backed remediation was not verified. Validate product presence and obtain the vendor fix, mitigation, or removal path before emergency change. | |||||||
| Priority: CRITICAL-NOW | CVE: CVE-2026-0257 | Product: Palo Alto Networks PAN-OS | CVSS: 9.1 Critical | EPSS: 0% Low | HRS: 87 Critical | Exploit Intel: CISA KEV Confidence: High | Deadline: Due 2026-06-01 |
Retention: Critical-Now / ready for remediation. Retained from prior issue. First-elevated date unavailable. First seen: 2026-06-01. Age-out: 2026-07-01 (30 days remaining) unless resolved or source status changes. Retention reason: CISA KEV source status retained for 30 days or until resolved. Source deadline: 2026-06-01. Material change: none. Why healthcare-relevantCategory: Remote access / perimeter risk Basis: Palo Alto Networks PAN-OS is remote-access, VPN, perimeter, and identity-adjacent infrastructure. Where it shows up: remote workforce VPN, vendor access, remote clinics, telehealth administration, privileged administration, perimeter ingress, and identity-adjacent access paths. What could happen: Unauthorized VPN or perimeter access can become an access-control bypass or foothold toward clinical, operational, or PHI/ePHI-bearing systems only if local evidence confirms routing and privileges make that path reachable. Local check: confirm GlobalProtect portal/gateway exposure, Authentication Override cookie settings, dedicated certificate use, internet reachability, identity integration, and downstream access scope. Healthcare concern: Healthcare relevance depends on whether GlobalProtect portal or gateway supports remote workforce, vendor access, remote clinics, telehealth administration, privileged administration, or access to clinical/business systems. Local validation: confirm exposed GlobalProtect portal/gateway, deployed PAN-OS or Prisma Access branch, Authentication Override cookie configuration, dedicated certificate use, internet reachability, identity integration, and downstream access scope. Remediation: Apply vendor-supported fixed release(s): PAN-OS 12.1: >=12.1.4-h6, >=12.1.7, PAN-OS 11.2: >=11.2.4-h17, >=11.2.7-h14, >=11.2.10-h7, >=11.2.12, PAN-OS 11.1: >=11.1.4-h33, >=11.1.6-h32, >=11.1.7-h6, >=11.1.10-h25, >=11.1.13-h5, >=11.1.15, PAN-OS 10.2: >=10.2.7-h34, >=10.2.10-h36, >=10.2.13-h21, >=10.2.16-h7, >=10.2.18-h6, >=10.2.18, Prisma Access 11.2: >=11.2.7-h13, Prisma Access 10.2: >=10.2.10-h36. Validate local exposure, then document exceptions and compensating controls if remediation is delayed. | |||||||
More monitored CVEs (3)
| Priority: CRITICAL-NOW | CVE: CVE-2026-8732 | Product: WP Maps Pro | CVSS: 9.8 Critical | EPSS: 22% Moderate | HRS: 65 Moderate | Exploit Intel: VulnCheck KEV Confidence: Medium | Deadline: Due 2026-06-08 |
Retention: Critical-Now / ready for remediation. Retained from prior issue. First-elevated date unavailable. First seen: 2026-06-01. Age-out: 2026-07-01 (30 days remaining) unless resolved or source status changes. Retention reason: VulnCheck KEV source status retained for 30 days or until resolved. Source deadline: 2026-06-08. Material change: none. Why healthcare-relevantCategory: Exploited enterprise platform Basis: This item is retained because confirmed exploitation changes remediation priority even when healthcare-specific targeting is not proven. Where it shows up: the affected platform may be ordinary IT, patient-facing web, vendor-managed infrastructure, identity, or care-supporting systems depending on local deployment. What could happen: Confirmed exploitation drives urgency, but healthcare impact depends on whether the product is exposed, privileged, or connected to patient-access or clinical workflows. Local check: validate product presence, affected version, internet reachability, privilege level, and business owner before escalating to privacy or clinical operations. Healthcare concern: The healthcare question is where the exploited platform sits: identity path, patient-facing web path, vendor-managed service, clinical support system, or ordinary back-office asset. The answer changes urgency and escalation. Local validation: confirm whether WP Maps Pro version 6.1.0 or earlier is installed. Prioritize public-facing, patient-facing, marketing, appointment, location-directory, portal-handoff, or form-bearing sites. Review administrator accounts, temporary-access activity, recent plugin/theme changes, unexpected files, and web logs before closure. Remediation: Apply vendor-supported fixed release(s): 6.1.1. Validate local exposure, then document exceptions and compensating controls if remediation is delayed. | |||||||
| Priority: HIGH | CVE: CVE-2026-8809 | Product: Advanced Custom Fields: Extended (WordPress) | CVSS: 9.8 Critical | EPSS: 41% Moderate | HRS: 56 Moderate | Exploit Intel: Public PoC Confidence: Medium | Deadline: Due 2026-06-15 |
Retention: retained. Retained from prior issue. First-elevated date unavailable. First seen: 2026-06-01. Age-out: 2026-06-15 (14 days remaining) unless resolved or source status changes. Retention reason: HIGH-priority watch retained while exploit, healthcare, or source signal remains relevant. Source deadline: 2026-06-15. Material change: none. Why healthcare-relevantCategory: Patient-facing digital risk Basis: The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. Where it shows up: public, patient-facing, marketing, physician-practice, intranet, or vendor-managed WordPress properties. What could happen: A plugin or theme flaw can affect site integrity, redirects, credentials, or patient-facing trust depending on how the component is deployed. Local check: confirm deployment, affected version, WAF coverage, admin changes, fixed release, and whether patient-facing workflows are in scope. Healthcare concern: Healthcare relevance depends on patient services, referrals, billing, marketing pixels, or portal handoff; otherwise treat as web-platform remediation. Local validation: confirm whether Advanced Custom Fields: Extended (WordPress) version 0.9.2.5 or earlier is installed. Prioritize public-facing, patient-facing, marketing, appointment, location-directory, portal-handoff, or form-bearing sites. Review administrator accounts, temporary-access activity, recent plugin/theme changes, unexpected files, and web logs before closure. Remediation: Validate whether Advanced Custom Fields: Extended (WordPress) is installed in the affected version range identified by the source. If present, confirm the vendor-supported fixed release before closure; apply compensating controls or disable affected functionality until remediation is verified. | |||||||
| Priority: MONITOR | CVE: CVE-2026-7797 | Product: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (WordPress) | CVSS: 7.5 High | EPSS: 31% Moderate | HRS: 56 Moderate | Exploit Intel: Public PoC Confidence: Medium | Deadline: Due 2026-07-01 |
Retention: monitored. Retained from prior issue. First-elevated date unavailable. First seen: 2026-06-01. Age-out: 2026-06-08 (7 days remaining) unless resolved or source status changes. Retention reason: monitored item retained for comparison unless exploit or source signal changes. Source deadline: 2026-07-01. Material change: none. Why healthcare-relevantCategory: Patient-facing digital risk Basis: The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'append where sql' param Where it shows up: appointment, intake, referral, billing, contact, and portal handoff forms on public or vendor-managed WordPress sites. What could happen: Attackers may tamper with form workflows, alter submissions, inject redirects, or abuse trust in the patient-facing site. Local check: map the plugin to live forms, submitted data, file attachments, portal links, and payment handoffs before privacy escalation. Healthcare concern: The exposure is form workflow integrity: appointment, intake, referral, billing, or contact forms can be altered or abused if active. Local validation: confirm whether Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (WordPress) version 1.6.11.8 or earlier is installed. Prioritize public-facing, patient-facing, marketing, appointment, location-directory, portal-handoff, or form-bearing sites. Review administrator accounts, temporary-access activity, recent plugin/theme changes, unexpected files, and web logs before closure. Remediation: Validate whether Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (WordPress) is installed in the affected version range identified by the source. If present, confirm the vendor-supported fixed release before closure; apply compensating controls or disable affected functionality until remediation is verified. | |||||||
Sort order prioritizes exploitation signals and deadlines.
Why low-EPSS items can still be Critical-Now
Low EPSS does not mean low operational risk.
EPSS estimates short-term exploit probability; operational priority also weighs confirmed exploitation and source deadlines.
Examples this week: 4 low-EPSS items remain prioritized because exploitation/source signals override low EPSS.
Methodology
8 CVEs analyzed · 5 CISA KEV items; 4 also corroborated by VulnCheck; 1 VulnCheck-only item. Methodology and limitations are collapsed; standing methodology is available at /methodology/.
Public issue methodology is summary-only to preserve the decision-brief reading path.
Sources used this window include NVD, CISA KEV, VulnCheck KEV, EPSS, healthcare incident sources, and regulatory watch data.
Breach Notification Trigger Framework: CVE presence alone is not a breach assessment; escalate only with local evidence of exploitation, unauthorized access, or PHI/ePHI exposure.
Full standing methodology: /methodology/.