Coverage: May 8–10, 2026 · 5 areas · CVEs, AI threats, nation-state activity, breaches, and news
Palo Alto confirmed on May 7 that CVE-2026-0300 (CVSS 9.3 Critical, unauthenticated buffer overflow in the User-ID Authentication Portal) remains unpatched and under active exploitation against internet-exposed Captive Portals. First fixes are now confirmed for May 13, 2026 (PAN-OS 11.2.7-h13 and 11.2.10-h6), with additional releases through May 28. Affected trains: PAN-OS 11.2 (below 11.2.4-h17 / 11.2.7-h13 / 11.2.10-h6 / 11.2.12), PAN-OS 11.1 (below 11.1.13-h5 or 11.1.15), PAN-OS 10.2 (below 10.2.13-h21 or 10.2.16-h7). Exploitation is low-complexity, requires no credentials, and delivers root-level code execution. Prisma Access, Cloud NGFW, and Panorama are not affected.
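An added example (not Palo Alto's tooling) that triages a firewall inventory against the fixed builds listed above, putting internet-exposed portals first. The hostnames and inventory are constructed, and the handling of maintenance releases that have no listed hotfix is an assumption stated in the code.

```python
import re

# Fixed builds per PAN-OS train as (maintenance, hotfix), copied from the
# summary above; hotfix 0 means the base maintenance release.
FIXED = {
    (11, 2): [(4, 17), (7, 13), (10, 6), (12, 0)],
    (11, 1): [(13, 5), (15, 0)],
    (10, 2): [(13, 21), (16, 7)],
}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """Split '11.2.7-h13' into ((11, 2), 7, 13); no hotfix suffix means 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = (int(g) if g else 0 for g in m.groups())
    return (major, minor), maint, hotfix

def status(version):
    """Return 'fixed', 'affected', or 'unlisted' (train not in the summary)."""
    train, maint, hotfix = parse(version)
    fixes = FIXED.get(train)
    if fixes is None:
        return "unlisted"
    for fixed_maint, fixed_hotfix in fixes:
        if maint == fixed_maint:
            return "fixed" if hotfix >= fixed_hotfix else "affected"
    # Assumption: a maintenance release with no listed hotfix is fixed only
    # if it is newer than the newest fixed release of its train.
    return "fixed" if maint > max(f[0] for f in fixes) else "affected"

def triage(inventory):
    """Hostnames on affected builds, internet-exposed portals first."""
    hits = [(not exposed, host) for host, ver, exposed in inventory
            if status(ver) == "affected"]
    return [host for _, host in sorted(hits)]

# Constructed inventory: (hostname, PAN-OS version, portal internet-exposed)
INVENTORY = [
    ("fw-edge-01", "11.2.7-h12", True),
    ("fw-core-02", "11.2.7-h13", False),
    ("fw-lab-03", "10.2.13-h20", False),
    ("fw-dmz-04", "11.1.15", True),
    ("fw-br-05", "11.2.11", True),
]
print(triage(INVENTORY))
```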
CVE-2026-32202 (Windows Shell protection mechanism failure, CVSS 4.3) is being actively exploited by APT28/Fancy Bear to steal NTLM hashes via LNK files, enabling pass-the-hash lateral movement across enterprise networks. CISA's FCEB remediation deadline is May 12, 2026 — tomorrow from the perspective of this brief. Akamai confirmed the flaw is an incomplete patch of CVE-2026-21510 (which APT28 exploited in February). The LNK file delivery is frictionless: a victim must open a malicious LNK file sent by email or shared drive, and NTLM hashes are leaked with no further interaction.
Help Net Security's May 2026 Patch Tuesday forecast (published May 8) notes that Microsoft is a participant in 'Project Glasswing' — a NIST/Anthropic AI-assisted vulnerability discovery agreement signed May 5 with 12 technology companies. Anthropic's AI models will analyze code for vulnerabilities before public release, with NIST receiving findings. Microsoft's participation signals a potentially record-breaking Patch Tuesday on May 13. Organizations should prepare patch management workflows now. Additionally, NIST announced it is shifting to threat-based CVE enrichment: only KEV-listed, federal-use, and critical software CVEs will receive NVD scoring enrichment — reducing noise but potentially delaying CVSS scores for non-critical findings.
CISA added CVE-2026-42208 (LiteLLM SQL injection CVSS 9.3) to the KEV catalog on May 8. The FCEB remediation deadline is May 11 — today. This unauthenticated SQL injection in LiteLLM Proxy 1.81.16-1.83.6 allows an attacker to read and modify the proxy database, extracting all LLM provider API keys (OpenAI, Anthropic, AWS Bedrock, Azure OpenAI). Active exploitation targeting production instances has been confirmed since April 26. Blast radius: a successful extraction grants cloud-grade credential access across every LLM provider the proxy manages.
Microsoft Security Blog (May 7, 2026) disclosed two patched vulnerabilities in Semantic Kernel that turn prompt injection into host-level RCE. CVE-2026-25592 (Semantic Kernel .NET SDK < 1.71.0): SessionsPythonPlugin exposed its file upload function to the AI model via [KernelFunction] attribute. Prompt injection bypasses the Azure Container Apps sandbox, writes a malicious payload to the Windows Startup folder, and achieves persistent host-level RCE. CVE-2026-26030 (Semantic Kernel Python < 1.39.4): In-Memory Vector Store Search Plugin applied filter logic through eval() on attacker-influenced input. A single crafted prompt achieves RCE by smuggling a Python AST-traversal payload through the eval() sink. Both vulnerabilities require only a prompt injection vector — no credentials, no memory corruption. Microsoft has published a live CTF demonstrating CVE-2026-26030.
BleepingComputer and Help Net Security (May 8) reported on Mythos, an AI-powered offensive security system that autonomously discovers and chains zero-days across internet-facing systems. Mythos demonstrated a four-zero-day chain that bypassed both the browser renderer sandbox and the OS sandbox. Cybersecurity firms warn that AI-driven attacks from systems like Mythos may soon outpace defensive response capacity — models can find hidden flaws across internet systems at machine speed, raising concerns among banks, regulators, and security leaders. Mythos represents the real-world weaponization of the M-Trends 2026 finding that 42% of 2025 CVEs were exploited before public disclosure, as AI can generate exploits directly from advisory text.
A May 3, 2026 compilation of confirmed prompt injection attack patterns documents five production-grade techniques: (1) Zero-click data exfiltration (Copilot CVE-2025-11 — crafted email extracts confidential data without user action; 60% of enterprise AI copilots share similar patterns in red-team assessments); (2) Tool manipulation — hijacking which action an agent takes mid-task; (3) Memory poisoning — persistent false beliefs injected into agent long-term memory; (4) Supply chain attacks via malicious MCP tools (ClawHavoc: 1,100+ malicious tools on ClawHub); (5) Multi-language evasion — fragmenting payloads across Mandarin, Arabic, and Portuguese to bypass English-trained classifiers. Unit 42 confirmed patterns 4 and 5 in real-world attacks.
Two major nation-state campaigns are active this period. APT28 (Russia/Fancy Bear) is exploiting CVE-2026-32202 LNK files to steal NTLM hashes, particularly targeting Ukraine, EU governments, and defense-adjacent organizations. Simultaneously, Salt Typhoon (China-linked) continues persistent access in U.S. and allied telecom networks — confirmed 'still very much ongoing' by FBI as of February 2026. Trend Micro's Q1 2026 report confirms Salt Typhoon successfully targeted U.S. congressional email systems and that related group UAT-7290 is simultaneously targeting U.S. and allied telecom infrastructure through edge device vulnerabilities. AI-enhanced ransomware (LAMEHUG, deployed by APT28) and DPRK's FAMOUS CHOLLIMA (Lazarus) activity doubled its incident rate in the past year.
The Kyber ransomware group demonstrated in April 2026 the first use of post-quantum encryption algorithms against Windows and VMware ESXi environments, including a confirmed attack on a U.S. defense contractor. The group deletes backups and disables recovery mechanisms before encrypting — making recovery extremely difficult. Kyber's post-quantum approach is designed to resist future decryption even if law enforcement seizes keys, eliminating any potential for future decryption of intercepted ransoms. CM Alliance confirmed the technique is now documented and is expected to be replicated by other groups.
A threat actor claimed in April 2026 to have exfiltrated 13 million Adobe customer support tickets, 15,000 employee records, and internal company documents. The breach raises significant concerns about how organizations protect operational data beyond standard customer PII. Customer support tickets commonly contain sensitive operational details — license keys, error logs with system metadata, internal communication, and sometimes credentials shared in troubleshooting sessions. The full scope and authenticity of the claim are still being assessed, but multiple security researchers have validated samples of the data.
Rhysida ransomware group claimed responsibility for breaching STELIA Aerospace North America, exfiltrating approximately 10 TB of data including identity documents, employee records, and technical drawings — suggesting deep compromise of corporate and partner-related data. A 27 BTC (~$2.07M) ransom demand was issued. This breach is notable in the defense/aerospace sector context: technical drawings from aerospace suppliers can have export control implications, and partner data exposure extends the breach radius beyond the direct victim. Rhysida has been increasingly active against defense-adjacent organizations in 2026.
Pulled from AI Vuln Monitor run — May 10, 2026 · 3 findings
Affected: Microsoft Semantic Kernel .NET SDK — all versions prior to 1.71.0
Microsoft disclosed CVE-2026-25592 on May 7, 2026 — an arbitrary file write vulnerability in the Semantic Kernel .NET SDK's built-in SessionsPythonPlugin. The plugin allows AI agents to execute Python code inside Azure Container Apps dynamic sessions (cloud-isolated sandboxes). A flaw in how the plugin exposed its upload_file function to the AI model via the [KernelFunction] attribute allowed an attacker to reach this function through prompt injection: a single crafted prompt caused the agent to bypass the cloud-hosted sandbox, write a malicious payload directly to the host device's Windows Startup folder, and achieve persistent remote code execution. No memory corruption required — the agent simply did what it was designed to do. Affects any application using Semantic Kernel .NET SDK prior to 1.71.0 with SessionsPythonPlugin enabled.
Affected: Microsoft Semantic Kernel Python SDK — all versions prior to 1.39.4, using In-Memory Vector Store with Search Plugin default configuration
CVE-2026-26030 is the second Semantic Kernel vulnerability disclosed by Microsoft on May 7, 2026. In the Python Semantic Kernel package prior to 1.39.4, the In-Memory Vector Store Search Plugin applied filter logic through an eval() call on attacker-influenced input. When an agent used the default Search Plugin configuration backed by the In-Memory Vector Store, a prompt injection through any external content the agent processes (a web page, document, API response, or tool output) was sufficient to reach the eval() sink. Researchers demonstrated RCE by crafting a prompt injection that smuggled a Python AST-traversal payload through the vulnerable evaluation path, launching arbitrary code on the machine running the agent. Microsoft has published an interactive capture-the-flag challenge demonstrating the exploit chain. Affects any Python Semantic Kernel agent using In-Memory Vector Store with default filter configuration.
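The class of bug described above (filter text reaching eval()), shown next to a hardened form that compiles the filter from an allowlisted AST. This is an added example, not Semantic Kernel's code or Microsoft's fix; the filter syntax, function names and sample records are constructed for illustration.

```python
import ast
import operator

_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}

def search_eval(records, filter_expr):
    """Vulnerable pattern: the filter text runs as Python via eval()."""
    return [r for r in records if eval(filter_expr, {}, {"r": r})]

def compile_filter(node):
    """Turn an allowlisted AST node into a predicate; reject everything else."""
    if isinstance(node, ast.BoolOp):  # `and` / `or`
        parts = [compile_filter(v) for v in node.values]
        agg = all if isinstance(node.op, ast.And) else any
        return lambda r: agg(p(r) for p in parts)
    if (isinstance(node, ast.Compare) and len(node.ops) == 1
            and type(node.ops[0]) in _OPS):
        op = _OPS[type(node.ops[0])]
        lhs, rhs = compile_filter(node.left), compile_filter(node.comparators[0])
        return lambda r: op(lhs(r), rhs(r))
    if (isinstance(node, ast.Subscript) and isinstance(node.value, ast.Name)
            and node.value.id == "r" and isinstance(node.slice, ast.Constant)
            and isinstance(node.slice.value, str)):  # r["field"], Python 3.9+
        key = node.slice.value
        return lambda r: r[key]
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, int, float)):
        value = node.value
        return lambda r: value
    raise ValueError(f"disallowed filter element: {type(node).__name__}")

def search_safe(records, filter_expr):
    """Hardened form: validate the whole filter before touching any record."""
    predicate = compile_filter(ast.parse(filter_expr, mode="eval").body)
    return [r for r in records if predicate(r)]

def is_rejected(filter_expr):
    try:
        search_safe([], filter_expr)
    except ValueError:
        return True
    return False

# Constructed sample data and filters (not taken from the advisory)
RECORDS = [{"team": "blue", "sev": 9}, {"team": "red", "sev": 3},
           {"team": "blue", "sev": 5}]
GOOD = 'r["team"] == "blue" and r["sev"] >= 7'
NOT_A_FILTER = "str(r) != ''"  # benign call, standing in for injected code
```

search_eval() evaluates NOT_A_FILTER like any other Python expression, while search_safe() rejects it at compile time because function calls and attribute access are not in the allowlist.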
Affected: LiteLLM Proxy (AI Gateway) versions 1.81.16 through 1.83.6 — CISA KEV added May 8, 2026, FCEB deadline May 11
CISA added CVE-2026-42208 (LiteLLM SQL injection, CVSS 9.3) to the Known Exploited Vulnerabilities catalog on May 8, 2026, with an FCEB remediation deadline of May 11, 2026. Previously covered in the May 3 run as an actively exploited vulnerability, the CISA KEV addition confirms federal-level severity classification and triggers mandatory remediation timelines for government environments. Active exploitation has been confirmed, with attackers targeting litellm_credentials tables storing multi-provider LLM API keys (OpenAI, Anthropic, AWS Bedrock, Azure). This KEV addition escalates the urgency for any organization still running LiteLLM Proxy 1.81.16 through 1.83.6 without patching.
The Center for AI Standards and Innovation (CAISI/NIST) announced on May 5, 2026 formal agreements with Google DeepMind, Microsoft, xAI, and 11 other companies to evaluate AI models in classified environments before public release. Simultaneously, NIST and Anthropic launched 'Project Glasswing,' in which Anthropic AI models analyze software for vulnerabilities before disclosure — findings go to NIST. Microsoft is a Project Glasswing participant, which is expected to surface a record number of CVEs in the May 13 Patch Tuesday. Separately, NIST announced a shift to threat-based CVE enrichment: NVD will prioritize scoring for KEV-listed, federal-software, and critical-category CVEs only — reducing noise but potentially delaying CVSS scores for lower-priority findings.
Multiple cybersecurity firms issued warnings on May 8, 2026 that AI-driven offensive tooling like Mythos has reached a capability threshold where it can autonomously discover and chain zero-days across internet systems faster than human defenders can respond. Mythos demonstrated a four-zero-day chain bypassing both browser renderer and OS-level sandboxes — a milestone previously requiring elite human operators. Security leaders in banking, fintech, and critical infrastructure are flagging concern about the asymmetric advantage this gives to well-resourced attackers. The implication is that organizations running on weekly or monthly patch cycles are now structurally disadvantaged against AI-speed exploitation.