Buffer overflow in User-ID Authentication Portal (Captive Portal) allowing unauthenticated remote code execution with root privileges via specially crafted network packets. CVSS 9.3. Actively exploited by state-sponsored threat actor CL-STA-1132 since April 9, 2026.
Apply patches released May 13, 2026. Immediately restrict Captive Portal exposure to trusted IP addresses only. Federal agencies must remediate per CISA KEV catalog requirements.
Source: CISA • Published: 2026-05-06
Authentication bypass vulnerability allowing attackers to gain administrative privileges on SD-WAN devices. CVSS 10.0. Exploited by UAT-8616 threat actor since 2023, with 10 additional threat clusters exploiting after PoC publication. Discovered by Rapid7.
Apply patches immediately for all supported Cisco Catalyst SD-WAN releases. Federal agencies must remediate by May 17, 2026 per Emergency Directive 26-03. Review administrative access logs for compromise indicators.
Source: CISA • Published: 2026-05-14
Remote code execution vulnerability in Windows GDI exploitable by opening malicious Enhanced Metafile (EMF) file in Microsoft Paint or other GDI-enabled applications. Part of May 2026 Patch Tuesday.
Apply May 2026 Windows security updates. Warn users not to open EMF files from untrusted sources. Consider blocking EMF attachments at email gateway.
Source: MSRC • Published: 2026-05-14
Stack-based buffer overflow in Windows Netlogon allowing unauthenticated remote code execution over network. Part of May 2026 Patch Tuesday.
Apply May 2026 Windows security updates immediately. Segment network to limit Netlogon exposure. Monitor domain controller logs for anomalies.
Source: MSRC • Published: 2026-05-14
Elevation of privilege vulnerability in Microsoft SSO Plugin for Atlassian products. CVSS 9.1. Part of May 2026 Patch Tuesday.
Update Microsoft SSO Plugin for Jira and Confluence immediately. Review SSO authentication logs for unauthorized access. Validate SSO configuration security.
Source: MSRC • Published: 2026-05-14
MiniPlasma zero-day allows unprivileged users to create arbitrary registry keys in .DEFAULT hive without access checks, enabling SYSTEM-level privilege escalation. Weaponized exploit released on GitHub by researcher Nightmare-Eclipse claiming Microsoft failed to fix or rolled back 6-year-old vulnerability. Flaw in HsmOsBlockPlaceholderAccess function missing OBJ_FORCE_ACCESS_CHECK flag.
Monitor Microsoft security advisories for emergency patch. Restrict user permissions and audit registry access. Deploy enhanced monitoring for unauthorized registry modifications in .DEFAULT hive. Consider disabling vulnerable functionality if possible.
Source: Web • Published: 2026-05-13
Authentication bypass vulnerability in cPanel being mass-exploited to breach websites and deploy "Sorry" ransomware. At least 44,000 IP addresses running cPanel compromised according to Shadowserver. Emergency update released.
Apply cPanel emergency security update immediately. Audit all cPanel/WHM installations for compromise indicators. Implement strong authentication controls and network segmentation. Restore from clean backups if compromised.
Source: Web • Published: 2026-05-14
Zero-day spoofing and XSS vulnerability in Exchange Outlook Web Access (OWA) allowing attackers to execute arbitrary JavaScript in browser context by sending specially crafted emails. CVSS 8.1. No patch available yet, only mitigation strategies published.
Apply mitigation steps from Microsoft security advisory published May 14. Monitor for patches. Restrict OWA access and implement email filtering rules until patches are released.
Source: MSRC • Published: 2026-05-14
Improper input validation allowing remote authenticated attackers with admin privileges to execute arbitrary code. Limited active exploitation observed. Connected to earlier zero-day exploitation of CVE-2026-1281 and CVE-2026-1340 in January.
Apply Ivanti security updates immediately. Rotate all administrative credentials if not done after January CVE-2026-1281/1340 incidents. Federal agencies must remediate within 3 days per CISA order. Also patch CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, CVE-2026-7821.
Source: CISA • Published: 2026-05-14
"Copy Fail" vulnerability in algif_aead module of Linux AF_ALG cryptographic subsystem allowing unprivileged local users to escalate privileges to root via 732-byte Python exploit. CVSS 7.8. Affects Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, SUSE 16, Debian, Fedora, Arch.
Upgrade to patched Linux kernel versions 6.18.22, 6.19.12, or 7.0 immediately. Federal agencies must remediate by May 15, 2026 per CISA KEV catalog. Audit systems for unauthorized privilege escalation.
Source: CISA • Published: 2026-05-01
May 2026 Patch Tuesday addresses 120 vulnerabilities including 17 Critical (14 RCE, 2 privilege escalation, 1 info disclosure). Key flaws: CVE-2026-35421 (Windows GDI RCE via malicious EMF), CVE-2026-41089 (Windows Netlogon stack overflow), CVE-2026-41103 (Microsoft SSO Plugin for Jira/Confluence, CVSS 9.1). No zero-days disclosed.
Deploy May 2026 patches immediately. Prioritize CVE-2026-35421, CVE-2026-41089, and CVE-2026-41103. Restrict opening of untrusted EMF files. Test SSO plugin configurations.
Source: MSRC • Published: 2026-05-14
SQL injection vulnerability in LiteLLM proxy API key verification logic allowing attackers to steal sensitive data and LLM provider API keys. CVSS 9.3. First exploitation observed April 26, 2026 at 16:17 UTC, approximately 26 hours after GitHub advisory publication. User-supplied keys concatenated directly into SQL queries without sanitization.
Upgrade to LiteLLM version 1.83.7-stable or later immediately. Rotate all LLM provider API keys. Review access logs for SQL injection attempts. Federal agencies must remediate by May 11, 2026 per CISA KEV catalog.
Source: CISA • Published: 2026-04-26
Systemic "by design" vulnerability in MCP architecture enabling remote code execution on any system running vulnerable MCP implementation. Affects 7,000+ publicly accessible servers and 150+ million package downloads. Flaw baked into official Anthropic SDK across all supported languages. Anthropic confirmed behavior is intentional, declining protocol modification and stating sanitization is developer responsibility.
Implement strict input sanitization for all MCP integrations. Deploy runtime application self-protection (RASP) for MCP servers. Segment MCP infrastructure from sensitive systems. Review all MCP implementations for proper input validation. Consider alternative protocols if possible.
Source: Web • Published: 2026-05-14
Vulnerability in Microsoft Semantic Kernel enabling prompt injection to escalate to host-level remote code execution. Single prompt sufficient to launch calc.exe on device running AI agent. Discovered during Microsoft internal security research. Patched.
Update Microsoft Semantic Kernel to latest patched version. Implement strict prompt sanitization and validation. Deploy runtime monitoring for unexpected process execution from AI agents. Segment AI agent infrastructure.
Source: MSRC • Published: 2026-05-14
Second critical vulnerability in Microsoft Semantic Kernel allowing unauthorized code execution via injection attacks. Discovered during Microsoft security research. Patched.
Update Microsoft Semantic Kernel to latest patched version. Review all Semantic Kernel integrations for injection vulnerabilities. Implement defense-in-depth controls including input validation, output encoding, and runtime protection.
Source: MSRC • Published: 2026-05-14
Hidden prompt injection in pull request descriptions enabling remote code execution with GitHub Copilot. CVSS 9.6. Attackers can embed malicious prompts in PR descriptions to execute arbitrary code in developer environments.
Update GitHub Copilot to patched version. Review and sanitize PR descriptions before review. Implement code review policies that include prompt injection checks. Deploy static analysis for AI-generated code before merge.
Source: Web • Published: 2026-05-14
Server-Side Request Forgery (SSRF) vulnerability in LMDeploy exploited within 12 hours of disclosure. Enables attackers to use vision-LLM endpoints for internal network scanning, cloud metadata access, and service enumeration. Advisory included affected file, parameter, root cause, and sample code—effectively an LLM prompt for exploit generation.
Apply LMDeploy security patches immediately. Implement network segmentation to restrict LLM endpoint access to internal resources. Deploy SSRF protections at application and network layers. Monitor for unusual outbound connections from LLM infrastructure.
Source: Web • Published: 2026-04-21
Zero-click prompt injection vulnerability in Windsurf AI IDE related to MCP systemic weakness. Similar vulnerabilities exist in Claude Code, Cursor, Gemini-CLI, and GitHub Copilot but only Windsurf has assigned CVE.
Update Windsurf to patched version. Implement prompt injection detection and filtering. Review and sanitize all AI IDE integrations. Apply principle of least privilege to AI assistant permissions.
Source: Web • Published: 2026-05-14
Nation-state threat actor UAT-8616 exploiting CVE-2026-20182 and CVE-2026-20127 since at least 2023 for initial access to critical infrastructure. Cisco Talos reports infrastructure overlaps with monitored Operational Relay Box (ORB) networks. 10 additional threat clusters began exploitation after PoC publication.
Apply Cisco SD-WAN patches immediately. Hunt for UAT-8616 IOCs in network logs. Review SD-WAN administrative access for compromise. Implement network segmentation to limit SD-WAN lateral movement. Follow Emergency Directive 26-03 requirements.
Source: Web • Published: 2026-05-14
State-sponsored threat cluster CL-STA-1132 exploiting CVE-2026-0300 for unauthenticated RCE in PAN-OS software. Active exploitation observed since April 9, 2026. Unit 42 tracking as likely nation-state activity targeting exposed Captive Portal implementations.
Apply PAN-OS patches released May 13. Restrict Captive Portal access to trusted networks only. Hunt for CL-STA-1132 indicators in firewall logs. Review administrative access and configuration changes for signs of compromise.
Source: Web • Published: 2026-05-06
Between January-May 2026, state-sponsored actors conducted 297+ documented supply chain attacks, breached 200+ telecom operators across six continents, deployed at least four new wiper families against Ukrainian infrastructure, and integrated AI-generated content into majority of phishing operations. ENISA reports 80% of 2025 phishing campaigns contained AI-generated content.
Implement supply chain security controls per NIST SSDF and C-SCRM guidance. Deploy advanced email security with AI-generated content detection. Enhance telecom security monitoring and segmentation. Coordinate with national CERT/CSIRT for threat intelligence. Prepare incident response plans for wiper attacks.
Source: Web • Published: 2026-05-14
ShinyHunters ransomware group stole 275 million records from Instructure Canvas platform affecting students, teachers, staff at Harvard, Stanford, NUS, Rutgers, and 9,000+ schools globally. Initial breach April 25, detected April 29, disclosed May 1. Second attack May 7 replaced login page with ransom demand. Instructure claimed May 11 agreement with ShinyHunters and data destruction, but verification impossible.
Force password resets for all Canvas users. Enable MFA on all accounts. Monitor for credential stuffing and phishing targeting affected individuals. Review Canvas integration security. Implement enhanced data loss prevention and access controls. Consider contract review regarding Instructure security guarantees.
Source: Web • Published: 2026-05-01
"Sorry" ransomware campaign mass-exploiting CVE-2026-41940 cPanel authentication bypass to breach websites and encrypt data. Shadowserver reports at least 44,000 compromised IP addresses running cPanel. Widespread automated exploitation ongoing.
Apply cPanel emergency patches immediately. Audit all cPanel/WHM servers for compromise. Restore from clean backups if affected. Implement network-based protections to block exploit traffic. Consider migrating to alternative hosting control panels if patching delayed.
Source: Web • Published: 2026-05-14
Russian APT28 (UAC-0001, Fancy Bear) cyberespionage group exploited CVE-2026-21510 in attacks against Ukraine and EU countries in December 2025. CERT-UA disclosure indicates ongoing GRU cyber operations targeting European entities.
Patch CVE-2026-21510 immediately if not already applied. Review December 2025-May 2026 logs for APT28 IOCs. Implement enhanced monitoring for Russian threat actor TTPs. Coordinate with CERT-UA and EU-CERT for threat intelligence sharing.
Source: Web • Published: 2025-12-01
ShinyHunters stole personal information of 119,000+ Vimeo users via third-party vendor breach in April. Compromised data includes technical data, video titles, metadata, and customer email addresses.
Reset Vimeo passwords and enable MFA. Monitor for phishing targeting affected users. Review third-party vendor security controls. Assess data exposure risk and implement additional monitoring.
Source: Web • Published: 2026-04-01
ShinyHunters ransomware group conducted cyberattack against Cushman & Wakefield commercial real estate services firm. Full scope of data theft unclear.
Await official Cushman & Wakefield breach notification. Reset credentials for any accounts shared with Cushman & Wakefield systems. Monitor for targeted phishing and social engineering. Review third-party risk management for Cushman & Wakefield relationships.
Source: Web • Published: 2026-05-14
Nitrogen ransomware operation stole 8TB of data and 11+ million documents from Foxconn factories in North America. Stolen files allegedly contain confidential instructions, projects, and drawings from Apple, Intel, Google, Nvidia, AMD, and other Foxconn customers. Production resuming after incident response.
If Foxconn supplier/partner: assess exposure of shared confidential data. Review contracts regarding data protection obligations. Monitor for IP theft or competitive intelligence use of stolen data. Implement enhanced due diligence for Foxconn data sharing.
Source: BleepingComputer • Published: 2026-05-14
2026 ransomware landscape shows operators prioritizing EDR neutralization before payload execution using "EDR killer" tools. Ransom payment rates dropped to 28% in 2025, driving shift to extortion-only attacks without encryption. Ransomware present in 44% of confirmed 2025 breaches, up 37% YoY from 32%.
Implement tamper-resistant EDR with cloud-based management. Deploy defense-in-depth with multiple security layers. Maintain offline encrypted backups. Implement data loss prevention to detect exfiltration. Train incident response teams on EDR bypass techniques.
Source: Web • Published: 2026-05-14
West Pharmaceutical Services experienced material cybersecurity attack with data exfiltration and system encryption detected May 4. Company engaged Palo Alto Networks Unit 42 for incident response, containment, and recovery.
If West Pharmaceutical supplier/customer: monitor for breach notification letters. Reset shared credentials. Review data protection agreements. Prepare for potential supply chain disruption. Monitor for targeted follow-on attacks.
Source: BleepingComputer • Published: 2026-05-04
Medtronic data breach April 18, 2026 with unauthorized access to sensitive personal and health-related information affecting approximately 9 million records. Full scope of compromised data and incident details pending.
Affected individuals: monitor for breach notification, enroll in offered credit monitoring, watch for medical identity theft. Organizations: review Medtronic data sharing agreements, assess exposure of shared patient/customer data.
Source: Web • Published: 2026-04-18
France Titres (ANTS) detected security incident April 13 exposing data from individual and professional accounts. Compromised data includes login IDs, names, email addresses, birth dates, account identifiers, and in some cases postal addresses, birthplaces, phone numbers. Suspect "breach3d" allegedly attempted to sell 12-18 million stolen records. 11.7 million accounts impacted.
Affected French residents: reset ANTS passwords immediately, enable MFA if available, monitor for identity theft and targeted phishing. Organizations: review identity verification processes for French government document fraud risk.
Source: Web • Published: 2026-04-13
First confirmed use of AI to develop zero-day exploit in the wild. Google Threat Intelligence Group identified unknown threat actor using likely AI-generated Python script to bypass two-factor authentication on popular open-source web admin tool. High confidence AI model used for vulnerability discovery and exploit generation. Planned for mass exploitation but Google proactive discovery may have prevented deployment. Not using Google Gemini.
Update affected system administration tools to latest versions. Implement enhanced 2FA with hardware tokens or biometrics. Monitor authentication systems for bypass attempts. Deploy AI-powered threat detection to identify AI-generated exploits. Assume AI will accelerate exploit development timelines.
Source: GTIG • Published: 2026-05-14
Security landscape analysis reveals 48% of AI-generated code contains security flaws. 75% of senior developers still review every AI code snippet before merging. Cursor and similar tools expand attack surfaces in ways traditional security tools cannot monitor. AI shifts time allocation but does not eliminate need for security review.
Implement mandatory security review for all AI-generated code. Deploy SAST/DAST tools adapted for AI code patterns. Train developers on AI-specific security risks. Establish AI code acceptance policies requiring manual validation of security-critical functions.
Source: Web • Published: 2026-05-14
Generative AI accelerating collapse of time-to-exploit. CVE-2026-33626 (LMDeploy) exploited within 12 hours of disclosure. Detailed security advisories with code samples effectively serve as LLM prompts for exploit generation. Organizations must assume dramatically shorter patch windows.
Establish emergency patching procedures with <24 hour SLAs for critical systems. Implement virtual patching and runtime protection where immediate patching not feasible. Prioritize vulnerability disclosure handling and patch testing automation. Deploy threat intelligence feeds tracking exploit development.
Source: Web • Published: 2026-05-14
Google Threat Intelligence Group tracking maturation from nascent AI-enabled operations to industrial-scale application of generative models in adversarial workflows. Malware families PROMPTFLUX and PROMPTSTEAL actively query LLMs mid-execution to evade detection. Trend toward AI-native attack tools and techniques.
Implement AI-specific security controls including prompt injection detection, LLM output validation, and model access logging. Deploy behavioral analytics to detect AI-assisted attacks. Train security teams on AI threat actor TTPs. Establish AI security governance program.
Source: GTIG • Published: 2026-05-14
CVE-2026-0300: Buffer overflow in User-ID Authentication Portal (Captive Portal) allowing unauthenticated remote code execution with root privileges via specially crafted network packets. CVSS 9.3. Actively exploited by state-sponsored threat actor CL-STA-1132 since April 9, 2026.