Unauthenticated buffer overflow in the PAN-OS User-ID Authentication Portal (Captive Portal) allows remote attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls. No authentication or user interaction required. Exploit maturity is marked ATTACKED — nation-state exploitation confirmed by Palo Alto Networks. Prisma Access, Cloud NGFW, and Panorama are NOT affected. Affected: PAN-OS 10.2.x, 11.1.x, 11.2.x, 12.1.x (see vendor matrix for specific versions). First patches ETA May 13 (11.2.7-h13, 11.2.10-h6, 11.1.4-h33, 11.1.6-h32, 11.1.10-h25, 11.1.13-h5, 10.2.10-h36, 10.2.18-h6, 12.1.4-h5).
IMMEDIATE WORKAROUND (do now): Disable the User-ID Authentication Portal (Captive Portal) on all internet-facing L3 interfaces. In PAN-OS: Device > User Identification > User-ID Settings — disable Authentication Portal. Alternatively, restrict Response Pages on Interface Management Profiles to internal/trusted zones only. Apply patches as soon as available via Panorama or direct device upgrade. Check: https://security.paloaltonetworks.com/CVE-2026-0300 for the latest available versions.
DISABLE Captive Portal on all internet-facing interfaces NOW. Stage patches for May 13 deployment on priority tracks.
Microsoft's May 12, 2026 Patch Tuesday releases today — the final comfortable deployment window before Secure Boot certificates expire on June 26, 2026 (45 days). This is the last Patch Tuesday with adequate testing and phased deployment runway before the expiration. Organizations that miss this cycle face emergency deployment in June with only 17 days remaining. Expected scope: 80-100 vulnerabilities across Windows kernel, Office, SharePoint, and server components. Also includes OOB fix for CVE-2026-40372 (ASP.NET core CVSS 9.1 Critical EoP, rolled into today's update) and expected fixes for Bluehammer-related RedSun and UnDefend exploits targeting Microsoft Defender CVE-2026-33825.
Deploy May 12 patches immediately following accelerated test cycles — treat this cycle as urgent due to Secure Boot deadline. Verify Secure Boot 2023 certificate installation on 100% of Windows devices and complete OEM firmware updates (Dell, HP, Lenovo, ASUS) before June 26. Check Windows Update and WSUS for KB rollout. Run: 'Get-WindowsUpdateLog' to verify patch deployment status across fleet.
DEPLOY May Patch Tuesday today. VERIFY Secure Boot certificate installation on all Windows devices — June 26 deadline is absolute.
A logic flaw in the Linux kernel's cryptographic subsystem (algif_aead / AF_ALG + splice() interaction) allows any unprivileged local user to escalate to root using a deterministic 732-byte Python exploit. No race condition required. Affects virtually all Linux distributions running kernels released since 2017 — Ubuntu 24.04 LTS, RHEL 10.1, Amazon Linux 2023, SUSE 16, Debian, Fedora, Arch Linux. CVSS 7.8 High. CISA added to KEV May 3; FCEB deadline May 15. Critically: because containers share the host kernel, exploitation from any container foothold compromises the entire host node. PoC exploit is publicly available in Python, Go, and Rust implementations. Microsoft Defender detects via Exploit:Linux/CopyFailExpDl.A and Behavior:Linux/CVE-2026-31431.
Patch now: update to Linux kernel 6.18.22, 6.19.12, or 7.0. For major distributions: Ubuntu: 'sudo apt update && sudo apt upgrade linux-image-$(uname -r)'; RHEL/AlmaLinux: 'sudo dnf update kernel'; Debian: 'sudo apt dist-upgrade'. If immediate patching is not possible: block AF_ALG socket creation via seccomp or AppArmor rules, implement network isolation, apply strict access controls. For Kubernetes environments: treat any container RCE as potential host compromise and enforce rapid node recycling. FCEB agencies must patch by May 15.
PATCH Linux kernel to 6.18.22 / 6.19.12 / 7.0 on all systems by May 15 CISA deadline. Block AF_ALG sockets as interim mitigation.
Zero-click NTLM hash leak vulnerability in Windows Shell (LNK handling) — leftover from an incomplete February 2026 patch for CVE-2026-21510. Remote attackers can steal NTLM hashes via pass-the-hash to authenticate as compromised users and move laterally across networks. APT28 exploitation confirmed. CISA ordered FCEB agencies to patch by May 12 (today). CVSS 6.5 Important per Microsoft. Akamai disclosed the incomplete patch. Microsoft has confirmed it patched CVE-2026-32202 in today's May Patch Tuesday release.
Apply May 2026 Patch Tuesday updates today (KB available via Windows Update). Block outbound SMB (port 445) at perimeter firewalls to prevent NTLM hash relay to attacker-controlled servers. Enable 'Extended Protection for Authentication' on internal web services. Consider enforcing Kerberos-only authentication for sensitive systems and disabling NTLM where feasible via Group Policy: 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' set to Deny All.
APPLY May Patch Tuesday immediately. Block outbound SMB at perimeter. Enforce NTLM restrictions via Group Policy.
Source: BleepingComputer / CISA KEV
A prompt injection vulnerability in Windsurf 1.9544.26 (AI-powered IDE) allows remote attackers to execute arbitrary commands without user interaction. When Windsurf processes attacker-controlled HTML content (via a poisoned web page, README, code comment, or repository file), malicious instructions modify the local MCP configuration file (mcp.json) and automatically register a malicious MCP STDIO server, resulting in arbitrary command execution with the user's privileges. The MCP configuration file is writable by the AI agent, making it a direct attack surface. No CVSS score assigned by NVD at publication. Classified High by SentinelOne based on zero-privilege-required, low-complexity exploitation.
Update Windsurf immediately to the latest available version — check https://windsurf.com for patch status. Interim mitigations: (1) Disable automatic MCP STDIO server registration in Windsurf settings. (2) Restrict Windsurf from processing HTML content from untrusted sources. (3) Enable file integrity monitoring on the MCP configuration directory and alert on unauthorized mcp.json modifications. (4) Audit current mcp.json for unauthorized server registrations: review ~/.cursor/mcp.json or equivalent path. (5) Monitor for unexpected process spawning from Windsurf IDE processes.
UPDATE Windsurf immediately. Audit mcp.json for rogue entries. Monitor Windsurf process tree for unexpected child processes.
Source: NVD / SentinelOne / OX Security
FastGPT AI Agent Platform versions 4.14.11 and prior contain a Server-Side Request Forgery vulnerability in the isInternalAddress() function. The blocklist uses a fullUrl.startsWith() check that can be bypassed with at least 7 different URL encoding techniques. Additionally, the private IP validation (isInternalIPv4/isInternalIPv6) is disabled by default (CHECK_INTERNAL_IP defaults to false). Successful exploitation allows attackers to access AWS IMDS (169.254.169.254), GCP metadata, Azure IMDS, enumerate internal network services, steal cloud IAM credentials, and pivot to internal infrastructure. Published May 8, 2026. No patch available.
No patch available. Immediate mitigations: (1) Set CHECK_INTERNAL_IP environment variable to 'true' in your FastGPT deployment configuration. (2) Block egress to metadata endpoints at the network level: 169.254.169.254 (AWS/Azure), metadata.google.internal (GCP), 100.100.100.200 (Alibaba). (3) On AWS: enforce IMDSv2 (PUT-based token flow): 'aws ec2 modify-instance-metadata-options --http-tokens required'. (4) Restrict FastGPT container outbound traffic to an explicit URL allowlist. (5) Rotate all cloud IAM credentials if the system has been internet-exposed on an affected version. Watch https://github.com/labring/FastGPT for patch.
SET CHECK_INTERNAL_IP=true NOW. Block metadata endpoint egress at network layer. Rotate cloud IAM credentials if exposed.
Source: NVD
Google Threat Intelligence Group confirmed on May 11 the first known case of a threat actor using an AI-generated zero-day exploit in a planned mass exploitation campaign. The exploit — a Python script targeting a two-factor authentication bypass in an unnamed open-source web-based system administration tool — was identified by Google researchers who noted clear LLM authorship markers: educational docstrings, a hallucinated CVSS score, and textbook Pythonic structure. The underlying flaw is a semantic logic error where the developer hardcoded a trust assumption in the 2FA flow. Google worked with the impacted vendor and disrupted the campaign before launch. China-linked UNC2814 and DPRK-linked APT45 are confirmed using AI models for systematic vulnerability research. This confirms the structural escalation security teams have warned about: AI-speed exploit development at criminal threat actor level.
No single patch. Ecosystem-level response: (1) Immediately audit all internet-facing open-source web administration tools (Webmin, phpMyAdmin, Cockpit, Netdata, Grafana) — apply all pending security updates now. (2) Review any internally developed 2FA implementations for hardcoded trust assumptions. (3) Subscribe to vendor security advisories for all admin tooling — the specific targeted tool is undisclosed but patched. (4) Implement SAST rules to detect developer-embedded trust bypasses in authentication flows. (5) Monitor AI coding tool telemetry for anomalous MCP invocations or unexpected system access. (6) Treat all third-party AI integrations as potential supply chain compromise vectors following TeamPCP GitHub Actions campaign.
AUDIT and patch all web admin tools immediately. REVIEW 2FA implementations for hardcoded trust assumptions. MONITOR AI agent telemetry.
FastGPT versions 4.14.13 and prior — the code-sandbox component uses a 500ms application-level polling interval as its only memory constraint, with no OS-level cgroup or kernel namespace isolation. Attackers can exhaust the JavaScript worker pool via concurrent CPU-intensive requests, causing complete Denial of Service for all legitimate users. CVSS 6.3 Medium. Published May 8, 2026. No patch available.
No patch available. Rate-limit concurrent sandbox requests per IP using nginx or Cloudflare WAF. Manually configure OS-level cgroup memory and CPU quotas on the container running the code-sandbox component. Monitor JavaScript worker pool saturation and set automated alerting for pool exhaustion. Watch https://github.com/labring/FastGPT for patch releases.
APPLY rate limiting and cgroup constraints on FastGPT code-sandbox container. Monitor worker pool utilization.
Source: NVD
APT28 (Russia-linked) confirmed exploiting CVE-2026-32202 (Windows LNK NTLM hash leak) for credential theft and lateral movement across enterprise environments. Separately, Salt Typhoon (China-linked) confirmed still actively operating in 80+ countries with persistent access to telecommunications infrastructure. Salt Typhoon maintained persistent access to a congressional email system, representing the most sensitive confirmed breach of U.S. legislative communications infrastructure. FBI confirmed as recently as February 2026 that Salt Typhoon operations are 'still very much ongoing.' Related China group UAT-7290 simultaneously targeting U.S. and allied telecom providers via edge network device exploitation.
For APT28/LNK: Apply May Patch Tuesday immediately; block outbound SMB; disable NTLM where possible. For Salt Typhoon/telecom persistence: audit all telecom edge devices for unauthorized access; apply vendor patches for edge network devices; enable enhanced logging on all internet-facing infrastructure; assume persistent access and conduct full compromise assessment. Implement Zero Trust segmentation for legislative and executive communications systems. Report indicators to CISA via report@cisa.gov.
CONDUCT compromise assessment on all telecom edge infrastructure. APPLY LNK patches. ASSUME persistent access on unpatched systems.
Source: Trend Micro / BleepingComputer
Rhysida ransomware group claimed responsibility for a confirmed breach at STELIA Aerospace North America. Attackers exfiltrated approximately 10 TB of data including technical drawings, employee identity documents, and partner records, and issued a 27 BTC (~$2.07M) ransom demand. STELIA confirmed the incident and activated incident response protocols. April 2026 was a record month for ransomware with 105 publicly disclosed attacks — the highest April total since tracking began in 2020. Defense and aerospace supply chains are prime targets due to technical IP value and dual civilian/military customer relationships.
For defense/aerospace organizations: Enforce immutable offsite backups and verify restore capability. Implement network segmentation isolating design/engineering systems from internet-accessible networks. Apply strict least-privilege access controls to CAD/CAM and technical drawing repositories. Enable EDR on all engineering workstations. Verify MFA is enforced on all remote access paths. Conduct tabletop ransomware exercises and validate incident response playbooks.
VERIFY immutable backup status. SEGMENT engineering systems from internet-accessible networks. TEST restore capability now.
Source: BlackFog / PKWARE
An OAuth supply-chain compromise via a Lumma Stealer infection at Context.ai resulted in the exposure of employee records, access keys, API keys, GitHub tokens, NPM tokens, and non-sensitive environment variables. The threat actor claimed 580 employee records plus access keys, source code, and tokens. The breach vector was an infostealer infecting a developer's machine that harvested OAuth credentials. This represents a growing pattern: infostealers targeting developer machines to harvest service tokens provide direct access to CI/CD pipelines, source code, and cloud infrastructure without requiring vulnerability exploitation.
For affected Context.ai users: Rotate all API keys, GitHub tokens, and NPM tokens immediately. Revoke and reissue OAuth credentials. Review GitHub audit logs for unauthorized repository access, cloning, or Actions modifications. Check NPM for unauthorized package publishes. For general defense against this attack class: Enforce MFA on all GitHub and NPM accounts; enable short-lived token policies; deploy endpoint security on developer machines to detect infostealer activity; implement GitHub audit log monitoring with SIEM integration.
ROTATE all GitHub tokens, NPM tokens, and API keys sourced from Context.ai integrations. AUDIT repository access logs immediately.
Source: PKWARE 2026 Breach Report
Everest ransomware group breached both Citizens Financial Group and Frost Bank via a shared unnamed third-party vendor, posting both on the dark web leak site on April 20. The shared document-production vendor compromise highlights the compounding exposure of third-party relationships. Class action lawsuits were filed within days. Both banks confirmed the breach originated at the vendor, not their own networks. This pattern — single vendor breach producing multi-victim exposure — is increasingly common across financial services.
Review all third-party vendor relationships with shared data access. Require vendors to produce current SOC 2 Type II reports, penetration test results, and incident notification SLAs. Implement contractual breach notification requirements of 24-48 hours. Limit third-party access to minimum necessary data scope. Conduct third-party risk assessments specifically for document production and legal discovery vendors. Enable vendor-specific access logging.
AUDIT third-party vendor access rights. REQUIRE breach notification SLAs in all vendor contracts. REVIEW document-production vendor relationships.
Source: PKWARE 2026 Breach Report
AI-Enhanced IDEs (Cursor, Windsurf, GitHub Copilot, Zed, Roo Code, Junie)
Comprehensive security analysis uncovered 24 CVE-assigned vulnerabilities across popular AI-enhanced IDEs. 100% of tested AI IDEs vulnerable to prompt injection attacks that ena...
Update all AI IDE tools to latest versions. Disable AI features when working with untrusted code, implement code review for AI-generated suggestions, use isolated development en...
Source: Web
GitHub Copilot, Cursor, Windsurf, Kiro.dev, Zed.dev, Roo Code, JetBrains Junie, Cline, Gemini CLI, Claude Code
Six-month research identified 30+ security vulnerabilities across 10+ AI IDE products. Attackers can silently compromise AI-generated code by injecting hidden malicious instruct...
Update AI development tools immediately. Implement strict code review processes for AI-generated code, disable automatic code execution, use static analysis tools to detect hidd...
Source: Web
nginx-ui MCP Server
Critical vulnerability (CVSS 9.8) in nginx-ui due to insecure Model Context Protocol (MCP) implementation. MCP message endpoint failed to authenticate command execution requests...
Update nginx-ui immediately. Implement authentication for all MCP endpoints, restrict MCP access to trusted clients only, enable audit logging, monitor for unauthorized configur...
Source: Web
Model Context Protocol (MCP) Implementations
First rigorous security analysis of MCP architecture identified three fundamental protocol-level vulnerabilities: absence of capability attestation, bidirectional sampling witho...
Implement strict MCP server validation, use capability attestation mechanisms, authenticate all sampling requests, isolate MCP servers from sensitive resources, review tool meta...
Source: Web
TanStack npm packages and downstream dependencies
TeamPCP threat group compromised TanStack GitHub repository and npm publishing pipeline, publishing 84 malicious versions across 42 @tanstack packages. Attack propagated to Mist...
Audit all TanStack package versions immediately, roll back to pre-compromise versions, rotate all npm tokens and GitHub Actions secrets, implement package signature verification...
Source: Web
npm ecosystem (317 packages compromised)
Attackers compromised developer account and released over 630 malicious versions across 317 npm packages in 20 minutes. Attack targets credentials for password managers and vari...
Review npm dependencies immediately, check for suspicious package updates, rotate credentials for password managers and cloud services, implement package lock files, use npm aud...
Source: Web
SAP Cloud Application Programming (CAP) npm packages
Supply chain attack (Mini Shai-Hulud) targeting SAP developer ecosystem via four compromised npm packages with combined 570,000 weekly downloads. Packages include @cap-js/sqlite...
Audit SAP CAP dependencies immediately, verify package integrity using checksums, update to clean versions, review build pipeline for compromise, rotate SAP system credentials, ...
Source: Web
Vercel customer environments
Supply chain attack beginning with Lumma Stealer infection at Context.ai in February 2026 led to compromise of Google Workspace OAuth tokens. Attackers leveraged Context.ai comp...
Rotate all environment variables and secrets stored in Vercel, review OAuth token grants and revoke unnecessary permissions, implement OAuth scope restrictions, enable OAuth aud...
Source: Web
Axios npm package and downstream consumers
North Korean threat actor UNC1069 compromised Axios npm package in March 2026 as part of software supply chain attack surge. Malicious package downloaded by GitHub Actions workf...
Verify Axios package integrity, update to verified clean version, scan systems that downloaded compromised package for malware, rotate code signing certificates if used in build...
Source: Web
Microsoft, Apple, Google, and other major tech vendors
Anthropic's Project Glasswing AI capability for vulnerability discovery provided to major tech companies is dramatically increasing security flaw identification rates. Microsoft...
Security teams must prepare for accelerating patch cycles as AI vulnerability discovery becomes mainstream. Implement automated patch testing and deployment pipelines, enhance c...
Source: Web
Federal Civilian Executive Branch (FCEB) agencies
CISA Acting Director Nick Anderson and US National Cyber Director Sean Cairncross discussing proposals to cut KEV patch deadlines for federal agencies from 2-3 weeks to just 3 d...
Federal agencies and critical infrastructure organizations should prepare for dramatically shortened patch windows. Implement automated patch deployment systems, pre-test patche...
Source: Web
LLM applications globally
Prompt injection remains OWASP LLM01 — the #1 LLM application security risk as of April 2026. Threat evolution includes multi-turn jailbreaks as preferred attack vector, mature ...
Implement prompt injection defenses including input validation, output filtering, privilege separation between LLM and backend systems, user intent confirmation for sensitive ac...
Source: OWASP
Organizations deploying AI systems in EU
EU AI Act taking effect in 2026 imposes strict transparency, data governance, and risk management requirements on AI systems. Organizations must prepare for compliance with comp...
Work with legal and compliance teams to ensure EU AI Act compliance. Implement AI risk management frameworks, establish data governance processes, document AI system capabilitie...
Source: Web
Organizations deploying AI systems
Gartner predicts that by 2026, over half of governments will mandate compliance with AI risk controls. Organizations must proactively build AI risk management processes to prepa...
Establish AI governance frameworks now before regulations mandate them. Implement AI risk assessment processes, document AI system risks and mitigations, establish AI ethics gui...
Source: Web
Google's full threat intelligence report (May 11) documents AI's maturation as an offensive tool across multiple dimensions: criminal groups using AI to generate zero-day exploits, nation-states using AI for systematic vulnerability research, Russia-nexus actors using AI to generate polymorphic malware with obfuscation, and TeamPCP (UNC6780) conducting AI supply-chain attacks against Trivy, Checkmarx, LiteLLM, and BerriAI. The report also covers PROMPTSPY Android malware using Gemini API for UI automation, and the emergence of professionalized LLM access black markets with account pooling, CAPTCHA bypassing, and premium tier abuse at scale. The clear message: AI has accelerated the collapse of the window between vulnerability disclosure and exploit weaponization.
Accelerate patch deployment cycles to match AI-speed exploit development. Implement automated vulnerability scanning on all public-facing services. Subscribe to real-time CVE feeds and set SLA targets for patch deployment measured in hours for CVSS 9+, days for CVSS 7-8. Review all AI integrations and MCP server configurations as potential supply-chain attack surfaces. Implement behavioral monitoring for AI workloads (unusual API call patterns, unexpected tool invocations).
REVIEW and ACCELERATE patch cycle SLAs. AUDIT all AI/MCP integrations as potential supply chain attack surfaces.
Phase two of the EU AI Act takes effect August 2, 2026, imposing transparency requirements and mandatory controls on high-risk AI systems (those used in critical infrastructure, education, employment, healthcare, law enforcement, and immigration). Organizations operating AI in these sectors face immediate compliance timelines. Colorado's AI Act also takes effect June 30, 2026, requiring documented risk management programs. The SEC has identified AI-driven threats to data integrity as an FY2026 examination priority. Cyber insurance carriers are increasingly requiring AI-specific security controls, including adversarial red-teaming and model-level risk assessments, as conditions of coverage.
Conduct an AI system inventory across your organization to identify which systems fall under EU AI Act high-risk categories. Establish a compliance program with legal and security co-ownership. Implement AI security riders documentation for cyber insurance renewal. Conduct adversarial red-teaming of all AI systems with external access. Document all AI model governance processes, training data provenance, and output monitoring.
INVENTORY all AI systems for EU AI Act high-risk classification. BEGIN compliance program — August 2 deadline is 81 days away.
Source: Kiteworks / Politico
PAN-OS CVE-2026-0300 CVSS 9.3 patches begin arriving TODAY (May 13 ETA for first batches) — nation-state exploitation confirmed, Captive Portal must be disabled immediately on all internet-facing firewalls while patches are staged.