Embedded malicious code vulnerability in Daemon Tools Lite with high impact on confidentiality, integrity, and availability. CISA added it to the KEV catalog on May 27, 2026, with an action due date of May 30, 2026.
Uninstall affected Daemon Tools versions immediately. Scan systems for indicators of compromise. Rotate credentials accessible from machines running vulnerable versions. Deploy endpoint detection to identify malicious activity.
Source: CISA • Published: 2026-05-27
CVE-2026-26980: Critical SQL injection vulnerability in Ghost CMS allowing unauthenticated attackers to read the database, including Admin API Keys. Large-scale exploitation campaign injecting malicious JavaScript for ClickFix attacks. Over 700 domains compromised, including Harvard, Oxford, and Auburn universities and DuckDuckGo. XLab first detected it on May 7, 2026.
Urgently upgrade Ghost CMS to patched version. Rotate all credentials: Admin API Key, Content API Key, administrator passwords, sessions. Clean implanted content at database level. Review web application firewall logs.
Source: NVD • Published: 2026-05-07
ShinyHunters ransomware group breached Canvas LMS, stealing approximately 275 million records of students, teachers, and staff. Attackers demanded ransom by May 6, 2026. Affected 8,809 school districts, universities, and online education platforms according to the shared victim list.
Schools and universities must notify affected students and staff immediately. Reset all Canvas credentials. Enable MFA on all education platform accounts. Monitor for phishing campaigns using personalized breach data.
Source: BleepingComputer • Published: 2026-05-06
NYC public healthcare system breach affecting 1.8+ million individuals with theft of personal data, medical records, and biometric scans including fingerprints. One of the largest recorded healthcare breaches of 2026, with highly sensitive biometric data compromised.
Affected individuals should enroll in provided identity theft protection services. Monitor medical records for fraudulent activity. Healthcare organizations must review biometric data storage practices and implement enhanced encryption.
Source: BleepingComputer • Published: 2026-05-29
Russia-linked APT28 (Forest Blizzard/Storm-2754) DNS hijacking campaign compromising insecure SOHO routers since May 2025. Modified DNS settings to capture authentication credentials. Microsoft identified 200+ organizations and 5,000+ consumer devices impacted. FBI Operation Masquerade neutralized U.S. infrastructure across 23+ states.
Factory reset SOHO routers and update to latest firmware. Verify DNS settings point to legitimate ISP or trusted resolvers. Implement network segmentation isolating SOHO devices from critical assets. Monitor DNS query anomalies.
Source: GTIG • Published: 2026-05-29