// May 2026
158 articles published this month
Implementing the Active Directory Tier Model: A Practical Guide for Post-Netlogon Environments
Microsoft's Active Directory Tier Model separates administrative access by privilege level to prevent credential theft from cascading into full domain compromise. CVE-2026-41089's impact in poorly segmented environments makes the Tier Model the single highest-leverage post-incident investment. This guide covers the implementation sequence for organisations starting from scratch.
One Week After CVE-2026-41089: Taking Stock of the Netlogon Response Across Enterprise Environments
Seven days after Belgium's CCB confirmed active exploitation of the Netlogon CVSS 9.8 vulnerability, the picture of enterprise response is mixed. Domain controllers in well-governed environments are patched; a significant population of legacy and unmanaged DCs remains exposed. This review covers the response pattern and what it reveals about enterprise patch discipline.
Privileged Access Workstation Deployment: The Missing Piece of Most Active Directory Hardening Programmes
Privileged Access Workstations (PAWs) are the single most effective control for preventing credential theft from domain administrators. They are also the most consistently skipped step in enterprise AD hardening programmes. This guide covers a practical PAW deployment for Tier 0 domain controller administration.
Q2 2026 Enterprise Threat Landscape: Unprecedented Vulnerability Density and What It Means for Security Programmes
Q2 2026 (April–June) has produced more simultaneous high-severity vulnerabilities in enterprise-critical infrastructure than any comparable period in recent years. Netlogon CVSS 9.8, three CVSS 10.0 in UniFi OS, AMD microarchitecture flaws, Linux kernel LPEs, and two Citrix exploitation waves — analysing the pattern reveals structural implications for how enterprises manage vulnerability risk.
Windows Domain Controller Security Monitoring: Building an Event Log Detection Baseline
Effective detection of domain controller attacks requires more than collecting logs — it requires specific audit policy configuration, a curated set of detection rules, and a SIEM pipeline with alert response SLAs. This guide covers the complete baseline configuration for DC security monitoring after CVE-2026-41089 highlighted the importance of pre-compromise visibility.
CISA KEV May 2026: Complete List of Known Exploited Vulnerabilities Added This Month and Enterprise Response Guidance
CISA's Known Exploited Vulnerabilities catalogue received multiple additions in May 2026, including developer toolchain supply-chain compromises, network appliance vulnerabilities, and Microsoft Windows flaws. This guide consolidates the May 2026 KEV additions with enterprise response guidance for each category.
May 2026 Vulnerability Retrospective: Patch Prioritisation Guide for Enterprise Security Teams
May 2026 produced an unusually dense cluster of high-severity vulnerabilities: Netlogon CVSS 9.8, Ubiquiti CVSS 10.0 × 3, AMD Zen 2 CVSS 8.8, golang/crypto CVSS 10.0, Linux ptrace four-exploit-chain. This retrospective ranks them by risk for organisations still working through the patching backlog.
Identity Containment After Domain Controller Compromise: IAM Response for CVE-2026-41089 Post-Exploitation
If forensic investigation reveals CVE-2026-41089 exploitation occurred before patching, the identity response is as critical as the technical remediation. All credential material accessible from the domain controller must be treated as compromised. This guide covers the identity containment sequence for a confirmed Active Directory domain controller breach.
Zero-Day Response Maturity: Assessing Your Organisation's Capability Against May 2026's Vulnerability Cluster
May 2026 produced multiple simultaneous zero-days and CVSS 9.0+ vulnerabilities with active exploitation. The month serves as an inadvertent assessment of enterprise vulnerability response capability. This framework evaluates response maturity across five dimensions using the month's events as test cases.
Domain Controller Hardening After Netlogon CVE-2026-41089: Reducing the Attack Surface Beyond Patching
Patching CVE-2026-41089 closes the specific vulnerability, but domain controllers remain highly targeted infrastructure. This guide covers the access control, network segmentation, and monitoring controls that reduce DC attack surface against the class of unauthenticated RCE threats that Netlogon represents.
Netlogon CVE-2026-41089 Detection and Forensics: Hunting for Domain Controller Compromise
With active exploitation of CVE-2026-41089 confirmed, security teams must run parallel tracks: patching domain controllers and investigating whether exploitation has already occurred. Successful Netlogon exploitation typically leads to Golden Ticket persistence and stealthy domain admin account creation — the forensic indicators are specific and searchable.
Domain Controller Network Architecture: How DC Placement Determines Netlogon Attack Surface
CVE-2026-41089's exploitability in a given environment is almost entirely determined by which networks can reach domain controllers on TCP 445. DC placement decisions — made during infrastructure design, sometimes years ago — directly determine how many machines a Netlogon-class vulnerability exposes. Reviewing DC reachability is the highest-leverage response.
Netlogon CVE-2026-41089: Enterprise Risk Management Framework for Active Directory Compromise Scenarios
A CVSS 9.8 vulnerability with active exploitation and a public PoC against domain controllers requires risk management decisions at the business level, not just patching at the technical level. This guide covers the risk assessment, escalation triggers, and business continuity considerations that security leadership should present to boards and executives.
Windows Netlogon CVE-2026-41089 (CVSS 9.8): Unauthenticated Domain Controller RCE Now Actively Exploited
Belgium's Centre for Cybersecurity (CCB) confirmed active exploitation of CVE-2026-41089 on 29 May — a stack-based buffer overflow in the Windows Netlogon Remote Protocol (MS-NRPC) that allows unauthenticated remote code execution on domain controllers. CVSS 9.8. A public PoC is available. Patch domain controllers as an emergency priority.
AMD Zen 2 Firmware Update Strategy: Managing CPU Microcode Patches Across Enterprise Hardware
CVE-2026-46174 requires a PI firmware (BIOS/UEFI) update to deliver the AMD Zen 2 microcode fix — not a software patch. For enterprises running AMD EPYC Rome servers or Zen 2-based workstations, this means a separate patch track from OS-level vulnerability management. An asset-based approach to CPU generation inventory is the prerequisite.
AMD Zen 2 CVE-2026-46174: Operation Cache Microarchitecture Flaw Enables Kernel Privilege Escalation
AMD published Security Bulletin AMD-SB-7052 on 28 May for CVE-2026-46174, a microarchitectural flaw in Zen 2 processor operation caches. A local attacker can exploit timing characteristics of the op-cache to execute code with kernel privileges from a userspace context. PI firmware updates are required; the Xen Project also issued XSA-490 for virtualisation platform impacts.
Citrix NetScaler CVE-2026-3055 Exploitation Escalates — Fortinet Confirms Large-Scale Attacks on Internet-Facing ADC
Fortinet's threat intelligence team has confirmed large-scale active exploitation of CVE-2026-3055, the Citrix NetScaler SAML IDP memory overread vulnerability (CVSSv4 9.3) patched in March. More than 65 days after the patch was available, thousands of internet-facing NetScaler ADC appliances remain unpatched and are being targeted by automated exploitation frameworks.
Citrix NetScaler CVE-2026-3055 Forensics: Post-Exploitation Detection for SAML IDP Compromise
With large-scale exploitation of CVE-2026-3055 confirmed as of 28 May, NetScaler ADC deployments that were internet-accessible while unpatched must be assessed for compromise. The SAML memory overread can leak session tokens and signing key material — understanding the forensic footprint helps determine whether compromise occurred.
Hardware Vulnerability Assessment: Methodology for CPU Microarchitecture and Firmware Security Evaluation
AMD CVE-2026-46174 and the broader class of CPU microarchitecture vulnerabilities require assessment methodology distinct from software vulnerability scanning. This guide covers the scoping, testing, and remediation verification steps for enterprise hardware security assessments covering processor vulnerabilities.
CISA Adds Three Developer Toolchain Supply-Chain Attacks to KEV — DAEMON Tools, TanStack Query, Nx Console Compromised
CISA added three software supply-chain vulnerabilities to the Known Exploited Vulnerabilities catalogue on 27 May: CVE-2026-8398 (DAEMON Tools signed installer trojanised), CVE-2026-45321 (TanStack Query malicious npm package), and CVE-2026-48027 (Nx Console VS Marketplace extension backdoored). All three are attributed to TeamPCP's 'Mini Shai-Hulud' campaign targeting developer workstations.
Developer Workstations as Supply-Chain Risk: Governance Framework for Engineering Environments
TeamPCP's simultaneous three-vector attack on developer tooling reveals a governance gap that exists in most organisations: developer workstations accumulate privileged access over time but operate outside the security governance processes that manage server infrastructure. A developer machine with production credentials is server-equivalent infrastructure.
TeamPCP 'Mini Shai-Hulud': Inside the Developer Toolchain Attack Campaign Now on CISA KEV
TeamPCP's simultaneous compromise of three developer toolchain components — a code-signed installer, an npm package, and a VS Code extension — follows a refined methodology the group has been developing across multiple 2026 campaigns. The technical approach explains why these attacks reach environments that are otherwise well-defended.
Auditing VS Code Extensions for Supply-Chain Risk: A Practical Assessment Guide
The Nx Console supply-chain compromise in TeamPCP's May 2026 campaign targeted an extension with millions of downloads. With over 60,000 extensions in the VS Marketplace, most organisations have no inventory of which extensions their developers run. This guide covers extension auditing, publisher verification, and policy controls.
Apple's Retroactive CVE Disclosure Practice Creates Systematic Gaps in Enterprise Patch Management
Apple's habit of retroactively adding CVE details to previously published security advisories creates operational complexity for enterprise vulnerability management programmes: vulnerabilities appear as 'new' in CVE feeds after they have already been patched in deployed OS versions, generating false-positive remediation workflows and obscuring the true patch state of Apple endpoints.
Apple Retroactively Publishes CVE Details for macOS, iOS, and visionOS — Including Root Escalation and Siri Privacy Bypass
Apple updated multiple security pages on 26 May to add CVE identifiers and technical details for vulnerabilities that were patched weeks or months earlier with minimal public disclosure. The retroactively disclosed issues include a CoreServices root escalation via malicious app, a Siri Private Browsing bypass, and a call history fingerprinting flaw — none were disclosed as separate security updates at the time of patching.
Food and Beverage Sector Ransomware: Why Critical Infrastructure Classification Has Not Improved Security Outcomes
The US food and agriculture sector was designated critical infrastructure in 2003. In 2026, ransomware attacks against it are rising 80 per cent year on year. The gap between regulatory classification and actual security maturity reflects structural problems in how cybersecurity investment decisions are made in distributed, margin-sensitive industries.
Qilin Claims Sysco on Ransomware Leak Site — World's Largest Food Distributor Faces Deadline
Qilin ransomware operators have listed Sysco Corporation — the world's largest foodservice distribution company — on their dark web extortion site, claiming to hold data extracted from the company's networks. Sysco has not confirmed a breach. The listing appears amid an 80 per cent rise in ransomware pressure against the food and beverage sector in Q2 2026.
CVE-2026-46333 Detection and Mitigation: Security Assessment Guide for Linux Environments
CVE-2026-46333, the Linux kernel ptrace race condition with four known exploit chains, requires both patching and verification that compromise has not already occurred. This guide covers the detection queries, audit configuration, and post-patch verification steps security teams need to assess exposure and confirm remediation.
Linux Kernel CVE-2026-46333: Nine-Year-Old ptrace Race Condition Leaks SSH Private Keys and Grants Root
Qualys Threat Research Unit has disclosed CVE-2026-46333, a race condition in the Linux kernel ptrace subsystem affecting all major distributions since kernel 4.8 (2016). Four working privilege escalation exploits exist using SUID binaries; successful exploitation also discloses /etc/shadow and SSH host private keys. Patch immediately.
MiniPlasma: PoC-Released Windows Zero-Day Exploits Cloud Files Mini Filter Driver for SYSTEM Access
A researcher published a working proof-of-concept for a Windows zero-day — dubbed MiniPlasma — that exploits the Cloud Files Mini Filter Driver to achieve SYSTEM-level access on fully-patched Windows 10, Windows 11, and Windows Server 2022/2025. Microsoft has not issued a patch or an out-of-band advisory. All unmitigated Windows systems with cloud sync enabled are affected.
Hardening Windows Environments When No Patch Exists: Response Architecture for MiniPlasma and Similar Zero-Days
When a working proof-of-concept for a Windows privilege escalation zero-day is public and no vendor patch exists, the defender's playbook shifts from patching to attack surface reduction. Layered controls can meaningfully raise the bar even when the vulnerable component cannot be removed.
GNU SASL CVE-2026-48829: DIGEST-MD5 Parser Crash Affects Enterprise Mail Servers and LDAP Stacks
A NULL pointer dereference in GNU SASL's DIGEST-MD5 authentication mechanism (CVE-2026-48829, CVSS 7.5) allows a remote attacker to crash any service using GNU SASL for DIGEST-MD5 authentication by sending a malformed authentication token. Debian and other distribution security advisories published 24 May. Services affected include Postfix, Cyrus IMAP, and LDAP servers using SASL for authentication.
SASL Authentication Security in Enterprise Mail Servers: Deprecating DIGEST-MD5 and Hardening SMTP AUTH
The GNU SASL CVE-2026-48829 DIGEST-MD5 crash is a reminder that legacy authentication mechanisms in enterprise mail infrastructure carry risk that is often invisible to security teams. A structured review of SASL mechanism configuration in Postfix, Dovecot, and Exchange environments can eliminate entire vulnerability classes while improving authentication security.
UniFi OS Bulletin 064 Post-Disclosure Forensics: Detecting Compromise on Ubiquiti Controllers
Two days after Ubiquiti published Security Bulletin 064 with three CVSS 10.0 vulnerabilities, security teams should be confirming that patches have applied and hunting for indicators of pre-patch compromise. This guide covers the specific log sources, indicators, and commands available on UniFi OS devices for detecting exploitation activity.
Linux Kernel CVE-2026-43503: Networking skbuff Frag-Transfer Bug Causes Memory Corruption — CVSS 8.8
Linux kernel stable branch patches published 23 May address CVE-2026-43503, a CVSS 8.8 memory corruption vulnerability in two networking helper functions that incorrectly handle the SKBFL_SHARED_FRAG flag during fragment transfers. The bug affects the skb_shift and __pskb_copy_fclone functions across multiple kernel versions and can be triggered by crafted network traffic on affected configurations.
WishList Member WordPress Plugin: Four CVSS 8.8 Vulnerabilities Enable Subscriber-to-Admin Escalation on 100,000+ Sites
Wordfence published advisories for four CVSS 8.8 authorization failure vulnerabilities in WishList Member, a WordPress membership plugin with 100,000+ active installs, on 23 May 2026. Subscriber-level authenticated attackers can exploit the flaws to escalate to administrator access, read sensitive member data, and modify arbitrary site content. Patches are available.
WordPress Plugin Security Is an Enterprise Problem That Keeps Getting Treated as a Web Developer Problem
Four CVSS 8.8 vulnerabilities in a 100,000-install WordPress plugin — discoverable by any registered member with a subscriber account — highlight the structural mismatch between how WordPress CMS security is governed in enterprise organisations and the actual risk it carries. Membership sites, intranet portals, and course platforms built on WordPress process regulated data and host privileged access, but rarely receive enterprise-grade security governance.
Enterprise Wi-Fi Security Assessment: Evaluating Ubiquiti UniFi Against Enterprise-Grade Alternatives After Bulletin 064
The three CVSS 10.0 vulnerabilities in Ubiquiti UniFi OS Bulletin 064 prompt a broader question: how do UniFi's security posture, vendor support, and enterprise control plane architecture compare to traditional enterprise Wi-Fi vendors? A structured assessment framework helps organisations evaluate whether UniFi is appropriate for their specific threat model.
Golang crypto/ssh Mass Advisory: Nine CVEs Including CVSS 10.0 Re-Opened SSH Auth Bypass Affect Enterprise DevOps Infrastructure
The Go security team published a coordinated batch of nine CVE fixes for the golang.org/x/crypto SSH library on 22 May, including CVE-2026-46595 (CVSS 10.0), which re-opens a previously patched SSH authentication bypass for services using non-public-key authentication callbacks. Enterprise environments using Go-based SSH tooling, CI/CD pipelines, Kubernetes components, and cloud management tooling are affected.
Nine CVEs in One Go Cryptography Library: What Mass Advisories in Open-Source Crypto Mean for Enterprise Risk Management
The nine-CVE golang.org/x/crypto advisory is the latest in a pattern of mass security advisories from widely used open-source cryptographic libraries. For enterprise risk managers, the recurring pattern raises questions about how dependency-level cryptography risk is assessed, tracked, and communicated — and whether current SCA tooling is adequate for the velocity of advisory publication.
SketchUp CVE-2026-9264: Malicious SKP File Delivers RCE via Embedded IE11 Browser — CVSS 9.3
Trimble disclosed CVE-2026-9264, a CVSS 9.3 remote code execution vulnerability in SketchUp 2026, on 22 May. An attacker who convinces a user to open a crafted .skp file can achieve code execution and local file exfiltration via XSS in SketchUp's Dynamic Components feature, which renders HTML content using an embedded IE11 browser with full local file system access.
Ubiquiti UniFi OS Security Bulletin 064: Three CVSS 10.0 Vulnerabilities Enable Unauthenticated Full Device Compromise
Ubiquiti published Security Bulletin 064 on 22 May disclosing five CVEs in UniFi OS devices, three of which score CVSS 10.0: an improper access control flaw, a path traversal enabling arbitrary file read and write, and a command injection that provides root shell access — all exploitable without authentication from the network. Enterprise environments using UniFi Wi-Fi infrastructure must update immediately.
GlobalProtect CVE-2026-0257 Compromise Indicators: Threat Hunting and Forensic Guide for VPN Gateway Authentication Bypass
Organisations running PAN-OS GlobalProtect gateways on versions vulnerable to CVE-2026-0257 must investigate for compromise during the exposure window, not just apply the patch. This guide covers the specific log sources, indicators of compromise, and post-exploitation patterns to hunt for on PAN-OS GlobalProtect gateways after an authentication bypass zero-day.
PAN-OS GlobalProtect CVE-2026-0257: Rapid7 Confirms Second Exploitation Wave — CISA Adds to KEV
Rapid7 MDR confirmed on 21 May that a second, larger exploitation wave of CVE-2026-0257, an authentication bypass in Palo Alto Networks GlobalProtect VPN, began on 21 May targeting enterprise sectors not covered in the initial wave. CISA added the CVE to the Known Exploited Vulnerabilities catalogue with a 1 June remediation deadline. The vulnerability affects PAN-OS 10.2, 11.1, 11.2, and 12.1 as well as Prisma Access.
VPN Authentication Bypass: Identity and Access Containment Response After GlobalProtect Compromise
When a VPN authentication bypass like CVE-2026-0257 is exploited, the attacker enters the network without leaving identity provider audit trails. Standard identity-based detection misses the initial access. This creates a specific response challenge: containing a network breach where the entry event did not generate authentication telemetry and the scope of subsequent access is unknown.
ChromaDB CVSS 10.0 Pre-Auth RCE CVE-2026-45829: AI Vector Database Compromise via HuggingFace Model Injection
HiddenLayer and the Cloud Security Alliance published disclosures of CVE-2026-45829, a CVSS 10.0 unauthenticated remote code execution vulnerability in ChromaDB's Python FastAPI server, on 18–20 May 2026. Attackers can inject malicious code via a crafted HuggingFace-hosted model before the authentication gate fires. Approximately 73% of ChromaDB deployments are internet-exposed. No patch exists for affected versions.
CISA Adds Seven to KEV Catalogue — Including Two Active Microsoft Defender Zero-Days Patched via Silent Engine Update
CISA's 20 May Known Exploited Vulnerabilities batch included CVE-2026-41091 (Microsoft Defender for Endpoint EoP, CVSS 7.8) and CVE-2026-45498 (Microsoft Defender DoS, CVSS 4.0), both patched via a silent Defender engine update pushed on 19 May. The batch also included five legacy Windows and Adobe vulnerabilities from 2008–2010 indicating re-exploitation of outdated systems in active campaigns.
Drupal SA-CORE-2026-004: Highly Critical SQL Injection CVE-2026-9082 — PostgreSQL Sites Must Patch Immediately
Drupal published SA-CORE-2026-004 on 20 May, disclosing CVE-2026-9082, a highly critical unauthenticated SQL injection vulnerability in Drupal's database abstraction API affecting sites running PostgreSQL. The flaw is zero-click and unauthenticated, and Drupal warned that exploit code turnaround would be measured in hours. CISA added the CVE to the Known Exploited Vulnerabilities catalogue on 22 May after confirmed exploitation.
Securing RAG Pipeline Architecture: Vector Databases Are the New Unmanaged Attack Surface in Enterprise AI
The ChromaDB CVE-2026-45829 disclosure exposes a systemic architectural gap in enterprise AI deployments: vector databases used in retrieval-augmented generation pipelines are being deployed without the security controls applied to comparable databases handling sensitive data. The attack surface analysis and architectural recommendations for secure RAG pipeline design apply regardless of which vector database product is in use.
SonicWall EoL Highlights an Asset Management Gap: Network Equipment Lifecycle Tracking in Enterprise Environments
The SonicWall Generation 6 end-of-life situation reveals a consistent gap in enterprise asset management: network equipment EoL dates are not tracked with the same rigour as software licence renewals or server hardware refresh cycles. Organisations with accurate, proactively managed network equipment lifecycle records have a weeks-to-months advantage in responding to EoL-driven security risks.
End-of-Life VPN Appliances: A Security Assessment Framework for Identifying Unsupportable Network Equipment
The SonicWall Generation 6 end-of-life situation is the latest instance of a recurring enterprise security problem: internet-facing network equipment that reaches vendor end-of-life while still actively exploited. A structured assessment approach helps security teams identify, prioritise, and communicate the risk of EoL perimeter equipment.
Exchange CVE-2026-42897 One Week On: Active Exploitation Continues, No Patch Available — Updated Guidance
Microsoft Exchange Server's OWA session hijacking zero-day CVE-2026-42897 entered its second week without a permanent patch. Microsoft's Emergency Mitigation Service (EEMS) rule remains the only automated protection for Exchange Online-connected on-premises environments. Security teams should now focus on identifying whether exploitation occurred during the disclosure week and verifying their mitigation status.
SonicWall Gen6 SSL-VPN: Patch for CVE-2024-12802 Fails to Close MFA Bypass — Akira Ransomware in 86% of Compromises
ReliaQuest published research on 19 May confirming that SonicWall's official firmware patch for CVE-2024-12802 on Generation 6 SSL-VPN devices requires six manual reconfiguration steps to fully close the MFA bypass vulnerability. Devices that reached end-of-life on 16 April 2026 will receive no further patches. Akira ransomware is present in 86% of SonicWall-involved intrusion claims reviewed by ReliaQuest.
AI Coding Agents in CI/CD Pipelines: Mapping the Attack Surface After Pwn2Own AI Category Results
The Pwn2Own Berlin 2026 AI category results — five products exploited — have a compounding implication for organisations where AI coding agents are integrated with CI/CD pipelines, code repositories, and cloud deployment infrastructure. An exploited AI agent running in a pipeline is not a developer workstation compromise; it is a supply chain entry point.
Pwn2Own Week Exposes the Limits of Identity as a Security Control — What IAM Teams Should Review
The week of 12–18 May 2026 produced two distinct scenarios where identity controls — Conditional Access, MFA, and Zero Trust enforcement — provided no meaningful protection: Exchange Server-side RCE (operating below the authentication layer) and Exchange OWA session hijacking (stealing tokens after authentication). Both are active or imminent threats. Both require defences that go beyond the identity layer.
The Pwn2Own 90-Day Clock: How Defenders Should Use the Patch Window Before Public Disclosure
Pwn2Own's 90-day coordinated disclosure rule gives vendors time to patch before technical details are made public. For enterprise defenders, the same 90 days is a known timeline during which the confirmed existence of specific zero-days — but not their technical details — is public. Understanding how to use that window is an underexplored aspect of enterprise vulnerability management.
After Pwn2Own Berlin 2026: A Risk Manager's Assessment of 47 Zero-Days in Enterprise Infrastructure
Pwn2Own Berlin 2026 produced 47 unique zero-day vulnerabilities across Windows 11, VMware ESXi, Exchange Server, SharePoint, Oracle VirtualBox, Red Hat Enterprise Linux, and five AI products. For enterprise risk managers and CISOs, the results require a structured response that goes beyond individual CVE patches and addresses the systemic implications.
Red Hat Enterprise Linux LPE at Pwn2Own: What the Results Mean for Enterprise Linux Patch Strategy
Red Hat Enterprise Linux was successfully exploited twice at Pwn2Own Berlin 2026 via local privilege escalation vulnerabilities. For enterprise security teams running RHEL, and the broader family of RHEL-derived distributions including CentOS Stream, Rocky Linux, and AlmaLinux, the results inform how Linux patching SLAs should be evaluated against the demonstrated threat model.
Why Exchange SYSTEM RCE Bypasses Conditional Access and MFA: The Authentication Architecture Problem
The Exchange SYSTEM RCE chain demonstrated by DEVCORE at Pwn2Own Berlin 2026 achieves code execution at the operating system level, bypassing all identity controls including Conditional Access policies, MFA requirements, and Azure AD authentication entirely. Understanding why server-side RCE renders identity controls irrelevant is essential for accurate risk assessment.
Pwn2Own Berlin 2026 Closes: DEVCORE Wins Master of Pwn with $505K and 50.5 Points — $1.3M Total Across 47 Zero-Days
Pwn2Own Berlin 2026 concluded with DEVCORE Research Team winning the Master of Pwn title with $505,000 in earnings and 50.5 points, driven by Orange Tsai's Exchange SYSTEM RCE chain and consistent results across multiple targets. The three-day competition produced 47 unique zero-day vulnerabilities across enterprise products, cloud infrastructure, and AI tools, with $1,298,250 in total prize money awarded.
Pwn2Own Demonstrates Second Distinct SharePoint RCE Chain — Five Days After Patch Tuesday Fixed CVE-2026-40365
Researchers at Pwn2Own Berlin 2026 demonstrated a multi-bug SharePoint Server remote code execution chain that is entirely distinct from CVE-2026-40365, the SharePoint RCE patched in the 12 May Patch Tuesday. The new chain, targeting SharePoint's server-side processing pipeline, has no patch and will not receive one for up to 90 days.
Windows 11 Yielded Four Independent LPE Paths at Pwn2Own Berlin — Kernel Attack Surface Analysis
By the close of Pwn2Own Berlin 2026, researchers had demonstrated four separate, independently discovered privilege escalation paths from standard user to SYSTEM on fully patched Windows 11. Each exploited a different component and vulnerability class. The results indicate the Windows kernel and user/kernel boundary remain a consistently productive attack surface for skilled researchers.
AI Coding Environments Join Pwn2Own Target List: LM Studio and OpenAI Codex Exploited via Sandbox Escapes
Pwn2Own Berlin 2026 introduced an AI products category and saw both LM Studio and OpenAI Codex exploited on the same day through sandbox escapes and environment variable injection. The results raise urgent questions about the security of AI development tools running inside enterprise environments with access to code repositories, credentials, and production pipelines.
Cisco SD-WAN CVE-2026-20182 Post-Compromise Forensics: Identifying Rogue Device Injection in Catalyst SD-WAN Deployments
CVE-2026-20182, the CVSS 10.0 Cisco Catalyst SD-WAN Manager zero-day added to CISA KEV on 14 May, was exploited before Cisco released the patch. Organisations that ran vManage on publicly accessible addresses during the exposure window must now forensically audit their SD-WAN device inventory and API authentication logs for signs of rogue device registration and traffic interception.
Exchange CVE-2026-42897 Threat Hunting Guide: Identifying Session Hijacking in OWA Logs
With no patch available for the actively exploited Exchange OWA session hijacking zero-day, security teams must hunt for existing compromise rather than waiting for a fix. This guide covers the specific log sources, KQL queries, and behavioural indicators that reveal CVE-2026-42897 exploitation in on-premises Exchange and Microsoft 365 hybrid environments.
Pwn2Own Berlin 2026 Day 2: DEVCORE Chains Three Bugs for Exchange SYSTEM RCE — 15 Zero-Days and $385K Awarded
The second day of Pwn2Own Berlin saw DEVCORE's Orange Tsai chain three previously unknown vulnerabilities to achieve SYSTEM-level remote code execution on fully patched Microsoft Exchange Server, earning $200,000. Day 2 also featured Red Hat Enterprise Linux LPE, additional Windows 11 privilege escalation, and LM Studio AI exploitation across 15 unique zero-days.
VMware ESXi Cross-Tenant Code Execution Demonstrated at Pwn2Own Berlin — $200K Prize for Single-Bug Hypervisor Escape
STARLabs SG earned $200,000 at Pwn2Own Berlin 2026 for a single vulnerability enabling cross-tenant code execution on VMware ESXi, allowing code running in one virtual machine to execute in a separate guest VM on the same hypervisor host. The bug has not been assigned a CVE and will not be publicly disclosed for up to 90 days.
Microsoft Exchange Server Zero-Day CVE-2026-42897 Actively Exploited in XSS Attacks — OOB Mitigation Available, No Patch Yet
Microsoft disclosed an actively exploited cross-site scripting zero-day in Exchange Server (CVE-2026-42897) that allows attackers to inject malicious scripts into Outlook Web App sessions, hijack authenticated user sessions, and exfiltrate email content. No patch is available. Microsoft deployed an Emergency Exchange Mitigation Service (EEMS) rule as an interim control while a patch is developed.
Microsoft Reverses Course on Edge Plaintext Password Exposure — Update Will Prevent Loading Saved Passwords into Process Memory
Following disclosure on 11 May that Microsoft Edge loads saved passwords as plaintext into process memory at startup, Microsoft confirmed it will release a patch preventing password data from being loaded into memory outside of active use contexts. The fix addresses the specific vulnerability class that allows process memory dumpers to extract Edge-saved credentials without user interaction.
REMUS Infostealer Deep-Dive: Session Token Theft Evolves into MaaS Platform Targeting Browser Credentials and SaaS Sessions
Security researchers published a technical analysis of REMUS, an infostealer-as-a-service platform that has rapidly evolved from simple credential harvesting to session token theft targeting enterprise SaaS applications. REMUS specifically targets Salesforce, Workday, ServiceNow, and Microsoft 365 session cookies to bypass MFA, and has been observed in initial access broker sales followed by ransomware deployments.
TeamPCP Gang Advertising Stolen Mistral AI Source Code Repositories for Sale — Part of Shai-Hulud Supply Chain Campaign
The TeamPCP extortion group is advertising stolen Mistral AI source code repositories on dark web forums, claiming access was obtained as a side effect of the Shai-Hulud npm supply chain campaign targeting AI development infrastructure. The breach potentially exposes Mistral's proprietary model training code, API infrastructure, and internal tooling to competitors and nation-state actors.
Burst Statistics WordPress Plugin Authentication Bypass Actively Exploited for Mass Site Takeovers
Threat actors are actively exploiting an authentication bypass vulnerability in the Burst Statistics WordPress analytics plugin, allowing unauthenticated attackers to gain administrative access to any WordPress site with the plugin installed. Over 100,000 WordPress sites use Burst Statistics. Sites have been observed being defaced, backdoored, and redirected to malicious domains within hours of exploitation.
Cisco Catalyst SD-WAN CVE-2026-20182 CVSS 10.0 Authentication Bypass Exploited as Zero-Day — Attackers Injecting Rogue SD-WAN Devices
Cisco disclosed a CVSS 10.0 authentication bypass in the Catalyst SD-WAN Manager that has been actively exploited as a zero-day, allowing unauthenticated attackers to inject rogue SD-WAN devices into the management plane and intercept or reroute enterprise WAN traffic. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalogue with a 72-hour patching deadline for federal agencies.
KongTuke Initial Access Broker Pivots to Microsoft Teams Social Engineering — Five-Minute Corporate Compromise via ModeloRAT
Initial access broker KongTuke has updated its tradecraft to use Microsoft Teams as the primary social engineering vector, impersonating IT helpdesk personas to deliver ModeloRAT via Teams file transfers to targeted employees. The group achieves credential theft and establishes persistence within five minutes of initial Teams contact, then sells access to ransomware affiliates within 24 hours.
Linux 'Fragnesia' Kernel Privilege Escalation CVE-2026-46300 — New Dirty Frag Class Bug Exploits XFRM ESP-in-TCP for Unprivileged Root
Security researchers disclosed 'Fragnesia,' a Linux kernel privilege escalation vulnerability (CVE-2026-46300) in the XFRM framework's ESP-in-TCP fragmentation handling. The flaw follows the Dirty Frag class of fragmentation-layer bugs and enables an unprivileged local user to gain root on any affected kernel version. A proof-of-concept exploit is available. Kernel patches are being distributed through Linux distribution channels.
NGINX 18-Year-Old Heap Buffer Overflow CVE-2026-42945 — CVSS 9.2 Flaw Affects All Versions Since 0.6.27 Including Modern API Gateways
A heap buffer overflow in NGINX's chunked transfer encoding handler, present since version 0.6.27 released in 2008, has been assigned CVE-2026-42945 with a CVSS score of 9.2. The vulnerability affects all NGINX versions through the latest release and has potential for both denial-of-service and remote code execution. Patches are available and the broad deployment of NGINX as a web server, reverse proxy, and API gateway makes this a wide-impact event.
OpenAI Confirms Developer Devices Breached via TanStack Supply Chain Attack — Code-Signing Certificates Rotated
OpenAI confirmed that two developer devices were compromised as a result of the TanStack npm supply chain attack disclosed on 12 May, with malicious postinstall hooks executing on machines running npm install within the six-minute poisoning window. OpenAI rotated all affected code-signing certificates and npm tokens and is investigating whether any internal packages published using the compromised credentials were delivered downstream.
Pwn2Own Berlin 2026 Day 1: Windows 11 Hacked Three Times, Edge Sandbox Escaped for $175K — 24 Zero-Days Demonstrated
The first day of Pwn2Own Berlin 2026 saw researchers demonstrate 24 previously unknown vulnerabilities across Windows 11, Microsoft Edge, VMware Workstation, and Oracle VirtualBox. Windows 11 was compromised three separate times by different teams, and a full Microsoft Edge sandbox escape earned a $175,000 award. No CVE IDs have been assigned yet as vendors begin the 90-day remediation process.
Apple Releases Safari and WebKit Security Update Patching Memory Corruption and CSP Bypass Vulnerabilities
Apple released a security update for Safari and WebKit on 13 May addressing more than ten vulnerabilities including memory corruption flaws enabling potential arbitrary code execution and a Content Security Policy bypass allowing cross-origin data access. The update applies to macOS Ventura, Sonoma, Sequoia, iOS, and iPadOS. Users should update immediately given WebKit's role as the rendering engine for all iOS browsers.
Critical Exim MTA Remote Code Execution CVE-2026-45185 — Use-After-Free in GnuTLS Shutdown Affects Millions of Linux Email Servers
A critical use-after-free vulnerability (CVE-2026-45185) in Exim's GnuTLS TLS session shutdown handler enables unauthenticated remote code execution on any Exim installation compiled with GnuTLS support. Exim is the default MTA on Debian, Ubuntu, and many Linux distributions, putting tens of millions of internet-facing mail servers at risk. Patches are available and should be applied immediately.
Foxconn Confirms Nitrogen Ransomware Attack on North American Factories — 8 TB of Customer Data Stolen
Electronics manufacturing giant Foxconn confirmed a Nitrogen ransomware attack on its North American operations that encrypted factory systems and exfiltrated approximately 8 TB of data including Apple, NVIDIA, and Intel supply chain documentation. Production lines at multiple facilities were disrupted before recovery procedures were activated.
MuddyWater Spent a Week Undetected Inside South Korean Electronics Giant's Network — Nine Organisations Compromised
Iranian state-sponsored threat group MuddyWater (Seedworm) conducted a sustained intrusion campaign against a major South Korean electronics manufacturer, maintaining persistence for over a week before detection. Nine connected organisations were compromised through the electronics firm's supplier and partner network. Lateral movement used living-off-the-land techniques to evade endpoint detection.
West Pharmaceutical Services Files SEC 8-K After Ransomware Encrypts Systems and Exfiltrates Manufacturing Data
West Pharmaceutical Services, an S&P 500 drug delivery component manufacturer, disclosed a ransomware attack via SEC Form 8-K, confirming system encryption and data exfiltration affecting its manufacturing and quality systems. The incident highlights regulatory obligations for publicly listed companies to disclose material cybersecurity incidents and the specific risks facing pharmaceutical supply chain manufacturers.
Windows BitLocker Zero-Day 'YellowKey' Published with PoC — WinRE Bypass Decrypts Protected Drives Without Authentication
Researcher collective Chaotic Eclipse released a proof-of-concept exploit for 'YellowKey,' an unpatched Windows BitLocker bypass that abuses the Windows Recovery Environment to gain access to encrypted drives without the PIN or password. No CVE has been assigned yet and Microsoft has not released a patch. Organisations relying on BitLocker for endpoint data protection should assess their exposure.
AMD Discloses Elevation of Privilege Vulnerability in Zen 2 Micro-Op Cache — Microcode and Firmware Updates Required
AMD has disclosed an elevation-of-privilege vulnerability in the micro-op cache of Zen 2 processors, where a low-privileged process can exploit speculative execution behaviour to access privileged memory content. Full remediation requires microcode updates delivered via OEM BIOS firmware. Zen 3 and later generations are not affected. Dell PowerEdge EPYC Rome servers and AMD EPYC Rome cloud instances require priority attention.
Fortinet Patches Critical Vulnerabilities in FortiAuthenticator and FortiSandbox — Enterprise SSO and Security Infrastructure at Risk
Fortinet released patches for critical vulnerabilities in FortiAuthenticator and FortiSandbox as part of the May 2026 patch cycle. FortiAuthenticator flaws can enable authentication bypass and session manipulation in enterprise SSO deployments, while FortiSandbox issues affect the analysis platform. Apply patches immediately given Fortinet's established exploitation history.
Microsoft May 2026 Patch Tuesday Fixes 120 Vulnerabilities — No Zero-Days but Wormable RCEs Demand Immediate Action
Microsoft released 120 security fixes in May's Patch Tuesday update, including 17 Critical-rated vulnerabilities and no actively exploited zero-days. Among the most significant are a network-based Windows DNS Client RCE and an authenticated SharePoint Server RCE. Security teams should prioritise network-facing systems within 48 hours.
SAP May 2026 Security Patch Day: Critical SQL Injection in S/4HANA and Unauthenticated RCE in Commerce Cloud
SAP's May 2026 Security Patch Day addresses 14 vulnerabilities including two Critical-rated flaws: a SQL injection in S/4HANA Enterprise Search (CVE-2026-34260, CVSS 9.6) and an unauthenticated remote code execution in Commerce Cloud's Spring Security configuration (CVE-2026-34263, CVSS 9.6). Organisations running SAP ERP or e-commerce infrastructure should patch immediately.
SharePoint Server RCE and Office Preview Pane Vulnerabilities Fixed in May Patch Tuesday — Enterprise Document Attack Surface Elevated
May's Patch Tuesday patches an authenticated RCE in SharePoint Server (CVE-2026-40365) and multiple Office vulnerabilities exploitable via the Windows Explorer and Outlook preview pane without opening files. Together they represent a significant enterprise document attack surface. Assess SharePoint exposure and validate Office update deployment this week.
TanStack npm Supply Chain Attack: GitHub Actions OIDC Token Hijack Used to Publish 84 Malicious Package Versions
Attackers exploited a GitHub Actions misconfiguration in the TanStack project to publish 84 malicious versions of popular React ecosystem packages to the npm registry. The attack chained a Pwn Request misconfiguration, workflow cache poisoning, and runtime OIDC token theft to operate under TanStack's trusted publisher identity.
Windows DNS Client RCE CVE-2026-41096: Attacker-Controlled DNS Servers Can Trigger Memory Corruption on All Windows Versions
CVE-2026-41096 in the Windows DNS Client allows an attacker controlling a DNS server to send a crafted response that triggers memory corruption on any Windows system performing standard DNS resolution. No user interaction or authentication is required, and the flaw affects all supported Windows versions. Patch network-facing systems within 24 hours.
Australia ACSC Warns of ClickFix Campaign Delivering Vidar Infostealer — Fake CAPTCHA Bypass Technique Targeting Enterprise Users
The Australian Cyber Security Centre has issued a warning about an active ClickFix social engineering campaign delivering Vidar infostealer malware. ClickFix presents victims with fake CAPTCHA or browser-fix dialogs that instruct them to run PowerShell commands, bypassing standard malware delivery defences. The campaign has been observed across multiple Australian industry sectors.
Google GTIG Confirms First AI-Developed Zero-Day Used in Active Exploitation — 2FA Bypass via Automated Vulnerability Discovery
Google's Threat Intelligence Group has confirmed the first documented case of a threat actor using AI tools to discover and develop a working zero-day exploit deployed in a live attack campaign. The target was a 2FA bypass in a widely used open-source web administration tool. A separate China-aligned actor was also found using AI platforms for automated offensive reconnaissance.
Instructure Confirms ShinyHunters Exploited Canvas LMS to Deface University Login Portals in Mass Extortion Campaign
Instructure has confirmed that the ShinyHunters threat group exploited a vulnerability in Canvas LMS to deface login portals across multiple university clients with extortion messages. The attack moved beyond the data exposure incident disclosed on May 3 into active defacement — university login pages were replaced with ransom demands visible to students and staff. Instructure is notifying affected institutions and has issued an emergency patch.
Attackers Abuse Google Ads and Claude.ai Conversations to Deliver macOS Malware to Developers
A campaign targeting macOS users — particularly developers — is abusing both Google Ads and Claude.ai chat conversations as malware delivery vectors. Malicious ads impersonating developer tools redirect to sites hosting macOS malware, while a second vector embeds download links in Claude.ai conversations shared with targets. The campaign has updated the MacSync infostealer family with new macOS Sequoia-compatible components.
TrickMo Android Banking Trojan Moves C2 to TON Blockchain — Decentralised Infrastructure Makes Takedown Near-Impossible
The TrickMo Android banking trojan has been updated to use the Telegram Open Network (TON) blockchain as its command-and-control infrastructure. TON's decentralised architecture means law enforcement cannot seize or sinkhole C2 servers — TrickMo operators gain persistent, censorship-resistant communications regardless of takedowns. The move signals a broader industry shift toward blockchain-based C2 that defenders have limited ability to disrupt at the infrastructure level.
VENOM Phishing Kit Targets Senior Microsoft 365 Executives via AiTM Session Interception
A new phishing-as-a-service platform named VENOM is specifically targeting C-suite and senior executive Microsoft 365 accounts using adversary-in-the-middle (AiTM) infrastructure to intercept authenticated sessions. Unlike generic phishing kits, VENOM's targeting logic filters for high-value accounts — CFOs, CEOs, legal counsel, and board-level contacts — and includes executive-tailored lures designed for low suspicion.
Zara Confirms Data Breach Affecting 197,000 Customers — ShinyHunters' April Extortion Claim Now Substantiated
Inditex has confirmed that a breach of Zara customer data exposed the personal information of approximately 197,000 people, substantiating the ShinyHunters extortion claim from late April 2026. Exposed data includes names, email addresses, postal addresses, phone numbers, and purchase history. European GDPR notification has been filed and affected customers are being contacted.
FreeBSD CVE-2026-42511 — NFS Stack Vulnerability Affecting Network Appliances and BSD-Based Storage
A new vulnerability in FreeBSD's NFS networking stack has been disclosed as CVE-2026-42511, distinct from the previously covered CVE-2026-4747 (the 17-year-old NFSv4 daemon RCE). CVE-2026-42511 affects the NFS client implementation and is exploitable by a malicious NFS server to achieve code execution on FreeBSD hosts connecting to untrusted NFS mounts — a relevant threat model for enterprise environments mounting network storage from potentially compromised infrastructure.
Microsoft Edge Stores Saved Passwords as Plaintext in Process Memory — No CVE, No Patch
Security researchers have documented that Microsoft Edge's built-in password manager stores user-saved passwords in cleartext within the browser's process memory — readable by any process on the same system with the ability to dump Edge process memory. Microsoft has acknowledged the behaviour and characterised it as a performance design decision, not a vulnerability warranting a security fix. Users relying on Edge's password manager for credential storage should understand what this means for their threat model.
MicroStealer Infostealer Targets Education and Telecom via Discord Webhook Exfiltration
ANY.RUN analysts have documented MicroStealer, an infostealer active since December 2025 that specifically targets education and telecommunications sector organisations. MicroStealer uses multi-stage delivery, harvests browser credentials, session tokens, cryptocurrency wallets, and screenshots, and exfiltrates data exclusively via Discord webhooks — making it invisible to traditional network monitoring that blocks dedicated C2 domains. Detection rates on VirusTotal remain low.
pnpm 11 Defaults to 24-Hour Package Age Minimum — Blocking Automated Post-Publish Supply Chain Attacks
pnpm 11, released this week, introduces a package quarantine feature that by default blocks installation of any npm package published within the past 24 hours. The control targets the automated post-publish compromise pattern used by TeamPCP, CanisterSprawl, and similar supply chain threat actors who publish malicious package versions and immediately trigger mass installation before defenders can respond. It is the most substantive supply-chain-defensive default configuration added to a package manager since npm's provenance attestation.
Proton Mail Adds Post-Quantum Encryption for New Emails to Counter Harvest-Now-Decrypt-Later Attacks
Proton Mail has added optional post-quantum encryption for new emails sent between Proton Mail accounts, protecting against harvest-now-decrypt-later (HNDL) attacks in which adversaries collect encrypted communications today with the intention of decrypting them when sufficiently powerful quantum computers become available. The feature uses the CRYSTALS-Kyber (ML-KEM) algorithm standardised by NIST in 2024. Existing encrypted emails are not retroactively re-encrypted.
Calendly-Themed AiTM Phishing Kits Rise with Real-Time Socket.IO and Telegram Exfiltration
urlscan.io researchers have documented a surge in phishing kits impersonating Calendly booking pages, used as a step in multi-stage AiTM credential theft chains targeting enterprise users. The kits use real-time Socket.IO connections for live victim monitoring, fake CAPTCHA challenges for victim fingerprinting, and Telegram bot webhooks for credential exfiltration — a combination that makes the attack infrastructure highly operationally efficient while appearing to originate from legitimate Calendly sessions.
CallPhantom: 28 Fake Android Apps with 7.3M Play Store Downloads Charged for Fabricated Call Data
ESET researchers have identified 28 Android applications — collectively downloaded 7.3 million times from the Google Play Store — that charged users for access to fabricated call history, SMS logs, and WhatsApp message records that the apps could not actually retrieve. The CallPhantom campaign, active primarily in India and South-East Asia, combines financial fraud (charging for non-existent data) with personal data collection used for follow-on targeting.
Fake OpenAI Repository on Hugging Face Reached #1 Trending, Delivered Rust Infostealer to 244,000 Users
A malicious repository impersonating an official OpenAI project reached the top trending position on Hugging Face before being removed — delivering a Rust-compiled infostealer to an estimated 244,000 users who executed the repository's loader script. The attack exploited Hugging Face's trending algorithm and the high trust developers place in repositories attributed to the OpenAI organisation. Affected users should rotate all credentials accessible from the compromised machine.
DOJ Indicts North Korean Developer for Leading Sales of DDoS and Cyberterrorism Tools for Regime Revenue
The US Department of Justice has indicted a North Korean software developer on charges of conspiracy to develop and sell cyberattack tools — including distributed denial-of-service infrastructure and cyberterrorism-enabling toolkits — through front companies operated by the Workers' Party of Korea. The indictment provides rare detail into how DPRK IT workers generate hard currency for the regime through offensive cyber tool sales, complementing the well-documented cryptocurrency theft and IT contractor programmes.
OpenAI Launches Advanced Account Security Programme with Mandatory Phishing-Resistant MFA
OpenAI has announced an opt-in Advanced Account Security programme for high-risk users — journalists, human rights advocates, executives, and researchers — offering phishing-resistant FIDO2 hardware key and passkey authentication, stricter account recovery controls, and session compromise mitigations. The programme, developed in partnership with Yubico, acknowledges that standard MFA is insufficient against sophisticated phishing and AiTM attacks targeting OpenAI accounts with access to sensitive workflows.
FTC Bans Kochava Subsidiary from Selling Sensitive Location Data in Landmark Enforcement Settlement
The US Federal Trade Commission has reached a settlement banning Kochava and its Collective Data Solutions subsidiary from selling sensitive location data derived from consumer mobile devices — marking the FTC's most significant enforcement action against the location data broker industry. The settlement establishes a precedent with direct implications for any organisation that monetises or purchases precise consumer location data, including advertising technology companies, retail analytics firms, and financial services using location data for fraud detection.
JDownloader Official Download Site Hijacked to Serve Python RAT in Supply Chain Attack
The official JDownloader download site was compromised during a window of approximately 18 hours between 6 and 7 May 2026, with legitimate installer downloads replaced by a trojanised package delivering a Python-based remote access trojan. JDownloader is a popular open-source download manager with millions of users. Users who installed JDownloader during the compromise window should treat their system as compromised and perform immediate credential rotation and system remediation.
PamDOORa: Linux Post-Exploitation PAM Module Backdoor Sold on Dark Web for $1,600
Flare.io researchers have identified PamDOORa, a Linux backdoor sold commercially for $1,600 on a Russian-language underground forum. PamDOORa installs as a malicious PAM (Pluggable Authentication Module) on compromised Linux systems, creating a persistent hidden SSH access mechanism that activates via a magic password and a TCP port — while also harvesting the credentials of all legitimate users who authenticate to the system.
QLNX Linux RAT Harvests Developer Credentials to Enable Malicious Package Publishing on npm and PyPI
Trend Micro researchers have identified QLNX (Quasar Linux), a Linux-targeting remote access trojan specifically designed to harvest developer credentials — npm tokens, PyPI upload credentials, AWS IAM keys, Docker registry credentials, and GitHub CLI tokens — from developer workstations. The harvested credentials are then used to publish malicious packages to npm and PyPI under the compromised developer's identity, enabling second-stage supply chain attacks against the developer's downstream users.
SonicWall CVE-2026-0204 — Authentication Bypass in SSLVPN Allows Unauthenticated Network Access
SonicWall has disclosed CVE-2026-0204, an authentication bypass vulnerability in the SonicWall SSLVPN product that allows a remote attacker to bypass VPN authentication and gain access to the protected network without valid credentials. SonicWall SSLVPN appliances are widely deployed as enterprise and SMB VPN concentrators. A patch is available; update immediately.
TCLBanker Banking Trojan Spreads via WhatsApp and Outlook Worm Modules, Targets 59 Financial Platforms
Elastic Security has identified TCLBanker (tracked as REF3076 / Water Saci), an evolution of the Maverick banking trojan family, deploying worm modules that spread via WhatsApp message injection and Outlook email campaigns from infected machines. TCLBanker targets users of 59 financial platforms including online banking, cryptocurrency exchanges, and payment services. The malware uses DLL side-loading via legitimate Logitech software and employs anti-analysis watchdog processes to resist removal.
Eclipse BaSyx ICS Platform: CVE-2026-7411 CVSS 10.0 Path Traversal RCE Threatens Industrial Asset Administration
Two critical vulnerabilities in Eclipse BaSyx V2 — the open-source Industrial Internet of Things Asset Administration Shell implementation used in Industry 4.0 infrastructure — allow an unauthenticated attacker to achieve remote code execution and bypass network segmentation. CVE-2026-7411 (CVSS 10.0) enables arbitrary file write on the BaSyx server; CVE-2026-7412 (CVSS 8.6) enables blind SSRF that can bypass OT network isolation. Patches are available in BaSyx V2 milestone-10.
Firefox and Tor Browser CVE-2026-6770 — IndexedDB Cross-Origin Data Leak Exposes User Browsing Identity
A cross-origin data leakage vulnerability in Firefox and Tor Browser's IndexedDB implementation allows a malicious web page to read data stored by other origins in the IndexedDB API — potentially identifying users by their stored browsing data and breaking the origin isolation that Tor Browser's anonymity model depends on. CVE-2026-6770 is fixed in Firefox 130.0.1 and a Tor Browser update. Tor Browser users should update immediately given the privacy implications.
Ivanti EPMM CVE-2026-6973 — Remote Code Execution Added to CISA KEV, Patch Required
Ivanti has disclosed CVE-2026-6973, a remote code execution vulnerability in Endpoint Manager Mobile (EPMM, formerly MobileIron) that has been added to the CISA Known Exploited Vulnerabilities catalogue following confirmed limited exploitation. EPMM is a mobile device management platform used by government agencies and enterprises. Organisations should apply the available patch and audit administrator account activity. EPMM has a prior history of critical exploitation including the 2023 Norwegian government attack.
LiteLLM CVE-2026-42208 — SQL Injection in AI Gateway Proxy Added to CISA KEV
CVE-2026-42208, a SQL injection vulnerability in the LiteLLM AI gateway proxy, has been added to the CISA Known Exploited Vulnerabilities catalogue following confirmed exploitation. LiteLLM is widely deployed in enterprise environments as a unified API layer routing requests to multiple LLM providers (OpenAI, Anthropic, Azure OpenAI, Bedrock). Exploitation allows an attacker to read and modify the LiteLLM database, including API keys, user records, and model configuration. Update to LiteLLM 1.42.2 immediately.
OpenEMR: Three Critical Vulnerabilities Expose Patient Records Across 100,000 Healthcare Providers
Aisle security researchers have disclosed 38 vulnerabilities in OpenEMR — the world's most widely deployed open-source electronic medical records and practice management system, used by over 100,000 healthcare providers globally. Three of the vulnerabilities are critical, allowing unauthenticated remote code execution and patient record exfiltration. OpenEMR 7.0.2 patch 2 addresses all reported issues; unpatched instances are a direct patient data and regulatory liability.
ProFTPD CVE-2026-42167 — Authentication Bypass Leading to Remote Code Execution
A vulnerability in ProFTPD — one of the most widely deployed open-source FTP server implementations — allows a remote unauthenticated attacker to bypass authentication controls and achieve code execution on the server. CVE-2026-42167 affects ProFTPD versions prior to 1.3.9a. FTP servers are frequently forgotten in patch management programmes; administrators should verify ProFTPD version and apply the update.
Cisco CVE-2026-20188 — Unauthenticated DoS Permanently Crashes Crosswork Network Controller Until Manual Reboot
Cisco has disclosed a high-severity denial-of-service vulnerability in Crosswork Network Controller and NSO (Network Services Orchestrator) that allows an unauthenticated remote attacker to exhaust connection resources and permanently disable the device — requiring a physical manual reboot to recover. CVE-2026-20188 affects the network automation and orchestration platforms used by major service providers and large enterprise networks for intent-based networking automation.
cPanel/WHM Patches Three New Vulnerabilities Including CVSS 8.8 Code Execution and Privilege Escalation
cPanel has released security updates addressing three new vulnerabilities distinct from the previously covered CVE-2026-41940 zero-day: CVE-2026-29202 (CVSS 8.8, Perl code execution), CVE-2026-29203 (CVSS 8.8, symlink-based privilege escalation), and CVE-2026-29201 (CVSS 4.3, arbitrary file read). Web hosting providers running cPanel/WHM should apply the updates urgently given the platform's current elevated threat posture following mass exploitation in May 2026.
GoDaddy ManageWP Credentials Targeted by AiTM Phishing Campaign via Malicious Google Ads
A real-time adversary-in-the-middle phishing campaign is targeting GoDaddy ManageWP administrators through malicious Google search advertisements that appear above legitimate results for ManageWP login queries. The campaign steals session tokens via a real-time proxy, bypassing MFA, and uses Telegram for credential exfiltration. Each compromised ManageWP account typically controls hundreds of WordPress sites, making this a high-leverage credential theft campaign.
Linux 'Dirty Frag' Zero-Day Chains Two Kernel Flaws for Deterministic Root — PoC Published, No Patch
Security researchers have published a proof-of-concept exploit for a new Linux kernel local privilege escalation vulnerability chain nicknamed Dirty Frag, which combines flaws in the xfrm-ESP and RxRPC page-cache subsystems to reliably achieve root access from an unprivileged user process. Unlike its predecessor CopyFail, Dirty Frag is deterministic — it does not rely on race conditions and succeeds reliably across Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE, and Fedora. No CVE ID or kernel patch has been issued at time of disclosure.
Salesforce Marketing Cloud Server-Side Template Injection Exposed Entire Customer Contact Database
SL Cyber researchers have disclosed five patched vulnerabilities in Salesforce Marketing Cloud (ExactTarget), the most critical of which — a server-side template injection flaw — allowed an authenticated marketing user to exfiltrate the complete contacts database and historical email campaign content of any Salesforce Marketing Cloud instance. The vulnerabilities were patched by Salesforce; organisations should verify which contact data and historical communications were accessible to marketing team members.
vm2 Node.js Sandbox Escape CVE-2026-26956 — 1.3 Million Weekly Downloads, PoC Published
A critical sandbox escape vulnerability in the vm2 Node.js sandboxing library allows a malicious script to break out of the sandbox and execute arbitrary code in the host Node.js process. CVE-2026-26956 affects all vm2 versions prior to 3.9.22 and is present in any application using vm2 to safely execute untrusted code — including serverless platforms, coding challenge sites, CI/CD systems, and plugin architectures. A PoC is publicly available.
Fortinet 2026 Global Threat Landscape: Ransomware Victims Up 389% Year-over-Year, AI Crime Industrialising
Fortinet's 2026 Global Threat Landscape Report documents 7,831 confirmed ransomware victims in 2025 — a 389% increase over 2024's approximately 1,600 — alongside the first systematic evidence of AI-enabled cybercrime tooling (WormGPT, FraudGPT, BruteForceAI) being used at scale. Manufacturing, business services, and retail are the hardest-hit sectors. The report reframes the threat environment as fundamentally changed, not merely intensified.
CISA ICS Advisory: GRASSMARLIN OT Network Visualisation Tool Vulnerability CVE-2026-6807
CISA has issued ICS advisory ICSA-26-118-01 for CVE-2026-6807, a vulnerability in GRASSMARLIN — the NSA-developed open-source network visualisation tool widely used by industrial control system operators and OT security teams to map and analyse operational technology networks. The vulnerability affects teams using GRASSMARLIN for defensive ICS visibility, creating a risk of compromise of the analyst workstations conducting that analysis.
KidsProtect Stalkerware Abuses VS Code Tunnels and Discord Webhooks as Covert C2 Infrastructure
A commercially marketed Android application called KidsProtect, presented as a parental control tool, has been analysed and found to function as stalkerware — secretly recording device location, SMS messages, call logs, and browser history without consent. The tool evades conventional network monitoring by routing command-and-control traffic through legitimate VS Code Remote Tunnels and Discord webhook endpoints. Its developer explicitly markets it as an undetectable monitoring solution on underground forums.
Microsoft Threat Intelligence: AiTM Phishing Campaign Hit 35,000 Users Across 26 Countries in Two Days
Microsoft Threat Intelligence has published analysis of a highly targeted adversary-in-the-middle phishing campaign that compromised 35,000 user accounts across healthcare and financial services organisations in 26 countries during a 48-hour window in April 2026. The campaign used polished enterprise-grade HTML templates impersonating Microsoft 365 compliance and code-of-conduct notifications, bypassing standard MFA via real-time session token interception.
OpenSSH CVE-2026-35414 — Certificate Authentication Bypass via Comma Bug Grants Root Access
A single-character defect in OpenSSH's certificate Subject Alternative Name parsing allows an attacker with a maliciously crafted certificate to bypass host-based and user certificate authentication entirely, potentially gaining unauthorised access to systems relying on certificate-based SSH for privileged access. Researchers have named the vulnerability SplitSSHell. Operators using OpenSSH certificate authentication for root or privileged user access should review their CA trust chains immediately.
PAN-OS CVE-2026-0300 — Unauthenticated RCE Zero-Day Actively Exploited in Firewall Espionage Attacks
A critical unauthenticated remote code execution vulnerability in Palo Alto Networks PAN-OS has been under active exploitation since at least early April 2026, linked to espionage-motivated threat actors targeting government and critical infrastructure networks. CVE-2026-0300 affects the User-ID authentication portal on VM-Series and hardware firewalls; CISA added it to the KEV catalogue on 6 May 2026. Patches are available — apply immediately.
108 Malicious Chrome Extensions Exfiltrating Browser Data Removed from Web Store
Google has removed 108 extensions from the Chrome Web Store after researchers identified a coordinated malicious extension campaign conducting browser credential harvesting, session cookie theft, and clipboard monitoring across millions of installations. The extensions impersonated productivity tools, ad blockers, and security tools — with some active for over 18 months before detection. Enterprise Chrome deployments should audit installed extensions against the published IOC list.
Europol Dismantles €50M Crypto Investment Fraud Network — 12 Arrested Across Six Countries
Europol has coordinated the dismantling of a €50 million cryptocurrency investment fraud network operating across six European countries, resulting in 12 arrests, 30 property searches, and the seizure of cryptocurrency holdings, luxury assets, and fraud operation infrastructure. The network ran AI-enhanced investment scam call centres and operated fraudulent crypto trading platforms that fabricated returns to sustain victim investment before executing exit scams.
Five Eyes Advisory: China-Nexus Volt Typhoon and Flax Typhoon Using SOHO Router Botnets to Pre-Position in Critical Infrastructure
A joint advisory from CISA, NCSC-UK, the Australian Signals Directorate, and other Five Eyes partners confirms that China-linked threat actors including Volt Typhoon and Flax Typhoon are systematically compromising small-office and home-office routers to build operational relay networks for espionage and pre-positioned attacks against critical national infrastructure. Organisations should audit edge device inventories and enforce firmware update policies.
Lotus Wiper Targets Venezuelan Energy Infrastructure in ICS-Aware Sabotage Campaign
A destructive wiper malware tracked as Lotus Wiper has been deployed against Venezuelan state energy company PDVSA and associated electricity generation infrastructure. Unlike generic wipers, Lotus Wiper includes ICS-aware modules that identify and corrupt engineering workstation configurations, HMI databases, and OT historian data before wiping. The campaign represents the most targeted wiper deployment against Latin American energy infrastructure on record.
MacSync Stealer Delivered via Malicious Google Ad Targeting macOS Homebrew Users
A macOS infostealer tracked as MacSync has been distributed through a malicious Google search advertisement impersonating the Homebrew package manager — a tool used by virtually all macOS developers. The campaign harvests browser credentials, session tokens, macOS keychain data, and cryptocurrency wallet files from developer machines. macOS users who installed Homebrew via a Google search in the past 30 days should verify their installation source.
Progress MOVEit Automation — Critical Authentication Bypass Vulnerability Disclosed, Patch Immediately
Progress Software has disclosed a critical authentication bypass vulnerability in MOVEit Automation, the workflow automation component of the MOVEit managed file transfer platform. Given MOVEit's history as the most mass-exploited enterprise application of 2023 (Cl0p ransomware, 2,700+ organisations), any new critical vulnerability requires emergency patching. Organisations should apply the patch and review automation workflow configurations before exploitation begins.
Wireshark CVE-2026-5656 — Remote Code Execution via Malicious PCAP File, Update to 4.4.6
A code execution vulnerability in Wireshark's PCAP/PCAPNG file parser allows a malicious capture file to trigger arbitrary code execution when opened by an analyst. CVE-2026-5656 affects all Wireshark versions prior to 4.4.6 across Windows, macOS, and Linux. The attack vector is especially concerning for security teams that open externally-sourced capture files during incident response or threat hunting — update Wireshark to 4.4.6 immediately.
AccountDumpling Abuses Google AppSheet as Legitimate Phishing Relay to Compromise 30,000 Facebook Accounts
The AccountDumpling campaign has compromised approximately 30,000 Facebook accounts by routing phishing emails through Google AppSheet — a legitimate no-code application platform — to bypass spam filters and email security gateways. The technique exploits trusted sender reputation of Google infrastructure and demonstrates the growing difficulty of filtering phishing delivered through legitimate SaaS platforms.
Two Former Cybersecurity Professionals Sentenced to Four Years for BlackCat/ALPHV Ransomware Operations
A US federal court has sentenced two individuals with professional cybersecurity backgrounds to four-year prison terms for their roles in the BlackCat/ALPHV ransomware-as-a-service operation, marking a notable law enforcement outcome that demonstrates insider security knowledge is not a prosecution shield. The sentences follow guilty pleas and cooperation with investigators.
Cordial Spider and Snarky Spider Drive Multi-Sector SaaS Account Takeover via Vishing and SSO AiTM Attacks
Two newly-designated threat actor clusters — Cordial Spider (UNC6671) and Snarky Spider (UNC6661) — are conducting coordinated vishing and adversary-in-the-middle SSO phishing campaigns against enterprise organisations across finance, technology, and logistics sectors, bypassing MFA to harvest persistent OAuth tokens. Organisations should review SSO conditional access policies and verify help desk vishing verification procedures.
EtherRAT Uses Ethereum Blockchain Transactions as Immutable C2 Channel — Campaign Targeting Government and Finance
Researchers have disclosed EtherRAT, a remote access trojan that encodes command-and-control instructions directly into Ethereum blockchain transactions, creating a C2 channel that cannot be taken down, domain-blocked, or sinkholed. Active campaigns have targeted government and financial organisations in Eastern Europe and the Middle East.
Three Critical Buffer Overflow Vulnerabilities Disclosed in Hashcat — Penetration Testing Toolchain at Risk
Security researchers have disclosed three buffer overflow vulnerabilities (CVE-2026-42482, CVE-2026-42483, CVE-2026-42484) in Hashcat, the widely-used open-source password recovery and penetration testing tool. The flaws can be triggered via maliciously crafted hash files or wordlists and may allow code execution in environments where Hashcat processes untrusted input — including shared red team infrastructure and automated password auditing pipelines.
Instructure (Canvas LMS) Discloses Cybersecurity Incident — Scope of Student and Faculty Data Exposure Under Investigation
Instructure, the company behind Canvas Learning Management System used by thousands of universities and K-12 school districts globally, has disclosed a cybersecurity incident affecting an internal infrastructure component. The scope of student, faculty, and institutional data potentially exposed is under forensic investigation. Institutions running Canvas should activate their incident response contact with Instructure and review data sharing scope.
China-Linked SHADOW-EARTH-053 Targets Asian Governments and NATO Member With ShadowPad Implants
Security researchers have attributed a sustained intrusion campaign against at least seven government ministries across Southeast and Central Asia — and one NATO member state's foreign affairs ministry — to the China-nexus cluster SHADOW-EARTH-053, operating the ShadowPad remote access trojan. The campaign exploits legacy Microsoft Exchange vulnerabilities for initial access and uses living-off-the-land techniques to evade detection.
ConsentFix v3 Automates Azure OAuth Abuse at Scale — MFA-Bypassing Phishing Platform Circulating on Forums
The third iteration of the ConsentFix Azure OAuth phishing toolkit has been observed circulating on cybercriminal forums, adding Pipedream-powered automation to the consent flow abuse technique that allows attackers to gain persistent access to Microsoft 365 tenants without requiring MFA. Enterprise security teams should review conditional access policies governing OAuth app registrations and user consent.
'Sorry' Ransomware Deploys en Masse via cPanel CVE-2026-41940 — 44,000 Hosts Compromised Within 48 Hours of Patch
A ransomware group tracked as 'Sorry' has leveraged the recently-patched cPanel/WHM authentication bypass (CVE-2026-41940) to compromise at least 44,000 web hosting servers globally, deploying a Go-compiled Linux encryptor within 48 hours of the vulnerability's public patch release. The speed of mass exploitation underscores the extreme urgency of applying the cPanel/WHM hotfix.
DEEP#DOOR: Python Backdoor Abuses Cloudflare Tunnels to Bypass Network Detection and Exfiltrate Credentials
Securonix researchers have disclosed DEEP#DOOR, a Python-based backdoor framework that routes command-and-control traffic through legitimate Cloudflare Tunnel infrastructure to evade network security controls. The malware establishes persistence via multiple mechanisms, disables Windows security features at installation, and specifically targets browser-stored passwords, session tokens, and cloud provider credentials.
Linux CopyFail LPE Added to CISA KEV With Active Exploitation Confirmed — CVE-2026-31431
CISA has added CVE-2026-31431 — the Linux kernel copy-on-write race condition LPE disclosed last week as 'CopyFail' — to the Known Exploited Vulnerabilities catalogue following confirmed active exploitation. All major Linux distributions have patches available. Federal agencies face a May 20 remediation deadline and all enterprise organisations should treat kernel patching as urgent.
PyTorch Lightning PyPI Package Compromised — Credential-Stealing Payload Delivered to AI/ML Development Environments
PyTorch Lightning versions 2.6.2 and 2.6.3 on PyPI were found to contain a credential-stealing postinstall payload, extending the Mini Shai-Hulud supply chain campaign that previously compromised SAP's official npm packages. Organisations running AI/ML workloads should audit Python environments and rotate any credentials stored on affected development or CI/CD systems.
Trellix Confirms Source Code Repository Breach — Forensic Investigation Underway
Cybersecurity vendor Trellix has confirmed unauthorised access to an internal source code repository, with law enforcement notified and a forensic investigation ongoing. The breach raises concerns about potential weaponisation of security product internals against Trellix's enterprise customer base.
DPRK Scales npm Malware Campaign With AI-Generated Code, Fake Tech Firms, and Remote RAT Deployment
North Korean threat actors have launched a new wave of npm supply chain attacks using AI-generated malicious package code that bypasses static analysis tools, fake software development firms as cover identities, and a multi-stage RAT that exfiltrates source code, cryptographic keys, and credentials from developer workstations. The campaign targets blockchain, DeFi, and fintech developers — organisations in these sectors should audit npm dependencies and developer machine security.
FBI Warns of $725M Cyber-Enabled Cargo Theft Wave Targeting Transportation and Logistics
The FBI has issued a warning documenting a sharp surge in cyber-enabled cargo theft targeting the US transportation and logistics industry, with losses exceeding $725 million in 2025. Criminal organisations use phishing, broker impersonation, and freight marketplace account takeovers to divert physical shipments. Supply chain security teams and freight brokers should treat this advisory as a direct threat to physical goods in transit.
GitHub Enterprise Server CVE-2026-3854 — Critical RCE via Single Git Push, No Authentication Required
CVE-2026-3854, a critical-severity remote code execution vulnerability in GitHub Enterprise Server, allows an attacker to execute arbitrary code on the server with a single specially crafted Git push, requiring no authentication. Any internet-exposed or internally-accessible GHES instance is vulnerable. GitHub has released hotfixes across all supported branches; apply immediately.
Linux 'CopyFail' Kernel Privilege Escalation — Root Access on All Major Distributions Since 2017
A newly weaponised local privilege escalation vulnerability in the Linux kernel's copy-on-write mechanism allows unprivileged local users to gain root access on virtually all major Linux distributions running kernels from 2017 onwards. A working public exploit has been released. Kernel patches are available; organisations running Linux servers, containers, and cloud instances should patch immediately.
PhantomRPC — Unpatched Windows Privilege Escalation Technique Abuses COM Server Activation
Security researchers have disclosed PhantomRPC, an unpatched local privilege escalation technique in Windows that abuses the COM server activation mechanism to elevate from standard user to SYSTEM without triggering standard EDR alerts. Microsoft has acknowledged the report but not committed to a patch timeline. Defenders should implement mitigation controls; red teams should incorporate this technique into assessments.
VECT 2.0 Ransomware Irreversibly Corrupts Files Over 131KB on Windows, Linux, and ESXi
VECT 2.0 is a new cross-platform ransomware variant that partially corrupts files larger than 131KB rather than encrypting them — rendering files permanently unrecoverable even after ransom payment, as the overwritten data cannot be reconstructed. Active campaigns have targeted manufacturing, logistics, and healthcare. Standard backup-based recovery strategies may fail against VECT 2.0 if backups were mounted or reachable at the time of attack.