
// CIO Briefings

68 briefings — page 2 of 4

68 Total Briefings
40 Critical Impact
66 Action Required
High Impact

Microsoft May 2026 Patch Tuesday: 120 Vulnerabilities Including Wormable Network RCE Require Urgent Action

Microsoft's May 2026 update cycle addresses 120 security vulnerabilities, 17 rated Critical, including a wormable Remote Code Execution flaw in the Windows DNS Client that requires no user interaction. This release affects every Windows version in enterprise service. Security and IT leadership should authorise emergency patching of network-facing systems within 24 hours.

all NIS2
High Impact

ShinyHunters Breach Canvas LMS — University Login Portals Defaced Across US, UK, Australia in Mass Extortion Campaign

Hackers exploited a vulnerability in Canvas LMS, the learning management platform used by over 5,000 universities and school districts globally, to deface university login portals with ransom demands visible to students and staff. Instructure, the company that develops and operates Canvas, has confirmed the breach and issued emergency patches. Student and faculty personal data was also exposed. Educational institutions running Canvas should apply the emergency patch and begin FERPA/GDPR notification assessments immediately.

government technology NIS2
High Impact

CVSS 10.0 Vulnerability in Industrial IoT Platform Allows Unauthenticated Takeover of OT-Connected Systems

A maximum-severity (CVSS 10.0) vulnerability in Eclipse BaSyx, industrial automation middleware used to connect IT and manufacturing systems under Industry 4.0 programmes, allows an unauthenticated attacker who can reach the software from the internet to take complete control of it and of the systems it is connected to. A companion vulnerability lets the same attacker probe the manufacturing network from the internet, bypassing network segmentation controls. Organisations running BaSyx as part of smart factory or Industry 4.0 programmes must patch immediately and confirm that no BaSyx endpoint is directly reachable from the internet.

manufacturing critical-infrastructure NIS2
High Impact

Two Enterprise Products Added to US Exploited Vulnerabilities List This Week — Ivanti MDM and AI Gateway

CISA added two enterprise products to its Known Exploited Vulnerabilities catalogue this week: Ivanti EPMM (mobile device management platform) and LiteLLM (AI gateway proxy). Active exploitation of both has been confirmed. The LiteLLM addition is significant as the first AI infrastructure component to enter KEV, reflecting the rapid adoption of AI tooling into enterprise production environments and the corresponding attacker interest.

government technology NIS2
High Impact

Linux Zero-Day 'Dirty Frag' — All Major Linux Distributions Vulnerable, No Patch Available

A new zero-day privilege escalation vulnerability in the Linux kernel, nicknamed Dirty Frag, has been publicly disclosed together with a working proof-of-concept exploit. Unlike many earlier kernel privilege-escalation flaws, which depend on winning a race condition, Dirty Frag is deterministic: it reliably succeeds on the first attempt without any timing tricks. Every major Linux distribution (Ubuntu, Red Hat Enterprise Linux, CentOS, Fedora, openSUSE) is currently vulnerable, and no patch is available. Any user with an unprivileged local account on an affected Linux server can use it to obtain root.

technology critical-infrastructure
Critical Impact

Palo Alto PAN-OS Zero-Day Actively Exploited — Espionage Actors Targeting Firewall Infrastructure

A critical remote code execution flaw in Palo Alto Networks firewall software (PAN-OS) has been under active exploitation by espionage-linked attackers since at least April 2026, with CISA confirming exploitation by adding it to the Known Exploited Vulnerabilities list. An attacker who exploits this flaw gains full control of the firewall — including the ability to read VPN credentials, intercept network traffic, and access connected networks. Emergency patching is required.

government critical-infrastructure NIS2
High Impact

Five Eyes Warning: Chinese State Actors Pre-Positioning in Critical Infrastructure for Potential Sabotage

A joint advisory from the UK, US, Australian, Canadian, and New Zealand intelligence services has confirmed that Chinese state-sponsored hackers are systematically infiltrating Western critical infrastructure — energy, water, transport, and telecoms — not to steal information, but to establish the capability to disrupt or destroy services in a future conflict. This represents a strategic national security threat that directly affects organisations operating or supplying critical infrastructure.

critical-infrastructure government NIS2
Critical Impact

MOVEit Automation Critical Vulnerability — Emergency Patching Required Immediately

Progress Software has disclosed a critical flaw in MOVEit Automation — the automated file-transfer workflow platform — that allows an attacker without any login credentials to gain full administrative access. Given that a previous vulnerability in the same product led to the largest mass data breach of 2023, affecting over 2,700 organisations globally, this disclosure demands emergency response, not a scheduled patch cycle.

finance healthcare DORA
High Impact

New Multi-Sector Identity Attack Campaign Bypasses MFA via Vishing and SSO Hijacking — Finance, Technology, Logistics Targeted

Two coordinated threat actor clusters are conducting large-scale campaigns that combine voice phishing of IT help desks with adversary-in-the-middle (AitM) attacks on SSO logins to gain persistent, MFA-bypassing access to enterprise Microsoft 365, Okta, and Entra ID environments. Active campaigns span the finance, technology, and logistics sectors. Push-, SMS- and one-time-code MFA provide no protection, because the proxy simply relays the code and captures the resulting session; only phishing-resistant authentication (FIDO2/passkeys), whose credentials are bound to the legitimate login origin, stops the SSO interception technique.

Financial Services Technology
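
Why a passkey survives the interception while a one-time code does not comes down to origin binding, and the difference is easy to show in code. What follows is an added example written for this page, not code from the briefing or from Microsoft, Okta or any vendor named in it. RP_ID, RP_ORIGIN and the proxy host are assumed names, and the HMAC-based "signature" is a stand-in for the authenticator's real public-key signature so that the example runs with the Python standard library only.

```python
import base64
import hashlib
import hmac
import json
import os

# Hypothetical relying party (the SSO tenant). Names are assumptions for the example.
RP_ID = "sso.example.com"
RP_ORIGIN = "https://sso.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class ToyAuthenticator:
    """Stand-in for a FIDO2 authenticator. A real one signs with a per-site private
    key (ECDSA/Ed25519); an HMAC key is used here so that the example needs only the
    standard library (a simplification, not how real authenticators work)."""

    def __init__(self) -> None:
        self.key = os.urandom(32)

    def get_assertion(self, rp_id: str, origin: str, challenge: bytes) -> dict:
        # The browser, not the page script, writes 'origin' into clientDataJSON and
        # hashes rp_id into authenticatorData, and it rejects an rp_id that is not a
        # registrable suffix of the page's host. A proxy on another host therefore
        # can only obtain an assertion bound to its own host, never to the real RP.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
            separators=(",", ":"),
        ).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + bytes(4)
        signed = auth_data + hashlib.sha256(client_data).digest()
        signature = hmac.new(self.key, signed, hashlib.sha256).digest()
        return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def verify_assertion(assertion: dict, key: bytes, expected_challenge: bytes) -> tuple:
    """Relying-party checks in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def fido2_login_direct(auth: ToyAuthenticator) -> tuple:
    challenge = os.urandom(32)
    return verify_assertion(auth.get_assertion(RP_ID, RP_ORIGIN, challenge), auth.key, challenge)


def fido2_login_via_aitm_proxy(auth: ToyAuthenticator) -> tuple:
    """The proxy fetches the real RP's challenge, serves a look-alike page on its own
    host and relays the assertion unchanged. It arrives bound to the wrong origin."""
    proxy_host = "sso.example.com.login-secure.test"   # attacker-controlled (constructed)
    challenge = os.urandom(32)                           # obtained by the proxy from the real RP
    assertion = auth.get_assertion(proxy_host, "https://" + proxy_host, challenge)
    return verify_assertion(assertion, auth.key, challenge)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code-based MFA that the campaign relays."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def rp_verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # Typical one-step skew tolerance either side.
    return any(hmac.compare_digest(code, totp(secret, unix_time + d)) for d in (-30, 0, 30))


def totp_login_via_aitm_proxy(secret: bytes, unix_time: int, relay_delay: int = 20) -> bool:
    """A one-time code carries no origin: the victim types it into the proxy's page and
    the proxy submits it to the real RP seconds later, well inside the accepted window."""
    code_typed_on_phish_page = totp(secret, unix_time)
    return rp_verify_totp(secret, code_typed_on_phish_page, unix_time + relay_delay)
```

The relayed TOTP is accepted because nothing in a six-digit code says where it was typed; the relayed WebAuthn assertion is rejected at the origin check before the signature is even examined, because the browser bound it to the proxy's host. That is the property the briefing's recommendation relies on, and it is why a help-desk reset to push- or code-based MFA reopens the hole.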
Critical Impact

'Sorry' Ransomware Mass-Exploits Patched Web Server Vulnerability — 44,000 Servers Compromised in 48 Hours

A ransomware group called 'Sorry' has compromised at least 44,000 web hosting servers globally by exploiting a recently patched critical vulnerability in cPanel/WHM web hosting management software. The attack began within hours of the official patch release, encrypting customer websites, databases, and email systems. Organisations running cPanel should confirm patch status immediately; unpatched servers face near-certain compromise.

Technology All
High Impact

Trellix Security Vendor Source Code Breached — Enterprise Customers Face Elevated Risk of Targeted Zero-Days

Trellix — a major enterprise cybersecurity vendor protecting thousands of organisations' endpoints, networks, and email systems — has confirmed that an attacker accessed and exfiltrated code from an internal source code repository. Security vendor breaches create a distinct risk profile: attackers with knowledge of how a security product works can use that knowledge to bypass its detections or identify undisclosed vulnerabilities. Customers should activate secondary detection controls while the investigation is ongoing.

Technology Financial Services
Critical Impact

VECT 2.0 Ransomware Permanently Destroys Data — Backups and Ransom Payment Cannot Recover Files

VECT 2.0 is a new cross-platform ransomware that deliberately corrupts large files beyond recovery before encrypting them, so paying the ransom cannot restore them, and any backup copy reachable from the infected systems is exposed to the same destruction. Active campaigns are hitting manufacturing, logistics, and healthcare. Organisations should immediately verify that at least one backup tier is fully isolated from production systems and test a restore from it.

Critical Impact

cPanel Zero-Day Exploited Before Patch — Hosting Infrastructure Under Active Attack

A critical authentication bypass in cPanel and WHM web hosting management software was exploited in the wild before the vendor issued a patch. The vulnerability gives attackers full administrative control of affected servers without needing a password. Organisations running cPanel/WHM directly or using cPanel-based hosting providers need immediate action.

Critical Impact

Milesight AIOT Camera Fleet: Shared SSL Key Means Every Unit Is Compromised If One Is

CISA advisory ICSA-26-113-03 covers five CVEs in Milesight AIOT network cameras, including a CVSS 9.8 flaw in which every camera in a model family shares a single factory-embedded TLS (SSL) private key. An attacker who extracts that key, which can be done from any one unit or from publicly available firmware, can silently intercept and replace video feeds and steal management credentials across the entire deployed fleet without triggering certificate warnings, since every unit presents the same already-trusted key. Camera firmware patches are available; immediate isolation and patching are required for safety-critical and OT-adjacent deployments.
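
The shared-key condition is easy to check across any device fleet, not only these cameras: if the SHA-256 of the DER SubjectPublicKeyInfo is identical on two units, they present the same key. The following is an added example written for this page, not Milesight's or CISA's code. It parses only the certificate field order it needs, `fingerprint_from_host` fetches a live leaf certificate without chain validation (self-signed device certs), and `fake_cert` builds constructed certificate skeletons so the check runs offline; those are not real Milesight certificates and the device names are invented.

```python
import base64
import hashlib
import ssl
from collections import defaultdict


def _read_tlv(buf: bytes, pos: int) -> tuple:
    """Read one DER TLV at pos; return (tag, value, raw_tlv, next_pos)."""
    start = pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end


def _children(seq_value: bytes) -> list:
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, raw, pos = _read_tlv(seq_value, pos)
        out.append((tag, val, raw))
    return out


def spki_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER SubjectPublicKeyInfo, the same value as
    `openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | sha256sum`."""
    _, cert, _, _ = _read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _, _ = _read_tlv(cert, 0)           # tbsCertificate
    fields = _children(tbs)
    # tbsCertificate: [0] version (optional), serial, signature, issuer, validity, subject, spki
    idx = 6 if fields[0][0] == 0xA0 else 5
    return hashlib.sha256(fields[idx][2]).hexdigest()


def pem_to_der(pem: str) -> bytes:
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def fingerprint_from_host(host: str, port: int = 443) -> str:
    """Fetch a device's leaf certificate over TLS (no chain validation, as device
    certificates are self-signed) and fingerprint its key. Network call; not run here."""
    return spki_fingerprint(pem_to_der(ssl.get_server_certificate((host, port))))


def find_shared_keys(certs: dict) -> dict:
    """{host: DER cert} -> {fingerprint: [hosts]} keeping only keys seen on >1 host."""
    groups = defaultdict(list)
    for host, der in certs.items():
        groups[spki_fingerprint(der)].append(host)
    return {fp: hosts for fp, hosts in groups.items() if len(hosts) > 1}


# --- constructed test data: X.509 skeletons with fake key bytes (not real certificates) ---
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _seq(*parts: bytes) -> bytes:
    return _tlv(0x30, b"".join(parts))


def fake_cert(public_key_bytes: bytes, serial: int) -> bytes:
    """Issuer, subject and validity are empty and the signature is a placeholder;
    only the field order matters for spki_fingerprint()."""
    spki = _seq(_seq(_tlv(0x06, bytes.fromhex("2a8648ce3d0201"))),      # id-ecPublicKey
                _tlv(0x03, b"\x00" + public_key_bytes))                   # BIT STRING
    tbs = _seq(_tlv(0xA0, _tlv(0x02, b"\x02")),                           # [0] version v3
               _tlv(0x02, serial.to_bytes(2, "big")),                     # serialNumber
               _seq(_tlv(0x06, bytes.fromhex("2a8648ce3d040302"))),       # ecdsa-with-SHA256
               _seq(), _seq(), _seq(),                                    # issuer, validity, subject
               spki)
    return _seq(tbs, _seq(), _tlv(0x03, b"\x00"))                         # alg, signatureValue


def demo_fleet() -> dict:
    shared = b"\x04" + bytes(range(64))     # the same key baked into two units
    unique = b"\x04" + bytes(64)
    fleet = {"cam-lobby": fake_cert(shared, 1),
             "cam-dock": fake_cert(shared, 2),
             "cam-yard": fake_cert(unique, 3)}
    return find_shared_keys(fleet)
```

Run `find_shared_keys` over `{host: pem_to_der(ssl.get_server_certificate((host, 443)))}` for every camera, NVR and other embedded device on the segment; any fingerprint that maps to more than one host is a shared key, and any device whose key fingerprint also appears in an extracted firmware image is compromised fleet-wide regardless of who has touched that particular unit.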

High Impact

Medtronic Data Breach — 9 Million Patient Records Exposed, Healthcare Operators Face Regulatory Notification Deadlines

Medtronic, the world's largest medical device manufacturer, has confirmed a breach of its patient therapy management platform affecting up to nine million records across 150 countries. Exposed data includes patient identities, implanted device serial numbers, and follow-up care records. Healthcare organisations that share patient data with Medtronic for device management carry their own obligations: joint-controller duties under GDPR, where the 72-hour clock for notifying the supervisory authority starts when the organisation becomes aware of the breach, and covered-entity duties under HIPAA, where the 60-day limit is a ceiling rather than a target.

healthcare critical-infrastructure HIPAA
High Impact

Smart Grid Supplier Itron Breached — Utility Operators Must Assess Supply Chain Exposure Now

Itron, the world's largest smart metering and grid management technology company, has disclosed a breach of its internal IT systems via a mandatory SEC filing. With Itron's infrastructure embedded in over 8,000 utility networks globally, the breach demands immediate action from utility operators to audit vendor access, rotate shared credentials, and verify the integrity of software delivered through Itron's channels.

critical-infrastructure technology NIS2
High Impact

Russia's GRU Hijacked 18,000 Home Routers to Harvest Microsoft 365 Login Tokens

Russia's military intelligence service operated an 18,000-router network to silently intercept Microsoft 365 authentication tokens from businesses and government agencies across 120 countries. US authorities dismantled the US-based infrastructure on April 7 2026, but the campaign continues globally. Organisations with remote workers using home or small-office internet connections should assume Microsoft 365 accounts may have been silently monitored, revoke refresh tokens and active sign-in sessions for affected users immediately, and harden access controls.

government finance DORA
High Impact

North Korea Poisoned a Core Software Building Block Used by Virtually Every Organisation

North Korean state hackers took control of a publish account for axios, a JavaScript HTTP client library used in an estimated 100 million weekly developer builds, and for roughly three hours on March 31 2026 made available a version carrying credential-stealing code. Any organisation whose automated build systems installed the package during that window may have had credentials and secrets silently stolen. CISA issued a formal advisory on April 20. Organisations should audit build logs for installs in that window and rotate all secrets from potentially affected pipelines immediately.

technology finance DORA
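
Triage for this kind of publish-account compromise has two parts: which axios versions each repository actually pins (including nested copies under other packages), and which CI runs overlapped the window in a way that could have fetched a newly published tarball. A run that installs from an unchanged lockfile receives only the pinned tarball, whose integrity hash npm ci verifies, so it cannot have picked up a version published during the window unless that version is the one pinned; a run with no lockfile, or one that bumped the lockfile, could. The following is an added example written for this page, not CISA's or the axios project's code. The lockfile, CI run records, axios version numbers and the window's start and end times are all constructed; the briefing gives only the date and a three-hour duration, so replace the bounds with the ones in the advisory.

```python
import json
from datetime import datetime, timedelta, timezone


def axios_entries(lockfile: dict) -> list:
    """Every axios entry, top-level or nested, from package-lock.json v1, v2 or v3."""
    found = []
    if "packages" in lockfile:                                    # lockfileVersion 2/3
        for path, meta in lockfile["packages"].items():
            if path == "node_modules/axios" or path.endswith("/node_modules/axios"):
                found.append({"path": path, "version": meta.get("version"),
                              "resolved": meta.get("resolved"), "integrity": meta.get("integrity")})
        return found

    def walk(deps: dict, prefix: str) -> None:                    # lockfileVersion 1
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "axios":
                found.append({"path": path, "version": meta.get("version"),
                              "resolved": meta.get("resolved"), "integrity": meta.get("integrity")})
            walk(meta.get("dependencies", {}), path + "/")

    walk(lockfile.get("dependencies", {}), "")
    return found


def axios_entries_from_file(path: str) -> list:
    with open(path, encoding="utf-8") as fh:
        return axios_entries(json.load(fh))


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_runs(runs: list, window_start: datetime, window_end: datetime) -> list:
    """Classify CI runs against the publish window.
    rotate-secrets         : overlapped the window and could have fetched a fresh tarball
                             (no lockfile, or the lockfile changed in that run)
    verify-pinned-version  : overlapped, but installed from an unchanged lockfile; confirm the
                             pinned axios version/integrity is not the malicious one
    clear                  : did not overlap the window"""
    out = []
    for run in runs:
        started, finished = _ts(run["started"]), _ts(run["finished"])
        overlaps = started <= window_end and finished >= window_start
        pinned = run.get("lockfile_present", False) and not run.get("lockfile_modified", False)
        if not overlaps:
            action = "clear"
        elif pinned:
            action = "verify-pinned-version"
        else:
            action = "rotate-secrets"
        out.append({"run": run["id"], "overlaps_window": overlaps, "pinned": pinned, "action": action})
    return out


# Constructed sample data (not from the briefing). Placeholder UTC bounds: substitute the
# advisory's actual start and end times.
WINDOW_START = datetime(2026, 3, 31, 0, 0, tzinfo=timezone.utc)
WINDOW_END = WINDOW_START + timedelta(hours=3)

SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.7.0"}},
        "node_modules/axios": {"version": "1.7.9",                 # sample value, not an advisory fact
                               "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.9.tgz",
                               "integrity": "sha512-<constructed placeholder>"},
        "node_modules/some-sdk/node_modules/axios": {"version": "0.21.4",
                                                     "integrity": "sha512-<constructed placeholder>"},
    },
}

SAMPLE_RUNS = [
    {"id": "ci-1041", "started": "2026-03-31T00:20:00Z", "finished": "2026-03-31T00:31:00Z",
     "lockfile_present": True, "lockfile_modified": False},
    {"id": "ci-1042", "started": "2026-03-31T01:05:00Z", "finished": "2026-03-31T01:19:00Z",
     "lockfile_present": True, "lockfile_modified": True},      # dependency bump in this run
    {"id": "ci-1043", "started": "2026-03-31T02:55:00Z", "finished": "2026-03-31T03:04:00Z",
     "lockfile_present": False},                                # 'npm install' from ranges
    {"id": "ci-1044", "started": "2026-03-31T06:00:00Z", "finished": "2026-03-31T06:08:00Z",
     "lockfile_present": True, "lockfile_modified": False},
]


def triage_sample() -> dict:
    return {r["run"]: r["action"] for r in triage_runs(SAMPLE_RUNS, WINDOW_START, WINDOW_END)}
```

Feed `axios_entries_from_file` every package-lock.json in the estate (monorepo workspaces and vendored SDKs included, since the nested copy is the one people forget) and `triage_runs` the run records exported from the CI system. Treat "verify-pinned-version" as a check, not a clearance: if the pinned version and integrity match the malicious publish, that run needs the same secret rotation as an unpinned one.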