Daily Threat Intelligence Brief - May 5, 2026

Executive Summary

CISA added CVE-2026-31431, a Linux kernel "incorrect resource transfer between spheres" flaw, to the Known Exploited Vulnerabilities catalog on May 1, 2026, citing active in-the-wild exploitation against federal-class infrastructure. CISA Alert, May 1, 2026
CVE-2026-32202, a zero-click NTLM hash leak in Windows Shell discovered by Akamai after Microsoft's incomplete patch for CVE-2026-21510, is under active exploitation by Russia-linked operators. CISA set a remediation deadline of May 12, 2026 for federal agencies. The Register, April 29, 2026 | BleepingComputer
Google patched CVE-2026-2441, an actively exploited high-severity Chrome and Chromium remote code execution flaw with public exploit code circulating; the bug is reachable via malicious web content and impacts enterprise, developer, and CI/CD automation environments. Orca Security, May 2026
Iran-affiliated APT actors (linked to IRGC's Cyber Electronic Command and CyberAv3ngers / Shahid Kaveh) continue disrupting Rockwell Automation Allen-Bradley PLCs across US water, wastewater, energy, and government sectors per the April 8, 2026 joint CISA, FBI, NSA, EPA, DOE, and CYBERCOM advisory. CISA Advisory AA26-097A | IC3 PDF
Russian APT28 is hijacking DHCP and DNS settings on vulnerable routers to redirect traffic through attacker-controlled DNS, enabling adversary-in-the-middle credential and token theft, per the UK NCSC. NCSC, 2026
Fiserv was newly listed on the Everest ransomware leak site on May 4, 2026; Nike (481,409 employee records) by Worldleaks; Brightspeed by Crimson Collective; and England Hockey (129 GB exfiltrated) by AiLock. BlackFog State of Ransomware 2026 | BreachSense
Agentic AI risk is now operational, not theoretical: AgentPoison achieves over 80% attack success at <0.1% poison rate against RAG-based agents, MINJA reports >95% injection success against production agents, and meta-analysis of 78 studies shows >85% success against state-of-the-art defenses when adaptive strategies are used. SwarmSignal | Lakera
Over 8,000 Model Context Protocol (MCP) servers are reachable from the public internet, many with default 0.0.0.0:8080 admin bindings exposing tool registries and credentials. Medium, Feb 2026 | Unit 42
The 2025 CISA KEV closed at 1,484 entries, and the 2026 trajectory points higher; vendor advisory volume from Fortinet, Microsoft, Cisco, and Google is sustaining the spike. Cyble

Critical Vulnerabilities

CVE-2026-31431: Linux Kernel Incorrect Resource Transfer Between Spheres

CISA added this Linux kernel flaw to the KEV catalog on May 1, 2026 based on confirmed in-the-wild exploitation. The class of bug, "incorrect resource transfer between spheres," is a recurring privilege boundary violation that allows kernel-mode resources to leak into user-mode contexts (or vice versa), a frequent attack vector in container escapes and local privilege escalation chains. Federal civilian executive branch agencies are required to remediate per BOD 22-01 timelines; private sector defenders should treat it as urgent on any internet-adjacent Linux fleet. CISA, May 1, 2026

CVE-2026-32202: Windows Shell Zero-Click NTLM Hash Leak

Akamai researchers reported this vulnerability after observing that Microsoft's February 2026 patch for CVE-2026-21510 (a remote code execution flaw exploited by Russian state-aligned operators) was incomplete. The residual bug allows an attacker to coerce NTLM authentication and exfiltrate hashes with no user interaction, via network spoofing techniques. CISA's deadline for FCEB patching is May 12, 2026. Windows endpoints and servers across the enterprise are in scope. BleepingComputer | The Register

CVE-2026-2441: Google Chrome and Chromium RCE Zero-Day

Google issued an emergency Chrome update for an actively exploited high-severity flaw allowing arbitrary code execution via crafted web content. Public exploit details are circulating. Beyond traditional desktop exposure, Orca highlighted blast radius into enterprise developer workstations, headless Chromium in CI pipelines, Electron-based apps, and automation tooling that loads remote content. Orca Security

CVE-2026-35616: FortiClient EMS Improper Access Control

Fortinet disclosed a 9.1 CVSS unauthenticated code execution vulnerability in FortiClient Endpoint Management Server, confirmed exploited in the wild. Hotfixes are available for 7.4.5 and 7.4.6; 7.4.7 includes the fix natively. CISA placed it in KEV with a federal remediation deadline of April 9, 2026; any organization not yet patched is now operating outside CISA's window and inside the active exploitation envelope. Fortinet PSIRT FG-IR-26-099 | Greenbone

CVE-2026-24858: FortiOS SSO Authentication Bypass

Disclosed in January 2026 with confirmed in-the-wild exploitation, this FortiOS administrative SSO bypass continues to surface in incident response engagements. Cyberscoop observed the pattern is "frustratingly familiar" for Fortinet customers, mirroring prior administrative interface bypasses. Verify all FortiCloud SSO configurations and audit privileged session logs. The Hacker News | SecurityAffairs

CVE-2026-41940: cPanel Zero-Day Exploited For Months

cPanel patched a zero-day that researchers determined had been exploited for months prior to disclosure, mirroring the Gogs zero-day pattern. Hosting providers and shared infrastructure environments should review web shell artifacts and outbound C2 telemetry for the affected window. Help Net Security, April 30, 2026

D-Link End-of-Life Router Zero-Day

Attackers are exploiting an unpatched flaw in discontinued D-Link router models. Because the affected hardware is past end-of-life, no fix is forthcoming. Replacement is the only mitigation. Small-business and home-office networks dominate the exposed population. Dark Reading | SecurityWeek

AI Security Threats

The AI security landscape in May 2026 is no longer dominated by abstract jailbreak research. The dominant story is operational compromise of agentic systems: prompt injection has moved from a chat-window curiosity to a vehicle for persistent, cross-session, cross-tool, cross-system compromise.

Prompt Injection Has Become Agent Hijacking

According to the OWASP Top 10 for Agentic Applications 2026, prompt injection now hijacks an agent's planning loop, executes privileged tool calls, persists malicious instructions in memory, and propagates attacks across connected systems. The class of attack has effectively merged with command and control. Airia | SwarmSignal

A meta-analysis of 78 studies between 2021 and 2026 shows attack success rates exceeding 85% against state-of-the-art defenses when adaptive strategies are used. Multi-turn attacks lift baseline success rates to between 39.5% and 54.6% on average, and in enterprise red-team testing reach over 90%. SQ Magazine

Memory Poisoning: Persistent, Cross-Session Compromise

Memory poisoning is the most consequential evolution. Where prompt injection was stateless and ended with the chat window, memory poisoning persists. The agent "learns" the malicious instruction, recalls it days or weeks later, and defends the false belief when challenged. Dev.to | Christian Schneider

Documented benchmarks:

Attack	Target	Poison Rate	Success Rate	Source
AgentPoison	RAG-based agents	<0.1%	>80%	SwarmSignal
MINJA	Production agents	n/a	>95%	SwarmSignal
Memory Poison	Long-term agent mem	low	persistent	BeyondScale
Multi-turn JB	Enterprise chatbots	n/a	>90%	SQ Magazine

Microsoft Security observed a related class of attack, "AI recommendation poisoning," where adversaries manipulate an agent's memory to bias future recommendations toward attacker-controlled vendors, products, or services for direct monetary gain. The attack does not require model retraining. Microsoft Security Blog, Feb 10, 2026

Memory poisoning incident counts have reached approximately 380 documented cases tracked across vendor and academic reporting. Stellar Cyber

MCP Servers: The Agentic Attack Surface

Over 8,000 Model Context Protocol servers are reachable from the public internet. Common misconfigurations include default admin panels bound to 0.0.0.0:8080, no authentication on tool registration endpoints, and tool descriptions that double as injection vectors. Medium

Palo Alto Unit 42 documented new attack vectors using MCP sampling, where compromised servers manipulate the LLM's reasoning by serving poisoned context. Three primary patterns:

Pattern	Description	Source
Tool Poisoning	Malicious instructions hidden in tool descriptions	Unit 42
Rug Pull	Tool changes behavior after user approval, bypassing consent	Unit 42
Cross-Tool Contamination	Compromised server influences other legitimate tools via shared context	Unit 42

The arXiv preprint "Prompt Injection Attacks on Agentic Coding Assistants" provides a systematic taxonomy of vulnerabilities across skills, tools, and protocol ecosystems, covering Claude Code, GitHub Copilot, and Cursor. arXiv 2601.17548

Enterprise Readiness Lags Sharply

Only 24% of generative AI projects include security safeguards, and only 29% of enterprises report being prepared to secure agentic AI deployments. The gap between deployment velocity and security maturity continues to widen. Help Net Security, Feb 23, 2026

The Clawdbot Incident

In January 2026, the Clawdbot ecosystem suffered a catastrophic compromise rooted in default 0.0.0.0:8080 admin bindings, publicly accessible from first deployment. The incident is now used as a reference case for why agentic platforms must default to localhost binding, mutual TLS, and explicit network policy. Medium

The Lethal Trifecta

The "lethal trifecta" framing has crystallized: an agent that has (1) access to private data, (2) ability to communicate externally, and (3) exposure to untrusted input is, by construction, exploitable. Defenders must break at least one leg of the trifecta or accept residual risk. Airia

Threat Actor Activity

Iran: IRGC-Linked PLC Disruption (CyberAv3ngers / Shahid Kaveh)

The April 8, 2026 joint advisory from CISA, FBI, NSA, EPA, DOE, and US Cyber Command (AA26-097A) reports active disruption of Rockwell Automation Allen-Bradley PLCs since at least March 2026. Sectors hit include water and wastewater, energy, and government services. The FBI confirmed extraction of PLC project files and manipulation of HMI and SCADA displays. The actor is affiliated with the IRGC Cyber Electronic Command and tracked publicly as CyberAv3ngers (aka Shahid Kaveh Group). CISA AA26-097A | Industrial Cyber | HSToday

Russia: APT28 Router DHCP and DNS Hijacking

The UK NCSC reports APT28 (GRU Unit 26165) exploiting vulnerable routers to overwrite DHCP and DNS settings, redirecting victim traffic through attacker-controlled resolvers. The post-compromise objective is adversary-in-the-middle interception and theft of credentials and authentication tokens. SOHO and edge device fleets remain the soft target. NCSC

Russia: NTLM Coercion via CVE-2026-32202

The Windows Shell zero-click hash leak is being chained with NTLM relay tooling for lateral movement, in continuation of patterns observed against the original CVE-2026-21510 in early 2026. The Register

Southeast Asia: TrueConf Government Targeting

A TrueConf zero-day was leveraged in attacks against Southeast Asian government networks earlier in 2026; defenders in adjacent geographies should audit conferencing platform exposure. The Hacker News

VMware ESXi: Active VM Escape Exploitation

Huntress documented in-the-wild VM escape exploitation against ESXi, a high-blast-radius scenario for any virtualized estate. Hypervisor escape converts a single-tenant compromise into a multi-tenant breach. Huntress

Ransomware and Data Breaches

Date	Victim	Sector	Actor	Impact	Source
2026-05-04	Fiserv	Financial Tech	Everest	Listed on leak site	BreachSense
2026-Q2	Nike	Retail / Apparel	Worldleaks	481,409 employee records, 491,189 users	BlackFog
2026-Q2	Brightspeed	Telecom / ISP	Crimson Collective	Service disruption claimed	BlackFog
2026-Q2	England Hockey	Sports Governance	AiLock	129 GB exfiltrated	BlackFog

Ransomware volume in 2026 has settled into what Industrial Cyber describes as an "elevated new normal," resetting baseline risk expectations rather than declining. New entrant groups continue to emerge, accelerating the long-tail leak-site landscape. Industrial Cyber | Cyble

The Cyber Express April 2026 threat landscape report and PKWARE 2026 breach roundup catalog dozens of additional incidents across healthcare, education, manufacturing, and public sector. The Cyber Express | PKWARE

Recommended Actions

Immediate (next 24 to 72 hours)

Patch CVE-2026-32202 on all Windows endpoints and servers ahead of the May 12 CISA deadline. Hunt for prior NTLM hash exfiltration attempts in network and SMB telemetry. CISA
Patch CVE-2026-31431 across Linux fleet, with priority on internet-facing hosts, container hosts, and CI runners. CISA
Deploy the Chrome update for CVE-2026-2441 across user workstations, developer endpoints, and any headless Chromium running in build pipelines. Orca
Inventory FortiClient EMS instances, confirm 7.4.5 / 7.4.6 hotfix or 7.4.7 deployment for CVE-2026-35616, and audit logs for indicators of past exploitation. Fortinet PSIRT
ICS and OT operators in water, wastewater, energy, and government services: review the joint advisory AA26-097A and apply Rockwell Allen-Bradley PLC mitigations including changing default credentials, disabling unused services, and removing internet exposure. CISA
Audit MCP server inventory: identify any servers bound to 0.0.0.0, restrict to localhost or private network, enforce authentication, and review tool descriptions for embedded instructions. Unit 42

Short-Term (next 2 to 4 weeks)

Replace end-of-life D-Link routers across remote and SOHO fleets; the only fix is hardware refresh. Dark Reading
Audit DHCP and DNS configuration on all edge routers for APT28-style hijack indicators; lock management interfaces to internal networks only. NCSC
Review AI agent memory stores for poisoning indicators: anomalous long-lived facts, vendor recommendations skewed toward unfamiliar entities, persistent policy beliefs that contradict source-of-truth documents. Microsoft Security Blog | BeyondScale
Implement input validation, goal-lock mechanisms, tool sandboxing with least privilege, and human-in-the-loop approval gates on all high-impact agentic workflows. SwarmSignal
Review hypervisor patch level and ESXi configuration in light of active VM escape exploitation. Huntress
Confirm cPanel patch deployment for CVE-2026-41940 and review web shell, outbound C2, and authentication anomalies for the months-long exposure window. Help Net Security

Strategic (next quarter)

Adopt the OWASP Top 10 for Agentic Applications 2026 as the baseline framework for AI agent security review, including prompt injection, memory poisoning, tool poisoning, rug pull, and cross-tool contamination scenarios. SwarmSignal
Break the lethal trifecta architecturally. For each agent deployment, decide which leg you are removing: private data access, external communication, or untrusted input ingestion. Airia
Stand up a memory hygiene program for stateful AI agents: signed memory writes, provenance tagging, periodic memory diffs against source-of-truth, and human review for long-lived facts. Christian Schneider
Move FortiCloud and similar SSO admin paths behind dedicated bastion controls; the recurring administrative bypass pattern in Fortinet products warrants compensating architecture, not patch-only response. Cyberscoop
Tabletop the Iran-PLC scenario for any organization with OT exposure. The TTPs are public, the targeting pattern is clear, and the kinetic impact path is documented. CISA
Build ransomware leak-site monitoring into third-party risk management. With Fiserv, Nike, Brightspeed, and others surfacing weekly, supplier-driven exposure is a credible primary breach path.