Daily Threat Intelligence Brief - May 9, 2026
Executive Summary
- Palo Alto Networks confirmed in-the-wild exploitation of CVE-2026-0300, an unauthenticated buffer overflow in the PAN-OS User-ID Authentication Portal yielding root RCE on PA and VM-Series firewalls. First fixes land May 13, 2026.
- Ivanti patched CVE-2026-6973 in Endpoint Manager Mobile (EPMM) after observed zero-day exploitation by an authenticated administrative attacker chain.
- CISA added CVE-2026-31431, a Linux kernel local privilege escalation, to the KEV catalog with a federal remediation deadline this month.
- ShinyHunters claims a 3.65 TB exfiltration from Instructure (Canvas LMS) covering roughly 275 million students, teachers, and staff across nearly 9,000 institutions, including Harvard, MIT, Oxford, Stanford, and Cambridge.
- Microsoft Security disclosed a class of RCE bugs in AI agent frameworks (notably Semantic Kernel) where prompt injection becomes a code execution primitive once tools are wired in.
- Google Threat Intelligence Group reports a 32% increase in malicious indirect prompt injection payloads between November 2025 and February 2026.
- Iranian state group MuddyWater observed running a false-flag intrusion masquerading as Chaos ransomware via Microsoft Teams social engineering.
- Cushman & Wakefield disclosed exposure of more than 500,000 Salesforce records in a ShinyHunters-attributed incident.
- Salt Typhoon remains entrenched in US telecom and federal infrastructure with fresh activity confirmed against House Committee email systems in 2026.
Critical Vulnerabilities
CVE-2026-0300: Palo Alto PAN-OS Unauthenticated RCE
| Attribute | Value |
|---|---|
| CVSS | 9.3 (Critical) |
| Product | PAN-OS PA-Series, VM-Series |
| Component | User-ID Authentication Portal (Captive) |
| Vector | Network, unauthenticated |
| Status | Actively exploited, limited campaigns |
A specially crafted packet to the captive portal triggers a buffer overflow yielding root code execution on the firewall plane. Initial fixes are scheduled for May 13, 2026 with follow-on coverage May 28. Operators should disable the User-ID portal on internet-facing interfaces immediately and apply Threat Prevention signatures as released. References: Wiz Research, SecurityWeek, Triskele Labs.
CVE-2026-6973: Ivanti EPMM Authenticated RCE Zero-Day
| Attribute | Value |
|---|---|
| Severity | High |
| Product | Ivanti Endpoint Manager Mobile |
| Vector | Network, authenticated administrator |
| Root cause | Improper input validation |
| Status | Exploited as zero-day |
Ivanti shipped fixes for five high-severity EPMM bugs, with CVE-2026-6973 confirmed exploited in the wild. The chain typically requires a compromised or credential-stuffed admin account, so monitor admin sessions for anomalous post-authentication behavior. Reference: Help Net Security.
CVE-2026-31431: Linux Kernel Local Privilege Escalation
| Attribute | Value |
|---|---|
| CVSS | 7.8 (High) |
| Product | Linux kernel |
| Vector | Local, low privilege |
| Impact | Root shell, container escape risk |
| Status | KEV-listed, active exploitation |
The flaw is an incorrect resource transfer between security spheres. Containerized workloads are at elevated risk because escape from a compromised container to host root becomes trivial. Patch kernels and validate seccomp/AppArmor profiles on shared multi-tenant nodes. References: The Hacker News, CISA Alert.
CVE-2026-23918: Apache HTTP/2 DoS and Potential RCE
| Attribute | Value |
|---|---|
| Severity | Critical |
| Product | Apache HTTPD mod_http2 |
| Vector | Network, unauthenticated |
| Impact | Denial of service, possible RCE |
| Exposure | Default builds, HTTP/2 widely enabled |
mod_http2 ships in default Apache builds, so the exposure footprint is broad across enterprise web tiers. Operators should patch and consider WAF mitigations against malformed HTTP/2 frame sequences. Reference: The Hacker News.
CISA KEV Activity
CISA pushed eight additions in late April with federal remediation deadlines spanning April through May 2026, including SimpleHelp, Samsung MagicINFO 9, D-Link DIR-823X, WebPros cPanel & WHM, and ConnectWise ScreenConnect. The May 1 update added CVE-2026-31431 with the standard 21-day FCEB clock. References: CISA Alert April 20, The Hacker News KEV update.
AI Security Threats
The AI threat surface in May 2026 is no longer theoretical. Three concurrent stories matter for any organization shipping LLM features, autonomous agents, or MCP integrations.
Prompts as Shells: RCE in Agent Frameworks
Microsoft Security Response Center published a research disclosure on May 7, 2026 documenting a class of remote code execution flaws in AI agent frameworks. The thesis is direct: once a model is wired to tools, the conceptual line between "content" and "code" collapses. Two specific issues in Semantic Kernel were demonstrated to convert prompt injection into a code execution primitive. The implication is that any agent that loads untrusted documents, scrapes web pages, or processes third-party tickets is, in effect, a remote code execution surface. Reference: Microsoft Security Blog.
Indirect Prompt Injection Volume Surge
Google's Threat Intelligence Group observed a 32% relative increase in malicious indirect prompt injection payloads between November 2025 and February 2026. Unit 42 catalogued ten in-the-wild indirect prompt injection payloads targeting AI agents. Documented payload intents include financial fraud (PayPal.me $5,000 redirects aimed at agents with payment tools), data destruction commands targeting agentic coding assistants, API key exfiltration, and shell command execution against AI-powered CI/CD reviewers. References: Google Security Blog, Unit 42, Infosecurity Magazine.
One Million Exposed AI Services
A scan of one million internet-exposed AI services published this week concludes that AI infrastructure is more vulnerable, more exposed, and more misconfigured than any prior software category measured. The dominant findings are unauthenticated inference endpoints, default credentials on vector databases, and writable model registries. Reference: The Hacker News.
Defensive Posture for Agentic AI
| Control | Why it matters |
|---|---|
| Tool allow-listing | Removes the most dangerous capabilities before injection lands |
| Output gating | Prevents direct shell, file, or network actions from raw LLM output |
| Provenance tagging | Tracks which content was untrusted at retrieval time |
| Per-tool capability scopes | Limits blast radius of a compromised step |
| Human-in-the-loop on writes | Forces approval for irreversible actions |
Treat every agent as a shell with bad input validation. The "lethal trifecta" of untrusted input, sensitive data access, and external action capability is the failure pattern. Cut any one of those edges and the chain breaks. References: Airia AI Security, Sombra LLM Risks 2026.
Time to Exploit Compression
Time from disclosure to exploitation has fallen from over 700 days in 2020 to roughly 44 days in 2025 and trending lower in 2026, driven in part by AI-assisted exploit development and automated reconnaissance. Patch SLAs designed around quarterly cycles are now a compliance fiction. Reference: The Hacker News, Year of AI-Assisted Attacks.
Threat Actor Activity
Salt Typhoon (China)
Salt Typhoon, the actor behind the 2024 US telecom intrusions, remains active inside US networks with fresh penetration of House Committee email systems confirmed in 2026. A separate China-linked February 2026 campaign hit more than 50 telecom and government targets across 42 countries, using Google Sheets as a covert command channel. Singapore disclosed a China-linked breach of all four of its major telecom providers. Reference: Hive Security State-Sponsored 2026.
MuddyWater (Iran)
Rapid7 attributed a recent intrusion to MuddyWater (Mango Sandstorm, Seedworm, Static Kitten) that masqueraded as Chaos ransomware. The chain begins with Microsoft Teams social engineering, harvests credentials, and plants Chaos artifacts as a false flag to obscure state-sponsored intent. No file encryption ever fired, which is itself the indicator. Reference: SecurityWeek, The Hacker News.
APT41 (China)
APT41 operations rose 113% in Q1 2025 and remain elevated through 2026, with a tilt toward US trade policy officials, academic economists, and think tanks. The targeting tracks geopolitical posture rather than incidental opportunity.
APT36 (Pakistan)
APT36 is the first documented nation-state actor running an AI-driven malware assembly line, producing polymorphic variants at machine speed. Detection engineering relying on file hashes alone is now a losing proposition against this actor.
Adversary Breakout Time
The 2026 benchmark for adversary breakout, defined as initial foothold to active lateral exfiltration, sits at roughly 72 minutes. Detection pipelines that page on a 6-hour SLA are arriving after the data is gone.
Ransomware and Data Breaches
Major Incidents This Week
| Victim | Actor | Impact | Source |
|---|---|---|---|
| Instructure (Canvas) | ShinyHunters | 275M records, 3.65 TB, ~9,000 orgs | TechCrunch |
| Cushman & Wakefield | ShinyHunters | 500,000+ Salesforce records | SharkStriker |
| Vimeo | ShinyHunters | 119,000 names and emails leaked | SharkStriker |
| RXNT | Undisclosed | Patient EHR data exposed | ClaimDepot |
| QLearn (Queensland) | Linked Canvas | Student/teacher data since 2020 | Malwarebytes |
Instructure / Canvas Deep Dive
Instructure confirmed the cybersecurity incident on May 1, 2026 and said the event was contained the next day. Preliminary scope includes names, email addresses, student ID numbers, and message content among users. ShinyHunters published a list of 8,809 affected school districts, universities, and education platforms with per-org record counts ranging from tens of thousands to several million. Newly named victims include Harvard, MIT, Oxford, Stanford, and Cambridge. Class action work is already underway. References: Time, TechRadar, Inside Higher Ed, CNN.
ShinyHunters Pattern
Three of the five named incidents this week trace to ShinyHunters, all involving SaaS or cloud SaaS-adjacent data stores (Salesforce, LMS, video). Treat the actor as a SaaS supply chain threat rather than an endpoint problem. Audit OAuth grants, third-party integrations, and connected-app inventories before assuming endpoint controls cover the risk.
Recommended Actions
Immediate (within 72 hours)
- Apply Palo Alto Networks fixes for CVE-2026-0300 as soon as released on May 13. Until then, disable User-ID Authentication Portal on any internet-exposed interface and constrain management plane access to known admin networks.
- Patch Ivanti EPMM for CVE-2026-6973. Force admin credential rotation and review admin session logs for anomalous post-auth activity over the last 30 days.
- Patch Linux kernel for CVE-2026-31431 across container hosts and shared-tenant nodes. Re-validate seccomp, AppArmor, and SELinux policies on production workloads.
- Inventory exposure to Apache mod_http2 and patch for CVE-2026-23918. Add WAF rules for malformed HTTP/2 frame sequences as defense in depth.
- Verify your organization is not in the published Instructure breach victim list. If yes, force student and staff password resets and watch for spear-phishing using exposed student ID and message context.
Short-Term (within 30 days)
- Audit OAuth grants and third-party SaaS integrations on Salesforce, M365, Google Workspace, and any LMS. Revoke unused, over-scoped, or unowned tokens.
- Stand up a tool allow-list and output gate for any internal AI agent that has shell, file, or network capability. Treat the agent as a shell with bad input validation.
- Add provenance tagging to all retrieval pipelines so untrusted content is marked at ingest time and downstream tools can refuse to act on it.
- Review and shorten patch SLAs to reflect a 44-day exploitation window, not a quarterly cycle.
- Tabletop a ShinyHunters-style SaaS data theft scenario, with focus on detection of large outbound API reads and OAuth abuse, not endpoint encryption.
Strategic (this quarter)
- Move from file-hash detection to behavioral detection. APT36's AI-generated polymorphic pipeline makes signature-based defense increasingly cosmetic.
- Build a measurable detection SLA against the 72-minute breakout benchmark. Anything slower is decoration.
- Stand up an AI red team practice covering indirect prompt injection, tool abuse, and memory poisoning. Borrow from the OWASP LLM Top 10 and the agentic AI threat model literature. Reference: OWASP LLM Top 10.
- Establish a SaaS supply chain inventory with named owners, last-reviewed dates, and revocation playbooks.
- Add contractual security floors for any LMS, EHR, or collaboration vendor handling regulated data.
Sources
- CISA Known Exploited Vulnerabilities Catalog
- CISA Alert, May 1, 2026
- CISA Alert, April 20, 2026
- Wiz, PAN-OS CVE-2026-0300
- SecurityWeek, Palo Alto Zero-Day
- Triskele Labs, PAN-OS CVE-2026-0300
- Help Net Security, Ivanti EPMM CVE-2026-6973
- The Hacker News, Linux Kernel CVE-2026-31431
- The Hacker News, Apache HTTP/2 CVE-2026-23918
- The Hacker News, KEV April-May Deadlines
- Microsoft Security Blog, Prompts Become Shells
- Google Security Blog, Prompt Injections in the Wild
- Unit 42, Indirect Prompt Injection
- Infosecurity Magazine, 10 In-the-Wild IPI Attacks
- The Hacker News, One Million Exposed AI Services
- The Hacker News, Year of AI-Assisted Attacks
- Airia, Lethal Trifecta
- Sombra, LLM Security Risks 2026
- OWASP LLM Top 10
- SecurityWeek, MuddyWater False Flag
- The Hacker News, MuddyWater via Teams
- Hive Security, State-Sponsored Actors 2026
- TechCrunch, Instructure Breach
- Time, Canvas Cyberattack Explainer
- TechRadar, Universities Named in Canvas Breach
- Inside Higher Ed, Pay or Leak
- CNN, Canvas Hack Impact
- Malwarebytes, Education Breach
- SharkStriker, May 2026 Breach Roundup
- ClaimDepot, RXNT Breach