Daily Threat Intelligence Brief - May 10, 2026

Executive Summary

CVE-2026-0300 (Palo Alto Networks PAN-OS): Critical buffer overflow in the User-ID Authentication Portal under active exploitation, granting unauthenticated root RCE on PA-Series and VM-Series firewalls. Patches expected May 13. Added to CISA KEV May 6, 2026.
CVE-2026-31431 (Linux Kernel "Copy Fail"): Local privilege escalation to root via a 732-byte Python script. Affects every major distro shipping kernels built since 2017. Added to CISA KEV May 1; FCEB deadline May 15.
CVE-2026-6973 (Ivanti EPMM): Zero-day RCE allowing authenticated administrators to execute arbitrary code on managed device infrastructure. Patches released this week.
CVE-2026-42208 (BerriAI LiteLLM): SQL injection in the LLM proxy gateway. Added to CISA KEV May 8 with a 3-day federal patch deadline (May 11).
ShinyHunters / Canvas (Instructure): 3.65 TB and roughly 275 million student and teacher records exfiltrated across 8,809 institutions. Largest education-sector breach on record.
Microsoft Patch Tuesday May 12: Final pre-deadline window before the June 26 Secure Boot certificate expiration that risks boot-level failures across the Windows fleet.
Iranian APT: Multi-sector disruption of internet-exposed Rockwell Automation PLCs across US water, energy, and government facilities, ongoing since March.
Microsoft Security Research: Disclosed RCE-class flaws in Semantic Kernel (CVE-2026-25592, CVE-2026-26030) where prompt injection escalates to code execution inside agent frameworks.
Five Eyes Joint Guidance: ACSC, CISA, NSA, CCCS, NCSC-NZ, NCSC-UK published coordinated guidance warning that agentic AI deployments outpace defensive controls.

Critical Vulnerabilities

CVE-2026-0300: Palo Alto Networks PAN-OS User-ID Portal RCE

CVSS: Critical. Status: Actively exploited. Vendor patch: May 13, 2026.

A buffer overflow in the PAN-OS User-ID Authentication Portal allows an unauthenticated remote attacker to execute arbitrary code as root on internet-facing PA-Series and VM-Series firewalls via specially crafted packets. CISA added the flaw to KEV on May 6 with a tight federal remediation deadline. Exploitation is in the wild and predates the patch by roughly a week, putting any exposed User-ID portal at immediate risk.

Mitigation guidance: restrict User-ID portal exposure to trusted management networks, enable threat prevention signatures from Palo Alto's content release as soon as available, and inventory internet-facing PA-Series and VM-Series devices for unexpected administrative sessions or new local accounts.

Reference: Help Net Security, The Hacker News, BleepingComputer.

CVE-2026-31431: Linux Kernel Incorrect Resource Transfer (LPE)

CVSS: 7.8. Status: Actively exploited. CWE: 699.

A local privilege escalation flaw in the kernel's resource-transfer path allows an unprivileged local user to obtain root with a 732-byte proof-of-concept Python script. Affects every major distribution running kernels built since 2017, including Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, SUSE 16, Debian, Fedora, and Arch. CISA added the bug to KEV May 1 with a federal remediation deadline of May 15. Distribution maintainers have shipped patched kernels.

Mitigation guidance: prioritize kernel updates on multi-tenant systems, container hosts, and CI runners where untrusted code executes. Validate kernel version through uname -r after reboot.

Reference: The Hacker News, Cybersecurity News, CISA Alert.

CVE-2026-6973: Ivanti EPMM Authenticated RCE

CVSS: High. Status: Exploited as zero-day prior to patch.

An improper input validation flaw in Ivanti Endpoint Manager Mobile (EPMM) allows remote attackers with administrative privileges to execute arbitrary code on vulnerable instances. EPMM administers mobile device fleets, so a compromise often pivots into managed corporate devices and the credentials they hold.

Mitigation guidance: apply Ivanti's published fixes immediately, audit administrative account use over the past 30 days, and review device enrollment events for anomalies.

Reference: Help Net Security.

CVE-2026-23918: Apache HTTP/2 Double-Free

CVSS: Critical. Status: Public PoC; DoS confirmed, RCE plausible.

A double-free in Apache HTTP/2 affects version 2.4.66, enabling denial of service and potential remote code execution. Given Apache's installed base, exposure is broad across web-facing infrastructure.

Mitigation guidance: upgrade to the patched Apache release, disable HTTP/2 if upgrade is not immediately feasible, and front Apache with a hardened reverse proxy where possible.

Reference: The Hacker News.

CVE-2026-31431 (cPanel): WebPros cPanel and WHM Auth Bypass

Status: Actively exploited.

An authentication bypass in the cPanel and WHM login flow lets unauthenticated remote attackers reach the control panel. A separate cPanel zero-day was used to compromise Government of Guam websites earlier this month, indicating active interest from both criminal and state-aligned operators in hosting-control-plane access.

Mitigation guidance: patch cPanel and WHM to the most recent release, restrict WHM access by source IP, and rotate credentials and API tokens scoped to affected hosts.

Reference: SharkStriker.

CVE-2026-32202: ConnectWise ScreenConnect Path Traversal

Status: In KEV.

A path traversal flaw in ConnectWise ScreenConnect allows attackers to execute remote code or directly affect confidential data and critical systems. ScreenConnect's MSP footprint makes a single compromise a many-tenant problem.

Mitigation guidance: confirm patch level, review on-prem ScreenConnect instances for unexpected sessions, and rotate any credentials operators have stored in the tool.

Reference: CISA KEV.

CVE-2026-42208: BerriAI LiteLLM SQL Injection

Status: In KEV; 3-day federal patch deadline (May 11).

LiteLLM is a widely deployed LLM proxy and gateway. A SQL injection in the management plane lets attackers read and modify the data store backing model-routing, key management, and usage logging. The short KEV deadline reflects how often LiteLLM sits in the credential path between applications and frontier model APIs. Compromise here exposes API keys, routing rules, and request and response logs.

Mitigation guidance: patch LiteLLM immediately, rotate every model-provider API key fronted by the affected gateway, and review request logs for unexpected key creation or rule changes.

Reference: CVEFeed CISA KEV.

AI Security Threats

The week's signal is consistent: AI agent frameworks have become a primary execution surface, and the boundary between "natural language input" and "code execution" continues to collapse.

Prompt Injection Becomes a Code Execution Primitive

Microsoft Security Research published a detailed analysis on May 7 walking through how prompt injection in agent frameworks crosses from content security into remote code execution. Their disclosures include CVE-2026-25592 and CVE-2026-26030 in Semantic Kernel, where an attacker-controlled prompt can chain into code execution inside the agent's host process. The pattern repeats across frameworks: once a model is wired to tools, every text input is potentially a function call. Reference: Microsoft Security Blog.

Indirect Prompt Injection in the Wild

Unit 42 documented the first large-scale indirect prompt injection attacks observed on commercial platforms in March, and the trend has accelerated. Confirmed techniques include ad-review evasion, system-prompt leakage, and instructions hidden in pages an agent is asked to summarize. Reference: Help Net Security, TechRepublic.

Mexican Government LLM-Assisted Breach

Earlier this year an attacker reportedly manipulated a frontier model during the compromise of Mexican government systems, leading to the exfiltration of roughly 150 GB of sensitive data. The incident illustrates the risk profile when agents have read access to operational data and tool access to outbound network paths. Reference: Sombra.

Agentic AI Supply Chain: ClawHavoc

Investigators uncovered ClawHavoc, a supply chain campaign that uploaded over 1,100 malicious skills to ClawHub for OpenClaw users, masquerading as productivity, crypto, and coding utilities. The campaign exploits the same trust pattern that drove npm and PyPI typosquats but at the agent-skill layer. Reference: IBM X-Force.

Five Eyes Joint Guidance on Agentic AI

ACSC, CISA, NSA, CCCS, NCSC-NZ, and NCSC-UK released coordinated guidance on May 4 cautioning against rapid agentic AI rollout in enterprise and federal environments. The guidance highlights confused-deputy attacks, prompt injection via logs and intermediate data, and "semantic mosaic" data leakage where benign individual disclosures aggregate into a sensitive whole. Reference: The Register, ASD ACSC PDF, Cyber.gov.au.

LiteLLM Adds an LLM Gateway to KEV

The CISA KEV addition of CVE-2026-42208 in BerriAI LiteLLM (see above) is a milestone: an LLM proxy is now a federal patch-deadline asset. Treat LLM gateways as Tier-0 infrastructure on par with identity providers. Reference: CVEFeed.

GitHub Actions Comment-and-Control

Researchers identified AI agents in GitHub Actions vulnerable to "comment-and-control" prompt injection, allowing attackers to use repository comments as a control channel and exfiltrate credentials from the runner environment. Multiple vendors patched quietly without public advisories. Reference: Adversa AI.

Industry Posture

A Dark Reading readership poll found 48% of cybersecurity professionals identify agentic AI and autonomous systems as the top attack vector heading into 2026. Reference: Dark Reading.

Threat Actor Activity

UAT-8302 (China-nexus)

Cisco Talos disclosed UAT-8302, a China-nexus group targeting government entities in South America since late 2024 and southeastern European government agencies through 2025. Tooling overlaps with prior China-nexus activity and includes VSHELL, the SNOWLIGHT stager, and a new Rust-based stager Talos tracks as SNOWRUST. Reference: Cisco Talos.

Iranian-Affiliated APT vs US Critical Infrastructure

Since at least March 2026, Iranian-affiliated APT operators have disrupted internet-facing Rockwell Automation and Allen-Bradley PLCs across US government services, water and wastewater systems, and the energy sector. CISA's joint advisory documents overseas-based IP infrastructure used to access exposed PLCs. Reference: CISA AA26-097A, Industrial Cyber, Dark Reading.

APT28 (Russia)

Through 2024 and into 2026, APT28 has been provisioning VPS infrastructure as operational platforms and exploiting routers to overwrite DHCP and DNS settings, redirecting victim traffic through attacker DNS resolvers for adversary-in-the-middle credential and OAuth-token harvesting. Reference: NCSC UK.

ShinyHunters

Most active criminal actor of the week. Claimed responsibility for the Canvas/Instructure breach, the Cushman and Wakefield compromise, and a Vimeo third-party vendor incident exposing customer email addresses, video metadata, and technical data. Operating tempo and target selection match a focused exfiltration-and-extortion model rather than encryption ransomware. Reference: Time, SharkStriker.

Ransomware and Data Breaches

Victim	Actor	Sector	Impact	Date
Canvas / Instructure	ShinyHunters	Education	3.65 TB, ~275M records, 8,809 institutions	2026-05-08
Cushman and Wakefield	ShinyHunters	Commercial RE	Corporate data exfiltration	2026-05
Vimeo (via vendor)	ShinyHunters	Media / SaaS	Customer emails, video metadata exposed	2026-05
AMS Group	Stormous	Industrial	33 GB exfiltrated	2026-05-10
Arup Group	Fulcrumsec	Engineering	Data theft, scope undisclosed	2026-05-10
Government of Guam	Unattributed	Government	cPanel zero-day exploited	2026-05
San Diego CCD	Unattributed	Education	Operational disruption	2026-05-02

The encryption-free exfiltration-and-extortion model dominates the week. ShinyHunters in particular continues to outpace traditional locker crews on victim count by leaning on cloud and SaaS access vectors rather than endpoint encryption. Reference: Morphisec, SharkStriker, Ransomware.live, Wikipedia.

KEV Patch Deadlines This Week

CVE	Product	KEV Added	Federal Deadline
CVE-2026-31431	Linux Kernel	2026-05-01	2026-05-15
CVE-2026-0300	Palo Alto PAN-OS	2026-05-06	Per CISA
CVE-2026-42208	BerriAI LiteLLM	2026-05-08	2026-05-11

CISA is also reportedly evaluating a 3-day patch deadline policy for KEV entries broadly, which would compress the LiteLLM-style timeline into the standard. Reference: SC Media.

Recommended Actions

Immediate (Next 24 to 72 Hours)

Patch Palo Alto PAN-OS the moment vendor fixes ship May 13. Until then, restrict User-ID portal exposure to management networks only.
Apply Linux kernel updates on multi-tenant hosts, container hosts, and CI runners. Confirm by uname -r post-reboot.
Patch Ivanti EPMM. Audit administrative account activity for the last 30 days.
Patch BerriAI LiteLLM and rotate every model-provider API key fronted by the affected gateway.
Patch ConnectWise ScreenConnect and cPanel and WHM. Rotate operator credentials.
Snapshot and isolate any internet-exposed PLC running Rockwell Automation and Allen-Bradley firmware. Pull from public addressing.

Short-Term (1 to 4 Weeks)

Stage and test Microsoft Patch Tuesday May 12 across the fleet. Confirm Secure Boot certificate deployment status against the June 26 deadline.
Inventory every LLM gateway and agent framework deployed in production. Treat them as Tier-0 alongside identity infrastructure.
Deploy detection for indirect prompt injection patterns in agent input streams (instructions in fetched HTML, PDF, image OCR, log lines).
Run a tabletop on a ShinyHunters-style cloud and SaaS exfiltration scenario. Validate that egress controls and DLP would catch a 1 TB pull.
Review GitHub Actions and CI configurations for AI agent steps. Eliminate comment-triggered agent execution paths.

Strategic (1 to 6 Months)

Implement a model-input provenance and signing layer: distinguish first-party prompts from data the model is asked to summarize or act on.
Adopt the OWASP ASI Top 10 controls for agentic systems. Apply confused-deputy mitigations: scope agent capabilities to the lowest privilege required per task, not per session.
Stand up a private skill and plugin registry for any agent platform in use. Hash-pin known-good agent skills. Block ad-hoc skill installation.
Move OT and PLC fleets behind explicit jump infrastructure. Internet-exposed PLCs are a closed question.
Build an LLM-aware logging pipeline. Capture prompt, retrieved context, tool calls, and tool results as a single auditable record.