TLP:CLEAR | CTI-2026-0512

Daily Threat Intelligence Brief - May 12, 2026

May 12, 2026 | 13 min read
Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors

Executive Summary

  • CISA added LiteLLM pre-authentication SQL injection CVE-2026-42208 (CVSS 9.3) to the KEV catalog on May 8 with a federal patch deadline of May 11. First in-the-wild exploitation was recorded approximately 26 hours after the GitHub advisory was indexed, confirming a sub-two-day disclosure-to-exploitation window for AI infrastructure bugs.
  • Linux kernel "Copy Fail" vulnerability CVE-2026-31431 (CVSS 7.8) grants unprivileged local root via a 732-byte Python script. CISA KEV addition May 1, federal deadline May 15. Fixes in Linux 6.18.22, 6.19.12, and 7.0.
  • Ivanti Endpoint Manager Mobile CVE-2026-6973 RCE is under active exploitation; FCEB agencies were ordered to remediate by May 10. Four sibling high-severity Ivanti EPMM flaws were disclosed in the same advisory cycle.
  • ShinyHunters compromised Instructure's Canvas LMS, claiming exfiltration of 3.65 TB / 275 million records across 8,809 institutions worldwide. Instructure announced an undisclosed settlement on May 11 and claims the data was destroyed.
  • Anthropic's Model Context Protocol (MCP) reference SDK contains a "by design" remote command execution class affecting up to 200,000 exposed servers and 150M+ downloads across the Python, TypeScript, Java, and Rust SDKs. Anthropic has declined to change the protocol.
  • Microsoft Patch Tuesday lands today (May 12) and is described by deployment vendors as the most consequential Windows update in years, ahead of the June 26 Secure Boot certificate expiration. CVE-2026-32202 carries a May 12 FCEB deadline.
  • Salt Typhoon (PRC MSS) confirmed in 2026 with fresh penetration of US House Committee email; total footprint now spans 200+ companies in 80+ countries. Singapore disclosed all four of its major telecoms were breached by a China-linked group.
  • The 2026 industry benchmark for adversary breakout time has compressed to 72 minutes from foothold to active exfiltration.

Critical Vulnerabilities

CVE-2026-42208: LiteLLM Pre-Auth SQL Injection (CVSS 9.3)

LiteLLM is an open-source AI gateway with more than 22,000 GitHub stars, used to proxy LLM traffic across enterprise stacks. A database query in the proxy API key check concatenated the caller-supplied Bearer token directly into a SELECT against the LiteLLM_VerificationToken table without parameter binding. An unauthenticated attacker can send a crafted Authorization header to any LLM API route (for example, POST /chat/completions) and read or modify the proxy database, exposing virtual API keys, stored provider credentials, and environment configurations.
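The bug class described above, next to its fix, as an added example that is not LiteLLM's code: only the table name comes from this brief, while the column layout, the stored key and both header values are constructed for the demo.

```python
import sqlite3

TABLE = "LiteLLM_VerificationToken"  # name from the brief; the schema here is assumed
SELECT = f'SELECT key_alias FROM "{TABLE}" WHERE token = '

def make_db():
    """Constructed in-memory stand-in for the proxy database, holding one valid key."""
    db = sqlite3.connect(":memory:")
    db.execute(f'CREATE TABLE "{TABLE}" (token TEXT PRIMARY KEY, key_alias TEXT)')
    db.execute(f'INSERT INTO "{TABLE}" VALUES (?, ?)',
               ("sk-constructed-valid-key", "team-a"))
    return db

def bearer(header):
    """Return the value after 'Bearer ', or '' for any other scheme."""
    scheme, _, value = header.partition(" ")
    return value if scheme.lower() == "bearer" else ""

def lookup_concatenated(db, header):
    # Bug class from the brief: caller-supplied text is spliced into the SQL
    # string, so quote characters in the token change the query's structure.
    return db.execute(SELECT + "'" + bearer(header) + "'").fetchone()

def lookup_bound(db, header):
    # Fix: the token travels as a bound parameter and is only compared as data.
    return db.execute(SELECT + "?", (bearer(header),)).fetchone()

# Constructed inputs: the valid key and a textbook tautology string.
VALID = "Bearer sk-constructed-valid-key"
CRAFTED = "Bearer x' OR '1'='1"

def compare():
    """Run both lookups on both headers; returns {name: (valid_row, crafted_row)}."""
    db = make_db()
    lookups = (("concatenated", lookup_concatenated), ("bound", lookup_bound))
    return {name: (fn(db, VALID), fn(db, CRAFTED)) for name, fn in lookups}

if __name__ == "__main__":
    for name, (valid, crafted) in compare().items():
        print(f"{name:13} valid={valid} crafted={crafted}")
```

The same pair of lookups works as a regression test for any key-check path: the bound version must return no row for every header that is not an exact stored key.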

Affected versions: 1.81.16 through 1.83.6. Fixed in 1.83.7-stable (released April 19, 2026); upgrade target is 1.83.10-stable. CISA KEV addition: May 8, 2026. FCEB patch deadline: May 11. First exploitation observed at 16:17 UTC on April 26, roughly 26 hours after the advisory was indexed.

Sysdig and Bishop Fox both observed targeted exploitation against three tables: LiteLLM_VerificationToken, litellm_credentials, and litellm_config. Defenders should assume every unpatched, internet-reachable LiteLLM proxy is compromised and rotate every secret it has ever held.

CVE-2026-31431: Linux Kernel "Copy Fail" LPE (CVSS 7.8)

Local privilege escalation caused by incorrect resource transfer between memory spheres in the Linux kernel. Public proof of concept is a 732-byte Python script that reliably yields root from an unprivileged shell. Fixed in kernel 6.18.22, 6.19.12, and 7.0. CISA KEV addition May 1, FCEB deadline May 15.

Risk weighting is acute for multi-tenant Linux: container hosts, CI runners, VPS providers, and shared developer boxes. Any environment where untrusted code already runs as a non-root user should treat this as immediate.

CVE-2026-6973: Ivanti EPMM Authenticated RCE

Improper input validation in Ivanti Endpoint Manager Mobile that allows a remotely authenticated administrative user to execute arbitrary code on the EPMM server. CISA KEV with FCEB deadline of May 10. Ivanti disclosed four additional high-severity EPMM bugs in the same advisory cycle. Hunt for post-exploit indicators on any internet-facing EPMM host that was not patched before May 8.

CVE-2026-32202: Windows Spoofing / Kernel Flaw

Added to KEV with a May 12 FCEB deadline, aligned with today's Patch Tuesday. Sits inside the May 12 Microsoft release window that the industry has flagged as the final comfortable deployment window before the June 26 Secure Boot certificate expiration.

CVE-2026-32201: SharePoint Spoofing (CVSS 6.5)

Active exploitation against on-prem SharePoint Server. Commonly chained with prior SharePoint RCE primitives for full takeover.

CVE-2026-33825: "BlueHammer"

Patched in the prior Microsoft cycle. CISA KEV deadline was May 6. Continued post-patch exploitation observed against unpatched fleets; remediation cadence remains uneven across enterprise estates.

Anthropic MCP SDK Design Class

Multiple independent researchers (Oligo, OX Security, others) reported a class of unauthenticated command injection bugs across Anthropic's official MCP SDK in Python, TypeScript, Java, and Rust. Categories include: command injection via stdio transport, command injection via direct stdio configuration with hardening bypass, command injection via MCP configuration edit triggered by zero-click prompt injection, and command injection via MCP marketplaces over network requests.

Related CVEs sharing the same root cause: CVE-2025-49596 (MCP Inspector), CVE-2026-22252 (LibreChat), CVE-2026-22688 (WeKnora), CVE-2025-54994 (@akoskm/create-mcp-server-stdio), CVE-2025-54136 (Cursor), and Microsoft MCP server CVE-2026-26118. Anthropic's position is that the behavior is "expected" and the protocol architecture will not change. Up to 200,000 MCP server instances are estimated exposed, with 7,000+ publicly accessible.

AI Security Threats

AI-specific risk surfaces are no longer hypothetical. They are now resident in the CISA KEV catalog alongside traditional infrastructure CVEs, with sub-two-day exploitation windows from disclosure.

Prompt Injection Remains Architecturally Unsolved

OWASP retains prompt injection as LLM01 in its 2025 Top 10. The UK National Cyber Security Centre's December 2025 guidance reaffirmed that prompt injection "may be a problem that is never fully fixed" because it derives from how LLMs interpret natural language without a hard boundary between instruction and data.

Two 2026 vulnerabilities illustrate the prompt-injection-to-RCE escalation pattern that has now become standard:

  • CVE-2026-25592 and CVE-2026-26030 in Microsoft Semantic Kernel allow escalation from prompt injection to code execution inside the agent runtime.
  • CVE-2025-53773 (CVSS 9.6) demonstrated that hidden prompt injection embedded in a pull request description was sufficient to achieve remote code execution through GitHub Copilot.

EchoLeak: Zero-Click M365 Copilot Exfiltration

The EchoLeak vulnerability in Microsoft 365 Copilot proved that a fully zero-click prompt injection could access and silently exfiltrate enterprise data through the assistant's authorized tool context. No user click, no link, no obvious indicator of compromise.

Agentic AI: The MCP Crisis

Agentic systems combine three risks at once: ambient credentials, network reach, and a natural-language command surface. The MCP design class is the canonical 2026 example. Microsoft's May 7 Security Blog post "When prompts become shells" cataloged the RCE patterns now common in AI agent frameworks.

Practical operating assumptions for 2026:

  • Any MCP server reachable on the network with a default stdio transport is potentially a remote shell.
  • An LLM ingesting third-party content (PRs, tickets, emails, web pages) with tool use enabled is an exploit primitive.
  • The "Mother of All AI Supply Chains" framing from OX Security is accurate; one weakness propagates across 150M+ downloads in days, not quarters.

AI in Offensive Operations

ENISA 2025 telemetry shows 80% of phishing campaigns now contain AI-generated content. APT36 has been observed running LLMs as a polymorphic malware assembly line, producing fresh variants faster than signature-based detection adapts. AI in offense is the operating assumption for defenders in 2026, not a forecast.

Defense Posture for AI Workloads

Assume prompt injection will succeed. Defend the blast radius, not the prompt boundary.

  • Least privilege for every agent's tool set; no ambient credentials.
  • Output validation with structured response schemas wherever possible.
  • Network egress filtering on LLM and MCP traffic; deny by default.
  • Logging every tool invocation with full input and output for forensic replay.
  • Clear separation between trusted instructions and untrusted retrieved content.
  • Treat any MCP server as a remote code execution surface until proven otherwise.
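One way to apply the least-privilege, deny-by-default and log-every-invocation points above at the tool-call boundary, as an added example rather than code from any agent framework or MCP SDK: the policy table, agent names, tools and the scenario are all hypothetical.

```python
import json

# Hypothetical policy: per agent, the tools it may call and the argument names
# each tool accepts. Anything not listed is denied.
POLICY = {
    "ticket-summarizer": {"read_ticket": {"ticket_id"}},
    "build-helper": {"run_tests": {"suite"}},
}

class ToolDenied(Exception):
    pass

def invoke(agent, tool, args, registry, audit):
    """Gate one tool call and append a replayable JSON record of it to `audit`."""
    record = {"agent": agent, "tool": tool, "args": args,
              "decision": "deny", "reason": None, "output": None}
    try:
        allowed = POLICY.get(agent, {})
        if tool not in allowed:
            raise ToolDenied(f"{tool} is not in the tool set for {agent}")
        if set(args) != allowed[tool] or not all(isinstance(v, str) for v in args.values()):
            raise ToolDenied(f"arguments for {tool} do not match its schema")
        record["decision"] = "allow"
        record["output"] = registry[tool](**args)
        return record["output"]
    except ToolDenied as exc:
        record["reason"] = str(exc)
        raise
    finally:
        # Every attempt is recorded with full input and output, allowed or not.
        audit.append(json.dumps(record, sort_keys=True, default=str))

# Constructed tools and scenario: the summarizer reads a ticket, then (as it
# would after ingesting poisoned content) attempts a tool it was never granted.
REGISTRY = {
    "read_ticket": lambda ticket_id: f"ticket {ticket_id}: printer offline",
    "send_email": lambda to, body: "sent",
    "run_tests": lambda suite: f"{suite}: passed",
}

def demo():
    audit = []
    invoke("ticket-summarizer", "read_ticket", {"ticket_id": "42"}, REGISTRY, audit)
    try:
        invoke("ticket-summarizer", "send_email",
               {"to": "x@example.com", "body": "ticket export"}, REGISTRY, audit)
    except ToolDenied:
        pass
    return [json.loads(line) for line in audit]
```

The denied attempt is the record worth alerting on: an agent reaching for a tool outside its set is the observable signal that injected instructions were followed.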

Threat Actor Activity

Salt Typhoon (PRC Ministry of State Security)

Confirmed 2026 activity inside US House Committee email systems. Total reported footprint exceeds 200 companies across 80+ countries. The Singapore disclosure that all four major Singaporean telecoms were breached by a China-linked group is consistent with Salt Typhoon TTPs. The CALEA wiretap-portal compromise across US carriers (Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, Windstream) remains the most significant publicly known intelligence-collection compromise of US telecom infrastructure.

Volt Typhoon (PLA Cyberspace Force)

Continued pre-positioning across US critical infrastructure (power, water, ports, communications) for disruption rather than collection. No new public 2026 disclosures, but remediation activity across affected sectors is ongoing and incomplete.

APT41

Q1 2025 recorded a 113% surge in operations correlating with US-China trade tensions. Targets included US trade policy officials, academic economists, and think tanks. Tempo into 2026 remains elevated.

APT36 / Transparent Tribe

Continued operational use of AI-assisted malware generation, flagged by ENISA for polymorphic variant production tempo.

ShinyHunters

Highest-impact criminal actor of May 2026. Claimed responsibility for both the Canvas / Instructure compromise and the Cushman & Wakefield Salesforce theft. Pattern: large-scale exfiltration from SaaS tenants, public extortion via login-page defacement, time-bound ransom demands.

Ransomware and Data Breaches

| Victim | Actor | Records / Volume | Date | Sector |
|---|---|---|---|---|
| Canvas / Instructure | ShinyHunters | 275M records / 3.65TB | 2026-05-07 | EdTech |
| Cushman & Wakefield | ShinyHunters | 500K+ Salesforce recs | 2026-05 | Commercial RE |
| US Telecoms (multi) | Salt Typhoon | Metadata, 1M+ users | Ongoing | Telecom |
| US House Committees | Salt Typhoon | Email content | 2026 (conf) | Government |
| Singapore Telecoms | China-linked | Carrier infrastructure | 2026 | Telecom |

| Attack Type | Notable May 2026 Activity |
|---|---|
| SaaS data extortion | ShinyHunters dominant, Salesforce-tenant targeting at scale |
| LMS compromise | Canvas / Instructure global outage and ransom event |
| AI proxy compromise | LiteLLM SQLi exploited at scale within 36 hours of disclosure |
| MCP server abuse | Cursor, LibreChat, WeKnora, Inspector tracked under shared root |
| Telecom espionage | Salt Typhoon active across US, Singapore, and 80+ countries |
| Kernel privesc | Linux "Copy Fail" PoC compact, stable, multi-tenant impact |

The Canvas / Instructure incident is the largest education-sector breach on record per Wikipedia and Time, with confirmed impact to 8,809 universities, ministries, and other institutions. Instructure's May 11 statement announced an undisclosed settlement and claimed the data was destroyed; verification of destruction is not feasible from the outside.

Recommended Actions

Immediate (Next 24 Hours)

  1. Patch LiteLLM to 1.83.10-stable or later on every proxy instance. Rotate every API key and provider credential stored in LiteLLM_VerificationToken, litellm_credentials, and litellm_config. Assume compromise on any unpatched instance exposed to the internet since April 19.
  2. Apply May 12 Microsoft Patch Tuesday across the Windows estate, with priority on SharePoint, the Windows kernel, and any Secure Boot infrastructure. Validate Secure Boot certificate deployment ahead of June 26.
  3. Patch Ivanti EPMM for CVE-2026-6973 and the four sibling high-severity bugs. Hunt for post-exploit indicators on EPMM hosts that were not patched before May 8.
  4. Patch Linux kernel to 6.18.22, 6.19.12, or 7.0 across multi-tenant systems. The CVE-2026-31431 PoC is small, stable, and trivially weaponized.
  5. Audit every internet-reachable MCP server. Disable stdio MCP transports for anything not behind authenticated, network-isolated channels. Treat exposure as RCE.

Short-Term (Next 30 Days)

  1. Inventory all AI proxies and gateways (LiteLLM, OpenRouter, custom). Patch all, rotate all secrets, place behind network segmentation with explicit egress allowlists.
  2. Build an MCP server inventory across the enterprise. Classify each as trusted, untrusted, or unknown. Default deny on unknown.
  3. Tabletop the AI agent compromise scenario. Walk the path: a Copilot or agent ingests poisoned content, calls a tool with ambient credentials, exfiltrates data. Who notices? When? How is it stopped?
  4. Salesforce hygiene sweep against the ShinyHunters TTP set. Review external connected apps, audit OAuth tokens, enforce IP restrictions, enable Shield monitoring.
  5. Verify Secure Boot certificate posture on every Windows endpoint and server before June 26. Document exceptions explicitly.

Strategic (Next 90 Days)

  1. Adopt an AI security policy that names prompt injection, agentic RCE, and MCP exposure as first-class risks. Tie procurement of any AI tool to a security review covering least privilege, output validation, and network reach.
  2. Treat any LLM with tool use as a privileged identity. Apply service-account controls: rotation, scoping, monitoring, revocation.
  3. Reduce blast radius from criminal SaaS extortion. Minimize the data each SaaS tenant holds. Tokenize PII. Federate identity to a single auditable IdP. Practice the response playbook against the ShinyHunters pattern.
  4. Track Salt Typhoon and Volt Typhoon detection guidance from CISA. Apply network detection rules even outside directly named sectors; pre-positioning targets have expanded.
  5. Plan for AI proxy and MCP being part of standard attack surface in 2027 scoping. They are CISA KEV residents now, not future risk.

Sources