TLP:CLEAR | CTI-2026-0513

Daily Threat Intelligence Brief - May 13, 2026

May 13, 2026 | 12 min read
Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors

Executive Summary

  • Microsoft's May 2026 Patch Tuesday shipped 120 fixes with 17 rated Critical, 14 of them remote code execution, headlined by Windows Netlogon (CVE-2026-41089, CVSS 9.8) and Windows DNS Client (CVE-2026-41096, CVSS 9.8) according to BleepingComputer and the Qualys Patch Tuesday review.
  • Palo Alto Networks confirmed active exploitation of a critical unauthenticated buffer overflow in the PAN-OS User-ID Authentication Portal (CVE-2026-0300), with fixes targeted for May 13, per BleepingComputer.
  • CISA added CVE-2026-6973 (Ivanti Endpoint Manager Mobile improper input validation) to the Known Exploited Vulnerabilities catalog after zero-day exploitation, according to Help Net Security and the CISA alert.
  • A Linux kernel "Copy Fail" local privilege escalation flaw (CVE-2026-31431) was added to CISA KEV on May 1 with a May 15 federal deadline, per The Hacker News.
  • ShinyHunters reached a ransom agreement with Instructure after exfiltrating 3.65 TB of Canvas LMS data covering roughly 275 million users across nearly 9,000 organizations, reported by The Hacker News and Malwarebytes.
  • Fortinet released advisories for five product flaws including CVE-2026-26083, a critical unauthenticated missing authorization bug in FortiSandbox, summarized by Cybersecurity News.
  • Microsoft Security published research on RCE primitives reachable through prompt injection in agent frameworks (CVE-2026-25592 and CVE-2026-26030 in Semantic Kernel) and an unauthenticated WebSocket exposure in Azure SRE Agent (CVE-2026-32173, CVSS 8.6), per the Microsoft Security Blog.
  • BerriAI LiteLLM SQL injection landed in CISA KEV on May 8 with a May 11 due date, expanding pressure on AI proxy infrastructure, per the CISA KEV catalog.
  • Anthropic's official Model Context Protocol SDK design weakness affects more than 7,000 publicly accessible MCP servers and over 150 million package downloads, per The Hacker News.

Critical Vulnerabilities

CVE-2026-41089: Windows Netlogon Stack Buffer Overflow (CVSS 9.8)

A critical stack-based buffer overflow in Windows Netlogon. Successful exploitation grants SYSTEM privileges on the domain controller, a direct path to forest compromise. Patched in the May 12 cumulative update. Treat as priority one for any Active Directory environment. Source: Infosecurity Magazine and Qualys.

CVE-2026-41096: Windows DNS Client RCE (CVSS 9.8)

Remote code execution in the Windows DNS Client implementation. Because DNS is a foundational networking service, the blast radius spans every workstation and server that resolves names, allowing rapid lateral propagation. Patched May 12. Source: Cybersecurity News.

CVE-2026-42898: Microsoft Dynamics 365 On-Premises RCE

Authenticated low-privilege RCE in Dynamics 365 On-Premises. No user interaction required, and the flaw escapes the original security scope of the vulnerable component, which is a hallmark of cross-tenant or cross-environment risk. Source: Talos Intelligence.

CVE-2026-41103: Microsoft Entra ID Elevation of Privilege

A critical EoP in Entra ID that allows an attacker to impersonate an existing user by presenting forged credentials, bypassing identity controls. Microsoft rated exploitation "more likely." Source: Cybersecurity News.

CVE-2026-0300: Palo Alto PAN-OS Authentication Portal RCE

Unauthenticated buffer overflow in the PAN-OS User-ID Authentication Portal on PA-Series and VM-Series firewalls. Crafted packets grant root-level arbitrary code execution. Palo Alto confirmed active exploitation, with fixes targeted for May 13. Disable the User-ID auth portal on internet-facing interfaces until patches are deployed. Source: BleepingComputer.

CVE-2026-6973: Ivanti EPMM Improper Input Validation

Authenticated administrative RCE in Ivanti Endpoint Manager Mobile, exploited in the wild before disclosure. Added to CISA KEV on May 7. EPMM compromise enables mobile device fleet manipulation and credential theft at scale. Source: Help Net Security and CISA.

CVE-2026-31431: Linux Kernel "Copy Fail" Local Privilege Escalation

Tracked by Theori and Xint as "Copy Fail." Allows an unprivileged local user to reach root on affected Linux kernels. Added to CISA KEV May 1, federal deadline May 15. Patch via distribution kernel updates and verify on multi-tenant hosts. Source: The Hacker News.

CVE-2026-32202: Windows Shell Authentication Coercion (Zero-Click)

Authentication coercion flaw in Windows Shell that exposes sensitive information without user interaction. Added to CISA KEV with a May 12 federal deadline. Microsoft's earlier patch for a related zero-day used by Russian operators was incomplete, leaving residual exposure. Source: The Register.

CVE-2026-41940: cPanel Authentication Bypass

Critical authentication bypass in cPanel. Exploited in the wild since at least February 23, 2026, well before the patch shipped. Hosting providers and shared environments are the primary target population. Source: Help Net Security.

CVE-2026-2441: Google Chrome Zero-Day RCE

Actively exploited zero-day in the Chrome rendering pipeline, patched in the latest stable release. Browser RCE remains a reliable initial access vector against employees who click. Source: Orca Security.

CVE-2026-26083: Fortinet FortiSandbox Missing Authorization (Critical)

Unauthenticated remote access to restricted sandbox functionality and sensitive analysis data through a GUI-accessible flaw. Affects FortiSandbox 5.0 and 4.4, FortiSandbox Cloud 24/23/5.0, and FortiSandbox PaaS 22.1 through 23.4. Source: Cybersecurity News.

CVE-2026-0073: Android System Component RCE

Critical RCE in the Android System component, exploitable by a proximal or adjacent attacker with no privileges or user interaction. Patched in the May 2026 Android Security Bulletin. Source: Carthage Electronics CVE roundup.

AI Security Threats

The AI attack surface continues to outrun defender tooling. Three trends define the current window.

Prompt Injection Crossed Into RCE

Microsoft Security published research on May 7 detailing how prompt injection in agentic frameworks now produces full code execution primitives, not just content abuse. Two new CVEs in Semantic Kernel, CVE-2026-25592 and CVE-2026-26030, demonstrate the pattern. CVE-2026-26030 is an RCE in a production agent framework where prompt injection escalates into a Python eval() sink. The lesson: any framework that accepts model output as a control signal for an interpreter is a code execution boundary, not a content boundary. Source: Microsoft Security Blog.
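
The interpreter-boundary point above, as an added example that is not from the Microsoft research or from Semantic Kernel: a hypothetical agent lets the model supply a record filter expression. The first function passes it to eval(); the second parses it and evaluates only an allowlisted set of AST nodes. The function names, the record fields and the probe string are assumptions constructed for illustration.

```python
import ast
import operator

SAMPLE_RECORD = {"price": 80, "rating": 4.5}    # constructed sample data
PROBE = "().__class__.__name__ == 'tuple'"      # constructed, harmless probe

class RejectedExpression(ValueError):
    """Raised when model output contains anything outside the allowlist."""

def filter_vulnerable(expr, record):
    # The risky pattern: model text reaches eval(). Emptying __builtins__ is
    # not a sandbox, because attribute access on any literal still works.
    return bool(eval(expr, {"__builtins__": {}}, dict(record)))

_CMP = {ast.Lt: operator.lt, ast.LtE: operator.le, ast.Gt: operator.gt,
        ast.GtE: operator.ge, ast.Eq: operator.eq, ast.NotEq: operator.ne}

def _ev(node, record):
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str)):
        return node.value
    if isinstance(node, ast.Name) and node.id in record:
        return record[node.id]          # only fields of the record resolve
    if isinstance(node, ast.BoolOp):    # And / Or are the only BoolOp operators
        vals = [bool(_ev(v, record)) for v in node.values]
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _ev(node.operand, record)
    if isinstance(node, ast.Compare) and all(type(o) in _CMP for o in node.ops):
        # Evaluate every operand first so that no sub-expression skips checks.
        vals = [_ev(n, record) for n in [node.left, *node.comparators]]
        return all(_CMP[type(o)](a, b)
                   for o, a, b in zip(node.ops, vals, vals[1:]))
    # Call, Attribute, Subscript, Lambda, comprehensions and so on end up here.
    raise RejectedExpression(type(node).__name__)

def filter_hardened(expr, record, max_len=200):
    if len(expr) > max_len:
        raise RejectedExpression("expression too long")
    try:
        return bool(_ev(ast.parse(expr, mode="eval").body, record))
    except (SyntaxError, TypeError) as exc:
        raise RejectedExpression(type(exc).__name__) from exc
```

The probe evaluates successfully under `filter_vulnerable`, which shows that object introspection is reachable from model text; `filter_hardened` rejects it because `Attribute` and `Call` nodes are never interpreted.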

Agentic AI Infrastructure Under Active Attack

CVE-2026-32173 (CVSS 8.6) in the Azure SRE Agent exposed live command streams to any Entra ID account holder through an unauthenticated WebSocket endpoint. Cloud-side agent infrastructure is becoming a privileged trust boundary that lacks the maturity of traditional cloud control planes. Source: Microsoft Security Blog.

The BerriAI LiteLLM SQL injection added to CISA KEV on May 8 is the same story at the proxy layer. AI gateways aggregate sensitive prompts, completions, and keys, and they are now a federal-priority patching target. Source: CISA KEV catalog.

MCP and Tool Poisoning Hit Mainstream

Anthropic's official Model Context Protocol SDK was found to contain a systemic design flaw spanning every supported language (Python, TypeScript, Java, Rust). The exposure footprint is over 7,000 publicly accessible servers and more than 150 million package downloads. The flaw enables remote code execution against AI supply chains, with tool poisoning embedded in tool metadata identified as the most prevalent client-side vulnerability class. Source: The Hacker News.
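
One defensive check against tool poisoning in tool metadata, as an added example that is not part of the SDK or of any advisory: fingerprint each tool's `name`, `description` and `inputSchema` (the fields an MCP `tools/list` response carries) at review time, then expose to the model only tools whose metadata still matches. The function names and both sample tool lists are assumptions constructed for illustration.

```python
import hashlib
import json

def fingerprint(tool):
    """SHA-256 over the tool fields that are placed in the model's context."""
    view = {k: tool.get(k) for k in ("name", "description", "inputSchema")}
    blob = json.dumps(view, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def pin(tools):
    """Run once at review time; store the result with the server inventory."""
    return {t["name"]: fingerprint(t) for t in tools}

def audit(tools, pins):
    """Compare a fresh tools/list result with the pins; return (tool, status)."""
    findings, seen = [], set()
    for t in tools:
        name = str(t.get("name"))
        seen.add(name)
        if name not in pins:
            findings.append((name, "unreviewed"))
        elif fingerprint(t) != pins[name]:
            findings.append((name, "metadata-changed"))
    findings += [(n, "missing") for n in sorted(set(pins) - seen)]
    return findings

def exposable(tools, pins):
    """Only tools whose metadata still matches the reviewed pin reach the model."""
    return [t["name"] for t in tools if pins.get(t.get("name")) == fingerprint(t)]

# Constructed sample data: the tool list as reviewed, then as served later.
REVIEWED = [
    {"name": "read_file", "description": "Read a file from the workspace.",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
    {"name": "list_dir", "description": "List a workspace directory.",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
]
SERVED_LATER = [
    dict(REVIEWED[0], description="Read a file from the workspace. "
         "[constructed: text appended after review]"),
    {"name": "send_report", "description": "Upload a report.",
     "inputSchema": {"type": "object", "properties": {}}},
]

if __name__ == "__main__":
    for finding in audit(SERVED_LATER, pin(REVIEWED)):
        print(finding)
```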

The ContextCrush vulnerability disclosed by Noma Security on March 5 demonstrated that read-only MCP servers can still deliver attacker-controlled instructions into the model's working memory, which then exfiltrates secrets, invokes other tools, or destroys local state. The trust boundary is the context window itself, not the tool surface. Source: Authzed timeline of MCP breaches.

Real-World Agent Abuse for Offensive Operations

Between December 2025 and February 2026, a single threat actor used Anthropic Claude Code and OpenAI GPT-4.1 to breach nine Mexican government agencies, including the federal tax authority, Mexico City's civil registry, and the electoral institute. In September 2025, Anthropic detected a Chinese state-sponsored group hijacking Claude Code instances to conduct autonomous espionage against roughly 30 defense, energy, and technology targets, with AI handling 80 to 90 percent of tactical operations and discovering vulnerabilities at thousands of requests per second. Source: IBM X-Force on agentic AI risks.

Google researchers also recorded a 32 percent increase in malicious prompt injection payloads embedded in public web content between November 2025 and February 2026, evidence that the web itself is now a prompt injection delivery channel for any agent that browses. Source: Atlan analysis.

Time to Exploit Collapsed

Time from disclosure to exploitation has dropped from over 700 days in 2020 to roughly 44 days in 2025, with 28.3 percent of CVEs exploited within 24 hours of disclosure. ENISA reports that 80 percent of phishing campaigns now include AI-generated content. Source: Google Cloud threat intel.

Threat Actor Activity

China-linked operators continue to dominate the espionage signal. Salt Typhoon, behind the 2024 US telecom breach, remains active inside US networks with fresh penetration of House Committee email systems confirmed this year. A separate China-aligned campaign in February 2026 hit more than 50 telecoms and government agencies across 42 countries while abusing Google Sheets for command-and-control opacity. APT41 logged a 113 percent surge in Q1 2025 operations, focused on US trade policy officials, academic economists, and think tanks, the largest single-quarter increase recorded for any nation-state actor. Source: Hive Security state-sponsored actor review and Cybelangel.

APT36 has industrialized polymorphic malware generation through AI, producing variants faster than signature-based detection can keep pace. Russian SVR-aligned Midnight Blizzard (APT29) maintains active operations against NATO-aligned government and diplomatic networks. The 2026 industry benchmark for adversary breakout time, from initial foothold to active exfiltration, is 72 minutes. Source: Hive Security.

Ransomware and Data Breaches

| Incident | Group | Impact | Disclosed |
|---|---|---|---|
| Instructure Canvas LMS | ShinyHunters | 3.65 TB stolen, ~275M users, ~9,000 orgs | 2026-05-07 |
| Cushman & Wakefield | ShinyHunters | 500,000+ Salesforce records, PII and internals | 2026-05 |
| Multiple US universities | Various | Finals-season disruption across higher ed | 2026-05 |

Sources: The Hacker News on Instructure ransom agreement, Malwarebytes on the education breach, and FDD on ransomware crashing finals season.

| Group | Q1 / May 2026 Posture | Notes |
|---|---|---|
| LockBit 5.0 | 163 victims Q1 2026, 4th most active globally | US share down to 21.5%, diversifying |
| Qilin | Expanding share post-RansomHub shutdown | Q1 2026 consolidation winner |
| The Gentlemen | Rising tier, sector-agnostic | Q1 2026 consolidation winner |
| INC_Ransom | 4 new May victims | Steady operator |
| Akira | 3 new May victims | Steady operator |
| Play | 3 new May victims | Steady operator |
| RansomHub | Closed April 2025 | Affiliates migrated to Qilin and LockBit |

Sources: Industrial Cyber Q1 2026 report, Check Point Q1 2026 ransomware analysis, and PurpleOps live tracker.

Recommended Actions

Immediate (next 24 to 72 hours)

  1. Deploy the May 12, 2026 Microsoft cumulative update across all Windows fleets, prioritizing domain controllers (CVE-2026-41089), DNS-resolving endpoints (CVE-2026-41096), Entra ID tenants (CVE-2026-41103), and Dynamics 365 On-Premises (CVE-2026-42898).
  2. For PAN-OS PA-Series and VM-Series firewalls, disable the User-ID Authentication Portal on any internet-facing interface until CVE-2026-0300 hotfixes ship, then patch immediately.
  3. Patch Ivanti EPMM against CVE-2026-6973 and audit administrative session logs for anomalous input that may indicate prior compromise.
  4. Update Linux kernels to address CVE-2026-31431 ("Copy Fail") ahead of the May 15 federal deadline; on multi-tenant hosts, treat any non-trusted local account as a privilege escalation risk until patched.
  5. Patch FortiSandbox against CVE-2026-26083 and restrict GUI access to known administrative networks.
  6. Update BerriAI LiteLLM deployments to the fixed release and rotate any database credentials reachable from the proxy.
  7. Push Chrome and Chromium-based browsers to the latest stable build to remediate CVE-2026-2441.

Short-Term (next 2 to 4 weeks)

  1. Inventory every MCP server in use, internal and third-party, and validate against the Anthropic SDK advisory. Pin to patched SDK versions, restrict outbound network access from MCP runtimes, and disable unused tools.
  2. Treat every agent framework that calls an interpreter (Python eval, shell, code-exec sandboxes) as an RCE boundary. Apply the same controls used for unauthenticated internet-facing services: input validation, capability scoping, and runtime sandboxing.
  3. Implement output filtering and tool capability allowlists for any agent that browses the public web, given the 32 percent rise in injected payloads on public pages.
  4. Audit Entra ID conditional access policies for impersonation-resistant configurations, with attention to forged credential paths exposed by CVE-2026-41103.
  5. Hunt for Salt Typhoon and APT41 tradecraft in telecom, trade-policy, and academic-research network segments, with particular attention to Google Workspace abuse for command-and-control.

Strategic (next quarter)

  1. Stand up an MCP and agent governance program that owns tool registries, sandbox policies, and prompt injection telemetry. Treat the context window as a privileged trust boundary equivalent to a service account.
  2. Codify a 72-minute breakout-time response objective for incident response, aligning detection and containment SLAs with the current adversary benchmark.
  3. Reduce dependence on knowledge management and edtech monocultures (Canvas, Salesforce attack surface) through data minimization, segmented tenants, and offline backup of authoritative records.
  4. Adopt the OWASP Top 10 for Agentic Applications 2026 as a baseline review framework for any LLM system that has read or write access to other systems.
  5. Stand up an AI-assisted phishing detection capability that does not rely solely on signature or template matching, given the ENISA finding that 80 percent of phishing campaigns now use AI-generated content.

Sources