TLP:CLEAR | CTI-2026-0515

Daily Threat Intelligence Brief - May 15, 2026

May 15, 2026 | 12 min read
Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors

Executive Summary

  • CISA added Cisco Catalyst SD-WAN Controller authentication bypass CVE-2026-20182 to the Known Exploited Vulnerabilities catalog on May 14 after evidence of active in-the-wild exploitation granting attackers administrative privileges.
  • Microsoft shipped its May 2026 Patch Tuesday addressing 118 CVEs (16 critical, 102 important), the first month since June 2024 with zero actively exploited or publicly disclosed zero-days; critical RCEs in Windows DNS Client (CVE-2026-41096) and Netlogon (CVE-2026-41089) lead the queue.
  • Foxconn confirmed a cyberattack by the Nitrogen ransomware gang, which claims theft of 11 million files including confidential customer data tied to Apple, Dell, Google, Intel, and Nvidia.
  • The Instructure Canvas breach escalated; ShinyHunters claims 275 million records covering 8,809 institutions, with Instructure reportedly reaching a ransom agreement on May 11 (unconfirmed $10M payment).
  • A systemic "by design" flaw in Anthropic's Model Context Protocol SDK exposes more than 7,000 publicly accessible MCP servers and 150 million+ downloaded packages to remote code execution risk.
  • Microsoft Semantic Kernel disclosed CVE-2026-25592 and CVE-2026-26030, prompt-injection-to-code-execution chains in production AI agent frameworks.
  • Palo Alto Networks warned of CVE-2026-0300, an unauthenticated buffer overflow in PAN-OS User-ID Authentication Portal allowing root RCE on internet-exposed firewalls.
  • China-linked Salt Typhoon continues operations inside US networks with confirmed penetration of House Committee email systems; Twill Typhoon updated its modular .NET RAT framework targeting Asia-Pacific.
  • Carthage Electronics flagged cPanel/WHM authentication bypass CVE-2026-41940 as arguably the most actively exploited vulnerability on the internet, with exploitation traced back to February 2026.

Critical Vulnerabilities

CVE-2026-20182: Cisco Catalyst SD-WAN Controller Authentication Bypass

A critical authentication bypass in Cisco Catalyst SD-WAN Controller is being exploited in zero-day attacks. Successful exploitation grants attackers full administrative privileges on the device, enabling lateral movement into managed branch networks. CISA added the flaw to the KEV catalog on May 14, 2026. Federal agencies have a near-term remediation deadline.

Source: BleepingComputer, Cisco SD-WAN zero-day attacks; Windows Forum, KEV alert.

CVE-2026-41940: cPanel/WHM Authentication Bypass

cPanel disclosed a critical authentication bypass in cPanel and WebHost Manager on April 28, 2026. Exploitation in the wild has been traced to at least February 2026, putting roughly two months of unpatched live abuse behind the disclosure. Given the prevalence of cPanel across hosting providers, exposure is broad and exploitation is trivial.

Source: Carthage Electronics, Zero-Day Threat Alert May 2026.

CVE-2026-0300: Palo Alto Networks PAN-OS Buffer Overflow

A pre-authentication buffer overflow in PAN-OS User-ID Authentication Portal permits arbitrary code execution with root privileges over the network via specially crafted packets. Internet-exposed PA-Series and VM-Series firewalls are affected. No authentication is required. Palo Alto issued workarounds and a phased patch.

Source: BleepingComputer, Palo Alto firewall zero-day.

CVE-2026-41096: Windows DNS Client Heap Overflow (RCE)

A heap-based buffer overflow in the Windows DNS Client is exploitable without authentication or user interaction. CVSS 9.8. Microsoft patched the issue in the May 2026 cumulative update. No known active exploitation at publication, but the unauthenticated network attack vector makes proof-of-concept publication a likely accelerant.

Source: Tenable, May 2026 Patch Tuesday analysis.

CVE-2026-41089: Windows Netlogon RCE

Remote code execution in Windows Netlogon, the authentication service for Active Directory domains. CVSS 9.8. Successful exploitation against a domain controller would be catastrophic. Patch via May 2026 Patch Tuesday.

Source: Lansweeper, Microsoft Patch Tuesday May 2026.

CVE-2026-42898: Microsoft Dynamics 365 RCE

A remote code execution flaw in on-premises Dynamics 365 with CVSS 9.9 requires no user interaction. Patch immediately for any on-prem D365 instance with HTTP exposure.

Source: Cybersecurity News, Microsoft Patch Tuesday May 2026.

CVE-2026-31431: Linux Kernel Privilege Escalation

CISA added a Linux kernel "Incorrect Resource Transfer Between Spheres" vulnerability to KEV based on evidence of active exploitation. Local privilege escalation primitive on affected kernel branches.

Source: CISA, Adds One Known Exploited Vulnerability to Catalog.

CVE-2026-0073: Android System RCE

Google's May 2026 Android Security Bulletin discloses a critical remote code execution flaw in the Android System component, exploitable by a proximal/adjacent attacker with no privileges and no user interaction. OEM rollouts staggered through May and June.

Source: Carthage Electronics, Zero-Day Threat Report May 2026.

AI Security Threats

The agentic AI threat surface materially expanded in the past 30 days, with three converging stories shaping the threat picture: an architectural flaw in the Model Context Protocol itself, weaponized prompt injection escalating to remote code execution in production AI agent frameworks, and the first wave of nation-state actors abusing commercial LLMs as offensive tooling.

Anthropic MCP "By Design" Architectural Flaw

Security researchers disclosed a systemic vulnerability in Anthropic's Model Context Protocol SDK affecting Python, TypeScript, Java, and Rust implementations. The flaw enables arbitrary command execution on any system running a vulnerable MCP server, granting direct access to user data, internal databases, API keys, and chat history. Exposure is severe: more than 7,000 publicly accessible MCP servers and software packages totaling 150 million+ downloads. Anthropic declined to modify the protocol architecture, citing the behavior as expected. Some vendors have issued patches; the reference implementation remains unaddressed. This is the agentic AI supply chain equivalent of a Log4j-class issue: a foundational library, broad deployment, vendor unwilling to mitigate at the source.

Source: The Hacker News, Anthropic MCP Design Vulnerability; SecurityWeek, "By Design" Flaw in MCP.

CVE-2026-33032: nginx-ui MCP Endpoint RCE

An unauthenticated remote code execution flaw in the nginx-ui MCP endpoint scores CVSS 9.8 and exposes more than 2,600 internet-facing instances to full system takeover.

Source: Adversa AI, Top MCP security resources May 2026.

CVE-2026-25592 and CVE-2026-26030: Microsoft Semantic Kernel

Microsoft's Security Research team disclosed two critical vulnerabilities in Semantic Kernel, a widely deployed AI agent orchestration framework. Both bugs cross the boundary from content security weakness to code execution primitive. CVE-2026-26030 is the cleaner demonstrator: a prompt injection escalates into a Python eval() execution sink, converting a user-supplied string into native code on the agent host. Microsoft's mitigation removes the AI model's ability to autonomously trigger the vulnerable functions, but agent operators must upgrade.

Source: Microsoft Security Blog, When prompts become shells.

CVE-2025-53773: GitHub Copilot Indirect Prompt Injection to RCE

Hidden prompt injection placed inside a pull request description achieves remote code execution via GitHub Copilot agent actions. CVSS 9.6. The attack model is fully indirect: the victim does not need to author or even read the malicious prompt; merely having Copilot operate on the PR is sufficient.

Source: Securance, Prompt injection OWASP #1 AI threat 2026.

EchoLeak: Microsoft 365 Copilot Zero-Click Exfiltration

The EchoLeak vulnerability in Microsoft 365 Copilot demonstrated zero-click indirect prompt injection capable of silently exfiltrating enterprise data accessible to the user. The path-of-least-resistance attack chain has three steps: a poisoned document is dropped into a shared SharePoint location, Copilot ingests it during summarization or search, and extraction occurs without any user interaction with the document.

Source: Sombra, LLM Security Risks 2026.

Anthropic Claude Abused in Mexican Government Intrusion

In early 2026, a multi-agency intrusion campaign against Mexican federal government systems was attributed to an actor who used Anthropic's Claude as an offensive vulnerability discovery aid. This is one of the first publicly documented nation-state-scale uses of a commercial LLM as an active intrusion-development tool, not merely a content-generation tool.

Source: Security Journey, Prompt Injection Attacks 2026.

Field Telemetry

Recent security audit aggregates put prompt injection vulnerabilities in roughly 73% of production AI deployments. Unit 42 documented the first large-scale indirect prompt injection campaigns in the wild during March 2026, including ad-review evasion and live system-prompt leakage on commercial platforms. 48% of surveyed security professionals now name agentic AI as the top attack vector for 2026.

Sources: Cycode, Top AI Security Vulnerabilities 2026; The Hacker News, Why Agentic AI Is Security's Next Blind Spot.

Threat Actor Activity

| Actor | Affiliation | Recent Activity | Source |
|---|---|---|---|
| Salt Typhoon | China (PRC) | Continued access in US networks, House Committee email penetration | Hive Security |
| Twill Typhoon | China (PRC) | Updated .NET modular RAT, Asia-Pacific and Japan targeting | SecurityWeek, Chinese APTs Expand |
| MuddyWater | Iran (MOIS) | False-flag intrusion masquerading as Chaos ransomware affiliate | Infosecurity Magazine |
| Iranian APTs | Iran | Direct interaction with US water and energy SCADA/HMI systems | Trellix, Iranian Cyber Capability 2026 |
| ShinyHunters | Criminal | Instructure Canvas extortion, Cushman & Wakefield Salesforce theft | The Hacker News, ShinyHunters Canvas |
| Nitrogen | Criminal | Foxconn breach, claimed exfiltration of 11M files | TechCrunch, Foxconn breach |

Operational note: state-sponsored actors have conducted more than 297 documented supply chain attacks and breached 200+ telecom operators across six continents in the recent reporting window, with AI-generated content embedded in the majority of phishing operations. Ukrainian infrastructure has seen at least four new wiper families deployed in the same period.

Ransomware and Data Breaches

| Target | Sector | Actor | Impact | Source |
|---|---|---|---|---|
| Instructure | EdTech | ShinyHunters | 275M records, 8,809 institutions, alleged $10M ransom | The Hacker News |
| Foxconn | Manufacturing | Nitrogen | 11M files claimed, customer data for Apple/Nvidia | TechCrunch |
| Cushman & Wakefield | Real Estate | ShinyHunters | 500K+ Salesforce records, PII and corporate data | SharkStriker, May 2026 Data Breaches |
| Multiple Universities | Education | ShinyHunters | Finals-season disruption, Canvas downtime | FDD, Ransomware Hackers Crash Finals |

The Instructure incident is the headline. After an initial May 1 disclosure and apparent containment, attackers reasserted access on May 7 by replacing the Canvas login page with a ransom message during the US college finals window. Operational pressure on Instructure peaked, and a settlement was reportedly reached on May 11 with rumors of a $10 million payment and a claim of data destruction. Defenders should treat any "data destroyed" claim from a criminal counterparty as a marketing line, not a control.

Sources: Malwarebytes, Millions of students' personal data stolen; Wikipedia, 2026 Canvas security incident; Inside Higher Ed.

Recommended Actions

Immediate (next 24 to 72 hours)

  • Patch Cisco Catalyst SD-WAN Controller for CVE-2026-20182 and audit administrative accounts for recent unauthorized creation or privilege change.
  • Apply Microsoft May 2026 Patch Tuesday across the estate, prioritizing domain controllers (CVE-2026-41089 Netlogon), internet-exposed Windows hosts (CVE-2026-41096 DNS Client), and on-prem Dynamics 365 (CVE-2026-42898).
  • Apply cPanel/WHM update for CVE-2026-41940 on any owned or managed hosting infrastructure, and review web access logs for indicators of exploitation back to February 2026.
  • Apply Palo Alto PAN-OS update or workaround for CVE-2026-0300 on any internet-facing PA-Series or VM-Series firewall, and review GlobalProtect portal logs for anomalous activity.
  • Inventory all internet-exposed MCP servers and nginx-ui instances. Patch CVE-2026-33032 immediately; for Anthropic SDK-based servers, restrict to authenticated internal callers until vendor mitigation is available.

Short-Term (next 30 days)

  • Upgrade Microsoft Semantic Kernel deployments and any other AI agent frameworks that allow tool invocation triggered by model output. Validate the upgrade actually removes autonomous invocation of high-risk sinks.
  • Disable GitHub Copilot agent actions on pull requests authored by untrusted contributors until CVE-2025-53773 mitigations are confirmed deployed.
  • Implement allow-listing for tool calls and content sources ingested by enterprise Copilot, ChatGPT Enterprise, and equivalent assistants. Treat untrusted documents as untrusted code.
  • Conduct a tabletop exercise specifically scoped to the EchoLeak-style zero-click prompt injection scenario: poisoned document, automated assistant ingestion, silent exfiltration.
  • For higher-education and SaaS-dependent organizations, audit third-party data residency and incident notification clauses against the Instructure case. The vendor took 10 days to reach resolution; your contractual recovery time may not match that.
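
The following is an added example, not code from this brief or from Semantic Kernel. It illustrates the pattern in the Semantic Kernel entry and the tool-call recommendations above: a model-reachable eval() sink beside a hardened evaluator, behind a gate that allow-lists tools and refuses model-initiated calls to high-risk sinks. The tool names, `dispatch`, and the `initiator` and `approved_by` parameters are hypothetical.

```python
import ast
import operator

# Arithmetic operators the calculator tool accepts; everything else is rejected.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
        ast.Div: operator.truediv, ast.USub: operator.neg}

def unsafe_calc(expr):
    """The sink pattern: a model-controlled string reaches eval()."""
    return eval(expr)

def safe_calc(expr):
    """Hardened form: walk the parsed AST, allow numbers and arithmetic only."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.operand))
        raise ValueError("disallowed expression node: " + type(node).__name__)
    return walk(ast.parse(expr, mode="eval"))

# Hypothetical allow-list: tool name -> (callable, is_high_risk_sink).
TOOLS = {
    "calc": (safe_calc, False),
    "run_python": (unsafe_calc, True),   # legacy eval() tool, operator use only
}

class ToolCallDenied(Exception):
    """Raised when the gate refuses a tool call."""

def dispatch(tool, arg, *, initiator, approved_by=None):
    """Allow-list check first, then refuse model-initiated calls to
    high-risk sinks unless a named operator approved this specific call."""
    if tool not in TOOLS:
        raise ToolCallDenied(f"{tool!r} is not on the allow-list")
    fn, high_risk = TOOLS[tool]
    if high_risk and initiator == "model" and not approved_by:
        raise ToolCallDenied(f"{tool!r} needs operator approval")
    return fn(arg)

if __name__ == "__main__":
    print(dispatch("calc", "2 * (3 + 4)", initiator="model"))  # constructed input
```

The same gate doubles as a regression check after an upgrade: a model-initiated call to any high-risk tool should raise `ToolCallDenied`.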

Strategic (next quarter)

  • Stand up an AI Bill of Materials practice covering models, prompts, tools, agents, MCP servers, and data sources. The Anthropic MCP situation makes clear that protocol-level supply chain risk is now a first-class concern.
  • Add prompt injection and agent escape test cases to the standard penetration testing scope. Treat agentic AI assets with the same rigor as internet-exposed web applications.
  • Build human-in-the-loop guardrails for any agent capable of executing code, accessing privileged credentials, or modifying production systems. Autonomous loops with privileged tools are the new public-facing admin console.
  • Reassess your reliance on Anthropic, OpenAI, and Microsoft hosted AI services for high-sensitivity work given documented commercial-LLM abuse in nation-state intrusions and the protocol-level MCP exposure.
  • Validate ransomware tabletop assumptions against the dual reality of the May 2026 wave: actors are willing to re-extort after settlement (Canvas) and willing to publish customer-of-customer data (Foxconn) to amplify leverage.

Sources