TLP:CLEAR | CTI-2026-0516

Daily Threat Intelligence Brief - May 16, 2026

May 16, 2026 | 12 min read
Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors

Executive Summary

  • CISA added Linux Kernel CVE-2026-31431 (CVSS 7.8) to the Known Exploited Vulnerabilities catalog on May 1 with a federal remediation deadline of May 15, 2026.
  • Microsoft's May 2026 Patch Tuesday addressed 120 vulnerabilities, including 29 critical remote code execution flaws and CVE-2026-41089, a Windows Netlogon RCE rated CVSS 9.8.
  • ShinyHunters extorted Instructure over a Canvas LMS breach affecting roughly 275 million users across 8,809 educational institutions worldwide, with 3.65 TB of data on the line.
  • Google's Threat Intelligence Group disclosed the first confirmed AI-developed zero-day exploit in the wild, a 2FA bypass against a popular open-source web administration tool.
  • Microsoft Security disclosed CVE chains in Semantic Kernel allowing prompt injection to escalate to host-level remote code execution against AI agent infrastructure.
  • Nitrogen ransomware claimed Foxconn, alleging theft of 11 million files containing data from Apple, Dell, Google, Intel, and Nvidia.
  • Iranian-affiliated APT activity disrupting US critical infrastructure PLCs continued through May, with CISA reissuing advisory AA26-097A.
  • MCP supply chain exposure widened: a STDIO transport flaw and CVE-2026-33032 (CVSS 9.8) in nginx-ui MCP endpoint expose roughly 200,000 servers and 2,600 internet-facing instances.

Critical Vulnerabilities

CVE-2026-41089: Windows Netlogon Remote Code Execution

Microsoft addressed an unauthenticated RCE in the Windows Netlogon service, the authentication broker for Windows domains. CVSS 9.8. A remote attacker can send a crafted network request to a domain controller and execute code as SYSTEM. Patch immediately on any DC running Server 2019, 2022, or 2025. (Tenable, Cybersecurity News)

CVE-2026-42898: Microsoft Dynamics 365 RCE

CVSS 9.9. Any authenticated user, no elevated privileges required, can modify the saved state of a Dynamics CRM process session and cause the server to execute attacker-controlled code. Highest-rated bug in the May patch set. (Tenable)

CVE-2026-41096: Windows DNS Client RCE

A malicious DNS server can return a crafted response that corrupts memory on the Windows DNS client and yields code execution. Particularly relevant for endpoints on captive portals, public Wi-Fi, and hotel networks. (BleepingComputer)

CVE-2026-35421: Windows GDI Remote Code Execution

Triggered by viewing a malicious Enhanced Metafile via Microsoft Paint or the Outlook Preview Pane. No user interaction beyond rendering. Phishing payload risk is substantial. (Cybersecurity News)

CVE-2026-31431: Linux Kernel Privilege Escalation

Added to CISA KEV May 1, 2026. CVSS 7.8. An "incorrect resource transfer between spheres" bug yields local root on vulnerable kernels. Federal civilian deadline was May 15. Roll the May stable kernel and verify on long-running production hosts. (CISA, The Hacker News)

CVE-2026-6973: Ivanti EPMM Zero-Day

Exploited as a zero-day prior to Ivanti's May fix. EPMM customers should assume exposure, audit MDM enrollments, and rotate admin credentials. (Help Net Security)

CVE-2026-20182: Cisco Catalyst SD-WAN Manager Auth Bypass

CVSS 10.0. Limited in-the-wild exploitation observed. Sits at the top of the SD-WAN trust boundary. Patch first, audit configurations second. (CISA KEV)

CVE-2026-41940: cPanel/WHM Authentication Bypass

Mass exploitation underway since at least February 2026, two months before the April 28 patch. Any hosting provider running cPanel should assume compromise and triage. (Carthage Electronics Zero-Day Report)

CVE-2026-2441: Chrome / Chromium Zero-Day

High-severity RCE via malicious web content. Exploited in the wild before Google's emergency push. Enterprises with delayed Chrome update channels are still exposed. (Orca Security, SecurityWeek)

CVE-2026-33032: nginx-ui MCP Endpoint RCE

CVSS 9.8. Unauthenticated full takeover of any host exposing the nginx-ui MCP endpoint. Roughly 2,600 instances internet-facing at disclosure. See AI Security section for the broader MCP exposure picture. (Adversa AI MCP Roundup)

AI Security Threats

The agentic AI threat surface accelerated through May 2026. Three trend lines deserve immediate attention from any organization building, hosting, or consuming agentic systems.

First AI-Developed Zero-Day Exploit in the Wild

Google's Threat Intelligence Group published evidence that an unknown threat actor used an AI system to develop a zero-day exploit targeting two-factor authentication on a popular open-source web-based administration tool. This is the first publicly documented instance of an LLM being used end-to-end for vulnerability discovery and exploit generation against a live production target. Google says the campaign appeared aimed at a "mass exploitation event" and was intercepted before reaching scale. The implication: the asymmetry of offense over defense in vulnerability research is widening, and exploit timelines compress from weeks to days. (CNBC, The Hacker News, Help Net Security)

Prompt Injection Escalates from Output to Execution

Microsoft Security Research disclosed a vulnerable path in Microsoft Semantic Kernel where a single crafted prompt was sufficient to launch calc.exe on the device running the AI agent. The class of bug is "prompts become shells": a model with tool-use authority can be coerced into running native code if the host wrapping the model fails to enforce a strict tool-call boundary. This is no longer theoretical. (Microsoft Security Blog)
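A minimal sketch of the strict tool-call boundary described above, added here as an illustration; it is not Semantic Kernel code or Microsoft's fix. The tool names, the JSON envelope (`tool`/`args`) and the length limit are assumptions made for this example.

```python
import json

# Hypothetical tools for this example; handlers are plain functions, never a shell.
def read_ticket(ticket_id: int) -> str:
    return f"ticket {ticket_id}: (constructed sample body)"

def search_docs(query: str, limit: int = 5) -> str:
    return f"{limit} results for {query!r}"

# name -> (handler, argument types, required arguments)
ALLOWED_TOOLS = {
    "read_ticket": (read_ticket, {"ticket_id": int}, {"ticket_id"}),
    "search_docs": (search_docs, {"query": str, "limit": int}, {"query"}),
}
MAX_STR = 200

class ToolCallRejected(Exception):
    pass

def dispatch(model_output: str) -> str:
    """Treat model output as untrusted data: parse, validate, then call a fixed handler."""
    try:
        call = json.loads(model_output)
    except json.JSONDecodeError as exc:
        raise ToolCallRejected("not JSON") from exc
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        raise ToolCallRejected("unexpected envelope")
    name, args = call["tool"], call["args"]
    if not isinstance(name, str) or name not in ALLOWED_TOOLS:
        raise ToolCallRejected("tool not allowlisted")
    handler, types, required = ALLOWED_TOOLS[name]
    if not isinstance(args, dict) or not required <= set(args) <= set(types):
        raise ToolCallRejected("missing or unknown argument")
    for key, value in args.items():
        if type(value) is not types[key]:  # exact match: bool must not pass as int
            raise ToolCallRejected(f"bad type for {key}")
        if isinstance(value, str) and len(value) > MAX_STR:
            raise ToolCallRejected(f"{key} too long")
    return handler(**args)

def decide(model_output: str) -> str:
    """Return the tool result, or a 'rejected: ...' string suitable for logging."""
    try:
        return dispatch(model_output)
    except ToolCallRejected as exc:
        return f"rejected: {exc}"
```

The model can only select a registered handler and supply typed arguments; nothing it emits is ever interpreted as a command line.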

Prompt injection now appears in 73% of production AI deployments according to OWASP's 2026 Top 10 for Agentic Applications. Google researchers measured a 32% increase in malicious prompt injection payloads embedded in indexed web content between November 2025 and February 2026. The attack surface includes:

  • Direct injection through user inputs
  • Indirect injection through retrieved documents, web pages, emails, and file attachments
  • Memory poisoning persisting across sessions in long-context agents
  • Tool-chain hijack where one compromised tool call rewrites subsequent calls
  • Plan injection where the agent's planning step ingests adversarial instructions

(Kunal Ganglani: Prompt Injection 2026, Palo Alto Unit 42)

MCP Supply Chain Risk

The Model Context Protocol ecosystem, which is becoming the de facto integration bus for agentic systems, is dealing with two systemic issues this month:

  1. A fundamental design flaw in the STDIO transport mechanism allows arbitrary OS command execution. The issue impacts all supported SDKs and exposes roughly 200,000 servers.
  2. CVE-2026-33032 in the nginx-ui MCP endpoint allows unauthenticated full takeover, with 2,600+ exposed instances.

Financial institutions that built agentic AI on MCP are inheriting an unpatched command-injection flaw that maps directly to operational risk. Security leaders should mandate transport-layer isolation, centralized governance over MCP server allowlists, and continuous audit of internet-facing MCP integrations. (Adversa AI, The Hacker News on Anthropic MCP, OX Security on MCP)

Real-World Agentic Compromise

Early 2026 saw a major cyberattack against multiple Mexican government systems where an attacker manipulated a frontier AI model to extract roughly 150 GB of sensitive data. Indirect prompt injection has been observed in the wild against commercial AI agents, with attackers seeding payloads in documents that targets uploaded to AI assistants. The model never has to be jailbroken: the data it processes does the work. (Fluid AI Prompt Injection, Palo Alto Unit 42)

Threat Actor Activity

Iranian APT Targeting US Critical Infrastructure

Since at least March 2026, an Iranian-affiliated APT has been disrupting programmable logic controllers across US government services, water and wastewater systems, and energy sector targets. The actors deploy Dropbear SSH on victim endpoints for persistent remote access via port 22, then extract PLC project files and manipulate HMI and SCADA displays. Several victims reported operational disruption and financial loss. CISA advisory AA26-097A remains active. (CISA AA26-097A, Dark Reading)

Salt Typhoon (China MSS)

Salt Typhoon, attributed to China's Ministry of State Security, remains active inside US networks. FBI confirmed continuing operations in February 2026. The group has infiltrated 200+ targets across 80+ countries, with fresh penetration of US House Committee email reported this year. Initial access continues to come from configuration errors and known CVEs rather than novel zero-days. (TechCrunch, Security Affairs, Tenable Salt Typhoon Analysis)

APT28 (Fancy Bear, Russia GRU)

APT28 is running an ongoing global campaign using Prismex, a malware family combining steganography, COM hijacking, and abuse of legitimate cloud services for command and control. Prismex includes both espionage and sabotage modules, with the latter supporting wiper commands. Activity traceable to September 2025 picked up steam in January 2026 and continues through May. (Dark Reading)

Operational Tempo

Unit 42's 2026 research reports the fastest campaigns now move from initial access to data exfiltration in 72 minutes, four times faster than the prior year. Defensive windows have collapsed. (Palo Alto Networks Unit 42)

Ransomware and Data Breaches

Major Incidents (May 2026)

Victim | Threat Actor | Scale | Sector
Instructure (Canvas) | ShinyHunters | 3.65 TB, ~275M users, 8,809 orgs | Education
Foxconn | Nitrogen | 11M files claimed | Manufacturing
Cushman & Wakefield | ShinyHunters | 500K+ Salesforce records, PII | Commercial RE
Mayer LLP | Qilin | Undisclosed | Legal
Navia | Undisclosed | 2.7M people impacted | Benefits Admin

Instructure / Canvas LMS

The Canvas breach is the largest education sector compromise on record. Instructure disclosed an initial incident on May 1. After Instructure claimed containment, the Canvas login page was replaced with a ransomware message on May 7. ShinyHunters listed Instructure on their leak site, claiming theft of 3.65 TB including private messages between students and teachers. Instructure later reached a ransom agreement with the group to prevent the data from being leaked. Exposed records include names, emails, IDs, and chat content. (CNN, The Hacker News, Malwarebytes, Bitdefender)

Foxconn

Nitrogen ransomware claimed Foxconn, the major contract manufacturer for Apple, Dell, Google, Intel, and Nvidia. The group alleges theft of 11 million files containing customer confidential data. If verified, downstream exposure for the named customers is substantial. (TechCrunch)

Cushman & Wakefield

ShinyHunters compromised a Salesforce environment at Cushman & Wakefield, exposing 500,000+ records including PII and internal corporate data. The pattern matches the broader 2026 Salesforce-targeted campaign run by the group. (Privacy Guides Data Breach Roundup)

Ransomware space

The ShinyHunters and Qilin groups dominate May 2026 leak activity. Initial access patterns continue to favor Salesforce OAuth abuse, exposed credentials from infostealers, and unpatched edge devices. Ransom negotiations are shifting toward pure extortion without encryption in many incidents. (BlackFog State of Ransomware 2026, Inside Higher Ed)

Recommended Actions

Immediate (next 24 to 72 hours)

  1. Apply the May 2026 Microsoft Patch Tuesday rollup with priority on domain controllers (CVE-2026-41089), Dynamics 365 (CVE-2026-42898), and DNS clients (CVE-2026-41096).
  2. Verify Linux kernel update covering CVE-2026-31431 on all production hosts. The federal KEV deadline was May 15.
  3. Patch Ivanti EPMM (CVE-2026-6973) and Cisco Catalyst SD-WAN Manager (CVE-2026-20182). Assume breach if patching is delayed and audit accordingly.
  4. For any cPanel/WHM hosting infrastructure, assume compromise from CVE-2026-41940. Triage authentication logs back to February 2026.
  5. Audit internet-facing MCP server inventory. Disable STDIO transport on shared hosts. Pull nginx-ui MCP endpoints behind an authenticated reverse proxy or take them offline pending patch.

Short-Term (next 2 to 4 weeks)

  1. Stand up monitoring for indirect prompt injection signatures in AI agent telemetry: anomalous tool-call sequences, plan rewrites mid-execution, unexpected privilege escalations from low-trust contexts.
  2. Tabletop the Canvas / Salesforce / OAuth pattern: how would your org detect a third-party SaaS extortion event before login pages get defaced?
  3. Refresh the SOC playbook for 72-minute initial-access-to-exfiltration windows. Detection that takes hours is now too slow for the median intrusion.
  4. Review all internally hosted AI agent frameworks for the Semantic Kernel class of prompt-to-shell vulnerability. Enforce a strict allowlist on tool execution and never trust model output as a command source.
  5. Confirm Chrome/Chromium update channels are pushing within 48 hours of release. Slower channels are accumulating exploitable exposure to CVE-2026-2441.
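
The three signatures named in item 1 of this list (anomalous tool-call sequences, plan rewrites mid-execution, privileged actions from low-trust contexts), sketched as detection logic over agent telemetry. This is an added example, not taken from any cited source; the event schema, session ids and tool names are constructed assumptions.

```python
# Constructed telemetry; the fields (s, type, trust, tool, steps) are assumptions.
EVENTS = [
    {"s": "a1", "type": "plan", "steps": ["search_docs", "summarize"]},
    {"s": "a1", "type": "ingest", "source": "web", "trust": "low"},
    {"s": "a1", "type": "tool_call", "tool": "search_docs"},
    {"s": "a1", "type": "tool_call", "tool": "summarize"},
    {"s": "b2", "type": "plan", "steps": ["read_email", "summarize"]},
    {"s": "b2", "type": "tool_call", "tool": "read_email"},
    {"s": "b2", "type": "ingest", "source": "email_attachment", "trust": "low"},
    {"s": "b2", "type": "plan", "steps": ["read_email", "send_email"]},
    {"s": "b2", "type": "tool_call", "tool": "send_email"},
]
HIGH_PRIV = {"send_email", "write_file", "http_post"}  # hypothetical tool names

def detect(events):
    """Return (session, alert) tuples in the order the signatures fire."""
    state, alerts = {}, []
    for ev in events:
        st = state.setdefault(ev["s"], {"plan": None, "started": False, "tainted": False})
        if ev["type"] == "ingest" and ev["trust"] == "low":
            # Taint is sticky: low-trust content stays in context for the session.
            st["tainted"] = True
        elif ev["type"] == "plan":
            if st["started"] and st["plan"] is not None and ev["steps"] != st["plan"]:
                # Keep the original plan as the baseline; do not adopt the rewrite.
                alerts.append((ev["s"], "plan_rewrite_mid_execution"))
            else:
                st["plan"] = ev["steps"]
        elif ev["type"] == "tool_call":
            st["started"] = True
            if st["plan"] is not None and ev["tool"] not in st["plan"]:
                alerts.append((ev["s"], f"unplanned_tool:{ev['tool']}"))
            if st["tainted"] and ev["tool"] in HIGH_PRIV:
                alerts.append((ev["s"], f"high_priv_after_low_trust:{ev['tool']}"))
    return alerts
```

Session `a1` ingests low-trust content but stays within its plan and raises nothing; session `b2` trips all three signatures after reading an attachment.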

Strategic (next 1 to 2 quarters)

  1. Treat MCP and the broader agentic supply chain as production infrastructure: vendor risk reviews, SBOM equivalents for prompts and tools, signed manifests for tool registration.
  2. Build a red team capability that simulates AI-developed exploits. The Google disclosure means this is no longer a research artifact; it is the new attacker baseline.
  3. Move authentication off pure 2FA where the second factor is software-token only. The AI-developed 2FA bypass class will replicate.
  4. Re-evaluate the trust boundary around model output. Default posture: the model is hostile, the prompt corpus is hostile, the retrieved content is hostile. Design accordingly.
  5. Pressure-test vendor SaaS for the Salesforce / OAuth abuse pattern. The ShinyHunters tradecraft generalizes well beyond their current targets.

Sources