Daily Threat Intelligence Brief - May 19, 2026

Executive Summary

Microsoft confirmed in-the-wild exploitation of CVE-2026-42897, an Exchange Server spoofing and XSS zero-day affecting Subscription Edition, 2019, and 2016; CISA added the flaw to KEV on May 15 with a May 29 federal remediation deadline.
Cisco disclosed CVE-2026-20182, a maximum-severity (CVSS 10.0) authentication bypass in Catalyst SD-WAN Controller and Manager exploited as a zero-day before public disclosure on May 14.
Ivanti EPMM RCE CVE-2026-6973 is under active exploitation against a limited set of customers; CISA shortened the federal patch window to four days, requiring remediation by May 12.
ShinyHunters extorted Instructure into paying a ransom after stealing 3.65TB and roughly 275 million records from Canvas, the largest education sector compromise of the year.
Grafana Labs disclosed a token theft incident attributed to the Coinbase Cartel extortion crew that gave the attacker access to its GitHub environment and source repositories.
CVE-2026-33032 (CVSS 9.8) in nginx-ui MCP endpoints exposes more than 2,600 agentic AI deployments to unauthenticated full takeover; CVE-2026-32173 (CVSS 8.6) in Azure SRE Agent leaks live command streams via an unauthenticated WebSocket.
Linux LPE CVE-2026-31431 (CVSS 7.8) added to CISA KEV after evidence of in-the-wild abuse for root-level access on multiple distributions.
NSA issued an urgent advisory on May 1 warning that pro-Russia hacktivists are actively targeting OT and SCADA assets in North American and European water and wastewater systems.
MuddyWater (Iran-linked) observed abusing Microsoft Teams for credential theft in a false-flag ransomware campaign, expanding the group's social-engineering tradecraft beyond traditional spear phishing.

Critical Vulnerabilities

CVE-2026-42897: Microsoft Exchange Server zero-day (spoofing + XSS)

Microsoft published an emergency advisory after detecting in-the-wild exploitation of CVE-2026-42897, a spoofing and cross-site scripting vulnerability in on-premises Exchange Server Subscription Edition, 2019, and 2016. The flaw allows an attacker to send a specially crafted email that triggers JavaScript execution in Outlook Web Access under specific conditions, enabling session theft and inbox access. CISA added the CVE to KEV on May 15, 2026 with a remediation deadline of May 29. Organizations running on-prem Exchange should apply the May out-of-band update immediately and audit OWA logs for anomalous redirects and script execution.

Sources: SecurityWeek, Security Affairs, Infosecurity Magazine.

CVE-2026-20182: Cisco Catalyst SD-WAN authentication bypass (CVSS 10.0)

Cisco disclosed a maximum-severity authentication bypass in Catalyst SD-WAN Controller and Manager on May 14. Threat actors were already exploiting the flaw before public disclosure, granting admin-level control over the SD-WAN fabric of victim networks. CISA added the CVE to KEV the same week with a May 17 federal deadline. Cisco has released patched builds; operators should apply the fix, rotate controller credentials, and review configuration changes since early April.

Sources: The Hacker News, Tenable, BleepingComputer.

CVE-2026-6973: Ivanti EPMM authenticated RCE

Ivanti patched a high-severity remote code execution flaw (CVSS 7.2) in Endpoint Manager Mobile after detecting active exploitation against a limited customer set. Successful exploitation requires admin authentication, but researchers assess that attackers are chaining the issue with earlier unauthenticated Ivanti flaws to harvest the required credentials before pivoting to RCE. Fixed versions are 12.6.1.1, 12.7.0.1, and 12.8.0.1. CISA gave federal agencies only four days to remediate, an unusually compressed window.

Sources: The Hacker News, Help Net Security, SecurityWeek, SOCRadar.

CVE-2026-31431: Linux kernel local privilege escalation

CISA added CVE-2026-31431 (CVSS 7.8) to KEV after confirming exploitation in the wild. The bug enables an unprivileged local user to escalate to root across multiple mainstream Linux distributions and is well-suited for second-stage tooling after initial container or web-shell access. Distros have shipped patched kernels; operators should apply updates and review eBPF and auditd telemetry for suspicious privilege transitions.

Source: The Hacker News.

CVE-2026-41089: Windows Netlogon stack overflow (Critical RCE)

Patch Tuesday for May 2026 shipped fixes for 137 vulnerabilities, with 31 rated Critical. The standout is CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon. An unauthenticated attacker can deliver a crafted network request to a domain controller and gain code execution at the highest possible privilege tier. No exploitation has been observed yet, but DCs should be patched first across the fleet.

Sources: Cisco Talos, BleepingComputer, Qualys.

CVE-2026-42898: Microsoft Dynamics 365 on-prem RCE (CVSS 9.9)

A near-maximum severity RCE in on-prem Dynamics 365 requires no user interaction and yields code execution in the application context. Customers running on-prem deployments should treat this as the highest priority Dynamics fix of the year.

Source: Cybersecurity News.

CVE-2026-0073: Android System component RCE

Google's May 2026 Android Security Bulletin patched a critical RCE in the Android System component exploitable by a proximal or adjacent attacker with no privileges and no user interaction. Devices on shared Wi-Fi or corporate networks face the highest risk; mobile fleets should be force-updated.

Source: Carthage Electronics.

AI Security Threats

The agentic AI attack surface continued to mature in May, with the first generation of MCP-native CVEs landing alongside fresh data on prompt injection prevalence in production deployments. Two themes dominate this month's reporting: infrastructure-level prompt injection (versus model-level) and unauthenticated exposure of agent control planes.

CVE-2026-33032: nginx-ui MCP unauthenticated takeover (CVSS 9.8)

A critical flaw in the nginx-ui MCP endpoint allows unauthenticated attackers to seize full control of any exposed instance. Researchers identified more than 2,600 internet-exposed deployments at the time of disclosure, many of them fronting agent toolchains for financial-services pilots. Because MCP endpoints typically wrap shell, file, and HTTP primitives, takeover translates directly into arbitrary command execution on the host. Treat any MCP server as a Tier-0 asset and gate it behind authenticated proxies.

Source: Aembit.

CVE-2026-32173: Azure SRE Agent live command stream exposure (CVSS 8.6)

The Azure SRE Agent shipped with an unauthenticated WebSocket endpoint that allowed any Entra ID account holder to subscribe to live command streams from in-flight remediation jobs. This effectively turns a cloud-native SRE agent into a passive credential and command harvester. Microsoft has patched the agent; tenants should audit deployment manifests and rotate any secrets that traversed the agent in April or May.

Source: Adversa AI MCP roundup.

Prompt injection prevalence and the OWASP LLM Top 10

Independent audits aggregated in May 2026 reporting found prompt injection vectors present in roughly 73 percent of production AI deployments. OWASP retains prompt injection as LLM01 in its updated LLM Top 10, and Munich Re's 2026 cyber risk report classifies it as a "major attack vector" because of its low cost, high scalability, and absence of a deterministic fix. The probabilistic nature of LLMs makes a perfect instruction-versus-data boundary impossible; defenders should plan for defense in depth (input sanitization, output filtering, allowlisted tool sets, human-in-the-loop on irreversible actions), not prevention.

Sources: Kunal Ganglani, Securance, Cycode.

Carryover exploits still being weaponized

Two 2025 disclosures continue to drive incidents in 2026:

EchoLeak (CVE-2025-32711, CVSS 9.3): zero-click extraction of sensitive content from Microsoft 365 Copilot via crafted messages.
CVE-2025-53773 (CVSS 9.6): hidden prompt injection in pull request descriptions yielding RCE via GitHub Copilot agents.

Both vectors are now showing up in red-team engagements targeting financial-services and software-vendor environments that adopted Copilot in 2025 without subsequently revisiting permissions.

Source: The Hacker News (referenced in Cygeniq roundup).

Claude Code 512K leak: three vulnerability classes

Analysis of the 512K-line Claude Code source leak reported in May identifies three structural vulnerability classes worth tracking even by teams that do not use the product: context poisoning during compaction, sandbox bypass via shell parser differentials, and supply-chain risk where extension authors can mutate effective agent permissions at runtime. The lesson generalizes to any coding agent that supports plugins or session compaction.

Source: Adversa AI agentic AI roundup.

Defender takeaway

Treat MCP servers, agent runtimes, and Copilot-style integrations as production identity and execution surfaces. The 2026 control set should include: MCP egress isolation, signed tool manifests, immutable audit trails for tool calls, explicit human approval gates on destructive primitives (deploy, send, delete), and continuous red-teaming with at least the OWASP LLM01 through LLM10 test corpus.

Threat Actor Activity

Salt Typhoon (China) continues US telecom and government persistence

Salt Typhoon, the Chinese state-aligned actor behind the 2024 US telecom intrusions, remains active inside US networks. Fresh penetration of House Committee email environments has been confirmed in 2026. The group's tradecraft favors long-dwell positioning over data theft, consistent with strategic pre-positioning.

Source: Hive Security.

MuddyWater (Iran) abuses Microsoft Teams for credential theft

MuddyWater shifted away from email-only delivery and is now abusing Microsoft Teams chat to deliver phishing payloads and harvest corporate credentials under the cover of a false-flag ransomware narrative. Detection engineering should add Teams external-message anomaly rules and flag any tenant where external federation was recently enabled.

Source: The Hacker News.

NSA: pro-Russia hacktivists targeting OT in water and wastewater

On May 1, NSA issued an urgent advisory warning that pro-Russia hacktivist crews are actively probing and attacking small-scale OT devices in North American and European water and wastewater systems. Mitigations include disconnecting HMIs from the public internet, enforcing MFA on remote access, and changing default credentials on PLCs and SCADA appliances.

Source: ReversingLabs.

Adversary breakout time

CrowdStrike telemetry referenced across May reporting puts the 2026 average breakout time (initial access to lateral movement) at 72 minutes. Detection and response programs that still target multi-hour SLAs are out of policy versus current adversary speed.

Source: Hive Security.

Ransomware and Data Breaches

Victim	Actor	Impact	Disclosed
Instructure (Canvas LMS)	ShinyHunters	3.65TB stolen, ~275M records, ransom paid	2026-05-12
Grafana Labs	Coinbase Cartel	GitHub token theft, source code accessed	2026-05-09
West Pharmaceutical Services	Undisclosed	Incident response active, data scope unclear	2026-05-04
Ocean City Radio	Undisclosed	Operational shutdown after ransom event	2026-05-12
OpenAI (third-party vector)	Undisclosed	Limited data theft via code security incident	2026-05-14

Sector	Notable trend in May 2026
Education	Largest single-event record exposure of 2026 to date
Software vendors	Source-repo theft via stolen CI and integration tokens
Pharma and biotech	Recurring targeting of manufacturing IT and OT seams
Local media	Small-market victims forced offline by ransom economics
AI labs	Code-security regressions surfacing as data exfil paths

Sources: The Hacker News on Instructure, Malwarebytes on student data theft, SharkStriker May 2026 breach digest, TechCrunch on OpenAI.

Recommended Actions

Immediate (next 72 hours)

Patch on-prem Exchange Server for CVE-2026-42897 and audit OWA logs for anomalous JavaScript execution and session redirects.
Apply Cisco Catalyst SD-WAN updates for CVE-2026-20182, rotate controller credentials, and review fabric configuration history.
Patch Ivanti EPMM to 12.6.1.1, 12.7.0.1, or 12.8.0.1 and rotate all administrative credentials, especially if January credential-rotation guidance was skipped.
Inventory and remove internet exposure of any nginx-ui MCP endpoint pending the CVE-2026-33032 fix; place MCP behind authenticated reverse proxies.
Update Azure SRE Agent and rotate any secrets that flowed through it in April or May for CVE-2026-32173.

Short-Term (next 30 days)

Roll Windows updates for CVE-2026-41089 (Netlogon) starting with domain controllers, and CVE-2026-42898 (Dynamics 365 on-prem).
Patch Linux fleets for CVE-2026-31431 and add detections for unexpected privilege transitions to root.
Force-update Android device fleets for CVE-2026-0073, especially BYOD on corporate Wi-Fi.
Add detections for Microsoft Teams external phishing patterns associated with the MuddyWater shift, and review tenant federation changes since April.
Stand up an MCP and agent inventory: enumerate every tool the agent can call, who can invoke it, and which actions are reversible versus destructive.

Strategic (next quarter)

Adopt MCP and agent-tier controls as a discrete program: signed tool manifests, scoped credentials per tool, human approval gates on destructive primitives, and immutable audit trails.
Run a continuous prompt-injection red team using at least the OWASP LLM Top 10 test corpus, with explicit coverage of indirect injection via documents, web pages, and ticket comments.
Reduce mean time to contain to under the 72-minute adversary breakout benchmark by automating containment for high-confidence detections in EDR and identity.
For critical infrastructure operators, treat the May 1 NSA OT advisory as the impetus to disconnect HMIs from the public internet, enforce MFA on remote OT access, and replace default credentials on PLCs and SCADA appliances.
Build a third-party software supply-chain inventory that explicitly captures CI tokens, registry credentials, and any GitHub or GitLab access granted to integration vendors; rotate quarterly.