TLP:CLEAR | CTI-2026-0522

Daily Threat Intelligence Brief - May 22, 2026

May 22, 2026 | 12 min read
Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors

Executive Summary

  • CISA added CVE-2026-34926 (Trend Micro Apex One on-premise) and CVE-2025-34291 (Langflow) to the Known Exploited Vulnerabilities catalog on May 21, 2026, with active exploitation confirmed in real-world campaigns.
  • Cisco SD-WAN Controller and Manager authentication bypass CVE-2026-20182 carries a CVSS 10.0 rating with a federal remediation deadline of May 17, 2026 that has now passed for non-compliant agencies.
  • Linux kernel local privilege escalation CVE-2026-31431 ("Copy Fail") is exploitable via a 732-byte Python script and was added to KEV on May 1, 2026.
  • Microsoft Exchange Server zero-day CVE-2026-42897, disclosed May 14, 2026, enables arbitrary JavaScript execution against Outlook Web Access users with no patch available at time of publication.
  • ShinyHunters claims theft of approximately 275 million records from Instructure's Canvas learning platform, naming 8,809 affected districts and universities.
  • Azure SRE Agent flaw CVE-2026-32173 (CVSS 8.6) exposed live command streams via an unauthenticated WebSocket endpoint, demonstrating that agentic AI infrastructure is now a primary attack surface.
  • Salt Typhoon (China-linked) maintains active presence inside US House Committee email systems and broader telecom infrastructure breached in 2024.
  • Adversary breakout time benchmark for 2026 now sits at 72 minutes from initial foothold to active exfiltration.
  • 48% of surveyed cybersecurity professionals rank agentic AI as the top attack vector for 2026, outranking deepfakes and supply chain threats.

Critical Vulnerabilities

CVE-2026-20182: Cisco SD-WAN Authentication Bypass

  • CVSS: 10.0 (Critical)
  • Vendor: Cisco
  • Products: Catalyst SD-WAN Controller, Catalyst SD-WAN Manager (on-premises and SD-WAN Cloud)
  • Impact: Unauthenticated remote attackers can obtain administrative access to SD-WAN fabric, including policy modification and lateral movement into managed branch networks.
  • Status: Added to CISA KEV with federal remediation deadline of May 17, 2026.
  • Action: Apply Cisco patches immediately. Audit recent admin authentication logs for anomalous IPs and out-of-hours sessions. Rotate operator credentials and API tokens.
  • Source: https://thehackernews.com/2026/05/cisa-adds-cisco-sd-wan-cve-2026-20182.html
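One way to run the admin-log audit named in the Action item above, as an added example that is not part of the original brief and not Cisco tooling. The record layout, the administrative CIDR ranges and the business-hours window are assumptions, and the sample records are constructed.

```python
import ipaddress
from datetime import datetime

# Assumptions for this example: known administrative source ranges and a
# business-hours window expressed in the log's own timezone.
ADMIN_RANGES = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.0/28")]
BUSINESS_HOURS = range(7, 19)   # 07:00 to 18:59
WEEKEND = {5, 6}                # Saturday, Sunday

# Constructed sample records: timestamp, user, source IP, result.
SAMPLE_LOG = """\
2026-05-18T09:14:02 netops1 10.20.0.15 success
2026-05-19T02:41:37 admin 203.0.113.77 success
2026-05-19T02:43:10 admin 203.0.113.77 success
2026-05-20T23:05:00 netops2 10.20.0.22 success
2026-05-21T10:30:45 admin 198.51.100.9 failure
2026-05-21T11:02:11 netops1 192.0.2.5 success
"""

def parse(line):
    """Split one record into typed fields."""
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, ipaddress.ip_address(src), result

def audit(log_text):
    """Return (timestamp, user, ip, reasons) for each successful admin login to review."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = parse(line)
        if result != "success":
            continue  # failed attempts are a separate hunt
        reasons = []
        if not any(src in net for net in ADMIN_RANGES):
            reasons.append("unknown-source")
        if ts.hour not in BUSINESS_HOURS or ts.weekday() in WEEKEND:
            reasons.append("out-of-hours")
        if reasons:
            findings.append((ts.isoformat(), user, str(src), reasons))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```
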

CVE-2026-34926: Trend Micro Apex One On-Premise

CVE-2025-34291: Langflow Remote Code Execution

  • Vendor: Langflow (open-source LLM orchestration framework)
  • Impact: Active exploitation against deployed Langflow instances. KEV addition on May 21, 2026.
  • Notes: Langflow is widely deployed for prototyping LLM workflows and is often left internet-exposed during development. Exploitation can pivot directly into upstream model APIs and connected data sources.
  • Action: Patch immediately, remove public exposure, rotate any API keys stored in Langflow flows, audit connected vector stores and tool integrations.
  • Source: https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html

CVE-2026-31431: Linux Kernel "Copy Fail" Local Privilege Escalation

  • CVSS: 7.8 (High)
  • Vendor: Linux kernel
  • Impact: Unprivileged local user obtains root via a 732-byte Python script. Reliable, deterministic exploit.
  • Status: KEV addition May 1, 2026 with federal deadline May 15, 2026.
  • Action: Patch distribution kernels. Treat any multi-tenant Linux host, CI runner, or container host as critical. Audit recent root-level activity on developer workstations.
  • Source: https://cybersecuritynews.com/linux-kernel-0-day-vulnerability-exploited/

CVE-2026-42897: Microsoft Exchange Server Zero-Day

CVE-2026-26083 and CVE-2026-44277: Fortinet FortiSandbox and FortiAuthenticator

  • Vendor: Fortinet
  • Impact: CVE-2026-26083 is a missing authorization flaw in the FortiSandbox web UI affecting on-premise, Cloud, and PaaS deployments. CVE-2026-44277 is an access control flaw in FortiAuthenticator API endpoints allowing unauthenticated code execution.
  • Action: Apply Fortinet PSIRT updates. Restrict management plane access to known administrative ranges. Audit FortiAuthenticator API logs for unauthenticated requests.
  • Source: https://thehackernews.com/2026/05/ivanti-fortinet-sap-vmware-n8n-patch.html

CVE-2026-6973: Ivanti Endpoint Manager Mobile

AI Security Threats

The AI attack surface has matured from a research curiosity into operational threat infrastructure. The May 2026 picture shows three converging trends: agentic AI infrastructure now hosts critical zero-days, prompt injection has moved from model-level to infrastructure-level exploitation, and AI is being weaponized at scale by attackers themselves.

Agentic AI Infrastructure Under Attack

CVE-2026-32173 in the Azure SRE Agent (CVSS 8.6) exposed live command streams to any Entra ID account holder via an unauthenticated WebSocket endpoint. This is a watershed event. The SRE Agent is a production agentic system with execution authority over Azure infrastructure, and the vulnerability allowed observation of agent command flows by any tenant identity. Defensive implication: treat every agentic AI deployment as a Tier 0 asset with full audit, network isolation, and identity scoping.

Analysis of the Claude Code leak in 2026 surfaced three vulnerability classes that generalize across coding agents: context poisoning via context compaction (attacker content survives compaction and persists into long-term reasoning), sandbox bypass via shell parser differentials (the agent sandbox and the underlying shell disagree on what a command means), and supply chain risk via tool installation. Source: https://adversa.ai/blog/top-agentic-ai-security-resources-may-2026/

Prompt Injection as Infrastructure Threat

In March 2026, Unit 42 documented the first large-scale indirect prompt injection attacks in the wild, including ad review evasion and system prompt leakage against live commercial platforms. Munich Re's annual cyber risk report named prompt injection as a major attack vector, citing low cost and high scalability. CVE-2025-53773 demonstrated that hidden prompt injection inside pull request descriptions could trigger remote code execution through GitHub Copilot, with a CVSS score of 9.6. The June 2025 EchoLeak vulnerability in Microsoft 365 Copilot (CVSS 9.3) showed that zero-click prompt injection through email content is feasible against mainstream productivity AI.

Operational pattern: attackers embed instructions in documents, web pages, emails, PDFs, calendar invites, and ticket bodies. Models cannot reliably distinguish system prompt from user input from tool output because all three arrive as a single token stream. Source: https://www.securance.com/blog/prompt-injection-the-owasp-1-ai-threat-in-2026/

AI Used by Attackers at Scale

Google publicly stated in May 2026 that it "likely thwarted" an attempt by a hacker group to use AI for a mass exploitation event. ENISA 2025 data shows 80% of phishing campaigns now contain AI-generated content. APT36 has been observed using LLM-driven polymorphic malware generation, producing variants faster than signature-based detection can update. Source: https://www.cnbc.com/2026/05/11/google-thwarts-effort-hacker-group-use-ai-mass-exploitation-event.html

Agentic AI Governance Gap

Survey data from May 2026: every organization surveyed has agentic AI on its roadmap, yet only 37% enforce purpose binding on AI agents, and only 40% have implemented kill switches. Non-human machine identities created by AI agents now exceed human identities at a growing number of enterprises, and legacy IAM systems were not designed to scope or rotate agent credentials. Source: https://www.kiteworks.com/cybersecurity-risk-management/agentic-ai-machine-credentials-breach/

OWASP LLM Top 10: Current State

Prompt injection retains the number one position in the OWASP LLM Top 10. Researchers expect multi-agent chain exploits, where a vulnerability in one agent is amplified through orchestrated agent-to-agent communication, to become a dominant attack pattern over the next two quarters. Source: https://elevateconsult.com/insights/owasp-llm-top-10-security-vulnerabilities-every-ai-developer-must-know-in-2026/

Threat Actor Activity

Salt Typhoon (China-linked)

Salt Typhoon, the group responsible for the 2024 US telecom compromise, remains active inside US networks. Fresh penetration of US House Committee email systems was confirmed earlier in 2026, with focus on staff working on national security committees with oversight of China policy. Persistence inside previously compromised telecoms continues, with most victim organizations still unaware. Source: https://www.darkreading.com/cyberattacks-data-breaches/new-china-apt-strikes-precision-persistence

Broader Chinese Campaign Activity

A separate China-linked campaign disclosed in February 2026 targeted more than 50 telecoms and government agencies across 42 countries, using Google Sheets as a command-and-control channel to blend with legitimate traffic. Source: https://cybelangel.com/blog/cyber-espionage-apts/

Nightmare-Eclipse

A self-styled rogue researcher operating under the handle Nightmare-Eclipse has published six Microsoft Windows zero-day exploits since April 2026: BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma. All six have been weaponized in real-world intrusions and added to the CISA KEV catalog. Source: https://blog.barracuda.com/2026/05/19/nightmare-eclipse-zero-days-grudge

Adversary Speed

The 2026 industry benchmark for adversary breakout time is 72 minutes from initial foothold to lateral movement and exfiltration. Defenders operating with detection and response windows measured in hours are functionally outpaced.

Nation-State Priorities

China prioritizes long-term intellectual property theft and persistent access. Russia continues to focus on disruption and influence operations. North Korea targets revenue generation through cyber theft. Iran pursues regional influence and retaliation campaigns. Source: https://www.cisa.gov/topics/cyber-threats-and-advisories/nation-state-cyber-actors

Ransomware and Data Breaches

Victim | Threat Actor | Impact | Date
--- | --- | --- | ---
Instructure Canvas | ShinyHunters | 275M records, 8,809 districts and universities | May 2026
Grafana | Coinbase Cartel | Ransomware, scope under investigation | May 2026
West Pharmaceutical Services | Undisclosed | Active incident response, data scope unconfirmed | May 2026
GitHub | TeamPCP | 4,000 private repositories via malicious Nx plugin | May 2026
NVIDIA GeForce NOW (Armenia) | ShinyHunters | User database including emails and usernames | May 2026

Instructure Canvas (275M records)

ShinyHunters claims theft of roughly 275 million records covering students, teachers, and staff across the Canvas learning management system. The group has published a list naming 8,809 affected school districts, universities, and online education platforms. Source: https://www.malwarebytes.com/blog/news/2026/05/millions-of-students-personal-data-stolen-in-major-education-cyberattack

GitHub Repository Compromise

GitHub is investigating a breach of internal repositories. TeamPCP claims access to approximately 4,000 repositories of private code, gained via a malicious version of the Nx Console VS Code extension. The Nx vector demonstrates the continued effectiveness of IDE extension supply chain attacks against developer credential and token material. Source: https://sharkstriker.com/blog/may-2026-data-breaches/

Grafana Ransomware

Grafana was hit by the Coinbase Cartel ransomware group. Operational impact and customer data exposure remain under investigation. Source: https://sharkstriker.com/blog/may-2026-data-breaches/

State of Ransomware 2026

Ransomware activity continues to climb year-over-year, with double extortion (encryption plus data publication) now standard and triple extortion (adding DDoS or direct customer harassment) increasingly common against high-value targets. Source: https://www.blackfog.com/the-state-of-ransomware-2026/

Recommended Actions

Immediate (next 72 hours)

  • Patch Cisco SD-WAN Controller and Manager for CVE-2026-20182 if not already complete. Audit administrative session logs for the last 30 days.
  • Patch Trend Micro Apex One on-premise for CVE-2026-34926 and review console activity for anomalous logins.
  • Patch or remove public exposure of Langflow deployments. Rotate any API keys, vector store credentials, and model provider keys configured inside Langflow flows.
  • Apply available Microsoft mitigations for Exchange Server CVE-2026-42897. Where feasible, restrict OWA to VPN. Hunt for matching inbound email patterns.
  • Patch Linux kernel CVE-2026-31431 on all multi-tenant hosts, CI runners, container hosts, and shared developer systems.
  • Patch FortiSandbox CVE-2026-26083 and FortiAuthenticator CVE-2026-44277. Restrict management plane access.

Short-Term (next 30 days)

  • Audit every agentic AI deployment for identity scoping, network isolation, and command audit logging. Treat agentic systems as Tier 0 assets.
  • Inventory non-human identities and machine credentials created by AI agents. Apply rotation, scoping, and revocation policies.
  • Review IDE extension policy. Enforce signed extension allowlists. Audit recent Nx, Copilot, and similar extension installations.
  • Validate detection coverage against a 72-minute breakout window. Tune SIEM and EDR alerting to fire on lateral movement indicators within minutes rather than hours.
  • Test prompt injection defenses against indirect injection in email, document ingestion, and RAG sources.
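A way to score detection exercises against the 72-minute breakout window from the list above, as an added example that is not part of the original brief. The record layout, scenario labels and verdict names are hypothetical, and the exercise timings are constructed.

```python
from datetime import datetime, timedelta
from statistics import median

BREAKOUT = timedelta(minutes=72)  # benchmark cited in this brief

# Constructed exercise results: (scenario, foothold, first alert, containment).
# None means that stage never happened.
EXERCISES = [
    ("phish-to-rdp",   "2026-05-04T09:00", "2026-05-04T09:12", "2026-05-04T09:55"),
    ("vpn-cred-reuse", "2026-05-06T14:00", "2026-05-06T15:40", "2026-05-06T16:30"),
    ("ide-extension",  "2026-05-11T11:00", "2026-05-11T11:30", "2026-05-11T12:45"),
    ("ci-runner-lpe",  "2026-05-13T08:00", None, None),
]

def _delta(start, end):
    """Elapsed time from foothold to a later stage, or None if it never occurred."""
    if end is None:
        return None
    return datetime.fromisoformat(end) - datetime.fromisoformat(start)

def evaluate(exercises, window=BREAKOUT):
    """Classify each exercise by how detection and containment compare to the window."""
    rows = []
    for name, foothold, alert, contained in exercises:
        ttd = _delta(foothold, alert)       # time to detect
        ttc = _delta(foothold, contained)   # time to contain
        if ttd is None:
            verdict = "missed"
        elif ttc is not None and ttc <= window:
            verdict = "contained-in-window"
        elif ttd <= window:
            verdict = "detected-only"       # alert fired, response too slow
        else:
            verdict = "late"
        rows.append((name, ttd, ttc, verdict))
    return rows

def summary(rows):
    """Median time to detect (minutes) and share of exercises contained in the window."""
    detected = [r[1] for r in rows if r[1] is not None]
    in_window = sum(1 for r in rows if r[3] == "contained-in-window")
    return {
        "median_ttd_min": median(d.total_seconds() / 60 for d in detected),
        "contained_in_window_pct": round(100 * in_window / len(rows)),
    }
```

The "detected-only" verdict separates alerting gaps from response gaps: the alert fired inside the window but containment did not.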

Strategic (next quarter)

  • Establish purpose binding and kill switches for every agentic AI deployment. Aim for 100% coverage rather than the industry baseline of 37-40%.
  • Build a threat model for multi-agent chain exploits. Identify which agents have authority to invoke other agents and where trust boundaries fail.
  • Integrate AI-generated phishing detection into email security. Assume 80%+ of inbound phishing now passes basic linguistic plausibility tests.
  • Develop a containment plan for long-dwell APT presence. Assume Salt Typhoon-style adversaries may already be inside high-value networks.
  • Adopt OWASP LLM Top 10 and OWASP AI Agent Security Top 10 as formal control frameworks for AI development pipelines.

Sources