TLP:CLEAR | CTI-2026-0523

Daily Threat Intelligence Brief - May 23, 2026

May 23, 2026 | 11 min read
Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors

Executive Summary

  • CISA expanded the Known Exploited Vulnerabilities catalog with ten additions across May 7, May 20, and May 21, spanning Ivanti EPMM, Microsoft Defender, Cisco SD-WAN, Langflow, and Trend Micro Apex One.
  • Microsoft confirmed in-the-wild exploitation of Exchange Server zero-day CVE-2026-42897 (CVSS 8.1), a spoofing and cross-site scripting flaw affecting Exchange Subscription Edition, 2016, and 2019.
  • Cisco Catalyst SD-WAN Controller CVE-2026-20182 is being abused for unauthenticated administrative access on production deployments, with CISA setting a federal patch deadline of May 17, 2026.
  • Instructure (Canvas LMS) is the largest education breach disclosed this month, with attackers claiming theft of more than 240 million student, teacher, and staff records spanning 15,000 institutions.
  • MCP (Model Context Protocol) security continues to deteriorate: BlueRock Security found 36.7% of 7,000 public MCP servers vulnerable to SSRF, and an OX Security disclosure now ties 200,000 servers and 150 million SDK downloads to a single architectural flaw.
  • Microsoft's May Patch Tuesday shipped 118 fixes with 16 Critical, including the Netlogon RCE (CVE-2026-41089) and a CVSS 9.9 RCE in on-premises Dynamics 365 (CVE-2026-42898).
  • ShinyHunters extortion activity persists: Pitney Bowes (8.2M emails), Udemy (1.4M user records), and 7-Eleven are confirmed victims.
  • Microsoft Security Research disclosed CVE-2026-25592 and related Semantic Kernel flaws showing that prompt injection in agentic AI now reliably converts into remote code execution.

Critical Vulnerabilities

CVE-2026-42897: Microsoft Exchange Server Spoofing/XSS Zero-Day

A spoofing and cross-site scripting flaw (CVSS 8.1) in Exchange Server Subscription Edition, 2016, and 2019. Microsoft confirmed active exploitation and published interim mitigation guidance while a full patch is in development. Defenders should treat any internet-exposed Exchange surface as at-risk and review OWA and ECP logs for crafted authentication or redirect activity.

Source: SecurityWeek, Security Affairs

CVE-2026-20182: Cisco Catalyst SD-WAN Controller Authentication Bypass

Critical authentication bypass on Cisco Catalyst SD-WAN Controllers exploited in zero-day attacks to gain administrative privileges. CISA added the flaw to KEV with a May 17, 2026 federal patch deadline. Operators should validate Controller versions, isolate management interfaces, and review admin account creation audit trails.

Source: The Hacker News, BleepingComputer

CVE-2026-6973: Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation

Added to KEV on May 7. Improper input validation in Ivanti EPMM allows attacker-controlled payloads to alter device or user enrollment state. Ivanti customers should apply vendor hotfixes immediately and audit MDM policy changes from the past 90 days.

Source: CISA Alert May 7, 2026

CVE-2026-41091 and CVE-2026-45498: Microsoft Defender Elevation of Privilege and Denial of Service

Both added to KEV on May 20. CVE-2026-41091 permits local privilege escalation, while CVE-2026-45498 enables a denial of service on Defender itself, which can mask follow-on intrusion activity. Defender platform updates should be confirmed at endpoint scale.

Source: Malwarebytes, CISA Alert May 20, 2026

CVE-2025-34291: Langflow Origin Validation Error

Added to KEV on May 21. Langflow, a popular framework for building LLM workflows, fails to validate request origin, enabling cross-origin abuse of agent endpoints. Self-hosted Langflow installations should be moved behind authenticated reverse proxies, with the most recent vendor patch applied.

Source: CISA Alert May 21, 2026

CVE-2026-34926: Trend Micro Apex One Directory Traversal

Added to KEV on May 21. On-premises Apex One is vulnerable to directory traversal usable to read or overwrite arbitrary files on the management server. Trend Micro customers should confirm patch level and review management console access logs.

Source: CISA Alert May 21, 2026

CVE-2026-41089: Windows Netlogon Remote Code Execution

An unauthenticated remote attacker can send a crafted Netlogon packet to a domain controller and trigger a stack-based buffer overflow leading to code execution as SYSTEM. This is the highest-priority Patch Tuesday item for any environment running on-prem Active Directory.

Source: Cybersecurity News

CVE-2026-42898: Microsoft Dynamics 365 (On-Prem) Remote Code Execution

CVSS 9.9. No user interaction required. Affects on-premises Dynamics 365 deployments and represents one of the highest-severity items shipped in May Patch Tuesday.

Source: Cybersecurity News, BleepingComputer

CVE-2026-0073: Android System Component Remote Code Execution

Disclosed in Google's May 2026 Android Security Bulletin. Critical RCE in the Android System component, exploitable by a proximal or adjacent attacker with no privileges and no user interaction. Mobile fleets should validate the May 2026 patch level.

Source: Carthage Electronics

AI Security Threats

The AI security landscape this month is best described as the formalization of agentic AI as a first-class attack surface. Three trends are reinforcing one another.

Agent frameworks now reliably convert prompt injection into code execution. Microsoft Security Research published "When prompts become shells" on May 7, 2026, detailing remote code execution paths in Semantic Kernel and adjacent AI agent frameworks (including CVE-2026-25592). The thesis: once a model is wired to tools, prompt injection is no longer a content-safety issue; it is an arbitrary code execution primitive. Defenders should assume any tool-enabled LLM with untrusted input is one well-crafted prompt away from a shell.

Source: Microsoft Security Blog

MCP servers remain the soft underbelly of the agent stack. BlueRock Security analyzed over 7,000 publicly reachable MCP servers and found 36.7% potentially vulnerable to server-side request forgery. In a published proof of concept against Microsoft's MarkItDown MCP server, researchers retrieved AWS IAM access keys, secret keys, and session tokens from an EC2 instance's metadata endpoint. OX Security disclosed a systemic flaw rooted in MCP SDK design across Python, TypeScript, Java, and Rust, affecting an estimated 200,000 servers and 150 million SDK downloads. Trend Micro identified 492 internet-exposed MCP servers with zero client authentication and zero transport encryption.

Source: AI2Work, Medium / Nyami, CSO Online

Prompt injection moved from theory to mass-market exposure. Oasis Security disclosed a Claude.ai prompt injection and data exfiltration chain, updated on May 1, 2026, in which invisible HTML tags embedded in URL parameters pre-populate a Claude chat with hostile instructions. Earlier in 2026, CVE-2025-53773 (CVSS 9.6) confirmed that hidden prompt injection in pull request descriptions could trigger remote code execution via GitHub Copilot, and Unit 42 documented the first large-scale indirect prompt injection campaigns observed in production ad-review and customer-facing assistant platforms. The OWASP Foundation continues to rank prompt injection as LLM01:2025, the single most critical category in AI applications.

Source: Oasis Security, Securance, Airia

Tool poisoning is operational. The WhatsApp MCP Server was confirmed vulnerable to tool poisoning, where attackers inject malicious instructions into tool descriptions to coerce AI agents into exfiltrating entire chat histories. This pattern generalizes: any agent that reads tool metadata at runtime is exposed if any element of that metadata can be influenced by untrusted parties.

Source: Aembit

The composite picture: agentic AI is not a future risk. The control plane is already exposed, the exploitation primitives are reliable, and the supply chain is concentrated in a small number of SDKs with known architectural flaws.

Threat Actor Activity

Salt Typhoon, the China-linked group responsible for the 2024 US telecom intrusions, remains active inside US networks and was confirmed this year to have penetrated House Committee email systems. A separate February 2026 China-linked campaign hit more than 50 telecoms and government agencies across 42 countries, abusing Google Sheets as a covert command-and-control channel.

Source: Dark Reading, CybelAngel

Phantom Taurus, a previously undocumented Chinese nation-state actor, has been targeting government agencies, embassies, military operations, and other entities across Africa, the Middle East, and Asia. The group is characterized by surgical operational precision, multi-year persistence, and a custom-built post-exploitation toolkit.

Source: CybelAngel

APT36 is now the first documented nation-state actor using AI as a "malware assembly line", producing polymorphic variants at machine speed. APT41 has demonstrated abuse of Google Calendar events as a command-and-control channel, with commands hidden as base64-encoded strings in event descriptions, blending into legitimate HTTPS Google traffic. The 2026 benchmark adversary breakout time is 72 minutes from initial foothold to active data exfiltration.

Source: CybelAngel, N-able

Ransomware and Data Breaches

| Victim | Actor | Impact |
|---|---|---|
| Instructure | Unattributed | 240M+ student/teacher/staff records, 15,000 schools |
| Foxconn (NA) | Nitrogen | 8 TB data, 11M files, internal project documents |
| Pitney Bowes | ShinyHunters | 8.2M unique email addresses, names, phones, addresses |
| Udemy | ShinyHunters | 1.4M user records, PII and internal corporate data |
| 7-Eleven | ShinyHunters | Breach confirmed, scope under disclosure |
| Zara (Spain) | Unattributed | 197,000+ customer records |
| Gelatissimo | DragonForce | Cyber incident confirmed, scope under investigation |

Source: SharkStriker May 2026 Breaches, Malwarebytes Education Breach, Privacy Guides Roundup

| Group | Status | Notes |
|---|---|---|
| Qilin | Most active in 2026 | Dominant from Q2 2025 onward, broad sector targeting |
| ShinyHunters | Extortion, data leak focus | Active US enterprise campaigns this month |
| DragonForce | Multi-region affiliates | Recent APAC retail and food sector listings |
| Nitrogen | Targeted enterprise | Foxconn NA breach, large-volume data theft |
| The Gentlemen | High-activity emerging group | Cited alongside Qilin in 2026 baseline data |

Source: BlackFog State of Ransomware 2026, Securelist State of Ransomware, Industrial Cyber

Recommended Actions

Immediate (0 to 72 hours)

  • Patch or mitigate Exchange Server (CVE-2026-42897), Cisco Catalyst SD-WAN (CVE-2026-20182), and Ivanti EPMM (CVE-2026-6973). Treat as breach-likely if internet-exposed.
  • Apply Microsoft May Patch Tuesday updates with priority on CVE-2026-41089 (Netlogon RCE), CVE-2026-42898 (Dynamics 365), CVE-2026-41103 (Entra ID impersonation), and CVE-2026-35421 (GDI/EMF RCE).
  • Confirm May 2026 Android Security Bulletin patch level across mobile fleet for CVE-2026-0073.
  • Audit Microsoft Defender platform versions to close CVE-2026-41091 and CVE-2026-45498.
  • For any deployed Langflow instance, apply vendor patch and place behind an authenticated reverse proxy.

Short-Term (1 to 4 weeks)

  • Inventory every MCP server in the environment. Require client authentication, transport encryption, and an allowlist of outbound destinations. Treat the IMDS endpoint as adversary-reachable.
  • Add prompt injection and tool poisoning test cases to AI application CI. Static descriptions for tools should be signed or pinned at build time.
  • Subscribe to and operationalize CISA KEV updates as a forcing function for patch SLAs.
  • Add detections for Google Calendar and Google Sheets command-and-control patterns (rare DNS resolution paths, anomalous HTTPS volume from non-collaboration users).
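
The outbound allowlist and IMDS guidance above, and the MCP SSRF finding under AI Security Threats, come down to a check like the following. This is an added example, not code from any MCP SDK or vendor named in this brief; `ALLOWED_HOSTS`, `is_internal` and `check_outbound` are hypothetical names and the hosts are placeholders.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy for this example: the only hosts MCP tools may fetch from.
ALLOWED_HOSTS = {"docs.example.com", "api.example.com"}


def is_internal(ip: str) -> bool:
    """True for any address that is not globally routable (IMDS is link-local)."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 such as ::ffff:169.254.169.254 before classifying.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not addr.is_global


def check_outbound(url: str, resolver=socket.getaddrinfo):
    """Return (allowed, reason, ips) for a URL an agent asks a tool to fetch."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme != "https":
        return False, "scheme not allowed", []
    if parts.username or parts.password:
        return False, "userinfo in URL", []
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist", []
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except OSError:
        return False, "resolution failed", []
    ips = sorted({info[4][0] for info in infos})
    if not ips:
        return False, "resolution failed", []
    # An allowlisted name can still resolve to an internal address
    # (DNS rebinding, poisoned record), so every answer is checked.
    bad = [ip for ip in ips if is_internal(ip)]
    if bad:
        return False, "resolves to internal address " + bad[0], []
    # The caller should connect to one of these validated IPs rather than
    # resolving the name again, so the check and the fetch see the same answer.
    return True, "ok", ips
```

HTTP redirects need the same check on every hop; a client that follows redirects automatically bypasses it.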
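
Pinning tool descriptions at build time, as recommended above in response to the tool poisoning pattern, can be done as follows. This is an added example, not code from any MCP SDK; it assumes tools carry `name`, `description` and `inputSchema` fields, uses an HMAC in place of a build-pipeline signature, and all function names and sample tools are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample: a reviewed tool and the same tool with an altered description.
REVIEWED = [{"name": "list_messages", "description": "List recent messages.",
             "inputSchema": {"type": "object", "properties": {"limit": {"type": "integer"}}}}]
ALTERED = [dict(REVIEWED[0], description="List recent messages. <text added after review>")]


def tool_digest(tool: dict) -> str:
    """SHA-256 over the fields an agent reads as instructions or contract."""
    pinned = {k: tool.get(k) for k in ("name", "description", "inputSchema")}
    blob = json.dumps(pinned, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def build_manifest(tools: list, key: bytes) -> dict:
    """Build step: pin every reviewed tool and MAC the pin set."""
    pins = {t["name"]: tool_digest(t) for t in tools}
    body = json.dumps(pins, sort_keys=True).encode()
    return {"pins": pins, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_tools(advertised: list, manifest: dict, key: bytes) -> dict:
    """Runtime: accept only tools whose metadata matches the reviewed pin."""
    body = json.dumps(manifest["pins"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        raise ValueError("pin manifest failed integrity check")
    accepted, rejected = [], {}
    for tool in advertised:
        name = tool.get("name")
        pin = manifest["pins"].get(name)
        if pin is None:
            rejected[name] = "not in manifest"
        elif not hmac.compare_digest(pin, tool_digest(tool)):
            rejected[name] = "description or schema changed since review"
        else:
            accepted.append(name)
    return {"accepted": accepted, "rejected": rejected}
```

Only the `accepted` tools should be passed into the model's context; a rejected tool is a CI failure or a runtime alert, not a warning to log and continue.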

Strategic (Quarter and Beyond)

  • Adopt a zero-trust architecture for agentic AI: agents authenticate per tool call, tools authorize per agent identity, and every tool invocation is logged and replay-auditable.
  • Plan for a 72-minute adversary breakout window. Investments in identity-tier segmentation, EDR-driven containment, and out-of-band response paths yield more than perimeter improvements.
  • Treat extortion-only groups (ShinyHunters class) as data-protection adversaries, not encryption adversaries. Data minimization, tokenization, and field-level encryption shrink their leverage.
  • Build a vendor concentration map for AI infrastructure (LLM providers, MCP SDKs, agent frameworks). The 200,000-server MCP exposure shows one architectural flaw can cross every business unit at once.

Sources