TLP:CLEAR | CTI-2026-0525

Daily Threat Intelligence Brief - May 25, 2026

May 25, 2026 | 14 min read
Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors

Executive Summary

  • Cisco Catalyst SD-WAN authentication bypass CVE-2026-20182 (CVSS 10.0) is under active zero-day exploitation. CISA mandated federal patching by May 17, 2026.
  • Microsoft Exchange Server zero-day CVE-2026-42897 (XSS, spoofing, CVSS 8.1) is being weaponized in the wild against on-prem deployments.
  • ShinyHunters claims theft of 275 million records from Instructure/Canvas, impacting 8,809 educational institutions worldwide. Instructure confirmed an "agreement" with the threat actor on May 11.
  • LiteLLM 1.82.7 and 1.82.8 on PyPI shipped credential-stealing payloads targeting cloud keys, SSH keys, and Kubernetes secrets. The package pulls 3.4M downloads per day.
  • CVE-2026-33032 (CVSS 9.8) in nginx-ui MCP endpoint enables full takeover of 2,600+ exposed agent infrastructures.
  • CISA added 10 new vulnerabilities to KEV in May, including Microsoft Defender EoP (CVE-2026-41091), Langflow (CVE-2025-34291), and Trend Micro Apex One (CVE-2026-34926).
  • Prompt-injection payloads embedded in web content rose 32% from November 2025 to February 2026, per Google research. OWASP reports a 340% YoY surge in prompt-injection attacks overall.
  • 41 to 44% of organizations running AI agents still lack human-in-the-loop oversight; 55 to 63% lack kill switches or network isolation for agentic deployments.

Critical Vulnerabilities

CVE-2026-20182: Cisco Catalyst SD-WAN Authentication Bypass

| Field | Value |
|---|---|
| CVSS | 10.0 (Critical) |
| Vector | Network, unauthenticated, no user interaction |
| Product | Cisco Catalyst SD-WAN Controller and Manager |
| Status | Active exploitation, CISA KEV listed |
| Patch deadline | May 17, 2026 (federal civilian agencies) |

A pre-authentication bypass in the Cisco Catalyst SD-WAN management plane allows full administrative takeover of the controller. Tenable confirmed continued exploitation by the UAT-8616 cluster, which chains this flaw with previously known SD-WAN weaknesses to pivot into managed branch routers. Immediate patching to the fixed releases and rotation of all controller-stored secrets are required.

CVE-2026-42897: Microsoft Exchange Server Zero-Day

| Field | Value |
|---|---|
| CVSS | 8.1 (High) |
| Vector | Network, low complexity, requires victim interaction |
| Product | Microsoft Exchange Server (on-premises) |
| Status | Active exploitation, patch in progress |
| Type | Cross-site scripting enabling spoofing |

Disclosed May 14, this XSS vulnerability lets an unauthorized attacker spoof identities and pivot through victim browsers against Exchange admin surfaces. Microsoft has not released a full patch as of this brief. Mitigations: restrict OWA exposure, enforce CSP, monitor for anomalous OWA traffic patterns.

CVE-2026-41089: Windows Domain Controller RCE

| Field | Value |
|---|---|
| CVSS | 9.8 (Critical) |
| Vector | Network, unauthenticated, no interaction |
| Product | Microsoft Windows Server (Domain Controller role) |
| Status | Patched (May 2026 Patch Tuesday) |
| Type | Stack-based buffer overflow, remote code execution |

A specially crafted network request to a domain controller can trigger unauthenticated remote code execution. Treat as Tier 0 patch priority. Verify all DCs are at May 2026 cumulative update level and enforce network segmentation between DC subnets and general workstations.

CVE-2026-41940: cPanel and WHM Authentication Bypass

| Field | Value |
|---|---|
| CVSS | 9.8 (Critical) |
| Vector | Network, unauthenticated |
| Product | cPanel and WHM |
| Status | Patched April 28, 2026, mass exploitation underway |
| In-wild | Since at least February 2026 |

Hosting providers and small business sites running cPanel are being scanned and exploited at scale. The flaw was exploited in the wild for roughly two months before the patch. Audit for unauthorized admin accounts, modified PHP includes, and webshells under /usr/local/cpanel.

CVE-2026-33032: nginx-ui MCP Endpoint Takeover

| Field | Value |
|---|---|
| CVSS | 9.8 (Critical) |
| Vector | Network, unauthenticated |
| Product | nginx-ui Model Context Protocol endpoint |
| Exposure | 2,600+ instances on public internet |
| Type | Full system takeover via MCP tool abuse |

This is a landmark critical vulnerability aimed squarely at MCP. Attackers reaching the exposed MCP endpoint can execute arbitrary tools server-side and pivot through agent-controlled infrastructure. Any AI agent that connects to a remote nginx-ui MCP server should be considered untrusted until patched.

CVE-2026-0073: Android System RCE

| Field | Value |
|---|---|
| CVSS | Critical |
| Vector | Proximal/adjacent, unauthenticated, no interaction |
| Product | Android 14, 15, 16 System component |
| Status | Fix included in May 2026 Android Security Bulletin |

Adjacent attackers within Wi-Fi or Bluetooth range can trigger remote code execution without user interaction. Particularly dangerous in enterprise BYOD and field-worker fleets. Force May 2026 patch level via MDM.

CVE-2026-6973: Ivanti EPMM Improper Input Validation

| Field | Value |
|---|---|
| Product | Ivanti Endpoint Manager Mobile |
| KEV | Added May 7, 2026 |
| Status | Active exploitation confirmed |

Ivanti EPMM (formerly MobileIron Core) is back in the KEV catalog. This continues the multi-year trend of Ivanti products being repeatedly weaponized against enterprises and the federal sector.

Additional KEV Additions (May 20 to 21, 2026)

| CVE | Product | Type |
|---|---|---|
| CVE-2026-41091 | Microsoft Defender | Elevation of Privilege |
| CVE-2026-45498 | Microsoft Defender | Denial of Service |
| CVE-2025-34291 | Langflow (LLM workflow platform) | Origin Validation Error |
| CVE-2026-34926 | Trend Micro Apex One | Directory Traversal |
| CVE-2008-4250 | Microsoft Windows | Buffer Overflow (legacy) |
| CVE-2009-1537 | Microsoft DirectX | NULL Byte Overwrite (legacy) |
| CVE-2009-3459 | Adobe Acrobat/Reader | Heap-Based Buffer Overflow |
| CVE-2010-0249 | Microsoft Internet Explorer | Use-After-Free (legacy) |

The legacy entries reflect ongoing exploitation of unpatched, internet-exposed legacy infrastructure. The Langflow KEV entry is notable: it confirms attackers are now targeting LLM orchestration platforms as a category.

AI Security Threats

The agentic AI threat landscape sharpened materially this month. Three converging trends define the May 2026 picture.

Prompt Injection Has Become The Number One AI Attack Class

OWASP's 2026 LLM Security Report ranks prompt injection as the fastest growing cyberattack category globally, with a 340% year-over-year increase. Google security researchers separately measured a 32% rise in malicious prompt-injection payloads embedded in indexed web content between November 2025 and February 2026. The distinction between direct prompt injection (attacker types into a chat) and indirect prompt injection (attacker plants payload in a document, web page, email, image, or tool output that the agent later reads) now matters more than ever, because the agentic path makes indirect injection load-bearing: an agent given browsing, file, or email tools will eventually read attacker content as instructions.

Indirect prompt injection has moved from research curiosity to mainstream threat. The attack does not need a sophisticated payload. Carefully worded plaintext in a hidden HTML element or a PDF margin is sufficient to override system prompts on most production-deployed models.

The Agentic Execution Boundary Is The New Perimeter

The qualitative shift in 2026 is that AI agents now hold tool access by default. Customer support agents read files and call APIs. Research agents browse the live web. Coding agents execute shell commands. Workflow agents send messages, file tickets, and process invoices. An agentic injection produces a wrong action, not a wrong answer. The consequences land before a human can review them.

A March 2026 incident illustrates the failure mode: a financial services firm discovered that its customer-facing agent had been leaking internal pricing data for three weeks. The attacker did not breach a system in the traditional sense. They asked a carefully phrased question that bypassed the system prompt. The agent had read-access to a pricing database as a "feature." No alarm fired because the agent acted within its granted permissions, just on the wrong instructions.

Industry baseline controls remain weak. According to 2026 survey data, 41 to 44% of organizations operating AI agents have not implemented human-in-the-loop oversight on consequential actions, and 55 to 63% lack purpose binding, kill switches, or network isolation for those agents. This is the single largest preventable risk in enterprise AI today.

The MCP and LLM Supply Chain Is Now A Top Attack Surface

The Model Context Protocol ecosystem is being aggressively probed. Adversa AI's May 2026 MCP threat roundup documents tool-poisoning, credential theft from MCP servers, and authentication weaknesses across the ecosystem. CVE-2026-33032 in nginx-ui MCP (CVSS 9.8, 2,600+ exposed) is the headline, but it is not isolated. A research analysis of 7,000+ MCP servers found 36.7% vulnerable to server-side request forgery, and AWS credential exfiltration was demonstrated via the MarkItDown MCP server.

The LiteLLM PyPI compromise (versions 1.82.7 and 1.82.8) is the supply-chain analogue. LiteLLM is a routing layer used in many production AI gateways. Trend Micro's analysis ("Your AI Gateway Was a Backdoor") documents how the malicious versions exfiltrated cloud credentials, SSH keys, and Kubernetes secrets from any environment that installed them. At 3.4 million daily PyPI downloads, the blast radius is enterprise-wide. Any organization that pulled LiteLLM during the malicious-version window should treat all credentials accessible to that process as compromised and rotate them.

Adjacent risk: multi-turn jailbreaks remain the preferred frontier-model attack pattern, and jailbreaks that succeed against one frontier model transfer to peers at high rates (one referenced study notes 64.1% transfer from GPT-4 jailbreaks to Claude 2). Defense-in-depth at the agent layer cannot assume model-level guardrails will hold.

Defensive Priorities for Agentic AI

  1. Treat all tool-using agents as untrusted code paths. Sandbox, network-isolate, and require explicit per-action authorization for any state-changing tool.
  2. Default to least-privilege tool grants. A customer-support agent does not need write access to a pricing database.
  3. Inventory MCP servers in your environment. Apply standard application-security controls (auth, TLS, input validation, SSRF mitigations) to every MCP endpoint.
  4. Pin LLM-orchestration dependencies. Use a vetted internal mirror. Subscribe to PyPI typosquat and compromised-package feeds.
  5. Add a kill switch and circuit breaker to every production agent. Define what "too many actions, too fast" looks like for each agent and stop it automatically.
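
One way to combine priorities 1, 2 and 5 in a single mediation layer, as an added example that is not code from this brief or from any agent framework. The `ToolGateway` class, the tool names and the thresholds are hypothetical.

```python
import time
from collections import deque


class AgentHalted(Exception):
    """Raised once the kill switch or circuit breaker has stopped the agent."""


class ToolGateway:
    """Mediates every tool call: allow-list, approval for writes, rate breaker."""

    def __init__(self, grants, needs_approval, max_calls, window_s, approver,
                 clock=time.monotonic):
        self.grants = set(grants)                  # least-privilege allow-list
        self.needs_approval = set(needs_approval)  # state-changing tools
        self.max_calls, self.window_s = max_calls, window_s
        self.approver, self.clock = approver, clock
        self.calls = deque()                       # timestamps of allowed calls
        self.halted = False                        # set by kill() or the breaker
        self.audit = []                            # (time, tool, decision)

    def kill(self):
        self.halted = True                         # operator kill switch

    def _deny(self, now, tool, reason, exc):
        self.audit.append((now, tool, reason))
        raise exc(f"{tool}: {reason}")

    def call(self, tool, fn, *args):
        now = self.clock()
        if self.halted:
            self._deny(now, tool, "halted", AgentHalted)
        if tool not in self.grants:
            self._deny(now, tool, "not_granted", PermissionError)
        while self.calls and now - self.calls[0] > self.window_s:
            self.calls.popleft()                   # drop calls outside the window
        if len(self.calls) >= self.max_calls:      # "too many actions, too fast"
            self.halted = True
            self._deny(now, tool, "breaker_tripped", AgentHalted)
        if tool in self.needs_approval and not self.approver(tool, args):
            self._deny(now, tool, "approval_refused", PermissionError)
        self.calls.append(now)
        self.audit.append((now, tool, "allowed"))
        return fn(*args)
```

Route every tool invocation through `call()`, passing the real tool implementation as `fn`; once the breaker trips, the agent stays halted until an operator builds a fresh gateway, and `audit` holds the decision trail.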

Threat Actor Activity

ShinyHunters

ShinyHunters is the most active financially motivated extortion crew of May 2026. Their tradecraft is not encryption-based ransomware: it is voice phishing (vishing) into SaaS and cloud apps, mass exfiltration of customer data, then extortion against the victim and named downstream customers.

| Campaign | Target | Scope |
|---|---|---|
| Canvas/Instructure breach | Education sector | 275M records, 8,809 institutions, 3.65 TB |
| Anodot/Snowflake token theft | SaaS analytics chain | 13+ corporate downstream victims |
| NVIDIA GeForce NOW (Armenia) | Gaming/cloud | Full user DB: PII, 2FA status, internal roles |
| Rockstar Games (via Anodot) | Gaming | Customer data theft (extent undisclosed) |

The Anodot pivot is the technically important story: a single compromised SaaS vendor exposed at least 13 large enterprise customers, including Snowflake, Rockstar Games, and Instructure. Token theft from an upstream provider remains one of the highest-leverage attack patterns of 2026. EclecticIQ and Google Cloud Threat Intelligence both flag this as the dominant ShinyHunters TTP through Q2 2026.

The FBI IC3 published advisory PSA260515 on May 15 specifically addressing ShinyHunters activity against learning management systems.

UAT-8616

The cluster continues to exploit Cisco SD-WAN vulnerabilities at scale, with CVE-2026-20182 as the current vehicle. Tenable's reporting indicates campaign objectives consistent with espionage and pre-positioning rather than immediate disruption.

Legacy Mass-Exploitation Actors

The May 20 KEV additions of decade-old Microsoft and Adobe vulnerabilities indicate that opportunistic actors continue to find and exploit unpatched legacy systems exposed to the public internet, particularly in OT-adjacent environments, healthcare, and small government deployments.

Ransomware and Data Breaches

Major Incidents (May 2026)

| Date | Victim | Actor | Impact |
|---|---|---|---|
| 2026-04-25 | Instructure (Canvas) | ShinyHunters | 275M records, 8,809 institutions, 3.65 TB exfiltrated |
| 2026-05-11 | Instructure settlement | ShinyHunters | Confirmed "agreement" with threat actor |
| 2026-05-12 | Ocean City Radio | Unattributed | Operations shut down, financial loss |
| Q2 2026 | NVIDIA GFN partner (AM) | ShinyHunters | User DB: PII, 2FA, internal roles |
| Apr-May | Snowflake customers | ShinyHunters | Token-replay attacks via Anodot |
| Apr-May | Rockstar Games | ShinyHunters | Customer data theft (via Anodot) |

Sector View

| Sector | Pressure | Primary Vector |
|---|---|---|
| Education | Critical | Canvas/Instructure breach, downstream impact |
| SaaS Analytics | High | Anodot token theft, supply-chain pivot |
| Gaming/Cloud | High | Direct ShinyHunters targeting |
| Hosting/SMB Web | High | cPanel CVE-2026-41940 mass exploitation |
| Network Infra | Critical | Cisco SD-WAN CVE-2026-20182 active |
| AI Platforms | Rising | Langflow KEV entry, MCP server exposure |

Recommended Actions

Immediate (Next 24 to 48 Hours)

  1. Patch Cisco Catalyst SD-WAN Controller and Manager against CVE-2026-20182 across all environments. Rotate controller secrets and review configuration changes since May 14.
  2. Inventory on-prem Exchange Server exposure. Restrict OWA externally, enforce CSP, and hunt for CVE-2026-42897 indicators.
  3. Confirm all domain controllers are at May 2026 patch level. CVE-2026-41089 is a Tier 0 risk.
  4. Audit Python and AI environments for LiteLLM 1.82.7 or 1.82.8. If installed, rotate every credential the process could reach: cloud keys, SSH keys, kube tokens, API keys.
  5. Inventory MCP servers exposed in your environment. Take any nginx-ui MCP endpoints off the public internet pending CVE-2026-33032 remediation.
  6. Verify the FBI IC3 ShinyHunters advisory (PSA260515) has reached your fraud, legal, and SaaS-administration teams.
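
A sketch of the LiteLLM audit from item 4 (and from the supply-chain section above), added here as an example rather than taken from this brief or from any vendor tooling. It walks a directory tree for installed `litellm-<version>.dist-info` folders and for pins in requirements or constraints files; the sample tree, the clean version number and the file names are constructed.

```python
import os
import re
import tempfile

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # malicious releases named in this brief
DIST_INFO = re.compile(r"^litellm-(?P<ver>[^-]+)\.dist-info$", re.IGNORECASE)
PIN = re.compile(r"^\s*litellm(?:\[[^\]]*\])?\s*==\s*(?P<ver>[\w.]+)", re.IGNORECASE)
PIN_FILES = re.compile(r"(requirements.*\.txt|constraints.*\.txt)$", re.IGNORECASE)


def audit_tree(root):
    """Return sorted (path, kind, version) findings for the bad LiteLLM versions."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Installed copies: pip leaves litellm-<version>.dist-info in site-packages.
        for d in dirnames:
            m = DIST_INFO.match(d)
            if m and m.group("ver") in BAD_VERSIONS:
                findings.append((os.path.join(dirpath, d), "installed", m.group("ver")))
        # Declared pins: a rebuild from these files would reinstall the bad release.
        for f in filenames:
            if not PIN_FILES.search(f):
                continue
            path = os.path.join(dirpath, f)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    m = PIN.match(line)
                    if m and m.group("ver") in BAD_VERSIONS:
                        findings.append((path, "pinned", m.group("ver")))
    return sorted(findings)


def demo():
    """Build a constructed tree with one bad install, one bad pin, one clean venv."""
    with tempfile.TemporaryDirectory() as root:
        sp = os.path.join(root, "gateway", ".venv", "lib", "site-packages")
        os.makedirs(os.path.join(sp, "litellm-1.82.7.dist-info"))
        clean = os.path.join(root, "batch", ".venv", "lib", "site-packages")
        os.makedirs(os.path.join(clean, "litellm-1.81.0.dist-info"))
        with open(os.path.join(root, "gateway", "requirements.txt"), "w") as fh:
            fh.write("fastapi==0.110.0\nlitellm[proxy]==1.82.8  # constructed pin\n")
        return [(os.path.relpath(p, root), k, v) for p, k, v in audit_tree(root)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

An "installed" finding means the credential rotation in item 4 applies to that host; a "pinned" finding alone means the next rebuild would pull the bad release unless the pin is changed.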

Short-Term (Next 30 Days)

  1. Patch all KEV additions from May 7, 20, and 21, with federal deadlines as the floor, not the ceiling.
  2. Move Android fleet to May 2026 patch level via MDM. Block enrollment of devices below this level.
  3. Run a targeted hunt across cPanel and WHM hosts for indicators consistent with CVE-2026-41940 exploitation since February 2026.
  4. Implement upstream SaaS-vendor token review. Identify every third-party SaaS that holds OAuth tokens or service-account credentials into your production data. Rotate where the vendor has any breach indicators.
  5. Stand up an AI-agent governance baseline: per-agent tool inventory, kill switch, human-in-the-loop on consequential actions, network isolation, audit logging.
  6. Subscribe to MCP-specific advisories and the Adversa MCP resource feed.

Strategic (Next Quarter)

  1. Adopt a formal AI Bill of Materials (AI-BOM) practice covering models, prompts, tools, MCP servers, and orchestration dependencies.
  2. Treat prompt injection as a first-class AppSec risk class. Add adversarial prompt testing to release gates for every agentic deployment.
  3. Build supply-chain trust boundaries around AI gateway dependencies: internal package mirrors, signed releases, allow-listed versions, automatic detection of yanked or malicious upstream packages.
  4. Stand up dedicated detection for SaaS-token-replay attacks, the dominant ShinyHunters pattern: anomalous geographies, off-hours bulk reads, and downstream-customer access from upstream vendor tokens.
  5. Conduct a tabletop exercise modeled on the Instructure event: a third-party SaaS provider you depend on is breached, the threat actor extorts the vendor, and your data is leverage. Define your decision tree before it happens.
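
The three token-replay signals from item 4, expressed as detection rules over access-log lines. This is an added example, not detection content from this brief or from any vendor; the log format, token names, baselines and thresholds are all constructed assumptions.

```python
from datetime import datetime

# Constructed baseline per token: who holds it, where it is normally used from,
# and which datasets it is meant to read. All names are hypothetical.
PROFILES = {
    "tok_vendor_analytics": {"vendor": True, "countries": {"US"}, "datasets": {"usage_metrics"}},
    "tok_internal_bi": {"vendor": False, "countries": {"US", "DE"}, "datasets": {"usage_metrics", "customers"}},
}
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 UTC, an assumed working window
BULK_ROWS = 100_000             # assumed threshold for a "bulk" read

# Constructed access-log lines in a simple key=value format.
LOG = """\
2026-05-20T14:05:00Z token=tok_internal_bi country=DE dataset=customers rows=1200
2026-05-20T15:30:00Z token=tok_vendor_analytics country=US dataset=usage_metrics rows=90000
2026-05-21T02:14:00Z token=tok_vendor_analytics country=BR dataset=customers rows=480000
2026-05-21T03:02:00Z token=tok_internal_bi country=US dataset=customers rows=250000
"""


def parse(line):
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    event["rows"] = int(event["rows"])
    return event


def detect(event):
    """Return the list of rule names an access event violates."""
    profile = PROFILES.get(event["token"])
    if profile is None:
        return ["unknown_token"]
    hits = []
    if event["country"] not in profile["countries"]:
        hits.append("geo_anomaly")
    if event["time"].hour not in BUSINESS_HOURS and event["rows"] >= BULK_ROWS:
        hits.append("off_hours_bulk_read")
    if profile["vendor"] and event["dataset"] not in profile["datasets"]:
        hits.append("vendor_token_out_of_scope")
    return hits


def scan(log=LOG):
    """Return (timestamp, token, hits) for every line that trips a rule."""
    events = [parse(line) for line in log.splitlines() if line.strip()]
    return [(e["time"].isoformat(), e["token"], h) for e in events if (h := detect(e))]
```

On the sample log, the vendor token's 02:14 read trips all three rules at once, while the internal token's 03:02 read trips only the off-hours bulk rule.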

Sources