TLP:CLEAR | CTI-2026-0526

Daily Threat Intelligence Brief - May 26, 2026

May 26, 2026 | 12 min read
Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors

Executive Summary

  • Microsoft confirmed in-the-wild exploitation of CVE-2026-42897, an Outlook Web Access spoofing and XSS zero-day affecting on-prem Exchange Server SE, 2019, and 2016. No permanent patch is available for 2016 and 2019 outside the Extended Security Update Period 2 program.
  • CISA issued Emergency Directive 26-03 for CVE-2026-20182, a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Controller and Manager, mandating federal remediation by May 17, 2026.
  • CISA added 10 vulnerabilities to the Known Exploited Vulnerabilities catalog during May 2026, including two Microsoft Defender flaws (CVE-2026-41091, CVE-2026-45498), Ivanti EPMM CVE-2026-6973, Langflow CVE-2025-34291, and Trend Micro Apex One CVE-2026-34926.
  • A by-design weakness in the Model Context Protocol affects Anthropic's reference SDKs across Python, TypeScript, Java, and Rust, exposing third-party tools with 150 million combined downloads and 9 of 11 MCP marketplaces. Over 40 MCP CVEs disclosed between January and April 2026.
  • ShinyHunters claims theft of approximately 275 million records from Instructure Canvas, affecting 8,809 customer institutions across 50 countries.
  • CVE-2026-32173 in the Azure SRE Agent (CVSS 8.6) exposed live command streams through an unauthenticated WebSocket endpoint accessible to any Entra ID account holder.
  • Salt Typhoon remains resident in US networks with fresh penetration of House Committee email confirmed. APT28 weaponized CVE-2026-21509 (Microsoft Office) against Ukrainian ministries.
  • Industry breakout time benchmark fell to 72 minutes in 2026, a fourfold acceleration year over year. Ransomware now appears in 44 percent of confirmed breaches.

Critical Vulnerabilities

CVE-2026-42897: Microsoft Exchange Server OWA Spoofing and XSS

Disclosed May 14, 2026, with active exploitation confirmed by Microsoft. CVSS 8.1. An attacker sends a crafted email; if the recipient opens it in OWA under specific interaction conditions, arbitrary JavaScript executes in the browser context, enabling session hijack, token theft, and lateral access to mailbox content.

Affected: on-prem Exchange Server Subscription Edition RTM, 2019, 2016. Exchange Online is not affected. Mitigations do not function when OWA is accessed via Internet Explorer or Edge in IE Mode. Exchange SE has a public update; 2016 and 2019 receive fixes only through the Period 2 Exchange Server ESU program.

Source: Microsoft MSRC advisory CVE-2026-42897, The Hacker News, SecurityWeek.

CVE-2026-20182: Cisco Catalyst SD-WAN Authentication Bypass

CVSS 10.0 critical authentication bypass affecting Cisco Catalyst SD-WAN Controller and Manager. Disclosed May 14, 2026, with confirmed active exploitation. CISA Emergency Directive 26-03 required federal civilian executive branch agencies to remediate by May 17, 2026. Patches are available for all supported releases.

Source: Tenable analysis.

CVE-2026-6973: Ivanti Endpoint Manager Mobile

Added to CISA KEV on May 7, 2026. Improper input validation in Ivanti EPMM exploited in the wild. Federal remediation deadline issued under BOD 22-01. Ivanti has historically been a top-three target for state-aligned operators; treat any unpatched EPMM as actively hunted.

Source: CISA KEV alert 2026-05-07.

CVE-2026-41091 and CVE-2026-45498: Microsoft Defender

Added to CISA KEV on May 20, 2026. CVE-2026-41091 is an elevation of privilege flaw in Microsoft Defender; CVE-2026-45498 is a denial of service. Exploitation in the wild is confirmed. Notable because Defender itself is the attack target rather than a defended asset, undermining endpoint trust assumptions.

Source: Malwarebytes coverage, CISA KEV alert 2026-05-20.

CVE-2025-34291 and CVE-2026-34926: Langflow and Trend Micro Apex One

Added to CISA KEV on May 21, 2026. CVE-2025-34291 is an origin validation error in Langflow, a popular LangChain-adjacent low-code AI workflow platform. CVE-2026-34926 is a directory traversal in Trend Micro Apex One. Langflow exploitation matters because it sits inside many enterprise AI pilot environments with broad credential scope.

Source: CISA KEV alert 2026-05-21.

CVE-2026-41940: cPanel Critical RCE

CVSS 9.8 remote code execution in cPanel under mass exploitation. Patch immediately on any hosting infrastructure. Hosting-tier compromise enables downstream tenant impact and is regularly used as an initial access foothold for ransomware affiliates.

Source: Carthage Electronics threat report.

CVE-2026-0073: Android System Component RCE

Critical remote code execution in the Android System component exploitable by a proximal or adjacent attacker with zero privileges and zero user interaction. Patches are rolling out through Google and OEM update streams. High risk for mobile fleets that lag on the monthly Android security patch level.

Source: Carthage Electronics threat report.

AI Security Threats

May 2026 marks the operational maturation of attacks against agentic AI systems. The threats below are no longer research curiosities. They are reaching production deployments at named vendors.

Model Context Protocol Design Flaw

Researchers disclosed a systemic vulnerability in the MCP architecture itself. MCP uses STDIO as primary transport and does not sanitize spawned command strings. The subprocess-based architecture makes command execution the default interface, inherited by every downstream implementation. The flaw is baked into Anthropic's official MCP SDK across Python, TypeScript, Java, and Rust. Estimated exposure: third-party tools with 150 million combined downloads and 9 of 11 MCP marketplaces.

Between January and April 2026, over 40 CVEs were filed against MCP implementations across the four supported language SDKs. Primary attack vectors include direct command injection through unsanitized tool arguments, tool poisoning via manipulated server descriptions, and prompt injection chained into tool execution.

Source: The Hacker News on Anthropic MCP RCE, Infosecurity Magazine on systemic flaw, Practical DevSecOps MCP guide, authzed timeline of MCP breaches, NSA Cybersecurity Information Sheet on MCP.

CVE-2026-32173: Azure SRE Agent Command Stream Exposure

CVSS 8.6. An unauthenticated WebSocket endpoint in the Azure SRE Agent exposed live command streams to any Entra ID account holder. An attacker with a free-tier Microsoft account could observe and in some configurations inject commands into running site reliability automation. Patched but instructive: agent platforms that integrate cloud privilege rarely apply the same hardening as the underlying cloud control plane.

Source: IBM X-Force analysis of agentic AI vulnerabilities.

Indirect Prompt Injection in Production

Unit 42 in March 2026 documented the first large-scale indirect prompt injection attacks observed in the wild, including ad-review evasion and system prompt leakage on live commercial platforms. Earlier landmark CVEs continue to anchor the threat model: CVE-2025-53773 (CVSS 9.6) demonstrated hidden prompt injection in GitHub pull request descriptions producing RCE via GitHub Copilot, and CVE-2025-32711 (EchoLeak, CVSS 9.3) showed a zero-click data exfiltration path in Microsoft 365 Copilot.

Munich Re's 2026 cyber risk report classifies prompt injection as a "major attack vector" in AI systems. OWASP retained prompt injection as the number one entry in the LLM Top 10 for 2026.

Source: Sombra LLM security risks 2026, Securance OWASP analysis, Cycode 2026 AI vulnerabilities.

Agentic AI Threat Categories

Microsoft Security's May 14 defense-in-depth guidance and Dark Reading's 2026 readership poll converge on a stable threat taxonomy for autonomous agents:

  • Tool misuse and privilege escalation: 520 documented incidents, the most common class. Agents granted broad tool access perform actions beyond intended scope.
  • Memory poisoning: low frequency, high severity. Adversaries implant false data into agent long-term storage. Unlike single-session prompt injection, poisoned memory persists across sessions.
  • Supply chain compromise: agent dependency chains include MCP servers, vector stores, and third-party tool catalogs, each a foothold.
  • Cascading failures: one compromised agent in a multi-agent workflow propagates malicious output to peers.
  • Intent breaking and sensitive data leakage: agents redirected from stated goals; context windows reconstructed from logs to recover secrets.

48 percent of cybersecurity professionals in a Dark Reading poll named agentic AI and autonomous systems the top attack vector heading into 2026, ahead of deepfakes, board recognition, and passwordless adoption.

Source: Microsoft Security blog defense in depth for autonomous agents, Kiteworks agentic AI attack surface, Stellar Cyber threats, Cisco State of AI Security 2026, Adversa AI May 2026 resources.

Threat Actor Activity

Salt Typhoon (China)

Salt Typhoon, the People's Republic of China operator responsible for the 2024 US telecom compromise, remains resident in US networks. Fresh penetration of US House Committee email infrastructure was confirmed during 2026. Salt Typhoon's operational pattern continues to favor long-dwell positions inside lawful intercept and provisioning systems, prioritizing telemetry collection over disruption.

China-Linked Telecom and Government Campaign

A February 2026 China-linked operation, separate from Salt Typhoon, hit more than 50 telecoms and government agencies across 42 countries. The campaign abused Google Sheets as a command and control conduit, staying invisible to network egress controls that expect malicious outbound traffic to go to uncommon SaaS endpoints.

APT28 (Russia, GRU)

APT28 weaponized CVE-2026-21509 in Microsoft Office through malicious DOC files in spear-phishing campaigns against Ukrainian government ministries. Document-based delivery remains GRU tradecraft despite predictions of its demise; the cost curve on living-off-the-land DOC chains is too favorable to abandon.

Iranian APT Activity

Iranian operators continued targeting US critical infrastructure during 2026, with confirmed interaction against water treatment SCADA and HMI control surfaces and energy sector OT. Operations remain consistent with prior IRGC-linked CyberAv3ngers and Static Kitten patterns.

Source: Hive Security state-sponsored deep dive, CybelAngel Chinese threat groups, Dark Reading new China APT analysis, Trend Micro Q1 2026 public sector, NJCCIC AI APT report.

Ransomware and Data Breaches

Notable May 2026 Incidents

| Date | Organization | Actor | Impact |
|------|--------------|-------|--------|
| 2026-05-12 | Ocean City Radio | Undisclosed | Operations forced to shut down after attack costs |
| 2026-05-15 | Instructure Canvas | ShinyHunters | 275M records claimed, 8,809 institutions, 50 countries |
| 2026-05-18 | NVIDIA GeForce NOW Armenia | ShinyHunters | User database including email, DOB, 2FA status, roles |
| 2026-05-20 | Multiple Exchange tenants | Unattributed | OWA session theft via CVE-2026-42897 |
| 2026-05-21 | Langflow deployments | Unattributed | CVE-2025-34291 exploited at scale in AI pilots |

2026 Ransomware Baseline Statistics

| Metric | 2025 Value | 2026 Trend |
|--------|------------|------------|
| Ransomware share of breaches | 32% | 44% (up 37% YoY) |
| Manufacturing share of attacks | 12% | 14% (sector leader) |
| Technology share of attacks | 8% | 9% |
| Retail and wholesale share | 6% | 7% |
| Healthcare avg breach cost | $7.42M | Highest by cost |
| Breakout time benchmark | ~5 hours | 72 minutes |

Source: SharkStriker May 2026 breach list, Malwarebytes Canvas breach, Trend Micro Canvas analysis, BlackFog State of Ransomware 2026, CNIC Ransomware Statistics 2026.

Recommended Actions

Immediate (within 24 hours)

  1. Apply CVE-2026-42897 mitigation on every on-prem Exchange server. Confirm Exchange EM Service is enabled and the automatic mitigation is active. Block OWA access from Internet Explorer and Edge in IE Mode. Hunt for anomalous OWA-originated outbound JavaScript fetches and session token reuse.
  2. Patch Cisco Catalyst SD-WAN Controller and Manager for CVE-2026-20182. Treat any unpatched controller as breached and rotate management credentials, certificates, and tokens.
  3. Apply Microsoft Defender updates for CVE-2026-41091 and CVE-2026-45498. Validate Defender services are running and reporting; assume tamper attempts on hosts last seen with stale signatures.
  4. Patch Ivanti EPMM for CVE-2026-6973 and review MDM-issued device trust posture for anomalies.
  5. Inventory Langflow deployments and apply the CVE-2025-34291 fix. Rotate any API keys or model provider tokens stored in Langflow flows.

Short-Term (within 7 days)

  1. Audit every Model Context Protocol server in use. Pin to current SDK versions, disable STDIO transports where avoidable, and require allowlists for spawned commands. Treat MCP marketplaces as untrusted sources until provenance is established.
  2. Patch cPanel for CVE-2026-41940 across the hosting estate. Validate tenant isolation and rotate hosting control credentials.
  3. Bring all managed devices to the current Android security patch level to remediate CVE-2026-0073.
  4. Validate Azure SRE Agent configuration against the CVE-2026-32173 hardening guidance. Audit WebSocket endpoints across Azure agent and copilot integrations.
  5. Add detections for indirect prompt injection patterns in inbound documents, email, and shared web content processed by AI features. Log AI tool invocations to immutable storage.

Strategic

  1. Treat agentic AI as an enterprise attack surface with its own threat model. Run authorized red team exercises against agent platforms, MCP integrations, and copilot deployments. Krypteia Sec offers structured engagements in this space.
  2. Reduce dwell-time tolerance to the 72-minute benchmark. Invest in detection engineering for the initial access through lateral movement window, not just perimeter and endpoint.
  3. Move toward signed and attested tool catalogs for AI agents. Maintain a reviewed allowlist rather than open marketplace consumption.
  4. Build a memory hygiene practice for long-running agents: periodic memory audits, attestation of memory provenance, and rollback to known-good snapshots.
  5. For education and SaaS tenants downstream of the Canvas breach, assume credential reuse. Force resets and enable phishing-resistant MFA where feasible.

Sources