TLP:CLEAR | CTI-2026-0527

Daily Threat Intelligence Brief - May 27, 2026

May 27, 2026 · 12 min read
Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors

Executive Summary

  • Cisco confirmed active exploitation of CVE-2026-20182, a CVSS 10.0 authentication bypass in Catalyst SD-WAN Controller granting unauthenticated remote attackers full administrative control. CISA mandated federal remediation by May 17, 2026.
  • Microsoft Defender zero-days CVE-2026-41091 (RedSun, local privilege escalation) and CVE-2026-45498 (UnDefend, definition update blocking) are under active exploitation, with a federal patch deadline of June 3, 2026.
  • ShinyHunters claimed a ransomware intrusion against Instructure (Canvas LMS), exfiltrating 3.65 TB of data spanning nearly 9,000 schools and 275 million students, teachers, and staff. The Foxconn North American facility lost 8 TB to the Nitrogen group in the same week.
  • Salt Typhoon, a Chinese state actor, has now compromised more than 600 organizations across 80 countries, expanding into South American telecoms with new implants targeting CDR and lawful intercept systems.
  • Agentic AI risk crystallized into CVE-2026-32173 (CVSS 8.6) in Azure SRE Agent, where any Entra ID account could reach an unauthenticated WebSocket to stream live commands. CVE-2026-25253 enables one-click agent session hijack.
  • Microsoft May Patch Tuesday addressed 137 vulnerabilities (30 critical), led by a perfect 10.0 in Azure DevOps (CVE-2026-42826) and Netlogon RCE CVE-2026-41089. No new zero-days dropped in the Patch Tuesday batch itself.
  • Drupal core SQL injection CVE-2026-9082 was added to KEV on May 22 after observed exploitation in the wild against CMS-driven public sector sites.
  • Prompt injection remains the OWASP LLM01 top risk for 2026, with Munich Re classifying it as a "major attack vector" in its annual cyber risk report and field data showing exposure in 73% of production AI deployments.
  • The CrowdStrike 2026 benchmark for adversary breakout time fell to 72 minutes from initial foothold to active exfiltration, a fourfold compression versus prior-year averages.

Critical Vulnerabilities

CVE-2026-20182: Cisco Catalyst SD-WAN Controller Authentication Bypass

CVSS 10.0. An unauthenticated, remote attacker can bypass authentication and obtain administrative privileges on the SD-WAN Controller. Cisco confirmed in-the-wild zero-day exploitation prior to the patch. CISA added the flaw to KEV and ordered federal civilian agencies to remediate by May 17, 2026. Operators running SD-WAN fabrics should rotate controller credentials, audit policy templates for unauthorized changes, and review tunnel topology for unsanctioned overlays. Source: Cisco SD-WAN zero-day in KEV.

CVE-2026-41091 (RedSun) and CVE-2026-45498 (UnDefend): Microsoft Defender Zero-Days

RedSun is a local privilege escalation in Microsoft Defender; UnDefend allows a standard user to block Defender definition updates, effectively freezing endpoint signatures while other tradecraft executes. CISA confirmed both are exploited in the wild and set a June 3, 2026 federal patch deadline. The pair is being used together to disarm endpoint protection before payload deployment. Source: BleepingComputer on Defender zero-days.

CVE-2026-31431: Linux Kernel Local Privilege Escalation

CVSS 7.8. A local privilege escalation flaw in the Linux kernel reaching root via a use-after-free in a syscall path. CISA added it to KEV on evidence of active exploitation, notably as a post-exploitation step in container escape chains. Patch via your distribution's hardened kernel channel and revisit seccomp profiles for privileged workloads. Source: The Hacker News on CVE-2026-31431.

CVE-2026-42897: Microsoft Exchange Server Spoofing and XSS

Affects Exchange Server Subscription Edition, 2016, and 2019. Microsoft confirmed active in-the-wild abuse for credential-phishing chains and OWA session hijack. On-prem Exchange operators should apply the May security update, audit transport rules, and force credential resets for high-value mailboxes. Source: SecurityWeek on Exchange zero-day.

CVE-2026-9082: Drupal Core SQL Injection

Added to KEV on May 22, 2026 after observed exploitation against public sector and education sites. Allows unauthenticated extraction of session tokens and arbitrary content modification. Drupal sites pinned to outdated 10.x branches are the highest-risk population. Source: CISA KEV catalog.

CVE-2025-34291: Langflow Origin Validation Error

A 2025 Langflow flaw promoted to KEV on May 21, 2026 after researchers observed agent orchestration servers being weaponized as initial access points into broader AI tool chains. Treat any internet-exposed Langflow deployment as compromised pending forensic review. Source: Windows Forum on Langflow KEV add.

CVE-2026-34926: Trend Micro Apex One Directory Traversal

Active exploitation observed against on-prem Apex One management consoles, enabling arbitrary file read and config leakage. Trend customers should apply the May hotfix and search consoles for anomalous read of policy XML. Source: Windows Forum on Apex One KEV add.

CVE-2026-2441: Google Chrome / Chromium Zero-Day

High severity. Allows arbitrary code execution and is being abused in the wild before patch release. Enterprises running Chromium-derived automation, embedded browsers, or developer tooling are in scope, not only end-user browsers. Source: Orca Security on Chrome zero-day.

Microsoft May Patch Tuesday Highlights

Microsoft fixed 137 vulnerabilities, 30 critical. No new zero-days landed in the Patch Tuesday batch. Top items:

  • CVE-2026-42826 (Azure DevOps Information Disclosure): CVSS 10.0.
  • CVE-2026-33109 (Azure Managed Instance for Apache Cassandra): critical RCE.
  • CVE-2026-41089 (Windows Netlogon): critical stack-based buffer overflow allowing unauthenticated network RCE against domain controllers.
  • CVE-2026-35421 (Windows GDI): RCE via crafted EMF opened in Paint.
  • CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367 (Microsoft Word): four critical local-vector RCEs requiring only document open.
  • CVE-2026-41103 (Entra ID): critical elevation of privilege via forged credentials bypassing Entra.

Sources: SOCRadar May 2026 Patch Tuesday, Talos Intelligence on May 2026 Patch Tuesday.

AI Security Threats

The signal this month: AI-specific CVEs are crossing from research curiosity into KEV-grade operational risk. Agentic AI moved up the stack, with prompt injection now treated as an infrastructure-layer threat rather than a model-layer one.

CVE-2026-32173: Azure SRE Agent Live Command Stream Exposure

CVSS 8.6. The Azure SRE Agent exposed an unauthenticated WebSocket endpoint reachable by any Entra ID account holder. The endpoint streamed live agent commands, effectively giving an attacker over-the-shoulder visibility into reasoning, tool calls, and remediation actions on production cloud workloads. The flaw is a reference case for why agentic systems need their own trust boundary, not the boundary of the cloud control plane. Source: IBM Think on agentic AI vulnerabilities.

CVE-2026-25253: One-Click Agent Session Hijack

A one-click remote code execution flaw allowing an attacker to seize control of an active agent session through a crafted URL handler. The pattern (browser-initiated agent takeover) is rapidly becoming the dominant attack class against locally hosted assistants. Source: IBM Think on agentic AI vulnerabilities.

ClawJacked and ClawHub Supply Chain

The "ClawJacked" technique lets a malicious website brute-force and hijack locally running OpenClaw agent instances, silently exfiltrating data by abusing agent autonomy. In parallel, the "ClawHub" repository has been abused to distribute malicious packages disguised as trading bots, productivity utilities, and developer helpers that deploy infostealers on install. Treat agent extension ecosystems with the same scrutiny as npm and PyPI, not as plugins. Source: IBM Think on agentic AI vulnerabilities.

Prompt Injection Stays at OWASP LLM01

OWASP Foundation continues to rank prompt injection as LLM01:2025, the top vulnerability for LLM-backed applications. Field data shows prompt injection exposure in 73% of production AI deployments. Munich Re's annual cyber risk report (March 2026) formally classified prompt injection as a "major attack vector" citing low cost and high scalability for adversaries. There is no foolproof prevention because LLMs cannot perfectly separate instructions from data. Sources: Securance on OWASP LLM01, Kunal Ganglani on prompt injection in 2026.

Repeating-Pattern AI CVEs to Watch

  • CVE-2025-32711 (EchoLeak, Microsoft 365 Copilot): CVSS 9.3 zero-click data exfiltration via crafted document content. Still the canonical example of agent-context exfiltration through trusted enterprise surfaces.
  • CVE-2025-53773 (GitHub Copilot): CVSS 9.6 hidden prompt injection in pull request descriptions enabling remote code execution. Shows that the agent's "review" surface is itself an executable channel.

Source: Cycode on top AI security vulnerabilities.

Industry Signal

A Dark Reading readership poll cited by Stellar Cyber found that 48% of cybersecurity professionals identify agentic AI and autonomous systems as the top attack vector heading into 2026. The risk categories now treated as canonical for agent stacks: prompt injection, tool misuse and privilege escalation, memory poisoning, cascading failures across multi-agent pipelines, and supply chain compromise of plugins or MCP servers. Source: Stellar Cyber on agentic AI threats.

Threat Actor Activity

Salt Typhoon (China)

The Salt Typhoon telecom espionage campaign now spans more than 600 organizations across 80 countries. In 2026, the group expanded into South American telecoms with new implants designed to persist inside call detail record and lawful intercept infrastructure. The campaign remains the most significant telecom-sector intrusion of the decade. Source: Hive Security on nation-state APTs.

Newly Disclosed China APT

A previously undocumented Chinese nation-state actor was reported targeting government agencies, embassies, military operations, and adjacent entities across Africa, the Middle East, and Asia. The campaign mixes spear-phishing with custom backdoors and rotating C2 over compromised regional hosting. Source: Dark Reading on new China APT.

APT28 (Russia)

APT28 was observed exploiting CVE-2026-21509 in Microsoft Office via malicious DOC files against Ukrainian government ministries, consistent with the broader Russian focus on military, logistics, and energy targets. The activity blends espionage with disruption groundwork. Source: Hive Security on state-sponsored actors.

DPRK and Iranian Activity

DPRK and Iranian threat actors expanded credential-focused campaigns, financial theft, and targeted surveillance of policy and civil-society communities. Identity-driven access now accounts for roughly 65% of initial access in tracked nation-state intrusions, with identity weaknesses appearing in nearly 90% of investigations. Source: Hive Security on state-sponsored actors.

Operational Tempo

The 2026 benchmark for adversary breakout time is 72 minutes from initial foothold to active exfiltration, a fourfold reduction from prior-year averages. All four major nation-state blocs operationalized LLMs during 2025 for reconnaissance, lure generation, and code synthesis. Source: Hive Security on APT groups.

Ransomware and Data Breaches

Victim | Actor | Volume | Impact
--- | --- | --- | ---
Instructure (Canvas LMS) | ShinyHunters | 3.65 TB | 275M students, teachers, staff; 9,000 schools
Foxconn (North America) | Nitrogen | 8 TB, 11M files | Project docs, technical drawings exposed
GitHub | Team PCP | 4,000 repos | Internal repository exposure
West Pharmaceutical Services | Unattributed | Under review | Incident response activated May 4
HDFC AMC | Unattributed | Under review | Reported May 17, attack on May 16
Grafana | Coinbase Cartel | Under review | Investigation ongoing

The Instructure breach is the largest education-sector incident on record by user count and reframes LMS platforms as Tier 1 targets. The Foxconn intrusion underscores manufacturing as a soft target for double-extortion groups operating outside the rebuilt LockBit and BlackCat ecosystems. Sources: SharkStriker May 2026 breaches, Malwarebytes on the Instructure breach.

Sector | Trend in May 2026
--- | ---
Education | Single LMS breach exposed 275M records; LMS now a Tier 1 target
Manufacturing | Nitrogen group dominant; OT-adjacent data theft accelerating
Financial | HDFC AMC and other regional firms hit; identity-led intrusions
Pharma | West Pharma hit; supply chain extortion pattern continues
Developer tooling | GitHub repo theft; secrets exposure is the secondary blast

Recommended Actions

Immediate (next 24 to 72 hours)

  • Patch CVE-2026-20182 on every Cisco Catalyst SD-WAN Controller. Treat unpatched controllers as compromised, rotate certificates, and review tunnel and policy diffs since May 1.
  • Deploy Microsoft Defender updates for CVE-2026-41091 and CVE-2026-45498. Verify definition update telemetry is flowing in your SIEM; UnDefend specifically suppresses updates without obvious endpoint signal.
  • Apply Microsoft May Patch Tuesday across domain controllers (CVE-2026-41089 Netlogon), Entra ID environments (CVE-2026-41103), and Azure DevOps (CVE-2026-42826) before end of week.
  • Roll the May Exchange security update on every on-prem Exchange Server (CVE-2026-42897). Force MFA re-enrollment on high-value mailboxes.
  • Patch or restrict Chrome and any Chromium-embedded tooling for CVE-2026-2441.
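
One way to run the definition-update telemetry check from the Defender item above, as an added example that is not part of the original brief: it separates endpoints that are offline from endpoints that still check in but have stopped receiving definitions, which is the signal UnDefend leaves. The record format, the event names `heartbeat` and `sig_update`, the 48-hour and 24-hour thresholds, and the sample hosts are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed telemetry (not real data): "host,ISO timestamp,event".
# "heartbeat" = any endpoint check-in; "sig_update" = definitions updated successfully.
SAMPLE = """\
ws-014,2026-05-27T08:00:00,heartbeat
ws-014,2026-05-27T06:10:00,sig_update
ws-022,2026-05-27T07:55:00,heartbeat
ws-022,2026-05-23T05:30:00,sig_update
ws-031,2026-05-22T17:00:00,heartbeat
ws-031,2026-05-22T04:00:00,sig_update
srv-db1,2026-05-27T07:58:00,heartbeat
"""

def parse(text):
    """Return {host: {"seen": latest event time, "updated": latest sig_update or None}}."""
    hosts = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        host, ts, event = fields[0], datetime.fromisoformat(fields[1]), fields[2]
        rec = hosts.setdefault(host, {"seen": None, "updated": None})
        # Any event proves the endpoint was alive at that time.
        if rec["seen"] is None or ts > rec["seen"]:
            rec["seen"] = ts
        if event == "sig_update" and (rec["updated"] is None or ts > rec["updated"]):
            rec["updated"] = ts
    return hosts

def frozen_signatures(text, now, max_age=timedelta(hours=48), alive=timedelta(hours=24)):
    """Hosts that still check in but whose definitions have stopped advancing."""
    findings = []
    for host, rec in sorted(parse(text).items()):
        if now - rec["seen"] > alive:
            continue  # offline host: stale definitions are expected, triage separately
        if rec["updated"] is None:
            findings.append((host, "no definition update on record"))
        elif now - rec["updated"] > max_age:
            age_h = int((now - rec["updated"]).total_seconds() // 3600)
            findings.append((host, f"last definition update {age_h}h ago"))
    return findings

if __name__ == "__main__":
    for host, reason in frozen_signatures(SAMPLE, datetime(2026, 5, 27, 9, 0)):
        print(f"{host}: {reason}")
```

A host with no update record at all is reported as well, since a missing telemetry feed and a suppressed update look the same from the SIEM side.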

Short-Term (next 7 to 30 days)

  • Inventory every internet-exposed Langflow, MCP server, and agent runtime. Pull the May builds and gate behind authenticated reverse proxies.
  • Apply Trend Micro Apex One hotfix for CVE-2026-34926 and audit console logs for anomalous policy XML reads.
  • Patch Drupal core for CVE-2026-9082. For unmaintained sites, deploy a WAF rule blocking the known injection signature and plan migration.
  • Stand up an agentic AI threat model: enumerate tool surfaces, memory stores, plugin sources, and inter-agent trust paths. Treat agent extensions as a software supply chain.
  • Run an identity-led tabletop. With identity now driving 65% of initial access, your detection and response posture should match.

Strategic (90 days and beyond)

  • Build a dedicated AI red team capability. The Krypteia Sec stance: prompt injection, tool misuse, memory poisoning, and agent supply chain are first-class attack surfaces and need dedicated testers, not bolt-on tasks.
  • Stand up a formal MCP and agent inventory with provenance for every server, model, and plugin. Treat unknown agents the way you treat unmanaged endpoints.
  • Push for an agentic AI zero trust architecture: per-tool authentication, scoped capabilities, just-in-time permissions, memory egress controls, and tamper-evident logging on agent reasoning surfaces.
  • Recalibrate against a 72 minute breakout time. SOC SLAs and runbooks that assume hours of dwell are obsolete; align detection-to-response targets to under one hour.
  • Build a board-ready briefing on AI-driven cyber risk citing Munich Re's classification of prompt injection as a major attack vector and the OWASP LLM01 ranking.

Sources