Daily Threat Intelligence Brief - May 28, 2026

Executive Summary

CISA added three new entries to the Known Exploited Vulnerabilities catalog on May 27, 2026, headlined by CVE-2026-8398, an embedded malicious code vulnerability in Daemon Tools Lite that ships a trojanized installer to users downloading the legitimate utility. Federal civilian agencies must remediate by June 17, 2026.
CVE-2026-6973, an improper input validation flaw in Ivanti Endpoint Manager Mobile (EPMM), remains under active exploitation after its May 7 KEV addition. Operators of internet-exposed EPMM tenants are the highest-risk population and should assume compromise pending forensic review.
Cisco Catalyst SD-WAN CVE-2026-20182 (CVSS 10.0) continues to be abused by an unattributed actor cluster for unauthenticated administrative takeover of controllers. Cisco confirmed in-the-wild activity prior to patch release and CISA's federal deadline has already passed.
Microsoft Exchange Server zero-day CVE-2026-42897 (spoofing and stored XSS in Outlook Web Access) is being weaponized for credential phishing and session hijack against Exchange 2016, 2019, and Subscription Edition.
BlueRock Security telemetry on 7,000 surveyed Model Context Protocol (MCP) servers found 36.7% vulnerable to server-side request forgery. CVE-2026-33032 (CVSS 9.8) in nginx-ui MCP exposes more than 2,600 public instances to unauthenticated full takeover.
Iranian-affiliated APT activity, reported by CISA in joint advisory AA26-097A, has disrupted Rockwell Automation Allen-Bradley programmable logic controllers across US water, wastewater, energy, and government facility sectors since at least March 2026.
ShinyHunters continues to extort Instructure (Canvas LMS) after the May intrusion that exposed roughly 275 million student, teacher, and staff records across 8,809 institutions. A secondary breach hit an NVIDIA GeForce NOW Alliance partner in Armenia.
Salt Typhoon, the China-linked telecom intrusion cluster, is now reported in more than 80 countries with confirmed fresh penetration of US House committee email infrastructure and 50-plus telco and government victim networks identified since February 2026.
Unit 42's 2026 attack-speed benchmark places median breakout time at 72 minutes from initial access to data exfiltration, a fourfold compression against the prior-year baseline and the operational baseline defenders must now plan around.
Prompt injection remains OWASP LLM01 for 2026 with the Foundation reaffirming it as the single most critical AI application vulnerability. Field audits show exposure in roughly 73% of production AI deployments, including AI-assisted IDE workflows where pull request descriptions were demonstrated as a remote code execution vector.

Critical Vulnerabilities

CVE-2026-8398: Daemon Tools Lite Embedded Malicious Code

Added to the CISA KEV catalog on May 27, 2026. The vulnerability stems from a supply-chain compromise in which a trojanized installer was distributed through legitimate download channels, embedding malicious code in the Daemon Tools Lite virtual drive utility. Endpoints that installed the utility within the affected build window should be treated as compromised, with credential rotation and full reimage as the safe path. Source: CISA KEV update May 27.

CVE-2026-6973: Ivanti Endpoint Manager Mobile Improper Input Validation

Added to KEV on May 7, 2026. The flaw allows an unauthenticated attacker to inject crafted input that bypasses validation logic and reaches administrative functionality within EPMM. Given Ivanti EPMM's role as a mobile device management spine, successful exploitation grants attackers a pivot point into corporate device fleets. Patch immediately, restrict admin console exposure to VPN, and audit device enrollment events for anomalies. Source: CISA KEV May 7 addition.

CVE-2026-20182: Cisco Catalyst SD-WAN Controller Authentication Bypass

CVSS 10.0. An unauthenticated remote attacker can bypass authentication and obtain full administrative privileges on the SD-WAN Controller. Cisco confirmed in-the-wild exploitation in May 2026. The federal remediation deadline has passed; operators that have not patched should rotate controller credentials, audit policy templates for unauthorized changes, and review tunnel topology for unsanctioned overlays. Source: Tenable FAQ on CVE-2026-20182.

CVE-2026-42897: Microsoft Exchange Server Spoofing and XSS

Affects Exchange Server Subscription Edition, 2016, and 2019. Microsoft confirmed active exploitation. The flaw is triggered by a specially crafted email that executes malicious JavaScript when opened in Outlook Web Access under certain conditions, enabling credential theft and session hijack. On-premises Exchange operators should apply the May security update, audit transport rules, and force credential resets for high-value mailboxes. Source: SecurityWeek on Exchange zero-day.

CVE-2026-41091 and CVE-2026-45498: Microsoft Defender Zero-Days

Both added to KEV on May 20, 2026 with a federal patch deadline of June 3. CVE-2026-41091 is an elevation of privilege flaw and CVE-2026-45498 is a denial of service that lets a standard user block Defender definition updates, freezing endpoint signatures while other tradecraft runs. The pairing is being used to neutralize endpoint protection ahead of payload deployment. Source: Malwarebytes on exploited Defender flaws.

CVE-2026-34926: Trend Micro Apex One Directory Traversal

Added to KEV on May 21, 2026. Allows arbitrary file read and policy configuration leakage from on-premises Apex One management consoles. Trend customers should apply the May hotfix and search consoles for anomalous reads of policy XML. Source: CISA May 21 KEV addition.

CVE-2025-34291: Langflow Origin Validation Error

A 2025 Langflow vulnerability promoted to KEV on May 21, 2026 after researchers observed agent orchestration servers being used as the initial access foothold into broader AI tool chains. Treat any internet-exposed Langflow deployment as compromised pending forensic review and pull all stored credentials, API tokens, and prompt history. Source: CISA May 21 KEV addition.

CVE-2026-33032: nginx-ui MCP Endpoint Unauthenticated RCE

CVSS 9.8. BlueRock Security identified more than 2,600 publicly exposed instances of the vulnerable endpoint, any of which can be taken over by an unauthenticated attacker to execute code in the context of the agentic infrastructure. The vulnerability is part of a broader MCP attack surface where 36.7% of surveyed servers were SSRF-vulnerable. Operators should immediately remove public exposure and audit logs for anomalous tool invocations. Source: Kiteworks on agentic AI attack surface.

CVE-2026-0073: Android System Component RCE

Critical remote code execution in the Android System component, affecting Android 14, 15, 16, and 16-QPR2. Exploitable by a proximal or adjacent attacker with no privileges and no user interaction required. The proximity requirement narrows the threat surface to Bluetooth, Wi-Fi, or nearby radio attacks but enables high-impact device compromise for executives in close-quarters environments. Source: Carthage zero-day report May 2026.

CVE-2026-41940: cPanel Authentication Bypass via CRLF Injection

A critical authentication bypass in cPanel and WHM disclosed on April 28, 2026, stemming from CRLF injection in login and session handling. Exploitation has been observed in the wild since at least February 2026, so any cPanel-managed hosting environment that did not patch promptly should be treated as potentially compromised. Source: Carthage zero-day alert May 2026.

AI Security Threats

The agentic AI attack surface is the dominant story this week. Prompt injection has escalated from a model-level concern into an infrastructure problem, with MCP poisoning, agent memory corruption, and tool-call chain abuse joining the classic instruction-override pattern.

BlueRock Security surveyed roughly 7,000 publicly reachable MCP servers and found 36.7% potentially vulnerable to server-side request forgery, where an attacker tricks the MCP host into making requests to internal resources. The same study highlighted CVE-2026-33032 in nginx-ui MCP, a CVSS 9.8 unauthenticated RCE with more than 2,600 exposed instances at the time of the report. The combination of vibe-coded MCP servers, unvetted open-source dependencies, and minimal security review during deployment is producing a fleet that is vulnerable by design. Source: Aembit guide to MCP security vulnerabilities.

The American Banker reporting on Anthropic's MCP architectural flaw notes that the protocol design itself creates a third-party security exposure channel that the company has declined to patch, forcing banks and other regulated industries to manage the risk through compensating controls rather than fixes. The practical implication for security teams: MCP server inventory, traffic segmentation, and outbound egress controls now belong in the same risk tier as Active Directory and identity infrastructure. Source: American Banker on unpatched AI flaw in banking.

Prompt injection holds the OWASP LLM01 designation for 2026, with the Foundation describing it as the single most critical vulnerability in AI applications. Field telemetry shows prompt injection exposure in roughly 73% of production AI deployments, and OpenAI has publicly described the problem as a "frontier security challenge" with no clean solution. The two reference vulnerabilities driving 2026 threat models are CVE-2025-53773 (CVSS 9.6), which proved that hidden prompt injection in GitHub pull request descriptions could yield remote code execution through GitHub Copilot, and CVE-2025-32711 (EchoLeak, CVSS 9.3), the zero-click vulnerability in Microsoft 365 Copilot disclosed in June 2025. Both are now standard testing references for AI red teams. Sources: Securance on OWASP LLM01, Cycode top AI security vulnerabilities.

Researchers have demonstrated practical attack scenarios in which agents were manipulated into making unauthorized API calls, accessing restricted data, and even initiating financial transactions. The pattern that recurs across reported incidents is the same: indirect prompt injection lands in tool output (a web page fetched, a document parsed, a Jira ticket read), and the agent treats that content as instruction rather than data. Defensive architecture must therefore separate tool output from instruction context at the agent runtime layer, not at the prompt template layer. Source: CygenIQ guide to prompt injection in RAG and agents.

For organizations running agentic workloads, the immediate hygiene checklist is: inventory every MCP server in use including community packages, restrict MCP host network egress to known good destinations, capture tool-call telemetry for offline review, deploy a separate identity for the agent that is least-privileged against backend systems, and treat any agent that processes external content as an indirect-injection attack surface. Source: Adversa AI top MCP security resources May 2026.

Threat Actor Activity

Iranian-Affiliated APT Targeting US Critical Infrastructure

CISA released joint advisory AA26-097A covering Iranian-affiliated APT operations active since at least March 2026 against US critical infrastructure. The actor cluster has been observed disrupting programmable logic controllers in Government Services and Facilities, Water and Wastewater Systems, and Energy sectors. Targeted equipment includes internet-facing Rockwell Automation and Allen-Bradley PLCs, accessed from a rotating set of overseas IP addresses. Asset owners should remove PLC management interfaces from public network exposure, deploy industrial protocol allow-lists at the IT/OT boundary, and review PLC logic for unauthorized program changes. Source: CISA advisory AA26-097A.

Salt Typhoon (China-Linked)

Salt Typhoon, the cluster behind the 2024 US telecom intrusion campaign, has expanded reach to networks in more than 80 countries spanning telecommunications, transportation, and government targets. Confirmed activity in 2026 includes fresh penetration of US House committee email infrastructure, and a separate but related China-linked campaign struck more than 50 telcos and government agencies across 42 countries in February 2026, with operators staging command and control inside Google Sheets to evade detection. Source: CybelAngel on Chinese APTs in 2026.

Speed Benchmark

Unit 42 telemetry sets the 2026 median breakout time at 72 minutes from initial access to first data exfiltration, a roughly fourfold compression against the prior-year baseline. The implication for defenders: any control architecture that relies on human-in-the-loop response within hours is structurally too slow. Detection and response automation, pre-authorized containment actions, and SOAR playbooks for the top 10 initial-access scenarios are the minimum bar for surviving 2026 intrusion velocity. Source: CybelAngel APT report.

Ransomware and Data Breaches

Victim	Actor	Records or Volume	Notes
Instructure (Canvas)	ShinyHunters	275M records	8,809 schools, defaced login page, double-extortion
NVIDIA GeForce Alliance	ShinyHunters	Unspecified	Armenia partner breach, follow-on extortion
Ocean City Radio	Unattributed	Operations only	Station forced to shut down May 12, financial loss
Multiple US K-12	Indirect	Coursework disrupted	Canvas downstream impact, classes suspended in several districts

The Canvas/Instructure intrusion is the dominant breach story of May 2026. ShinyHunters defaced the Canvas login page with a ransom demand, published a per-institution record-count list spanning 8,809 schools and universities, and disrupted classes and coursework at districts across the United States. The data set spans students, teachers, and staff, with per-institution counts ranging from tens of thousands to several million. Source: Malwarebytes on Canvas breach.

ShinyHunters also claimed a follow-on intrusion against an NVIDIA GeForce NOW Alliance partner in Armenia, indicating the group is leveraging Canvas-era momentum to extort adjacent targets. The Qilin ransomware-as-a-service operation continues to target US, Canadian, French, UK, and Italian victims with double-extortion playbooks, and the KRYBIT data-leak site remains active on Tor as a publication channel for non-paying victims. Source: SharkStriker May 2026 breaches.

Recommended Actions

Immediate (within 24 hours)

Apply patches for CVE-2026-20182 (Cisco SD-WAN), CVE-2026-42897 (Exchange), CVE-2026-6973 (Ivanti EPMM), CVE-2026-41091 and CVE-2026-45498 (Defender), CVE-2026-34926 (Apex One), and CVE-2026-33032 (nginx-ui MCP). Treat each as exploited until you can prove otherwise.
Inventory installed Daemon Tools Lite instances against the CVE-2026-8398 advisory window and quarantine any matching endpoints pending reimage.
Remove all internet-exposed Langflow, MCP server, and PLC management interfaces from public address space. Reachable agent orchestration is the new exposed RDP.
Search Exchange OWA logs for anomalous email-triggered JavaScript execution patterns indicating CVE-2026-42897 exploitation, then force credential reset for any account with suspicious OWA session activity.

Short Term (within 7 days)

Run a full MCP server inventory against the BlueRock SSRF criteria and the Aembit MCP security checklist. Pull any community-sourced MCP server that has not had a 2026 security review.
Deploy outbound egress controls and tool-call telemetry capture on every agent runtime. Tool output and instruction context must be separated at the runtime layer, not the prompt layer.
Tune EDR and SIEM detections for the Iranian PLC tradecraft described in CISA advisory AA26-097A, including the listed overseas IP indicators and Rockwell-targeted protocols.
Validate that incident response playbooks are tuned for a 72-minute breakout window. Manual approval gates that take longer than one hour are now structurally insufficient.

Strategic (within 30 to 90 days)

Stand up an MCP and agentic AI governance program: identity-per-agent, least-privilege tool scopes, signed-tool inventory, and quarterly red team exercises explicitly targeting indirect prompt injection.
Adopt OWASP LLM01 2026 as a board-level reporting metric. Track prompt-injection exposure and mitigation coverage in the same cadence as patching SLAs.
Conduct tabletop exercises for the Canvas-style supply-chain breach scenario, with particular focus on downstream educational and SaaS dependency mapping.
Refresh OT and ICS segmentation for water, energy, and government facilities against the Iranian PLC tradecraft. Confirm that PLC management traffic cannot reach the internet, even via misconfigured jump hosts.