Krypteia Sec
Back to Threat Intel
TLP:CLEARCTI-2026-0529

Daily Threat Intelligence Brief - May 29, 2026

May 29, 202616 min read
ctivulnerabilitiesransomwareai-securityagentic-aithreat-actors

Daily Threat Intelligence Brief: May 29, 2026

Report ID: CTI-2026-0529 Classification: TLP:CLEAR Prepared by: Krypteia Security Threat Intelligence

Executive Summary

  • Cisco confirmed active zero-day exploitation of CVE-2026-20182, a maximum-severity (CVSS 10.0) authentication bypass in Catalyst SD-WAN Controller and Manager. This is the sixth SD-WAN zero-day of 2026, and CISA mandated federal remediation by May 17 under Emergency Directive 26-03. Help Net Security, Cisco
  • Microsoft Exchange Server zero-day CVE-2026-42897 (CVSS 8.1) is being exploited in the wild through Outlook Web Access. No permanent patch exists, only an emergency mitigation, and the CISA KEV remediation deadline for federal agencies is today, May 29. SecurityWeek, Dark Reading
  • Two Microsoft Defender zero-days, RedSun (CVE-2026-41091, local privilege escalation) and UnDefend (CVE-2026-45498, CVSS 7.5 denial of service), are being chained by attackers to blind endpoint protection before deploying ransomware. Both are now in the CISA KEV catalog with a June 3 federal deadline. BleepingComputer, Help Net Security
  • AI agent frameworks crossed from theoretical to weaponized: Microsoft disclosed prompt-injection-to-RCE flaws in Semantic Kernel (CVE-2026-26030 CVSS 9.8 and CVE-2026-25592), proving a single retrieved document can open a shell on the agent host. Microsoft Security Blog
  • The "Comment and Control" research class showed Claude Code, Gemini CLI, and GitHub Copilot Agent could be hijacked through GitHub comments to steal CI/CD credentials, with Anthropic internally rating the issue CVSS 9.4. SecurityWeek
  • Software supply-chain poisoning dominated the May 27 KEV additions: TanStack (CVE-2026-45321), Nx Console (CVE-2026-48027), and Daemon Tools Lite (CVE-2026-8398) were all flagged for embedded credential-stealing malware. The Hacker News
  • ShinyHunters executed the largest education-sector breach on record, exfiltrating roughly 3.65 TB tied to about 275 million Canvas users across 8,809 institutions, then collecting a ransom from Instructure to halt the leak. The Hacker News, The Register
  • Nation-state activity stayed elevated: ESET reported APT campaigns against oil shipments, drone makers, and a poisoned code library, while Salt Typhoon expanded into South American telecom networks with new implants. Help Net Security, IT Pro
  • Microsoft's May 2026 Patch Tuesday closed 118 to 120 flaws with 16 to 17 rated critical and, notably, zero actively exploited bugs at release, the first such month since June 2024. BleepingComputer

Critical Vulnerabilities

CVE-2026-20182: Cisco Catalyst SD-WAN Controller Authentication Bypass

A remote, unauthenticated authentication bypass rated CVSS 10.0 in Cisco Catalyst SD-WAN Controller and Manager, disclosed May 14 with confirmed active exploitation. The flaw lives in the vdaemon service over DTLS (UDP port 12346), the same service previously affected by CVE-2026-20127. An attacker can become an authenticated peer of the appliance and perform privileged operations, including injecting an attacker-controlled public key into the vmanage-admin account's authorized SSH keys file. This is Cisco's sixth SD-WAN zero-day of 2026. CISA issued Emergency Directive 26-03 requiring remediation by May 17. Patches are available for all supported releases.

  • Affected: Cisco Catalyst SD-WAN Controller and SD-WAN Manager (all supported versions pre-patch)
  • Status: Actively exploited, patch available, CISA emergency directive issued
  • Sources: Tenable, BleepingComputer, The Hacker News

CVE-2026-42897: Microsoft Exchange Server OWA Cross-Site Scripting Zero-Day

An improper neutralization of input during web page generation (stored XSS) in on-premises Microsoft Exchange Server, CVSS 8.1, exploited in the wild. An attacker sends a specially crafted email that executes malicious JavaScript when the recipient opens it in Outlook Web Access, enabling session token theft, mailbox impersonation, and inbox-rule manipulation without ever touching the server directly. There is no permanent patch. Microsoft shipped an emergency mitigation (label M2.1.x) via the Exchange Emergency Mitigation Service on May 14, and CISA added the flaw to KEV on May 15 with a federal remediation deadline of today, May 29.

  • Affected: Exchange Server 2016, Exchange Server 2019, Exchange Server Subscription Edition (Exchange Online is not affected)
  • Status: Actively exploited, mitigation only, no full patch
  • Sources: Security Affairs, Microsoft, Infosecurity Magazine

CVE-2026-41091 and CVE-2026-45498: Microsoft Defender RedSun and UnDefend

Two Microsoft Defender zero-days under active exploitation. CVE-2026-45498 (UnDefend, CVSS 7.5, network vector) targets the Defender Antimalware Platform and can crash or disable real-time scanning, opening a window for malware to run without inspection. CVE-2026-41091 (RedSun) is a local privilege escalation caused by the Microsoft Malware Protection Engine improperly resolving links before accessing files. Huntress incident responders observed an attacker chaining BlueHammer, RedSun, and UnDefend to disable protection and stage ransomware. Both CVEs are in the CISA KEV catalog with a federal deadline of June 3.

CVE-2026-26030 and CVE-2026-25592: Microsoft Semantic Kernel Prompt-Injection RCE

Microsoft disclosed (May 7) two critical flaws that turn prompt injection into remote code execution in the Semantic Kernel agent framework. CVE-2026-26030 (CVSS 9.8) routes attacker-controlled vector-store fields into a Python eval() call inside the InMemoryVectorStore component, with attackers bypassing AST validation through Python class-hierarchy traversal. CVE-2026-25592 exposes a host-side file-download method (DownloadFileAsync) as a callable kernel function in the .NET SDK, where the localFilePath parameter is almost entirely model-controlled with minimal path validation. One retrieved document is enough to launch a process on the agent host. Fixed in Python 1.39.4 and .NET 1.71.0.

  • Affected: Semantic Kernel Python SDK below 1.39.4, .NET SDK below 1.71.0
  • Status: Patched, no confirmed in-the-wild exploitation yet, high architectural risk
  • Sources: Microsoft Security Blog, PointGuard AI

CVE-2026-32173 and CVE-2026-32211: Azure SRE Agent and Azure MCP Server

Two authentication failures in Microsoft's agentic cloud tooling. CVE-2026-32173 (CVSS 8.6) is an improper-authentication flaw in the Azure SRE Agent Gateway SignalR hub that lets an unauthorized attacker with network connectivity silently access agent interaction streams and disclose sensitive enterprise cloud operations data. It was reported by Enclave AI researcher Yanir Tsarimi. CVE-2026-32211 (CVSS 9.1) is a critical authentication flaw in the Azure MCP Server that exposes sensitive data. Both underscore that the management plane for AI agents is now a first-class target.

Recent CISA KEV Additions (May 20 to May 27, 2026)

CVE ID Product Type KEV Added Source
CVE-2026-41091 Microsoft Defender (RedSun) Local privilege escalation May 20 CISA
CVE-2026-45498 Microsoft Defender (UnDefend) Denial of service May 20 CISA
CVE-2025-34291 Langflow Origin validation error May 21 CISA
CVE-2026-34926 Trend Micro Apex One (On-Premise) Directory traversal May 21 CISA
CVE-2026-48172 LiteSpeed cPanel Plugin Privilege escalation May 26 CISA
CVE-2026-8398 Daemon Tools Lite Embedded malicious code May 27 The Hacker News
CVE-2026-45321 TanStack (npm) Supply-chain code injection May 27 The Hacker News
CVE-2026-48027 Nx Console Embedded malicious code May 27 The Hacker News

AI Security Threats

The defining trend of this reporting period is that prompt injection has graduated from a model-level annoyance to an infrastructure-level remote code execution and credential-theft vector. The attack surface is no longer the chatbot, it is the agent runtime, the framework, the management plane, and the developer supply chain.

Prompt Injection as Remote Code Execution

The Semantic Kernel disclosures (CVE-2026-26030 and CVE-2026-25592, detailed above) are the clearest proof point. Both flaws stem from the same architectural mistake: trusting model-routed input deep enough that it reaches a code-evaluation primitive. A single poisoned document in a vector store, or a single model-controlled file path, is sufficient to launch a process on the host running the agent. Microsoft framed the pattern bluntly in its research title, "When prompts become shells." Microsoft Security Blog

Comment and Control: Hijacking Coding Agents Through Git Comments

Researchers Aonan Guan (Wyze Labs) with Zhengyu Liu and Gavin Zhong (Johns Hopkins) demonstrated a prompt-injection class affecting Anthropic's Claude Code Security Review, Google's Gemini CLI Action, and GitHub Copilot Agent running in GitHub Actions. An attacker plants instructions in a pull-request title, issue body, or HTML comment that GitHub's rendered Markdown hides. The agent reads the comment as trusted context, executes attacker-supplied instructions, and exfiltrates CI/CD credentials back through a PR comment or git commit, with no external server required. Anthropic internally rated the issue Critical (CVSS 9.3, later 9.4); Google and GitHub triaged it as well. No CVEs were assigned and no public advisories were published by the three vendors, which is itself a transparency gap. SecurityWeek, Repello AI

The Agent Management Plane Is Now a Target

The Azure SRE Agent (CVE-2026-32173) and Azure MCP Server (CVE-2026-32211) flaws show that the control surfaces for AI agents are exposed in the same ways traditional APIs have always been: unauthenticated WebSocket and SignalR endpoints, broken authorization, and silent eavesdropping on live command streams. As organizations wire agents into production operations, the gateway and orchestration layer becomes the highest-value pivot point. Network World

AI Tooling in the KEV Catalog and the Supply Chain

CISA added the AI tool Langflow (CVE-2025-34291) to KEV on May 21, confirming active exploitation of AI development infrastructure. On May 27, the catalog absorbed three supply-chain poisoning entries (TanStack, Nx Console, Daemon Tools Lite) where trusted packages and extensions shipped credential-harvesting payloads. This connects to the broader npm-poisoning trend: in late March 2026, actors tied to North Korea's Lazarus umbrella compromised the axios package (roughly 100 million weekly downloads) after building a fake Slack workspace and impersonating a company founder. AI coding agents that auto-install and execute dependencies dramatically widen the blast radius of these compromises. CISA via The Hacker News, Help Net Security ESET report

Emerging Patterns: Memory Poisoning, Sleeper Agents, and the Lethal Trifecta

Threat researchers are tracking newer agentic risks beyond direct injection: prompt injection via logs, confused-deputy attacks, and semantic-mosaic data leakage. Of particular concern is indirect prompt injection through poisoned data sources that corrupts an agent's long-term memory, causing it to develop persistent false beliefs, a "sleeper agent" scenario where the compromise lies dormant until a triggering condition activates it. The "lethal trifecta" framing (an agent that has access to private data, exposure to untrusted content, and the ability to externally communicate) remains the core risk model for 2026. A comparative audit found that no major vendor currently publishes injection-resistance metrics, leaving buyers without a way to compare defensive posture. Adversa AI, Airia, Cisco Blogs

Additional Agentic Disclosures

A critical vulnerability in NousResearch's Hermes Agent allows persistent prompt injection through unscanned DESCRIPTION.md files inside skill directories, and a command-injection flaw in Google Antigravity via the find_by_name tool enabled remote code execution and sandbox escape. Both reinforce that agent extension and skill-loading mechanisms are an under-reviewed attack surface. Adversa AI

Threat Actor Activity

Actor Attribution Recent Activity Source
UAT-8616 Unattributed Exploiting Cisco SD-WAN flaws since at least 2023; 10 additional clusters joined after PoC for CVE-2026-20182. Tenable
APT28 Russia (GRU 26165) Targeting government and military via Office flaw CVE-2026-21509; DOJ and FBI dismantled compromised SOHO routers. The Cyber Express
Lazarus North Korea Stole $1.5B from Bybit (Feb 2026) via Safe{Wallet} supply-chain compromise; poisoned the npm axios package. IT Pro
Salt Typhoon China New implants TernDoor, PeerTime, BruteEntry; expanded into South American telecom networks. The Cyber Express
CRINK collective China/Russia/Iran/North Korea Integrating generative AI into reconnaissance, malware development, and social engineering. IT Pro

ESET's APT activity report (May 28) detailed campaigns targeting oil shipments, drone manufacturers, and a poisoned code library, with China-aligned groups accounting for the largest portion of recorded attack sources during the period. Across the board, the headline shift is state-sponsored adoption of generative AI to accelerate the early stages of intrusion. Help Net Security

Ransomware and Data Breaches

Most Active Ransomware Groups

Group Tracked Victims (Cumulative) Notes Source
Qilin 1,733 Most prolific group tracked; led recent weekly counts. Cyber Threat Intelligence
Akira 1,299 Consistently among top weekly drivers. Dark Reading
Play 885 Sustained high-volume operations. Cyber Threat Intelligence
RansomHub 842 Paused operations in April after disruption. Cyber Threat Intelligence
Cl0p 740 Resurged on mass-exploitation campaigns. Dark Reading

Recent weekly tracking recorded 31 new victims with Everest (7), Qilin (5), Akira (4), and DragonForce (4) as the primary drivers. The Gentlemen ransomware group is scaling faster than any group on record according to Halcyon. Bank Info Security, Halcyon

Notable Breaches and Incidents

Organization Threat Actor Impact Source
Instructure (Canvas) ShinyHunters ~3.65 TB and ~275M users across 8,809 institutions; ransom paid. The Hacker News
Heritage Bank Undisclosed 182,793 individuals; unauthorized access March to April 2026. SharkStriker
Tampa Bay Dental Implants TridentLocker 6,400 individuals; clinical data and some SSNs exposed. SharkStriker
Ocean City Radio Undisclosed Shut down permanently May 12 from recovery costs. SharkStriker

The Canvas incident is now considered the largest education-sector breach on record. ShinyHunters accessed Canvas systems on April 25, Instructure detected the intrusion four days later, and after a second intrusion replaced the login page with a ransom message on May 7 during finals week, Instructure announced on May 11 that it had reached an agreement and the data was destroyed. Compromised data included names, email addresses, student ID numbers, and user messages; Instructure found no evidence that passwords, dates of birth, government identifiers, or financial data were involved. CNN, Reed Smith

Recommended Actions

Immediate (Critical)

  1. Patch Cisco Catalyst SD-WAN Controller and Manager for CVE-2026-20182 now. Federal CISA Emergency Directive 26-03 deadline has already passed (May 17). Rotate any SSH keys on vmanage-admin and audit authorized_keys for unauthorized entries.
  2. Apply the Exchange Emergency Mitigation Service fix (M2.1.x) for CVE-2026-42897 on all on-premises Exchange servers. The CISA KEV federal deadline is today, May 29. For air-gapped environments, run the latest Exchange On-premises Mitigation Tool manually via elevated Exchange Management Shell.
  3. Patch Microsoft Defender for CVE-2026-41091 (RedSun) and CVE-2026-45498 (UnDefend) ahead of the June 3 KEV deadline. Hunt for Defender service crashes or disablement events that could indicate the UnDefend blind-spot window being abused before ransomware deployment.
  4. Confirm the May 2026 Patch Tuesday rollup (118 to 120 flaws, 16 to 17 critical) is fully deployed across the estate.

Short-Term (High)

  1. Upgrade Semantic Kernel to Python 1.39.4 or .NET 1.71.0, then audit all internally built agent frameworks for eval(), dynamic code execution, and host file-system primitives reachable from model-routed input.
  2. Review every AI coding agent running in CI/CD (Claude Code, Gemini CLI, GitHub Copilot Agent). Restrict agent permissions, scope CI secrets to least privilege, and treat repository comments, issue bodies, and PR titles as untrusted input per the Comment and Control findings.
  3. Patch Azure SRE Agent (CVE-2026-32173) and Azure MCP Server (CVE-2026-32211), and inventory any externally reachable agent gateways or WebSocket and SignalR endpoints.
  4. Audit dependency trees for the poisoned packages now in KEV (TanStack, Nx Console) and the previously compromised axios package. Pin versions, enable provenance verification, and disable auto-install of unverified extensions.
  5. Remediate the remaining May KEV entries relevant to your stack: Langflow (CVE-2025-34291), Trend Micro Apex One (CVE-2026-34926), and LiteSpeed cPanel (CVE-2026-48172).

Strategic (Awareness and Architecture)

  1. Treat prompt injection as an infrastructure-level threat, not a content-moderation problem. Enforce a hard boundary between untrusted model input and any code-execution, file-system, or credential primitive.
  2. Apply the lethal-trifecta model when designing agents: no single agent should hold private data access, untrusted content exposure, and unrestricted external communication simultaneously.
  3. Demand injection-resistance metrics and security transparency from AI vendors during procurement, since no vendor currently publishes them.
  4. Monitor agent long-term memory and retrieval stores for poisoning, and build detection for dormant or sleeper-agent behavior triggered by specific conditions.
  5. For education, healthcare, and finance sectors, rehearse incident response for large-scale extortion. The Canvas, DaVita-class healthcare, and banking incidents this period show double-extortion and pay-or-leak pressure remain the dominant playbook.

Sources

Report generated by Krypteia Security Threat Intelligence on 2026-05-29. Classification TLP:CLEAR. All findings are sourced from publicly available reporting linked above and should be independently validated before operational action.