Krypteia Sec
Back to Threat Intel
TLP:CLEARCTI-2026-0530

Daily Threat Intelligence Brief - May 30, 2026

May 30, 202614 min read
ctivulnerabilitiesransomwareai-securityagentic-aithreat-actors

Executive Summary

  • Microsoft Exchange Server is under active attack with no permanent patch. CVE-2026-42897, an OWA cross-site scripting zero-day (CVSS 8.1), is being exploited in the wild via crafted email. CISA set a federal remediation deadline of May 29, 2026. Only an emergency mitigation exists. (SecurityWeek, Microsoft)
  • cPanel CVE-2026-41940 (CVSS 9.8) is among the most exploited flaws on the internet. A pre-auth bypass affecting roughly 1.5 million exposed instances has compromised 44,000+ servers, with Mirai recruitment and ".sorry" ransomware payloads observed. (Rapid7, Picus)
  • Cisco Catalyst SD-WAN CVE-2026-20182 (CVSS 10.0) was exploited as a zero-day for an authentication bypass yielding admin control. CISA added it to the KEV catalog on May 14, 2026. (BleepingComputer, CISA)
  • The agentic AI supply chain is the fastest-growing attack surface. Researchers disclosed 40+ CVEs against Model Context Protocol implementations between January and April 2026, including a systemic "by-design" flaw in Anthropic's MCP SDKs that Ox Security says exposes 200,000+ server instances. (SecurityWeek, DEV Community)
  • Microsoft Defender flaws are being exploited in the wild. CVE-2026-45498 ("UnDefend," remote DoS) and CVE-2026-41091 (elevation of privilege) were added to KEV on May 20, 2026. The DoS creates a detection blind spot for ransomware staging. (Malwarebytes, CISA)
  • ShinyHunters claims a 275-million-record education breach via the Canvas platform, naming 8,809 affected institutions, in one of the largest education-sector incidents on record. (Malwarebytes)
  • Chinese state actors remain pre-positioned in US critical infrastructure. CISA's February 2026 supplementary advisory flags intensified Volt Typhoon activity in water and communications sectors, consistent with pre-conflict positioning. (CISA, Cybersecurity Dive)
  • Ransomware is consolidating and accelerating. In Q1 2026 the top 10 groups accounted for 71.1% of data-leak-site victims, the highest concentration since Q1 2024, while LockBit 5.0 returned and Cl0p surged past 1,189 primary incidents. (Check Point Research, Ransom-DB)
  • Adversary breakout time has collapsed to 72 minutes, a fourfold reduction year over year, narrowing the window for detection and response. (Hive Security)

Critical Vulnerabilities

CVE-2026-42897: Microsoft Exchange Server OWA Zero-Day (CVSS 8.1)

An improper-neutralization (cross-site scripting) flaw in on-premises Exchange Server, actively exploited via specially crafted email. When the recipient opens the message in Outlook Web Access, arbitrary JavaScript executes in the authenticated browser session, enabling session-token theft, mailbox impersonation, and mail-rule manipulation without the attacker touching the server. Affects Exchange Server 2016, 2019, and Subscription Edition at all patch levels. Exchange Online is not affected. No permanent patch exists; Microsoft deployed an Emergency Mitigation Service fix (M2.1.x) on May 14, and CISA required federal remediation by May 29, 2026. (Security Affairs, Dark Reading)

CVE-2026-41940: cPanel and WHM Pre-Auth Authentication Bypass (CVSS 9.8)

A pre-authentication remote auth bypass chaining a CRLF injection in the session writer with an encryption-skip triggered by a malformed cookie. The injection promotes a session to root (user=root, hasroot=1, tfa_verified=1), bypassing both password and 2FA gates. Roughly 1.5 million internet-exposed instances were vulnerable across all supported versions after 11.40. Exploitation has been observed since approximately February 23, 2026, making it a true zero-day for about two months before the April 28 emergency patch. At least 44,000 IPs were compromised, with the cPanelSniper proof-of-concept driving mass exploitation, Mirai botnet recruitment, and ".sorry" ransomware payloads. (Rapid7, CyberScoop, securityonline.info)

CVE-2026-20182: Cisco Catalyst SD-WAN Controller Authentication Bypass (CVSS 10.0)

A maximum-severity authentication bypass in the Catalyst SD-WAN Controller, exploited in zero-day attacks to gain administrative privileges on compromised devices. CISA added it to the KEV catalog on May 14, 2026. Organizations running affected controllers should apply Cisco's fixed releases immediately and audit for unauthorized administrative sessions. (BleepingComputer, CISA)

CVE-2026-21858 "Ni8mare": n8n Unauthenticated RCE (CVSS 10.0)

A content-type confusion flaw in the n8n Form Webhook handler that allows unauthenticated remote code execution, arbitrary file access, and authentication bypass on the popular AI workflow-automation platform. The formWebhook function fails to validate that the POST Content-Type is multipart/form-data. Discovered by Cyera Research Labs, it affects versions prior to 1.121.1 and impacts roughly 100,000 servers globally. A working proof-of-concept is public; no in-the-wild exploitation was confirmed at disclosure, but scanning traffic increased. A related second-order expression-injection flaw, CVE-2026-27493, can chain to RCE via crafted form data. Upgrade to 1.121.1 or later. (CSO Online, Orca Security, The Register)

CVE-2026-45498 "UnDefend" and CVE-2026-41091: Microsoft Defender (Exploited)

CVE-2026-45498 is a remotely triggerable denial-of-service requiring no credentials that crashes or destabilizes Microsoft Defender, creating a blind-spot window for ransomware deployment, data exfiltration, and lateral movement. CVE-2026-41091 is an elevation-of-privilege flaw. Both were added to CISA KEV on May 20, 2026, and are being exploited in the wild. (Malwarebytes, Carthage Electronics)

CVE-2026-0073: Android System Component RCE (Critical)

A critical remote code execution flaw in the Android System component affecting Android 14, 15, 16, and 16-QPR2. Exploitable by a proximal or adjacent attacker with no privileges and no user interaction. Apply the latest Android security bulletin patches as soon as carrier and OEM updates are available. (Carthage Electronics)

CVE-2026-34926 and CVE-2025-34291: Trend Micro Apex One and Langflow (KEV)

CVE-2026-34926 is a directory-traversal flaw in Trend Micro Apex One (On-Premise). CVE-2025-34291 is an origin-validation error in Langflow, an AI agent builder. Both were added to CISA KEV on May 21, 2026, based on evidence of active exploitation. The Langflow entry continues the 2026 pattern of AI tooling appearing directly in the exploited-vulnerabilities catalog. (CISA)

CVE-2026-35616: Fortinet FortiClient EMS Zero-Day

An actively exploited FortiClient EMS zero-day for which a full patch was still pending at disclosure, with only a hotfix available. Organizations should apply the hotfix, restrict management-interface exposure, and monitor for anomalous EMS activity. (CyberScoop)

AI Security Threats

The AI attack surface has moved decisively from theoretical to operational. Prompt injection remains the number-one AI risk, ranked LLM01 by OWASP, with documented attack success rates of 50 to 84 percent depending on system configuration and attempt count. No complete fix exists: even frontier models from Anthropic, OpenAI, and Google remain vulnerable after applying their best defenses, leaving defense in depth as the only viable strategy. (Vectra AI)

The MCP supply chain is the year's defining AI security story. Between January and April 2026, researchers disclosed more than 40 CVEs against Model Context Protocol implementations spanning the Python, TypeScript, Java, and Rust SDKs, ranging from trivial path traversals to a CVSS 9.6 RCE in a package downloaded nearly half a million times. In April 2026, Ox Security disclosed a systemic "by-design" flaw in Anthropic's official MCP SDKs that could expose more than 200,000 server instances across 200-plus dependent open-source projects and 150 million cumulative downloads, enabling arbitrary command execution and access to internal databases, API keys, and chat histories. February 2026 scanning identified over 8,000 MCP servers on the public internet, with Trend Micro independently finding 492 that had zero client authentication and zero traffic encryption. (SecurityWeek, The Hacker News, OX Security)

Agentic AI amplifies a single bad output into a multi-system compromise. Per the OWASP Top 10 for Agentic Applications 2026, what was once one manipulated response can now hijack an agent's planning loop, execute privileged tool calls, persist malicious instructions in memory, and propagate across connected systems. Help Net Security research on production agents that query telemetry and execute infrastructure changes identifies four operational attack vectors: prompt injection embedded in tickets or documentation, retrieval poisoning of runbooks and incident histories, retrieval jamming that floods knowledge bases to stall response, and telemetry manipulation that alters mitigation decisions. The danger is that these attacks resemble normal incident response gone wrong, defeating signature-based detection. The recommended architecture is a "propose-commit split" where agents draft changes but a non-bypassable gate enforces policy checks, human approval for high-impact actions, and integrity-protected audit logs. (Help Net Security, Christian Schneider)

Production exploitation is already documented. EchoLeak (CVE-2025-32711, CVSS 9.3) was the first real-world zero-click prompt-injection exploit in a production LLM system, allowing Microsoft 365 Copilot to silently exfiltrate enterprise data simply when a user opened a benign-looking email. The exploit chained an XPIA-classifier evasion, reference-style Markdown to bypass link redaction, auto-fetched images, and a CSP-allowed Microsoft Teams proxy. Critical AI-coding-tool CVEs have also landed in 2025 and 2026, including GitHub Copilot (CVSS 9.6), Cursor IDE (CVSS 9.8), and Microsoft Copilot (CVSS 9.3). (arXiv 2509.10540, Sentra, Cycode)

Readiness lags adoption sharply. Per the Cisco State of AI Security 2026 report, 83 percent of organizations plan to deploy agentic AI but only 29 percent feel ready to do so securely. Academic work continues to confirm there is no silver bullet: a systematic analysis of prompt injection on agentic coding assistants catalogs vulnerabilities across skills, tools, and protocol ecosystems, and design-pattern research concludes that architectural containment, not model-level filtering, is the durable mitigation. (Help Net Security, arXiv 2601.17548, arXiv 2506.08837)

KrypteiaSec note: The convergence of n8n (CVE-2026-21858), Langflow (CVE-2025-34291), and the MCP CVE wave validates the thesis that AI orchestration platforms are now first-class attack surfaces. MCP and agent security testing is exactly the niche where offensive AI assessment delivers the most defender value right now.

Threat Actor Activity

Chinese state-sponsored groups remain the dominant strategic threat. Salt Typhoon and Volt Typhoon represent the most serious confirmed penetration of US infrastructure by a foreign adversary in decades. CISA reporting indicates Salt Typhoon was detected on federal networks before the telecom intrusions, and a February 2026 supplementary advisory notes intensified Volt Typhoon activity in the water and communications sectors, characterized as pre-conflict positioning with new indicators of compromise. CISA is now advising critical infrastructure operators to prepare to operate in isolation for "weeks to months" during conflict. (CISA China Overview, CyberScoop, Cybersecurity Dive)

Iranian operations remain active and increasingly deceptive. Unit 42 tracked Screening Serpens deploying six new RAT variants between February and April 2026 during regional conflict, targeting entities across the US, Israel, the UAE, and additional Middle Eastern states. A separate Iran-linked MIS-affiliated MuddyWater intrusion posed as a Chaos ransomware member as a false-flag espionage cover. (Unit 42, Infosecurity Magazine)

AI is now embedded in adversary tradecraft. APT36 has used AI as a polymorphic malware assembly line, producing variants faster than signature-based detection can respond, and APT41 logged a 113 percent surge in operations correlated with US-China trade tensions. (Hive Security)

Actor Attribution May 2026 Activity Primary Targets
Salt Typhoon China Persistent backbone/telecom access, federal nets Telecom, government
Volt Typhoon China Intensified pre-positioning, new IOCs Water, communications
Screening Serpens Iran Six new RAT variants in regional conflict US, Israel, UAE, Mideast
MuddyWater Iran (MIS) False-flag espionage as fake ransomware crew Regional government
APT36 Pakistan AI-driven polymorphic malware production South Asia, government
APT41 China 113% operational surge Multi-sector espionage

Ransomware and Data Breaches

The Q1 2026 ransomware ecosystem consolidated sharply: the top 10 groups accounted for 71.1 percent of data-leak-site victims, the highest concentration since Q1 2024. LockBit 5.0 returned with confirmed victims after its post-disruption diversification, Cl0p surged its operational tempo past 1,189 primary incidents (United States at over 57 percent of volume), and the sudden RansomHub shutdown in April pushed affiliates to other groups within weeks. (Check Point Research, Check Point Blog, Ransom-DB)

Group Status (Q1-Q2 2026) Notable Detail
Cl0p Surging 1,189+ incidents, 57%+ US-targeted
LockBit 5.0 Returned New victims after law-enforcement hit
RansomHub Shut down April 2026 Affiliates migrated within weeks
ShinyHunters Active Claims 275M education records
Victim Threat / Group Records or Impact Source
Canvas education platform ShinyHunters 275M records, 8,809 institutions Malwarebytes
Heritage Bank Unauthorized access 182,793 individuals SharkStriker
Tampa Bay Dental Implants TridentLocker 6,400 patients, some SSNs SharkStriker
Ocean City Radio Cyberattack Permanent shutdown May 12 SharkStriker

Recommended Actions

Immediate (0 to 72 Hours)

  • Mitigate CVE-2026-42897 on all on-premises Exchange servers now. Confirm the Exchange Emergency Mitigation Service is enabled and the M2.1.x URL-rewrite mitigation is applied. Hunt for anomalous OWA JavaScript execution, suspicious mail rules, and session-token theft. (Microsoft)
  • Patch or isolate cPanel and WHM (CVE-2026-41940) immediately. Apply the post-April-28 fixed release, then assume compromise on any instance exposed since February: rotate all credentials and API tokens, inspect sessions for forged root entries, and scan for ".sorry" payloads and Mirai implants. (Rapid7)
  • Remediate all KEV additions from May 14 to May 27, 2026, prioritizing Cisco SD-WAN (CVE-2026-20182), Microsoft Defender (CVE-2026-45498, CVE-2026-41091), Trend Micro Apex One (CVE-2026-34926), and Langflow (CVE-2025-34291). (CISA KEV)
  • Upgrade n8n to 1.121.1 or later and remove any public exposure of Form and Webhook endpoints (CVE-2026-21858, CVE-2026-27493). (Orca Security)
  • Apply the FortiClient EMS hotfix (CVE-2026-35616) and restrict management-interface exposure. (CyberScoop)

Short-Term (1 to 4 Weeks)

  • Inventory every MCP server and AI agent integration. Remove unauthenticated and unencrypted MCP servers from public exposure, pin SDK versions to patched releases, and scope agent tokens to least privilege rather than broad personal-access tokens. (Trend Micro via DEV)
  • Implement a propose-commit split for any agent that can change infrastructure. Route every production-touching action through a non-bypassable gate with policy checks, human approval for high-impact changes, and integrity-protected audit logs. (Help Net Security)
  • Deploy defense in depth against prompt injection: input validation on all data sources, tool sandboxing with minimal privileges, output filtering, and goal-lock mechanisms. Treat model-level filtering as insufficient on its own. (Vectra AI)
  • Validate that Microsoft Defender DoS conditions do not blind your EDR. Add redundant telemetry and alert on Defender service crashes or restarts. (Malwarebytes)

Strategic (1 to 3 Months)

  • Treat AI orchestration platforms as production attack surfaces with dedicated threat modeling, red-team exercises, and adversarial evaluation before claiming autonomous operations are safe. (arXiv 2601.17548)
  • Plan for isolated operations. Per CISA guidance, critical infrastructure operators should build the capability to run essential functions for weeks to months without external connectivity given embedded Chinese state actors. (CyberScoop)
  • Compress detection and response to beat a 72-minute breakout time. Invest in identity-centric detection, automated containment, and tested incident-response runbooks resistant to retrieval poisoning. (Hive Security)
  • Adopt the OWASP Top 10 for Agentic Applications 2026 as a control baseline for all internal and customer-facing agent deployments. (Christian Schneider)

Sources