Krypteia Sec
Back to Threat Intel
TLP:CLEARCTI-2026-0531

Daily Threat Intelligence Brief - May 31, 2026

May 31, 202614 min read
ctivulnerabilitiesransomwareai-securityagentic-aithreat-actors

Daily Threat Intelligence Brief: May 31, 2026

Report ID: CTI-2026-0531 Classification: TLP:CLEAR Reporting period: Last 24 to 48 hours, with active-threat carryover where exploitation is ongoing.

Executive Summary

  • Cisco Catalyst SD-WAN is under live attack. CVE-2026-20182, a CVSS 10.0 authentication bypass in the SD-WAN Controller and Manager, is being exploited in the wild and sits on the CISA KEV catalog. A perfect-score, internet-facing infrastructure flaw is the single highest-priority item this cycle.
  • Microsoft Exchange on-prem has a patch-less zero-day. CVE-2026-42897, an actively exploited OWA cross-site scripting and spoofing bug, has no permanent fix. Microsoft shipped only an automatic mitigation, and the CISA KEV deadline for federal agencies was May 29, 2026.
  • AI and agentic tooling is now a primary RCE surface, not a research curiosity. Langflow (CVE-2026-33017) and n8n (CVE-2026-21858, CVSS 10.0) both allow unauthenticated full takeover, and researchers count 14 assigned CVEs and 30-plus RCE issues across the MCP ecosystem covering LiteLLM, LangChain, Flowise, Cursor, and Windsurf.
  • Prompt injection remains unsolved at the model layer. A joint OpenAI, Anthropic, and Google DeepMind study, "The Attacker Moves Second," found every published defense bypassed at success rates above 90 percent under adaptive attack. OWASP still ranks prompt injection LLM01.
  • ShinyHunters claims a record-class education breach. The group says it stole roughly 275 million records tied to students, teachers, and staff across 8,809 school districts, universities, and online platforms via Canvas and Instructure instances.
  • Iran-linked Nimbus Manticore expanded operations. The IRGC-tied group is hitting defense, aerospace, and telecom targets with the Minifast toolkit, reported May 26, 2026, while China-aligned Salt Typhoon retains persistent access to US House committee email.
  • Fortinet, Palo Alto, cPanel, and Dynamics 365 round out the critical-patch list. FortiClient EMS (CVE-2026-35616), PAN-OS (CVE-2026-0300), cPanel and WHM (CVE-2026-41940), and Dynamics 365 (CVE-2026-42898) all carry CVSS 9.1 or higher with active or mass exploitation.
  • Ransomware now rides 44 percent of confirmed breaches, up from 32 percent the prior year, a 37 percent year-over-year jump per industry reporting.

Critical Vulnerabilities

CVE-2026-20182: Cisco Catalyst SD-WAN Authentication Bypass

Field Detail
CVSS 10.0 (Critical)
Product Cisco Catalyst SD-WAN Controller and Manager
Status Actively exploited, on CISA KEV
KEV added May 14, 2026

An authentication bypass that lets an unauthenticated attacker reach controller and manager functions on internet-exposed SD-WAN infrastructure. Tenable links the ongoing activity to threat cluster UAT-8616. A CVSS 10.0 on edge networking gear with confirmed exploitation should be patched ahead of everything else. Source: Tenable, CISA.

CVE-2026-42897: Microsoft Exchange OWA Zero-Day

Field Detail
CVSS 8.1 (High)
Product Exchange Server 2016, 2019, Subscription Edition
Status Actively exploited, no permanent patch
KEV added May 15, 2026

A cross-site scripting and spoofing flaw in Outlook Web Access. An attacker sends a crafted email; if the victim opens it in OWA and interaction conditions are met, arbitrary JavaScript runs in the browser context. Microsoft confirmed active exploitation and shipped only an automatic mitigation through the Exchange EM Service. No permanent patch exists, and Exchange Online is not affected. Federal mitigation deadline was May 29, 2026. Source: The Hacker News, Microsoft, Dark Reading.

CVE-2026-41089: Windows Netlogon Wormable Buffer Overflow

Field Detail
CVSS 9.8 (Critical)
Product Windows Netlogon
Status Patched in May 2026 Patch Tuesday
Impact SYSTEM-level control of a domain controller

A wormable stack-based buffer overflow that hands an attacker SYSTEM on a domain controller. Wormable plus domain-controller-level access is the textbook precursor to enterprise-wide compromise. Microsoft shipped fixes for 137 CVEs this Patch Tuesday, 30 rated critical and 14 at CVSS 9.0 or higher. Source: Cloudswitched, INE.

CVE-2026-42898: Microsoft Dynamics 365 On-Prem

Field Detail
CVSS 9.9 (Critical)
Product On-premises Dynamics 365
Status Patched, prioritize for internet-facing instances

A near-maximum-severity flaw in on-prem Dynamics 365. Business-application exposure of this severity warrants emergency change windows. Source: Cloudswitched.

CVE-2026-0300: Palo Alto PAN-OS

Field Detail
CVSS 9.3 (Critical)
Product Palo Alto PAN-OS firewalls
Status Actively exploited in the wild

One of the most serious enterprise-infrastructure vulnerabilities disclosed in May 2026. Firewalls are the perimeter; an actively exploited PAN-OS flaw is a direct path into the protected network. Source: Carthage Electronics, INE.

CVE-2026-35616: Fortinet FortiClient EMS

Field Detail
CVSS 9.1 (Critical)
Product FortiClient EMS 7.4.5 through 7.4.6
Status Exploited zero-day, hotfix available, on CISA KEV

An improper access control flaw in the FortiClient EMS API that bypasses authentication and authorization to achieve code execution without credentials or user interaction. watchTowr sensors caught exploitation on March 31, 2026, before Fortinet's April 4 advisory; CISA added it to KEV April 6. Attackers are deploying the EKZ infostealer disguised as a fake Fortinet endpoint patch. Hotfix available pending the full 7.4.7 release. Source: watchTowr, Tenable, Security Affairs.

CVE-2026-41940: cPanel and WHM

Field Detail
CVSS 9.8 (Critical)
Product cPanel and WHM
Status Mass exploitation underway

A critical cPanel and WHM flaw with mass exploitation in progress. Shared-hosting control panels are high-value targets because one compromise can cascade across every tenant. Source: Carthage Electronics.

Additional KEV Additions This Cycle

CVE ID Product Type KEV Added
CVE-2026-41091 Microsoft Defender Elevation of privilege May 20, 2026
CVE-2026-45498 Microsoft Defender Denial of service May 20, 2026
CVE-2025-34291 Langflow Origin validation error May 21, 2026
CVE-2026-34926 Trend Micro Apex One Directory traversal May 21, 2026
CVE-2026-31431 Linux Local root access May 2026
CVE-2026-8398 Daemon Tools Lite Embedded malicious code May 27, 2026

Note the Microsoft Defender pair: a security product itself being exploited for privilege escalation and denial of service. Sources: CISA May 20, CISA May 21, CISA May 27, The Hacker News, Malwarebytes.

AI Security Threats

This is the fastest-moving section of the brief, and the trend is unambiguous: the AI tooling layer has become a first-class remote-code-execution surface, and the model layer itself still has no durable defense against prompt injection. Two distinct problem classes are converging.

Class 1: The Agentic and MCP Tooling Layer Is an RCE Minefield

The infrastructure people are wiring around LLMs, workflow builders, agent frameworks, and Model Context Protocol servers, is shipping with classic, pre-authentication remote code execution.

CVE-2026-33017: Langflow code injection to RCE. Affects all versions prior to 1.8.x and is listed in CISA KEV. It requires no authentication, no multi-step chain, and a single HTTP request to achieve full RCE on exposed servers. Attackers built working exploits and began hitting internet-facing instances roughly 20 hours after the advisory dropped. That window, advisory to mass exploitation in under a day, is the operational reality defenders now plan against. Source: SonicWall, Andri's Blog, securityonline.info.

CVE-2026-21858: n8n unauthenticated takeover. Rated CVSS 10.0. The formWebhook function used by n8n Form nodes fails to validate that the POST Content-Type is multipart/form-data, letting unauthenticated attackers take over local deployments, run commands on the host, and exfiltrate corporate data. Fixed in n8n 1.121.0 and later. Source: CSO Online, The Register.

MCP supply chain advisory: systemic, not isolated. OX Security and Cloud Security Alliance research describes the Model Context Protocol ecosystem as "execute first, validate never." The numbers tell the scale: over 150 million total downloads, roughly 7,000 publicly reachable servers, 14 CVEs already assigned, and more than 30 RCE issues across flagship products including LiteLLM, LangChain, Langflow, Flowise, Windsurf, Cursor, DocsGPT, and GPT Researcher. In several products the MCP server configuration interface is reachable without authentication, so a remote attacker can register a malicious STDIO server and trigger execution merely by initiating an agent session. One report puts roughly 200,000 Anthropic-MCP-pattern servers in an exposed posture. Source: OX Security, CSA Lab Space, flyingpenguin.

Class 2: Prompt Injection Is Still Unsolved, and Agents Amplify It

No model-layer fix exists. Prompt injection is ranked LLM01 by OWASP, with documented attack success rates of 50 to 84 percent depending on configuration and attempt count. The joint OpenAI, Anthropic, and Google DeepMind study "The Attacker Moves Second" found that under adaptive attack conditions, every single published defense was bypassed at success rates above 90 percent. Defense in depth, not a silver-bullet filter, is the only viable posture. Source: Vectra AI, arXiv: Prompt Injection 2.0.

Agentic AI turns one bad output into system-wide compromise. Per the OWASP Top 10 for Agentic Applications 2026, what used to be a single manipulated response can now hijack an agent's planning loop, execute privileged tool calls, persist malicious instructions in long-term memory, and propagate across connected systems. The attack surface extends past chat into RAG pipelines, multimodal inputs, and coding assistants, each a distinct injection vector that text-only defenses do not cover. Source: christian-schneider.net, elevateconsult.com, arXiv: Agentic Coding Assistants.

Coding assistants are confirmed production targets. Critical CVEs in Microsoft Copilot (CVSS 9.3), GitHub Copilot (CVSS 9.6), and Cursor IDE (CVSS 9.8) demonstrate active exploitation across 2025 and 2026, where injected content in a repo or prompt context coerces the assistant into attacker-chosen actions. Source: Vectra AI, Penligent.

KrypteiaSec assessment: the two classes compound. An attacker who injects an agent (Class 2) and lands inside an MCP-connected toolchain with unauthenticated RCE primitives (Class 1) gets prompt-to-shell with no traditional exploit. This is the core of the MCP and agent security testing niche, and it is exactly the surface organizations are deploying fastest and securing slowest.

Threat Actor Activity

Salt Typhoon (China-aligned)

Maintains deep, persistent access to US House committee staff email and personnel working national-security committees, with operations described as still ongoing in recent reporting. The pattern is classic espionage: quiet, long-dwell, intelligence-driven rather than disruptive. Source: CISA, CybelAngel.

Nimbus Manticore (Iran, IRGC-linked)

Reported May 26, 2026, attacking defense, aerospace, and telecom sectors using the Minifast malware toolkit. Separately, Iranian APT actors have targeted US critical infrastructure including water treatment and energy systems, interacting directly with SCADA and HMI control surfaces. Source: Industrial Cyber, NJCCIC.

Operational Trend: Speed and AI-Assisted Tradecraft

The fastest APT campaigns in 2026 move from initial access to data exfiltration in roughly 72 minutes. State-sponsored actors from China, Russia, Iran, and North Korea are using AI to accelerate reconnaissance, malware development, and social engineering, and nation-states increasingly outsource ransomware and disruption to criminal proxies for plausible deniability. Source: Hive Security, SecurityWeek, Trend Micro.

Ransomware and Data Breaches

Headline Incidents

Victim / Target Actor Impact Source
Canvas / Instructure (education) ShinyHunters Claims ~275M records across 8,809 institutions Malwarebytes
NVIDIA GeForce NOW partner (Armenia) ShinyHunters Names, emails, DOB, membership, 2FA status exposed SharkStriker
Ocean City Radio Undisclosed Forced shutdown May 12 due to attack costs SharkStriker
Advanced Psychiatry Associates Various Listed among victims disclosed May 29, 2026 SharkStriker
American Battery Factory Various Listed among victims disclosed May 29, 2026 SharkStriker

Additional victims surfaced on May 29 include AKM Enterprises, Alpine Aerotech, and Asopagos, attributed to multiple threat actors.

Ransomware Posture

Metric Value Source
Share of confirmed breaches involving ransomware 44 percent (up from 32 percent) CNIC Solutions
Year-over-year increase 37 percent CNIC Solutions
Dominant data-extortion actor this cycle ShinyHunters SharkStriker

The ShinyHunters pivot to pure data extortion at this volume confirms the broader shift: the leverage is the data and the leak threat, encryption is increasingly optional.

Recommended Actions

Immediate (Critical, act within 24 to 48 hours)

  1. Patch or isolate Cisco Catalyst SD-WAN against CVE-2026-20182. If immediate patching is not possible, restrict management-plane access to trusted networks only.
  2. Apply Microsoft's automatic mitigation for Exchange CVE-2026-42897, confirm the Exchange EM Service is enabled, and treat OWA as compromised-until-proven-clean given there is no permanent patch.
  3. Deploy the May Patch Tuesday rollup, prioritizing CVE-2026-41089 (Netlogon) on every domain controller and CVE-2026-42898 on internet-facing Dynamics 365.
  4. Apply the FortiClient EMS hotfix for CVE-2026-35616 and hunt for EKZ infostealer artifacts and any fake "Fortinet patch" payloads.
  5. Inventory and take offline any internet-exposed Langflow (CVE-2026-33017), n8n (CVE-2026-21858), or unauthenticated MCP servers until patched. Assume single-request RCE.

Short-Term (High, this week)

  1. Patch PAN-OS (CVE-2026-0300) and cPanel and WHM (CVE-2026-41940); verify no webshells were planted during the mass-exploitation window.
  2. Audit every MCP server and agent framework in the environment against the OX Security and CSA advisory: require authentication on configuration interfaces, disallow dynamic STDIO server registration, and constrain tool permissions to least privilege.
  3. Hunt for Salt Typhoon and Nimbus Manticore TTPs in email, defense-adjacent, and OT or SCADA environments. Review long-dwell access on privileged mailboxes.
  4. Clear the remaining KEV backlog: Microsoft Defender (CVE-2026-41091, CVE-2026-45498), Trend Micro Apex One (CVE-2026-34926), Langflow (CVE-2025-34291), and the Linux root flaw (CVE-2026-31431).

Strategic (Awareness and program-level)

  1. Treat the AI and agent tooling layer as production infrastructure with a full SDLC: authentication, network segmentation, secrets isolation, and runtime monitoring on every LLM, RAG, and MCP component.
  2. Adopt defense in depth for prompt injection. Given that every published defense was bypassed above 90 percent under adaptive attack, assume injection succeeds and contain blast radius through tool-permission scoping, human-in-the-loop on privileged actions, and output validation.
  3. Rehearse a data-extortion-only ransomware scenario. With ShinyHunters operating at hundreds of millions of records, exfiltration and leak threats, not encryption, are the dominant pressure. Validate detection on bulk data egress.
  4. Adversary speed is now sub-72-minutes to exfiltration. Measure and compress your own mean time to detect and respond accordingly.

Sources