Daily Threat Intelligence Brief

Report ID: CTI-2026-0601 Date: June 1, 2026 Classification: TLP:CLEAR Prepared by: Krypteia Security Threat Intelligence

Executive Summary

Microsoft Exchange OWA zero-day (CVE-2026-42897, CVSS 8.1) remains under active exploitation with no permanent patch. A single crafted email executes JavaScript inside an authenticated Outlook Web Access session, enabling session-token theft and mailbox impersonation. Microsoft shipped only an emergency mitigation on May 14; CISA mandated federal remediation by May 29.
PAN-OS GlobalProtect authentication bypass (CVE-2026-0257, CVSS 7.8) is being exploited in the wild. Reused cookie-signing certificates let unauthenticated attackers forge authentication-override cookies. CISA added it to the KEV catalog with a June 2026 federal deadline.
Cisco Catalyst SD-WAN Controller (CVE-2026-20182, CVSS 10.0) is under active exploitation by a sophisticated actor tracked as UAT-8616, granting unauthenticated admin access over DTLS UDP 12346.
Agentic AI frameworks crossed the line from content risk to code execution. Microsoft disclosed CVE-2026-25592 and CVE-2026-26030 in Semantic Kernel, turning prompt injection into host-level remote code execution. A broader cluster spans CrewAI, LangFlow, GPT Researcher, and LiteLLM.
No prompt-level defense holds. The joint OpenAI, Anthropic, and Google DeepMind paper "The Attacker Moves Second" found every published defense bypassed at success rates above 90 percent under adaptive attack.
ShinyHunters claims roughly 275 million education records from Canvas/Instructure instances spanning 8,809 institutions, one of the largest education-sector breaches on record.
Nation-state tempo is accelerating. The 2026 adversary breakout-time benchmark is 72 minutes, a fourfold reduction year over year. APT41 operations surged 113 percent; Iranian and Russian groups expanded espionage campaigns.
cPanel/WHM authentication bypass (CVE-2026-41940) was exploited since at least February 2026, roughly two months before patch, exposing an estimated 1.5 million internet-facing instances.

Critical Vulnerabilities

CVE-2026-42897: Microsoft Exchange Server OWA Zero-Day

CVSS: 8.1
Affected: Exchange Server 2016, 2019, and Subscription Edition (on-premises, all update levels). Exchange Online is not affected.
Type: Cross-site scripting in the Outlook Web Access component.
Impact: An attacker sends a crafted email. When the recipient opens it in OWA, arbitrary JavaScript executes inside their authenticated browser session, enabling session-token theft, mailbox impersonation, and inbox-rule manipulation. The attacker never touches the server directly.
Status: Actively exploited. No permanent patch exists. Microsoft deployed an emergency mitigation (M2.1.x) via the Exchange Emergency Mitigation Service on May 14, 2026. CISA added the flaw to KEV on May 15 with a federal remediation deadline of May 29.
Note: The URL-rewrite mitigation breaks inline images in the OWA reading pane and disrupts the "Print Calendar" feature. Air-gapped environments must run the Exchange On-premises Mitigation Tool manually.
Sources: NVD, SecurityWeek, Microsoft Community Hub

CVE-2026-20182: Cisco Catalyst SD-WAN Controller Authentication Bypass

CVSS: 10.0
Affected: Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage).
Type: Authentication bypass in the peering authentication mechanism (vdaemon service over DTLS, UDP port 12346).
Impact: An unauthenticated remote attacker sends crafted requests to log in as a high-privileged internal account, then weaponizes NETCONF access to manipulate the entire SD-WAN fabric configuration.
Status: Actively exploited in the wild, clustered under threat actor UAT-8616. Discovered by Rapid7. CISA added it to KEV with a federal deadline of May 17, 2026. It echoes the earlier CVE-2026-20127 (CVSS 10.0) in the same component.
Action: Upgrade to a fixed Cisco release immediately.
Sources: Cisco Advisory, Rapid7, Talos

CVE-2026-0257: PAN-OS GlobalProtect Authentication Bypass

CVSS: 7.8
Affected: PAN-OS firewalls with a GlobalProtect portal or gateway configured, authentication-override cookies enabled, and a shared certificate configuration.
Type: Authentication bypass via certificate reuse.
Impact: When the certificate used to encrypt and decrypt authentication-override cookies is shared with another feature (such as the portal or gateway HTTPS service), a remote unauthenticated attacker can recover the public key, forge arbitrary override cookies, and bypass authentication to establish unauthorized VPN sessions.
Status: Actively exploited. Rapid7 MDR observed exploitation against devices with the Cloud Authentication Service disabled and override cookies enabled. CISA added it to KEV with a federal remediation deadline in June 2026.
Mitigation: Generate a dedicated certificate solely for authentication-override cookies, or disable the Authentication Override options in GlobalProtect.
Sources: Palo Alto Networks, Rapid7, The Hacker News

CVE-2026-41940: cPanel and WHM Authentication Bypass

Affected: cPanel and WebHost Manager.
Impact: Critical authentication bypass. Exploited in the wild since at least February 2026, roughly two months before the patch released. An estimated 1.5 million internet-accessible cPanel instances were potentially exposed.
Status: Actively exploited; patch available.
Sources: Carthage Electronics Zero-Day Report

CVE-2026-2441: Google Chrome Zero-Day RCE

Affected: Google Chrome / Chromium.
Impact: Actively exploited zero-day enabling remote code execution.
Status: Patched. Update Chrome immediately and confirm the build version.
Sources: Orca Security

Additional KEV Additions (May 2026)

CVE	Product	Type	Notes
CVE-2026-31431	Linux	Local root access	Actively exploited, added to KEV
CVE-2026-6973	Ivanti Endpoint Mgr Mobile	Improper input validation	Added early May
CVE-2026-34926	Trend Micro Apex One	Directory traversal	Added to KEV
CVE-2025-34291	Langflow	Origin validation error	Added to KEV
CVE-2026-41091	Microsoft Defender	Elevation of privilege	Added to KEV
CVE-2026-45498	Microsoft Defender	Denial of service	Added to KEV

Sources: CISA KEV Catalog, CISA Alert 2026-05-20, The Hacker News on CVE-2026-31431

AI Security Threats

The defining story of the period: agentic AI frameworks have moved prompt injection from a content-safety nuisance to an unauthenticated remote-code-execution primitive. Once a model is wired to tools with file-system and process access, a malicious instruction embedded in untrusted content is functionally equivalent to a shell command.

Semantic Kernel: Prompt Injection to Host RCE (CVE-2026-25592, CVE-2026-26030)

On May 7, 2026, Microsoft disclosed two critical vulnerabilities in its Semantic Kernel agent framework. A single crafted prompt was sufficient to launch a process (calc.exe) on the host running the agent, with no browser exploit, no malicious attachment, and no memory-corruption bug.

CVE-2026-26030: Affects Python Semantic Kernel versions before 1.39.4. A malicious prompt manipulated tool parameters and altered the filter string. Despite AST validation and blocklists, attackers bypassed the controls using Python class-hierarchy traversal to dynamically load the os module and execute system commands.
CVE-2026-25592: Affects the .NET SDK before version 1.71.0.
Primary recommendation: Upgrade both SDKs immediately. Treat any tool wired to an agent as an execution boundary, not a convenience.
Source: Microsoft Security Blog, PointGuard AI

The Framework RCE Cluster

The Semantic Kernel disclosures are part of a wider Q1 to Q2 2026 wave. Researchers documented four CVEs in CrewAI and a systemic MCP STDIO command-injection class spanning LangFlow, GPT Researcher, and LiteLLM. The shared root cause: AI agent frameworks shipping with unsafe defaults that convert prompt injection into a direct, unauthenticated shell on the host. A parallel vm2 sandbox-escape wave turned JavaScript-based agents into host RCE vectors.

Source: Lyrie Research, Kodem on vm2

Defenses Do Not Hold Under Adaptive Attack

The joint study "The Attacker Moves Second" (Nasr et al., OpenAI, Anthropic, and Google DeepMind) found that under adaptive attack, every published prompt-injection defense was bypassed at success rates above 90 percent. No instruction-level safeguard, including variants of "ignore any instructions in external content," is a reliable control. The International AI Safety Report 2026 reinforced this: sophisticated attackers bypass the best-defended models roughly 50 percent of the time with just 10 attempts.

Source: Simon Willison analysis

OWASP Top 10 for Agentic Applications 2026

What was once a single manipulated output can now hijack an agent's planning loop, execute privileged tool calls, persist malicious instructions in memory, and propagate across connected systems. Agents act as nonhuman identities with real privileges, creating an ideal substrate for the classic confused-deputy attack: an authorized program tricked into misusing its access. This is especially dangerous where LLMs query telemetry and then execute configuration changes against live infrastructure.

Source: Help Net Security, OWASP LLM Top 10 2026 overview

Krypteia Assessment

The pattern is structural, not incidental. Tool-calling agents collapse the boundary between data and code. Defenders cannot prompt their way out of this. The only durable controls are architectural: tool sandboxing with least privilege, deterministic input validation at every data source, goal-lock mechanisms, and human-in-the-loop approval gates on high-impact actions. Treat every agent's tool registry as your real attack surface.

Threat Actor Activity

The 2026 benchmark for adversary breakout time, from initial foothold to active exfiltration, is 72 minutes: a fourfold reduction from prior-year averages. Detection-and-response windows are shrinking faster than most SOCs can adapt.

Chinese Operations

APT41 recorded a 113 percent surge in operations, the largest single-quarter increase documented for any nation-state actor, correlating with U.S.-China trade tensions. Targets include trade-policy officials, academic economists, and think tanks.
Salt Typhoon breaches of Congress confirmed deep, persistent access by China-aligned actors into U.S. communications systems.
A new China-aligned APT has been observed striking with precision and persistence against U.S. public-sector targets.

Iranian Operations

Screening Serpens deployed six new remote-access Trojan variants between February and April 2026 during regional conflict, hitting targets across the U.S., Israel, the UAE, and additional Middle Eastern entities.
An Iran-linked group posed as a member of the Chaos ransomware crew as cover for an espionage campaign, and MuddyWater (tied to the Iranian Ministry of Intelligence and Security) ran a false-flag operation in early 2026.

Russian Operations

APT28 exploited CVE-2026-21509 in Microsoft Office via malicious DOC files, targeting Ukrainian government ministries.

Sources: Unit 42 on Screening Serpens, Dark Reading on new China APT, CybelAngel on Chinese APTs, Trend Micro Q1 2026

Ransomware and Data Breaches

Incident	Threat Actor	Scope and Impact	Status
Canvas / Instructure	ShinyHunters	Claims ~275M records across 8,809 school districts, universities, and platforms	Claimed
NVIDIA GeForce NOW Alliance	ShinyHunters	Armenia partner breached; user DB with names, emails, DOB, 2FA status, roles	Confirmed
Ocean City Radio	Undisclosed	Financial losses from attack forced shutdown on May 12, 2026	Confirmed

Sector Trends

Ransomware was present in 44 percent of confirmed breaches in 2025, up from 32 percent, a 37 percent year-over-year increase. By attack volume, manufacturing leads at 14 percent of global incidents, followed by technology at 9 percent and retail/wholesale at 7 percent. The Canvas/Instructure incident stands out for scale, with per-institution record counts ranging from tens of thousands to several million.

Sources: SharkStriker May 2026 Breaches, Malwarebytes on education breach, Ransomware Statistics 2026

Recommended Actions

Immediate (0 to 48 hours)

Exchange (CVE-2026-42897): Confirm the Exchange Emergency Mitigation Service is enabled and M2.1.x is applied. For disconnected environments, run the latest Exchange On-premises Mitigation Tool manually. Hunt for anomalous OWA sessions, new inbox rules, and unexpected mailbox-delegation changes.
Cisco SD-WAN (CVE-2026-20182): Upgrade Catalyst SD-WAN Controller and Manager to a fixed release now. Audit NETCONF activity and admin logins. Restrict DTLS UDP 12346 exposure.
PAN-OS (CVE-2026-0257): Issue a dedicated certificate for authentication-override cookies or disable Authentication Override. Review GlobalProtect session logs for forged-cookie indicators.
Chrome (CVE-2026-2441): Force-update browsers across the fleet and verify the patched build.
Semantic Kernel (CVE-2026-25592, CVE-2026-26030): Upgrade Python to 1.39.4 or later and .NET to 1.71.0 or later. Inventory any agent wired to tools with shell or file-system access.

Short-Term (1 to 4 weeks)

Patch all current KEV entries against your asset inventory, prioritizing internet-facing edge devices (cPanel, Ivanti EPMM, Trend Micro Apex One).
Audit agentic AI deployments: enforce tool sandboxing with least privilege, deterministic input validation on all data sources, and human approval gates for high-impact tool calls.
Block or sandbox MCP STDIO command paths in LangFlow, GPT Researcher, LiteLLM, and CrewAI deployments. Treat the tool registry as the primary attack surface.
Tighten phishing defenses against crafted-document and crafted-email vectors used by APT28 and the Exchange XSS chain.

Strategic (1 to 3 months)

Adopt an architecture-first stance on prompt injection. Assume no instruction-level defense holds under adaptive attack; design for containment, not prevention.
Reduce breakout-time exposure: target detection and response well inside the 72-minute benchmark with automated containment for edge-device compromise.
Build a nonhuman-identity governance program covering AI agents as privileged actors, including credential scoping, audit logging, and revocation.
Run adversarial testing (red-team prompt injection and agent abuse) against any production AI system before granting it tool access to sensitive resources.