CISA Issues KEV Alerts for Actively Exploited Zero-Days in Microsoft Exchange and Cisco SD-WAN

Instructure, the company behind Canvas LMS, has confirmed it paid a ransom to the ShinyHunters hacking group. This payment was made after the group threatened to publicly release 3.5 TB of stolen data affecting 275 million users. Instructure stated an 'agreement' was reached to ensure data deletion, a decision that has reignited the contentious debate over the ethics and efficacy of paying ransoms to cybercriminals. The original breach involved 3.65 TB of data, including names, emails, and private messages, and caused widespread disruption during final exams.

OpenAI has confirmed that two of its employee devices were compromised as a result of the 'Shai-Hulud' supply chain attack. Attackers stole credentials and secrets, gaining limited access to internal source code repositories. OpenAI states no user data or production systems were affected, but the incident highlights the pervasive risk. Furthermore, the source code for the 'Shai-Hulud' worm has reportedly been leaked, significantly escalating the threat by enabling less skilled actors to launch copycat attacks and broaden the campaign's impact.

The new article, dated May 17, 2026, reinforces the critical need for immediate patching of CVE-2026-44413 in JetBrains TeamCity. It significantly expands on the potential impact, detailing how a compromise could lead to devastating supply chain attacks, similar to SolarWinds, by enabling attackers to steal source code (T1213), inject malicious code (T1195.002), and steal credentials (T1552). It also provides enhanced detection methods, including reviewing audit and web server logs, and monitoring build agents. Additional remediation steps are advised, such as restricting server access, regularly auditing user permissions, and securing build scripts, emphasizing Network Isolation (D3-NI).

The new article clarifies Daybreak's 'Public Accessibility' for vulnerability scanning requests, allowing organizations to request scans. It also reframes the competitive landscape, mentioning Anthropic's 'Mythos' project. Furthermore, it provides a deeper analysis of the 'AI arms race' dynamic, emphasizing the 'shift left' approach in DevSecOps, and discusses potential risks such as over-reliance on AI-generated patches and attackers studying defensive AI models.

Further analysis of the 'Fragnesia' (CVE-2026-46300) Linux kernel vulnerability reveals a detailed attack flow involving initial access, triggering the flaw in the XFRM subsystem, heap manipulation, and page-cache corruption to achieve root privileges. The expanded impact assessment highlights critical risks for containerized environments, where it could lead to container escapes, and for cloud infrastructure, undermining tenant separation. Major Linux distributions are now actively rolling out emergency patches, urging immediate application. The flaw is noted as part of a series of similar kernel bugs, including 'Dirty Frag' and 'CopyFail', emphasizing ongoing challenges in kernel memory management. Detection methods include EDR and monitoring for anomalous syscalls, with remediation focused on immediate patching or live patching.

This update provides more specific hunting hints for the GreenPlasma privilege escalation vulnerability, including monitoring for Windows Security Event ID 4673 and suspicious cmd.exe or powershell.exe processes spawning with SYSTEM privileges, often preceded by whoami /priv commands. For YellowKey, the analysis clarifies that the BitLocker bypass is reported to work even when a Trusted Platform Module (TPM) is in use, undermining TPM-based key protection. Mitigation strategies are further detailed with references to D3FEND techniques like Physical Security and Executable Allowlisting.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) Catalog on May 15, 2026. This inclusion mandates U.S. federal agencies to apply Microsoft's mitigations by a specified deadline, underscoring the heightened urgency and confirmed widespread exploitation of the zero-day. The vulnerability, a stored Cross-Site Scripting (XSS) flaw in Outlook Web Access (OWA), is exploited when a user opens a specially crafted email containing a malicious JavaScript payload. This allows attackers to execute arbitrary code in the victim's browser, potentially leading to session hijacking, credential theft, and lateral movement within the network. Microsoft continues to work on a permanent patch.

New intelligence reveals the critical Cisco SD-WAN vulnerability (CVE-2026-20182) is a zero-day actively exploited by the sophisticated threat actor UAT-8616, as identified by Cisco Talos. Furthermore, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this CVE to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion mandates that all federal agencies patch affected systems by May 17, 2026, underscoring the extreme urgency and heightened risk associated with this flaw. This development significantly increases the perceived severity and required response for all organizations.