
Hello all,
This week brought another round of fun updates from Microsoft, Adobe, SAP, and others with their Patch Tuesday releases. Immediately following Microsoft’s patch releases, a hacker whom I shall dub Dirtbag Eclipse released two new zero-day exploits, one of which I’ll cover in a bit more detail in a moment, along with a few other items that stood out to me. The unfortunate victims of this very public tantrum that Dirtbag Eclipse is having are the millions of Windows users who have been put into threat actors’ crosshairs via exploits that have no available patches.
There were lots of other exploits and vulnerabilities announced this past week, so make sure you read the full listing, checking for any that may apply to you or the systems you support. In addition to the spate of vulnerabilities that were publicly announced this past week, Pwn2Own Berlin 2026 is underway and has already produced a number of high-value zero-day exploits. Expect them to be announced within the next 90 days. In the meantime, let’s get to the headline news.
Headline NEWS:
- Cisco continues to stay in the weekly headline news, this time with a zero-day authentication bypass vulnerability in their Catalyst SD-WAN Controller. Cisco’s Security Advisory states, “This vulnerability exists because the peering authentication mechanism in an affected system is not working properly.” The vendor has released a patch and guidance to locate and mitigate any existing exploitation. CISA is urging immediate attention to this defect. Yeah, don’t wait on this one if you use Cisco’s SD-WAN.
- Exchange On-Prem from Microsoft has a zero-day defect that is under active exploitation. This vulnerability is trivial to exploit, requiring only that a user open a specially crafted email in Outlook Web Access (OWA). If you use any supported version of Exchange On-Premises, hopefully you left the Microsoft Emergency Mitigation Service active (it is on by default), since an emergency mitigation has been published. Articles that we’ve linked show how to check whether the mitigation has been applied and explain what Exchange functionality has been crippled in response to this new defect.
- Fortinet released FortiUpdates to fix security FortiIssues in FortiAuthenticator and FortiSandbox. The defects can enable an unauthenticated threat actor to execute unauthorized code, achieving remote code execution. They are not known to be under active exploitation, yet. So FortiPatch soon.
- Microsoft Patch Tuesday was this week. There were no zero-days patched, which is a nice respite. However, there were 120 or more patches and fixes in this cycle, so there is a lot that needs to be addressed. Get to vetting them quickly, since threat actors are certainly scanning the patches to see what was plugged and how.
- Microsoft zero-days in BitLocker and a privilege escalation involving CTFMON that can grant SYSTEM-level access were made public by Nightmare-Eclipse, or Chaotic Eclipse. I prefer the name Dirtbag Eclipse, since this individual’s very public feud has major knock-on effects for millions of Windows users worldwide. The BitLocker bypass is particularly troubling, because it means that any lost or stolen laptop could potentially require a breach notification rather than a simple loss statement: if whatever is on the laptop is easily accessible via now well-published instructions, the data must be considered compromised. Ouch. This one will hurt. Currently, the only mitigation is to add a BIOS password and a BitLocker PIN.
In Ransomware, Malware, and Vulnerabilities News:
- AI-caused breaches are covered by several articles in this week’s full listing. They describe how AI-enabled breaches resulted from human error, by people sharing the wrong information with a public AI. Now the organization must go through breach notification and potential lawsuits as a result. If your organization hasn’t implemented proper Governance, Regulation, and Compliance (GRC) policies around the use of AI, you may be too late already. But don’t let that stop you; immediately begin the needed process so that you don’t become a victim. If you need help, the company I work for – Integris – is ready and able.
In Other News Events of Note and Interest:
- Google has been busy this week with lots of announcements. The most significant is that their Android-powered Aluminum OS is coming, along with a new Googlebook to run it. A 16-minute leaked video that spills the beans on just about everything about it is linked in the full listing of articles.
Musings
I’ve got nothing snarky or too witty to say this week. We defenders have a lot to keep up with, and I applaud you all for your persistence, and your dedicated, tireless, severely underappreciated, often unlauded service. Well done! Keep plugging away, one defect, one compromise, one remediation at a time.

And keep the shields up!
Viscount Jan Broucinek
Red Dot Security News
Headline NEWS
- Cisco warns of new critical SD-WAN flaw exploited in zero-day attacks
- Addressing Exchange Server May 2026 vulnerability CVE-2026-42897
- On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
- Microsoft Confirms Active 0-Day Exploit—Check Emergency Mitigation Now
- Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator
- Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days
- Windows BitLocker 0-Day Vulnerability Enables Access to Encrypted Drives
Ransomware, Malware, and Vulnerabilities News
Good News, Government News, and Interesting
- New DFARS rule would expand FOCI requirements beyond classified contracts
- New cybersecurity industry coalition aims to lead US critical infrastructure protection
- Cyber-crime increasingly coming with threats of physical violence
- Police shut down reboot of Crimenetwork marketplace, arrest admin
- Romanian Man Faces Up to 30 Years in US Prison Over Vishing Scams
Vulnerabilities and Exploits
- cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor
- Linux 7.0.6 Released To Finish Mitigating the Dirty Frag Vulnerability
- Linux’s Latest Vulnerability Allows Reading Root-Owned Files By Unprivileged Users
- Palo Alto PAN-OS 0-Day Exploited to Execute Arbitrary Code With Root Privileges on Firewalls
- Chrome 148 update fixes 79 vulnerabilities, including 14 critical
- New GhostLock tool abuses Windows API to block file access
- 84 TanStack npm Packages Hacked in Ongoing Supply-Chain Attack Targeting CI Credentials
- SAP fixes critical vulnerabilities in Commerce Cloud and S/4HANA
- Critical PHP SOAP Extension Vulnerabilities Enables Remote Code Execution Attacks
- Six new dnsmasq vulnerabilities open the door to DNS cache poisoning, local root
- New BitUnlocker Downgrade Attack on Windows 11 Allows Access to Encrypted Disks in 5 Minutes
- Microsoft Teams Vulnerability Allows Hackers to Perform Spoofing Attacks
- Windows DNS Client Vulnerability Enables Remote Code Execution Attacks
- Zoom Rooms and Workplace Flaws Expose Users to Elevated Access Attacks
- Older Apple devices get new fixes for WebKit, Wi-Fi & kernel flaws
- Anthropic’s Mythos AI Reportedly Found macOS Vulnerabilities that could bypass Apple security
- Anthropic’s Mythos Found Bugs in Apple’s MacOS
- Apple just pushed dozens of critical security updates, going all the way back to 2015 iPhones
- Bleeding Llama: Critical Unauthenticated Memory Leak in Ollama
- Critical SandboxJS Escape Vulnerability Enables Host Takeover
- New critical Exim mailer flaw allows remote code execution
- 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE
- Kaspersky warns that passwords hashed with MD5 algorithm can be cracked in minutes using a GPU
- Critical PlayStation Network Security Issue Still Hasn’t Been Addressed, 6 Months After Initial Reporting
- High-Severity Vulnerability Patched in VMware Fusion
- Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin
- Disgruntled researcher releases two more Microsoft zero-days
- Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming
Phishing, Malware, and similar
- Fake OpenAI repository on Hugging Face pushes infostealer malware
- TrickMo Android banker adopts TON blockchain for covert comms
- Vidar Malware Targets Browser Credentials, Cookies, Crypto Wallets, and System Data
- ODINI Malware Uses CPU Magnetic Emissions to Breach Faraday-Shielded Air-Gapped Computers
- Over 500 Organizations Hit in Years-Long Phishing Campaign
- ClickFix campaign uses fake macOS utilities lures to deliver infostealers
- Official CheckMarx Jenkins package compromised with infostealer
- Inside the REMUS Infostealer: Session Theft, MaaS, and Rapid Evolution
- Meet Bluekit: The AI-Powered All-in-One Phishing Kit
- Hackers Abuse OAuth Device Authorization Flow to Steal Microsoft 365 Tokens
- Microsoft Exchange, Windows 11 hacked on second day of Pwn2Own
Breaches, Leaks, and Ransomware
- AI evaluation startup Braintrust confirms breach, tells every customer to rotate sensitive keys
- Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation
- US bank discloses security lapse after sharing customer data with AI app
- Canvas Developer Apologizes for Breach As Class-Action Lawsuits Pile Up
- Instructure Pays Ransom to Canvas Hackers
- Congress investigates Canvas breach after Instructure cuts deal with ShinyHunters
- Canvas Hackers ShinyHunters Say Their Official Domain Was Suspended
- FleetWave outage takes another turn. Chevin confirms crooks accessed customer data
- A DOD contractor’s API flaw exposed military course data and service member records
- Poland says hackers breached water treatment plants, and the US is facing the same threat
- A rigged game: ScarCruft compromises gaming platform in a supply-chain attack
- Zara data breach exposed personal information of 197,000 people
- Foxconn Ransomware Attack Shows Nothing Is Safe Forever
- Apple supplier Foxconn confirms ransomware attack affected North American factories
- Foxconn confirms cyberattack claimed by Nitrogen ransomware gang
- West Pharmaceutical Services hit by ransomware attack
- West Pharmaceutical says hackers stole data, encrypted systems
- 716,000 Impacted by OpenLoop Health Data Breach
- OpenAI says no user data stolen after supply-chain hackers accessed employee devices
- Hackers accessed BWH Hotels reservation system for months
- A hotel check-in system left a million passports and driver’s licenses open for anyone to see
- Sandworm Hackers Pivot From Compromised IT Systems Toward Critical OT Assets
- Hackers have breached tank readers at US gas stations; officials suspect Iran is responsible
Other News Events of Note and Interest
- Cool Tool: Fluent Cleaner, the sleek CCleaner alternative that actually feels native
- Cool Tool: RevPDF – Free Adobe Acrobat alternative for Windows
- Cool Tool: Autodesk’s free new tool offers an easy way in to 3D modelling
- Europe wants out from under US tech – but first it has to find the exits
- EU to crack down on TikTok, Instagram ‘addictive design’ hooking kids
- Dell PCs are running into constant BSOD reboot loops and Windows 11 isn’t the culprit
- iOS, macOS, and iPadOS 26.5 updates arrive with encrypted RCS messaging and more
- Google’s Android-powered laptops are called Googlebooks, and they’re coming this year
- Major leak reveals Google’s Aluminium OS with a 16-minute video
- Googlebook’s Magic Pointer is coming to Chrome, and you can try it right now
- DBase debased: Database titan fades to black after 47 years
- 73 Seconds to Breach, 24 Hours to Patch: The Case for Autonomous Validation
- Wi-Fi 8 is closer than you think. Here’s what you need to know
- Google Workspace Updates: Small businesses can now seamlessly import users from Microsoft to Google Workspace
- Google limiting 15GB of free storage, only 5GB by default now
- Google Introduces Cloud Fraud Defense as Successor to reCAPTCHA
- Signal threatens Canada exit over new law
- Windscribe joins Signal in threatening Canada exit over controversial surveillance bill
AI, LLMs, and Skynet
- Science fiction becomes reality: Unitree Robotics unveils world’s first production-ready manned mecha
- Figure humanoid robots organize room, hang clothes, and make bed without humans
- The newest AI boom pitch: Host a mini data center at your home
- The Main Path to Truly Creative AI
- Spotify Will Now Verify Non-AI Artists
- OpenAI to give EU access to new cyber model; Anthropic still holding out on Mythos
- Claude For Legal Launches, May Reshape the Legal Tech World
- Introducing Claude for Small Business
- Canada’s cybersecurity agency to get access to OpenAI’s latest model
- Google says hackers used AI to develop a major security flaw
- Google says it disrupted an AI-driven effort to exploit a software bug
- Bot Auto claims first fully driverless commercial truck run to Dallas
- AI Is Now Fighting AI In Cyberspace. And Humans May Be the Weakest Link
- Engineering roles shift from developing code to managing AI
Microsoft
- Defense at AI speed: Microsoft’s new multi-model agentic security system tops leading industry benchmark
- Windows 11 KB5089549 Patch Tuesday brings Xbox mode, File Explorer improvements, and more
- Windows 11 KB5089549 reportedly failing to install, slowing internet down on certain systems
- Windows 10 KB5087544 Patch Tuesday fixes Remote Desktop bug, brings Secure Boot change, more
- Windows 11’s File Explorer is finally fixing an annoying file size quirk
- Introducing Azure Container Apps Express!
- Windows Update is getting better at saving your PC from buggy drivers
- Microsoft fixes BitLocker recovery issue only for Windows 11 users
- Microsoft backpedals: Edge to stop loading passwords into memory
- Microsoft finally begins testing movable and resizable Taskbar on Windows 11, restoring key customization features many users missed
