Top Cyber Security Vulnerabilities – May 2026 Roundup


May 2026 was defined by two parallel stories running at the same time: a historically clean Microsoft Patch Tuesday, the first with no actively exploited zero-days since June 2024, sitting alongside a wave of critical vulnerabilities in network edge devices, endpoint security platforms, and web hosting infrastructure that were already being abused before most defenders had a chance to respond. The month’s disclosures hit authentication systems hard, with perimeter devices from Cisco and Palo Alto Networks, web hosting control panels, and Fortinet’s endpoint management infrastructure all falling to auth bypass flaws that required no valid credentials. Meanwhile, the Linux kernel’s “Copy Fail” vulnerability and a pair of actively exploited Microsoft Defender flaws reminded security teams that post-authentication privilege escalation is as immediate a threat as gaining initial access. For organizations trying to reduce their attack surface, May was not a month for routine patching cadences; it was a month for emergency decisions.


Cisco Catalyst SD-WAN Controller Authentication Bypass (CVE-2026-20182)

Overview

Cisco Catalyst SD-WAN Controller and Manager serve as the central control plane for enterprise SD-WAN fabric deployments, managing route advertisements, transport locations, and peer authentication across all connected sites. The flaw exists in the vdaemon service’s DTLS-based control-connection handshake on UDP port 12346, where device-type-specific certificate verification is skipped when a connecting peer claims to be a vHub device, despite the code path marking the peer as fully authenticated. An unauthenticated remote attacker can exploit this by sending a crafted DTLS handshake sequence to become a trusted control-plane peer, then use that access to inject SSH public keys, manipulate NETCONF configuration, and push changes across the entire SD-WAN overlay. A successful compromise of the controller effectively hands an attacker administrative control over every site and policy in the network fabric.

Severity and Score

Critical | CVSS 10.0

Type

Improper Authentication (CWE-287)

Disclosure

May 14, 2026; included in the CISA Known Exploited Vulnerabilities catalog

Exploitation Status

Actively exploited. Cisco Talos attributes the observed activity with high confidence to the threat cluster it tracks as UAT-8616, noting that post-compromise behaviors included SSH key injection, NETCONF configuration manipulation, malicious account creation, and log clearing, with some campaigns chaining access to older vulnerabilities to achieve root. A Metasploit module is publicly available, and Rapid7 Labs discovered the flaw while researching an earlier SD-WAN exploitation campaign, meaning the research community’s knowledge of this attack surface is already mature.

Mitigation Strategies

Upgrade to fixed releases: 20.9.9.1 for the 20.9 train, 20.12.5.4 or later, 20.15.4.4 or later, 20.18.2.2 for 20.18, and 26.1.1.1 for 26.1. Cisco explicitly states there are no workarounds; only patching addresses the vulnerability. Organizations on end-of-maintenance software branches should plan a supported migration rather than expect a hotfix. Inspect SD-WAN peering and authentication logs immediately for signs of unauthorized peer establishment or SSH key modifications.
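The fixed releases above are per-train minimums, so a fleet check has to match each controller to its software train and compare builds numerically rather than as strings. The following is an added example (not Cisco tooling) that performs that triage over a constructed inventory; the assumption that each listed build is a lower bound within its train is stated in the code.

```python
"""Triage Cisco Catalyst SD-WAN Controller/Manager versions against the fixed
releases listed for CVE-2026-20182.  Added example, not a Cisco tool."""

# Lowest fixed release per software train, from the advisory summary above.
# Assumption: each entry is a lower bound, i.e. that build or any later build
# in the same train is fixed.
FIXED_BY_TRAIN = {
    (20, 9): (20, 9, 9, 1),
    (20, 12): (20, 12, 5, 4),
    (20, 15): (20, 15, 4, 4),
    (20, 18): (20, 18, 2, 2),
    (26, 1): (26, 1, 1, 1),
}


def parse_version(text: str) -> tuple:
    """'20.12.5.4' -> (20, 12, 5, 4).  Integer tuples compare correctly;
    string comparison would rank '20.15.4.10' below '20.15.4.4'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unparseable version: {text!r}")
    return parts


def _padded(v: tuple, width: int) -> tuple:
    # Treat missing trailing components as zero: 20.9.9 == 20.9.9.0
    return v + (0,) * (width - len(v))


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unsupported-train' for one version."""
    v = parse_version(version)
    fixed = FIXED_BY_TRAIN.get(v[:2])
    if fixed is None:
        # No fixed release listed for this train: plan a supported migration.
        return "unsupported-train"
    width = max(len(v), len(fixed))
    return "fixed" if _padded(v, width) >= _padded(fixed, width) else "vulnerable"


def triage(inventory: dict) -> dict:
    """inventory maps controller name -> running version; returns name -> status."""
    return {name: assess(ver) for name, ver in inventory.items()}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = {
    "vmanage-hq": "20.12.5.3",
    "vsmart-1": "20.12.5.4",
    "vsmart-2": "20.15.4.10",
    "vbond-legacy": "20.6.5",
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:14} {status}")
```

A "fixed" result only means the build is at or above the listed release; the log inspection above still applies to any controller that was exposed before patching.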

Palo Alto Networks PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257)

Overview

PAN-OS GlobalProtect portal and gateway deployments use an optional “authentication override” feature that issues session cookies to authenticated users, eliminating the need to re-authenticate each session. The vulnerability arises when the certificate used to encrypt and decrypt those authentication override cookies is shared with another feature, such as the HTTPS service of the portal or gateway, allowing an attacker to forge valid authentication override cookies without possessing credentials. An unauthenticated remote attacker can exploit this to establish an unauthorized VPN connection, gaining access to internal network resources the same way a legitimately authenticated user would. Despite a medium CVSSv4 score, Rapid7 observed confirmed exploitation against multiple customers beginning May 17 with a second wave on May 21, consistent with the same threat actor operating from a hosting provider.

Severity and Score

High | CVSS 7.8

Type

Authentication Bypass (CWE-287)

Disclosure

May 13, 2026; included in the CISA Known Exploited Vulnerabilities catalog on May 29, 2026

Exploitation Status

Actively exploited. Rapid7 MDR confirmed exploitation across multiple customers, observing VPN IP assignment following the forged cookie authentication, granting attackers access to internal networks. A public proof-of-concept script is available. CISA required federal civilian agencies to mitigate by June 1, 2026.

Mitigation Strategies

Apply the PAN-OS update from May 2026 immediately. As a configuration-level mitigation, either disable the authentication override feature on GlobalProtect portals and gateways, or generate a new certificate used exclusively for authentication override, separate from the certificate used by any other feature. Review GlobalProtect access logs for authentication events originating from unexpected IP ranges or hosting providers and cross-reference against authentication override cookie usage.
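To find portals and gateways that still meet the precondition described above, the following added example (not Palo Alto Networks code) audits certificate bindings for a cookie certificate that is also bound to another feature. The record layout, device names and certificate names are hypothetical and constructed for the example; they are not PAN-OS's configuration schema.

```python
"""Audit GlobalProtect portals and gateways for the CVE-2026-0257 precondition:
the certificate protecting authentication override cookies is also used by
another feature, such as the portal or gateway HTTPS service.  Added example;
the record layout is a hypothetical export, not PAN-OS's configuration schema."""

AUTH_OVERRIDE = "auth-override-cookie"

# Constructed sample bindings: (portal/gateway name, feature, certificate name).
SAMPLE_BINDINGS = [
    ("gp-portal-01", "https-service", "gp-portal-cert"),
    ("gp-portal-01", AUTH_OVERRIDE, "gp-portal-cert"),      # same cert: vulnerable
    ("gp-gateway-01", "https-service", "gp-gateway-cert"),
    ("gp-gateway-01", AUTH_OVERRIDE, "gp-cookie-cert"),     # dedicated cookie cert
    ("gp-gateway-02", "https-service", "gp-gateway-cert"),  # override not enabled
    ("gp-gateway-03", "https-service", "gp-gateway-cert"),
    ("gp-gateway-03", AUTH_OVERRIDE, "gp-cookie-cert"),     # cookie cert reused only
                                                            # by other override bindings
]


def shared_certificates(bindings) -> set:
    """Certificates bound to auth override AND to some other feature anywhere
    in the fleet.  One cookie certificate appearing on several devices for auth
    override alone is not the flaw; reuse by a different feature is."""
    override = {cert for _, feat, cert in bindings if feat == AUTH_OVERRIDE}
    other = {cert for _, feat, cert in bindings if feat != AUTH_OVERRIDE}
    return override & other


def audit(bindings) -> dict:
    """Map each device to 'shared-certificate', 'dedicated-certificate' or
    'auth-override-disabled' (the last two are the acceptable end states)."""
    shared = shared_certificates(bindings)
    findings = {}
    for device, feature, cert in bindings:
        if feature != AUTH_OVERRIDE:
            # Only counts as disabled if no override binding is seen for the device.
            findings.setdefault(device, "auth-override-disabled")
        else:
            findings[device] = ("shared-certificate" if cert in shared
                                else "dedicated-certificate")
    return findings


if __name__ == "__main__":
    for device, finding in sorted(audit(SAMPLE_BINDINGS).items()):
        print(f"{device:14} {finding}")
```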

Linux Kernel “Copy Fail” Privilege Escalation (CVE-2026-31431)

Overview

The Linux kernel’s algif_aead module, part of the AF_ALG userspace cryptographic API interface, contains a logic flaw introduced in 2017 through an in-place optimization that allows controlled 4-byte writes into the kernel’s page cache. By abusing the interaction between the AF_ALG socket interface and the splice() system call, any unprivileged local user can corrupt the in-memory representation of a privileged binary, such as /usr/bin/su, without modifying the file on disk. Because the modification lives only in the page cache, standard disk forensics tools do not detect it, and the exploit is deterministic, running reliably in a 732-byte Python script without any race conditions or distribution-specific offsets. In container environments, the vulnerability also enables container escape, as the page cache is shared between containers and the host, a particularly severe risk in cloud, CI/CD, and Kubernetes deployments where untrusted code execution is routine.

Severity and Score

High | CVSS 7.8

Type

Incorrect Resource Transfer Between Spheres (CWE-706)

Disclosure

April 29, 2026; included in the CISA Known Exploited Vulnerabilities catalog on May 4, 2026

Exploitation Status

Actively exploited. CISA added Copy Fail to its KEV catalog and ordered federal agencies to remediate by May 15, 2026. The exploit is publicly available, reliable, deterministic, and leaves no forensic trace on disk, a combination that makes detection of past exploitation particularly difficult in environments that have not yet applied kernel patches.

Mitigation Strategies

Apply the patched kernel package for your distribution as the highest priority action. Patches are available for Debian, Ubuntu, AlmaLinux, SUSE, Fedora, and CloudLinux; RHEL patches were also released during May. As an interim mitigation pending kernel patching, disable the algif_aead module with echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf followed by rmmod algif_aead. This does not affect dm-crypt/LUKS, IPsec, OpenSSL, GnuTLS, or SSH. Prioritize Kubernetes nodes, CI/CD runners, and any environment where untrusted code executes.
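An added example (not from the page's sources) that verifies the interim mitigation is actually in effect on a host: it parses modprobe.d text for an effective install directive, which matters because a plain blacklist line does not stop the module being loaded by name, and checks /proc/modules content for a still-loaded module that needs the rmmod step. Both inputs are constructed samples read from strings.

```python
"""Check the interim Copy Fail (CVE-2026-31431) mitigation: algif_aead must be
blocked by an 'install' line in modprobe.d and must not be loaded.  Added
example; the config text and /proc/modules lines are constructed samples read
from strings, so the check runs anywhere."""

MODULE = "algif_aead"


def _norm(name: str) -> str:
    return name.replace("-", "_")  # modprobe treats '-' and '_' as equivalent


def _logical_lines(conf_text: str):
    """modprobe.d lines with '#' comments dropped and '\\' continuations joined."""
    pending = ""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        full, pending = (pending + line).strip(), ""
        if full:
            yield full


def modprobe_policy(conf_text: str, module: str = MODULE) -> str:
    """'install-blocked': install <module> /bin/false (or /bin/true) replaces
    every load attempt, including the kernel's own autoload on AF_ALG use.
    'blacklisted': only suppresses the module's aliases; a load by name still
    succeeds, so it is not sufficient here.  'install-custom': an install line
    running something else; review it.  'allowed': no directive at all.
    Assumption: the first matching install line is the effective one."""
    policy = "allowed"
    for line in _logical_lines(conf_text):
        tokens = line.split()
        if len(tokens) < 2 or _norm(tokens[1]) != _norm(module):
            continue
        if tokens[0] == "install":
            cmd = " ".join(tokens[2:])
            return "install-blocked" if cmd in ("/bin/false", "/bin/true") else "install-custom"
        if tokens[0] == "blacklist":
            policy = "blacklisted"
    return policy


def loaded_modules(proc_modules_text: str) -> set:
    """Module names are the first field of each /proc/modules line."""
    return {ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()}


def mitigation_status(conf_text: str, proc_modules_text: str) -> dict:
    policy = modprobe_policy(conf_text)
    loaded = MODULE in loaded_modules(proc_modules_text)
    return {"policy": policy, "loaded": loaded,
            "mitigated": policy == "install-blocked" and not loaded}


# Constructed samples (what disable-algif.conf and /proc/modules might hold).
SAMPLE_CONF = "# constructed\nblacklist pcspkr\ninstall algif_aead /bin/false\n"
SAMPLE_PROC_MODULES = ("algif_hash 16384 0 - Live 0x0000000000000000\n"
                       "af_alg 32768 1 algif_hash, Live 0x0000000000000000\n")

if __name__ == "__main__":
    print(mitigation_status(SAMPLE_CONF, SAMPLE_PROC_MODULES))
```

On a real host, feed it the concatenated contents of /etc/modprobe.d/*.conf and /proc/modules; a result with "loaded": True means the rmmod step from the mitigation above is still outstanding.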

cPanel & WHM Authentication Bypass (CVE-2026-41940)

Overview

cPanel & WHM is the dominant web hosting control panel across shared hosting environments, with approximately 1.5 million internet-exposed instances visible via Shodan at the time of disclosure. The vulnerability chains a CRLF injection in the cPanel session writer with an encryption-skip triggered by a malformed cookie, then exploits a session caching quirk to promote the injection into a privileged login, all without valid credentials. An unauthenticated remote attacker who successfully exploits the flaw gains control over the cPanel host system, its configurations, databases, and all websites it manages. Exploitation was observed as early as February 23, 2026, making this a true zero-day that was abused for over two months before the emergency patch shipped on April 28, and by May 4, probing had evolved into multi-actor campaigns deploying ransomware, backdoors, and targeted cyber-espionage operations.

Severity and Score

Critical | CVSS 9.8

Type

Missing Authentication for Critical Function (CWE-306)

Disclosure

April 28, 2026; included in the CISA Known Exploited Vulnerabilities catalog on May 1, 2026

Exploitation Status

Actively exploited at scale. Attackers deployed a Go-based Linux ransomware appending the .sorry extension, with Censys identifying over 8,800 hosts exposing encrypted files. A separate cyber-espionage campaign used the flaw to target government and military entities in Southeast Asia. The Shadowserver Foundation reported 44,000 unique IPs scanning or running exploits against honeypot sensors at peak activity.

Mitigation Strategies

Upgrade to cPanel & WHM 11.136.0.5 or later immediately; WP Squared users should upgrade to 136.1.7 or later. Organizations that cannot patch immediately should consider blocking TCP ports 2083 and 2087 from untrusted networks as a temporary measure, though patching is the only reliable remediation. Rotate all cPanel and WHM credentials after patching, audit session files and log directories for signs of unauthorized access, and review file systems for files with the .sorry extension indicating prior ransomware activity.

FortiClient EMS Pre-Authentication API Bypass (CVE-2026-35616)

Overview

FortiClient Enterprise Management Server occupies the control plane for enterprise endpoint security, enforcing device policy, managing VPN access, and governing application and compliance controls across corporate endpoints. An improper access control vulnerability in the FortiClient EMS API allows an unauthenticated attacker to bypass authentication and authorization controls by sending crafted requests, achieving full privilege escalation on the underlying server without valid credentials or user interaction. Compromise of the EMS server gives an attacker the ability to manipulate endpoint configurations, push malicious policies, and execute arbitrary code across the entire managed endpoint fleet. In May 2026, Arctic Wolf confirmed active exploitation campaigns where attackers pushed a credential stealer disguised as a legitimate Fortinet endpoint update, silently executed through PowerShell via VPN on-connect scripting workflows that FortiClient manages.

Severity and Score

Critical | CVSS 9.1

Type

Improper Access Control (CWE-284)

Disclosure

April 4, 2026 (zero-day exploitation began March 31, 2026); included in the CISA Known Exploited Vulnerabilities catalog on April 6, 2026

Exploitation Status

Actively exploited, with ongoing campaigns confirmed in May 2026. Arctic Wolf identified the EKZ Infostealer credential theft campaign, which extracted credentials from Chrome and Firefox, including techniques that bypass Chrome’s encrypted credential storage, as a distinct threat cluster from the initial zero-day campaigns. Approximately 2,000 FortiClient EMS instances remain internet-reachable according to Shadowserver scanning.

Mitigation Strategies

Upgrade to FortiClient EMS 7.4.7, which contains the permanent fix. Organizations on 7.4.5 or 7.4.6 can apply the available hotfix (build 7.4.6.2170.1277073) while planning the full upgrade; the 7.2 branch is not affected by this specific vulnerability. Restrict EMS server access behind VPN or firewall to block direct internet exposure. Review EMS logs for suspicious pre-authentication API requests and audit VPN on-connect script configurations for unauthorized modifications.

Microsoft Dynamics 365 On-Premises Code Injection RCE (CVE-2026-42898)

Overview

Microsoft Dynamics 365 on-premises deployments store process session state as serialized objects that the server trusts and processes during normal CRM operations. The vulnerability arises from insufficient validation of that session data, allowing an authenticated attacker with low privileges to inject malicious code into the saved state of a Dynamics CRM process and trigger the server to execute it. A scope change is involved, meaning exploitation can break out of the vulnerable component’s security context and affect resources and systems beyond Dynamics itself, a rare characteristic that substantially increases the blast radius beyond what a standard application-level RCE would produce. A Dynamics 365 server compromised through this path effectively becomes a remote code execution platform with reach into adjacent systems and data.

Severity and Score

Critical | CVSS 9.9

Type

Code Injection, Improper Control of Code Generation (CWE-94)

Disclosure

May 12, 2026 (Microsoft Patch Tuesday)

Exploitation Status

No active exploitation confirmed as of disclosure. Microsoft rated this as “Exploitation More Likely,” and security researchers flagged the scope-change behavior and minimal privilege requirement as factors that elevate real-world risk beyond what the “no known exploits” status might suggest. Organizations running on-premises Dynamics 365 for CRM and business operations should treat this as a high-priority patch given the potential for cross-system impact.

Mitigation Strategies

Apply the May 2026 Cumulative Update for Dynamics 365 on-premises. Affected versions span 9.1.1.914 through 9.1.45.11, and Microsoft’s Security Update Guide contains the specific KB numbers. Limit Dynamics 365 user permissions to the minimum required for business functions, reducing the pool of accounts an attacker would need to compromise before exploiting the injection. Monitor Dynamics CRM process logs for unexpected serialization activity or out-of-context code execution attempts.

Windows Netlogon Remote Code Execution (CVE-2026-41089)

Overview

Windows Netlogon is the authentication backbone of every Active Directory environment, the service that handles domain logon requests, machine account authentication, domain controller replication, and secure channel establishment between member servers and domain controllers. The vulnerability is a stack-based buffer overflow in the Netlogon Remote Protocol (MS-NRPC), triggered when the service processes a caller-specified length value during the authentication handshake without adequate validation. An unauthenticated remote attacker can send a specially crafted network packet to a domain controller over TCP port 135 (RPC Endpoint Mapper) or through the dynamic RPC endpoint, triggering the overflow and executing code in the context of the Netlogon service, which runs as SYSTEM. Exploitation requires no credentials and no user interaction, and a domain controller running SYSTEM-level attacker code is effectively a domain compromise.

Severity and Score

Critical | CVSS 9.8

Type

Stack-Based Buffer Overflow (CWE-121)

Disclosure

May 12, 2026 (Microsoft Patch Tuesday)

Exploitation Status

No active exploitation confirmed at disclosure. Microsoft assessed exploitation as “Less Likely,” though security researchers drew direct comparisons to Zerologon (CVE-2020-1472), a similarly critical Netlogon vulnerability that moved from advisory to weaponized public exploit in under two weeks. Proof-of-concept code demonstrating reliable exploitation on default Windows Server configurations appeared in research within days of the advisory, making the timeline for weaponization shorter than the “Less Likely” label implies.

Mitigation Strategies

Apply the May 2026 Patch Tuesday update to domain controllers at all sites before any other systems, followed by the systems used to administer them (jump hosts, management servers, admin workstations). Restrict Netlogon service exposure by allowing access to domain controllers only from required source networks. Remove DC reachability from DMZ segments, user VLAN subnets, and any “any-to-any” firewall rule sets. Monitor for unexpected Netlogon service traffic patterns and unusual RPC endpoint connections to domain controllers from workstation segments.

Microsoft Defender Elevation of Privilege Zero-Day (CVE-2026-41091)

Overview

Microsoft Defender’s Malware Protection Engine (mpengine.dll) improperly resolves symbolic links before performing sensitive file access operations, a vulnerability class known as “link following.” Because the engine runs with SYSTEM-level privileges as part of its core scanning function, an attacker who can influence which path the engine follows when performing a file operation can redirect privileged file access to a target of their choosing. A local attacker with low-level access exploits this to escalate directly to SYSTEM, the highest privilege level on Windows, without requiring user interaction. What makes this particularly operationally significant is that the vulnerable component is the security software itself. Defender sits on nearly every supported Windows system, and a privilege escalation in the scanning engine provides a reliable post-compromise escalation path that is both ubiquitous and, before this patch, invisible to the tool most organizations rely on to detect exactly that kind of behavior.

Severity and Score

High | CVSS 7.8

Type

Improper Link Resolution Before File Access, Link Following (CWE-59)

Disclosure

May 20, 2026; included in the CISA Known Exploited Vulnerabilities catalog on May 20, 2026

Exploitation Status

Actively exploited. CISA added both CVE-2026-41091 and a companion Defender denial-of-service flaw (CVE-2026-45498) to the KEV catalog simultaneously, with federal agencies required to remediate by June 3, 2026. The Canadian Centre for Cyber Security issued independent guidance aligning with CISA’s assessment. The denial-of-service companion flaw is being used to disable Defender before or during exploitation. The pairing of an availability impact and a privilege escalation in the same security product represents a meaningful attack chain.

Mitigation Strategies

Verify the Microsoft Malware Protection Engine has updated to version 1.1.26040.8 and the Antimalware Platform to 4.18.26040.7. Under default Defender configuration, these deploy automatically, but version drift on systems with impaired update connections is a known risk. Manually confirm engine versions on domain-joined systems, servers, and any endpoints known to have intermittent Windows Update connectivity. Check for the companion CVE-2026-45498 patch simultaneously, as disabling Defender is an observed prerequisite for exploitation in some attack chains.


May 2026 surfaced a pattern that defenders have seen before but rarely this concentrated: the tools and infrastructure organizations trust most (endpoint security software, network edge devices, endpoint management servers) becoming the primary exploitation targets. CVE-2026-41091 abused Microsoft Defender’s own engine to reach SYSTEM. CVE-2026-35616 turned FortiClient EMS’s update distribution into a malware delivery channel. CVE-2026-34926 allowed an attacker with Trend Micro Apex One server access to push malicious code to every managed endpoint. The common thread is not a particular weakness class but a target selection strategy: attackers are gravitating toward infrastructure that has broad, trusted reach into environments, because compromising a management plane produces compounding returns.

The month also showed how quickly a theoretical severity rating can detach from operational reality. CVE-2026-0257 carried a medium CVSSv4 score but was being exploited at scale within days of disclosure, with confirmed lateral movement into internal networks via the VPN access it granted. CVE-2026-41940’s CVSS 9.8 score matched the scale of actual harm: ransomware across 8,800+ hosts, espionage campaigns, and mass credential theft. The more important signal was that exploitation predated the patch by over two months, meaning CVSS scores evaluated after a patch arrived told organizations nothing about when the threat actually began.

For security teams, the takeaway from May is less about any individual CVE and more about the structural change those CVEs collectively represent. Authentication bypass flaws on internet-facing infrastructure, management plane vulnerabilities with fleet-wide reach, and privilege escalation in security tooling itself form an attack surface that patch management alone cannot close fast enough. Organizations that want to reduce exposure to this class of threat need visibility into the management plane: who is connecting, what is being configured, and whether the security tools themselves are behaving as expected.
