Threat and Security Update – May, 2026

Stay Ahead of Threats with the Latest Vulnerability Updates for May


Stay up to date on critical cyber risks, Microsoft's May Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats.

Quick Highlights

  • Microsoft Patch Tuesday: 
    137 vulnerabilities disclosed 
    17 rated Critical 
    No zero-day flaws disclosed this month 
  • High-Severity Advisories from Major Vendors: 
    Adobe: 52 vulnerabilities patched across 10 products 
    Cisco: 4 high-severity flaws, affecting Cisco IoT Field Network Director Software, Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO), Cisco 350 Series Managed Switches (SG350) and Cisco 350X Series Stackable Managed Switches (SG350X), and Cisco Unity Connection 
    Fortinet: 1 critical-severity flaw and 1 high-severity flaw in FortiSandbox and FortiOS 
    Ivanti: 1 critical-severity flaw, 4 high-severity flaws, and 2 medium-severity flaws disclosed in Ivanti Secure Access Client, Ivanti Xtraction, Ivanti Virtual Traffic Manager, and Ivanti Endpoint Manager (EPM) 
    SAP: 2 critical-severity and 1 high-severity vulnerabilities in SAP S/4HANA, SAP Commerce, and SAP Forecasting & Replenishment 
    Apple: Multiple iOS releases addressing security vulnerabilities 
  • Top Threats to Watch: 
    AI-powered attack automation is accelerating – Campaigns like Bissa Scanner and Vibe Hacking show how adversaries are using AI to scale exploitation, generate tools, and automate full intrusion workflows with minimal skill barriers.  
    Trust boundaries in automation (CI/CD) are breaking – The Gemini CLI flaw highlights how implicit trust in pipelines can lead to full remote code execution and supply chain compromise from simple input manipulation.  
    Phishing is evolving into multi-stage access operations – Fake invitation campaigns combine credential theft, MFA bypass, and legitimate remote access tools, making early detection much harder.  
    Legitimate tools continue to be weaponized post-compromise – From RMM software to collaboration platforms like Teams, attackers are blending into normal operations to evade detection and maintain access.  
    Post-compromise privilege escalation remains critical – Exploits like Dirty Frag show that once initial access is gained, reliable local privilege escalation can quickly lead to full system/root control. 

Windows 10 Reaches End of Support

As of October 14, 2025, Microsoft has officially ended support for Windows 10. October 2025’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program. 

  • What This Means for Your Organization: 
    – No more security patches or bug fixes for Windows 10 devices  
    – Increased exposure to vulnerabilities and compliance risks  
    – Continued support requires either: 1.) Enrolling in Microsoft’s paid ESU program, or 2.) Upgrading to Windows 11
  • Upgrading to Windows 11  
    Unlike traditional feature upgrades, Windows 11 25H2 is built on the same servicing branch and code base as Windows 11 24H2, making the transition simpler and lower risk.  

    Fortress has thoroughly tested Windows 11 25H2 and recommends upgrading all supported devices. To begin the upgrade process, contact our 24/7/365 Security Operations Team or reach out to your client experience manager.  

Windows 11 End of Support

As of November 2025, Microsoft has officially ended support for earlier versions of Windows 11 (listed below).

  • Windows 11 version 21H2 (All Editions) 
  • Windows 11 version 22H2 (All Editions) 
  • Windows 11 version 23H2 (Home & Pro) 

We would also like to highlight several upcoming End of Support dates for the following Windows releases: 

  • Windows 11 version 24H2 (Home & Pro) – Support ends October 13, 2026. Devices running these editions should be upgraded before this date to remain supported and secure. 
  • Windows 11 version 23H2 (Enterprise & Education) – Support ends November 10, 2026. After this date, these editions will no longer receive security updates or fixes. 

Fortress recommends reviewing device inventories ahead of these deadlines to ensure systems are upgraded in advance and remain within a supported lifecycle. 

* Some specialized editions of Windows 11 24H2 (e.g. Enterprise Long-Term Servicing Channel, LTSC) will continue to receive support through 2029. For all other editions we recommend upgrading to Windows 11 25H2.  

Windows Server 2016 End of Support

Support for Windows Server 2016 is scheduled to end on January 12, 2027, which is now less than a year away. After this date, Microsoft will no longer provide security updates, bug fixes, or technical support for the platform. 

Organizations still running Windows Server 2016 should begin planning upgrade or migration strategies to avoid increased security risk and compliance concerns once support ends. 

Fortress recommends reviewing affected systems early to allow sufficient time for testing, upgrades, or workload migration before the end-of-support deadline. 
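One way to run that inventory review, as an added example that is not Fortress SRM tooling and not a script from the original update: the PowerShell below classifies the local host against the end-of-support dates stated above, keyed on the OS build number rather than the product name. The build-to-release mapping (14393 = Server 2016, 22000 = 21H2, 22621 = 22H2, 22631 = 23H2, 26100 = 24H2, 26200 = 25H2) and the EditionID values are this example's own assumptions and should be checked against Microsoft's release information before relying on the output.

```powershell
# Added example, not Fortress SRM tooling: classify the local Windows host against the
# end-of-support dates listed in this update. Reads one registry key, so it runs as a
# standard user. The build-to-release mapping is this example's own assumption.
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Caveat: ProductName still reads "Windows 10 ..." on Windows 11 hosts, so classify by
# CurrentBuild, never by ProductName.
$build    = [int]$cv.CurrentBuild
$edition  = [string]$cv.EditionID        # Core = Home, Professional, Enterprise, Education, EnterpriseS = LTSC
$isServer = $cv.InstallationType -like 'Server*'   # 'Server' or 'Server Core'

function Get-SupportStatus {
    param([int]$Build, [string]$Edition, [bool]$Server)

    $homePro = $Edition -in @('Core', 'CoreSingleLanguage', 'Professional', 'ProfessionalWorkstation')
    $ltsc    = $Edition -like '*EnterpriseS*'

    if ($Server) {
        if ($Build -eq 14393) { return @{ Release = 'Windows Server 2016'; Status = 'Support ends 2027-01-12' } }
        return @{ Release = "Windows Server (build $Build)"; Status = 'Not covered by this update; check lifecycle' }
    }
    if ($Build -lt 22000) {
        # ESU enrollment is not visible in this key; confirm it separately before accepting the risk.
        return @{ Release = 'Windows 10'; Status = 'Support ended 2025-10-14 unless enrolled in ESU' }
    }
    switch ($Build) {
        22000 { return @{ Release = 'Windows 11 21H2'; Status = 'Support ended (all editions)' } }
        22621 { return @{ Release = 'Windows 11 22H2'; Status = 'Support ended (all editions)' } }
        22631 {
            if ($homePro) { return @{ Release = 'Windows 11 23H2'; Status = 'Support ended (Home/Pro)' } }
            return @{ Release = 'Windows 11 23H2'; Status = 'Support ends 2026-11-10 (Enterprise/Education)' }
        }
        26100 {
            if ($ltsc)    { return @{ Release = 'Windows 11 24H2 LTSC'; Status = 'Supported through 2029' } }
            if ($homePro) { return @{ Release = 'Windows 11 24H2'; Status = 'Support ends 2026-10-13 (Home/Pro)' } }
            return @{ Release = 'Windows 11 24H2'; Status = 'Supported (end date not listed in this update)' }
        }
        26200 { return @{ Release = 'Windows 11 25H2'; Status = 'Supported (recommended target release)' } }
        default { return @{ Release = "Unknown (build $Build)"; Status = 'Review manually' } }
    }
}

$s = Get-SupportStatus -Build $build -Edition $edition -Server $isServer
[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    Build        = $build
    Edition      = $edition
    Release      = $s.Release
    Status       = $s.Status
    ActionNeeded = -not $s.Status.StartsWith('Supported')
}
```

Run it fleet-wide by wrapping the script in Invoke-Command with a machine list, or by pushing it through your RMM, and export the objects to CSV for the inventory review. A Windows 10 result should be treated as unsupported until ESU enrollment is confirmed from a separate source, since the registry key above does not record it.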

Need help planning your transition?

Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure.

Patch Tuesday Summary

Microsoft May 2026 Patch Tuesday 
137 vulnerabilities disclosed, including 17 critical and 0 zero-days. By category: 

  • 61 Elevation of Privilege 
  • 31 Information Disclosure 
  • 15 Remote Code Execution 
  • 14 Security Feature Bypass 
  • 8 Denial of Service 
  • 6 Spoofing 
  • 2 Tampering 

Critical Common Vulnerabilities and Exposures (CVEs)

Critical CVEs Worth Mentioning

All 17 CVEs below are rated Critical, and none was known to be exploited at release time: 

  • CVE-2026-26164 – Microsoft 365 Copilot: improper neutralization of special elements in output used by a downstream component ('injection') allows an unauthorized attacker to disclose information over a network. 
  • CVE-2026-42898 – Microsoft Dynamics 365 (on-premises): improper control of generation of code ('code injection') allows an authorized attacker to execute code over a network. 
  • CVE-2026-42831 – Microsoft Office: heap-based buffer overflow allows an unauthorized attacker to execute code locally. 
  • CVE-2026-40363 – Microsoft Office: heap-based buffer overflow allows an unauthorized attacker to execute code locally. 
  • CVE-2026-40358 – Microsoft Office: use after free allows an unauthorized attacker to execute code locally. 
  • CVE-2026-40365 – Microsoft Office SharePoint: insufficient granularity of access control allows an authorized attacker to execute code over a network. 
  • CVE-2026-40361 – Microsoft Office Word: use after free allows an unauthorized attacker to execute code locally. 
  • CVE-2026-40367 – Microsoft Office Word: untrusted pointer dereference allows an unauthorized attacker to execute code locally. 
  • CVE-2026-40366 – Microsoft Office Word: use after free allows an unauthorized attacker to execute code locally. 
  • CVE-2026-40364 – Microsoft Office Word: access of resource using incompatible type ('type confusion') allows an unauthorized attacker to execute code locally. 
  • CVE-2026-41103 – Microsoft SSO Plugin for Jira & Confluence: incorrect implementation of an authentication algorithm allows an unauthorized attacker to elevate privileges over a network. 
  • CVE-2026-41096 – Microsoft Windows DNS: heap-based buffer overflow allows an unauthorized attacker to execute code over a network. 
  • CVE-2026-35421 – Windows GDI: heap-based buffer overflow allows an unauthorized attacker to execute code locally. 
  • CVE-2026-40402 – Windows Hyper-V: use after free allows an unauthorized attacker to elevate privileges locally. 
  • CVE-2026-32161 – Windows Native WiFi Miniport Driver: concurrent execution using a shared resource with improper synchronization ('race condition') allows an unauthorized attacker to execute code over an adjacent network. 
  • CVE-2026-41089 – Windows Netlogon: stack-based buffer overflow allows an unauthorized attacker to execute code over a network. 
  • CVE-2026-40403 – Windows Win32K – GRFX: heap-based buffer overflow allows an authorized attacker to execute code locally. 

Of these, the two unauthenticated network-reachable code execution flaws in Windows DNS (CVE-2026-41096) and Netlogon (CVE-2026-41089) affect services that run on domain controllers and should be at the front of the patch queue. 

Microsoft May 2026 Security Update Release

Third-Party Critical CVEs Worth Mentioning

Adobe Products *

  • Adobe Premiere Pro – 3 Critical (CVE-2026-34636, CVE-2026-34637, CVE-2026-34638): arbitrary code execution 
  • Adobe Media Encoder – 2 Critical (CVE-2026-34639, CVE-2026-34640): arbitrary code execution 
  • Adobe After Effects – 4 Critical (CVE-2026-34690, CVE-2026-34642, CVE-2026-34643, CVE-2026-34644): arbitrary code execution 
  • Adobe Commerce – 10 Critical, 4 Important, 1 Moderate (CVE-2026-34645, CVE-2026-34646, CVE-2026-34647, CVE-2026-34648, CVE-2026-34649, CVE-2026-34650, CVE-2026-34651, CVE-2026-34652, CVE-2026-34686, CVE-2026-34653, CVE-2026-34654, CVE-2026-34655, CVE-2026-34656, CVE-2026-34658, CVE-2026-34685): application denial of service, arbitrary code execution, security feature bypass, arbitrary file system write 
  • Adobe Connect – 2 Critical (CVE-2026-34659, CVE-2026-34660): arbitrary code execution, privilege escalation 
  • Adobe Illustrator – 2 Critical, 2 Important (CVE-2026-34661, CVE-2026-34662, CVE-2026-34663, CVE-2026-34687): arbitrary code execution, application denial of service, memory exposure 
  • Substance 3D Designer – 5 Important (CVE-2026-34664, CVE-2026-34681, CVE-2026-34682, CVE-2026-34683, CVE-2026-34684): arbitrary file system read, arbitrary code execution 
  • Content Authenticity SDK – 1 Critical, 13 Important (CVE-2026-34665, CVE-2026-34666, CVE-2026-34667, CVE-2026-34668, CVE-2026-34669, CVE-2026-34670, CVE-2026-34671, CVE-2026-34672, CVE-2026-34688, CVE-2026-34673, CVE-2026-34677, CVE-2026-34678, CVE-2026-34679, CVE-2026-34680): application denial of service 
  • Substance 3D Sampler – 1 Critical (CVE-2026-34674): arbitrary code execution 
  • Substance 3D Painter – 2 Critical (CVE-2026-34675, CVE-2026-34676): arbitrary code execution 

Adobe Security Bulletins

Cisco *

All four advisories are rated High, and none was known to be exploited at release time: 

  • CVE-2026-20167, CVE-2026-20168, CVE-2026-20169 – Cisco IoT Field Network Director Software: multiple vulnerabilities in the web-based management interface could allow an authenticated, remote attacker to access files, execute commands, and cause denial of service (DoS) conditions on managed routers. 
  • CVE-2026-20188 – Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO): a vulnerability in the connection-handling mechanism could allow an unauthenticated, remote attacker to cause a DoS condition on an affected system. 
  • CVE-2026-20185 – Cisco 350 Series Managed Switches (SG350) and Cisco 350X Series Stackable Managed Switches (SG350X): a vulnerability in the Simple Network Management Protocol (SNMP) subsystem could allow an authenticated, remote attacker to cause a DoS condition on an affected device. 
  • CVE-2026-20034, CVE-2026-20035 – Cisco Unity Connection: multiple vulnerabilities could allow a remote attacker to execute arbitrary code on, or conduct server-side request forgery (SSRF) attacks through, an affected device. 

Cisco Security Advisories

Fortinet *

Neither flaw was known to be exploited at release time: 

  • CVE-2026-26083 – FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS web UI (Critical): a missing authorization vulnerability may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests. 
  • CVE-2025-53844 – FortiOS capwap daemon (High): an out-of-bounds write may allow an attacker controlling an authenticated FortiAP, FortiExtender or FortiSwitch to gain execution privileges on the FortiGate device. 

Fortinet PSIRT Advisories

Ivanti *

None of these was known to be exploited at release time: 

  • CVE-2026-7431, CVE-2026-7432 – Ivanti Secure Access Client (1 High, 1 Medium): a locally authenticated user could read or modify sensitive log data via write access to a shared memory section, or escalate privileges to SYSTEM. 
  • CVE-2026-8043 – Ivanti Xtraction (Critical): external control of a file name allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks. 
  • CVE-2026-8051 – Ivanti Virtual Traffic Manager (High): OS command injection allows a remote authenticated attacker with admin privileges to achieve remote code execution. 
  • CVE-2026-8109, CVE-2026-8110, CVE-2026-8111 – Ivanti Endpoint Manager (EPM) (2 High, 1 Medium): multiple vulnerabilities could allow a remote or local authenticated attacker to leak access credentials, escalate privileges, and achieve remote code execution. 

Ivanti May 2026 Security Update

SAP *

None of these was known to be exploited at release time: 

  • CVE-2026-34260 – SAP S/4HANA (SAP Enterprise Search for ABAP) (Critical): SQL injection allows an authenticated attacker to inject malicious SQL statements through user-controlled input. 
  • CVE-2026-34263 – SAP Commerce (Critical): an improper Spring Security configuration allows an unauthenticated user to upload malicious configuration and inject code, resulting in arbitrary server-side code execution with high impact on the confidentiality, integrity, and availability of the application. 
  • CVE-2026-34259 – SAP Forecasting & Replenishment (High): an OS command execution vulnerability lets an authenticated attacker with administrative authorizations abuse a non-remote-enabled function to execute arbitrary operating system commands. 

SAP May 2026 Security Notes

Apple**

  • Version: iOS 26.5 and iPadOS 26.5, iOS 18.7.9 and iPadOS 18.7.9, iPadOS 17.7.11, iOS 16.7.16 and iPadOS 16.7.16, iOS 15.8.8 and iPadOS 15.8.8, macOS Tahoe 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, tvOS 26.5, watchOS 26.5, visionOS 26.5 
  • Release Date: Monday, May 11, 2026 
  • Release Notes: Addresses more than 50 security vulnerabilities in iOS 26.5 and around 70 in macOS Tahoe 26.5. No actively exploited bugs were reported. 

Apple Release Notes

Google Chrome 

  • Version: 148.0.7778.167/168 (Windows and Mac), 148.0.7778.167 (Linux) 
  • Release Date: Tuesday, May 12, 2026 
  • Previous Version Release Notes: Chrome 148.0.7778.96 (Linux) and 148.0.7778.96/97 (Windows/Mac), released on May 5, 2026, fixed 127 security flaws, including 3 critical-severity and 31 high-severity.  

Chrome Release Notes

Mozilla Firefox

  • Version: Firefox 150.0.3 
  • Release Date: Tuesday, May 12, 2026 
  • Key Fixes: five high-severity CVEs – CVE-2026-8388, CVE-2026-8389, CVE-2026-8390, CVE-2026-8391, and CVE-2026-8401 

* Not handled by Fortress SRM. 
** macOS handled by Fortress SRM; iOS not handled by Fortress SRM.

Threat Intelligence Trends – May 2026

The following resources are grouped by threat type / category. 

AI-Enabled / Emerging Threats

AI-Powered Exploitation Accelerates Initial Access in Cyberattacks 
Google Threat Intelligence reports that attackers are using AI to discover vulnerabilities, generate exploits, and scale initial access operations, including the first observed AI-developed zero-day.  

Bissa Scanner: AI-Assisted Mass Exploitation & Credential Harvesting 
An exposed attacker server revealed a highly automated operation using AI tools to scan millions of systems, exploit vulnerabilities, and harvest large volumes of credentials, with over 900 confirmed compromises.  

Vibe Hacking: AI-Augmented Campaigns Targeting Latin America 
Two campaigns (SHADOW-AETHER-040 and SHADOW-AETHER-064) leveraged agentic AI to automate full attack chains, from initial access to data exfiltration, against government and financial organizations in Latin America.  

Social Engineering & Phishing

Cross-Tenant Helpdesk Impersonation → Human-Operated Data Exfiltration 
Threat actors abuse Microsoft Teams external access to impersonate IT helpdesk staff, trick users into granting remote access, then use legitimate tools and protocols to move laterally and exfiltrate sensitive data while blending into normal activity.  

US Fake Invitation Phishing Campaign 
A large-scale phishing campaign targeting U.S. organizations uses fake event invitations and CAPTCHA pages to trick users into credential theft, OTP interception, or installing legitimate remote access tools.  

Operation TrustTrap: Large-Scale Domain Spoofing Campaign 
A massive phishing campaign leveraging 16,800+ spoofed domains abuses trust in government-style URLs to harvest credentials and payment data, focusing on human perception rather than technical exploits.  

Silver Fox Tax-Themed Phishing Campaign Deploys Multi-Stage Malware 
A cyberespionage campaign by the Silver Fox group uses fake tax audit emails to trick victims into downloading malicious files that deliver ValleyRAT and a new ABCDoor backdoor, enabling full remote access and data theft.  

Vulnerabilities & Exploits

vm2 Sandbox Escape Enables Remote Code Execution (CVE-2026-26956) 
A critical vulnerability in the vm2 Node.js sandbox library allows attackers to escape the isolated environment and execute arbitrary commands on the host by exploiting WebAssembly exception handling flaws. Any service that runs untrusted JavaScript inside vm2 should be treated as exposed until patched.  

GitHub Enterprise Server RCE via Git Push Option Injection (CVE-2026-3854)
A high‑severity vulnerability allows attackers with repository push access to achieve remote code execution by injecting malicious data into unsanitized git push options that are processed as internal headers.

CVE-2026-42208: Targeted SQL Injection in LiteLLM Exploited Within 36 Hours 
A critical pre-auth SQL injection in LiteLLM’s authentication flow was actively probed just 36 hours after disclosure, with attackers performing targeted schema enumeration to access high-value secrets like API keys and credentials.  

Hackers Exploit Canvas XSS Flaw to Deface School Portals 
Attackers leveraged cross-site scripting (XSS) vulnerabilities in Instructure's Canvas LMS to hijack admin sessions and deface login portals with ransom messages, escalating pressure after an earlier data breach.  

Critical cPanel Authentication Flaw Prompts Emergency Mitigation by Namecheap 
A critical authentication bypass vulnerability (CVE-2026-41940) in cPanel allowed unauthenticated attackers to gain full control of servers, prompting Namecheap to temporarily block panel access while deploying patches.  

Palo Alto PAN-OS Zero-Day Enables Root RCE on Firewalls 
A critical buffer overflow in the PAN‑OS User-ID Authentication Portal allows unauthenticated attackers to execute code with root privileges on affected firewalls, with active exploitation observed.  

Apache ActiveMQ Jolokia Flaw Enables RCE (CVE-2026-34197) 
A high-severity vulnerability in Apache ActiveMQ Classic allows attackers to execute arbitrary code by abusing the Jolokia management API to load malicious configurations, with some versions enabling unauthenticated exploitation.  

Copy Fail: 732 Bytes to Root on Every Major Linux Distribution 
A critical Linux kernel flaw (CVE-2026-31431) allows unprivileged users to gain root by corrupting the page cache of files, enabling reliable privilege escalation across nearly all Linux distributions since 2017.  

APT28 Exploits Incomplete Patch → New Zero-Click Windows Vulnerability (CVE-2026-32202) 
Akamai uncovered that a Microsoft fix for a prior zero-day (CVE-2026-21510) was incomplete, leaving behind a zero-click authentication coercion flaw (CVE-2026-32202) that APT28 used to silently steal credentials.  

Dirty Frag: Linux Privilege Escalation via Page-Cache Manipulation 
A Linux kernel vulnerability chain that enables unprivileged users to overwrite read-only page-cache memory and gain root access by exploiting two flaws in networking subsystems.  

Google Fixes CVSS 10 Gemini CLI CI RCE 
A critical vulnerability in Gemini CLI allowed attackers to inject malicious configuration in CI workflows and execute arbitrary commands on host systems due to unsafe workspace trust in headless mode.  

Recommended Actions

Mitigations

  • Enforce strict trust boundaries in CI/CD pipelines (disable automatic trust of workspace content, require explicit approvals for external inputs)  
  • Patch and update all exposed systems promptly (e.g., Gemini CLI, Linux kernel, internet-facing apps) 
  • Move secrets out of easily accessible locations (e.g., .env files) and into secure secret managers 
  • Restrict use of remote management tools (RMM) and enforce least privilege access controls 
  • Implement strong MFA with phishing-resistant methods and conditional access policies 

Monitoring

  • Monitor for unusual use of legitimate tools (RMM software, Teams, CLI agents) in non-standard contexts 
  • Track suspicious activity in CI/CD pipelines, especially execution triggered by external pull requests or untrusted inputs 
  • Watch for abnormal authentication patterns (e.g., OTP reuse, impossible travel, unusual login flows) 
  • Monitor outbound traffic for data exfiltration or connections to uncommon storage/services (e.g., S3-like endpoints) 
  • Log and review kernel/module loading activity and privilege escalation indicators on Linux hosts 

Detection Tips

  • Alert on creation or modification of hidden config directories/files (e.g., .gemini/, phishing kit artifacts) 
  • Detect CAPTCHA-gated phishing flows followed by authentication prompts 
  • Identify anomalous execution chains involving trusted binaries/tools launched from unusual parent processes 
  • Look for signs of page cache manipulation or sensitive file tampering (Linux LPE indicators) 
  • Correlate multi-stage attacks: phishing → credential use → RMM deployment → lateral movement 
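As an added example covering the CI/CD trust-boundary mitigation and the hidden-config detection tip above (not Fortress SRM detection content, and not code from the Gemini CLI project), the PowerShell below inspects the paths an untrusted pull request changes and stops the job before any agent or build tool reads the workspace when a hidden configuration location is touched. The benign-file list and the sample change set are constructed for this example.

```powershell
# Added example, not Fortress SRM detection content: stop a CI job before any tool reads the
# workspace if an untrusted change set touches hidden configuration paths. Such paths (.gemini/,
# .github/workflows/, editor task files, dotenv files) change how agents and build tools behave
# when the workspace is trusted implicitly. The benign-file list and the sample change set are
# assumptions of this example, not taken from the original page.

# Hidden files that change routinely and cannot by themselves make a tool execute anything.
$benignLeaves = @('.gitignore', '.gitattributes', '.editorconfig', '.gitkeep', '.prettierrc')

function Get-RiskyPaths {
    param([string[]]$ChangedPaths)
    foreach ($path in $ChangedPaths) {
        $norm     = $path.Replace('\', '/').TrimStart('/')
        $segments = $norm.Split('/')
        $leaf     = $segments[-1]
        $dirs     = if ($segments.Count -gt 1) { $segments[0..($segments.Count - 2)] } else { @() }

        # Any hidden directory anywhere in the path (.gemini/, .github/, .vscode/, docs/.hidden/).
        $hiddenDir  = @($dirs | Where-Object { $_.StartsWith('.') }).Count -gt 0
        # A hidden file at any level, unless it is on the benign list.
        $hiddenFile = $leaf.StartsWith('.') -and ($benignLeaves -notcontains $leaf)

        if ($hiddenDir -or $hiddenFile) { $norm }
    }
}

# Constructed sample of what `git diff --name-only` might print for an external pull request.
$sampleChanges = @(
    'src/app.py',
    '.gitignore',
    '.gemini/settings.json',
    '.github/workflows/ci.yml',
    'docs/.hidden/notes.txt',
    'services/api/.env'
)

$risky = @(Get-RiskyPaths -ChangedPaths $sampleChanges)
if ($risky.Count -gt 0) {
    Write-Output 'Hidden configuration changed; require explicit approval before running tools:'
    $risky | ForEach-Object { Write-Output "  $_" }
    # In a pipeline, fail the job here so nothing downstream trusts the workspace:  exit 1
} else {
    Write-Output 'No hidden configuration changes; continue.'
}
```

In a GitHub Actions workflow, replace the sample with the output of `git diff --name-only "origin/$env:GITHUB_BASE_REF...HEAD"` and run the gate as a separate job that holds no secrets and invokes no tool that reads workspace configuration; the four flagged paths in the sample (.gemini/settings.json, .github/workflows/ci.yml, docs/.hidden/notes.txt, services/api/.env) are exactly the kind of input a CLI agent in headless mode would otherwise pick up silently.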

About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering 

Why Patching Matters

Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities. 

Vigilant Managed Cyber Hygiene

Fortress SRM's Vigilant Managed Cyber Hygiene simplifies patch management. 

  • Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications 
  • Critical patches, OS upgrades, and configuration updates for all devices, on/off network 
  • 24/7/365 U.S.-based monitoring and real-time reporting for full visibility 

Stay Protected. Stay Proactive.

Learn how Fortress SRM can enhance your cybersecurity strategy