WEEKLY TOP TEN: May 11, 2026, 16:00 GMT
- Vimeo Data Exposed Via Third-Party Analytics Vendor Anodot
Vimeo confirmed that roughly 119,000 user and customer email addresses were exposed following a breach at Anodot, a third-party analytics vendor. ShinyHunters claimed credit as part of its ongoing pay-or-leak campaign, asserting that the company’s Snowflake and BigQuery environments were accessed through the Anodot integration. Have I Been Pwned added the exposed data on May 5, 2026. Vimeo stated that no video content, valid login credentials, or payment card information was involved. The company disabled all Anodot credentials, removed the integration from its systems, and notified law enforcement while engaging outside security experts to investigate.

- NVIDIA GeForce NOW Data Breach Confirmed Via Armenian Regional Partner
NVIDIA confirmed on May 8 that user information was exposed through a breach of GFN.am, the regional GeForce NOW Alliance partner operating in Armenia. The compromise occurred between March 20 and March 26 and was not discovered until May 2, leaving a nearly 54-day dwell time. Exposed data includes names, email addresses, usernames, dates of birth, and phone numbers for users registered before March 9. No account passwords or payment data were compromised. A threat actor using the ShinyHunters name claimed responsibility and offered the database for sale on a hacker forum, though NVIDIA clarified that the incident is isolated to GFN.am’s infrastructure and does not affect NVIDIA-operated services globally.

- Palo Alto Networks PAN-OS Zero-Day (CVE-2026-0300) Actively Exploited by Nation-State Actors
Palo Alto Networks disclosed that a critical buffer overflow vulnerability in PAN-OS, tracked as CVE-2026-0300 with a CVSS score of 9.3, is being actively exploited by suspected state-sponsored threat actors. The flaw resides in the User-ID Authentication Portal service and enables unauthenticated remote code execution with root privileges on PA-Series and VM-Series firewalls. After exploitation, attackers deployed tunneling tools such as EarthWorm and ReverseSocks5, probed Active Directory using stolen credentials, and deleted logs to conceal activity. CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities catalog on May 6. Patches are scheduled to begin rolling out May 13, 2026.

- CISA Orders Federal Agencies to Patch Ivanti EPMM Zero-Day (CVE-2026-6973)
CISA added a high-severity vulnerability in Ivanti Endpoint Manager Mobile, tracked as CVE-2026-6973 with a CVSS score of 7.2, to its Known Exploited Vulnerabilities catalog and gave federal agencies four days to remediate. The flaw stems from improper input validation in EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1, and allows a remotely authenticated attacker with administrative access to achieve remote code execution. Ivanti confirmed that a very limited number of customers had been exploited and noted that risk is significantly reduced for organizations that rotated credentials following earlier EPMM vulnerabilities. The cloud-based Neurons for MDM platform is not affected by this issue.

- JDownloader Official Site Compromised in Supply Chain Attack Delivering Python RAT
The official website of JDownloader, a widely used open-source download manager, was compromised between May 6 and May 7, 2026, with attackers replacing legitimate Windows and Linux installers with malicious files. The Windows payload was confirmed to deploy a Python-based remote access trojan, while the Linux installer also carried malicious code. JDownloader confirmed the breach and advised users to verify file integrity before executing any recently downloaded installers. The incident follows a broader pattern of supply chain attacks targeting developer and end-user tools throughout 2026 and underscores the risk posed by compromising software distribution infrastructure to reach large user bases without directly attacking individual targets.

- Cisco Patches High-Severity SSRF and Code Execution Flaws in Enterprise Products
Cisco released security patches addressing multiple high-severity vulnerabilities across its enterprise product portfolio, including server-side request forgery flaws in Unity Connection that could enable code execution or service disruption. The SSRF vulnerabilities could allow remote attackers to send crafted requests that interact with internal systems, potentially exposing sensitive infrastructure or enabling lateral movement within an organization’s network. Cisco rated the flaws as high severity and strongly urged customers to apply updates immediately. Organizations running Unity Connection and related enterprise communications platforms should prioritize remediation given the potential for unauthenticated remote exploitation under certain configurations.

- xlabs_v1 Mirai-Based Botnet Hijacks IoT Devices for DDoS-for-Hire Attacks
A newly identified Mirai-derived botnet designated xlabs_v1 has emerged as a significant DDoS threat, targeting Android TV boxes, routers, and other ADB-exposed IoT devices with 21 distinct flooding methods. Researchers found the botnet is being operated as a DDoS-for-hire service, enabling low-skill threat actors to launch volumetric attacks against any target of their choosing. The botnet spreads by exploiting exposed Android Debug Bridge interfaces commonly left open on consumer and enterprise IoT devices. The discovery highlights the continued weaponization of poorly secured smart devices for large-scale denial-of-service operations targeting businesses, critical infrastructure, and online services globally.

- Apache HTTP Server Critical Double-Free Flaw (CVE-2026-23918) Enables Remote Code Execution
The Apache Software Foundation released security updates addressing CVE-2026-23918, a critical double-free vulnerability with a CVSS score of 8.8 in the HTTP/2 implementation of Apache HTTP Server. The flaw could allow remote attackers to execute arbitrary code by sending specially crafted HTTP/2 requests that trigger improper memory management in the server process. Organizations hosting web applications on Apache HTTP Server are strongly advised to apply the patch immediately, as the HTTP/2 protocol is enabled by default across many modern deployments. Given Apache’s prevalence as one of the most widely deployed web server platforms globally, unpatched instances represent a high-value attack surface for exploitation campaigns.

- cPanel Zero-Day (CVE-2026-41940) Actively Exploited Against Governments and MSPs
A critical authentication bypass vulnerability in cPanel and WHM, tracked as CVE-2026-41940, has been actively exploited in attacks targeting government entities and managed service providers. The flaw exists in the login flow of cPanel versions after 11.40 and allows remote unauthenticated attackers to bypass authentication checks entirely, granting full control over hosting configurations and sensitive data. The Shadowserver Foundation reported that thousands of instances may be publicly exposed. Separately, cPanel released patches for three additional vulnerabilities, including CVE-2026-29202, an authenticated remote code execution flaw with a CVSS score of 8.8. Defenders should apply all available cPanel patches and restrict management interface access to trusted networks immediately.

- MuddyWater Uses Ransomware Disguise to Mask Iran-Linked Cyber Espionage Campaign
Security researchers uncovered an Iran-linked APT campaign attributed to MuddyWater that disguised cyber espionage operations as ransomware attacks using Chaos Ransomware tooling. The group combined phishing, credential theft, and data exfiltration with ransomware-style tactics to obscure the true intelligence-gathering nature of the intrusion. Rather than seeking financial gain, MuddyWater used the ransomware facade to complicate attribution, distract incident responders, and potentially destroy evidence. The campaign is consistent with MuddyWater’s broader pattern of targeting government, telecommunications, and defense sectors across the Middle East and Europe, illustrating a growing trend of state-sponsored actors co-opting criminal malware to blur the line between espionage and cybercrime.
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The 10 stories above were judged the most significant of the week, ranked from highest risk downward and drawn from multiple sources where available.