By security practitioners, for security practitioners

Top 10 Cybersecurity News (May 18, 2026): Researcher Drops YellowKey and GreenPlasma Windows Zero-Day Exploits, Microsoft May 2026 Patch Tuesday, Microsoft Warns of Active Zero-Day Exchange Server Exploitation, and More

WEEKLY TOP TEN: May 18, 2026, 16:00 GMT

  1. Microsoft May 2026 Patch Tuesday Fixes 120 Flaws With No Zero-Days

    Microsoft released security updates addressing 120 vulnerabilities, marking the first Patch Tuesday in nearly two years with no actively exploited or publicly disclosed zero-days. The release includes 17 critical-rated flaws, 14 of which enable remote code execution. Notable fixes include CVE-2026-41096, a critical Windows DNS Client RCE rated CVSS 9.8; CVE-2026-41089, a preauthentication Netlogon RCE on domain controllers; CVE-2026-42898, a Microsoft Dynamics 365 RCE rated 9.9; and CVE-2026-40365 affecting SharePoint Server. Multiple Microsoft Office and Word vulnerabilities exploitable via the preview pane were also patched. Adobe, AMD, Apple, Cisco, Fortinet, Google, and Ivanti released coordinated advisories.
  2. Cisco Catalyst SD-WAN Controller Authentication Bypass Actively Exploited in Zero-Day Attacks

    Cisco released emergency updates for a maximum-severity authentication bypass vulnerability in Catalyst SD-WAN Controller and Manager, tracked as CVE-2026-20182 and carrying a CVSS score of 10.0. The flaw allows unauthenticated remote attackers to bypass peering authentication and obtain administrative privileges by sending crafted requests. Cisco’s Talos threat intelligence team attributed limited active exploitation to a sophisticated threat actor tracked as UAT-8616, the same group previously linked to CVE-2026-20127. Successful exploitation grants access to NETCONF for network configuration manipulation. CISA added the vulnerability to its KEV catalog, requiring FCEB agencies to remediate by May 17.
  3. Microsoft Warns of Active Zero-Day Exchange Server Exploitation

    Microsoft disclosed a new security vulnerability impacting on-premises versions of Exchange Server that has come under active exploitation. Tracked as CVE-2026-42897 with a CVSS score of 8.1, the flaw is a spoofing bug stemming from a cross-site scripting issue affecting Exchange Server Subscription Edition, 2016, and 2019. An attacker can weaponize the vulnerability by sending a crafted email that, when opened in Outlook Web Access with certain interaction conditions met, allows arbitrary JavaScript execution in the browser context. Microsoft tagged it with an “Exploitation Detected” assessment and shared mitigations until a permanent patch is released. An anonymous researcher reported the issue.
  4. Instructure Reaches Agreement With ShinyHunters to Halt Canvas Data Leak

    Canvas learning platform operator Instructure announced it reached an agreement with the ShinyHunters extortion group to prevent publication of approximately 275 million student records stolen earlier in May. The hackers had set a May 12 deadline before threatening to release private information from students and teachers across nearly 9,000 educational institutions. Instructure confirmed the stolen data was returned with shred logs proving permanent deletion. The single deal covers all impacted institutions. ShinyHunters originally exploited a vulnerability in Free-for-Teacher accounts on April 30, exfiltrating 3.65 terabytes of data, and later defaced login pages at roughly 330 schools.
  5. Foxconn Confirms Cyberattack on North American Factories After Nitrogen Ransomware Claim

    Taiwanese electronics manufacturing giant Foxconn confirmed that some of its North American factories were hit by a cyberattack after the Nitrogen ransomware group listed the company on its leak site, claiming theft of 8TB of data spanning more than 11 million files. The stolen trove allegedly contains confidential project schematics and technical drawings tied to major customers including Apple, Nvidia, Intel, Google, Dell, and AMD. Reported impacted facilities include the Mount Pleasant, Wisconsin plant and a Houston, Texas factory, with some workers forced to revert to pen-and-paper operations. Foxconn says affected sites are resuming normal production but declined to confirm customer data theft.
  6. West Pharmaceutical Services Hit by Ransomware Attack Disrupting Global Operations

    Pennsylvania-based pharmaceutical packaging giant West Pharmaceutical Services disclosed in an SEC 8-K filing that it suffered a material cybersecurity attack on May 4, with attackers exfiltrating data and encrypting certain systems. The company proactively took systems offline globally, notified law enforcement, and engaged Palo Alto Networks’ Unit 42 for incident response. The attack disrupted shipping, receiving, and manufacturing across multiple sites worldwide. Core enterprise systems have been restored, though some facilities remain offline. No ransomware group has publicly claimed responsibility, suggesting a ransom may have been paid. The financial impact remains undetermined.
  7. BWH Hotels Says Hackers Had Access to Reservation Data for Six Months

    Hospitality group BWH Hotels, parent of Best Western Hotels & Resorts, WorldHotels, and SureStay, is notifying guests that threat actors accessed a guest reservation web application for over six months before being detected on April 22. Investigators determined the intrusion began October 14, 2025, and compromised guest names, email addresses, phone numbers, home addresses, reservation numbers, stay dates, and special requests. Payment and financial information were not stored in the affected system. The company took the application offline, revoked unauthorized access, and engaged external cybersecurity experts. With over 53 million loyalty members, the scope of exposure remains undisclosed.
  8. Cushman and Wakefield Hit With Class Action After Vishing-Linked Salesforce Breach

    Global commercial real estate giant Cushman & Wakefield faces a proposed class action lawsuit filed in the U.S. District Court for the Southern District of New York after ShinyHunters published a 50GB Salesforce dataset containing over 500,000 records. The breach originated from a voice phishing attack in which an employee was tricked into providing access credentials. The leaked dataset, added to Have I Been Pwned on May 12, exposed names, contact details, business records, and corporate communications belonging to over 310,000 individuals. The Qilin ransomware group separately listed the company on its leak site, and plaintiffs allege exposure of Social Security numbers and financial information.
  9. Ghostwriter Group Targets Ukrainian Government With Geofenced PDF Phishing

    The Belarus-aligned threat actor Ghostwriter, also tracked as FrostyNeighbor and UAC-0057, has been attributed to a fresh spear-phishing campaign against Ukrainian governmental organizations active since March 2026. ESET researchers documented PDF lures impersonating Ukrainian telecom Ukrtelecom, with embedded links delivering geofenced payloads: victims with non-Ukrainian IPs receive benign decoys, while Ukrainian targets get RAR archives containing JavaScript versions of PicassoLoader that drop Cobalt Strike Beacon. The downloader profiles compromised hosts every ten minutes before operators manually deploy follow-on payloads. Targeting concentrates on military, defense, and government entities in Ukraine, with additional victims observed across Poland and Lithuania.
  10. Researcher Drops YellowKey and GreenPlasma Windows Zero-Day Exploits

    A cybersecurity researcher who went rogue after a dispute with Microsoft published proof-of-concept exploits for two unpatched Windows vulnerabilities named YellowKey and GreenPlasma. YellowKey is a BitLocker bypass that requires physical access, granting attackers entry to BitLocker-protected drives. GreenPlasma is a privilege escalation flaw enabling any user to escalate to SYSTEM privileges. The disclosures were deliberately timed for the days following the May Patch Tuesday cycle to maximize exposure for unpatched systems. The dual zero-day drop marked the researcher’s third wave of unauthorized Microsoft vulnerability releases, raising significant risk for enterprise endpoints relying on BitLocker encryption controls.

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The 10 stories above were judged the most significant of the week, ranked by risk, and compiled from multiple sources where available.
