🔥 Microsoft’s new MDASH AI just uncovered 16 Windows vulnerabilities, patched today in Patch Tuesday — including 4 critical RCEs in the TCP/IP kernel and IKEv2 VPN.

An army of 100+ AI agents debated, validated, and proved them exploitable.

Read more: https://thehackernews.com/2026/05/microsofts-mdash-ai-system-finds-16.html

⚡ WEBINAR — Your AppSec tools are flooded with “toast” alerts. But attackers are quietly building a Lethal Chain to your most important data.

Small low-risk flaws in code, pipeline, and cloud create one deadly path your tools miss.

Learn:
• How to spot real dangerous risks
• How to map actual attack paths
• A simple way to cut noise and focus on what matters

Join Wiz experts Mike McGuire & Salman Ladha live next week.

🔗 Watch here → https://thehackernews.com/2026/05/webinar-why-your-appsec-tools-miss.html

🚨 ConsentFix v3 just dropped on the XSS criminal forum.
New toolkit fully automates Microsoft account hijacks:

󠁯•󠁏 ClickFix social engineering + OAuth consent phishing
󠁯•󠁏 Fake personas & email campaigns
󠁯•󠁏 Cloudflare phishing pages
󠁯•󠁏 Auto token swap → persistent session + refresh tokens

Easily bypasses MFA/passkeys.

Read: https://thehackernews.com/2026/05/weekly-recap-linux-rootkit-macos-crypto.html#:~:text=New%20ConsentFix%20V3%20Attack%20Automates%20Microsoft%20Account%20Hijacking

😳 One sneaky plaintext byte is all it takes.

Exim’s new “Dead.Letter” (CVE-2026-45185) triggers when a client sends a TLS close_notify mid-BDAT, then slips in a final \n.

That single write hits a freed TLS buffer → corrupts heap allocator metadata on GnuTLS builds (4.97–4.99.2).

XBOW calls it one of the highest-caliber bugs they’ve seen in Exim.

Patch to 4.99.3 right now 👇 https://thehackernews.com/2026/05/new-exim-bdat-vulnerability-exposes.html

What if your Android phone secretly kept a tamper-proof forensic log that even advanced spyware can’t delete?

Google just made it real with "Intrusion Logging"

🔸 Opt-in, 12-month encrypted records designed for journalists & activists.

🔸 Enable: Settings → Security & privacy → Advanced Protection → Intrusion Logging

🔸 Rolling out with Android 16 (December update)

Full story: https://thehackernews.com/2026/05/android-adds-intrusion-logging-for.html

⚡ An 18-year-old flaw in NGINX can let unauthenticated attackers run code or crash servers using crafted HTTP requests.

Tracked as CVE-2026-42945 and named NGINX Rift, the bug affects NGINX Plus and Open Source.

Patch details and mitigation steps: https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html

🛑 3rd Linux kernel LPE in just ~2 weeks: Fragnesia (CVE-2026-46300) just dropped.

Attackers can now gain root by corrupting the kernel page cache through a flaw in XFRM ESP-in-TCP.

PoC is public. Major distros have already issued advisories.

Details: https://thehackernews.com/2026/05/new-fragnesia-linux-kernel-lpe-grants.html

🔥 Two new Windows zero-days expose a BitLocker bypass in WinRE and a CTFMON privilege escalation issue.

YellowKey affects Windows 11 and Server 2022/2025; GreenPlasma could enable abuse of SYSTEM-writable paths.

Full story: https://thehackernews.com/2026/05/windows-zero-days-expose-bitlocker.html

🔥 Two new Windows zero-days expose a BitLocker bypass in WinRE and a CTFMON privilege escalation issue.

YellowKey affects Windows 11 and Server 2022/2025; GreenPlasma could enable abuse of SYSTEM-writable paths.

Full story: https://thehackernews.com/2026/05/windows-zero-days-expose-bitlocker.html

⚠️ AI hallucinations just became a real cyber weapon.

2025 benchmark of 40 AI models: 36/40 were more likely to give confident wrong answers than correct ones on hard questions.

That’s not a glitch. That’s your new attack surface.

Read → https://thehackernews.com/2026/05/how-ai-hallucinations-are-creating-real.html

🚨 Threat actors targeted PraisonAI CVE-2026-44338, an authentication bypass vulnerability, within hours of disclosure.

The flaw affects versions 2.5.6–4.6.33 and can expose the /agents endpoint without authorization.

Read the full report: https://thehackernews.com/2026/05/praisonai-cve-2026-44338-auth-bypass.html

You've heard us say compliance should be part of how you operate, not a project.

On May 20, we're showing you exactly what that means.

Watch Rippling Automated Compliance for SOC 2 collect evidence continuously, catch issues the moment they happen, and resolve them, all without leaving the platform. No bouncing between tools. No quarterly scramble. No mystery about what your auditors will find.

This is the live demo. Come with questions.

🖥Automated Compliance: From Manual Chaos to Continuous Control

📅May 20 | Live Product Demo | Free

Save your spot → https://thn.news/compliance-automation-webinar

🚨 Belarus-aligned Ghostwriter has targeted Ukrainian government organizations since March 2026 with spear-phishing PDFs impersonating Ukrtelecom.

The campaign uses Ukraine IP geofencing, JavaScript PicassoLoader, 10-minute host fingerprinting, and Cobalt Strike after victim validation.

Full infection chain: https://thehackernews.com/2026/05/ghostwriter-targets-ukrainian.html

🔥 ThreatsDay Bulletin is out!

• PAN-OS root RCE actively exploited
• AI model hijacks
• GhostLock file lock trick
• Zero-auth defense leak
• OnlyFans ransomware
• ClickFix upgrade
+ 9 more stories.

Full read 👇 https://thehackernews.com/2026/05/threatsday-bulletin-pan-os-rce-mythos.html

🚨 ALERT - Three newly published node-ipc npm versions have been confirmed as malicious, with obfuscated stealer/backdoor behavior targeting developer and cloud secrets.

Full details on affected versions and how the payload triggers at runtime: https://thehackernews.com/2026/05/stealer-backdoor-found-in-3-node-ipc.html

🚨 Limited attacks are exploiting CVE-2026-20182, a CVSS 10.0 auth bypass in Cisco Catalyst SD-WAN Controller.

Unauthenticated remote attackers can gain admin privileges and manipulate SD-WAN configurations.

Affected: on-prem, cloud, government deployments.

Full details and mitigation steps: https://thehackernews.com/2026/05/cisco-catalyst-sd-wan-controller-auth.html

🚨 CISA added CVE-2026-20182, a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Controller, to its KEV catalog amid active exploitation.

Remote attackers can gain admin privileges. FCEB agencies must remediate by May 17, 2026.

Full details: https://thehackernews.com/2026/05/cisa-adds-cisco-sd-wan-cve-2026-20182.html

🚨 On-prem Microsoft Exchange Server CVE-2026-42897 is under active exploitation.

The CVSS 8.1 spoofing flaw stems from XSS and can allow arbitrary JavaScript execution when crafted emails are opened in Outlook Web Access under certain conditions.

Read: https://thehackernews.com/2026/05/on-prem-microsoft-exchange-server-cve.html

🚨 Two OpenAI employee devices were impacted in the Mini Shai-Hulud supply chain attack via TanStack.

Limited credentials were exfiltrated from internal code repos, prompting macOS certificate revocation and required app updates before June 12, 2026.

Read: https://thehackernews.com/2026/05/tanstack-supply-chain-attack-hits-two.html

Your biggest blind spot isn't malware. It's the trusted tools your team already uses every day.

PowerShell. Certutil. netsh.

Attackers love them too — and Bitdefender just proved it in 700,000+ incidents.

What happens when you watch your own tools for 45 days? Learn here → https://thehackernews.com/2026/05/what-45-days-of-watching-your-own-tools.html

🚨 Four OpenClaw vulnerabilities dubbed Claw Chain can be chained to steal sensitive data, escalate privileges, and establish persistence.

All four flaws are fixed in OpenClaw 2026.4.22.

Full technical breakdown of the attack chain and CVEs: https://thehackernews.com/2026/05/four-openclaw-flaws-enable-data-theft.html