🚨 Limited attacks are exploiting CVE-2026-20182, a CVSS 10.0 auth bypass in Cisco Catalyst SD-WAN Controller.
Unauthenticated remote attackers can gain admin privileges and manipulate SD-WAN configurations.
Affected: on-prem, cloud, government deployments.
Full details and mitigation steps: https://thehackernews.com/2026/05/cisco-catalyst-sd-wan-controller-auth.html
🚨 CISA added CVE-2026-20182, a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Controller, to its KEV catalog amid active exploitation.
Remote attackers can gain admin privileges. FCEB agencies must remediate by May 17, 2026.
Full details: https://thehackernews.com/2026/05/cisa-adds-cisco-sd-wan-cve-2026-20182.html
🚨 On-prem Microsoft Exchange Server CVE-2026-42897 is under active exploitation.
The CVSS 8.1 spoofing flaw stems from XSS and can allow arbitrary JavaScript execution when crafted emails are opened in Outlook Web Access under certain conditions.
Read: https://thehackernews.com/2026/05/on-prem-microsoft-exchange-server-cve.html
🚨 Two OpenAI employee devices were impacted in the Mini Shai-Hulud supply chain attack via TanStack.
Limited credentials were exfiltrated from internal code repos, prompting macOS certificate revocation and required app updates before June 12, 2026.
Read: https://thehackernews.com/2026/05/tanstack-supply-chain-attack-hits-two.html
Your biggest blind spot isn't malware. It's the trusted tools your team already uses every day.
PowerShell. Certutil. netsh.
Attackers love them too, and Bitdefender just proved it in 700,000+ incidents.
What happens when you watch your own tools for 45 days? Learn here: https://thehackernews.com/2026/05/what-45-days-of-watching-your-own-tools.html
🚨 Four OpenClaw vulnerabilities dubbed Claw Chain can be chained to steal sensitive data, escalate privileges, and establish persistence.
All four flaws are fixed in OpenClaw 2026.4.22.
Full technical breakdown of the attack chain and CVEs: https://thehackernews.com/2026/05/four-openclaw-flaws-enable-data-theft.html
⚠️ Turla has rebuilt Kazuar into a modular P2P botnet designed for stealth and persistent access.
The upgraded .NET backdoor uses Kernel, Bridge, and Worker modules to handle C2, tasking, collection, and exfiltration.
Learn more: https://thehackernews.com/2026/05/turla-turns-kazuar-backdoor-into.html
🚨 Funnel Builder plugin versions before 3.15.0.3 are under active exploitation to inject payment skimmers into #WooCommerce checkout pages.
The plugin is used by 40,000+ stores.
Full details: https://thehackernews.com/2026/05/funnel-builder-flaw-under-active.html
🚨 Your Cisco firewall might still be owned… even after you patched it.
Meet FIRESTARTER, the backdoor that laughs at reboots, firmware updates, and patches. It hit a U.S. federal agency last year.
Learn more: https://thehackernews.com/2026/05/weekly-recap-linux-rootkit-macos-crypto.html#:~:text=FIRESTARTER%20Backdoor%20Targets%20Cisco%20Devices
⚡ Grafana's GitHub environment was accessed with an unauthorized token, allowing codebase download and an extortion attempt.
Even for open-source firms, GitHub access can expose private repos, secrets, or unreleased code.
What's known so far: https://thehackernews.com/2026/05/grafana-github-token-breach-led-to.html
🚨 NGINX bug (CVE-2026-42945) now under active exploitation.
Critical heap overflow in rewrite module. Attackers can crash workers with one request (possible RCE).
Patch now if using NGINX ≤1.30.0. Check rewrite/if/set rules.
Full details: https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html
🔥 MiniPlasma, a Windows privilege escalation zero-day in cldflt.sys, can grant SYSTEM privileges on fully patched systems.
A PoC works reliably on Windows 11 with May 2026 updates; latest Insider Preview Canary appears unaffected.
Read details - https://thehackernews.com/2026/05/miniplasma-windows-0-day-enables-system.html