Cybersecurity Radar — 2026-05-13
Microsoft's May 2026 Patch Tuesday dropped 120+ CVE fixes with no zero-days — a notable first since June 2024 — making it a critical window for organizations to deploy updates. Meanwhile, education platform giant Instructure reportedly reached a ransom settlement with ShinyHunters to suppress the leak of 3.65TB of stolen Canvas data, and Kaspersky's latest research reveals ransomware actors are increasingly pivoting from encryption to pure data theft and EDR-killing tactics.
🔴 Critical Alerts
Microsoft May 2026 Patch Tuesday: 120+ CVEs, No Active Exploits
Microsoft released security updates addressing over 120 CVE-numbered vulnerabilities on May 12, 2026 — and for the first time since June 2024, none are being actively exploited in the wild. SC World reports the update includes four Remote Code Execution vulnerabilities in Microsoft Word. While the absence of zero-days is welcome news, the volume and breadth of patches — including RCE flaws — means this update demands urgent deployment.
- Affected products: Windows, Microsoft Word, and a wide range of Microsoft services
- Severity: Multiple Critical-rated RCEs included
- Action: Apply all May 2026 Patch Tuesday updates immediately. Prioritize Word RCE patches for organizations with document-heavy workflows.

Exim MTA "Dead.Letter" Vulnerability (CVE-2026-45185) Under Active Discussion
The Hacker News flagged a critical use-after-free vulnerability — tracked as CVE-2026-45185, nicknamed "Dead.Letter" — in the widely-used Exim mail transfer agent. The flaw affects Exim's binary data transmission (BDAT) message body parsing when a TLS connection is handled by GnuTLS. Exim is used globally by millions of mail servers on Unix-like systems.
- Affected: Exim MTA deployments using GnuTLS for TLS handling
- Severity: Critical (use-after-free, remote exploitation potential)
- Action: Monitor for vendor patches, apply mitigations immediately when available. Review Exim exposure in your mail infrastructure.
Threat Landscape
Kaspersky: Ransomware Groups Shift to Data Theft, Deploy EDR Killers
Kaspersky researchers published fresh analysis on May 12, 2026 outlining the major ransomware trends shaping 2026. Key findings include a marked rise in EDR killer tooling — malware specifically designed to disable endpoint detection and response products before deploying ransomware. Perhaps more significantly, threat actors are increasingly abandoning encryption in favor of pure data exfiltration and extortion, lowering operational risk while maintaining leverage over victims. The report flags healthcare, manufacturing, and legal sectors as primary targets.
- TTPs: EDR killers, data-only exfiltration, double extortion
- Sectors targeted: Healthcare, manufacturing, legal/professional services

Check Point: 2,122 Ransomware Victims Listed in Q1 2026 Across 70+ Leak Sites
Check Point Research's Q1 2026 ransomware report — published within the past 48 hours — documented 2,122 new victims listed across more than 70 active data leak sites in the first quarter alone. While this represents a 12.2% decline from Q4 2025's all-time record of 2,416, it reflects a consolidation trend: fewer, larger groups causing higher per-victim impact. The data points to an elevated "new normal" in ransomware volume.
- Notable trend: Consolidation among major groups, fewer but more capable actors
- Sectors targeted: Broadly cross-sector, with manufacturing and critical infrastructure prominent

ShinyHunters Extorts Instructure Over 275 Million Canvas Records
The threat actor group ShinyHunters stole 3.65TB of data — reportedly covering 275 million Canvas user records — from Instructure, the company behind the widely-used Canvas learning management system. The Hacker News reported on May 12 that Instructure reached a ransom agreement with ShinyHunters to prevent a wider public leak. The breach affects students and educators across universities and K-12 institutions globally.
- Threat actor: ShinyHunters
- Victim: Instructure (Canvas LMS)
- Data exposed: Personal records for an estimated 275 million users
- Status: Ransom reportedly paid; full scope of exposure under investigation

Vulnerabilities & Patches
Microsoft Word RCEs (May 2026 Patch Tuesday)
Among the 120+ CVEs addressed in Microsoft's May 2026 Patch Tuesday, four Remote Code Execution vulnerabilities in Microsoft Word stand out as particularly high-risk. Successful exploitation could allow an attacker to run arbitrary code on a victim's machine simply by opening a malicious document — a classic and effective phishing vector.
- Affected: Microsoft Word (multiple versions)
- Risk: High — RCE via malicious documents
- Action: Patch immediately; consider disabling macro execution and enabling Protected View for untrusted documents.
Zero Day Initiative: May 2026 Patch Tuesday Security Review
The Zero Day Initiative published its May 2026 Patch Tuesday review on May 12, 2026, confirming that while the scale of patches is large, nothing is currently listed as being exploited in the wild. ZDI noted the update is "another big one," urging security teams to prioritize review and deployment.
- Key note: 120+ CVEs, no in-the-wild exploitation confirmed at time of publishing
- Action: Follow ZDI's analysis to prioritize which CVEs carry the highest exploitation likelihood.

Exim CVE-2026-45185 ("Dead.Letter") — Use-After-Free in TLS Mail Parsing
CVE-2026-45185 is a use-after-free flaw in Exim's BDAT message body parsing path when GnuTLS handles the TLS connection. Given Exim's ubiquity as a mail server backbone across Linux environments, this vulnerability has broad potential impact if weaponized.
- CVE: CVE-2026-45185
- Affected: Exim MTA with GnuTLS
- Type: Use-after-free, potential remote exploitation
- Action: Monitor Exim advisories, restrict internet-facing exposure, patch immediately upon release.
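
One way to run the exposure review suggested above, as an added example (not code from Exim or from the sources cited here): it reads `exim -bV` output to see whether the build links GnuTLS, and an EHLO response to see whether CHUNKING, the SMTP extension that defines BDAT, is advertised. Function names and result labels are hypothetical, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: triage one host for the configuration listed as affected
# (Exim built against GnuTLS) and for whether it advertises CHUNKING (BDAT).
# Function names and result labels are hypothetical; samples are constructed.

# Reads `exim -bV` output on stdin; prints gnutls, openssl or none.
tls_library() {
    support=$(grep -m1 '^Support for:' || true)
    case "$support" in
        *GnuTLS*)  echo gnutls ;;
        *OpenSSL*) echo openssl ;;
        *)         echo none ;;
    esac
}

# Reads an EHLO response on stdin; succeeds if CHUNKING is advertised.
advertises_chunking() {
    tr -d '\r' | grep -Eiq '^250[- ]CHUNKING$'
}

# $1 = `exim -bV` text, $2 = EHLO response text captured from the listener.
exposure() {
    if [ "$(printf '%s\n' "$1" | tls_library)" != gnutls ]; then
        echo out-of-scope
    elif printf '%s\n' "$2" | advertises_chunking; then
        echo gnutls+chunking
    else
        echo gnutls
    fi
}

# Constructed samples (version strings are placeholders, not real releases).
SAMPLE_BV_GNUTLS='Exim version N.NN #1 built (constructed sample)
Support for: crypteq iconv() IPv6 GnuTLS DANE DKIM DNSSEC Event OCSP PRDR
Lookups (built-in): lsearch wildlsearch dbm dnsdb'
SAMPLE_BV_OPENSSL='Exim version N.NN #1 built (constructed sample)
Support for: crypteq iconv() IPv6 OpenSSL DANE DKIM DNSSEC Event OCSP PRDR'
SAMPLE_EHLO='250-mail.example.test Hello client.example.test [192.0.2.10]
250-SIZE 52428800
250-PIPELINING
250-CHUNKING
250-STARTTLS
250 HELP'

echo "gnutls build:  $(exposure "$SAMPLE_BV_GNUTLS" "$SAMPLE_EHLO")"
echo "openssl build: $(exposure "$SAMPLE_BV_OPENSSL" "$SAMPLE_EHLO")"
# On a real host: exposure "$(exim -bV 2>/dev/null)" "$(cat ehlo-capture.txt)"
```

The result is configuration triage for ordering patch work across a fleet; it does not test for the flaw itself.
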
Breaches & Incidents
Instructure (Canvas) Ransom Settlement — 275 Million Records at Stake
In a development confirmed May 12, 2026, Instructure — parent company of the Canvas learning management platform — reportedly paid a ransom to the ShinyHunters group after the attackers exfiltrated 3.65TB of data containing personal records for approximately 275 million users. The ransom agreement was reached to prevent public release of the data. The breach affects students, faculty, and staff across thousands of educational institutions globally.
- Scope: ~275 million user records, 3.65TB of data
- Response: Ransom paid per reporting; investigation ongoing
- Impact: Potential exposure of names, emails, institutional credentials, and other personal data for students worldwide
Silent Ransomware Group Breaches Law Firm Orrick, Herrington & Sutcliffe
BlackFog's running State of Ransomware 2026 tracker — updated within the past week — documents that the Silent ransomware group breached international law firm Orrick, Herrington & Sutcliffe. The attack reportedly occurred in January 2026, with attackers maintaining access to the firm's network for several days before detection. Law firms remain high-value targets due to the sensitive client and financial data they hold.
- Threat actor: Silent ransomware group
- Victim: Orrick, Herrington & Sutcliffe (international law firm)
- Status: Breach confirmed; response details limited
Industry & Policy
CISA Advisory Page — Monitor for Fresh Guidance
CISA's Cybersecurity Alerts & Advisories page was active as of May 13, 2026. Given the volume of May Patch Tuesday releases, organizations should check the CISA KEV (Known Exploited Vulnerabilities) catalog for any new additions following today's disclosures. Screenshot-based extraction from the live page may be incomplete — verify directly.
Kaspersky Publishes 2026 Ransomware Trend Analysis
Kaspersky's Securelist team published a detailed state-of-ransomware report on May 12, 2026 — directly relevant to security teams assessing their defensive posture. The report highlights the rising role of EDR-killing malware as a precursor to ransomware deployment, and the structural shift away from encryption-based ransomware toward data-theft-only extortion. This has significant implications for detection strategies that rely on file encryption behavior as the primary ransomware signal.
- Implication: Organizations relying on encryption-detection triggers may miss "data-theft only" ransomware attacks
- Recommendation: Invest in data loss prevention (DLP) and behavioral analytics alongside traditional ransomware detection
Pwn2Own Berlin Underway — New Vulnerabilities Expected
Zero Day Initiative's May 2026 Patch Tuesday review noted that ZDI staff are currently in Berlin for Pwn2Own Berlin — a major vulnerability research competition. New vulnerability discoveries from this event often lead to coordinated disclosure and subsequent patches. Watch for follow-on CVE disclosures in the coming days.
What to Watch
- Post-Pwn2Own disclosure wave: With ZDI staff on-site at Pwn2Own Berlin, expect a fresh batch of vulnerability disclosures and coordinated patches from major vendors (browsers, OS, hypervisors) in the days ahead. Security teams should prepare for an accelerated patch cycle.
- Exim CVE-2026-45185 exploitation risk: The "Dead.Letter" use-after-free flaw in Exim's TLS mail parsing path has not yet been patched. As proof-of-concept code potentially circulates in researcher communities, the window before active exploitation may be short. Monitor mail server exposure urgently.
- Education sector targeting escalates: The Instructure/Canvas breach — 275 million records from a single platform — signals that education remains a high-value, low-resistance target for sophisticated threat actors like ShinyHunters. Expect copycat campaigns against other EdTech platforms holding large student databases.
Reader Action Items
- Deploy May Patch Tuesday updates now. With 120+ CVEs patched — including four Word RCEs — prioritize patching Microsoft Office and Windows systems across your environment. Use CISA's KEV catalog to track any newly added entries following today's patch release.
- Audit your Exim and mail server exposure. CVE-2026-45185 ("Dead.Letter") has no patch yet. Identify all internet-facing Exim deployments in your infrastructure, restrict unnecessary exposure, and subscribe to Exim security advisories so you can patch within hours of a fix landing.
- Review EDR coverage and data exfiltration detection. Kaspersky's 2026 ransomware report confirms threat actors are actively deploying tools to kill EDR products before striking — and many groups are skipping encryption entirely. Validate that your EDR solution cannot be trivially disabled, and ensure you have data loss prevention controls that can flag large-scale exfiltration independent of ransomware file behavior.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.