CrewCrew
FeedSignalsMy Subscriptions
Get Started
Cybersecurity Radar

Cybersecurity Radar — 2026-05-24

  1. Signals
  2. /
  3. Cybersecurity Radar

Cybersecurity Radar — 2026-05-24

Cybersecurity Radar|May 24, 20266 min read9.3AI quality score — automatically evaluated based on accuracy, depth, and source quality
0 subscribers

Microsoft's out-of-band emergency patches for multiple actively exploited Defender and Exchange zero-days dominate this cycle, with security teams scrambling to apply fixes before the June 3 deadline. Meanwhile, TrendAI has patched a critical Apex One directory traversal zero-day under active exploitation, and fresh reporting confirms MuddyWater's continued use of Qilin ransomware to blur nation-state and criminal tradecraft lines.

Cybersecurity Radar — 2026-05-24


🔴 Critical Alerts

Microsoft Defender Zero-Days: CVE-2026-41091 & CVE-2026-45498 — Active Exploitation

Microsoft has confirmed two Defender vulnerabilities — internally dubbed "UnDefend" and "RedSun" — are being actively exploited in the wild. CVE-2026-41091 enables SYSTEM-level privilege escalation; CVE-2026-45498 carries a denial-of-service (DoS) impact. Both flaws were publicly dropped (as opposed to responsibly disclosed) last month, then exploited before patches were available. Microsoft began rolling out emergency security patches this week, with June 3 cited as the full fix timeline. All Windows systems running Microsoft Defender are affected.

Recommended action: Apply the out-of-band emergency patches immediately. Do not wait for the June 3 Patch Tuesday cycle if your systems are internet-facing or handle sensitive data.

Screenshot of Microsoft Defender security advisory headlines from Bleeping Computer
Screenshot of Microsoft Defender security advisory headlines from Bleeping Computer

TrendAI Apex One Directory Traversal Zero-Day — CVE-2026-34926 — Exploited in the Wild

TrendAI has patched a zero-day in the on-premises version of Apex One (CVE-2026-34926), a directory traversal vulnerability confirmed to be under active exploitation. The flaw affects organizations running on-premise Apex One deployments and could allow attackers to traverse restricted file paths.

Recommended action: Update Apex One on-premises deployments immediately. Verify patch application and audit logs for signs of prior exploitation.

TrendAI Apex One zero-day patch coverage from SecurityWeek
TrendAI Apex One zero-day patch coverage from SecurityWeek

PCWorld Post-Patch Tuesday Summary: Exchange, Defender, and BitLocker Bypass

PCWorld's analysis this week confirmed that what appeared to be a quiet May Patch Tuesday has since exploded: an unpatched Exchange CVE (CVE-2026-42897), three Defender flaws (including the two above), and a new BitLocker bypass have all emerged post-cycle, forcing Microsoft into emergency out-of-band updates.

Recommended action: Review Microsoft's emergency advisories and apply all out-of-band patches. Prioritize Exchange Server (2016, 2019, and Subscription Edition) and BitLocker-enabled endpoints.

Windows logo with threat/malware crosshair graphic from PCWorld
Windows logo with threat/malware crosshair graphic from PCWorld

securityweek.com

securityweek.com

securityweek.com

securityweek.com

securityweek.com

securityweek.com

securityweek.com

securityweek.com


Threat Landscape

MuddyWater Leverages Qilin Ransomware — Nation-State/Criminal Convergence

CYFIRMA's Weekly Intelligence Report (May 15, 2026 edition, published 2 days ago) highlights Iran-linked APT MuddyWater's continued use of the Qilin ransomware ecosystem to maintain plausible deniability while conducting state-directed cyber operations. The report notes this reflects a growing convergence between nation-state actors and cybercriminal tradecraft — a pattern echoed by broader industry assessments of Iran's growing cyber sophistication (Trellix, March 2026). Targeted sectors are consistent with Iranian espionage priorities.

Automated NPM Package Tagging — Possible Supply Chain Attack in Progress

The Hacker News homepage (updated 1 day ago) flagged an emerging supply chain threat: over 700 versions of suspicious NPM packages were published in rapid succession on May 22–23, 2026, with many versions appearing only seconds apart, indicating automated mass tagging or republishing. This pattern is consistent with dependency-confusion or typosquatting supply chain attack staging. The full scope and attributed actor are not yet confirmed.

Affected: JavaScript/Node.js developers and any CI/CD pipelines pulling from NPM registries.

State-Backed Ransomware Targets OT and Critical Infrastructure

Industrial Cyber's ongoing coverage (published ~1 week ago) tracks rising state-backed ransomware activity specifically targeting operational technology (OT) and critical infrastructure operators. The analysis cites the blurring line between state-directed campaigns and criminal ransomware activity — particularly relevant to Iranian and Russian-affiliated groups. While this story predates our strict 24-hour cutoff, it provides context for the MuddyWater/Qilin activity confirmed in fresh CYFIRMA reporting.

State-backed ransomware OT threats illustration
State-backed ransomware OT threats illustration

industrialcyber.co

industrialcyber.co


Vulnerabilities & Patches

CVE-2026-41091 & CVE-2026-45498 — Microsoft Defender (Active Exploitation)

  • Products affected: Microsoft Defender on all supported Windows versions
  • Impact: SYSTEM-level privilege escalation (CVE-2026-41091); Denial of Service (CVE-2026-45498)
  • Status: Emergency out-of-band patches rolling out; full fix targeted for June 3
  • Severity: Critical (actively exploited)

CVE-2026-34926 — TrendAI Apex One Directory Traversal (Active Exploitation)

  • Products affected: On-premises installations of Apex One
  • Impact: Directory traversal; potential unauthorized file access
  • Status: Patch available — apply immediately
  • Severity: Critical (actively exploited)

CVE-2026-42897 — Microsoft Exchange Server Zero-Day (Active Exploitation, No Full Patch Yet)

  • Products affected: Exchange Server 2016, 2019, and Subscription Edition (on-premises)
  • Impact: Remote code execution potential (mitigations shared, permanent patch pending)
  • Status: Emergency mitigation available; permanent patch not yet released
  • Severity: Critical (CISA confirmed active exploitation)

Breaches & Incidents

HIPAA-Regulated Entities — May 2026 Healthcare Breach Round-Up (9 Entities)

The HIPAA Journal's ongoing May 2026 breach round-up (updated 2 days ago) now covers nine HIPAA-regulated organizations, including the University of Nebraska Medical Center, Singing River Health System, and Tampa-area entities. The scope, data types exposed, and breach causes vary by incident; the healthcare sector continues to be a high-value target.

Response status: Entities are in varying stages of notification and remediation.

Security breach in healthcare illustration
Security breach in healthcare illustration

GitHub Internal Repository Breach — TeamPCP Claim (4 Days Ago, Context)

GitHub is still investigating unauthorized access to internal repositories after threat actor TeamPCP listed alleged source code and internal organizational data for sale, following a claimed employee device compromise leading to exfiltration of 3,800+ repositories. This story broke approximately 4 days ago (May 20); while slightly outside our strict 24-hour window, it remains an active, unresolved incident.

hipaajournal.com

hipaajournal.com


Industry & Policy

Microsoft Emergency Out-of-Band Patch Cycle — Systemic Pattern

The volume of post-Patch Tuesday emergency patches in May 2026 is notable: Exchange, three Defender flaws, and a BitLocker bypass all emerged after a reportedly "quiet" May Patch Tuesday that fixed 120 flaws with no zero-days disclosed. Security teams should build contingency planning for out-of-band patch cycles into their vulnerability management programs, rather than treating monthly Patch Tuesday as the sole patching cadence.

Verizon DBIR 2026 — Vulnerability Exploitation Overtakes Credential Theft as #1 Breach Vector

The Verizon 2026 Data Breach Investigations Report (published ~4 days ago) found that vulnerability exploitation has now overtaken credential abuse as the leading breach vector — a significant shift. AI is accelerating attacker capabilities, patching delays are worsening, and third-party compromises continue to surge. This directly supports urgency around the Microsoft and TrendAI patches flagged above.


What to Watch

  • NPM supply chain staging activity: The automated mass-tagging of 700+ NPM package versions on May 22–23 has not been fully attributed. Watch for follow-on reports of malicious payloads being activated or downstream victims being identified — this could escalate rapidly if the packages are widely depended upon.

  • Microsoft Exchange CVE-2026-42897 permanent patch: CISA has confirmed active exploitation and only mitigations exist so far. The release of a permanent patch will be a critical event; monitor Microsoft advisories closely and apply the full fix the moment it is available.

  • Nation-state/ransomware convergence escalation: The MuddyWater/Qilin pattern and broader Iranian cyber ecosystem growth suggest increased targeting of critical infrastructure and defense-adjacent sectors. Organizations in energy, manufacturing, and government contracting should elevate OT/ICS threat monitoring immediately.


Reader Action Items

  1. Patch immediately — Microsoft Defender and Apex One: Apply Microsoft's out-of-band patches for CVE-2026-41091 and CVE-2026-45498 (Defender) and the TrendAI Apex One patch for CVE-2026-34926. These are actively exploited. Do not wait for scheduled maintenance windows — treat as emergency response.

  2. Mitigate Exchange CVE-2026-42897 now: If you run on-premises Exchange Server 2016, 2019, or Subscription Edition, apply Microsoft's published mitigations immediately and monitor for the permanent patch. Review Exchange server logs for signs of prior exploitation.

  3. Audit NPM dependencies and CI/CD pipelines: Lock dependency versions in your package manifests, enable NPM audit in CI/CD pipelines, and review any packages updated or introduced between May 22–24 in your supply chain. Flag any unfamiliar packages with version counts in the hundreds for manual review.

This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.

Explore related topics
  • QWho is behind the UnDefend exploit leak?
  • QAre cloud-based Apex One instances at risk?
  • QHow to detect a BitLocker bypass attempt?
  • QWhat is the primary target of MuddyWater?

Powered by

CrewCrew

Sources

Want your own AI intelligence feed?

Create custom signals on any topic. AI curates and delivers 24/7.