Cybersecurity Radar — 2026-05-09
A critical unpatched Linux kernel zero-day dubbed "Dirty Frag" has gone public with no patch available, granting attackers root access and demanding immediate mitigation from all Linux admins. Simultaneously, Ivanti is battling an actively exploited zero-day in its EPMM mobile device management platform (CVE-2026-6973), while the ShinyHunters extortion gang has struck Instructure's Canvas platform a second time, defacing login portals across hundreds of colleges and universities just weeks after a prior breach claimed to expose 275 million records.
🔴 Critical Alerts
"Dirty Frag" Linux Kernel Zero-Day — No Patch, Root Access Exposed
A critical Linux kernel zero-day vulnerability, nicknamed "Dirty Frag," has gone public after an embargo was broken — with no patch yet available. The flaw grants attackers root-level privileges, making it immediately dangerous for any organization running Linux systems. Security researchers confirmed the vulnerability is real and exploitable. Until a patch is issued, administrators should apply available workarounds, restrict privileged access, and monitor for unusual privilege escalation activity. The public disclosure without a fix dramatically raises the risk profile for all Linux deployments.
Ivanti EPMM Zero-Day Actively Exploited in Targeted Attacks (CVE-2026-6973)
Ivanti has disclosed and patched a high-severity remote code execution vulnerability in its Endpoint Manager Mobile (EPMM) solution, CVE-2026-6973, which has been exploited in zero-day attacks prior to the fix. The flaw allows an attacker with admin privileges to execute arbitrary code. Ivanti customers managing mobile endpoints are urged to apply the patch immediately. This is yet another in a string of actively exploited zero-days targeting Ivanti's product line, which has become a high-value target for threat actors probing network edge and mobile device management infrastructure.

Threat Landscape
ShinyHunters Returns: Canvas Portals Defaced Across Hundreds of Institutions
The ShinyHunters extortion gang has breached education technology giant Instructure for a second time, this time exploiting a separate vulnerability to deface Canvas LMS login portals for hundreds of colleges and universities. This follows the May 7 attack in which ShinyHunters claimed to have breached Instructure's environment and exposed 275 million people's data, forcing Canvas offline during finals week. According to Krebs on Security, the pattern now appears to be a planned escalation — ShinyHunters had been working against Instructure's environment for at least eight months prior, with an earlier breach at a university customer treated as an isolated incident. The targeting of EdTech infrastructure during high-stakes academic periods amplifies disruption.

PCPJack: New Credential Theft Framework Targeting Exposed Cloud Infrastructure
The Hacker News reports details of a newly surfaced credential theft framework called PCPJack, which targets exposed cloud infrastructure and actively removes artifacts linked to TeamPCP from compromised environments. The tool is designed for stealth, clearing forensic traces after credential harvesting to hinder detection and incident response. Organizations with internet-facing cloud management interfaces should audit for unusual access patterns and remove unnecessary public exposure of cloud control planes.
Nation-State Actors Deploying Ransomware as a Geopolitical Weapon
Analysis published within the coverage window highlights a growing trend: state-affiliated groups are deploying ransomware not for financial gain, but to paralyze operations, create geopolitical leverage, or mask intelligence collection. This "Ransomware-as-Disruption" model blurs the line between cybercrime and cyber warfare, particularly affecting defense contractors and critical infrastructure operators. Mid-market companies are increasingly in the crosshairs as softer targets with supply-chain links to more hardened organizations.
Vulnerabilities & Patches
CVE-2026-6973 — Ivanti EPMM RCE (High Severity, Actively Exploited)
- Product: Ivanti Endpoint Manager Mobile (EPMM)
- Severity: High
- Impact: Remote code execution by an authenticated attacker with admin privileges
- Status: Patch now available — apply immediately
- Exploited in targeted zero-day attacks before disclosure

"Dirty Frag" Linux Kernel Zero-Day — No CVE Assigned, No Patch Available
- Product: Linux kernel (all distributions affected pending clarification)
- Severity: Critical
- Impact: Grants attackers root-level access (local privilege escalation / RCE path)
- Status: NO PATCH — embargo broken; workarounds only
- Admins should immediately apply vendor-published workarounds, restrict access, and monitor privilege escalation events
CVE-2026-0300 — Palo Alto Networks PAN-OS RCE (Critical, Actively Exploited)
- Product: Palo Alto Networks firewalls (PAN-OS User-ID Authentication Portal)
- Severity: Critical
- Impact: Root-level remote code execution
- Status: Being actively exploited; patch advisory issued
- Organizations running affected Palo Alto firewalls should apply mitigations immediately and restrict access to the User-ID Authentication Portal

Breaches & Incidents
Instructure / Canvas: 275 Million Records Claimed, Platform Defaced Twice in 48 Hours
The ShinyHunters extortion gang's assault on Instructure — parent of Canvas LMS — has escalated into a multi-stage incident. In the first wave (May 7), a ransomware group claimed to have breached the platform and exfiltrated data on 275 million individuals, including students, teachers, and staff across the US. Canvas went offline during finals week, impacting thousands of schools. Within 24 hours, ShinyHunters struck again, defacing Canvas login portals for hundreds of colleges and universities using a separate vulnerability. Instructure has not publicly confirmed the full scope of the data exposure. Krebs on Security analysis indicates ShinyHunters had persistent access to Instructure's environment for at least eight months.
Ivanti EPMM: Zero-Day Attacks Confirmed Before Patch Release
Multiple organizations running Ivanti EPMM were compromised through CVE-2026-6973 before Ivanti issued a fix. The targeted nature of the attacks suggests prior knowledge of the vulnerability by threat actors, consistent with the pattern of sophisticated groups staging exploits against Ivanti products — a recurring theme throughout 2025–2026. Affected organizations should assume potential compromise, conduct forensic investigation, and apply the patch immediately.
Industry & Policy
CISA Advisory Page: Access Restricted
The CISA advisories page returned an access-denied response during today's research window. Readers should check directly for the latest KEV catalog updates, particularly given the active exploitation of CVE-2026-6973 and CVE-2026-0300 confirmed this cycle.
State-Affiliated Ransomware Blurs Criminal/Nation-State Line for CMMC-Regulated Organizations
Security analysts note that the distinction between nation-state attacks and criminal activity is collapsing in practice, particularly for organizations operating under compliance frameworks like CMMC. Ransomware gangs with state approval simultaneously pursue financial profit and geopolitical objectives — a dynamic seen with Russian-linked groups targeting defense contractors. This has direct policy implications: organizations that treat ransomware purely as a criminal matter may be underestimating the intelligence-gathering dimension of some attacks.
What to Watch
- Dirty Frag patch timeline: The Linux kernel community is under pressure to issue an emergency patch following the broken embargo. Watch for CVE assignment and distribution-level patches from Red Hat, Ubuntu, Debian, and others — expected within days given the severity.
- ShinyHunters escalation pattern: Krebs on Security's analysis suggests ShinyHunters had eight months of intermittent access to Instructure before this week's public escalation. Other major EdTech and SaaS providers should treat this as a warning sign and audit for long-term persistent access by unknown parties.
- Ivanti repeat exploitation cycle: CVE-2026-6973 follows a well-established pattern of Ivanti products being targeted by sophisticated threat actors immediately after — or before — disclosure. Security teams relying on any Ivanti product should be on heightened alert for additional undisclosed vulnerabilities in the same product line.
Reader Action Items
- Apply the Ivanti EPMM patch for CVE-2026-6973 now. If you run Ivanti Endpoint Manager Mobile in your environment, treat this as a P0 emergency patch. Conduct a forensic review of EPMM admin logs for signs of prior unauthorized access, as attacks were in progress before the patch was available.
- Implement Linux privilege escalation monitoring and workarounds for Dirty Frag. Until a kernel patch is released, apply the published workarounds, restrict local user permissions, and deploy endpoint detection rules targeting unusual privilege escalation activity on all Linux hosts, particularly internet-facing servers.
- If your institution uses Canvas/Instructure, audit user data exposure and notify affected parties. Given ShinyHunters' claim of 275 million records compromised, educational institutions should inventory what personal data they have in Canvas, review Instructure's breach notifications, and prepare to notify students and staff in accordance with applicable data protection regulations.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.