Cybersecurity Radar — 2026-05-28
Microsoft confirms two actively exploited Windows Defender zero-days (CVE-2026-41091 and CVE-2026-45498) with patches expected June 3, while Gitea users face an unauthenticated remote code execution vulnerability. A critical Cisco SD-WAN flaw and Windows Server 2016 domain controller failures post-patch compound the threat landscape as organizations race to remediate.
🔴 Critical Alerts

Microsoft Defender Zero-Days Under Active Exploit (CVE-2026-41091, CVE-2026-45498)
Two Windows Defender vulnerabilities are actively exploited in the wild. CVE-2026-41091 and CVE-2026-45498 both allow privilege escalation and denial-of-service attacks on affected systems. Microsoft has committed to releasing permanent fixes on June 3, 2026, but organizations must monitor for active exploitation in the interim. These vulnerabilities affect all Windows systems running the vulnerable Defender versions.
Recommended Action: Enable Windows Defender automatic updates immediately; apply patches on June 3 without delay. Review logs for abnormal Defender process activity indicating exploitation attempts.

Windows Server 2016 Domain Controller Lookup Failure Post-Patch
Microsoft has confirmed a known issue affecting Windows Server 2016 systems after installation of the May 2026 security update KB5087537. Domain controller lookups fail, preventing proper domain authentication. This regression affects organizations that have already deployed this month's patches.
Recommended Action: Test KB5087537 in isolated environments before enterprise rollout. If already deployed, assess domain controller connectivity and prepare rollback procedures. Monitor Microsoft support channels for a resolution patch.
Threat Landscape
Gitea Unauthenticated Remote Code Execution (CVE-2026-27771)
Cybersecurity researchers disclosed a critical vulnerability in Gitea, an open-source self-hosted version control platform. CVE-2026-27771 permits unauthenticated remote attackers to pull private container images from Gitea deployments without presenting any credentials. All versions prior to 1.26.2 are affected. This flaw is particularly dangerous for organizations using Gitea to host proprietary container images.
Recommended Action: Upgrade to Gitea 1.26.2 immediately if running an affected version. Audit container image access logs for suspicious image pulls from unauthenticated sources.
Cisco Catalyst SD-WAN Controller Critical Flaw (CVE-2026-20182)
Cisco warned of a critical authentication bypass vulnerability in its Catalyst SD-WAN Controller, tracked as CVE-2026-20182, that is actively exploited in zero-day attacks. The flaw allows unauthenticated attackers to gain administrative privileges on compromised devices, potentially giving them control over network routing and security policies.
Recommended Action: Apply Cisco's latest security advisory patches; restrict administrative access to SD-WAN controllers to trusted networks only; enable multi-factor authentication on all administrative accounts.
FBI Alert: Silent Ransom Group Targets Law Firms
The FBI issued an alert (May 27, 2026) warning of active Silent Ransom Group campaigns targeting law firms. This threat actor group is conducting targeted ransomware attacks against legal organizations, likely seeking high-value intellectual property and client data.
Recommended Action: Law firms should implement network segmentation separating client data from general operations; deploy EDR (Endpoint Detection and Response) solutions with behavioral analysis; conduct an immediate audit of recent file access patterns and backup integrity.
Vulnerabilities & Patches
CVE-2026-20182 — Cisco SD-WAN Controller Authentication Bypass (CVSS: Critical)
Unauthenticated remote attackers can bypass authentication on Catalyst SD-WAN Controller and gain administrative privileges. Active exploitation confirmed. Patches available from Cisco.
CVE-2026-27771 — Gitea Unauthenticated Container Image Access (CVSS: Not Assigned)
All Gitea versions before 1.26.2 allow unauthenticated remote access to private container images. Upgrade to 1.26.2 or later.
Microsoft May 2026 Patch Tuesday: 120 Flaws (No Zero-Days)
Microsoft released 120 security patches in May 2026 with no publicly disclosed zero-days, though CVE-2026-41091 and CVE-2026-45498 (Defender flaws) were already under active exploit at disclosure time. 30 patches address critical-severity issues.
Breaches & Incidents
Instructure Canvas Breach Escalation: ShinyHunters Eight-Month Campaign
Krebs on Security (May 25, 2026) reported that the May 2026 data breach of Instructure (Canvas learning platform) represents a planned escalation of an attack campaign ShinyHunters had been conducting for at least eight months. The incident was initially downplayed as Penn-specific, but evidence now shows a coordinated multi-phase attack.
Recommended Action: Instructure users should reset all authentication credentials immediately; review account access logs for unauthorized activity; check for secondary compromises via linked email and password managers.
Gitea Vulnerability Exploitation Risk
Organizations running Gitea prior to 1.26.2 with exposed instances should assume private container images may have been accessed without authorization. Conduct forensic analysis of container image pull logs and re-evaluate any secrets embedded in those images.
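As an added example that is not part of this digest or of Gitea's own code, the following script shows what the audit recommended for CVE-2026-27771 (above, and in the Threat Landscape entry) can look like in practice: it scans access-log lines from a reverse proxy in front of a Gitea container registry, keeps only successful (HTTP 200) manifest or blob GETs for images on a private-image list that were made without an authenticated user, and restricts the search to the 30-day window the action items mention. The log line layout, the private-image list and the sample lines are all constructed for the example; the OCI path shape (/v2/<owner>/<image>/manifests|blobs/<ref>) is the standard registry API layout, and a Docker-style client normally receives a 401 on its first unauthenticated request before retrying with a token, which is why an unauthenticated 200 on a private image is the anomaly worth flagging.

```python
"""Audit registry access logs for unauthenticated pulls of private container images.

Added example (not Gitea's code). The log layout is a constructed, combined-log-style
format as a reverse proxy might emit; adapt LOG_RE to the real format in front of
your registry. PRIVATE_IMAGES would normally be exported from the registry's own
package visibility settings; here it is a constructed list.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed log format: client, ident, user ("-" = unauthenticated), [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# OCI distribution API path: /v2/<name>/manifests/<ref> or /v2/<name>/blobs/<digest>;
# <name> may itself contain slashes (owner/image), so match lazily up to the kind segment.
PATH_RE = re.compile(r'^/v2/(?P<image>.+?)/(?P<kind>manifests|blobs)/(?P<ref>[^/?]+)')

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2026:10:13:59 +0000] "GET /v2/acme/internal-api/manifests/latest HTTP/1.1" 401
203.0.113.7 - - [27/May/2026:10:14:02 +0000] "GET /v2/acme/internal-api/manifests/latest HTTP/1.1" 200
203.0.113.7 - - [27/May/2026:10:14:03 +0000] "GET /v2/acme/internal-api/blobs/sha256:deadbeef HTTP/1.1" 200
198.51.100.4 - alice [27/May/2026:11:00:00 +0000] "GET /v2/acme/internal-api/manifests/v1.4 HTTP/1.1" 200
192.0.2.9 - - [26/May/2026:09:30:11 +0000] "GET /v2/acme/public-site/manifests/latest HTTP/1.1" 200
198.51.100.4 - - [01/Mar/2026:08:00:00 +0000] "GET /v2/acme/internal-api/blobs/sha256:cafe HTTP/1.1" 200
"""

# Constructed: images whose visibility is private in the registry.
PRIVATE_IMAGES = frozenset({"acme/internal-api", "acme/billing"})
# Point in time at which the audit is run (fixed so the example is reproducible).
AUDIT_TIME = datetime(2026, 5, 28, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Finding:
    client: str
    image: str
    kind: str      # "manifests" or "blobs"
    ref: str       # tag or digest requested
    when: datetime


def audit_unauthenticated_pulls(log_text: str, private_images: frozenset[str],
                                now: datetime, window_days: int = 30) -> list[Finding]:
    """Return successful, unauthenticated pulls of private images within the window."""
    cutoff = now - timedelta(days=window_days)
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # not a request line we understand
        if m["method"] not in ("GET", "HEAD"):
            continue                          # pulls are reads; pushes are a separate review
        if m["status"] != "200":
            continue                          # 401/403 means authentication was enforced
        if m["user"] != "-":
            continue                          # authenticated pull; outside this check's scope
        p = PATH_RE.match(m["path"])
        if not p or p["image"] not in private_images:
            continue                          # not a registry pull, or image is public
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if when < cutoff:
            continue                          # outside the audit window
        findings.append(Finding(m["client"], p["image"], p["kind"], p["ref"], when))
    return findings


def summarize(findings: list[Finding]) -> dict[tuple[str, str], int]:
    """Count findings per (client, image) so responders see who pulled what."""
    return dict(Counter((f.client, f.image) for f in findings))


def exposed_images(findings: list[Finding]) -> set[str]:
    """Images whose contents must be treated as disclosed (secrets rotated, etc.)."""
    return {f.image for f in findings}


if __name__ == "__main__":
    hits = audit_unauthenticated_pulls(SAMPLE_LOG, PRIVATE_IMAGES, AUDIT_TIME)
    for (client, image), n in summarize(hits).items():
        print(f"{client} pulled private image {image} without authentication: {n} request(s)")
    print("images to treat as exposed:", sorted(exposed_images(hits)))
```

On the sample data the first line (a 401) and the authenticated pull by alice are correctly ignored, the public image is skipped, the March entry falls outside the 30-day window, and the two 200 responses to the same unauthenticated client for acme/internal-api are the only findings. Every image in the exposed set should go through the secrets review the paragraph above calls for.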
Industry & Policy
Cogent Launches AI-Powered Zero Day Response Capabilities
Cogent announced (May 27, 2026) new Zero Day Response and Autonomous Remediation capabilities designed to reduce the exploit-to-remediation time window for vulnerability detection and patching. This represents industry movement toward faster incident response automation.
Nation-State vs. Criminal Ransomware Lines Blurring
SecurityWeek and Industrial Cyber report (May 2026) that state-backed ransomware activity is rising, particularly from Iranian and Russian-aligned groups pursuing both profit and geopolitical objectives. Waterfall Threat Report 2026 notes a strategic shift from high-volume ransomware toward nation-state targeting of critical infrastructure and OT (operational technology) systems.
What to Watch
- June 3 Microsoft Patch Deadline: Two active Defender zero-days (CVE-2026-41091, CVE-2026-45498) will receive permanent fixes; critical for all Windows environments
- SD-WAN Controller Hardening: Cisco CVE-2026-20182 exploitation in the wild requires immediate administrative access reviews across all network infrastructure
- Gitea Container Registry Audit: Organizations must verify no private container images were exfiltrated via CVE-2026-27771; assume compromise if running pre-1.26.2 versions with external exposure
Reader Action Items
- Patch or Isolate: Immediately update Windows Defender to current version and stage June 3 patches in test environments now; for Gitea, upgrade to 1.26.2 and audit all container image pull logs from the past 30 days for unauthorized access
- Network Segmentation Review: Verify Cisco SD-WAN Controllers are restricted to trusted administrative networks only; implement multi-factor authentication on all controller management interfaces
- Backup Integrity Check: Law firms and organizations with sensitive IP should validate backup integrity and verify backups are isolated from production networks in case ransomware campaigns target their sector
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.