Cybersecurity Radar — 2026-05-23
Microsoft has patched two actively exploited Windows Defender zero-days (dubbed "UnDefend" and "RedSun") via emergency out-of-band updates, with CISA confirming active exploitation in the wild. Separately, TrendAI has rushed a patch for a directory traversal zero-day (CVE-2026-34926) in its Apex One endpoint protection platform being exploited in the wild. Meanwhile, nine HIPAA-regulated healthcare entities disclosed data breaches in May, and a long-dormant Linux kernel vulnerability (CVE-2026-46333) dating back nine years has been publicly disclosed, affecting Debian, Fedora, and Ubuntu.
🔴 Critical Alerts
Microsoft Defender Zero-Days Patched via Emergency Update (UnDefend & RedSun)
Microsoft has released emergency out-of-band security updates for two actively exploited Windows Defender zero-day vulnerabilities, tracked under the names "UnDefend" and "RedSun." Both flaws were publicly disclosed last month and have been exploited in the wild since; CISA has issued a warning confirming active exploitation. The patches began rolling out within the past 48 hours. Any Windows system running Defender should receive the fix through automatic updates, but enterprise environments should verify patch status manually rather than assume it has landed.

Recommended Action: Verify that Defender is fully updated on every endpoint. Check Windows Update history for the emergency out-of-band package, and, because the Defender antimalware platform and engine are versioned separately from the Windows build, also compare the installed platform and engine versions (for example, via Get-MpComputerStatus in PowerShell) against the versions Microsoft's advisory lists as fixed. Prioritize endpoints that have not auto-updated.
TrendAI Apex One Zero-Day Exploited in the Wild (CVE-2026-34926)
TrendAI has patched a critical directory traversal vulnerability in the on-premise version of its Apex One endpoint security platform, tracked as CVE-2026-34926; the flaw was being exploited before the patch was released. Organizations running Apex One on-premise are at highest risk and should apply the patch immediately. Cloud-hosted deployments should confirm with the vendor that the hosted service has been updated.

Recommended Action: Apply the CVE-2026-34926 patch for Apex One on-premise immediately. Audit the management console's web server logs for traversal sequences (../, ..\, and percent-encoded variants such as %2e%2e/ or double-encoded %252e%252e/), in the request path and in query parameters alike, and treat any such request that was answered with a 2xx status as a possible compromise rather than a blocked probe. Check with TrendAI if running cloud/managed versions.
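The log audit above is easy to get wrong by grepping for a literal "../": scanners routinely percent-encode, double-encode, or use backslashes, and the payload is often in a query parameter rather than the path. The following is an added example, not code from TrendAI or from the original page: it decodes each request target until stable, checks the path and every query value for a dot-dot segment, distinguishes traversals that actually escape the web root from ones that stay inside it, and surfaces requests that were served (2xx/3xx) first. The log lines are constructed for the example in Apache/nginx combined format and do not reproduce any real Apex One request path.

```python
import re
from urllib.parse import unquote

# Apache/nginx combined log format; the sample lines further down are constructed
# for this example and do not reproduce any real Apex One request.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

MAX_DECODE_ROUNDS = 3  # unwraps double and triple percent-encoding (%252e -> %2e -> .)


def decode_target(target: str) -> str:
    """Percent-decode until stable, then fold backslashes into '/' so that
    Windows-style ..\\ and ../ are judged the same way."""
    decoded = target
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def _query_values(query: str):
    return [kv.partition("=")[2] for kv in query.split("&") if kv]


def traversal_reason(target: str):
    """Return why a request target looks like directory traversal, or None.

    The path and every query-string value are checked separately, because
    traversal payloads are at least as common in 'file=' style parameters
    as in the path itself."""
    decoded = decode_target(target)
    if "\x00" in decoded:
        return "null byte in request target"
    path, _, query = decoded.partition("?")
    for cand in [path] + _query_values(query):
        segments = [s for s in cand.split("/") if s not in ("", ".")]
        depth = 0
        for seg in segments:
            if seg == "..":
                depth -= 1
                if depth < 0:
                    return f"escapes web root: {cand!r}"
            else:
                depth += 1
        if ".." in segments:
            # Stays inside the root, but browsers normalise '..' away before
            # sending, so seeing one server-side usually means a tool or scanner.
            return f"dot-dot segment in request: {cand!r}"
    return None


def scan_access_log(lines):
    """Parse combined-format lines and return one finding per suspicious request.
    'served' is True when the server answered below 400, i.e. the traversal may
    actually have returned a file; those are the ones to triage first."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable; a production job should count and surface these
        reason = traversal_reason(m["target"])
        if reason:
            status = int(m["status"])
            findings.append({
                "ip": m["ip"],
                "status": status,
                "served": status < 400,
                "target": m["target"],
                "reason": reason,
            })
    # served-and-escaped first, then served, then blocked probes
    return sorted(findings, key=lambda f: (not f["served"], not f["reason"].startswith("escapes")))


# Constructed sample lines (not real traffic); 198.51.100.0/24 is a documentation range.
SAMPLE_LOG = [
    '10.0.0.7 - - [22/May/2026:09:14:02 +0000] "GET /portal/static/app.js HTTP/1.1" 200 8821',
    '198.51.100.23 - - [22/May/2026:09:14:05 +0000] "GET /portal/download?file=../../../../etc/passwd HTTP/1.1" 200 1523',
    '198.51.100.23 - - [22/May/2026:09:14:06 +0000] "GET /portal/%2e%2e/%2e%2e/windows/win.ini HTTP/1.1" 404 312',
    '198.51.100.23 - - [22/May/2026:09:14:07 +0000] "GET /portal/..%255c..%255cboot.ini HTTP/1.1" 403 199',
    '10.0.0.9 - - [22/May/2026:09:15:11 +0000] "GET /portal/docs/../index.html HTTP/1.1" 200 4410',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        flag = "SERVED" if f["served"] else "blocked"
        print(f'{f["ip"]:>15} {f["status"]} {flag:8} {f["reason"]}  <- {f["target"]}')
```

Run against the constructed sample, the request that pulled ../../../../etc/passwd with a 200 sorts to the top, the double-encoded ..%255c..%255cboot.ini probe is caught only because decoding is repeated, and the in-root /docs/../index.html is reported at lower priority. Feed real console logs in through scan_access_log and review every "served" hit by hand.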
Threat Landscape
Nine-Year-Old Linux Kernel Privilege Escalation Bug Disclosed (CVE-2026-46333)
Cybersecurity researchers disclosed details of a Linux kernel vulnerability that went undetected for nine years. The flaw, tracked as CVE-2026-46333 (CVSS 5.5), involves improper privilege management and could allow an unprivileged local user to read sensitive files and execute arbitrary commands as root on default installations of Debian, Fedora, and Ubuntu. The medium CVSS score may understate the operational risk in multi-tenant or shared environments, where untrusted local users are the norm, and the wide distribution footprint makes this a significant concern for Linux infrastructure operators.
Recommended Action: Monitor for patch releases from Debian, Fedora, and Ubuntu and apply them as soon as they ship. Until then, restrict which local users can log in to sensitive systems.
State-Backed Ransomware Escalates Threats to OT and Critical Infrastructure
An analysis published this week highlights growing concern over state-affiliated ransomware groups targeting operational technology (OT) environments and critical infrastructure. A March 2026 Trellix assessment of Iranian cyber capability described increasingly sophisticated use of affiliated groups and ransomware-style operations that blur the line between state-directed campaigns and criminal activity. Separately, the Russian-speaking ransomware group Qilin was confirmed to have attacked the German political party Die Linke and is threatening to publish stolen data if a ransom is not paid, underscoring that political organizations are increasingly in the crosshairs.

Threat Actors: Qilin (Russian-speaking), Iranian state-affiliated groups
Targeted Sectors: Critical infrastructure, OT environments, political organizations, defense contractors
Kaspersky 2026 Ransomware Report: EDR Killers and Quantum Threats
Kaspersky's newly released State of Ransomware 2026 report highlights the rise of "EDR killers," tools designed to disable endpoint detection and response software before the ransomware payload is deployed. The report also flags emerging post-quantum threats as a future risk vector for ransomware operations. Ransomware groups are actively evolving their TTPs to evade modern defenses.

Ukrainian Teen Identified in California Infostealer Operation
Ukrainian cyberpolice, operating in conjunction with U.S. law enforcement, identified an 18-year-old man from Odesa suspected of running an infostealer malware operation targeting users of an online store based in California. The suspect used infostealer malware to harvest user credentials from the e-commerce platform. The joint operation highlights continued international cooperation on cybercrime enforcement targeting financially motivated threat actors.
Vulnerabilities & Patches
Microsoft Defender Zero-Days: UnDefend & RedSun
Microsoft confirmed and patched two Defender zero-days, "UnDefend" and "RedSun," which were publicly disclosed last month and have since been actively exploited. Emergency patches are now rolling out. No CVE IDs were published in available sources; the affected product is Windows Defender across modern Windows versions.
CVE-2026-34926 — TrendAI Apex One Directory Traversal (Actively Exploited)
A directory traversal flaw in the on-premise version of TrendAI Apex One, tracked as CVE-2026-34926, was being exploited in the wild before a patch was available. Organizations relying on Apex One for endpoint protection should treat this as a critical-priority update.
CVE-2026-46333 — Nine-Year-Old Linux Kernel Privilege Escalation (CVSS 5.5)
A newly disclosed Linux kernel vulnerability, undetected for nine years, allows unprivileged local users to read sensitive files and execute commands as root. Affected distributions include Debian, Fedora, and Ubuntu on default installations. Patches are expected from the distributors; monitor vendor security advisories closely.
Post-May Patch Tuesday: Microsoft's Unplanned Patch Wave
Despite a relatively quiet May 2026 Patch Tuesday (120 flaws, no zero-days disclosed), Microsoft has since been forced to issue multiple emergency updates: an Exchange flaw (CVE-2026-42897) that Patch Tuesday had not covered, three Defender flaws (including UnDefend and RedSun), and a BitLocker bypass (CVE-2026-45585, CVSS 6.8). The post-Patch Tuesday wave underscores the importance of monitoring for out-of-band Microsoft security updates rather than relying on the monthly cycle alone.

Breaches & Incidents
Nine HIPAA-Regulated Entities Report Data Breaches in May 2026
A May 2026 round-up from HIPAA Journal confirms data breaches affecting at least nine HIPAA-regulated healthcare entities, including the University of Nebraska Medical Center, Singing River Health System, and Tampa-area organizations. Healthcare continues to be a top-targeted sector for ransomware and data theft. Response status and scope vary by entity; affected patients should expect notification letters. Organizations in the healthcare sector should review their incident response preparedness and third-party vendor risk posture.

GitHub Investigating TeamPCP Breach Claim: 3,800+ Internal Repos Allegedly Exfiltrated
GitHub is investigating claims of unauthorized access to internal repositories after the threat actor group "TeamPCP" listed alleged source code and internal organizational data for sale. TeamPCP claims to have exfiltrated over 3,800 internal GitHub repositories via a compromised employee device. GitHub has not confirmed the scope of the incident as of the latest reporting. Developers using GitHub Enterprise or accessing internal GitHub infrastructure should monitor for anomalous access and review credential hygiene.

Industry & Policy
ShinyHunters Linked to Escalating Instructure/Canvas Platform Attacks
KrebsOnSecurity reports new details suggesting the May 2026 breach of Instructure's environment — affecting the widely used Canvas LMS platform — appears to be a planned escalation of an attack pattern that threat actor ShinyHunters had been working on for at least eight months prior. A previous incident at Penn was initially treated as an isolated case; the May 2026 events now indicate a sustained, multi-institution campaign targeting Instructure's environment. Educational institutions using Canvas should immediately review access logs and credential exposure.
Law Enforcement Takes Down Ukrainian Infostealer Operator
As noted in the Threat Landscape section, U.S. and Ukrainian law enforcement jointly identified and moved against an 18-year-old infostealer operator from Odesa, Ukraine, targeting a California-based online retailer. The case reflects ongoing law enforcement coordination across jurisdictions to pursue financially motivated cybercriminals, even relatively low-level operators.
What to Watch
- Linux kernel CVE-2026-46333 patches: Watch for official patch releases from Debian, Fedora, and Ubuntu — the nine-year-old privilege escalation flaw affects default configurations and will require prompt patching across Linux infrastructure once fixes are available.
- GitHub breach scope expansion: The TeamPCP incident is still under investigation; if confirmed at the claimed scale (3,800+ repos), it could expose sensitive code dependencies and secrets across the developer ecosystem. Expect further disclosures.
- State-backed ransomware targeting OT/ICS: The blurring of nation-state and criminal ransomware activity — particularly from Iranian and Russian-affiliated groups — signals a growing threat to industrial control systems and critical infrastructure operators in 2026. Energy, utilities, and defense contractors should increase OT monitoring posture.
Reader Action Items
- Patch Defender and Apex One immediately: Apply Microsoft's emergency out-of-band patches for the UnDefend and RedSun Defender zero-days. If running TrendAI Apex One on-premise, apply the CVE-2026-34926 patch without delay; both are under active exploitation.
- Audit Linux environments for CVE-2026-46333 exposure: Identify all Debian, Fedora, and Ubuntu systems in your environment and monitor vendor advisory channels. Implement least-privilege controls and restrict local user access to sensitive systems until patches are confirmed applied.
- Review GitHub access credentials and developer secrets: In response to the TeamPCP/GitHub incident, rotate any GitHub personal access tokens, review repository access permissions, and scan codebases, including full git history rather than just the current tree, for accidentally committed secrets or credentials using tools like GitGuardian or GitHub's built-in secret scanning. Treat any credential found in history as exposed and rotate it; rewriting history afterwards does not undo the exposure.
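For teams that want a first pass before (or alongside) GitHub's built-in secret scanning, here is an added example of such a history scan; it is not code from GitHub, GitGuardian, or the original page. It walks `git log -p` output, looks only at added lines, matches GitHub's published token shapes (ghp_/gho_/ghu_/ghs_/ghr_ plus 36 characters, and github_pat_ fine-grained tokens) and the AWS access key ID shape, and uses a Shannon-entropy threshold on generic password= and api_key= assignments to filter placeholders. The diff text, the ghp_ value (just the alphabet) and the AKIAIOSFODNN7EXAMPLE key (AWS's own documentation placeholder) are constructed for the example; the entropy threshold of 3.5 bits per character is an assumed, tunable value.

```python
import math
import re
import subprocess
from collections import Counter
from typing import NamedTuple

# Token shapes safe to match on syntax alone. The GitHub prefixes and lengths are
# GitHub's published formats (gh?_ plus 36 characters; fine-grained tokens are
# github_pat_, 22 characters, '_', 59 characters); AKIA/ASIA is the AWS key ID shape.
PATTERNS = {
    "github_token_classic": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github_token_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----"),
}

# Catch-all for "password=..." style assignments; the value is only reported when it
# is long and high-entropy, which filters placeholders such as 'changeme' or 'aaaa...'.
GENERIC_ASSIGN = re.compile(
    r"(?i)(?:secret|token|password|passwd|api[_-]?key)\w*\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # assumed cut-off in bits per character; random keys sit well above it


class Finding(NamedTuple):
    commit: str
    path: str
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_diff_text(diff_text: str):
    """Walk `git log -p` output and report secrets on added ('+') lines only,
    tagged with the commit and file that introduced them."""
    findings = []
    commit = path = None
    for raw in diff_text.splitlines():
        if raw.startswith("commit "):
            commit = raw.split()[1]
        elif raw.startswith("+++ "):
            path = raw[4:]
            if path.startswith("b/"):
                path = path[2:]
        elif raw.startswith("+") and not raw.startswith("+++"):
            added = raw[1:]
            hit = False
            for kind, pat in PATTERNS.items():
                for m in pat.finditer(added):
                    findings.append(Finding(commit, path, kind, m.group(0)))
                    hit = True
            if not hit:  # only fall back to the generic rule when no known shape matched
                m = GENERIC_ASSIGN.search(added)
                if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(commit, path, "high_entropy_assignment", m.group(1)))
    return findings


def scan_git_history(repo_path: str = "."):
    """Scan every commit on every branch. Anything found here must be rotated:
    rewriting history later does not un-expose a credential that was pushed."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--no-color", "--unified=0"],
        check=True, capture_output=True, text=True, errors="replace",
    ).stdout
    return scan_diff_text(out)


# Constructed `git log -p` excerpt. The ghp_ value is the alphabet, not a real token,
# and AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS's own documentation.
SAMPLE_DIFF = """\
commit 0123456789abcdef0123456789abcdef01234567
Author: Dev <dev@example.com>

diff --git a/deploy.env b/deploy.env
--- /dev/null
+++ b/deploy.env
@@ -0,0 +1,4 @@
+GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+DB_PASSWORD=x7Q9v2LpR4sT8wYb3NmK6jHd
+API_KEY=aaaaaaaaaaaaaaaaaaaaaaaa
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,0 +2 @@
+Set GITHUB_TOKEN in your environment before running deploy.sh.
"""

if __name__ == "__main__":
    for f in scan_diff_text(SAMPLE_DIFF):
        print(f"{f.commit[:12]} {f.path}: {f.kind} -> {f.value[:8]}...")
```

On the constructed excerpt the scanner reports three findings in deploy.env (the classic token, the AWS key ID and the high-entropy DB_PASSWORD) and ignores both the all-'a' API_KEY and the README sentence that merely mentions GITHUB_TOKEN. Run scan_git_history("/path/to/repo") against a real checkout; because it reads every branch, it will also surface secrets that were "deleted" in a later commit, which is exactly the set that still needs rotating.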
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.