Here are today’s top cybersecurity stories for Tuesday, May 26, 2026.
Netherlands Seizes 800 Stark Industries Servers, Arrests Two for Aiding Russian Cyberattacks
Dutch financial crime investigators (FIOD) arrested the co-owners of two hosting companies tied to Stark Industries Solutions and seized approximately 800 servers. Authorities allege the suspects provided infrastructure supporting Russian cyberattacks, foreign interference operations, and disinformation campaigns against EU member states, in violation of EU sanctions legislation. The arrests followed a multi-year investigation into the firms’ connections to Russian intelligence-linked activity.
Krebs on Security
Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Three Server Versions
Microsoft released an out-of-band security update for CVE-2026-45659, a remote code execution flaw in SharePoint Server carrying a CVSS score of 8.8. An authenticated attacker with Site Member permissions or higher can execute arbitrary code on the server without requiring administrator access. The patch covers SharePoint Server Subscription Edition, 2019, and 2016. No active exploitation has been reported.
The Hacker News
MuddyWater Uses DLL Side-Loading in Espionage Campaign Against 9 Organizations Across 9 Countries
Iran-linked threat group MuddyWater (Mango Sandstorm) compromised at least nine organizations across nine countries during Q1 2026, using DLL side-loading via signed Fortemedia and SentinelOne binaries to run malicious payloads while blending in with legitimate software. Targeted sectors include industrial and electronics manufacturing, education, financial services, and professional services. A major South Korean electronics manufacturer had attackers active inside its network for approximately one week in February 2026.
The Hacker News
Anthropic Silently Patches Claude Code Sandbox Bypass — Second Fix in Five Months
Security researcher Aonan Guan disclosed that every Claude Code release from version 2.0.24 through 2.1.89 contained a SOCKS5 hostname null-byte injection flaw, allowing attackers to bypass the network sandbox and exfiltrate data. Anthropic fixed the issue in version 2.1.90 on April 1, 2026, without assigning a CVE or publishing a security advisory. This is the second time in five months Anthropic has silently patched a Claude Code sandbox bypass without public disclosure.
SecurityWeek
Oncology Institute Discloses Third-Party Vendor Data Breach Exposing Patient Records
The Oncology Institute notified patients that a third-party vendor detected unauthorized access to information systems containing patient data on May 20, 2026, with Kroll administering the breach response. The incident is potentially connected to the broader TriZetto Provider Solutions compromise, which exposed over 3.4 million patient records beginning in late 2024. Potentially affected data includes names, addresses, Social Security numbers, and insurance information.
SecurityWeek
CERT-In Sets 12-Hour Patch Deadline for Internet-Exposed Systems Amid AI-Accelerated Attacks
India’s Computer Emergency Response Team published new guidance requiring organizations to patch known exploited vulnerabilities on internet-facing and high-value systems within 12 hours where feasible. The directive responds directly to the acceleration of vulnerability discovery and exploitation driven by generative AI and large language models. Secondary tiers set one-day windows for critical external flaws and three-day windows for critical internal vulnerabilities on high-value systems.
The Hacker News
Windows KB5087537 May 2026 Update Causes Domain Controller Lookup Failures on Server 2016
Microsoft confirmed a known issue where the May 2026 security update KB5087537 triggers domain controller lookup failures on Windows Server 2016 systems, disrupting domain authentication and directory services. Microsoft has acknowledged the issue and is working on a resolution. A manual workaround is available for organizations that cannot wait for a patched update.
BleepingComputer
CISA Opens KEV Nomination Form to Vendors and Security Researchers
CISA launched a public nomination form allowing security researchers, vendors, and industry partners to submit vulnerabilities for potential inclusion in the Known Exploited Vulnerabilities catalog. The initiative broadens the submission pipeline beyond CISA’s internal discovery process and aims to accelerate cataloging when new exploitation evidence surfaces. The KEV catalog is widely used by security teams as a prioritization input for remediation.
Help Net Security
Drupal CVE-2026-9082 CISA KEV Deadline Passes — Active Exploitation Continues
The May 27 CISA KEV remediation deadline for Drupal CVE-2026-9082, a critical PostgreSQL SQL injection flaw, arrives with active attacks still under way. Security researchers recorded over 15,000 exploitation attempts against approximately 6,000 sites across 65 countries. Organizations running Drupal on PostgreSQL backends that have not applied the available patch remain at high risk.
CISA KEV Catalog