Canadian Cyber Security Journal

Cybersecurity Daily Brief — Thursday, May 7, 2026

Here are today’s top cybersecurity stories for Thursday, May 7, 2026.

Ivanti Warns of New EPMM Zero-Day CVE-2026-6973 Exploited in the Wild
Ivanti has disclosed a new high-severity vulnerability in its Endpoint Manager Mobile (EPMM) product, tracked as CVE-2026-6973 with a CVSS score of 7.2. The improper input validation flaw lets remotely authenticated administrators execute arbitrary code on on-premises EPMM servers running version 12.8.0.0 and earlier. Ivanti confirmed a limited number of customer environments have been actively exploited, with attackers believed to have leveraged admin credentials stolen through the earlier CVE-2026-1340 campaign. Patches are available in versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. Shadowserver currently tracks over 850 internet-exposed EPMM instances, with 182 in North America.
BleepingComputer

Fake Claude AI Website Delivers New Beagle Windows Backdoor via Google Ads
A malvertising campaign is using Google sponsored search results to push a fake Claude AI website at “claude-pro[.]com,” where visitors download a 505MB archive containing a malicious MSI installer. Sophos researchers discovered the installer deploys DonutLoader, which then fetches a previously undocumented Windows backdoor called Beagle. Beagle executes CMD and PowerShell commands, uploads and downloads files, manages directories, and communicates with its command-and-control server using AES-encrypted TCP/UDP traffic. The hosting infrastructure traces back to a server established in March 2026, and the campaign remains active.
BleepingComputer

Hackers Abuse Google Ads to Steal ManageWP Credentials via Adversary-in-the-Middle Phishing
A credential-harvesting campaign discovered by Guardio Labs targets ManageWP users — GoDaddy’s platform for centrally managing WordPress site fleets — through malicious Google sponsored results. The operation uses a live adversary-in-the-middle proxy that relays credentials and two-factor authentication codes in real time, granting attackers immediate access to victims’ accounts. A single compromised account often controls hundreds of websites, enabling attackers to inject malware or redirect traffic at scale. At least 200 victims have been confirmed. A Russian-language notice embedded in the command-and-control code disclaimed the operators’ responsibility for illegal use.
BleepingComputer

Symcor Targeted by Everest Ransomware in Attack on Canadian Financial Services BPO
The Everest ransomware group claimed on May 2, 2026 to have attacked Symcor, a Mississauga-based business process outsourcing company serving major Canadian banks and financial institutions. Everest threatened to publish exfiltrated data unless negotiations commence. Symcor provides payment processing, data management, and document services to Canada’s financial sector. A confirmed data breach would carry significant PIPEDA notification obligations for the company and its banking clients. Symcor had not issued a public statement at time of publication.
DeXpose

PCPJack Cloud Credential Theft Framework Disclosed by SentinelOne
SentinelOne researcher Alex Delamotte published details on May 7, 2026 of a new credential theft framework called PCPJack. The toolset targets exposed cloud infrastructure — including Docker, Kubernetes, Redis, MongoDB, and RayML deployments — harvesting credentials from cloud, container, developer, and financial services platforms before exfiltrating data and spreading in worm-like fashion through compromised networks. PCPJack actively removes artifacts linked to TeamPCP from infected environments and is assessed to pursue illicit revenue through credential resale, fraud, and spam campaigns.
The Hacker News

Eclipse BaSyx Java Server SDK Patches Critical CVSS 10.0 Path Traversal and SSRF Flaws
Two critical vulnerabilities were disclosed on May 5, 2026 in the Eclipse BaSyx Java Server SDK, an open-source platform used in Industry 4.0 and Industrial IoT deployments. CVE-2026-7411 (CVSS 10.0) is an unauthenticated path traversal flaw in the Submodel HTTP API enabling arbitrary file writes and full remote code execution. CVE-2026-7412 (CVSS 8.6) is a blind server-side request forgery flaw in the Operation Delegation feature, allowing attackers to probe internal networks and cloud metadata endpoints. Both flaws are patched in version 2.0.0-milestone-10.
SecurityWeek

CISA BlueHammer Patch Deadline Falls Today — Federal Agencies Must Fix CVE-2026-33825
The CISA two-week remediation deadline for the BlueHammer Windows Defender privilege escalation flaw, CVE-2026-33825, lands on May 7, 2026. Added to the Known Exploited Vulnerabilities catalog on April 22, the high-severity flaw lets low-privileged local users gain SYSTEM rights on unpatched Windows 10 and Windows 11 devices. Microsoft shipped the fix in the April 14, 2026 Patch Tuesday release. CISA described the vulnerability as “a frequent attack vector for malicious cyber actors” posing significant risk to federal operations.
BleepingComputer

Palo Alto CVE-2026-0300 Patch Window Narrows — First Fixes Arrive May 13
Palo Alto Networks confirmed that the first patches for the actively exploited PAN-OS buffer overflow zero-day CVE-2026-0300 will begin rolling out on May 13, 2026, with a staggered release completing by May 28. The unauthenticated remote code execution flaw, which enables root-level system compromise, carries a CVSS score of 9.3 when the User-ID Authentication Portal is internet-accessible. Organizations unable to patch immediately should restrict Portal access to trusted internal IP ranges or disable the feature entirely. Exploitation was traced to as early as April 9, 2026.
Help Net Security

Microsoft Enables Hotpatch by Default for All Intune-Managed Windows Devices in May 2026
Microsoft announced it will turn on hotpatch security updates by default for all eligible Windows devices managed through Microsoft Intune and the Microsoft Graph API starting with the May 2026 security update cycle. Hotpatching applies security fixes to running processes without requiring a reboot, and Microsoft estimates the change will cut time-to-90%-patch-compliance in half across managed fleets. Organizations not ready to adopt hotpatch can opt out at the tenant level through Intune controls. Devices require the April 2026 baseline update to be eligible.
BleepingComputer

Stay tuned for today’s in-depth analysis posts.
