Canadian Cyber Security Journal

Cybersecurity Daily Brief — Wednesday, May 13, 2026

Here are today’s top cybersecurity stories for Wednesday, May 13, 2026.

Palo Alto Networks Releases PAN-OS Patches for CVE-2026-0300
Palo Alto Networks began rolling out patches today for CVE-2026-0300, a CVSS 9.3 unauthenticated remote code execution vulnerability in the PAN-OS User-ID Authentication Portal affecting PA-Series and VM-Series firewalls. Active exploitation was confirmed as far back as April 9. Affected versions include PAN-OS 10.2, 11.1, 11.2, and 12.1. The full patch window extends through May 28 for all supported release tracks. Source: The Hacker News

Researcher Drops Unpatched Windows BitLocker Bypass and Privilege Escalation PoC
A researcher using the alias Nightmare-Eclipse published proof-of-concept exploit code on May 12 for two unpatched Windows zero-days: YellowKey, a BitLocker bypass that works against TPM-only mode using a USB stick and a Windows Recovery Environment reboot sequence, and GreenPlasma, a CTFMON-based local privilege escalation to SYSTEM. Both flaws affect Windows 11 and Windows Server 2025. Microsoft has not issued patches or an advisory as of this writing. Source: BleepingComputer

Exim CVE-2026-45185 “Dead.Letter” — Critical GnuTLS RCE Affects All 4.97–4.99.2 Builds
A critical use-after-free vulnerability in the Exim mail server, tracked as CVE-2026-45185 and dubbed Dead.Letter, enables unauthenticated remote code execution on any Exim build compiled with GnuTLS. The flaw is triggered by sending a TLS close_notify alert mid-BDAT transfer, corrupting freed heap memory. All Exim versions from 4.97 through 4.99.2 using GnuTLS are affected. Exim 4.99.3 addresses the issue. OpenSSL-based builds are not impacted. Source: The Hacker News

Fortinet Patches Critical RCE Flaws in FortiSandbox and FortiAuthenticator
Fortinet issued emergency advisories on May 12 for two critical vulnerabilities scored at CVSS 9.1. CVE-2026-26083 is a missing authorization flaw in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS that allows unauthenticated RCE via crafted HTTP requests. CVE-2026-44277 is an improper access control issue in FortiAuthenticator enabling unauthenticated code execution. Fortinet reports no known active exploitation. Fixes are available in FortiSandbox 5.0.2/4.4.9 and FortiAuthenticator 6.5.7/6.6.9/8.0.3. Source: BleepingComputer

SAP May 2026 Patch Day — Critical SQL Injection in S/4HANA and Auth Bypass in Commerce Cloud
SAP’s May 2026 security patch release addresses 15 vulnerabilities, including two rated critical at CVSS 9.6. CVE-2026-34260 is an SQL injection flaw in S/4HANA exploitable by authenticated users. CVE-2026-34263 is a missing authentication check in Commerce Cloud allowing unauthenticated arbitrary code execution via a misconfigured Spring Security path. No active exploitation has been reported. Source: BleepingComputer

European Space Agency Confirms Breach After Hacker Offers 200 GB for Sale
The European Space Agency confirmed a data breach after a threat actor identified as “888” posted an offer on BreachForums to sell approximately 200 GB of data claimed to include source code, API tokens, configuration files, credentials, and confidential project documents tied to the Ariel 2029 mission. ESA states only a small number of external servers supporting unclassified scientific collaboration were affected. A forensic investigation is underway. Source: SecurityWeek

TrickMo Android Banking Trojan Upgrades to TON Blockchain C2 and SOCKS5 Pivoting
ThreatFabric researchers disclosed a new TrickMo variant, tracked as TrickMo C, that routes C2 communications through The Open Network blockchain via an embedded local TON proxy on infected devices, evading IP-based fraud detection. The variant also deploys a SOCKS5 proxy that turns compromised Android devices into network exit nodes. Banking and cryptocurrency wallet users in France, Italy, and Austria were actively targeted between January and February 2026. Source: The Hacker News

Locked Shields 2026 Concludes — 41 Nations Complete World’s Largest Cyber Defense Exercise
The NATO Cooperative Cyber Defence Centre of Excellence’s Locked Shields 2026 exercise concluded this week, bringing together more than 4,000 participants from 41 nations across three days of live-fire cyber defense scenarios. Sixteen multinational teams defended simulated critical infrastructure including 5G networks, power grids, satellite systems, and electronic voting platforms. This year’s edition introduced AI-enhanced attack scenarios for the first time. Top-scoring teams included France-Sweden, Latvia-Singapore, and Germany-Austria-Luxembourg-Switzerland. Source: SecurityWeek

OpenAI Expands GPT-5.4-Cyber Access to Verified Security Teams
OpenAI announced the expansion of its GPT-5.4-Cyber model access through the Trusted Access for Cyber program, opening it to thousands of verified defenders and hundreds of security teams. The announcement follows Anthropic’s release of its Claude Mythos cybersecurity model earlier this week, with both vendors accelerating AI-augmented threat analysis capabilities for enterprise security operations. Source: SecurityWeek

Stay tuned for today’s in-depth analysis posts.
