Here are today’s top cybersecurity stories for Thursday, May 14, 2026.
Cisco Patches CVSS 10.0 SD-WAN Auth Bypass Under Active Exploitation
Cisco disclosed CVE-2026-20182, a critical authentication bypass in Cisco Catalyst SD-WAN Controller with a CVSS score of 10.0. An unauthenticated remote attacker can exploit the flaw in the vdaemon service over DTLS (UDP port 12346) to obtain administrative access and inject SSH keys into the vmanage-admin account. Cisco Talos attributed limited active exploitation to UAT-8616 and confirmed patches are available with no workarounds.
The Hacker News
Foxconn Confirms Nitrogen Ransomware Attack on North American Factories
Foxconn confirmed a ransomware attack on facilities in Wisconsin and Texas after the Nitrogen gang claimed theft of 8 TB comprising more than 11 million files. The group alleges the stolen data includes confidential technical documentation and project files tied to Apple, Nvidia, Intel, Google, and Dell. Affected factories began restoring operations after network outages forced staff to paper-based processes.
BleepingComputer
West Pharmaceutical Services Hit by Ransomware — Data Exfiltrated, Systems Encrypted
West Pharmaceutical Services disclosed a material cybersecurity incident in which attackers exfiltrated data and deployed file-encrypting ransomware across its global manufacturing and distribution operations. The company detected the breach on May 4 and engaged Palo Alto Networks Unit 42 for incident response. No ransomware group has publicly claimed the attack. West Pharmaceutical has not confirmed whether personal information was involved.
BleepingComputer
OpenAI Launches Daybreak AI-Powered Vulnerability Detection Platform
OpenAI introduced Daybreak, a cybersecurity initiative combining GPT-5.5-based models with Codex Security to automate vulnerability detection, patch generation, and patch validation. The platform uses three model tiers targeting standard use, verified defenders, and red team engagements. Major security vendors including Cisco, CrowdStrike, Palo Alto Networks, and Fortinet are integrating the capabilities. Access remains restricted to vetted organizations.
The Hacker News
F5 Patches Over 50 Vulnerabilities in BIG-IP, BIG-IQ, and NGINX
F5 released its May 2026 quarterly security notification addressing 51 vulnerabilities across BIG-IP, BIG-IQ, and NGINX — 19 high severity and 32 medium. The most critical flaw, CVE-2026-42945 (CVSS 9.2), is a heap buffer overflow in NGINX’s ngx_http_rewrite_module enabling unauthenticated denial-of-service and, where ASLR is disabled, remote code execution. F5 reports none of the patched vulnerabilities have been exploited in the wild.
SecurityWeek
Trump Budget Proposes Cutting Over 1,000 CISA Jobs and $495 Million in Funding
The Trump administration’s proposed fiscal year 2026 budget would cut 1,083 full-time positions from CISA, reducing staff to 2,649 and slashing the agency budget from roughly $2.9 billion to $2.4 billion. The proposal eliminates the Election Security Program entirely and cuts the National Risk Management Center by 73%. Security industry groups warn the reductions will limit the federal government’s capacity to respond to nation-state threats.
CyberScoop
Microsoft Exposes Multi-Stage Code-of-Conduct Phishing Campaign Targeting 35,000 Users
Microsoft detailed an adversary-in-the-middle phishing campaign active in mid-April 2026 targeting 35,000 users at 13,000 organisations across 26 countries. Attackers sent polished HTML-templated PDF attachments impersonating HR compliance notices that directed victims through Cloudflare CAPTCHA gates to token-harvesting sites. Healthcare, financial services, and professional services sectors were most heavily targeted.
The Hacker News
Instructure Reaches Ransom Agreement with ShinyHunters to Halt 3.65 TB Canvas Data Release
Instructure confirmed it reached an agreement with ShinyHunters to prevent public release of 3.65 TB of data stolen from the Canvas learning management system, affecting approximately 275 million users at 8,809 educational institutions globally. The breach exposed private student-teacher messages and personal records obtained through a Free-For-Teacher account. The agreement does not constitute confirmation the stolen data was deleted.
The Hacker News
Chinese APT Groups Salt Typhoon and Twill Typhoon Expand Targeting and Update Backdoors
Salt Typhoon targeted an Azerbaijani oil and gas company using the ProxyNotShell exploit chain and Deed RAT via DLL sideloading — a departure from its typical telecom focus. Twill Typhoon targeted Asia-Pacific entities with an updated remote access tool. SecurityWeek reports both groups have expanded their targeting scope and refined their malware in recent campaigns.
SecurityWeek
Stay tuned for today’s in-depth analysis posts.
