Canadian Cyber Security Journal

Cybersecurity Daily Brief — Thursday, May 21, 2026

Here are today’s top cybersecurity stories for Thursday, May 21, 2026.

Cisco Patches CVSS 10.0 Secure Workload Flaw Giving Attackers Site Admin Privileges
Cisco disclosed CVE-2026-20223, a maximum-severity authentication bypass in Cisco Secure Workload. Unauthenticated attackers who send crafted API requests gain Site Admin privileges, allowing modification of security policies and access to sensitive data across tenant environments. SaaS deployments were fixed automatically. On-premises customers must upgrade to version 3.10.8.3 or 4.0.3.17. No active exploitation was confirmed as of May 20, 2026. BleepingComputer

Microsoft Patches Two Actively Exploited Defender Zero-Days After Six Weeks
Microsoft released patches for CVE-2026-41091 (RedSun — SYSTEM privilege escalation via the Malware Protection Engine, CVSS 7.8) and CVE-2026-45498 (UnDefend — denial-of-service against the Defender Antimalware Platform). Both flaws were actively exploited from mid-April 2026 onward with no patch available. CISA added both to the Known Exploited Vulnerabilities catalog on May 20. Fixes deploy automatically via Windows Update through Malware Protection Engine version 1.1.26040.8. BleepingComputer

Operation Saffron: Europol Dismantles First VPN Used in Ransomware and Data Theft
French and Dutch authorities, coordinated by Europol and Eurojust, seized 33 servers and four domains tied to First VPN on May 19 and 20. The service appeared in nearly every major cybercrime investigation Europol supported. Authorities accessed user traffic before the takedown, identified 506 users, and shared 83 intelligence packages across 27 partner countries. Leads relevant to Phobos ransomware investigations were generated. The service’s operator was interviewed in Ukraine. BleepingComputer | Europol

Verizon DBIR 2026: Vulnerability Exploitation Is Now the Top Breach Entry Point
Verizon’s 2026 Data Breach Investigations Report, covering more than 22,000 incidents, identified vulnerability exploitation as the leading initial access vector for the first time in the report’s 19-year history. Vulnerability exploitation accounted for 31% of breaches, up from 20% the prior year. Only 26% of vulnerabilities in CISA’s KEV catalog were fully remediated — down from 38% the year before. Median patch time grew to 43 days. Ransomware was present in 48% of confirmed breaches. SecurityWeek | Verizon

Chinese APT Calypso Targets Telecoms With New Showboat Linux Malware and JFMBackdoor
Calypso, also tracked as Red Lamassu, deployed Showboat — a modular Linux post-exploitation framework with remote shell, file transfer, and SOCKS5 proxy capabilities — alongside JFMBackdoor, a Windows implant delivered via DLL side-loading. The campaign has targeted telecoms across Asia Pacific and the Middle East since at least mid-2022. Showboat’s C2 infrastructure ties to IP addresses in Chengdu, China. The group shares tooling with other China-nexus clusters, consistent with a known digital quartermaster model. The Hacker News | BleepingComputer

Covenant Health Discloses Qilin Ransomware Breach Affecting 478,000 Patients
Covenant Health confirmed a Qilin ransomware breach that compromised data belonging to 478,188 individuals, including nearly 285,000 in Maine. The incident began before the May 26, 2025 detection date and exposed Social Security numbers, addresses, and medical records. The organization initially reported fewer than 10,000 affected before forensic analysis revealed the full scope. Class action litigation has been filed. BleepingComputer

Cisco Patches Sixth Exploited SD-WAN Zero-Day of 2026
Cisco released a patch for a new Catalyst SD-WAN Controller zero-day vulnerability, the sixth SD-WAN zero-day exploited in 2026. Organizations running Cisco SD-WAN should apply patches immediately and audit for signs of prior compromise, including unauthorized SSH key injection or configuration modifications. SecurityWeek

Google Patches 21 Chrome Vulnerabilities Including Actively Exploited Zero-Day
Google released a Chrome security update addressing 21 vulnerabilities, including one actively exploited zero-day. The update brings Chrome to version 146.0.7680.177/178 on Windows and macOS. Administrators should apply the update without delay and confirm automatic updates are enabled across managed endpoints. SecurityWeek

Acuity Brands Discloses Two Separate Data Breaches Affecting Employees
Lighting and smart buildings company Acuity Brands disclosed two separate data breach incidents. Unauthorized access in December 2021 and a second incident in October 2020 together exposed Social Security numbers, driver’s licence numbers, financial account information, and health data belonging to current and former employees. Available evidence points to Conti ransomware group involvement in the 2021 incident. SecurityWeek

CISA Adds Seven Vulnerabilities to KEV Including Two Defender Zero-Days and Five Legacy CVEs
CISA added seven vulnerabilities to its Known Exploited Vulnerabilities catalog on May 20. The additions include CVE-2026-41091 and CVE-2026-45498 (both Microsoft Defender) alongside five legacy CVEs from 2008 to 2010 covering Microsoft Windows, DirectX, Internet Explorer, and Adobe Acrobat — evidence of continued exploitation of unpatched older systems. Federal civilian agencies face mandatory remediation deadlines. CISA

Stay tuned for today’s in-depth analysis posts.
