Canadian Cyber Security Journal

Cybersecurity Daily Brief — Tuesday, May 12, 2026

Here are today’s top cybersecurity stories for Tuesday, May 12, 2026.

Microsoft Patch Tuesday May 2026: 120 Flaws Fixed, 29 Critical RCEs
Microsoft released its May 2026 Patch Tuesday update, addressing 120 vulnerabilities across Windows, Office, Azure, and Microsoft 365. Twenty-nine of the flaws are rated Critical Remote Code Execution issues, including CVE-2026-41089 (Windows Netlogon, CVSS 9.8) and multiple Office and Word RCEs exploitable via malicious file attachments. No zero-days were disclosed. May 12 also marks the final comfortable patching window before the critical Secure Boot certificate expiration deadline on June 26, 2026. (Source: BleepingComputer)

Google Uncovers First AI-Generated Zero-Day Exploit in the Wild
Google’s Threat Intelligence Group (GTIG) disclosed it detected a threat actor using a zero-day exploit believed to have been developed using artificial intelligence — the first confirmed case of AI-assisted exploit creation deployed in an active attack. The vulnerability targeted a 2FA bypass in a widely used open-source web administration tool. Google intercepted the campaign before mass exploitation occurred and coordinated responsible disclosure with the affected vendor. The exploit code contained hallmarks of LLM generation, including educational docstrings, a hallucinated CVSS score, and structured Pythonic formatting. (Source: Google Threat Intelligence Group)

TeamPCP Backdoors Checkmarx Jenkins AST Plugin in Second Supply Chain Hit
The threat group TeamPCP compromised the official Checkmarx Jenkins Application Security Testing plugin on the Jenkins Marketplace, inserting an infostealer backdoor between May 9 and May 10, 2026. The attack follows a separate TeamPCP compromise of Checkmarx’s KICS Docker image weeks earlier and carries a CVSS score of 9.4 (CVE-2026-33634). Security researchers warn the second breach suggests initial remediation was incomplete and credentials were not fully rotated. Any CI/CD pipeline that pulled the plugin during the exposure window is at risk. (Source: The Hacker News)

Ollama “Bleeding Llama” CVE-2026-7482: 300,000 AI Deployments Exposed
Full details are now public for CVE-2026-7482, a critical heap out-of-bounds read in the Ollama AI framework’s GGUF model loader. Carrying a CVSS score of 9.3, the unauthenticated flaw enables remote attackers to read heap memory from exposed servers, including system prompts, API keys, database credentials, and any PII flowing through inference jobs. Approximately 300,000 Ollama instances are publicly accessible. The vulnerability was patched in Ollama version 0.17.1, released in February 2026, but many deployments remain unpatched. (Source: The Hacker News)

Palo Alto CVE-2026-0300 Patches Begin Rolling Out on May 13
Palo Alto Networks is releasing the first wave of patches for CVE-2026-0300, the unauthenticated root-level RCE in PAN-OS User-ID Authentication Portal (CVSS 9.3), beginning May 13. Full coverage across all affected branches is scheduled for May 28. Organizations with the User-ID Authentication Portal exposed to untrusted networks should apply patches immediately as exploitation has been confirmed in the wild since April 9. Interim mitigation involves restricting portal access to trusted zones or disabling it entirely. (Source: Help Net Security)

JDownloader Website Compromised to Distribute Python RAT
The official JDownloader website was compromised between May 6 and May 7, 2026, with attackers replacing the Windows and Linux alternative installers with malware payloads. The Windows installer deployed a heavily obfuscated Python-based Remote Access Trojan; the Linux installer delivered ELF binaries with root-level persistence. The attack exploited an unpatched CMS vulnerability. Users who installed affected versions are advised to reinstall their operating systems and reset all credentials. (Source: BleepingComputer)

FCC Reverses Foreign Router Update Ban, Extends Policy to 2029
The FCC reversed course on its March 2026 ban on software and firmware updates for foreign-made consumer routers, extending temporary waivers until at least January 2029. The agency acknowledged the original policy would have blocked security patches, creating a more urgent cybersecurity risk than the hardware origin concerns it was designed to address. The reversal also expands the scope of permissible updates for affected devices and drones. (Source: Dark Reading)

Instructure Reaches Ransom Agreement to Stop Canvas Data Leak
Instructure announced on May 11 it reached a ransom agreement with ShinyHunters, halting the threatened release of 3.65 TB of Canvas LMS data affecting 8,809 institutions and approximately 275 million records. The company stated the stolen data was destroyed under the agreement. The resolution came hours before ShinyHunters’ May 12 release deadline. Instructure apologized for its lack of transparency during the incident. The breach remains the largest educational security incident on record. (Source: The Hacker News)

Stay tuned for today’s in-depth analysis posts.
