Welcome to Threat Thursday, Galactic’s weekly threat intelligence roundup.
Every Thursday, we cover the cybersecurity stories that matter most for protecting organizations from emerging threats. Each item is broken down into what happened, what it could mean for your organization, and what to do about it.
Whether you’re overseeing risk management decisions, running security operations, or just trying to stay current, this update is designed to provide the information you need to keep yourself and your organization cyber safe.
This Week's Stories
1. Fortinet Emergency Pair: Pre-Authentication Remote Code Execution in FortiAuthenticator and FortiSandbox (CVE-2026-44277 + CVE-2026-26083)
Fortinet, a major maker of firewall and security appliances used by businesses worldwide, published an emergency advisory on May 12 for two serious flaws in two of its security products. The first (CVE-2026-44277) is in FortiAuthenticator, the appliance many organizations use to verify employee logins and run multi-factor authentication for access to business systems. The second (CVE-2026-26083) is in FortiSandbox, an appliance that inspects suspicious files for malware. Both flaws let an attacker run their own code on the appliance without needing a password, just by sending it a specially crafted request. Both are rated critical (9.1 out of 10). Patches are available; the cloud-hosted version of FortiAuthenticator is not affected. There’s no public exploitation yet, but flaws at this severity in Fortinet products have historically been weaponized within about a month of disclosure.
Potential impact: FortiAuthenticator sits at the front door of an organization’s identity controls. An attacker who compromises it can bypass the login process entirely, approve their own access into other business systems, and quietly move through the environment with what looks like legitimate credentials. The notable pattern is that vendor advisories like this reach attacker tooling well before they reach every customer’s patching window. Treat the gap between today and the first public exploitation report as a window to act, not a reason to wait. Recovery from an identity-appliance compromise is the kind of incident that involves forensics, regulator-grade disclosure for some industries, and rotating credentials across the business.
What to do: Affected organizations should inventory FortiAuthenticator and FortiSandbox deployments and patch to the fixed builds (FortiAuthenticator 6.5.7, 6.6.9, or 8.0.3; FortiSandbox 5.0.2 or 4.4.9). Where the management interface is reachable from the public internet, restrict it to trusted internal networks until patching is complete. Review authentication logs and administrator activity from the past two weeks for anything unexplained.
Source: BleepingComputer
2. Microsoft Patches a Critical Zero-Click Outlook Vulnerability (CVE-2026-40361)
Microsoft’s May 2026 security updates closed a critical flaw in a component of Office that both Outlook and Word rely on. The flaw lets an attacker run code on a victim’s computer simply by sending them an email; the recipient does not need to click anything, open an attachment, or even fully open the message. Microsoft has rated the flaw “exploitation more likely.” The researcher who reported it, Haifei Li, compared the bug to a decade-old Outlook flaw called BadWinmail that was considered an enterprise-grade danger at the time. Li released a proof-of-concept demonstrating the flaw, but not a working exploit. As of publication, there is no confirmed in-the-wild attack. This is the standout item from a 120-plus-CVE Patch Tuesday that, unusually, shipped without any zero-days for the first time since June 2024.
Potential impact: Zero-click email flaws are the kind of vulnerability security teams dread, because they remove the user from the equation. A single hostile message arriving in a finance manager’s, executive’s, or system administrator’s inbox can hand the attacker control of that mailbox, and the mailbox is the launching pad for invoice fraud, wire redirection, and follow-on phishing campaigns against everyone the user has corresponded with. The window where this stays a proof-of-concept is exactly the window every organization should be patching in. Once a working exploit is public, unpatched inboxes become exposed surface.
What to do: Affected organizations should accelerate deployment of the May 2026 Office and Outlook security updates. Where patches roll out on a ring schedule, push the Outlook ring forward. Review mail flow logs for unusual delivery patterns over the past two weeks. For high-value mailboxes that cannot be patched immediately, consider temporarily disabling the Outlook Preview Pane until patch coverage is complete.
Source: SecurityWeek
3. Google Documents the First AI-Developed Zero-Day Used in the Wild
Google’s Threat Intelligence Group disclosed on May 11 that it identified a zero-day exploit (an attack tool for a flaw the affected vendor had not yet fixed) it assesses was developed with help from an AI model. Google alerted the affected vendor before the threat actor could begin a planned mass-exploitation campaign. The flaw was a way to bypass two-factor authentication on a popular open-source web-based administration tool that Google declined to name. The exploit was a Python script that carried all the hallmarks of AI-generated code: extensive educational comments, an invented severity score that does not exist, and a textbook-clean structure. Google says with high confidence that the AI used was neither Gemini nor Anthropic’s tooling. In the same report, Google describes other malware families now integrating AI models into the malware itself for evasion and persistence. The takeaway from Google’s own chief analyst: for every AI-assisted exploit they can trace, there are likely many they cannot.
Potential impact: The standard advice has long been that organizations have weeks, sometimes months, between a vulnerability becoming public and a working exploit reaching attackers. That window is closing. With AI models capable of producing working exploit code from a vulnerability description, the gap between disclosure and weaponization can collapse to hours for some classes of flaw, especially in well-documented open-source software. The practical effect is that patch cadence on admin tools, identity infrastructure, and anything internet-facing has to move faster than it used to, and the "we’ll patch on the next scheduled maintenance window" model needs serious review.
What to do: Organizations should audit which web-based administration tools are exposed beyond the internal network and gate them behind VPN or conditional access. Accelerate patch cadence on identity-adjacent and admin tooling. Review authentication logs for signs of 2FA bypass: successful logins without a multi-factor prompt, unusual login locations, or anomalous user-agent strings. Treat any non-trivial vulnerability disclosure in an admin tool as a same-week patch, not a "next sprint" item.
Source: BleepingComputer
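The log review recommended above can be reduced to a small rule set. The following is an added example, not code from Google's report or from any of the tools mentioned: it runs the three 2FA-bypass signals (a successful login with no multi-factor prompt, a new login location, an unfamiliar user agent) over constructed sample log lines. The JSON field names (user, event, mfa, geo, ua, ip) are an assumption about the admin tool's log format.

```javascript
// Added example, not from the roundup's sources: a small detector for the
// three 2FA-bypass signals named above, run over constructed sample log
// lines. The JSON field names (user, event, mfa, geo, ua, ip) are an
// assumption about the admin tool's log format.

// Constructed sample log (newline-delimited JSON); not real data.
const SAMPLE_LOG = `
{"ts":"2026-05-11T08:01:10Z","user":"alice","event":"login_success","mfa":true,"geo":"DE","ua":"Mozilla/5.0 (Windows NT 10.0) Firefox/126.0","ip":"203.0.113.10"}
{"ts":"2026-05-11T08:02:00Z","user":"alice","event":"login_success","mfa":true,"geo":"DE","ua":"Mozilla/5.0 (Windows NT 10.0) Firefox/126.0","ip":"203.0.113.10"}
{"ts":"2026-05-11T22:40:00Z","user":"alice","event":"login_success","mfa":false,"geo":"BR","ua":"python-requests/2.31","ip":"198.51.100.7"}
{"ts":"2026-05-11T09:00:00Z","user":"bob","event":"login_success","mfa":true,"geo":"US","ua":"Mozilla/5.0 (Macintosh) Safari/605.1.15","ip":"203.0.113.11"}
{"ts":"2026-05-11T09:05:00Z","user":"bob","event":"login_failure","mfa":false,"geo":"US","ua":"Mozilla/5.0 (Macintosh) Safari/605.1.15","ip":"203.0.113.11"}
`;

// Parse NDJSON into events ordered by timestamp (ISO-8601 UTC sorts lexically).
function parseLog(text) {
  return text
    .split("\n")
    .filter((line) => line.trim() !== "")
    .map((line) => JSON.parse(line))
    .sort((a, b) => a.ts.localeCompare(b.ts));
}

// Walk successful logins in order, keeping a per-user baseline of countries
// and user agents seen on MFA-confirmed logins. A login is flagged when it
// has no MFA prompt, or (once a baseline exists) comes from a new country or
// a new user agent. MFA-less logins never extend the baseline, so a bypass
// cannot normalise itself into the user's profile.
function findBypassSignals(events) {
  const baseline = new Map(); // user -> { geos: Set, uas: Set }
  const alerts = [];
  for (const e of events) {
    if (e.event !== "login_success") continue;
    const seen = baseline.get(e.user) ?? { geos: new Set(), uas: new Set() };
    const reasons = [];
    if (!e.mfa) reasons.push("no_mfa_prompt");
    const hasBaseline = seen.geos.size > 0;
    if (hasBaseline && !seen.geos.has(e.geo)) reasons.push("new_geo");
    if (hasBaseline && !seen.uas.has(e.ua)) reasons.push("new_user_agent");
    if (reasons.length > 0) {
      alerts.push({ ts: e.ts, user: e.user, ip: e.ip, reasons });
    }
    if (e.mfa) {
      seen.geos.add(e.geo);
      seen.uas.add(e.ua);
      baseline.set(e.user, seen);
    }
  }
  return alerts;
}

// Stand-alone run: prints one alert, for alice's MFA-less login from BR.
for (const a of findBypassSignals(parseLog(SAMPLE_LOG))) {
  console.log(`${a.ts} ${a.user} ${a.ip} ${a.reasons.join(",")}`);
}
```

If the tool logs the second factor as a separate event rather than a field on the login, join the two on a session or request id before running the rule; a login with no matching MFA event is the same "no_mfa_prompt" signal.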
4. ClaudeBleed: A Flaw in Claude’s Chrome Extension Lets Other Extensions Hijack the AI Agent
Security firm LayerX disclosed a vulnerability on May 8 in Anthropic’s Claude for Chrome extension, the browser add-on that lets the Claude AI assistant read and act on web pages. The flaw, named “ClaudeBleed,” is a combination of two design errors: the extension grants very broad access in the browser, and it accepts commands from other code running in the same browser without checking who that code belongs to. The result is that any other Chrome extension, including one with no declared permissions at all, can silently take control of the Claude extension and use it to read information from whatever the user has open: Gmail, Google Drive, GitHub, and so on. Anthropic released a partial fix (version 1.0.70) on May 6, but researchers showed within hours that the fix can be bypassed by switching the extension into a “privileged” mode that reportedly does not require user notification. Cybernews reports the patch was broken in three hours.
Potential impact: For organizations whose employees have installed Claude for Chrome alongside any other browser extensions, the realistic risk is silent data exfiltration from whatever business tool is open in the same browser window. The bigger pattern is that AI-assistant browser extensions inherit very wide access by design (they have to be able to read and act on pages on the user’s behalf), and when their trust model has a hole, every other extension in the browser becomes part of the attack surface. Browser extensions are easy to under-manage; this incident is a sharp argument for treating them like any other piece of software running with privileged access to business data.
What to do: Administrators should inventory Claude for Chrome installs across the organization, and consider blocking the extension via Chrome Enterprise policy until a complete vendor fix ships. Audit other AI-assistant browser extensions for the same trust pattern (accepting commands from content scripts without verifying the source). For accounts that touch sensitive workflows, limit the set of extensions that can run alongside an AI assistant. Track Anthropic’s subsequent updates for a confirmed complete fix.
Source: SecurityWeek
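The trust pattern to audit for is an extension's privileged side executing commands without checking who sent them. The following is an added example, not code from Anthropic's extension or from LayerX's write-up: it models, as pure functions that run under Node without the chrome.* APIs, the unchecked handler beside a hardened one that verifies the sender and confines privileged commands (including a mode switch) to the extension's own pages. Field names follow Chrome's MessageSender (id, url); the command names, the extension id and the "set_mode" command are assumptions.

```javascript
// Added example: not code from Anthropic's extension or from LayerX's
// write-up. It models, as pure functions runnable under Node, the sender
// check an extension's privileged side should apply to inbound commands.
// Field names follow Chrome's MessageSender (id, url); the command names,
// the extension id and the "set_mode" command are assumptions.

const OWN_EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop"; // placeholder id
// Commands that drive the agent or change its privilege level.
const PRIVILEGED_COMMANDS = new Set(["read_page", "act_on_page", "set_mode"]);
// Commands a content script legitimately sends (data reporting only).
const CONTENT_SCRIPT_COMMANDS = new Set(["page_text"]);

// Vulnerable shape: any message naming a known command is executed, with no
// look at who sent it. This is the trust pattern described above.
function handleCommandUnchecked(msg) {
  const known = PRIVILEGED_COMMANDS.has(msg.command) || CONTENT_SCRIPT_COMMANDS.has(msg.command);
  return { executed: known, command: msg.command };
}

// Hardened shape: the message must come from this extension's own code, and
// privileged commands (including the mode switch) are accepted only from the
// extension's own chrome-extension:// pages, never from a content script,
// which shares a tab with arbitrary pages and other extensions' injected code.
function handleCommandChecked(msg, sender, ownId = OWN_EXTENSION_ID) {
  if (!sender || sender.id !== ownId) {
    return { executed: false, reason: "foreign_sender" };
  }
  let fromOwnPage = false;
  try {
    const url = new URL(sender.url ?? "about:blank");
    fromOwnPage = url.protocol === "chrome-extension:" && url.host === ownId;
  } catch {
    fromOwnPage = false;
  }
  if (PRIVILEGED_COMMANDS.has(msg.command)) {
    return fromOwnPage
      ? { executed: true, command: msg.command }
      : { executed: false, reason: "privileged_command_from_content_script" };
  }
  if (CONTENT_SCRIPT_COMMANDS.has(msg.command)) {
    return { executed: true, command: msg.command };
  }
  return { executed: false, reason: "unknown_command" };
}

// Content-script side: a relay of window.postMessage events must check that
// the event came from the page's own window and from an expected origin;
// another extension's injected script can post into the same window.
function shouldRelayPageMessage(event, pageWindow, allowedOrigins) {
  return event.source === pageWindow && allowedOrigins.has(event.origin);
}

// Stand-alone run with constructed senders.
const foreign = {
  id: "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz",
  url: "chrome-extension://zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz/bg.js",
};
const ownContentScript = { id: OWN_EXTENSION_ID, url: "https://mail.example.com/inbox" };
const ownPopup = { id: OWN_EXTENSION_ID, url: `chrome-extension://${OWN_EXTENSION_ID}/popup.html` };
console.log(handleCommandUnchecked({ command: "read_page" }));                // executed: true (the flaw)
console.log(handleCommandChecked({ command: "read_page" }, foreign));         // foreign_sender
console.log(handleCommandChecked({ command: "set_mode" }, ownContentScript)); // rejected
console.log(handleCommandChecked({ command: "set_mode" }, ownPopup));         // executed: true
```

When auditing other AI-assistant extensions, the questions these functions encode are the ones to ask: does the background handler check sender.id and the sender URL before acting, is a mode or privilege change treated as a privileged command, and does any content-script relay check event.source and event.origin before forwarding.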
5. Instructure Pays the Ransom for Canvas, Says Stolen Data Was Destroyed
On May 11, one day before a threatened public leak deadline, Instructure (the company behind the Canvas learning platform used by many schools and training organizations) publicly confirmed it reached an agreement with the cybercriminal group ShinyHunters for an undisclosed payment. The company says it received “digital confirmation of data destruction” and “assurance that no Instructure customers will be extorted as a result of this incident.” According to Krebs on Security, the agreement covers the full claimed dataset (3.65 terabytes, 275 million records, and roughly 8,809 institutions), although those figures remain ShinyHunters’ unverified claims rather than Instructure-confirmed scope. This is the third breach of Instructure by the same group in eight months. Instructure has also confirmed that all three waves trace back to the same compromised Salesforce account at Instructure, originally taken over through social engineering in September 2025.
Potential impact: For any organization that uses Canvas, the realistic working assumption is that names, email addresses, student or staff identifiers, and other personal information have been outside the company’s control for weeks. The promise of "destruction" is a claim, not a verifiable fact, and even sincere destruction does not undo whatever copies may already have been made or shared. The bigger pattern is that this is a SaaS vendor breach that traces back to a social-engineering attack on a single administrator account at the SaaS company itself. Any organization that depends on a major SaaS platform shares that risk surface, regardless of how secure the rest of the organization is. The durable hardening work happens upstream at the SaaS admin layer, not in the integrations.
What to do: Organizations using Canvas should rotate Canvas passwords as a precaution and remain alert to phishing attempts referencing the platform. More broadly, audit the SaaS vendors that hold sensitive customer or employee data, with particular attention to anything integrated with Salesforce. Harden multi-factor authentication on every SaaS administrator account, review session-token policies, and revisit what an attacker can reach from an admin login today. The recurring root cause across this nine-month series is social engineering of SaaS admins; that is where the durable mitigation lives.
Source: Inside Higher Ed
6. Two Linux Kernel Privilege Escalation Flaws in Play: Dirty Frag and Copy Fail
Two distinct flaws in the Linux kernel (the core software that runs Linux servers used to host websites, business applications, and parts of cloud infrastructure) are getting attention this week. The first, “Dirty Frag” (CVE-2026-43284 and CVE-2026-43500), is a chained flaw in the kernel’s memory management that lets a user with low privileges gain full administrator (“root”) access on a Linux server. A working exploit has been public since early May; mainline and major-distribution patches finished rolling out on May 9. The second, “Copy Fail” (CVE-2026-31431), is a separate nine-year-old flaw in a different kernel component with a small Python proof-of-concept; it was added to the U.S. government’s Known Exploited Vulnerabilities catalog with a May 15 federal patch deadline. Both turn a low-privileged foothold into full server control.
Potential impact: Most realistic attacks on Linux servers start with a small foothold: a stolen credential, a compromised web app, an over-permissioned service account. Privilege escalation bugs like these are what turn that small foothold into control of the entire server, including the ability to read and tamper with everything the server hosts. For organizations running web servers, application servers, or container hosts on Linux, the gap between "an intruder is on the box" and "we own the box" is what these flaws close. Patching now means a small intrusion stays small.
What to do: Administrators should inventory Linux kernel versions across the environment and verify the Dirty Frag patches are fully deployed. Apply kernels that carry the Copy Fail fix (6.18.22, 6.19.12, or the 7.0 series) before the May 15 federal deadline. For containerized workloads, confirm the host kernel is patched, not just the container image. Pull system audit logs for unexpected privilege-escalation activity over the past two weeks.
Source: Tenable
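The kernel inventory step above is easy to get wrong when version strings are compared as text. The following is an added example, not code from Tenable's write-up: it classifies a kernel version string (as printed by `uname -r`) against the Copy Fail fixed builds listed above, compares numerically rather than lexically, and separates out series with no listed fix, where distro backports make the upstream number unreliable. The host inventory is constructed, and the rule that a series newer than the newest listed fix also contains it is an assumption about mainline releases.

```javascript
// Added example, not from Tenable's write-up: classify a kernel version
// string (as printed by `uname -r`) against the Copy Fail fixed builds the
// roundup lists (6.18.22, 6.19.12, 7.0 series). Comparing numerically
// matters: as strings, "6.18.9" sorts after "6.18.22". The host list is
// constructed; the rule that any series newer than the newest listed fix
// also contains it is an assumption about mainline releases.

const FIXED_BUILDS = ["6.18.22", "6.19.12", "7.0"];

// "6.18.21-generic" -> [6, 18, 21]; the distro suffix is ignored.
function parseKernelVersion(s) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised kernel version: ${s}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] ?? 0)];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Returns "fixed", "vulnerable" or "unknown_series". The last covers kernels
// (typically distro LTS builds such as 5.15.x or 6.1.x) whose series has no
// listed fixed build: distros backport fixes without changing the upstream
// number, so consult the distro advisory instead of trusting the version.
function kernelPatchStatus(running, fixedBuilds = FIXED_BUILDS) {
  const v = parseKernelVersion(running);
  const fixed = fixedBuilds.map(parseKernelVersion);
  const sameSeries = fixed.find((f) => f[0] === v[0] && f[1] === v[1]);
  if (sameSeries) {
    return compareVersions(v, sameSeries) >= 0 ? "fixed" : "vulnerable";
  }
  const newest = fixed.reduce((a, b) => (compareVersions(a, b) >= 0 ? a : b));
  if (compareVersions([v[0], v[1], 0], [newest[0], newest[1], 0]) > 0) {
    return "fixed";
  }
  return "unknown_series";
}

// Fleet triage: a container sees the host's kernel, so this is run against
// `uname -r` on each host, not against container images.
function triageFleet(hosts) {
  const result = { fixed: [], vulnerable: [], unknown_series: [] };
  for (const h of hosts) result[kernelPatchStatus(h.kernel)].push(h.host);
  return result;
}

// Constructed inventory, not real hosts.
const SAMPLE_HOSTS = [
  { host: "web-01", kernel: "6.18.21-generic" },
  { host: "web-02", kernel: "6.18.22" },
  { host: "app-01", kernel: "6.19.12-arch1-1" },
  { host: "app-02", kernel: "7.0.3" },
  { host: "db-01", kernel: "5.15.0-91-generic" },
  { host: "k8s-node-01", kernel: "6.1.0-18-amd64" },
];

console.log(triageFleet(SAMPLE_HOSTS));
```

The "unknown_series" bucket is the one that needs human follow-up: a distro kernel such as 5.15.0-91 may or may not carry a backported fix, and only the distribution's own advisory or package changelog answers that.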
The Through Line
Two themes tie this cycle together. The first is the collapsing distance between vulnerability disclosure and a working attack. Fortinet has shipped patches before any in-the-wild use, which is the window every defender wants. The Google report on AI-developed exploits makes the case that this window is shrinking across the industry, and ClaudeBleed is a real-time example: the vendor’s first fix was bypassed within hours. The practical implication is that patch cadence on identity, admin, and inbox-adjacent software has to move faster than it used to. "Next maintenance window" is no longer a safe default for anything reachable from outside the network.
The second theme is the trust model itself. The Canvas settlement shows that "the vendor said the data is destroyed" is a claim, not proof. The lesson is that hardening means understanding where the real trust boundaries are, and where they bend, instead of trusting the labels alone. Whether the label says "provenance verified" on a package, "data destroyed" on a settlement, or "fully patched" on an extension, the question is whether the underlying control held.
Make sure to check back here each week for another Threat Thursday update. See you then!