Microsoft has rolled out its May 2026 Patch Tuesday security updates, delivering fixes for approximately 120 vulnerabilities across Windows, Microsoft Office, networking services, and enterprise platforms. Unlike several recent monthly releases, this update contains no publicly disclosed or actively exploited zero-day vulnerabilities, making it a relatively less chaotic cycle for IT and security teams.  Even without emergency-level exploits, the Microsoft May 2026 Patch Tuesday release remains significant due to the large number of critical flaws addressed. The company confirmed that the update resolves 17 critical vulnerabilities, including 14 remote code execution (RCE) flaws, two elevation-of-privilege issues, and one information disclosure vulnerability. 

Microsoft May 2026 Patch Tuesday: Vulnerabilities That Demand Attention 

One of the most important areas covered in the May 2026 Patch Tuesday update involves multiple vulnerabilities affecting Microsoft Office applications, particularly Word and Excel.  According to Microsoft, attackers could exploit these flaws by tricking users into opening malicious files. Several of the vulnerabilities can also be triggered through the preview pane, allowing remote code execution without fully opening the attachment.  Because Office documents remain a common attack vector in phishing campaigns, security professionals are strongly recommending that organizations prioritize deployment of these updates, especially in environments where employees regularly receive external attachments. 

Windows GDI Flaw Allows Exploitation Through Microsoft Paint 

Among the noteworthy issues patched during Microsoft’s May 2026 Patch Tuesday rollout is CVE-2026-35421, a Windows GDI remote code execution vulnerability.  The flaw can be exploited through a malicious Enhanced Metafile (EMF) image opened in Microsoft Paint. Successful exploitation could allow attackers to execute arbitrary code on the victim’s machine.  Although the attack requires user interaction, researchers warned that image-based attacks are often effective because users may not recognize specially crafted files as dangerous. 

SharePoint and DNS Vulnerabilities Raise Enterprise Security Concerns 

Another major vulnerability addressed in the May 2026 Patch Tuesday release is CVE-2026-40365, a remote code execution flaw affecting Microsoft SharePoint Server.  Microsoft stated that an authenticated attacker could use the vulnerability to launch a network-based attack capable of remotely executing code on vulnerable SharePoint systems. Since SharePoint environments often store sensitive internal data and business documents, the flaw is expected to receive close attention from enterprise administrators.  The company also patched CVE-2026-41096, a serious Windows DNS Client remote code execution vulnerability. The flaw involves improper handling of specially crafted DNS responses sent by attacker-controlled DNS servers.  The issue stems from a heap-based buffer overflow condition in Windows NetLogon functionality. A successful attack could corrupt system memory and allow remote code execution without requiring authentication. 

Dynamics 365 Vulnerability Carries Near-Maximum Severity Score 

Another critical issue fixed during the Microsoft May 2026 Patch Tuesday cycle is CVE-2026-42898, a remote code execution vulnerability affecting on-premises versions of Microsoft Dynamics 365.  The flaw received a CVSS severity score of 9.9 and requires no user interaction for exploitation. Researchers warned that attacks targeting Dynamics 365 environments could have widespread consequences because the platform frequently connects with multiple enterprise systems and sensitive databases.  Previous attacks involving Dynamics infrastructure have exposed privileged business information, making this vulnerability especially concerning for large organizations.

Windows 11 Cumulative Updates Introduce New Features 

As part of the May 2026 Patch Tuesday rollout, Microsoft released Windows 11 cumulative updates KB5089549 and KB5087420 for versions 25H2, 24H2, and 23H2.  The updates are mandatory because they contain the latest security fixes and stability improvements.  After installation: 

• Windows 11 25H2 updates to build 26200.8457  
• Windows 11 24H2 updates to build 26100.8457  
• Windows 11 23H2 updates to build 22631.7079  

Microsoft confirmed that versions 25H2 and 24H2 share the same underlying update structure, meaning users receive identical fixes and improvements across both versions. 

Xbox-Inspired Desktop Experience Added to Windows 11 

One of the more noticeable additions included in the Microsoft May 2026 Patch Tuesday update is a new Xbox-style desktop experience for PCs.  The feature is designed to provide a console-like interface on Windows devices. Alongside the visual changes, Microsoft also introduced reliability improvements for the taskbar and enhancements to Windows Hello authentication.  The update improves both Windows Hello Face recognition reliability and the persistence of fingerprint authentication across system upgrades. 

File Explorer Receives Major Improvements 

File Explorer received several updates in the latest May 2026 Patch Tuesday release.  Microsoft expanded archive support to include formats such as: 

• uu  
• cpio  
• xar  
• NuGet Packages (nupkg)  

The company also improved how File Explorer preserves View and Sort preferences in folders like Downloads and Documents when applications directly launch those locations.  Additionally, Microsoft fixed a white flash issue that sometimes appeared in dark mode while opening “This PC” or resizing the Details pane.  Explorer.exe reliability was also enhanced to reduce crashes and improve overall responsiveness. 

Input, Voice Typing, and Haptic Feedback Enhancements 

The Microsoft May 2026 Patch Tuesday updates introduced several improvements to input and accessibility features.  Compatible devices can now provide haptic feedback during actions such as snapping windows or aligning PowerPoint objects. Current supported hardware includes: 

• Surface Slim Pen 2  
• ASUS Pen 3.0  
• MSI Pen 2  

Microsoft added that support for additional peripherals, including select mouse devices, could arrive in future hardware updates.  Voice typing on the touch keyboard also received a redesign. The updated interface removes the previous full-screen overlay and displays animations directly on the dictation key to reduce distractions. In addition, Microsoft introduced the Arabic 101 Legacy keyboard layout for users who prefer the earlier Arabic keyboard configuration.

Storage, Printing, and Performance Updates Included 

Several broader system improvements were bundled into the May 2026 Patch Tuesday release.  Microsoft increased the FAT32 formatting limit through the command line from 32GB to 2TB. The update also improves storage settings performance when viewing large disk volumes. Additional changes include: 

• Reduced memory usage in Delivery Optimization  
• Improved audio driver compatibility with midisrv.exe  
• Better taskbar system tray reliability  
• Enhanced startup application performance  
• Improved monitor color profile persistence  
• Simplified kiosk mode app configuration  

The update also introduces a new icon identifying printers that support Windows Protected Print Mode. 

Microsoft Introduces More Secure Batch File Processing 

Microsoft added a new security-focused feature aimed at administrators and enterprise policy managers.  The May 2026 Patch Tuesday update introduces a secure processing mode for batch files and Command Prompt scripts. When enabled, the feature prevents batch files from being modified during execution.  Administrators can activate the setting using the following registry path:  Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor  Value Name: LockBatchFilesWhenInUse  The feature can also be enabled through Application Control for Business policies. 

In this weekly roundup from The Cyber Express, the global cybersecurity landscape continues to show rapid and uneven change, shaped by both regulatory shifts and escalating cyber threats. Governments are tightening oversight of new technologies such as artificial intelligence, while threat actors are simultaneously refining their techniques to exploit businesses, infrastructure, and end users across multiple platforms.  This edition of cybersecurity news brings together some of the most important developments of the week, ranging from significant amendments to the European Union’s AI Act to the expansion of malware campaigns into macOS environments and the discovery of a critical vulnerability in widely used enterprise firewall software.   It also covers major sentencing in a global ransomware case and a fresh warning from the FBI about the growing scale of cyber-enabled cargo theft targeting logistics and supply chain organizations. 

The Cyber Express Weekly Roundup 

EU Updates AI Act with Simpler Rules and New AI Content Bans 

In a significant regulatory update, the European Union has agreed to revise parts of the EU AI Act. The updated framework aims to simplify compliance requirements for businesses while simultaneously introducing stricter restrictions on harmful AI-generated content. Read more.. 

ClickFix Malware Campaign Expands to macOS 

Another key development is the expansion of the ClickFix malware campaign beyond Windows systems. Security researchers at Microsoft have confirmed that the operation is now targeting macOS users using deceptive troubleshooting content. Read more... 

Critical PAN-OS Vulnerability Enables Remote Code Execution 

A critical security flaw has been identified in Palo Alto Networks’ PAN-OS firewall software. Tracked as CVE-2026-0300, the vulnerability carries a CVSS score of 9.3, indicating severe risk. The issue originates from a buffer overflow vulnerability in the User-ID Authentication Portal. Read more... 

Latvian Cybercriminal Sentenced in Global Ransomware Case 

Latvian national Deniss Zolotarjovs has been sentenced to 102 months in prison for his role in a large-scale ransomware operation. According to the U.S. Department of Justice, the group operated under multiple ransomware brands, including Conti, Royal, Akira, and Karakurt. Between 2021 and 2023, the organization carried out attacks against more than 54 companies worldwide, using data theft and encryption-based extortion tactics to pressure victims into paying ransom demands. Read more... 

FBI Warns of Rising Cyber-Enabled Cargo Theft 

The FBI has issued an alert regarding a sharp rise in cyber-enabled cargo theft. Criminal actors are using impersonation techniques to pose as legitimate logistics providers, allowing them to intercept and redirect freight shipments. The agency noted that logistics, shipping, and insurance companies have been targeted since at least 2024. Read more... 

Weekly Takeaway 

This week’s The Cyber Express weekly roundup highlights the growing convergence of regulatory change, advanced malware threats, critical infrastructure vulnerabilities, ransomware enforcement actions, and supply chain fraud. As the global cybersecurity landscape continues to evolve, organizations across all sectors remain under increasing pressure to strengthen defenses and adapt to emerging risks. 

The rollout of the UK’s Online Safety Act in July 2025 was intended to create a safer digital environment for children through stricter age verification rules, tighter moderation standards, and stronger protections against harmful online content. However, early evidence suggests that many of the safeguards introduced under the legislation can still be bypassed with surprisingly simple tactics, including a fake moustache drawn with makeup.  Recent findings have raised concerns among parents, researchers, and digital safety experts about the effectiveness of current age verification systems. While the Online Safety Act has led to some improvements in children’s online experiences, critics argue that enforcement remains inconsistent and that many platforms are still vulnerable to manipulation.  One of the most widely discussed examples involved a 12-year-old boy who reportedly used an eyebrow pencil to create a fake moustache before facing a facial age estimation check. According to the report, the altered appearance convinced the system that he was 15 years old, allowing him to bypass restrictions designed for younger users. The incident has become a symbol of broader concerns about the reliability of AI-driven age-verification technologies. 

Online Safety Act Faces Early Challenges 

The Online Safety Act was introduced to strengthen online child protection measures by requiring platforms to implement stricter checks and reduce children’s exposure to harmful material. The legislation also aimed to improve reporting tools and create safer digital spaces for younger users.  Despite those goals, the report suggests that loopholes remain widespread. Children have reportedly been bypassing protection through several methods, including entering false birthdates, borrowing adult credentials, sharing accounts, and using VPN services. More advanced attempts have also involved spoofing facial recognition systems used in age verification processes.  Survey data cited in the findings revealed that nearly half of children believe current age verification systems are easy to evade. Around one-third admitted to bypassing these systems in recent months.  The fake moustache example particularly highlighted weaknesses in facial age estimation tools that rely heavily on visual indicators rather than stronger forms of identity confirmation. Experts argue that systems based primarily on appearance can be vulnerable to minor cosmetic changes, lighting adjustments, or camera manipulation. 

Mixed Results Following Online Safety Act Rollout 

Although concerns over age verification remain significant, the report noted that the Online Safety Act has produced some positive outcomes. Approximately half of the surveyed children said they were now seeing more age-appropriate content online. In addition, around 40% of both children and parents stated that the internet feels somewhat safer since the legislation came into effect.  Many children also appeared supportive of increased online protections. The findings showed that younger users generally approved of stricter platform rules, reduced interaction with strangers, and limitations placed on high-risk platform features.  Around 90% of children who noticed stronger moderation systems and improved reporting tools viewed those changes positively. Researchers said this indicates that many younger users are willing to engage with safer digital environments when protections are implemented effectively.  Still, the improvements have not been universal. Within just one month of new child protection codes being introduced under the Online Safety Act, nearly half of the children surveyed reported encountering harmful content online. This included violent material, hate speech, and body image-related content, all categories the legislation specifically aims to regulate. 

Privacy Concerns Grow Around Age Verification 

The expansion of age verification requirements has also triggered growing concerns over privacy and data security. More than half of the children surveyed said they had been asked to verify their age within a recent two-month period. These checks were reportedly common across major platforms, including TikTok, YouTube, Google services, and Roblox.  Many platforms now rely on technologies such as facial age estimation, government-issued identification checks, and third-party age assurance providers to comply with the Online Safety Act. While users generally described the systems as easy to complete, concerns remain about how sensitive data is collected, stored, and potentially reused.  Parents expressed unease about whether biometric information and identity documents submitted during age verification could later be retained by companies or accessed by government agencies. Those concerns have intensified calls for more centralized and privacy-focused verification systems instead of fragmented checks spread across multiple online services.  Experts argue that current approaches may not strike the right balance between child safety and personal privacy. They warn that if the weaknesses exposed by tactics like the fake moustache incident are not addressed, public trust in these systems could continue to decline. 

A newly disclosed local privilege escalation (LPE) vulnerability known as Dirty Frag is raising serious concerns across the Linux ecosystem after researchers revealed that the flaw can grant root access to most major Linux distributions. The vulnerability, which currently remains unpatched, has been described as a successor to the previously disclosed Copy Fail flaw tracked as CVE-2026-31431.  Security researcher Hyunwoo Kim, also known online as @v4bel, publicly disclosed the issue after what he described as a breakdown in the coordinated disclosure and embargo process. The vulnerability was initially reported to Linux kernel maintainers on April 30, 2026, but no official fixes or CVE identifiers had been assigned at the time of disclosure.  According to Kim, Dirty Frag is not a single bug but a vulnerability class capable of achieving root privileges across many Linux distributions by chaining together two separate flaws: the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability.  Kim explained in his technical write-up:  “Dirty Frag is a vulnerability (class) that achieves root privileges on most Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability.”  He further noted that Dirty Frag extends the same bug class associated with Dirty Pipe and Copy Fail (CVE-2026-31431). Unlike race-condition-based attacks, Dirty Frag operates through a deterministic logic flaw, making exploitation more reliable.  “Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high.” 

Dirty Frag Targets Multiple Linux Distributions 

The new LPE vulnerability affects a broad range of Linux distributions, including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44. Researchers warned that successful exploitation allows an unprivileged local user to escalate privileges and gain full root access.  In a public disclosure sent to the oss-security mailing list on May 8, 2026, Kim described Dirty Frag as a “universal Linux LPE” capable of compromising all major Linux distributions.  The disclosure stated:  “This is a report on ‘Dirty Frag’, a universal LPE that allows obtaining root privileges on all major distributions.”  Kim also emphasized that the impact closely resembles Copy Fail, or CVE-2026-31431, which has already been observed under active exploitation in the wild. 

How Dirty Frag Works 

The first component of Dirty Frag, the xfrm-ESP Page-Cache Write vulnerability, originates from the IPSec (xfrm) subsystem. Researchers said it provides attackers with a four-byte store primitive similar to CVE-2026-31431 and allows overwriting small portions of the kernel page cache.  However, exploitation through the xfrm-ESP path requires an unprivileged user to create a namespace. Ubuntu blocks this behavior through AppArmor restrictions, limiting the effectiveness of that exploit path on Ubuntu-based Linux distributions.  To bypass that limitation, Dirty Frag chains a second flaw: the RxRPC Page-Cache Write vulnerability.  Kim explained:  “RxRPC Page-Cache Write does not require the privilege to create a namespace, but the rxrpc.ko module itself is not included in most distributions.”  He added that while RHEL 10.1 does not ship the rxrpc.ko module by default, Ubuntu systems load it automatically. By combining both vulnerabilities, attackers can adapt exploitation techniques depending on the target environment.  “Chaining the two variants makes the blind spots cover each other. In an environment where user namespace creation is allowed, the ESP exploit runs first. Conversely, on Ubuntu, where user namespace creation is blocked but rxrpc.ko is built, the RxRPC exploit works.” 

Links to Older Linux Kernel Vulnerabilities 

Researchers traced the xfrm-ESP vulnerability back to a Linux kernel source code commit made in January 2017. Interestingly, the same commit was also identified as the root cause of another serious Linux kernel issue, CVE-2022-27666, a buffer overflow vulnerability with a CVSS score of 7.8 that affected multiple Linux distributions.  The RxRPC Page-Cache Write vulnerability, meanwhile, was reportedly introduced in June 2023.  Security firm CloudLinx stated in an advisory that the flaw exists in the “ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path” and is reachable through the XFRM user netlink interface.  AlmaLinux also released a technical analysis explaining how the issue impacts kernel memory handling:  “The bug lives in the in-place decryption fast paths of esp4, esp6, and rxrpc: when a socket buffer carries paged fragments that are not privately owned by the kernel, the receive path decrypts directly over those externally-backed pages.”  According to the advisory, this behavior can expose or corrupt plaintext data while an unprivileged process still maintains a reference to the affected pages. 

Public PoC Increases Risk for Linux Distributions 

The threat level surrounding Dirty Frag has intensified due to the public release of a fully working proof-of-concept exploit. Researchers warned that the exploit can grant root access using a single command, significantly lowering the barrier for attackers.  Until official patches become available, administrators are urged to disable the affected modules manually. The recommended mitigation command is: 

sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true" 

Security experts also warned that Dirty Frag importantly differs from CVE-2026-31431. Unlike Copy Fail, Dirty Frag can still be exploited even if the Linux kernel’s algif_aead module has been disabled.  Kim stated:  “Note that Dirty Frag can be triggered regardless of whether the algif_aead module is available.”  He further cautioned:  “In other words, even on systems where the publicly known Copy Fail mitigation (algif_aead blacklist) is applied, your Linux is still vulnerable to Dirty Frag.”  With no patches currently available and exploit code already circulating publicly, the newly disclosed Dirty Frag LPE vulnerability presents a significant risk to Linux distributions worldwide. 

The cybersecurity posture of the U.S. oil and gas sector has come under renewed scrutiny following Operation Epic Fury, with a new independent survey revealing a disconnect between operator confidence and actual operational technology (OT) security capabilities. While companies across the upstream and midstream energy segments have accelerated cybersecurity investments since the February 28 launch of Operation Epic Fury, the findings suggest many organizations may still lack the tools needed to identify real-time cyber threats targeting OT environments.  The independent survey, conducted on behalf of Tosi, examined the views of OT decision makers across U.S. oil and gas operators. The research found that most respondents believe they can detect an active OT cyber breach within 24 hours. However, the same OT decision makers acknowledged relying heavily on systems and processes not specifically designed to monitor OT infrastructure.  According to the survey data, 87 percent of operators rated themselves as confident in their ability to detect an OT breach within a day, assigning their organizations a score of four or five on a five-point confidence scale. Despite that confidence, 51 percent said their detection capabilities primarily depend on IT security tools that provide only limited visibility into OT-specific network traffic.  Another 27 percent of respondents said they would depend on field operators or technicians identifying irregularities manually, while only 16 percent reported using continuous OT monitoring as the primary basis for cyber threat detection. Sakari Suhonen, CEO of Tosi U.S., warned that this gap represents a major vulnerability for the energy sector in the wake of Operation Epic Fury.  “This is the most consequential blind spot in U.S. energy infrastructure right now,” Suhonen said. “The sector has the budget, the executive attention, and the will to act. What it does not yet have is detection that actually sees OT. After Operation Epic Fury, that distinction is the difference between catching an intrusion in hours and finding out about it from a production outage.” 

Operation Epic Fury Drives Rapid OT Security Spending 

The independent survey was fielded in April 2026, approximately six weeks after Operation Epic Fury began. Researchers noted that the speed of the sector’s response has been unusually aggressive compared to previous cybersecurity cycles.  One of the clearest trends identified by OT decision makers involved changing perceptions of cyber risk. Sixty-three percent of surveyed operators said cyber risk is now higher than it was before February 28, with 13 percent describing the increase as significant.  Respondents identified several key factors contributing to elevated risk levels, including growing convergence between IT and OT systems, increased targeting of energy infrastructure by state-sponsored cyber actors, and expanding dependence on third-party remote access technologies.  The independent survey also showed that emergency cybersecurity funding is already being deployed. Ninety-four percent of operators said they had either approved or were actively reviewing unplanned OT security spending linked directly to the post-Operation Epic Fury threat landscape. Among OT decision makers surveyed, 95 percent expect OT cybersecurity budgets to increase over the next 12 months, while one in four anticipated budget growth exceeding 20 percent. 

OT Decision Makers Prioritize Detection and Visibility 

The survey findings indicate that OT decision makers are placing greater emphasis on visibility and detection capabilities rather than traditional perimeter security tools.  When respondents were asked to identify the single most important OT security capability to improve over the next year, 22 percent selected continuous monitoring and anomaly detection. Another 20 percent pointed to OT-specific incident detection and response solutions.  Additional priorities included asset discovery at 15 percent and OT-specific secure remote access at 14 percent. Combined, detection, visibility, and remote access technologies accounted for 71 percent of all named priorities among surveyed OT decision makers.  At the same time, operational disruptions linked to cybersecurity incidents appear widespread throughout the sector. According to the independent survey, 99 out of 100 operators reported experiencing at least one category of cyber incident since February 28.  Ransomware affecting OT-connected systems impacted 48 percent of operators surveyed, while another 48 percent reported precautionary OT shutdowns triggered by incidents originating on the IT side of operations. 

Human Challenges Continue to Slow OT Security Progress 

Despite the increase in cybersecurity spending following Operation Epic Fury, many organizations continue to struggle with internal operational barriers. The independent survey found that 45 percent of operators consider the cultural divide between IT and OT teams to be the single largest obstacle preventing faster cybersecurity improvements. Respondents said IT security personnel often lack the specialized expertise required to secure OT environments effectively.  Operational risk aversion ranked as the second-largest barrier at 28 percent. By contrast, only 11 percent of respondents identified budget constraints as a major challenge, marking a notable change from previous industry research in which financial limitations consistently ranked as the top concern for OT decision makers.  The findings emerge amid continuing warnings from federal authorities regarding Iran-aligned cyber activity targeting Western critical infrastructure after Operation Epic Fury. On April 7, six U.S. federal agencies — including the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Energy — issued joint advisory AA26-097A. The advisory confirmed that Iranian-affiliated threat actors were actively disrupting programmable logic controllers across U.S. energy, water, and government sectors, resulting in operational disruptions and financial losses.  The Railroad Commission of Texas later issued a parallel warning to operators on April 10. According to Tosi, the independent survey represents the first dataset quantifying how the oil and gas sector itself is responding to the cybersecurity environment created by Operation Epic Fury. Suhonen said the industry’s next decisions regarding OT security investments will determine whether organizations close existing detection gaps or reinforce systems that remain ineffective for OT environments.  “The next twelve months will see oil and gas spend more on OT security than in the previous several years combined,” Suhonen said. “That spend will land in one of two places. It will close the detection gap with OT-native monitoring, asset visibility, and purpose-built secure remote access. Or it will deepen the IT-tool stack that operators have already told us they cannot see what they need it to see. The data is unambiguous about which path the market needs to take.” 

A recently disclosed set of vulnerabilities in Salesforce Marketing Cloud, widely known as SFMC, has drawn attention to the security risks tied to centralized marketing infrastructure.   The flaws, which affected components tied to AMPScript, CloudPages, and email-rendering workflows, could have enabled attackers to access subscriber information, enumerate marketing emails, and potentially affect organizations across multiple tenants.  Security researchers found that weaknesses in SFMC’s templating engine and cryptographic implementation introduced opportunities for unauthorized data access across customer environments. 

AMPScript and SFMC Template Injection Risks 

Modern enterprises rely heavily on Salesforce Marketing Cloud to manage large-scale marketing campaigns, personalized customer journeys, and trackable email communications. The platform, formerly known as ExactTarget, supports dynamic content generation through technologies such as AMPScript, Server-Side JavaScript (SSJS), and internal data views connected to large subscriber databases.  While these features provide flexibility for marketers, researchers noted that they also increase the impact of any underlying vulnerability. One of the major concerns centered on SFMC’s server-side templating framework.  AMPScript and SSJS allow organizations to dynamically insert subscriber attributes such as names, email addresses, and engagement metrics directly into marketing content. However, functions like TreatAsContent introduced a dangerous behavior because they effectively evaluate user-controlled input as executable template code. Researchers explained that if attacker-controlled data was passed into these functions, it could trigger template injection inside Salesforce Marketing Cloud environments.  The issue became more severe because SFMC historically supported AMPScript execution within email subject lines. According to the findings, legacy behavior caused subject templates to be evaluated twice by default. That design opened the door for payload execution during the second rendering stage. Researchers demonstrated the risk using the following payload inside a name field:  %%=RowCount(LookupRows("_Subscribers","SubscriberKey",_subscriberkey))=%%  If processed during the second evaluation phase, the payload could execute successfully and create a reliable injection point inside the marketing workflow.  Once template execution was achieved, attackers could potentially use built-in SFMC functions such as LookupRows to query internal Data Views, including: 

• _Subscribers  
• _Sent  
• _Job  
• _SMSMessageTracking  
• _Click  

Access to these views could expose subscriber lists, email delivery records, engagement metrics, and message history associated with affected Salesforce Marketing Cloud tenants. 

CloudPages and “View Email in Browser” Vulnerability

Researchers identified an even more serious vulnerability tied to SFMC’s “view email in browser” functionality and CloudPages infrastructure. Many Salesforce customers configure branded domains such as view.example.com or pages.example.com that route back to shared SFMC infrastructure. These links typically rely on an encrypted qs parameter containing tenant and message-specific information. According to researchers from Searchlight Cyber, the older “classic” qs implementation used unauthenticated CBC encryption. The researchers found that the implementation behaved as a padding oracle, which made it possible to decrypt and re-encrypt query string parameters under certain conditions. Initially, the researchers abused the weakness using the Padre tool before later improving the process through the AMPScript MicrositeURL function.  This allowed them to forge valid QS values and access workflows such as “Forward to a Friend,” which could resolve subscriber identifiers into actual email addresses.  One of the most concerning aspects of the vulnerability was SFMC’s use of a single static encryption key shared across tenants. Researchers stated that once the cryptographic structure became understood, attackers could theoretically enumerate subscribers and access email content across multiple organizations using the same mechanism.

Legacy Encryption Weaknesses Expanded the Attack Surface 

The researchers also uncovered an older URL format that relied on per-parameter “encryption.” However, the mechanism reportedly consisted of a repeating static XOR key combined with a checksum. Although the scheme was considered legacy functionality, researchers found that it still worked on modern SFMC tenants. Because the implementation lacked strong cryptographic protections, attackers could decrypt and enumerate parameters such as JobID and ListSubscriber at high speed without relying on the slower padding-oracle technique.  The findings highlighted how legacy systems inside large cloud platforms can continue to create security exposure long after newer protections are introduced. 

Impact of the Salesforce Marketing Cloud Vulnerability 

Researchers concluded that the combined vulnerabilities could have enabled attackers to: 

• Enumerate and exfiltrate subscriber records  
• Access sent marketing emails and engagement data  
• Forge cross-tenant QS tokens  
• Access emails belonging to other organizations  
• Exploit hard-coded cryptographic material  
• Abuse argument-injection flaws tied to the MicrositeURL function  
• Manipulate CloudPages and other SFMC web workflows  

To address the issues, Salesforce assigned multiple CVEs covering several root causes, including insecure cryptographic implementations, hard-coded keys, and argument injection vulnerabilities affecting MicrositeURL and CloudPages components.  According to Salesforce, the vulnerabilities were reported on 16 January 2026. Mitigations were deployed between 21 January and 24 January 2026. The company stated that it had identified no confirmed malicious exploitation at the time of disclosure.  As part of the remediation process, Salesforce migrated Marketing Cloud Engagement encryption to AES-GCM, rotated encryption keys, and disabled the double evaluation behavior tied to AMPScript subject-line rendering.  The company also invalidated all legacy tracking and CloudPages links created before 21 January 2026 at 23:00 UTC. Those links expired globally on 23 January 2026 at 21:00 UTC. 

A newly disclosed cybersecurity issue, tracked as CVE-2026-0300, has drawn urgent attention due to its critical severity and active exploitation. The flaw affects PAN-OS, the operating system used in Palo Alto Networks firewalls, and has been categorized as a buffer overflow vulnerability with serious implications for enterprise security environments.  The CVE-2026-0300 PAN-OS vulnerability was officially published on May 6, 2026, and updated the same day after being discovered in real-world production environments. It carries a CVSS score of 9.3, placing it firmly in the “critical” category. The issue stems from a buffer overflow vulnerability in the User-ID Authentication Portal, also known as the Captive Portal service, within PAN-OS.  This flaw allows an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted network packets. Because the attack requires no authentication, no user interaction, and can be carried out over the network with low complexity, the exposure risk is considered extremely high. 

Technical Details of the Buffer Overflow Vulnerability in PAN-OS 

The root cause of CVE-2026-0300 PAN-OS is classified under CWE-787: Out-of-bounds Write, a common but dangerous type of buffer overflow vulnerability. Attackers can exploit this flaw to overwrite memory and potentially take full control of affected systems.  The vulnerability impacts PA-Series and VM-Series firewalls when the User-ID™ Authentication Portal is enabled. Importantly, Prisma Access, Cloud NGFW, and Panorama appliances are not affected.  Security data associated with the vulnerability highlights the following: 

• Attack Vector: Network  
• Attack Complexity: Low  
• Privileges Required: None  
• User Interaction: None  
• Confidentiality, Integrity, Availability Impact: High  

Additionally, the vulnerability is automatable and has already reached the “ATTACKED” stage in exploit maturity, indicating that real-world attacks have been observed. 

Active Exploitation and Risk Factors 

Evidence shows limited exploitation of CVE-2026-0300 PAN-OS, particularly targeting systems where the User-ID Authentication Portal is exposed to untrusted networks or the public internet. Environments that allow external access to this portal face the highest level of risk. The severity is further highlighted by the CVSS vector:  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H  This translates to a scenario where attackers can remotely compromise systems without needing credentials or user involvement, leveraging the buffer overflow vulnerability to gain root-level access. 

Affected and Unaffected Versions 

Multiple versions of PAN-OS are impacted by CVE-2026-0300, including: 

• PAN-OS 12.1 versions prior to 12.1.4-h5 and 12.1.7  
• PAN-OS 11.2 versions prior to 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12  
• PAN-OS 11.1 versions prior to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15  
• PAN-OS 10.2 versions prior to 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6  

Patches are scheduled with estimated availability dates ranging from May 13 to May 28, 2026. Cloud NGFW and Prisma Access deployments remain unaffected. 

Mitigation and Workarounds 

While patches are being rolled out, organizations are advised to take immediate steps to reduce exposure to the buffer overflow vulnerability in PAN-OS.  Recommended mitigations include: 

• Restricting access to the User-ID Authentication Portal to trusted internal IP addresses only  
• Preventing any exposure of the portal to the public internet  
• Disabling the User-ID Authentication Portal entirely if it is not required  

The risk associated with CVE-2026-0300 PAN-OS drops significantly when these best practices are implemented. Systems that already follow strict network segmentation and access control policies are at a much lower risk. 

The collaboration between the Unique Identification Authority of India and the National Forensic Sciences University marks a significant development in India's security landscape and digital forensics. In a move aimed at strengthening the country’s digital infrastructure, UIDAI and NFSU have formalized a five-year partnership to advance research, training, and operational capabilities in cybersecurity and digital forensics. 

According to an official statement, UIDAI and NFSU have established a structured collaboration designed to address emerging challenges in cybersecurity and digital forensics.

UIDAI and NFSU Join Forces on Cybersecurity and Digital Forensics

The agreement, announced on May 5 in Ahmedabad, provides a comprehensive framework to bring together expertise from both institutions. It is intended to reinforce cyber resilience across UIDAI’s systems, which form the backbone of India’s digital identity ecosystem.  The Ministry of Electronics and Information Technology highlighted that this partnership creates an umbrella structure for coordinated efforts in research, technical development, and capacity building. The initiative underscores the growing importance of cybersecurity and digital forensics as critical components of national digital infrastructure. 

Six Strategic Pillars Driving UIDAI and NFSU Collaboration 

The UIDAI and NFSU partnership is structured around six key pillars, each targeting specific aspects of cybersecurity and digital forensics. These include academic and professional development, aimed at building skilled talent in the field, as well as strengthening information security and system integrity within UIDAI’s ecosystem.  Another major focus area is the development of advanced forensic infrastructure and laboratory capabilities. This will support deeper investigation and analysis of cyber incidents. Additionally, the agreement outlines provisions for technical support in cybersecurity operations, ensuring that UIDAI benefits from NFSU’s specialized expertise.  The collaboration also emphasizes joint research and technical advisory in emerging technologies. Areas such as artificial intelligence, blockchain, cryptography, and deepfake detection are expected to play a central role. The sixth pillar focuses on strategic placement and outreach, creating pathways for NFSU students to gain hands-on experience and career opportunities within UIDAI-related projects. 

Strengthening India’s Digital Backbone

India’s digital identity framework, powered by UIDAI, requires continuous upgrades to counter evolving cyber threats. The UIDAI and NFSU partnership aims to address this need by integrating advanced cybersecurity and digital forensics practices into the system’s core operations. UIDAI Chief Executive Officer Vivek Chandra Verma described the agreement as a crucial step toward enhancing the security architecture of India’s digital public infrastructure. He stated that the collaboration will significantly improve forensic readiness and resilience, ensuring stronger protection against cyber risks. The signing ceremony was attended by senior officials from both institutions, including Deputy Director General Abhishek Kumar Singh and NFSU Gujarat Campus Director S. O. Junare. Their presence highlighted the institutional commitment to advancing cybersecurity and digital forensics through sustained collaboration. 

Expanding Access While Enhancing Security 

Alongside this partnership, UIDAI has also taken steps to improve accessibility to its services. Collaborations with digital platforms like MapmyIndia and Google now allow users to locate authorized Aadhaar centers more easily. These platforms provide information on available services, operating hours, and accessibility features. While these initiatives focus on user convenience, they also align with the broader objective of strengthening the integrity of India’s digital identity system. By combining improved accessibility with robust cybersecurity and digital forensics measures, UIDAI aims to maintain trust in its infrastructure.

The Cyber Express previously reported the ChipSoft cyberattack, in which ransomware actors stole patient data. Now, reports have surfaced from the Dutch medical software provider, noting that the compromised data has been destroyed, though key details about the incident remain undisclosed.  In an update issued on April 28, 2026, ChipSoft stated that all data collected during the cyberattack had been deleted. According to the company, cybersecurity specialists verified that the destruction was carried out in a “technically sound manner,” although no further explanation was provided about the methods used.  The company emphasized that preventing the publication of stolen data was a top priority. “With the support of cybersecurity experts, we managed to prevent the data from being published. Furthermore, the stolen data has been destroyed,” the statement read. However, ChipSoft has not clarified whether it paid a ransom to the attackers, despite earlier indications that negotiations had taken place.  “Protecting our customers’ data has always been our top priority. In this exceptional situation, that priority weighed very heavily,” the company added, hinting at the difficult decisions made during the ransomware attack response. 

Timeline of the ChipSoft Cyberattack 

The ChipSoft cyberattack first came to light in early April 2026. On April 12, ChipSoft disclosed that it had fallen victim to a cyberattack on its systems earlier that week. As an immediate precaution, the company disabled connections to several key services, including its Care Portal, Care Platform, and HiX Mobile applications, starting April 8.  At the time, ChipSoft confirmed it had engaged Z-CERT, the Dutch healthcare cybersecurity expertise center, and external cybersecurity professionals to conduct a forensic investigation. The company acknowledged the disruption caused to healthcare providers and patients, noting that patient portals were temporarily unavailable and data exchange via the platform had been halted. 

Data Theft Confirmed in the Netherlands 

By April 16, the investigation revealed that cybercriminals behind the ransomware attack had successfully stolen personal and medical data from several Dutch healthcare institutions. ChipSoft confirmed that affected organizations were being notified directly.  Hans Mulder, CEO of ChipSoft, addressed the breach, stating: “After forty years of dedication to reliable healthcare IT, it pains us that this situation has arisen. We cannot undo this data theft. However, we are doing everything we can to support the affected customers as best as possible in this situation.”  In contrast, a separate update on the same day confirmed that Belgian patient data had not been compromised in the cyberattack on ChipSoft systems. 

Systems Shutdown and Gradual Recovery 

The cyberattack forced ChipSoft to shut down multiple services as a preventive measure. Systems such as Zorgplatform, Zorgportaal, and HiX Mobile were temporarily taken offline, affecting daily operations in healthcare institutions.  By April 17, after extensive analysis conducted in collaboration with cybersecurity experts and Z-CERT, ChipSoft announced that the affected systems were safe to use again. A phased rollout began shortly afterward, with healthcare institutions being informed directly about the restoration process.  Further progress was reported on April 24, when ChipSoft confirmed that most healthcare institutions had regained access to Zorgplatform. Connections to Zorgportaal were also being restored, allowing many patient portals to become operational again. The HiX Mobile app became available once institutions reactivated their systems.  Despite these advancements, ChipSoft cautioned that the recovery process required time and careful handling. The company acknowledged the strain placed on healthcare providers, stating that the precautionary measures had significantly impacted daily workflows and patient care. 

A newly disclosed security issue, tracked as CVE-2026-41940, has raised significant concerns across the web hosting ecosystem, particularly for systems running cPanel and WebHost Manager (WHM). The flaw, described as an authentication bypass security vulnerability, affects multiple authentication pathways and could potentially allow unauthorized users to gain access to sensitive control panel environments.  The vulnerability was formally acknowledged in a security advisory published on April 28, 2026, and later updated several times, with the most recent revision on April 29, 2026, at 02:46 PM CST. The advisory, titled “Security: CVE-2026-41940 - cPanel & WHM / WP2 Security Update 04/28/2026,” outlines the scope, impact, and mitigation steps associated with the issue.  According to the advisory, the root cause lies in an authentication bypass security flaw affecting cPanel software, including DNSOnly installations, across all versions released after 11.40. While initially lacking an official identifier, the issue is now widely referenced as CVE-2026-41940. 

Affected Versions and Patch Releases 

The vulnerability impacts all currently supported versions of cPanel and WHM. To address the issue, patches have been released for the following versions:

• 11.86.0.41  
• 11.110.0.97  
• 11.118.0.63  
• 11.126.0.54  
• 11.130.0.19  
• 11.132.0.29  
• 11.134.0.20  
• 11.136.0.5  

Additionally, WP Squared version 136.1.7 has also received a corresponding fix.  The advisory stresses that administrators should immediately update their systems using the standard update script: 

/scripts/upcp --force 

Once the update is complete, verification of the installed version and restarting the cPanel service (cpsrvd) is required to ensure the patch is properly applied. 

Immediate Mitigation Steps for CVE-2026-41940 

For environments where updates cannot be applied right away, temporary mitigations have been recommended. These include blocking inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall level, or disabling key services such as cpsrvd and cpdavd. Administrators are also warned that systems with disabled automatic updates or pinned to specific versions will not receive patches automatically. These systems must be manually updated as a priority to mitigate the authentication bypass security risk posed by CVE-2026-41940.

Detection Script and Indicators of Compromise 

To assist administrators in identifying potential exploitation attempts, a detection script has been provided. The script scans session files located in /var/cpanel/sessions for indicators of compromise (IOCs).  Key detection mechanisms include: 

• Identification of session files containing both token_denied and cp_security_token, which strongly suggests exploitation attempts.
• Detection of pre-authentication sessions containing authenticated attributes.
• Sessions marked with tfa_verified but lacking legitimate origin markers.
• Multi-line password values, indicating possible session file corruption.

If the script detects suspicious activity, it outputs warnings or critical alerts. In cases where compromise is confirmed, administrators are instructed to: 

• Purge all affected sessions  
• Force password resets for root and all WHM users  
• Audit system logs, such as /var/log/wtmp and WHM access logs  
• Investigate persistence mechanisms like cron jobs, SSH keys, or backdoors  

An example output included in the advisory demonstrates detection of an exploitation attempt originating from IP address 100.96.3.23, where an injected session token was identified alongside a failed authentication attempt. 

Industry Response and Ongoing Monitoring 

Although cPanel has not disclosed detailed technical specifics about CVE-2026-41940, third-party hosting provider Namecheap confirmed that the issue involves “an authentication login exploit that could allow unauthorized access to the control panel.”  As a precaution, Namecheap implemented firewall rules blocking TCP ports 2083 and 2087, temporarily restricting access to cPanel and WHM interfaces. The company stated, “Our team is actively monitoring the situation and will apply the official patch across all supported servers as soon as it becomes available.”  The provider also confirmed that patches had been deployed across Reseller and Stellar Business servers, with broader rollout ongoing. 

Urgency Around Updating cPanel Systems 

The advisory emphasizes that any server running an unsupported version of cPanel remains at risk from this authentication bypass security flaw. Administrators are strongly urged to upgrade to a supported and patched version as soon as possible.  “If your server is not running a supported version of cPanel that is eligible for this update, it is highly recommended that you work toward updating your server as soon as possible, as it may also be affected,” the advisory notes. 

Cybersecurity researchers have revealed critical details about a newly identified RCE vulnerability, tracked as CVE-2026-3854, affecting both GitHub’s cloud infrastructure and GitHub Enterprise Server deployments. The flaw, which carries a high CVSS score of 8.7, could allow an authenticated user to execute arbitrary code on affected systems with a single crafted git push command.  The vulnerability, discovered by researchers at Wiz, exposes a command injection flaw within GitHub’s internal handling of user-supplied data. Specifically, the issue lies in how push options, key-value strings sent during a git push operation, were processed. 

What is CVE-2026-3854 RCE Vulnerability? 

According to an advisory from GitHub, “During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers.” Because the internal header format relied on a delimiter character that could also appear in user input, attackers could manipulate these values to inject additional metadata fields.  This weakness opened the door for exploitation of the RCE vulnerability, allowing attackers to gain access to a repository, including one they created themselves, to execute arbitrary commands on the server handling the request.

How the RCE Vulnerability Worked 

At the core of CVE-2026-3854 is improper input sanitization. During a typical git push, metadata such as repository type and processing environment is passed between internal services. This metadata is encoded using a delimiter, specifically a semicolon.  However, because user-controlled push options were inserted into this metadata without sufficient filtering, an attacker could craft inputs containing the delimiter. This allowed them to inject additional fields into the internal X-Stat header.  By chaining multiple malicious values, researchers demonstrated that an attacker could: 

• Override the environment in which the push operation was processed  
• Bypass sandboxing protections designed to restrict execution  
• Ultimately achieve remote code execution on the server  

This made the flaw particularly dangerous, as it required minimal effort to exploit—a single command could trigger the attack. 

Timeline: Discovery and Rapid Response 

The CVE-2026-3854 RCE vulnerability was responsibly disclosed by Wiz on March 4, 2026. GitHub’s response was notably swift.  In a detailed blog post, Alexis Wales explained:  “On March 4, 2026, we received a vulnerability report through our Bug Bounty program from researchers at Wiz describing a critical remote code execution vulnerability affecting github.com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Server.”  GitHub’s internal security team began validation immediately. Within 40 minutes, they had reproduced the issue and confirmed its severity. By 5:45 p.m. UTC, the root cause had been identified, and by 7:00 p.m. UTC—less than two hours after validation—a fix was deployed to GitHub.com. 

Affected Systems and Patch Availability 

The RCE vulnerability CVE-2026-3854 impacted a wide range of GitHub products, including: 

• GitHub.com  
• GitHub Enterprise Cloud  
• GitHub Enterprise Cloud with Data Residency  
• GitHub Enterprise Cloud with Enterprise Managed Users  
• GitHub Enterprise Server  

While cloud-hosted services were patched automatically on March 4, 2026, GitHub Enterprise Server required manual updates. Fixes were released in the following versions: 

• 3.14.25  
• 3.15.20  
• 3.16.16  
• 3.17.13  
• 3.18.8  
• 3.19.4  
• 3.20.0 or later  

Users of GitHub Enterprise Server are strongly advised to upgrade immediately to mitigate the risk associated with this RCE vulnerability. 

No Evidence of Exploitation 

Following the patch deployment, GitHub conducted a thorough forensic investigation to determine whether CVE-2026-3854 had been exploited in the wild.  A key indicator of exploitation was the triggering of an unusual internal code path—one not used during normal operations. GitHub analyzed telemetry data and found: 

• All instances of this anomalous behavior were linked exclusively to the Wiz researchers’ testing  
• No unauthorized users triggered the exploit  
• No customer data was accessed, modified, or exfiltrated  

This provided strong assurance that the RCE vulnerability had not been abused before disclosure. 

Defense-in-Depth Improvements 

Beyond fixing the input sanitization issue, GitHub identified an additional weakness. The exploit relied partly on a code path that should not have been accessible in the affected environment. Although it existed within the server’s container image, it was intended for a different configuration. GitHub removed this unnecessary code as part of its remediation efforts. This additional hardening ensures that even if a similar vulnerability emerges in the future, its impact would be significantly reduced.

Recommendations for GitHub Enterprise Server Users 

For organizations using GitHub Enterprise Server, exploitation of CVE-2026-3854 would require an authenticated user with push access. As a precaution, GitHub recommends: 

• Reviewing /var/log/github-audit.log for suspicious push operations  
• Checking for push options containing semicolons (;)  
• Upgrading to the latest patched version without delay  

India’s cybersecurity watchdog, CERT-In, has raised concerns of the nature of modern cyber threats, particularly those driven by artificial intelligence. In its latest advisory, the cybersecurity watchdog has highlighted how frontier AI technologies are reshaping the threat landscape, making cyberattacks faster, more scalable, and far more accessible, even to less skilled attackers. The warning places a special emphasis on Micro, Small, and Medium Enterprises (MSMEs), which are becoming prime targets due to their comparatively weaker security frameworks.  According to CERT-In, the rise of AI-powered tools marks a significant turning point in how cyberattacks are conceived and executed. What once required advanced technical expertise and hours of manual effort can now be accomplished in a fraction of the time through automation. The cybersecurity watchdog noted that modern AI systems are capable of independently scanning large volumes of source code, identifying deeply embedded vulnerabilities, and even launching coordinated, multi-stage cyberattacks. This shift has introduced what the agency describes as an era of “automation and scale” in cybercrime. 

From Manual Intrusion to AI-led Cyberattacks 

CERT-In’s advisory explains that traditional hacking methods involve painstaking manual processes and highly specialized knowledge. Attackers would typically spend hours, if not days, probing systems for weaknesses before exploiting them. However, AI has fundamentally altered this dynamic. Frontier AI systems can now detect “zero-day” vulnerabilities, previously unknown flaws, in mere seconds.  More concerning is the ability of these systems to “chain” multiple vulnerabilities together. By linking weaknesses across different applications or platforms, attackers can orchestrate comprehensive attacks that compromise entire networks from end to end. This level of sophistication was once limited to highly skilled professionals or state-sponsored actors. Today, however, the cybersecurity watchdog warns that such capabilities are accessible, effectively lowering the barrier to entry for cybercriminals. 

MSMEs Under Heightened Risk 

The advisory stresses that MSMEs are particularly vulnerable in this new threat environment. Unlike large enterprises, MSMEs often operate with limited budgets and lack dedicated cybersecurity teams or advanced monitoring systems. This makes it easier for attackers to leverage AI-driven tools.  CERT-In has pointed out that because AI simplifies and automates many aspects of cyberattacks, even individuals with minimal technical expertise can now carry out highly precise and damaging operations. As a result, MSMEs face a disproportionate level of risk. A successful breach could lead to severe consequences, including data theft, operational disruptions, or ransomware attacks that many smaller businesses are ill-prepared to manage.  The cybersecurity watchdog has cautioned that without immediate and meaningful improvements in their security posture, MSMEs could suffer significant financial and reputational damage. The growing accessibility of AI-powered attack tools means that the threat is no longer hypothetical but immediate and widespread. 

Recommended Security Measures 

In response to these emerging risks, CERT-In has outlined several critical steps that organizations, especially MSMEs, should take to strengthen their defenses. One of the primary recommendations is the deployment of robust threat detection systems combined with continuous network monitoring. These measures can help identify unusual activity early and prevent attacks from escalating.  Another key focus area highlighted by the cybersecurity watchdog is patch management. As AI tools enable attackers to quickly identify and exploit unpatched vulnerabilities, delays in updating software can create significant security gaps. CERT-In stresses that the timely application of patches is essential to minimizing exposure.  Additionally, maintaining comprehensive system logs is strongly advised. Detailed logs play a crucial role in forensic investigations, helping organizations understand how an attack occurred and what vulnerabilities were exploited. This information is vital for preventing future incidents and strengthening overall cybersecurity resilience. 

A cybersecurity incident has raised concerns after it was revealed that sensitive data associated with the Jurong Region Line (JRL) MRT stations and the Changi NEWater Factory 3 were compromised. The contractor responsible for both critical infrastructure projects, Shanghai Tunnel Engineering Co (Singapore), is currently facing scrutiny as authorities investigate the breach.

Data Compromise Involving Shanghai Tunnel Engineering Co 

The breach primarily affects the civil engineering firm Shanghai Tunnel Engineering Co, which has been engaged in the construction of three key stations along the JRL and the new Changi NEWater Factory 3. While the exact timing of the incident remains unclear, the compromised data has since been identified as tender documents for the projects. These documents, however, are available on the government’s GeBIZ procurement portal, which mitigates concerns over the theft of sensitive information. On April 27, the Land Transport Authority (LTA) responded to public queries by confirming that it was aware of the cybersecurity breach and had reported the matter to the police and other relevant authorities. In an effort to minimize potential risks, the LTA temporarily suspended the contractor’s access to its digital systems, although the breach has not been reported to have disrupted the ongoing construction of the JRL MRT stations.

Impact on Changi NEWater Factory 3 

While the data breach raises alarms, the national water agency PUB (Public Utilities Board) has reassured the public that there has been no access to its digital systems by Shanghai Tunnel Engineering Co. Following an internal investigation, PUB concluded that no sensitive data related to the Changi NEWater Factory 3 had been stolen. The only data compromised were the project tender documents, which, as mentioned, are publicly accessible on GeBIZ. A PUB spokesperson emphasized that the agency maintains a "serious view" of cybersecurity and has advised the contractor to review its security protocols. Despite extensive checks on known ransomware portals and hacker forums, no evidence of leaked data related to the breach has surfaced, alleviating some concerns among stakeholders.

Company’s Response to Cybersecurity Incident 

In a statement issued on April 28, Shanghai Tunnel Engineering Co (Singapore) acknowledged the cybersecurity incident, confirming that it had taken immediate steps to contain the situation. While the company did not specify when the breach occurred, it assured the public that it was cooperating fully with the authorities. Furthermore, the company has enlisted an external cybersecurity specialist to aid in the investigation. "We are cooperating fully with the relevant authorities and kindly request that all parties allow the investigation to proceed without interference," a company representative said. Shanghai Tunnel Engineering Co, established in 1996, is a well-established contractor with significant experience in MRT projects across Singapore. The firm has previously worked on various stations for the Circle, Downtown, and Thomson-East Coast lines. Its latest projects involve critical infrastructure, including the JRL stations and the Changi NEWater Factory 3.

Contract Details and Future Expectations 

In 2019, Shanghai Tunnel Engineering Co was awarded a $465.2 million contract to design and build three JRL stations, Choa Chu Kang, Choa Chu Kang West, and Tengah—along with a 4.3km viaduct connecting them. This work includes integrating the existing Choa Chu Kang MRT station on the North-South Line into the JRL network. In addition to the JRL projects, Shanghai Tunnel Engineering Co is also involved in the construction of the Changi NEWater Factory 3. In November 2025, a $205 million contract was awarded to Sanli M&E Engineering, which formed a joint venture with Shanghai Tunnel Engineering Co in February 2026. The joint venture will be responsible for several key aspects of the factory’s construction, including civil, structural, and architectural works, as well as external and building services. The Changi NEWater Factory 3 is expected to be operational by 2028 and will replace the existing Bedok facility. Once completed, the factory will be capable of producing up to 50 million gallons of NEWater daily, contributing significantly to Singapore's water sustainability efforts.

Medtronic, the global leader in medical technology, disclosed a data breach affecting its corporate IT systems. On April 24, the company confirmed that an unauthorized third party gained access to certain systems, although the Medtronic data breach is not expected to have any material impact on the company’s financial performance or business operations. The breach has raised concerns across the healthcare and medtech sectors, but Medtronic assured investors and customers that it had taken immediate action to contain the situation.

What Happened to the Medtronic Data Breach? 

The Medtronic data breach, which was identified on April 24, involved unauthorized access to some of Medtronic’s corporate IT systems. However, the company was quick to clarify that no disruption had occurred in key operational areas, including product safety, customer connections, and manufacturing or distribution activities. Importantly, there was no reported impact on patient safety or the company’s ability to meet its patient care commitments. In a public filing with the U.S. Securities and Exchange Commission (SEC), Medtronic stated, “We have not identified any impact to our products, patient safety, connections to our customers, our manufacturing and distribution operations, or our financial reporting systems.” The company emphasized that the networks supporting corporate IT systems are separate from those used for products, manufacturing, and distribution, which remain unaffected by the breach. Additionally, Medtronic highlighted that the IT systems supporting hospitals and healthcare customers are managed separately and secured by the customers’ IT teams. As such, hospital networks were not impacted by the breach, nor was there any disruption to hospital operations or services.

Immediate Actions Taken by Medtronic 

Following the identification of the breach, Medtronic moved quickly to contain the incident. The company activated its incident response protocols and sought assistance from cybersecurity experts to investigate the breach and implement necessary remediation measures. Medtronic has also initiated an effort to determine if any personal information was accessed during the breach. If any sensitive data has been compromised, the company assured it would provide necessary notifications and support services to affected individuals. The company remains committed to enhancing its cybersecurity measures. “We are simultaneously identifying additional ways to further optimize our system security,” said a Medtronic spokesperson. The company has also assured its stakeholders that it does not expect the incident to have an impact on its financial results or overall business operations.

The Broader Impact on the Medtech Sector 

The data breach at Medtronic follows a series of similar cybersecurity incidents that have affected other companies in the medtech industry. In March 2026, a cyberattack disrupted operations at Stryker, another major player in the medical technology sector. The attack targeted Stryker’s Microsoft environment, affecting ordering, shipping, and manufacturing processes. It took several weeks for Stryker to fully recover and return to normal operations. Simultaneously, Intuitive Surgical, a leading manufacturer of surgical robots, reported a phishing incident. The unauthorized party gained access to sensitive customer, employee, and corporate data. Intuitive Surgical also claimed that the issue was contained without significant financial impact, echoing Medtronic’s own assessment that the data breach would not affect its financial standing. These incidents highlight the frequency and sophistication of cyberattacks within the healthcare and medtech industries. As digital transformation accelerates in these sectors, companies are vulnerable to cyber threats.

A vulnerability has been identified in the popular open-source text editor, Notepad++, with the release of CVE-2026-3008. The vulnerability, discovered and reported by CSA under its Responsibility Vulnerability Disclosure Policy, is linked to a potential string injection flaw in Notepad++ version 8.9.3. To mitigate the risk associated with this vulnerability, users and administrators are strongly urged to update their installations to version 8.9.4 immediately.

A Deeper Look at CVE-2026-3008 

The CVE-2026-3008 bug addresses a string-injection vulnerability in Notepad++, a widely used text editor for software development, writing, and other professional environments. The vulnerability allows attackers to exploit it, potentially gaining access to sensitive memory to read information or, in some cases, causing the application to crash. This flaw was first flagged by a contributor, Hazley Samsudin, whose prompt reporting allowed the Notepad++ team to act swiftly to resolve the issue.  As part of Notepad++'s ongoing security commitment, the Product Owner quickly released an official patch in version 8.9.4 to rectify the issue, ensuring the software remains secure for all users.

The Impact of CVE-2026-3008 on Notepad++ Users 

The vulnerability in Notepad++ version 8.9.3 has the potential for significant impacts on users. If successfully exploited, attackers could manipulate the string injection vulnerability to access memory addresses or even crash the application entirely. This could compromise the integrity of unsaved data or disrupt workflow, particularly in environments where Notepad++ is a critical tool for coding or note-taking. While this vulnerability may not allow for direct execution of arbitrary code, its potential for causing application crashes poses a risk to stability, especially if users are working with large or complex files. Given the widespread use of Notepad++ across multiple industries, it is crucial for users to take immediate action by upgrading to the secure 8.9.4 version.

Affected Versions of Notepad++ 

The vulnerability (CVE-2026-3008) is present exclusively in Notepad++ version 8.9.3. Therefore, anyone using this version or earlier versions is at risk of exploitation. The update to version 8.9.4, which includes necessary security patches, should be prioritized to prevent any potential exploitation of this vulnerability.  Users of Notepad++ are strongly encouraged to update their installations to the latest version, 8.9.4, which has been designed to address the vulnerabilities identified, including CVE-2026-3008. The Notepad++ development team worked quickly to release this update, which also includes a series of bug fixes and performance improvements. To ensure that systems remain secure, users can download the latest release directly from the official Notepad++ website or the GitHub repository. Administrators managing multiple machines should push the update across their networks to guarantee all affected systems are secured.  In addition to this update, Notepad++ version 8.9.4 includes several other improvements aimed at enhancing the software's overall stability and performance. These include fixes for crashes related to undo actions, improvements to file path handling, and updates to Scintilla and Lexilla for better language processing. 

Notable Fixes in Notepad++ v8.9.4 

The v8.9.4 update not only resolves the CVE-2026-3008 vulnerability but also brings a host of other important bug fixes and stability improvements. Some of the notable changes include: 

• Fixes to Crashes: Issues such as crashes when using the FindInFiles feature or when dropping files with long paths (over 259 characters) have been addressed.  
• Undo Action Issues: Previous versions had an issue with crashes caused by undoing actions in the column editor, especially when bad inputs were entered. This issue has now been resolved.  
• UI and Rendering Fixes: Improvements have been made to the user interface, including fixes for visual glitches in the Mark dialog and Document List view.  
• Improved Language Support: Updates to Scintilla and Lexilla provide better handling of C++ 11 raw string literals and enhanced syntax highlighting for various file formats.  

Additionally, the update addresses installation issues that impacted users of the MSI installer, including problems with context menu registrations and incorrect hexadecimal display names during installation. 

The Litecoin network faced a security breach when a zero-day vulnerability triggered a 13-block reorganization, impacting several major mining pools. This disruption led to a temporary halt in transaction finality, drawing attention to the potential risks within the Litecoin ecosystem. The Litecoin team quickly confirmed the bug on their official X account and assured the community that a patch had been fully deployed to resolve the issue. 

The Zero-Day Bug and Its Impact on the Litecoin Network 

A zero-day vulnerability refers to a flaw that is unknown to the developers at the time of its exploitation. In this case, the bug targeted the handling of MimbleWimble Extension Block (MWEB) transactions, a privacy feature on the Litecoin network. The vulnerability allowed an attacker to exploit the network by triggering a Denial-of-Service (DoS) attack, flooding the network with invalid MWEB transactions. MWEB transactions are designed to offer enhanced privacy for Litecoin users by obscuring transaction details. However, due to the zero-day bug, some Litecoin nodes that had not updated their software accepted invalid MWEB transactions, violating the network’s consensus rules. As a result, a block reorganization (or “reorg”) took place when a competing chain of blocks replaced the existing chain, causing 13 blocks to be reorganized. A block reorg of this magnitude is a rare event and presents significant challenges, including the potential for double-spending and undermined user confidence.

Understanding the Denial-of-Service Attack and Its Impact on Miners 

The core target of the attack was the mining pools, which play a critical role in securing the Litecoin network. Mining pools are groups of miners who pool their computational power to increase their chances of successfully finding a block. By launching a DoS attack, the attacker aimed to disrupt the mining process by overwhelming the network with invalid transactions. The impact on miners was particularly severe. Mining pools that failed to update their nodes were unable to process valid blocks during the attack. This resulted in temporary downtime for these pools, contributing to a short-term drop in the network’s hashrate. While the Litecoin network quickly recovered, the event highlighted the vulnerability of mining operations when software updates are delayed or ignored.

Quick Response and Deployment of the Patch 

Despite the severity of the incident, the Litecoin team responded promptly. Within hours, the development team confirmed the bug and rolled out a patch that effectively closed the attack vector. The patch prevented nodes from accepting invalid MWEB transactions, thus stabilizing the network and mitigating further risks. The team urged all node operators to update their software immediately to ensure the security of their operations. Importantly, the Litecoin team confirmed that no funds were lost as a result of the reorganization. While users’ transactions that were part of the reorganized blocks were reversed, the overall integrity of the network remained intact. The incident, although disruptive, demonstrated the resilience and quick action of the Litecoin team.

The Role of MWEB and Zero-Day Bugs 

Launched in 2011, Litecoin has earned a reputation as one of the oldest and most stable cryptocurrencies. As a fork of Bitcoin, it relies on a proof-of-work consensus mechanism to validate transactions. Over the years, Litecoin has faced relatively few security incidents, but the April 25 event serves as a stark reminder that even established networks are susceptible to vulnerabilities.  The introduction of MWEB in 2022 marked a significant upgrade for Litecoin, providing users with enhanced privacy features. However, as seen with this recent zero-day vulnerability, new features can also introduce unforeseen risks. 

The e-commerce platform eBay, a giant in online auctions and fixed-price listings, faced widespread disruptions beginning late Sunday, April 26, 2026, extending into Monday, as users across the globe reported severe technical issues. The eBay outage, which has crippled essential features of the site, particularly the API, has left many buyers and sellers frustrated, struggling to access critical functions, including search features, listings, and checkout processes.  As users faced slow page loads, failed transactions, and difficulty completing sales, a series of unverified reports surfaced suggesting that the hacktivist group 313 Team was behind the massive denial-of-service (DDoS) attack, claiming responsibility for the outage. While the true cause remains unconfirmed by eBay, the timing and scale of the disruption have fueled speculation that a cyberattack was involved. 

The Scope of the eBay Outage 

The eBay outage first began to affect eBay users on the afternoon of April 26, when they began reporting issues with the platform’s functionality. According to Downdetector, a popular service that tracks online outages, the spike in complaints reached around 3:30 PM ET, with the situation worsening the evening. As of 10:30 PM ET, more than 1,300 outage reports were logged, although the number eventually decreased to about 600 by 11:50 PM ET.  Users complained that essential functions like search were malfunctioning, and pages were loading extremely slowly. "I can't even search for anything or complete a purchase," one frustrated user posted on social media. Others echoed similar concerns, noting that critical transactions were unable to be completed, with error messages preventing them from checking out.  Sellers also voiced their frustrations, noting that they could not access the API, which is crucial for the functioning of third-party tools used to manage listings, inventory, and sales. "It’s been nearly 6 hours since the API went down, and we have no word from support," one seller wrote, emphasizing the financial impact of the outage. 

Social Media Users Complain About the Outage

While eBay has not officially confirmed the cause of the outage, rumors quickly began circulating on social media that the hacktivist group 313 Team was responsible for a DDoS attack targeting the platform. DDoS attacks, which flood a website with traffic to overwhelm its servers and take it offline, have become a frequent tactic for hacktivist groups in recent years. The group, which has previously targeted high-profile organizations, allegedly posted a claim on various forums, taking credit for the disruption. However, this attribution has not been independently verified, and eBay has not provided details about the nature of the attack. The company’s official status page displayed no alerts of a cyberattack, showing only minor updates on the system’s functionality.  Despite these official updates, the community’s response has been vocal, with many users continuing to report issues well into the night. One individual posted, "It’s not just down for me, it’s down for everyone. Is this part of a bigger attack targeting e-commerce sites?"  With eBay’s customer support channels largely silent or offering only generic responses, users took to social media to express their frustration. The company’s Instagram account, where many users had previously reached out for help, quickly became a forum for complaints. One commenter wrote, “Brooo you’re down—come on, get up! I need to pay for an auction.” Others left similar messages, questioning the reliability of the platform and demanding answers. 

In this week’s edition of The Cyber Express weekly roundup, we explore the latest developments in the world of cybersecurity, focusing on high-profile data breaches, growing malware campaigns, and law enforcement actions against cybercriminals.   As the digital threat landscape continues to evolve, attackers are targeting sensitive personal and organizational data, from health records to financial credentials. Meanwhile, government regulators are ramping efforts to protect minors and combat harmful content on social platforms, while cybercriminals continue to exploit vulnerabilities in both public and private sectors.  This weekly roundup highlights how various industries, from healthcare and social media to finance and government, are grappling with rising threats, making it clear that the intersection of data security, regulation, and cybercrime is more critical than ever.  

The Cyber Express Weekly Roundup 

UK Biobank Data Breach Triggers Urgent Review of Data Security Measures 

A significant data breach at the UK Biobank has raised major concerns over the security of health-related data used in scientific research. In April 2026, de-identified participant information was discovered being sold on a Chinese consumer platform, sparking widespread alarm among the research community. Read more... 

Vercel CEO Reveals Expansion of Malware Campaign Affecting Multiple Targets 

Vercel's CEO, Guillermo Rauch, confirmed that the recent breach involving Context.ai was part of a much larger malware campaign affecting multiple targets. Following a review of network logs, Vercel’s security team uncovered evidence of malware distribution that compromised several customer accounts, including access to valuable Vercel account keys. Read more... 

Ofcom Investigates Telegram and Teen Platforms 

In the UK, Ofcom has launched an investigation into Telegram and several popular teen chat platforms, such as Teen Chat and Chat Avenue, after reports surfaced of online grooming and child sexual abuse material (CSAM) on these services. Under the Online Safety Act, platforms are required to take proactive steps to prevent harmful content and protect minors from exploitation. Read more... 

Personal Data Exposed in Breach of France’s ANTS Portal 

A recent breach of France’s ANTS (Agence Nationale des Titres Sécurisés) portal has compromised personal data, including names, email addresses, and birthdates, although no documents or sensitive attachments were affected. The breach, which occurred on April 15, 2026, raises significant concerns about identity theft and phishing risks, as the exposed data could be used to target individuals. Read more... 

Bluesky Faces Coordinated DDoS Attack 

Bluesky, the rapidly expanding social media platform, suffered a major disruption on April 15, 2026, when it was targeted by a sophisticated distributed denial-of-service (DDoS) attack. The attack caused widespread outages, impacting core platform functions such as user feeds, notifications, and search capabilities. Read more... 

Indian Authorities Arrest Key SIM Card Supplier in Cyber Fraud Crackdown 

India’s Central Bureau of Investigation (CBI) has arrested a key conspirator in a major cyber fraud operation as part of Operation Chakra-V. The suspect, arrested in Guwahati, is accused of supplying fraudulent SIM cards used in various cybercrime schemes, including extortion and fake loan scams. The SIM cards were acquired using fake identities and distributed to cybercriminal networks. Read more... 

Weekly Takeaway 

This week’s roundup highlights the diverse and evolving nature of cyber threats. From the exposure of sensitive health data and sophisticated malware campaigns to DDoS attacks and SIM card fraud schemes, the cybersecurity landscape remains fraught with challenges. Regulatory bodies and companies alike continue to grapple with emerging risks, particularly in sectors like public health data, social media platforms, and digital content safety. As these incidents unfold, it’s clear that both technical vulnerabilities and human factors, such as social engineering, continue to be central targets for attackers.  With regulatory frameworks like the Online Safety Act and increased investigative efforts in places like India and France, the pressure on platforms and authorities to act quickly and decisively is higher than ever. As the cyber threat landscape becomes more interconnected, the need for enhanced security protocols, improved monitoring, and greater accountability in digital spaces remains critical. 

The UK Biobank data breach has intensified scrutiny around the handling and protection of sensitive health information, even when such data is stripped of personally identifiable details. Widely regarded as one of the most significant biomedical research resources in the world, UK Biobank holds extensive genetic, lifestyle, and medical data contributed by around 500,000 volunteers.   The recent data breach at UK Biobank, which involved the unauthorized listing of participant data for sale on a Chinese consumer website linked to Alibaba, has sparked concern among participants, researchers, and cybersecurity experts alike. 

The UK Biobank Data Breach 

The data breach at UK Biobank came to light in April 2026, when officials discovered that de-identified data belonging to participants had been listed for sale online. The listings appeared on a consumer platform owned by Alibaba, sparking immediate concern among researchers and participants alike.  UK Biobank, a biomedical database established in 2003, contains extensive genetic, lifestyle, and health data from around 500,000 UK volunteers. This dataset has been a cornerstone for global medical research, contributing to thousands of discoveries since access was opened to scientists in 2012.  Professor Sir Rory Collins, chief executive and principal investigator of UK Biobank, confirmed the breach in an official statement. He said, “Last week, we found that de-identified participant data made available to researchers at three academic institutions were listed for sale on a consumer website in China, owned by Alibaba.”  He added that with support from UK and Chinese authorities, Alibaba “swiftly removed those listings before any sales were made.” 

Nature of the Exposed Data 

Despite the seriousness of the UK Biobank data breach, officials stressed that the compromised information did not include personally identifiable details. According to Collins, the dataset did not contain names, addresses, dates of birth, or NHS numbers.  “All the data are de-identified,” he said, emphasising that there is no evidence that participants were directly identified as a result of the breach.  However, the incident still represents a violation of strict data access agreements. The data had been shared with three academic institutions under contracts that require secure handling and prohibit unauthorized distribution. Collins described the situation as “a clear breach of the contract,” noting that the institutions and individuals involved have had their access suspended. 

Immediate Response to the Data Breach at UK Biobank 

In response to the data breach at UK Biobank, the organization moved quickly to contain the risk and reassure participants. Access to its research platform has been temporarily suspended while new protection methods are implemented.  Among the measures introduced: 

• Strict limits on the size of files that researchers can export  
• Daily monitoring of all exported files for suspicious activity  
• A comprehensive, board-led forensic investigation  

“These security measures will further minimise the potential for misuse of UK Biobank data,” Collins said.  Researchers typically access the data through a restricted, cloud-based platform hosted in the UK. The system is designed to ensure that sensitive information remains secure while still enabling scientific discovery. Following the breach, additional controls are being layered onto this infrastructure.