15 May 2026
Week in review
Greetings,
We are excited to announce the release of AUSCERT’s 2025 Year in Review. The report offers members a valuable snapshot of our work behind the scenes, highlighting the services we deliver and the many opportunities available to support their organisations.
These achievements reflect our ongoing commitment to equipping our community with the tools, insights and support needed to confidently navigate an increasingly dynamic cyber security environment. You can read the full report here.
The attack, attributed to the cybercriminal group ShinyHunters, involved the theft of vast amounts of data, including names, email addresses, student IDs and private messages exchanged on the platform. At least 120 Australian schools, universities and TAFEs were caught up in what has been described as one of the largest education data breaches globally. The disruption forced institutions to suspend access, extend deadlines and scramble for contingency plans as exams and assessments were impacted.
Hackers initially threatened to release the stolen data unless a ransom was paid, placing significant pressure on Instructure. The company later confirmed it had reached an “agreement” with the attackers, with reports indicating the data was returned and assurances provided that it would not be published, although experts caution that such guarantees cannot be verified. While this approach may have reduced immediate risk, cyber security specialists warn it could increase the likelihood of future attacks, particularly against essential digital services like education platforms.
SAP Patches Critical S/4HANA, Commerce Vulnerabilities
Date: 2026-05-12
Author: Security Week
The most severe of the resolved vulnerabilities are critical code injection issues in S/4HANA and Commerce that could allow attackers to leak data and execute arbitrary code. Both security defects have a CVSS score of 9.6.
Tracked as CVE-2026-34260, the S/4HANA bug is described as an SQL injection issue stemming from missing input validation and sanitization.
Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator
Date: 2026-05-12
Author: Bleeping Computer
[See AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2026.5015/ and https://portal.auscert.org.au/bulletins/ESB-2026.5016/]
Fortinet has released security updates to address two critical vulnerabilities in FortiSandbox and FortiAuthenticator that could enable attackers to run commands or arbitrary code on unpatched systems.
The first one, tracked as CVE-2026-44277, impacts the company's FortiAuthenticator Identity and Access Management (IAM) solution and was patched in FortiAuthenticator versions 6.5.7, 6.6.9, and 8.0.3.
New critical Exim mailer flaw allows remote code execution
Date: 2026-05-13
Author: Bleeping Computer
[AUSCERT has contacted impacted members where applicable]
A critical vulnerability affecting certain configurations of the Exim open-source mail transfer agent could be exploited by an unauthenticated remote attacker to execute arbitrary code.
Identified as CVE-2026-45185, the security issue impacts some Exim versions before 4.99.3 that use the default GNU Transport Layer Security (GnuTLS) library for secure communication. It is a use-after-free (UAF) flaw triggered during the TLS shutdown while handling BDAT chunked SMTP traffic.
Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
Date: 2026-05-14
Author: Talos Intelligence
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.5194/]
[AUSCERT has contacted affected members where applicable]
Talos is aware of the active, in-the-wild (ITW) exploitation of CVE-2026-20182 in Cisco Catalyst SD-WAN Controller and Manager, which allows logging in to the affected system as an internal, high-privileged, non-root user account. Talos clusters the exploitation of this vulnerability and subsequent post-compromise activity under UAT-8616, which we assess is a highly sophisticated cyber threat actor.
Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
Date: 2026-05-12
Author: The Hacker News
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2026.0102]
TeamPCP, the threat actor behind the recent supply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign.
Windows BitLocker zero-day gives access to protected drives, PoC released
Date: 2026-05-13
Author: Bleeping Computer
A cybersecurity researcher has published proof-of-concept (PoC) exploits for two unpatched Microsoft Windows vulnerabilities named YellowKey and GreenPlasma, which are a BitLocker bypass and a privilege-escalation flaw.
The researcher, known as Chaotic Eclipse or Nightmare Eclipse, describes the BitLocker bypass issue as functioning like a backdoor because the vulnerable component is present only in the Windows Recovery Environment (WinRE), which is used to repair boot-related issues in Windows.
ASB-2026.0099.2 – cPanel, WHM and WP2: CVSS (Max): 9.8
An authentication bypass security issue has been identified in the cPanel software (including DNSOnly) affecting all currently supported versions after 11.40.
ESB-2026.4894 – Thunderbird 140.10.2: CVSS (Max): 9.8
Memory safety bugs present in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
ESB-2026.5018 – FortiOS: CVSS (Max): 8.3
An Out-Of-Bounds Write vulnerability [CWE-787] in the FortiOS capwap daemon may allow an attacker controlling an authenticated FortiAP, FortiExtender or FortiSwitch to gain execution privileges on the FortiGate device.
ESB-2026.5030 – Adobe Connect: CVSS (Max): 9.6
Adobe has released a security update for Adobe Connect. This update resolves critical vulnerabilities that could lead to arbitrary code execution and privilege escalation.
ESB-2026.5095 – Palo Alto PAN-OS: CVSS (Max): 9.2
A buffer overflow vulnerability in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS Software allows an unauthenticated attacker with network access to cause a denial of service (DoS) condition (all PAN-OS platforms except Cloud NGFW and Prisma Access) or potentially execute arbitrary.
Stay safe, stay patched and have a good weekend!
The AUSCERT team