Threat Advisories

Microsoft’s May 2026 Patch Tuesday update for Windows 10, KB5087544, reflects the current reality of the platform. Now firmly in its Extended Security Updates phase, Windows 10 is no longer evolving through features, but it is still being actively secured and maintained. This update combines a large set of vulnerability fixes with targeted changes to Remote Desktop and Secure Boot that reveal how Microsoft is tightening control over endpoint trust and stability.

Fortinet has disclosed two critical vulnerabilities affecting FortiSandbox and FortiAuthenticator that could enable unauthenticated remote code execution (RCE) on exposed systems.

Trellix has announced that internal source code for portions of its product portfolio was accessed without authorisation. The affected material relates to product development code only and does not include customer environments or customer data. There is no indication of malicious modification to released software artifacts.

CVE 2026 31431, commonly known as “Copy Fail”, is a high severity local privilege escalation vulnerability affecting the Linux kernel. The issue impacts kernels shipped by all major Linux distributions since 2017 and allows a local, unprivileged user to gain root level execution on the host system.

In late March 2026, a threat actor operating under the alias “The_Auditors” claimed to have breached BlackLine Systems, a US‑based financial automation and accounting software provider. The attacker alleges the exfiltration of approximately 354 GB of sensitive financial and operational documents, reportedly totaling over 1.5 million records belonging not only to BlackLine, but to its enterprise customers. At the time of writing, BlackLine has not publicly confirmed a breach, and the claims remain unverified. However, multiple cybersecurity intelligence firms have assessed the allegations as credible based on multiple indicators.

A new and active npm supply‑chain attack has been observed abusing compromised maintainer credentials to self‑propagate malicious code across packages in the Node.js ecosystem. The malware steals authentication material (npm tokens, cloud credentials, CI/CD secrets, SSH keys, and wallet data) and uses any discovered publishing tokens to inject itself into additional packages owned by the same maintainer, creating worm‑like lateral spread.

Microsoft has disclosed a critical remote code execution (RCE) vulnerability in the Windows Internet Key Exchange (IKE) Service Extensions, tracked as CVE‑2026‑33824. The vulnerability is caused by a double‑free memory handling flaw that can be triggered remotely by an unauthenticated attacker sending specially crafted network traffic to a vulnerable system. Successful exploitation could allow arbitrary code execution with system‑level privileges.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of a high‑severity remote code execution (RCE) vulnerability in Apache ActiveMQ Classic, tracked as CVE‑2026‑34197. The flaw has been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, signalling verified malicious activity in the wild and elevating remediation priority for all organizations using affected versions of ActiveMQ.

Threat Type: Actively Exploited ZeroDay
Affected Product: Fortinet FortiClient Enterprise Management Server (EMS)

Google has released emergency security updates addressing CVE20265281, a high severity (CVSS score: N/A), actively exploited zero day impacting its Chrome browser.