CyberNews: 13/05/2026 Edition

Published by Dunateo on 2026-05-13

Today’s roundup

  • Patch Tuesday, May 2026 Edition
  • Instructure settles with hackers following massive student data theft
  • Critical Fortinet vulnerabilities fixed in FortiSandbox and FortiAuthenticator
  • GemStuffer Abuses 150+ RubyGems to Exfiltrate Scraped U.K. Council Portal Data
  • New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution
  • Foxconn confirms cyberattack impacting North American factories
  • UK fines water supplier $1.3M for exposing data of 664k customers
  • Hackers accessed BWH Hotels reservation system for months
  • Android Adds Intrusion Logging for Sophisticated Spyware Forensics
  • Global Cyber Agencies Issue New SBOMs for AI Guidance to Tackle AI Supply Chain Risks

    • Summary

    Microsoft's May 2026 Patch Tuesday addressed 118 vulnerabilities, including 16 critical flaws, with no zero-days. Notable fixes included a stack-based buffer overflow in Windows Netlogon (CVE-2026-41089) and an Entra ID bypass (CVE-2026-41103). AI, particularly Project Glasswing, notably aided in bug discovery across major vendors.

    Instructure, the Canvas LMS provider, settled with ShinyHunters following a data theft affecting 9,000 institutions. Approximately 3.65TB of student data was returned and destroyed, as the U.S. House Committee on Homeland Security investigates.

    Fortinet patched critical remote code execution (RCE) flaws: an improper access control (CVE-2026-44277) in FortiAuthenticator and a missing authorization (CVE-2026-26083) in FortiSandbox, allowing unauthenticated command or code execution.

    A new campaign, GemStuffer, leveraged over 150 malicious RubyGems packages for data exfiltration, specifically targeting scraped data from U.K. Council portals in a software supply chain attack.

    Exim released security updates for a severe use-after-free vulnerability, CVE-2026-45185 (Dead.Letter), affecting GnuTLS builds of its Mail Transfer Agent (MTA), potentially leading to memory corruption and code execution.

    Foxconn confirmed a cyberattack impacting its North American factories, though specific details regarding the number of affected facilities across various states and Mexico were not disclosed.

    The UK's Information Commissioner's Office fined South Staffordshire Water Plc £963,900 ($1.3 million) after a cyberattack exposed personal data of 663,887 customers and employees, underscoring critical infrastructure data protection enforcement.

    BWH Hotels (Best Western, WorldHotels) disclosed a data breach where hackers accessed a guest reservation system for over six months (October 2025 – April 2026). Exposed data included names, emails, phones, addresses, and reservation details; payment information was not compromised.

    Google introduced an opt-in Android feature, Intrusion Logging, within Advanced Protection Mode. It provides persistent, privacy-preserving forensic logs to assist in investigating sophisticated spyware attacks and suspected device compromises.

    The G7 Cybersecurity Working Group issued new guidance on Software Bill of Materials (SBOMs) for Artificial Intelligence (AI). This guidance outlines seven key data clusters to enhance transparency and security across AI supply chains.

    Want to dig deeper?

    Vulnerabilities

    CVE-2026-41089 High
    CVE-2026-41103 High
    CVE-2026-44277 High
    CVE-2026-26083 Critical
    CVE-2026-45185 Critical