The Lyceum: Cyber Intelligence Daily — May 08, 2026
Friday, May 8, 2026
The Big Picture
Three things define today, and they all share a clock. CISA gave federal agencies until Sunday, May 10, 2026, to patch an Ivanti EPMM zero-day already being used in targeted attacks. ShinyHunters gave Instructure until Monday — May 12 — before leaking what they claim is 275 million Canvas records covering nearly 9,000 schools. And the Linux kernel disclosure process broke for the second time in two weeks: a third party broke the Dirty Frag embargo overnight, releasing a one-shot, deterministic root exploit into an ecosystem that has no general patch yet.
The pattern is the part. Embargoes are collapsing, vendor windows are shrinking, and defenders are trying to triage three deadlines while the calendar laughs.
What Just Dropped
- CVE-2026-6973 — Ivanti Endpoint Manager Mobile (EPMM) versions 12.8.0.0 and prior: actively exploited zero-day, patched in 12.6.1.1 / 12.7.0.1 / 12.8.0.1, added to CISA KEV with a federal due date of May 10. Authenticated admin RCE on the appliance that controls every corporate mobile device.
- CVE-2026-0300 — Palo Alto Networks PAN-OS User-ID Authentication Portal (captive portal): unauthenticated buffer-overflow RCE, on CISA KEV with a federal due date of May 9, no patch yet — Palo Alto's only mitigation is to restrict the portal to trusted internal IPs or disable it.
- Dirty Frag (CVE-2026-43284 / CVE-2026-43500) — Linux kernel xfrm-ESP and rxrpc page-cache write flaws, chained: deterministic local root on Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora. Public PoC (V4bel/dirtyfrag) released on May 7 after embargo break; AlmaLinux test kernels available, no general distro patches yet.
- Copy Fail follow-up (CVE-2026-31431) — Microsoft Defender telemetry shows operators already running "preliminary testing" of the earlier Copy Fail Linux LPE; the algif_aead blacklist mitigation does not cover Dirty Frag.
- PamDOORa — New Linux backdoor advertised on a Russian-language forum for $1,600 by an actor calling themselves "darkworm." Hooks into PAM (Pluggable Authentication Modules) to harvest SSH credentials at login.
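A backdoor that registers itself as a PAM module only works if the host's PAM configuration ends up referencing it, so the first triage step is to compare what `/etc/pam.d` actually loads against a baseline taken from a known-good host. The script below is an added example for that check; it is not from the page and is not analysis code for PamDOORa. The sample configuration, the baseline list and the module name `pam_constructed_backdoor.so` are constructed for the example; the parser handles the real PAM line syntax, including bracketed control values and the leading `-` for optional modules.

```shell
#!/bin/sh
# Added example for PAM backdoor triage (not from the page, and not PamDOORa
# analysis code): list every module referenced by a PAM configuration and
# report the ones missing from a baseline captured on a known-good host.
# The baseline list and sample config below are constructed for the example.

# Print the module field of each active PAM line, sorted and de-duplicated.
# Handles the bracketed control syntax "[success=1 default=ignore]" and the
# leading "-" that marks an optional module; skips comments and @include.
pam_modules() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 == "@include"     { next }
        {
            i = 2
            # bracketed control values may span several whitespace-separated fields
            if ($2 ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++ }
            mod = $(i + 1)
            if (mod != "") print mod
        }
    ' | LC_ALL=C sort -u
}

# Print modules present in the config (stdin) but absent from the baseline file.
# Any output deserves a look: an unfamiliar name, or a familiar name under an
# unexpected path (e.g. pam_unix.so outside the distribution's module directory).
pam_unexpected() {
    baseline="$1"
    pam_modules | LC_ALL=C comm -13 "$baseline" -
}

# On a live host: ask the package manager who owns a module file, so that a
# replaced or dropped-in .so stands out even when its name looks legitimate.
pam_module_owner() {
    path="$1"
    if command -v dpkg >/dev/null 2>&1; then dpkg -S "$path" 2>/dev/null || echo "UNOWNED $path"
    elif command -v rpm >/dev/null 2>&1; then rpm -qf "$path" 2>/dev/null || echo "UNOWNED $path"
    else echo "no package manager found to check $path"; fi
}

# Constructed sample: an sshd PAM config with one module that is not in the baseline.
SAMPLE_PAM_SSHD='# PAM configuration for sshd (constructed sample)
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_succeed_if.so uid >= 1000 quiet
auth       required     pam_unix.so
account    required     pam_unix.so
-session   optional     pam_systemd.so
auth       optional     /lib/security/pam_constructed_backdoor.so
'
# Constructed baseline, as it would be captured from a clean host (already in C sort order).
SAMPLE_BASELINE='pam_env.so
pam_succeed_if.so
pam_systemd.so
pam_unix.so
'

# Dry run against the constructed sample; no host files are read or modified.
pam_demo() {
    tmp="$(mktemp)"
    printf '%s' "$SAMPLE_BASELINE" | LC_ALL=C sort -u > "$tmp"
    printf '%s' "$SAMPLE_PAM_SSHD" | pam_unexpected "$tmp"
    rm -f "$tmp"
}

pam_demo
```

On a real host, run `cat /etc/pam.d/* | pam_unexpected baseline.txt` with a baseline generated by `cat /etc/pam.d/* | pam_modules` on a trusted image of the same distribution release, then feed each reported path to `pam_module_owner`. Keeping the raw module field rather than the basename is deliberate: a copy of a legitimate module name placed under a different directory is exactly the case the basename would hide.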
Today's Stories
Ivanti EPMM Zero-Day CVE-2026-6973 Is Being Exploited Right Now — Patch by Sunday
● China · Iran
If your organization manages corporate phones, tablets, and laptops through Ivanti's Endpoint Manager Mobile, this is the story that should interrupt your Friday.
Ivanti published its May 2026 EPMM updates on Thursday, disclosing five vulnerabilities including a zero-day already being exploited. CVE-2026-6973 is a high-severity input-validation flaw that lets an authenticated attacker with admin privileges run arbitrary code, SecurityWeek reports. EPMM is the control tower for every corporate mobile device — get in, and you can push malicious configurations, intercept communications, or pivot deeper.
CISA added the bug to the Known Exploited Vulnerabilities catalog Thursday with a federal deadline of May 10 — Sunday. Shadowserver currently sees more than 850 EPMM instances exposed to the internet, mostly in Europe (508) and North America (182), per BleepingComputer. The flaw only affects on-prem EPMM; Ivanti Neurons for MDM (the cloud product) is unaffected, Help Net Security notes. Patched releases: 12.6.1.1, 12.7.0.1, 12.8.0.1.
VulnCheck's VP of security research told CyberScoop that, because exploitation requires admin privileges, CVE-2026-6973 was likely chained with a separate initial-access bug. Two earlier 2026 EPMM CVEs — CVE-2026-1281 and CVE-2026-1340 — have been exploited by China- and Iran-attributed actors. Translation: someone may already have been inside before this bug was even needed.
If exploitation expands beyond "very limited" over the weekend, expect CISA to broaden the directive. If it stays contained, this becomes the third Ivanti zero-day folded into routine patch hygiene. Either way: patch tonight, rotate admin credentials, and audit EPMM access logs for unfamiliar logins.
Dirty Frag: Another Universal Linux Root Exploit, No Patch, Working Code Already Public
Two weeks ago it was Copy Fail. This morning it's Dirty Frag. If you run Linux servers — and statistically, you do — this is the second time this month you've had to scramble.
Researcher Hyunwoo Kim posted Dirty Frag to oss-security at 03:56 UTC, hours before this issue went out, after a third party broke the coordinated disclosure embargo. Dirty Frag chains two page-cache write flaws — one in the IPsec ESP path, one in rxrpc — into a deterministic local privilege escalation. The kernel doesn't panic on failure. The exploit succeeds on the first try. There is no race condition, no timing luck, per The Hacker News. Working PoC code is on GitHub.
The cruel detail for anyone who already worked overtime on Copy Fail: the algif_aead blacklist mitigation that contained Copy Fail does nothing for Dirty Frag. AlmaLinux assigned CVE-2026-43284 and CVE-2026-43500 and has test-repo kernels available; CloudLinux has a livepatch in flight. Ubuntu, RHEL, CentOS Stream, openSUSE Tumbleweed, and Fedora have not yet shipped fixes.
The interim workaround is to blacklist and unload the esp4, esp6, and rxrpc kernel modules. The trade-off is real: doing so breaks IPsec tunnels and the kAFS variant of AFS, so any host terminating IPsec traffic (strongSwan, Libreswan) needs a different plan, Cryptika notes.
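The workaround above has two halves that are easy to get wrong: a plain `blacklist` line only stops alias-based autoloading, and unloading a module that is in use silently fails. The script below is an added example, not code from the page, the researcher, or any distribution; it writes the modprobe configuration, unloads the modules, and verifies the result against `/proc/modules`. The module names come from the advisory text; the file name `/etc/modprobe.d/dirtyfrag-workaround.conf` and the sample listings are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the page, the distributions, or the researcher): apply
# and verify the interim Dirty Frag workaround, i.e. keep esp4, esp6 and rxrpc
# from loading and unload them if present. The module names come from the
# advisory text; the conf file name is an assumption for this example.
# Applying it breaks IPsec (strongSwan, Libreswan) and kAFS on the host.

MODULES="esp4 esp6 rxrpc"
CONF_PATH="${DIRTYFRAG_CONF:-/etc/modprobe.d/dirtyfrag-workaround.conf}"

# Emit the modprobe.d content. "blacklist" only stops alias-based autoloading;
# the "install <mod> /bin/false" line also makes explicit load requests fail,
# which matters because protocol modules such as rxrpc are loaded on demand the
# first time a socket of that family is requested, not at boot.
dirtyfrag_conf() {
    for m in $MODULES; do
        printf 'blacklist %s\n' "$m"
        printf 'install %s /bin/false\n' "$m"
    done
}

# Read a /proc/modules-style listing from stdin; return 0 if none of the
# targeted modules is loaded, 1 otherwise (naming the offender on stderr).
modules_unloaded() {
    while read -r name _rest; do
        for m in $MODULES; do
            if [ "$name" = "$m" ]; then
                echo "still loaded: $m" >&2
                return 1
            fi
        done
    done
    return 0
}

# Live application: write the conf, unload what is loaded, then verify.
# Runs only with DIRTYFRAG_APPLY=1; needs root and changes host behaviour.
apply_workaround() {
    dirtyfrag_conf > "$CONF_PATH"
    for m in $MODULES; do
        if grep -q "^$m " /proc/modules; then
            modprobe -r "$m" || echo "could not unload $m (in use); stop its users first" >&2
        fi
    done
    modules_unloaded < /proc/modules
}

# Constructed listings for an offline dry run of the checker.
SAMPLE_LOADED='esp4 20480 0 - Live 0xffffffffc0a00000
xfrm_user 45056 1 - Live 0xffffffffc0b00000
'
SAMPLE_CLEAN='xfrm_user 45056 1 - Live 0xffffffffc0b00000
'

if [ "${DIRTYFRAG_APPLY:-0}" = "1" ]; then
    apply_workaround
else
    echo "# would write to $CONF_PATH:"
    dirtyfrag_conf
    printf '%s' "$SAMPLE_LOADED" | modules_unloaded && echo "sample 1: clean" || echo "sample 1: not clean"
    printf '%s' "$SAMPLE_CLEAN" | modules_unloaded && echo "sample 2: clean" || echo "sample 2: not clean"
fi
```

Run it without arguments for a dry run that only prints the configuration and checks the constructed listings; run `DIRTYFRAG_APPLY=1 sh dirtyfrag-workaround.sh` as root to apply it. A non-zero exit from the apply path means a module is still resident, usually because an IPsec daemon or kAFS mount still holds it, and the host is not yet protected.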
If distributions ship patches by Monday, this fades into normal kernel-update tempo. If they don't, every multi-tenant Linux host — shared hosting, VPS providers, container platforms with user namespaces, university lab clusters — is one unprivileged shell away from root through the weekend. The signal to watch: Microsoft Defender already reports operator "testing activity" against Copy Fail. Dirty Frag is more reliable than Copy Fail. The interval between PoC and live abuse is going to be measured in days, not weeks.
ShinyHunters Took Down Canvas During Finals Week — 275 Million Records at Stake
The timing is almost theatrical: the week before finals, and the platform millions of students use to submit assignments and check grades just went dark.
Instructure, the company behind Canvas, has confirmed a cyber incident affecting its cloud-hosted environment. ShinyHunters claims responsibility and says it stole roughly 275 million records and 3.65 terabytes of data, WCNC reports. The group shared a list of 8,809 affected institutions with BleepingComputer and EdScoop, including all eight Ivy League universities, MIT, and Oxford.
The exposed fields, according to The Daily Pennsylvanian, include names, institutional emails, student ID numbers, and course enrollments. Duke's CISO told WRAL that Instructure has indicated no evidence that passwords, dates of birth, government identifiers, or financial data were involved. That's the best-case scenario — and it's still enough to fuel convincing phishing against students and faculty for years.
The deadline is the end of day on May 12, 2026. Instructure has not contacted the attackers to negotiate, DataBreaches.net reports, and ShinyHunters is now telling individual schools to negotiate directly. Instructure's status page shows ongoing recovery work and precautionary key reissuance for third-party integrations.
If Instructure holds the line through Monday, this becomes a watershed test of whether large SaaS providers can credibly refuse extortion at this scale. If they pay, every education-sector vendor with a cloud tenant becomes a higher-priority target on Tuesday. The signal is whether the leak actually drops on May 13.
There is also a buried timeline detail worth flagging: Instructure first learned of the breach on April 25 and notified at least one district on May 5, per WRAL. That ten-day gap is a regulatory exposure independent of whether the 275 million figure is accurate.
RansomHouse Claims It Hacked Trellix — A Cybersecurity Company's Source Code Repository
There is a particular kind of uncomfortable when the company selling you a lock has its own lock picked.
RansomHouse, an extortion crew operating since 2022, took credit Thursday for the recent breach at Trellix, the enterprise security vendor formed from the McAfee Enterprise / FireEye merger. Trellix disclosed earlier this week that part of its source code repository had been accessed and stated: "Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited," SecurityWeek reports.
That caveat matters. Source code for security software is a roadmap of every detection gap the engineers knew about and every edge case they couldn't fix. RansomHouse named Trellix on its leak site Thursday and posted screenshots that appear to show access to internal services and management dashboards.
If RansomHouse publishes the stolen code before Trellix completes its review, both researchers and adversaries will comb it for undisclosed weaknesses in Trellix's endpoint and email detection logic. If Trellix's distribution pipeline really is intact — meaning the build-and-sign infrastructure for customer-facing products was not touched — this is contained reputational damage. The signal is whether Trellix issues an out-of-band advisory to customers in the next ten days. Silence is the bad outcome.
⚡ What Most People Missed
- The Trivy supply-chain attack writeup is in Russian only: Xakep published a detailed breakdown overnight of poisoning Trivy — the open-source vulnerability scanner running in CI/CD pipelines at thousands of companies — to create a domino effect across every codebase it touches. No English coverage yet. A poisoned scanner that reports clean results is worse than no scanner at all; pin Trivy to a known-good hash and audit your CI/CD outbound traffic. Source: Xakep — Russian.
- An AI startup just rotated everyone's API keys: Braintrust, per SecurityWeek, confirmed an attacker accessed one of its AWS accounts and compromised secrets belonging to AI providers stored in the platform. If your team uses Braintrust to evaluate LLM outputs, the keys it held for your OpenAI, Anthropic, or Google accounts may have been exposed — rotate.
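The Trivy item above ends with concrete advice, pin the scanner to a known-good hash, and that advice has three separate places where a floating reference can creep in: the container image, the CI action, and the downloaded release archive. The script below is an added example covering all three, not code from the page, from Xakep, or from the Trivy project. The image name `aquasec/trivy` and the action `aquasecurity/trivy-action` are the project's real names; every digest, commit SHA, version tag and file in the sample is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page, Xakep, or the Trivy project): three checks
# for keeping Trivy pinned in CI. The image aquasec/trivy and the action
# aquasecurity/trivy-action are the project's real names; every digest, hash,
# tag and file below is constructed for the example.

# 1. A container image reference is only pinned when it carries a sha256 digest;
#    a tag such as ":latest" or a version tag can be re-pointed by the registry.
image_ref_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# 2. A GitHub Actions "uses:" reference is only pinned when it names a full
#    40-hex commit SHA; a release tag can be moved after the fact.
action_ref_pinned() {
    printf '%s\n' "$1" | grep -Eq '@[0-9a-f]{40}([[:space:]]*#.*)?$'
}

# Scan a workflow file (stdin) and print every unpinned "uses:" reference.
unpinned_uses() {
    grep -E '^[[:space:]-]*uses:' | while read -r line; do
        ref="$(printf '%s' "$line" | sed -E 's/^[[:space:]-]*uses:[[:space:]]*//')"
        action_ref_pinned "$ref" || printf '%s\n' "$ref"
    done
}

# 3. A downloaded release archive must match the hash recorded in the pipeline
#    before it is unpacked or executed (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}
verify_sha256() {
    actual="$(sha256_of "$1")"
    [ "$actual" = "$2" ] && return 0
    echo "hash mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# Constructed workflow snippet: one pinned action (fake SHA), one floating tag.
SAMPLE_WORKFLOW='steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
  - uses: aquasecurity/trivy-action@0.28.0
    with:
      image-ref: aquasec/trivy:latest
'

# Dry run: prints the one reference in the sample that would need pinning.
printf '%s' "$SAMPLE_WORKFLOW" | unpinned_uses
```

In a pipeline, call `verify_sha256 trivy.tar.gz "$TRIVY_SHA256"` before extracting the archive, with the expected value stored in the repository rather than fetched from the same place as the binary, and fail the build on any output from `unpinned_uses`. A digest pin does not detect a scanner that was compromised before the pin was taken; it only guarantees that the artifact cannot change underneath you afterwards, which is why the paragraph above pairs it with watching the pipeline's outbound traffic.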
From the Foreign Press
UAC-0255 cyberattack disguised as a CERT-UA notification, using AGEWHEEZE
● Ukraine
Ukraine's national CERT documented a phishing campaign in which the attackers impersonate CERT-UA itself, sending emails styled as official security notifications and delivering a malware family the agency is tracking as AGEWHEEZE. The targets are government bodies and security-adjacent organizations — the very audience most likely to take a CERT-UA notice at face value. The advisory is CERT-UA#21075 and lists indicators of compromise. For Western defenders, the lesson generalizes: any organization that publishes patch advisories or breach notifications becomes spoofable infrastructure, and authenticity workflows for "your CERT" need to be more than visual.
Source: CERT-UA Advisory #21075 — Ukrainian. No English-language coverage confirmed at time of publication.
"Danger Bulletin": APT28 exploiting CVE-2026-21509 against Ukraine and the EU
● Ukraine
CERT-UA's "Danger Bulletin" documents continued exploitation of CVE-2026-21509 by UAC-0001 — Ukraine's tracking designation for APT28, the GRU's Unit 26165. The targeting extends beyond Ukraine into EU government networks. The bulletin is CERT-UA#19542. The Western press has been quiet on this thread despite the EU dimension; if your organization has any nexus to Ukraine policy, energy, or defense supply chains, the IOCs are worth pulling into your detection stack.
Source: CERT-UA Advisory #19542 — Ukrainian. No English-language coverage confirmed at time of publication.
Attack on NFS — privilege escalation through Network File System
Xakep published a technical breakdown of a fresh privilege-escalation path through NFS, the protocol Linux servers use to share files across a network. NFS misconfigurations are endemic in enterprise environments, and the writeup details a working escalation technique that has not yet surfaced in English-language press. If your environment uses NFS for shared storage between Linux hosts — common in research, media, financial back-office, and any team running on-prem ML workloads — this is worth getting in front of before Western tooling vendors catch up.
Source: Xakep — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If Instructure refuses to negotiate through May 12 and ShinyHunters actually drops the data, every higher-ed SaaS vendor becomes a higher-priority extortion target on May 13 — not because Canvas was uniquely vulnerable, but because the calculus that "the vendor will pay" gets re-priced industry-wide.
- If Red Hat, Ubuntu, and Debian don't ship Dirty Frag patches before Monday, expect the first opportunistic compromises against shared hosting and university lab clusters by Tuesday — the targets where unprivileged shells are easiest to come by.
- If Trellix issues no out-of-band customer advisory in the next ten days, assume RansomHouse's source-code claims are credible and the company is hoping silence holds longer than the leak timer.
- If CISA broadens the Ivanti EPMM directive past the May 10 federal deadline, that's the signal that exploitation has moved past "very limited" — and that whoever is using CVE-2026-6973 has the upstream initial-access bug in hand too.
- If a fourth Linux LPE drops before Copy Fail and Dirty Frag are both broadly patched, the embargo-breakage pattern becomes a procurement question, not a security one — distributions and downstream customers will start asking who exactly is on the linux-distros list and why.
- If the Xakep Trivy writeup gets picked up in English with working PoC code attached, every CI/CD pipeline that pulls Trivy unpinned becomes a same-day incident.
The Closer
A learning platform extorting nine thousand schools during finals week, a Linux root exploit dropped at 4 AM by someone who wasn't even invited to the embargo, and a security vendor explaining that yes, its source code is gone, but no, it's fine. Somewhere, a CISO is reading "no evidence of impact" three times in a row and refilling their coffee for the fourth time before nine.
Stay patched. Stay suspicious.
Forward this to whoever's pulling the weekend shift — they earned it.