The Lyceum: Cyber Intelligence Daily — May 09, 2026
Saturday, May 9, 2026
The Big Picture
Two weeks after Copy Fail, Linux administrators are doing the same patch dance for a different bug — except this one bypasses the mitigation they applied last time, has working exploit code already in the wild, and is being actively used in attacks Microsoft is currently watching. Meanwhile, the ShinyHunters extortion clock on Canvas hits its deadline Tuesday with 275 million student and teacher records on the table. And Poland's intelligence service published the receipts on five water plant breaches that look less like cyberattacks and more like a hybrid warfare blueprint — accomplished, embarrassingly, with default passwords and exposed management interfaces.
What Just Dropped
- CVE-2026-43284 (Dirty Frag, xfrm-ESP half) — Linux kernel: patches released on May 8 for the Linux Kernel Organization tree; AlmaLinux and CloudLinux shipped patched kernels. Local privilege escalation to root on most major distributions; the embargo broke on May 7 with public exploit code.
- CVE-2026-43500 (Dirty Frag, RxRPC half) — Linux kernel: no upstream patch yet as of May 8; chains with CVE-2026-43284 to defeat the Copy Fail mitigation. Microsoft observing limited in-the-wild exploitation.
- CVE-2026-42208 — BerriAI LiteLLM: SQL injection via crafted Authorization header, added to CISA KEV May 8 with federal patch deadline May 11. Exploited within 36 hours of disclosure; compromise yields stored OpenAI, Anthropic, and AWS Bedrock credentials.
- CVE-2026-6973 — Ivanti Endpoint Manager Mobile: zero-day exploited using credentials stolen in earlier January Ivanti incidents; CISA gave federal agencies four days to patch (deadline Sunday).
- CVE-2026-0300 — Palo Alto Networks PAN-OS: actively exploited unauthenticated RCE in Captive Portal; staged patches rolling May 13–28; CISA had set a federal mitigation deadline for May 9.
- CVE-2026-32202 — Microsoft Windows Protection Mechanism Failure: added to CISA KEV with confirmed active exploitation but no public IOCs yet released.
Today's Stories
Dirty Frag: Another Universal Linux Root Bug — And It Bypasses the Mitigation You Just Applied
If you patched your Linux servers two weeks ago for Copy Fail and felt that small, hard-earned satisfaction of having done the right thing — sit down for this.
Dirty Frag is a freshly disclosed local privilege escalation vulnerability in the Linux kernel that chains two separate page-cache write flaws — one in the xfrm-ESP path used by IPsec, one in RxRPC used by the Andrew File System — to deliver root on virtually every major distribution. Local privilege escalation, in plain English: anyone who already has the smallest foothold on your system (a low-privilege shell, a compromised web app, an escaped container) can use this to become the all-powerful root account. An embargo break on May 7 dumped working exploit code into public view ahead of schedule.
The cruel detail: the researcher who found Dirty Frag noted it can be triggered without the algif_aead module, which means systems that applied the publicly known Copy Fail mitigation are still vulnerable to this one. You did the work. You're still exposed.
Microsoft Defender is currently observing limited in-the-wild activity, describing what it called a sequential pattern: "an external connection gains SSH access and spawns an interactive shell, followed by staging and execution of an ELF binary that immediately triggers a privilege escalation," per Microsoft's security blog. Translation: attackers SSH in, drop a binary, and instantly become root.
Patches for the xfrm-ESP half (CVE-2026-43284) landed at the Linux Kernel Organization on May 8. AlmaLinux and CloudLinux have shipped fixes. Red Hat is expediting. The RxRPC half (CVE-2026-43500) has no upstream fix yet. The interim workaround is to blacklist the esp4, esp6, and rxrpc kernel modules — which will break IPsec and AFS workloads, since both depend on those modules.
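An added helper for that interim workaround (not from the article, Microsoft, or any distribution): it reads /proc/modules text to show whether esp4, esp6 or rxrpc are loaded and which modules use them, so you know in advance what the blacklist will break, and it emits the modprobe.d content. The /proc/modules sample below is constructed.

```python
# Interim Dirty Frag workaround helper (added example, not distribution tooling).
RISKY_MODULES = ("esp4", "esp6", "rxrpc")  # the modules the workaround blacklists

# Constructed /proc/modules excerpt: name, size, refcount, "used by", state, address.
SAMPLE_PROC_MODULES = """\
esp4 24576 0 - Live 0x0000000000000000
xfrm_algo 16384 1 esp4, Live 0x0000000000000000
rxrpc 774144 1 kafs, Live 0x0000000000000000
kafs 593920 0 - Live 0x0000000000000000
xfs 1949696 1 - Live 0x0000000000000000
"""


def parse_proc_modules(text):
    """Map module name -> {refcount, used_by} from /proc/modules-format text."""
    mods = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        name, refcount, users = fields[0], int(fields[2]), fields[3]
        # The fourth column is "-" or a comma-terminated list of dependent modules.
        used_by = [u for u in users.split(",") if u and u != "-"]
        mods[name] = {"refcount": refcount, "used_by": used_by}
    return mods


def dirty_frag_exposure(proc_modules_text):
    """Return {risky module: [modules that depend on it]} for loaded risky modules.

    A non-empty dependent list (e.g. kafs on rxrpc) is the workload the blacklist
    will break; an empty list means the module can go without visible fallout."""
    mods = parse_proc_modules(proc_modules_text)
    return {m: mods[m]["used_by"] for m in RISKY_MODULES if m in mods}


def blacklist_conf():
    """modprobe.d content. 'blacklist' only stops alias autoloading; the 'install'
    line makes an explicit modprobe fail too. Already-loaded modules must still be
    unloaded (or the host rebooted) for the workaround to take effect."""
    lines = ["# Interim Dirty Frag workaround: keep esp4/esp6/rxrpc from loading."]
    for m in RISKY_MODULES:
        lines.append(f"blacklist {m}")
        lines.append(f"install {m} /bin/false")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(dirty_frag_exposure(SAMPLE_PROC_MODULES))
    print(blacklist_conf())
```

On a live host, feed it `open("/proc/modules").read()` and write `blacklist_conf()` to a file under /etc/modprobe.d/.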
If RHEL and Ubuntu patches don't ship cleanly within 48 hours, expect this to migrate from "limited exploitation" to "broad commodity tooling" quickly — that's the signal to watch.
ShinyHunters Recompromised Canvas After Instructure Said It Was "Contained" — Tuesday Deadline Active
● Netherlands · New Zealand · Australia · Sweden
The timing is almost theatrical: the week before finals, the platform millions of students use to submit assignments and check grades went dark, and the people responsible left a note.
ShinyHunters, the criminal extortion group, claims it stole roughly 275 million records from Instructure — names, email addresses, student ID numbers, and private messages between students, professors, and staff at nearly 9,000 institutions. Instructure says no passwords, dates of birth, government identifiers, or financial data were exposed, and that part appears to be holding up. The escalation is what changed the story this week.
Per KrebsOnSecurity, ShinyHunters publicly chastised Instructure for responding to the initial intrusion with "some 'security patches'" rather than negotiating, then demonstrated the patches hadn't worked by recompromising the environment on May 7. Instructure has since acknowledged that the unauthorized actor exploited an issue in its Free-For-Teacher accounts and temporarily shut those accounts down. The ransom deadline is Tuesday, May 12. KrebsOnSecurity reported that several universities have approached ShinyHunters about paying; the leak site no longer lists Instructure among current victims, which in extortion grammar typically means negotiations are underway.
Universities in the U.S., U.K., New Zealand, Australia, Sweden, and the Netherlands have reported disruptions, with several forced to reschedule final exams, per The Record. The near-term defensive risk isn't the breach itself — it's what comes next. Per Times Higher Education, staff and students are being warned to expect highly personalized phishing in the weeks ahead. Stolen names, school affiliations, professor relationships, and excerpts of private messages are a phishing toolkit; an attacker who knows your professor's name and can quote a Canvas message back at you will defeat most people's email skepticism.
Watch the Instructure status page over the weekend. As of May 8, it still claimed 100% uptime through the recompromise window, per Wikipedia's tracking of the incident — a credibility gap that will matter to regulators if it persists.
Russia-Linked Hackers Got Inside Five of Poland's Water Plants — With Default Passwords
● Poland · Russia · United States
Poland's domestic intelligence service published a detailed account this week of breaches at five water treatment facilities — Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo — in which attackers reached the industrial control systems and obtained the ability to modify equipment operating parameters. Per Security Affairs, the ABW attributed the campaign to Russian APTs APT28 and APT29, alongside the Belarusian-aligned UNC1151.
The methods, per the ABW, were weak password policies and management interfaces left exposed to the open internet. No zero-days. No bespoke malware. The bar to gain the technical capability to disrupt drinking water for tens of thousands of people was: a default credential and a public IP.
That last part is why this story matters beyond Poland. TechCrunch's framing is correct — the attack vectors ABW described are identical to vulnerabilities long known to exist across U.S. water utilities, where small, under-resourced municipal systems run the same exposed-OT pattern. This isn't a sophistication gap; it's a procurement and inspection gap. The signal worth watching is whether CISA or EPA issues a follow-on advisory in the coming days. The ABW report is detailed enough that it should — and the absence of one would itself be telling.
Your AI Gateway Is Now on CISA's Actively Exploited List
If your engineering team runs LiteLLM — the open-source proxy that routes requests between your applications and model providers like OpenAI, Anthropic, and AWS Bedrock — there is a patch that should have shipped yesterday.
CISA added CVE-2026-42208 to its Known Exploited Vulnerabilities catalog on May 8, with a federal patch deadline of May 11. The flaw is an SQL injection in the proxy's API key check, where the caller-supplied key was concatenated into the query string instead of passed as a parameter. An unauthenticated attacker can send a crafted Authorization header to any LLM API route, hit the error-handling path, and read or modify the proxy's database.
The reason this is a credentials-pocalypse and not a typical SQL injection: per The Hacker News reporting Sysdig research, a single LiteLLM credentials row often holds an OpenAI organization key with five-figure monthly spend caps, an Anthropic console key with workspace admin rights, and an AWS Bedrock IAM credential. "The blast radius of a successful database extraction is closer to a cloud-account compromise than a typical web-app SQL injection," Sysdig wrote.
Active exploitation began within 36 hours of public disclosure. Patch to the latest LiteLLM release. If you can't patch immediately, set disable_error_logs: true under general_settings to remove the attack path while you schedule the upgrade — and assume any keys stored on a vulnerable instance need rotation, not just patching.
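As an added illustration of the defect class (not LiteLLM's code and not its patched fix), here is a key check that concatenates the caller-supplied token into the SQL text beside the same check using parameter binding, run against a constructed in-memory table.

```python
import sqlite3

# Constructed stand-in for a proxy's virtual-key table. It is not LiteLLM's
# schema; it only reproduces the bug class the advisory describes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, team TEXT)")
    conn.execute("INSERT INTO virtual_keys VALUES ('sk-valid-key', 'platform')")
    conn.commit()
    return conn


def bearer_token(auth_header):
    """Pull the token out of 'Bearer <token>'; any other shape is rejected."""
    scheme, _, token = auth_header.partition(" ")
    return token if scheme == "Bearer" and token else None


def lookup_vulnerable(conn, token):
    """Key check with the token spliced into the SQL text: the token becomes code."""
    sql = "SELECT token, team FROM virtual_keys WHERE token = '" + token + "'"
    return conn.execute(sql).fetchone()


def lookup_hardened(conn, token):
    """Same check with the token bound as a parameter: it is only ever data."""
    sql = "SELECT token, team FROM virtual_keys WHERE token = ?"
    return conn.execute(sql, (token,)).fetchone()


def authenticate(conn, auth_header, hardened=True):
    """Return the key's team on success, else None. Selects one of the two paths."""
    token = bearer_token(auth_header)
    if token is None:
        return None
    lookup = lookup_hardened if hardened else lookup_vulnerable
    row = lookup(conn, token)
    return row[1] if row else None


def demo():
    """The textbook tautology in place of a key: the concatenating path accepts a
    key that was never issued, the parameterised path correctly returns None."""
    header = "Bearer x' OR '1'='1"
    return (authenticate(make_db(), header, hardened=False),
            authenticate(make_db(), header, hardened=True))


if __name__ == "__main__":
    print(demo())  # ('platform', None)
```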
⚡ What Most People Missed
- Pro-Ukraine hacktivists are sharing infrastructure now: Kaspersky researchers told The Record that BO Team and Head Mare — two pro-Ukraine groups attacking Russian targets — are running command-and-control on the same servers and sharing tooling. Hacktivism with shared operational infrastructure is a meaningful capability jump from opportunistic defacement.
- An insider deleted 96 government databases: A Virginia man was convicted Thursday after a federal jury found him guilty of stealing one user's password and using it to wipe 96 government databases. No novel malware, no APT — just credential theft, weak compartmentalization, and the absence of multi-person controls on destructive operations.
- NVIDIA confirmed a GeForce NOW breach in Armenia: Geographically scoped, but GeForce NOW accounts hold payment data and are linked to broader NVIDIA accounts. The interesting question is why Armenia specifically — that detail hasn't been explained.
- Trellix source code allegedly leaked by RansomHouse: RansomHouse claimed responsibility for last week's Trellix incident and posted screenshots from internal systems. If the source code claim is accurate, the second-order risk is detection-evasion tooling tuned specifically against Trellix telemetry — and that risk lands on Trellix's customers, not Trellix.
From the Foreign Press
CERT-UA: UAC-0247 Targeting Hospitals, Local Government, and FPV Drone Operators
● Ukraine
Ukraine's national CERT published a detailed advisory documenting an intensifying campaign by the threat cluster UAC-0247 (also tracked as UAC-0244) against Ukrainian clinical hospitals, emergency services, municipal bodies, and — most notably — operators of first-person-view drones, the cheap, single-use drones that have transformed front-line tactics. Targeting FPV drone operators is a direct attempt to disrupt Ukrainian battlefield supply chains at the human level, identifying who builds and flies the drones rather than where they're stored. The hospital and municipal targeting fits the broader Russian doctrine of attacking civilian resilience alongside military capability. Source: CERT-UA Advisory #6288271 — Ukrainian. No English-language coverage confirmed at time of publication.
Xakep: CapFix Targeting Russian Industrial and Aerospace Firms via Compromised Mail Servers
Russian specialist outlet Xakep, citing Positive Technologies research, describes an ongoing campaign tracked as CapFix that has targeted Russian industrial and aviation-sector organizations from late 2025 through March 2026. The notable tradecraft: phishing emails sent from already-compromised legitimate mail servers, with Positive Technologies analysts assessing that a critical Roundcube webmail flaw was likely used to build the mailing infrastructure. Phishing from genuine, reputation-good mail servers defeats most filtering, and the targeting suggests a Western-aligned actor methodically working Russian aerospace — a useful counterpoint to the symmetric Geo Likho campaign reported earlier this month. Source: Xakep — Russian. No English-language coverage confirmed at time of publication.
Xakep: NFS Privilege Escalation Technique Published
Xakep published a technical breakdown of a fresh privilege-escalation path through NFS — Network File System, the protocol Linux servers have used for decades to share files across a network. The walkthrough demonstrates how misconfigured no_root_squash settings combined with specific mount behaviors can be chained into a reliable local-to-root escalation on shared infrastructure. The piece reads as a defensive checklist as much as offensive research, and given the Dirty Frag activity this week, hardening NFS exports is a useful adjacent task while kernel patches are pending. Source: Xakep — Russian. No English-language coverage confirmed at time of publication.
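The export audit that piece implies, as an added example (not from Xakep or the research it covers): a small parser for /etc/exports syntax, run over a constructed sample, that flags entries carrying no_root_squash, a world (`*`) client spec, or the insecure option. The sample file and the severity rules are assumptions for illustration.

```python
# Constructed /etc/exports sample; not taken from any real host.
SAMPLE_EXPORTS = """\
# home directories: root squashed, limited to the LAN
/home          10.0.0.0/24(rw,sync,root_squash)
# build share: exported to everyone with root not squashed
/srv/build     *(rw,sync,no_root_squash)
/srv/iso       192.168.1.0/24(ro,sync)  host1(rw,no_root_squash,insecure)
"""


def parse_exports(text):
    """Yield one {path, host, opts} record per client spec in exports(5) syntax.

    A spec is 'host(opt,opt)' or a bare 'host'; a bare '(opts)' with no host
    applies to every client, which exportfs itself warns about."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            host, _, rest = spec.partition("(")
            opts = [o for o in rest.rstrip(")").split(",") if o] if rest else []
            entries.append({"path": path, "host": host or "*", "opts": opts})
    return entries


def audit_exports(text):
    """Return (path, host, [problems]) for each export worth a second look.

    root_squash is the exportfs default, so only an explicit no_root_squash
    disables it; 'insecure' accepts requests from non-privileged source ports."""
    findings = []
    for e in parse_exports(text):
        opts = set(e["opts"])
        problems = []
        if "no_root_squash" in opts:
            problems.append("no_root_squash")
        if e["host"] == "*":
            problems.append("world-exported")
        if "insecure" in opts:
            problems.append("insecure")
        if problems:
            findings.append((e["path"], e["host"], sorted(problems)))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```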
📅 What to Watch
- If Instructure's status page continues claiming 100% uptime through Tuesday's deadline, the credibility crisis with 9,000 institutional customers becomes a regulatory one — expect FERPA inquiries to follow.
- If Red Hat and Ubuntu Dirty Frag patches slip past Monday, expect commodity exploit kits to integrate the public PoC within the week, turning a targeted state-actor tool into ransomware crew baseline tooling.
- If CISA or EPA does not issue a follow-on advisory to U.S. water utilities in the next two weeks, read it as a signal that the inspection gap is being managed politically rather than technically — and that a domestic version of the Polish incident is a question of when, not whether.
- If ShinyHunters delists Instructure permanently after Tuesday, universities have paid — and the precedent will accelerate education-sector extortion through the rest of 2026.
- If the LuaJIT 2.1 FFI exploit gets adapted for OpenResty or embedded Redis modules, the blast radius expands from "research curiosity" to "internet infrastructure," because that's where LuaJIT actually lives.
- If a second Trellix-tier security vendor source-code leak surfaces in the next 30 days, the RansomHouse business model has officially shifted from extorting victims to weaponizing the defenders.
The Closer
Three default passwords stood between the Russian state and a Polish town's drinking water; a kernel exploit slipped its embargo while sysadmins were still admiring last week's patch; and somewhere a university bursar is staring at a wire-transfer form trying to remember the etiquette for paying ShinyHunters. Somewhere else, a man in Virginia who deleted 96 government databases with one stolen password is wondering how the cybersecurity industry built a multibillion-dollar zero-day economy on top of infrastructure that still falls over to "admin / admin." Stay patched, stay paranoid.
Forward this to the friend whose Canvas password is their dog's name and a number.