The Lyceum: Cyber Intelligence Daily — May 11, 2026

Today's theme is trust collapsing in the places we don't normally look — the official download page, the AI chat share link, the firewall that's supposed to be guarding the door. CISA's actively exploited list now reads like a tour of modern infrastructure: a mobile device manager, an AI gateway, a perimeter firewall. And a Palo Alto patch arrives tomorrow for a flaw that's been quietly burning since April 9, which means the next 24 hours are the gap.

• CVE-2026-0300 — Palo Alto Networks PAN-OS User-ID Authentication Portal: actively exploited as zero-day, patches roll out Tuesday May 12. Unauthenticated buffer overflow yielding root on the firewall itself. Unit 42 attributes exploitation to CL-STA-1132.
• CVE-2026-6973 — Ivanti Endpoint Manager Mobile: KEV-listed with a federal due date of May 10 (already past). High-severity flaw where admin-level attackers achieve arbitrary code execution; credentials stolen in January attacks are reportedly being reused now.
• CVE-2026-42208 — BerriAI LiteLLM: KEV-listed, federal due date today (May 11). Critical RCE in the proxy that routes traffic between apps and model providers — the AI gateway has joined the firewall on the priority shelf.
• CVE-2026-7482 — Ollama before 0.17.1: CVSS 9.1 out-of-bounds read in the GGUF model loader. Remote unauthenticated process-memory leak — model weights, cached prompts, API keys, anything in RAM.
• CVE-2026-23918 / CVE-2026-24072 — Apache HTTP Server 2.4.66 and earlier: double-free in HTTP/2 with possible RCE, plus a privilege-escalation path via mod_rewrite and .htaccess. Fixed in 2.4.67. No KEV listing yet.
• ThingsBoard 4.2.0 SSRF PoC — Public proof-of-concept on Exploit-DB for an unauthenticated SSRF in the widely deployed IoT telemetry platform. Turns a dashboarding server into an internal-network pivot.
• JDownloader installer hijack — Official site served malicious Windows and Linux installers May 6–7 carrying a Python RAT; affected users should treat machines as compromised and reinstall.

If you've ever wondered what "modern attack surface" actually means in practice, this week's KEV additions are the answer. CISA added three flaws being actively exploited in the wild: CVE-2026-6973 in Ivanti Endpoint Manager Mobile (the software that controls your fleet of corporate phones and laptops), CVE-2026-42208 in BerriAI LiteLLM (the proxy that routes your apps' requests to OpenAI, Anthropic, and AWS Bedrock), and CVE-2026-0300 in Palo Alto Networks PAN-OS (the firewall guarding your perimeter). Federal due dates were May 10, May 11, and May 9 respectively — all immediate as of publication.

What changes if this matters as much as it looks: LiteLLM in particular is the first time an AI gateway has shown up on the same priority list as a firewall. That promotes the AI plumbing layer — which a lot of organizations still treat as developer convenience tooling — into the same risk category as your edge devices. Dark Web Informer reports the Ivanti exploitation is using credentials stolen in January attacks that organizations never rotated; the bug rewards inaction in the most direct way possible.

The signal to watch: whether the next two weeks bring more AI-adjacent tooling onto KEV. If they do, the pattern stops being coincidence and starts being a campaign.

CVE-2026-0300 has been the slow-motion emergency of the week, but two new details sharpened it overnight. Palo Alto's Unit 42 has attributed the exploitation to a "likely state-sponsored" group it tracks as CL-STA-1132, and the patch arrives tomorrow, May 12. The flaw itself is an unauthenticated buffer overflow in PAN-OS's User-ID Authentication Portal — meaning anyone who can reach that portal over the network can land root on the firewall without credentials.

Unit 42's timeline, per The Register, is unusually specific: first failed exploitation attempts on April 9; successful RCE about a week later; logs and crash reports wiped on the way out; lateral movement into Active Directory using credentials lifted from the firewall itself; post-exploitation traffic tunneled through EarthWorm and ReverseSocks5, both publicly available tools. A working PoC went public on May 6, which means the floor for exploitation just dropped — you no longer need to be CL-STA-1132 to use this. Cybernews and Field Effect both have additional confirming detail.

What success and failure look like here are mirror images: success is a clean patch deployment Tuesday with no widespread secondary exploitation. Failure looks like Shadowserver's count of 5,800+ exposed VM-Series firewalls turning into a Mirai-style scan event by Wednesday. The CL-STA-1132 attribution is single-vendor and should be treated as a working hypothesis, not settled fact — Unit 42 hasn't published the indicators that would let other firms confirm it independently.

Between May 6 and May 7, the official JDownloader website pointed users to malicious Windows and Linux installers carrying a Python-based remote access trojan. According to Security Affairs and BleepingComputer's follow-up, the attackers didn't tamper with JDownloader's legitimate binaries — they altered the website's content management system to swap the download links for the "Alternative Installer" (Windows) and the shell installer (Linux). In-app updates, macOS downloads, Flatpak, Winget, Snap packages, and the main JAR were untouched.

The JDownloader developers have advised that anyone who ran the affected installers during that window should treat the machine as compromised and reinstall the OS — standard AV scans may miss the persistence. Legitimate Windows installers show "AppWork GmbH" as the publisher; anything else is hostile.

What changes if this keeps happening: the security guidance that's been gospel for two decades — "download from the official site" — becomes meaningfully weaker. The observable signal that defenders are losing the trust-boundary fight is more incidents like this one, where the official domain serves the malicious payload and code-signing on the binary is the only thing left between users and infection. Watch package-manager and signature verification adoption climb in the weeks ahead; that's the rational response.

The timing is theatrical and the message is unsubtle. BleepingComputer reports ShinyHunters defaced Canvas login portals at hundreds of colleges and universities for roughly 30 minutes, using the schools' own infrastructure as a billboard to claim it had breached Instructure again and would publish stolen data by Tuesday, May 12. The Verge reports the actor is claiming roughly 275 million records and a separate Tuesday, May 13 deadline — those numbers and dates are attacker claims and unverified by Instructure, but the deadline window is still active as of publication.

Instructure has said it found no indication that passwords, dates of birth, government identifiers, or financial information were compromised. The attackers, meanwhile, claim to have pulled user records, private messages, and enrollment data via Canvas export features and APIs. The asymmetry between those two statements is itself the story.

What's different about this one is the public-pressure mechanic. A defacement isn't a data-theft technique — it's a coercion technique aimed at students, parents, and administrators rather than IT. The success signal for ShinyHunters is whether Instructure or affected schools issue fresh notices before the deadline expires. The failure signal — for defenders — is a phishing wave hitting university inboxes Wednesday morning with very convincing "your Canvas account needs verification" framing. A breach becomes more dangerous when it converts into social engineering fuel, and that conversion is happening in real time.

Russian security outlet Xakep published an extensive reconstruction of the "TeamPCP" campaign that began with a compromise of Aqua Security's open-source Trivy vulnerability scanner and cascaded outward into package repositories and cloud environments. The piece details how attackers abused a misconfigured pull_request_target trigger in GitHub Actions to escalate from initial maintainer-account compromises into broader system access, and cites Mandiant incident-response estimates that more than 1,000 SaaS environments were affected. Why it matters here: this is the most concrete recent example of a security tool itself becoming the supply-chain attack vector, and it lines up directly with this week's themes around AI gateways, package managers, and CI pipelines as the soft underbelly of modern infrastructure. English-language coverage of the broader campaign is limited; the technical timeline in the Xakep piece is the most complete public account so far.

Source: Xakep — Russian. No English-language coverage confirmed at time of publication.

Xakep published a technical walkthrough demonstrating that large language models, paired with dynamic instrumentation tools like Frida, can dismantle commercial code obfuscation in hours rather than the months it traditionally required. The piece is essentially a practical demonstration of what the agentic-AI offense research papers are forecasting — only with working code and timing measurements rather than scenario models. Why it matters: a meaningful share of anti-piracy, DRM, and malware-analysis-resistance economics has rested on the assumption that reverse engineers are scarce and slow. If that assumption breaks, defenders relying on obfuscation as a layer of their security posture need to reprice it — fast.

Source: Xakep — Russian. No English-language coverage confirmed at time of publication.

A firewall that helpfully wipes its own logs on the way out, a download button that ships you a Python RAT instead of a download manager, and a defaced Canvas login screen telling 275 million students that finals week just got worse. The week's running joke is that the AI gateway, the firewall, and the official software site have all turned into the threat — and the IT help desk hasn't even had coffee yet. Patch what you can, assume the rest, and reinstall the OS if you grabbed JDownloader on May 6 or May 7.

If this landed, send it to the friend who runs IT for a school district — they're going to need it before Tuesday, May 12.