The Lyceum: Cyber Intelligence Daily — May 13, 2026
Wednesday, May 13, 2026
The Big Picture
It's Patch Tuesday with teeth. Microsoft shipped fixes for around 120 vulnerabilities and — for the first time since June 2024 — none were reported as zero-days, which sounds like a quiet month until you read the Word entries and notice the Preview Pane is exploitable again. Meanwhile Fortinet patched two pre-auth RCEs (including one in the sandbox tool that's supposed to catch malware), the researcher behind BlueHammer/RedSun dumped a BitLocker bypass on GitHub with working code, and a dnsmasq mailing-list disclosure detailed six bugs that affect roughly every home router.
What Just Dropped
- CVE-2026-26083 — FortiSandbox (on-prem, cloud, PaaS): patched May 12, no known in-the-wild exploitation, CVSS 9.1. Missing authorization in the Web UI lets an unauthenticated remote attacker execute arbitrary code on the appliance whose entire job is detonating malicious files.
- CVE-2026-44277 — FortiAuthenticator 8.0.0/8.0.2, 6.6.0–6.6.8, 6.5.0–6.5.6: patched in 8.0.3, 6.6.9, 6.5.7. CVSS 9.1. Improper access control allowing unauthenticated RCE on Fortinet's identity and access management appliance. FortiAuthenticator Cloud unaffected.
- CVE-2026-41089 — Windows Netlogon: patched May 12, no public exploitation yet, CVSS 9.8 per Microsoft. Stack-based buffer overflow exploitable by an unauthenticated remote attacker against domain controllers via crafted network requests.
- CVE-2026-42898 — Microsoft Dynamics 365 on-premises: patched May 12, CVSS 9.9 per Microsoft. Unauthenticated RCE requiring no user interaction.
- CVE-2026-40361 / CVE-2026-40364 — Microsoft Word: patched May 12. Critical RCE flaws triggerable via the Preview Pane — no opening of the document required.
- YellowKey & GreenPlasma — Public PoC released May 12 by the researcher behind BlueHammer/RedSun. YellowKey is a BitLocker bypass; GreenPlasma is a Windows CTFMON-based local privilege escalation to SYSTEM. No CVEs assigned, no patches available.
- Six dnsmasq CVEs — Disclosed May 11, fixed in 2.92rel2. CVE-2026-2291 (heap overflow / cache poisoning) and CVE-2026-4892 (DHCPv6 heap OOB write → local root) lead the set. Affects nearly all non-ancient dnsmasq builds.
Today's Stories
Microsoft's May Patch Tuesday: 120 Fixes, No Zero-Days — But Look at the Word Bugs
The headline number is encouraging — roughly 120 CVEs patched, none were reported as zero-days. Per Tenable, this is the first Patch Tuesday since June 2024 with no zero-days in the bundle. SecurityWeek counts the release at 137 across all components; the discrepancy reflects how each tracker aggregates product-specific subcomponents, not a disagreement about the underlying fixes.
The real story is in the Word entries. CVE-2026-40361 and CVE-2026-40364 are critical RCEs in Microsoft Word where, per Help Net Security, the Preview Pane is a sufficient trigger — the target doesn't open the document, just selects it in Outlook or Explorer. That is the exact attack surface phishing campaigns weaponize within days of disclosure, and the concern is that it collapses the user-education layer to zero.
Two server-side bugs deserve top-of-queue treatment. CVE-2026-41089 is a pre-auth stack-based buffer overflow in Netlogon — per Tenable, CVSS 9.8, exploitable against any domain controller reachable by an attacker. Half-patched Active Directory forests are not a defensible state for a bug like this. CVE-2026-42898, per The Cyber Express, is an unauthenticated RCE in on-prem Dynamics 365 at CVSS 9.9 with no user interaction required; if your ERP runs on-prem Dynamics, the maintenance window can't wait.
What success here looks like is boring: clean telemetry through the weekend, no out-of-band emergency, attackers chasing yesterday's bugs. What failure looks like is a phishing campaign in your SOC's queue Monday morning with .docx attachments and confused users explaining they "didn't even open it." The observable signal in between is whether CVE-2026-40361 shows up in vendor exploit-tracking feeds before Friday.
Fortinet Patches Two Critical Unauthenticated RCEs — One in the Tool That Catches Malware
There is a particular flavor of dark comedy in a critical pre-auth RCE in the sandbox you bought to catch pre-auth RCEs. CVE-2026-26083 is a missing-authorization flaw in the FortiSandbox Web UI affecting on-prem, cloud, and PaaS variants. Per Fortinet's PSIRT advisory, it carries a CVSS of 9.1, was found internally during audit, and lets an unauthenticated remote attacker execute code on the appliance whose entire purpose is detonating suspicious files in a contained environment. The compromise isn't just a foothold — it's visibility into every payload the sandbox is currently analyzing.
The second bug, CVE-2026-44277, affects FortiAuthenticator — Fortinet's identity and access management product. Per Fortinet's PSIRT, it's also CVSS 9.1, improper access control allowing unauthenticated RCE via crafted requests. Affected versions are 8.0.0 / 8.0.2, 6.6.0–6.6.8, and 6.5.0–6.5.6; fixed releases are 8.0.3, 6.6.9, and 6.5.7. FortiAuthenticator Cloud is not affected. Fortinet says the bug is not known to be exploited in the wild at publication.
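The affected and fixed versions above are the kind of detail that gets transcribed wrongly across a fleet spreadsheet, so here is a small triage helper, added here as an example and not Fortinet's own code. It encodes only the FortiAuthenticator versions named in the advisory summary, treats FortiAuthenticator Cloud as unaffected, and deliberately reports branches the advisory does not name (6.4.x, 8.0.1) as "not listed" rather than safe. The inventory rows and hostnames are constructed sample data.

```python
"""Triage helper for the FortiAuthenticator advisory (CVE-2026-44277).

Added example, not Fortinet's code. It encodes only the affected and fixed
versions named in the advisory summary and, for an inventory of appliances,
reports which ones still need the upgrade and which fixed release each should
move to. The inventory rows below are constructed sample data.
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, fixed release), all inclusive, taken from
# the advisory summary. 8.0.1 is not named as affected, so the 8.0 branch is
# two single-version entries rather than one span.
AFFECTED_RANGES = [
    ((8, 0, 0), (8, 0, 0), (8, 0, 3)),
    ((8, 0, 2), (8, 0, 2), (8, 0, 3)),
    ((6, 6, 0), (6, 6, 8), (6, 6, 9)),
    ((6, 5, 0), (6, 5, 6), (6, 5, 7)),
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; reject anything else rather than guess."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiAuthenticator version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def triage(version_text: str, cloud: bool = False) -> dict:
    """Classify one appliance.

    status is one of:
      'unaffected' - FortiAuthenticator Cloud, or a named branch at/after its fix
      'affected'   - inside a named affected range; 'upgrade_to' gives the fix
      'not_listed' - a version the advisory does not name; verify against the
                     PSIRT advisory, do not treat it as safe by default
    """
    if cloud:
        return {"version": version_text, "status": "unaffected", "upgrade_to": None}
    v = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return {"version": version_text, "status": "affected", "upgrade_to": fmt(fixed)}
    # Same major.minor as a named branch and at or past its fixed release.
    for low, _high, fixed in AFFECTED_RANGES:
        if v[:2] == low[:2] and v >= fixed:
            return {"version": version_text, "status": "unaffected", "upgrade_to": None}
    return {"version": version_text, "status": "not_listed", "upgrade_to": None}


# Constructed sample inventory: (hostname, version, is_cloud). Not a real fleet.
SAMPLE_INVENTORY = [
    ("fac-hq-01", "6.6.4", False),
    ("fac-dr-01", "6.5.7", False),
    ("fac-lab-01", "8.0.2", False),
    ("fac-cloud-01", "8.0.0", True),
    ("fac-legacy-01", "6.4.9", False),
]


def triage_inventory(rows) -> list:
    """Run triage over (hostname, version, is_cloud) rows; returns one dict per host."""
    return [dict(host=host, **triage(ver, cloud)) for host, ver, cloud in rows]


if __name__ == "__main__":
    for r in triage_inventory(SAMPLE_INVENTORY):
        target = f" -> upgrade to {r['upgrade_to']}" if r["upgrade_to"] else ""
        print(f"{r['host']:<14} {r['version']:<8} {r['status']}{target}")
```

The "not_listed" bucket is the point of the design: a version outside the named ranges is an open question for the advisory owner, not a clean bill of health, and the script refuses to collapse that distinction.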
If both flaws stay quiet, the patches absorb the risk and this is a routine vendor advisory. If either appears in CISA's Known Exploited Vulnerabilities catalog in the coming weeks, the math changes — per BleepingComputer, CISA has added 24 Fortinet vulnerabilities to the KEV catalog in recent years, 13 of which were also abused in ransomware. The historical pattern is that Fortinet bugs travel from advisory to active exploitation in days, not months. The observable signal: KEV additions or a Fortinet PSIRT update noting in-the-wild activity.
Chaotic Eclipse Drops Two More Windows Zero-Days — A BitLocker Bypass with Working Code
The researcher behind BlueHammer, RedSun, and UnDefend has not become more patient. Per securityonline.info, they published two new proof-of-concept exploits on GitHub on May 12 under the alias Nightmare-Eclipse. The release accompanies a blog post framing the dump as retaliation against Microsoft's Security Response Center for what the researcher describes as ongoing failures to handle disclosures responsibly.
YellowKey is the alarming one. Per securityonline.info, it's a complete bypass of BitLocker — Windows' full-disk encryption — that the researcher describes as "insane," suggesting the bug almost feels deliberate. The public exploit demonstrates unrestricted shell access to a protected volume using a USB stick and a specific key combination during reboot. GreenPlasma targets the Windows CTFMON service via arbitrary section creation; per the same source, the researcher stripped the final SYSTEM-shell payload as a challenge to the community, but the core exploit logic is public.
The earlier round set the pattern. Per ebuildersecurity, Huntress confirmed active in-the-wild exploitation of all three prior techniques since April 10, 2026, with Microsoft patching only CVE-2026-33825 (BlueHammer) and leaving RedSun and UnDefend unpatched across all supported Windows versions. If YellowKey gets weaponized at the same tempo, encrypted laptops on the wrong end of a hotel-room burglary stop being encrypted in any meaningful sense. The observable signal is whether Microsoft ships an out-of-band patch this week — if they do, it means telemetry already shows attackers moving on the PoC.
Canvas Comes Back Online, But Instructure Paid the Ransom — And ShinyHunters Still Has the Data
Canvas is back. The learning management platform used by roughly 9,000 schools and millions of students recovered from the ShinyHunters ransomware attack that hit during finals week, and Instructure — Canvas's parent company — confirmed paying a ransom to restore access. The Verge reports the company has not disclosed the amount.
Paying did not retire the threat. ShinyHunters retains the exfiltrated data — student records, assignment submissions, grades, and potentially personal information — and continues to threaten public release. This is the structure of modern double-extortion: the decryption key buys operational recovery; it does not buy data destruction, and no rational defender should assume otherwise.
If the data leaks, every school running Canvas needs to assume student records are in the wild and prepare for credential-stuffing and phishing campaigns targeting students and staff who reuse passwords. If it doesn't leak, that tells you something quieter and more interesting about ShinyHunters' calculus — that a paid ransom is still worth honoring when the victim is a recurring revenue surface for future operations. Watch for posts on ShinyHunters' leak infrastructure over the next two weeks; that's the signal that decides which scenario you're in.
⚡ What Most People Missed
- Six dnsmasq CVEs with an AI-research backstory: A dnsmasq mailing-list disclosure on May 11 detailed six serious dnsmasq bugs — heap overflow enabling DNS cache poisoning (CVE-2026-2291) and a DHCPv6 heap OOB write yielding local root (CVE-2026-4892) lead the set. The maintainer's note describes "something of a revolution in AI-based security research," months of weeding duplicate reports, and a working assumption that long embargoes are now pointless because if the good guys are finding bugs this fast, the bad guys already have. Patch is dnsmasq 2.92rel2; Pi-hole FTL 6.6.2 already ships the fix.
- Mythos found exactly one real curl bug: Daniel Stenberg confirmed on May 11 that Anthropic's Mythos review produced five candidate findings in curl, of which one is genuine and will land as a low-severity CVE with curl 8.21.0 in late June. Curl is one of the most-audited C codebases on the planet — the fact that an AI-assisted workflow still shook one real bug loose is the signal, not the severity.
- High-speed rail service was disrupted using a commodity software-defined radio: Per Xakep, four high-speed rail services were disrupted using commodity SDR hardware rather than any sophisticated exploit. The lesson is that critical transport signalling is still soft enough to be perturbed by off-the-shelf radios. [Source: Xakep.ru — Russian]
- A fake OpenAI repository climbed to #1 on Hugging Face while serving a stealer: Per Xakep, a fraudulent repository impersonating OpenAI reached the top of Hugging Face's popularity rankings while quietly delivering credential-stealing malware to anyone who downloaded it. The trust users place in official-looking AI repositories is now being gamed at the ranking layer itself. [Source: Xakep.ru — Russian]
- DAEMON Tools served signed malware for a month: Kaspersky confirmed that installers distributed through the official DAEMON Tools site from April 8 onward were signed with a valid AVB Disc Soft developer certificate and carried a backdoor running at startup. Affected versions span 12.5.0.2421 through the then-current release. If anyone on your team touched DAEMON Tools in the last five weeks, that machine is suspect.
From the Foreign Press
Linux 'Dirty Frag' privilege escalation reportedly works across all major distributions
Xakep reports on a Linux kernel vulnerability dubbed Dirty Frag that, per their write-up, allows local privilege escalation to root across all major distributions. This lands in the same neighborhood as the Copy Fail and Pack2TheRoot bugs that defined late April — another kernel-layer flaw with cross-distribution reach and (per Xakep) working exploit code circulating. If the technical details hold up under English-language scrutiny, this is a third universal Linux root bug in roughly three weeks, and the operational reality for Linux fleet operators is now permanent kernel triage. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
Google reports finding the first 0-day exploit produced with AI assistance
Xakep, summarizing Google reporting, says Google's threat-intelligence teams have identified what they describe as the first in-the-wild zero-day exploit produced with meaningful AI assistance. The Russian-language coverage frames this as a confirmation of the trajectory the dnsmasq maintainer and the curl team are both reacting to from different directions: the floor for both vulnerability discovery and exploit development has moved, and defenders should expect the gap between disclosure and weaponization to keep compressing. Worth watching for the English-language Google writeup, which will likely carry the actual TTPs. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If Microsoft ships an out-of-band patch for YellowKey before Friday, it means BitLocker bypass telemetry is already showing real-world use — and stolen-laptop incident response across the enterprise just got materially harder.
- If CVE-2026-26083 or CVE-2026-44277 land in CISA's KEV catalog within two weeks, the Fortinet pattern is repeating and the patching window has already closed for slow-moving organizations.
- If ShinyHunters never publishes the Canvas data, that's evidence of a paid-ransom-honored-by-leak-site relationship worth modeling — it changes the calculus for future victims and for insurers underwriting them.
- If the Mythos curl bug gets a higher CVSS at disclosure than Stenberg's "low-severity" framing suggests, the AI-assisted review wave is producing findings that even seasoned maintainers initially under-rate.
- If a vendor revokes the AVB Disc Soft signing certificate publicly, that's the cleanest signal that the DAEMON Tools backdoor reached more downstream systems than Kaspersky's current estimate.
- If Google publishes details on the AI-assisted zero-day Xakep referenced, the TTPs will matter more than the headline — what part of the exploit chain the model actually produced is the question that reshapes detection engineering.
The Closer
A BitLocker bypass dropped on GitHub by someone with a grievance and a USB stick; a sandbox appliance that needed a sandbox; a disruption of high-speed rail with a radio you can buy on Amazon. Somewhere in Cambridge a dnsmasq maintainer is sorting through AI-generated bug reports and concluding, reasonably, that the embargo era is over — which is probably the most consequential sentence anyone wrote this week, and it appeared on a mailing list almost nobody reads.
Stay patched. Stay suspicious of "official."
Forward this to the person on your team who still thinks Preview Pane is safe.