The Lyceum: Cyber Intelligence Daily — May 14, 2026
Thursday, May 14, 2026
The Big Picture
An 18-year-old NGINX bug — found by an AI, not a human — just gave attackers a one-shot unauthenticated RCE against roughly a third of the web. A pharmaceutical packaging giant that ships 43 billion components a year is rebuilding from ransomware. And a Windows researcher with what they call a "dead man's switch" of unreleased zero-days just dumped a BitLocker bypass with working code, telling Microsoft to expect "a big surprise" next Patch Tuesday. The day after Patch Tuesday is becoming its own threat surface.
What Just Dropped
- CVE-2026-42945 — NGINX Rewrite Module Heap Overflow — NGINX Open Source <1.31.0/<1.30.1 and NGINX Plus pre-R36 P4/R32 P6: patched May 13, public PoC on GitHub, no NVD score yet (press reports CVSS v4 9.2). Unauthenticated RCE via a single HTTP request against vulnerable rewrite configurations.
- YellowKey — Windows BitLocker Bypass: Unpatched zero-day affecting Windows 11 and Server 2022/2025. Working PoC public on GitHub; unlocks BitLocker-protected drives via WinRE and a USB-staged 'FsTx' file. No Microsoft response yet.
- GreenPlasma — Windows SYSTEM Elevation: Companion zero-day to YellowKey, partial PoC released (the SYSTEM-shell pivot stripped out). Unpatched.
- Exim AV26-460 — Exim 4.97 through 4.99.2 on certain GnuTLS builds: vendor advisory published May 12 by Exim, reissued May 13 by Canada's Cyber Centre. Per the advisory, a crafted message can lead to remote code execution in vulnerable configurations.
- Six dnsmasq CVEs (CVE-2026-2291, -4890, -4891, -4892, -4893, -5172) — dnsmasq pre-2.93: bundle covers DNS cache poisoning, DHCPv6 local root, and DoS. Ubuntu shipped USN-8268-1 within the last 14 hours; embedded-device patching gap will be measured in months.
- Flowise unauthenticated exploit (EDB-52557): Working PoC for the open-source LLM orchestration UI. Affects older Flowise deployments; any internet-facing instance is at elevated risk from opportunistic scanners now.
- Chrome CVE-2026-5281 — Chrome <146.0.7680.177: confirmed exploited in the wild per Google's release notes. Use-after-free in Dawn (WebGPU).
Today's Stories
An 18-Year-Old NGINX Bug, Found by an AI in Six Hours, Now Threatens One in Three Web Servers
If you run a website, there is roughly a one-in-three chance NGINX is somewhere in the stack. On May 13, F5 and a research firm called depthfirst jointly disclosed CVE-2026-42945 — a heap buffer overflow in NGINX's rewrite module that has been quietly sitting in the codebase since version 0.6.27 shipped in 2008.
A heap buffer overflow is the kind of bug where software writes past the edge of an allocated chunk of memory; with the right shape of input, an attacker uses that overflow to bend the program's execution toward code of their choosing. In this case, the overflow is reachable over plain HTTP, with no authentication, against any NGINX instance running a particular — but not unusual — rewrite configuration: unnamed regex captures like $1 or $2 paired with a replacement string containing a ?, followed by another rewrite, if, or set directive. The Hacker News reports a CVSS v4 score of 9.2; depthfirst's writeup notes RCE is most reliable on environments where ASLR or other memory hardening is weak. A working proof-of-concept is already on GitHub.
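A config audit is the fastest way to tell whether a fleet is exposed before the patch lands. The script below is an added example, not code from F5, depthfirst or the NGINX project: it walks an nginx.conf, flags a `rewrite` whose replacement uses an unnamed capture ($1, $2, ...) together with a `?`, and is followed in the same block by another `rewrite`, `if` or `set` directive, which is the shape of configuration the disclosure describes. It also checks an Open Source version string against the fixed releases named above (1.30.1 / 1.31.0). The sample configuration is constructed, the line-by-line parser is a simplification (one directive per line, no `include` following), and the rule is a defensive heuristic, not the vendor's own detection logic.

```python
import re

# Constructed nginx.conf fragment (not taken from any real deployment).
SAMPLE_CONFIG = """\
server {
    listen 80;
    # risky: unnamed capture, '?' in replacement, then another rewrite
    location /old/ {
        rewrite ^/old/(.*)$ /new?path=$1 break;
        rewrite ^/new(.*)$ /final$1 last;
    }
    # hardened: named capture and no '?' in the replacement
    location /archive/ {
        rewrite ^/archive/(?<slug>.*)$ /docs/$slug last;
        set $backend "docs";
    }
    # unnamed capture and '?' but no following directive in this block
    location /legacy/ {
        rewrite ^/legacy/(.*)$ /app?id=$1 last;
    }
    # risky: followed by an if block
    location /promo/ {
        rewrite ^/promo/(.*)$ /campaign?code=$1;
        if ($arg_code = "") {
            return 400;
        }
    }
}
"""

# rewrite <regex> <replacement> [flag];   (one directive per line assumed)
REWRITE_RE = re.compile(
    r'^rewrite\s+(\S+)\s+(\S+)(?:\s+(last|break|redirect|permanent))?\s*;$')
# Directives that, after a risky rewrite in the same block, complete the pattern.
FOLLOWER_RE = re.compile(r'^(rewrite|set)\s|^if\s*\(')


def is_risky_replacement(replacement: str) -> bool:
    """Unnamed capture reference ($1..$9) combined with a '?' in the replacement."""
    return '?' in replacement and re.search(r'\$\d', replacement) is not None


def audit_rewrites(config_text: str):
    """Return [(line_no, directive)] for rewrites matching the disclosed shape."""
    findings = []
    # One slot per open block: the last risky rewrite seen in that block, if any.
    pending = [None]
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = REWRITE_RE.match(line)
        if m:
            if pending[-1] is not None:          # a rewrite is itself a follower
                findings.append(pending[-1])
                pending[-1] = None
            if is_risky_replacement(m.group(2)):
                pending[-1] = (lineno, line)
        elif FOLLOWER_RE.match(line) and pending[-1] is not None:
            findings.append(pending[-1])
            pending[-1] = None
        if line.endswith('{'):                   # entering location/if/... block
            pending.append(None)
        elif line == '}':                        # leaving it: pending is dropped
            pending.pop()
    return findings


def is_vulnerable_oss_version(version: str) -> bool:
    """NGINX Open Source: affected from 0.6.27 up to, but excluding, 1.30.1/1.31.0."""
    v = tuple(int(part) for part in version.split('.'))
    return (0, 6, 27) <= v < (1, 30, 1)


if __name__ == "__main__":
    for lineno, directive in audit_rewrites(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive}")
    for ver in ("1.28.0", "1.30.0", "1.30.1", "1.31.0"):
        print(ver, "vulnerable" if is_vulnerable_oss_version(ver) else "patched")
```

Run it against `nginx -T` output rather than a single file so that included snippets and conf.d fragments are covered; a hit is a reason to patch first and refactor the rewrite to named captures second, not a confirmation of exploitability on that host.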
The other detail worth sitting with: this wasn't a human researcher. Per depthfirst, their autonomous vulnerability-analysis system was pointed at the NGINX source and surfaced the bug in roughly six hours — a flaw that survived 18 years of human review. That is the story underneath the story. If you patch (1.31.0 / 1.30.1 for Open Source; R36 P4 / R32 P6 for Plus), the immediate problem goes away. The longer problem — that AI-assisted code auditing now finds class-defining bugs in foundational OSS faster than embargo processes can absorb them — does not.
What to watch: mass-scanning telemetry over the next 48–72 hours. If GreyNoise lights up with requests to / that probe rewrite responses, the window between disclosure and opportunistic exploitation has closed. If it stays quiet, attackers are targeting specific high-value NGINX deployments rather than spraying — which is, in some ways, worse.
West Pharmaceutical, the Company That Makes the Glass Vial Your Vaccine Came In, Is Recovering From Ransomware
Most ransomware victims are invisible to people downstream. West Pharmaceutical Services is not one of them.
Founded in 1923 and headquartered in Exton, Pennsylvania, West makes the rubber stoppers, glass vials, and delivery components that go into injectable medicines — insulin, vaccines, biologics — across 50 sites and 10,000 employees worldwide, shipping roughly 43 billion units a year per its own materials. In an SEC 8-K filing this week, West disclosed that it detected an intrusion on May 4, determined by May 7 that the incident was material, found that data had been exfiltrated and systems encrypted, and proactively took systems offline globally to contain it. Palo Alto Networks' Unit 42 was retained for response; law enforcement was notified.
The detail that will reward careful reading is buried in West's SEC language: the company "has taken steps intended to mitigate the risk of dissemination of the exfiltrated data." In ransomware vernacular, that language often indicates a payment was made or negotiated. No group has claimed the attack on a leak site — also unusual, and consistent with a paid-and-quiet outcome. West says shipping, receiving, and manufacturing have restarted at some sites and that core enterprise systems are restored, though full financial impact remains under assessment.
The success signal here is silence over the next two weeks — no leak site post, no auction listing, no follow-on extortion. The failure signal is a sudden West data dump appearing on a known leak board, which would indicate negotiations collapsed. For everyone downstream — hospitals, pharmacies, vaccine manufacturers — the operational question is whether the silence holds long enough for global manufacturing to fully normalize before the next disruption.
Chaotic Eclipse Drops a Working BitLocker Bypass and a SYSTEM Escalation — and Says More Is Coming
A researcher operating as Chaotic Eclipse (and as Nightmare-Eclipse on GitHub) published proof-of-concept code on May 12 for two unpatched Windows zero-days. The more dramatic one, YellowKey, defeats BitLocker — Microsoft's full-disk encryption — on Windows 11 and Server 2022/2025. The recipe per BleepingComputer: place specially crafted FsTx files on a USB or EFI partition, reboot into the Windows Recovery Environment, hold CTRL, and you get a shell. The exploit then deletes its own staging files from the USB. The researcher additionally claims YellowKey works against TPM+PIN configurations, though that variant's code has not been released — treat it as unverified.
The second drop, GreenPlasma, is a SYSTEM-level privilege escalation; the published PoC is deliberately incomplete, with the final pivot to a SYSTEM shell stripped out. Microsoft has not publicly responded to either.
Per The Register, these are the fourth and fifth Microsoft zero-days this researcher has burned this year, following BlueHammer (CVE-2026-32201), RedSun, and UnDefend — the latter two still unpatched. Huntress told The Register that PoCs from this researcher have been picked up and used in real attacks within days of release. Chaotic Eclipse is now teasing "a big surprise" for next Patch Tuesday and has alluded to a dead man's switch of further unreleased bugs.
The success path for defenders — meaningful only in the short term — is BitLocker PIN plus BIOS password on any high-value endpoint, immediately, plus tighter physical access controls. The failure path is the one we are already on: a single researcher with a vendor grudge effectively setting the cadence of Microsoft's emergency response. The signal to watch is whether June's Patch Tuesday includes out-of-cycle fixes for YellowKey and GreenPlasma — if not, the "dead man's switch" claim becomes the most credible piece of unverified intelligence in the room.
The Gentlemen Ransomware Crew Just Had Their Own Data Leaked — And It's an X-Ray of Modern RaaS
There is a familiar satisfaction when a ransomware operator gets locked out of their own infrastructure, but the more useful part of this story is what the leaked internals show about how the business actually runs.
Per Dark Reading and a Check Point Research writeup titled "Thus Spoke…The Gentlemen," an OPSEC failure exposed internal data from a ransomware-as-a-service operation called The Gentlemen — the model where one group builds the malware and infrastructure and recruits affiliates (effectively contractors) to do the breaking-in for a revenue share. Dark Reading describes the group's growth as the product of "a generous affiliate model, opportunistic TTPs, and an effective organizational structure." In plain English: it's a company. With HR.
Check Point's companion DFIR report details two tradecraft choices worth flagging. The first is heavy use of SystemBC — a proxy that wraps attacker-to-victim traffic in encrypted tunnels that look like ordinary HTTPS, which is why so much of this traffic survives perimeter inspection. The second is Group Policy abuse, where the attackers hijack Windows' built-in policy-distribution system to push their ransomware to every domain-joined machine in one coordinated push, instead of laterally hopping host to host.
What success looks like for the defenders here is rare and tangible: Check Point has published indicators of compromise, so any blue team running threat hunting can sweep for SystemBC traffic patterns and Group Policy anomalies before the group rebuilds. What failure looks like is the same thing that's happened every prior time a top RaaS operation got exposed — BlackCat/ALPHV, DarkSide, Conti — they regroup, rebrand, and resume in 60 to 120 days, often with cleaner tradecraft as a result of the leak.
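One concrete way to sweep for the Group Policy side of that tradecraft is to look at who is creating, editing and linking GPOs, and how fast. The script below is an added example and is not Check Point's published indicator set or DFIR tooling: it runs two defensive heuristics over constructed Windows Security-log records shaped like Event ID 5137 (directory service object created) and 5136 (directory service object modified). The first flags any GPO change (objectClass groupPolicyContainer, or a gPLink edit on an OU or domain object) made by an account outside an assumed allow-list of GPO editors; the second flags a burst of three or more GPO changes by one account inside ten minutes, which is what a single coordinated domain-wide push tends to look like in the audit trail. The account names, GUIDs, thresholds and the allow-list are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the only accounts expected to create, edit or link GPOs here.
GPO_EDITORS = {"gpo-svc", "j.admin"}
# Assumption: three or more GPO changes by one account in ten minutes is
# unusual enough in this environment to warrant a ticket.
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 3

# Constructed records: field names follow the 5136/5137 event data
# (SubjectUserName, ObjectClass, ObjectDN, AttributeLDAPDisplayName);
# GUIDs, accounts and the domain are made up.
SAMPLE_EVENTS = [
    {"time": "2026-05-13T09:02:10", "event_id": 5136, "user": "j.admin",
     "object_class": "groupPolicyContainer", "attribute": "versionNumber",
     "dn": "CN={11111111-AAAA-4BBB-8CCC-000000000001},CN=Policies,CN=System,DC=corp,DC=example"},
    {"time": "2026-05-14T02:02:41", "event_id": 5137, "user": "svc-backup",
     "object_class": "groupPolicyContainer", "attribute": None,
     "dn": "CN={22222222-AAAA-4BBB-8CCC-000000000002},CN=Policies,CN=System,DC=corp,DC=example"},
    {"time": "2026-05-14T02:03:11", "event_id": 5136, "user": "svc-backup",
     "object_class": "groupPolicyContainer", "attribute": "gPCFileSysPath",
     "dn": "CN={22222222-AAAA-4BBB-8CCC-000000000002},CN=Policies,CN=System,DC=corp,DC=example"},
    {"time": "2026-05-14T02:04:05", "event_id": 5136, "user": "svc-backup",
     "object_class": "organizationalUnit", "attribute": "gPLink",
     "dn": "OU=Workstations,DC=corp,DC=example"},
    {"time": "2026-05-14T02:05:00", "event_id": 5136, "user": "svc-backup",
     "object_class": "user", "attribute": "description",
     "dn": "CN=Printer Svc,OU=Service Accounts,DC=corp,DC=example"},
]


def is_gpo_change(ev: dict) -> bool:
    """GPO object created/edited, or a GPO linked/unlinked via gPLink on an OU/domain."""
    if ev["object_class"] == "groupPolicyContainer":
        return True
    return ev.get("attribute") == "gPLink"


def find_gpo_anomalies(events):
    """Return {'unexpected_editor': [...], 'burst': [...]} over 5136/5137-style records."""
    findings = {"unexpected_editor": [], "burst": []}
    times_by_user = defaultdict(list)
    for ev in events:
        if not is_gpo_change(ev):
            continue
        if ev["user"].lower() not in GPO_EDITORS:
            findings["unexpected_editor"].append((ev["time"], ev["user"], ev["dn"]))
        times_by_user[ev["user"]].append(datetime.fromisoformat(ev["time"]))
    for user, times in times_by_user.items():
        times.sort()
        for i in range(len(times)):
            # number of this user's GPO changes inside the window opening at times[i]
            n = sum(1 for t in times[i:] if t - times[i] <= BURST_WINDOW)
            if n >= BURST_THRESHOLD:
                findings["burst"].append((user, times[i].isoformat(), n))
                break  # one burst report per account is enough for triage
    return findings


if __name__ == "__main__":
    result = find_gpo_anomalies(SAMPLE_EVENTS)
    for kind, items in result.items():
        for item in items:
            print(kind, item)
```

Directory-object auditing has to be enabled on the domain controllers (the "Audit Directory Service Changes" subcategory plus a SACL on the Policies container and the OUs) or 5136/5137 are never written; pair the output with a SYSVOL diff of any flagged GPO's scripts and scheduled-task XML before deciding it is benign.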
⚡ What Most People Missed
- Iranian MuddyWater hit at least nine high-profile targets, including firms in South Korea's electronics sector: BleepingComputer reports a broad espionage campaign by MuddyWater (Seedworm, Static Kitten), historically aligned with Iran's MOIS. The breadth — multiple sectors, multiple countries — fits the elevated operational tempo we've seen since Operation Epic Fury in March.
- Attackers are publishing RubyGems packages that scrape UK government servers: Per Dark Reading, the gems include scrapers targeting public-facing UK gov endpoints with no clear objective yet. Dead-drop infrastructure inside a legitimate package registry is the kind of move that makes sense only as a precursor to something else.
From the Foreign Press
Hanmaeum Blood Center hit by ransomware — South Korea's first attack on a dedicated blood supplier
● Seoul, South Korea
Korean security outlet BoanNews reports that Hanmaeum Blood Center — a dedicated blood supply organization — was hit by ransomware, with police now conducting a pre-indictment investigation. Korean coverage describes the attackers demanding cryptocurrency for decryption, and frames this as the first ransomware attack on a single blood supply organization in South Korea. Blood centers sit in a category with hospitals and dialysis clinics: the cost of downtime is not measured in dollars, it's measured in delayed transfusions. The fact that this is making news in Seoul and not in English-language press is itself a small failure of the global threat-sharing fabric. Source: BoanNews — Korean. No English-language coverage confirmed at time of publication.
CNCERT warns of NutsBot, a new botnet riding the React2Shell vulnerability
● China
China's national CERT issued a risk advisory on a botnet it's calling NutsBot, which is spreading via the React2Shell cloud-infrastructure vulnerability and compromising cloud instances for what the advisory describes as a "zombie network." React2Shell is the same flaw Google Cloud's H1 2026 Threat Horizons report singled out as being exploited within 48 hours of disclosure — meaning the window from CVE to mass-compromise here is effectively zero. No equivalent CISA or ENISA advisory exists yet. If your team runs anything React-adjacent on AWS, Azure, or GCP, this is a useful early read. Source: Security Internal Memo, citing CNCERT — Chinese (Simplified). No English-language coverage confirmed at time of publication.
Foxconn's North American plant reportedly hit by ransomware, 8 TB allegedly stolen
● United States
Korean coverage via Daum and Security News reports that Foxconn's North American factory suffered a ransomware attack that allegedly paralyzed the plant's network, with attackers claiming to have stolen 8 TB of data. A parallel Korean report attributes a separate incident at an LG Energy Solution US plant to the Akira ransomware group, with claims of 1.7 TB exfiltrated and a temporary production halt. Neither has surfaced in English-language press in the way you'd expect for incidents at companies of this size, which is worth flagging on its own. If both confirm, the supply-chain impact — Foxconn for electronics, LG Energy Solution for batteries — would be the more important story than either breach individually. Source: Daum / Security News — Korean. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If CVE-2026-42945 exploitation stays quiet over the next 72 hours, attackers are targeting specific high-value deployments rather than mass-scanning — which would mean breaches may not surface until they appear as named incidents weeks from now.
- If no ransomware group posts West Pharmaceutical to a leak site within two weeks, treat that silence as the cleanest available evidence that a ransom was paid.
- If Microsoft ships out-of-band patches for YellowKey and GreenPlasma before next Patch Tuesday, it indicates Redmond believes Chaotic Eclipse's "dead man's switch" threat is serious enough to break their normal release cadence.
- If a successor RaaS brand emerges within 60 days using SystemBC and Group Policy push tradecraft, that would represent The Gentlemen reconstituting with improved operational practices enabled by the leaked OPSEC data.
- If CERT-UA breaks its current 48-hour silence with a batch advisory citing GRU initial-access TTPs, that's likely the deliverable from this week's Trilateral Cybersecurity Exercises in Bucharest, not a new campaign.
- If a dnsmasq-driven cache-poisoning incident hits the news inside 30 days, it is likely to target embedded devices — routers, Pi-holes, hotspots — whose persistent patching gaps would allow long-lived redirection of user traffic to attacker-controlled infrastructure.
The Closer
An AI found an 18-year-old NGINX bug in six hours, a disgruntled researcher is publishing Windows zero-days on a Patch Tuesday timer, and somewhere in Pennsylvania the people who make the glass vials your insulin comes in are very quietly not naming who they paid. The dead man's switch isn't the scary part — the scary part is that we now know what's in it because someone wrote it on a Norton community forum. Patch what you can, monitor what you can't, and assume the next disclosure is already written.
Forward this to the friend who still thinks BitLocker plus TPM is the end of the conversation.