The Lyceum: Cyber Intelligence Daily — May 18, 2026
Monday, May 18, 2026
The Big Picture
Three things define the morning. A researcher operating as Chaotic Eclipse just dropped a third unpatched Windows zero-day that pops a SYSTEM shell on a fully patched Windows 11 machine — including the May Patch Tuesday updates from six days ago. The NGINX bug we flagged earlier this week has crossed from "scary disclosure" to active exploitation, with VulnCheck confirming attacks in the wild. And the Tycoon2FA phishing kit — which law enforcement reportedly disrupted in March — has returned with a technique that defeats multi-factor authentication without ever asking for the victim's password.
The connective tissue: the gap between disclosure and weaponization is now measured in days, not quarters.
What Just Dropped
- MiniPlasma Windows zero-day — Windows 11 fully patched with the May 2026 Patch Tuesday updates: no fix available, PoC public on GitHub, confirmed working on current builds. Grants SYSTEM privileges from a standard user account by exploiting cldflt.sys.
- CVE-2026-42945 — NGINX Open Source 0.6.27–1.30.0 and NGINX Plus: patches available (1.30.1/1.31.0; R32 P6 and R36 P4 for Plus), confirmed actively exploited per VulnCheck. CVSS 9.2 (v4.0) on the session; heap buffer overflow in ngx_http_rewrite_module, enables worker crashes and possible RCE.
- CVE-2026-42897 — Microsoft Exchange Server (on-prem): patch available, KEV-listed (due 2026-05-29), active exploitation confirmed by Microsoft. OWA spoofing via crafted email.
- CVE-2026-20182 — Cisco Catalyst SD-WAN Controller & Manager: patch available, KEV-listed (due 2026-05-17 — federal deadline expired Sunday), authentication bypass.
- Tycoon2FA device-code phishing — phishing kit, rebuilt after March takedown: actively deployed against Microsoft 365 tenants, abuses Microsoft Authentication Broker OAuth flow to harvest tokens without stealing passwords.
Today's Stories
A Third Unpatched Windows Zero-Day in Three Weeks, and This One Works on Last Tuesday's Patch
You patched Windows last Tuesday. You're still not current.
A researcher operating as Chaotic Eclipse (also called Nightmare-Eclipse) published proof-of-concept code on GitHub for a Windows privilege escalation flaw they're calling MiniPlasma. The bug lives in cldflt.sys — the Windows Cloud Files Mini Filter Driver — and revives a 2020 issue Microsoft believed it had fixed with CVE-2020-17103. BleepingComputer tested the exploit on a fully patched Windows 11 Pro system running the May 2026 Patch Tuesday updates. From a standard user account, the exploit opened a command prompt running as SYSTEM — the highest privilege level on Windows, full keys to the kingdom. Researcher Will Dormann independently confirmed it works on current builds.
The pattern is now well-established. This is the third unpatched zero-day from Chaotic Eclipse in roughly three weeks, following BlueHammer (CVE-2026-33825), RedSun, and UnDefend. After each prior disclosure, BleepingComputer reports the bugs were spotted in real attacks within days. The researcher is publishing in protest of Microsoft's bug bounty process and has promised a "big surprise" coinciding with June Patch Tuesday on June 10. Expect ransomware affiliates and initial-access brokers to integrate the MiniPlasma PoC into their post-exploitation chains this week.
The signal to watch: an out-of-band Microsoft patch before June 10 means Microsoft sees ransomware adoption as imminent. Silence means defenders are on their own — and per the researcher's own promise, a new zero-day may arrive alongside whatever fixes Microsoft ships on the 10th.
NGINX CVE-2026-42945 Crosses the Line: Active Exploitation Confirmed, Patch Today
NGINX runs a meaningful fraction of the public internet — banks, APIs, WordPress sites, reverse proxies in front of just about everything. This week, that ubiquity is a liability.
CVE-2026-42945 is a heap-based buffer overflow in NGINX's ngx_http_rewrite_module affecting versions 0.6.27 through 1.30.0. The flaw was introduced in 2008, according to security firm Depth First Disclosures, and sat undiscovered for 18 years. VulnCheck has now confirmed exploitation in the wild — the gap between public disclosure and active attacks was under 72 hours.
Two paths matter. The first is denial-of-service: Orca Security demonstrated that just three crafted HTTP requests killed multiple NGINX workers simultaneously, and a continuous-loop PoC crashed worker processes faster than the master process could respawn them — complete service disruption from a handful of requests. The second is remote code execution, which requires Address Space Layout Randomization to be disabled plus a specific vulnerable configuration involving unnamed PCRE captures combined with question marks in replacement strings. Security researcher Kevin Beaumont noted the RCE path needs those specific conditions to be vulnerable.
The fix is straightforward. Upgrade NGINX Open Source to 1.30.1 or 1.31.0; for NGINX Plus, patches landed in R32 P6 and R36 P4. If you can't patch immediately, SOC Prime notes the vulnerable code path can be eliminated by replacing unnamed captures ($1, $2) with named captures in your rewrite rules — a configuration change with no downtime. Depth First Disclosures has also published working exploit code on GitHub tuned for real-world reverse-proxy configurations, not lab setups. With public exploit code now operationalized for common configs, expect mass scanning to ramp through this week.
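As an added illustration of the SOC Prime workaround above (my own audit heuristic, not tooling from SOC Prime, F5 or Depth First Disclosures), the script below scans an nginx configuration for rewrite directives that combine an unnamed PCRE capture, a numbered reference such as $1, and a question mark in the replacement string, and prints the named-capture form of each hit. The configuration it scans is constructed for the example, and the match conditions are only the ones quoted in the text, not a model of the bug itself.

```python
import re
# Constructed sample nginx config (not from any real deployment): three rewrite cases.
SAMPLE_CONFIG = """
server {
    listen 80;
    rewrite ^/old/(.*)$ /new/$1? permanent;        # unnamed capture + $1 + '?'
    rewrite ^/docs/(?<page>.*)$ /help/$page? last;  # named capture: already safe
    rewrite ^/img/(.*)$ /static/$1 last;            # no '?' in the replacement
}
"""
# rewrite <regex> <replacement> [flag];  (quotes around arguments are tolerated)
REWRITE_RE = re.compile(r'^\s*rewrite\s+(\S+)\s+(\S+)(?:\s+(last|break|redirect|permanent))?\s*;')

def _walk_groups(regex):
    """Yield (index, is_unnamed) for each '(' not preceded by a backslash.
    Heuristic: a '(' inside a character class is not special-cased."""
    i = 0
    while i < len(regex):
        if regex[i] == '\\':
            i += 2                      # skip the escaped character
            continue
        if regex[i] == '(':
            yield i, regex[i + 1:i + 2] != '?'   # (?<name> and (?: are not unnamed
        i += 1

def to_named_captures(regex, replacement):
    """Return (regex, replacement) with (...) -> (?<cN>...) and $N -> $cN."""
    out, n, last = [], 0, 0
    for pos, unnamed in _walk_groups(regex):
        if unnamed:
            n += 1
            out.append(regex[last:pos] + f'(?<c{n}>')
            last = pos + 1
    out.append(regex[last:])
    return ''.join(out), re.sub(r'\$(\d+)', r'$c\1', replacement)

def audit_rewrites(config_text):
    """Flag rules with an unnamed capture plus a $N reference and a '?' in the replacement."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = REWRITE_RE.match(line)
        if not m:
            continue
        regex, repl, flag = m.group(1).strip('"\''), m.group(2).strip('"\''), m.group(3)
        if any(u for _, u in _walk_groups(regex)) and re.search(r'\$\d', repl) and '?' in repl:
            new_regex, new_repl = to_named_captures(regex, repl)
            fixed = f'rewrite {new_regex} {new_repl}' + (f' {flag}' if flag else '') + ';'
            findings.append({'line': lineno, 'original': line.strip(), 'suggested': fixed})
    return findings
```

Run `audit_rewrites(SAMPLE_CONFIG)` to see the one flagged rule and its named-capture rewrite; the named-capture form is a stopgap, and the upgrade to 1.30.1/1.31.0 remains the fix.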
Tycoon2FA Returns With a Twist: MFA Bypass That Never Asks for Your Password
In March, international law enforcement reportedly disrupted Tycoon2FA, one of the most prolific Microsoft 365 phishing platforms in circulation. It didn't stay down. Abnormal Security confirmed earlier this month that the operation rebuilt on new infrastructure and returned to normal activity levels — and the new technique sidesteps multi-factor authentication in a way most users won't see coming.
Here's how it works, according to eSentire's analysis. The lure email contains a Trustifi click-tracking URL — Trustifi is a legitimate email security vendor whose tracking links are being abused for credibility. The victim clicks through and lands on a real Microsoft page at microsoft.com/devicelogin, the genuine device-login flow used for signing into smart TVs and IoT devices with corporate credentials. The victim enters a code, completes their MFA prompt normally, and sees nothing suspicious. What they don't see is that they've just authorized an attacker-controlled "device" running in the background to receive OAuth tokens on their behalf.
The phish doesn't bypass MFA. It changes what MFA is authorizing. The attacker impersonates Microsoft Authentication Broker, a Microsoft first-party application that brokers tokens to Exchange Online, Microsoft Graph, and OneDrive for Business. A single successful consent yields working tokens for the entire Microsoft 365 surface area while appearing in Entra ID telemetry as a normal Microsoft application — nearly invisible to standard monitoring.
The standard defensive advice — "turn on MFA" — is insufficient on its own against this technique. Administrators should disable the OAuth device code flow via Conditional Access policies if users don't actually need to sign into shared devices with corporate credentials. eSentire reports the kit is being sold to multiple actors, so expect the same backend technique to surface under different phishing brands in the coming weeks.
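As an added detection example (my own code, not eSentire's or Abnormal Security's), the script below scans Entra ID sign-in records for device-code sign-ins and raises the severity when the client is Microsoft Authentication Broker and the source address is one the user has not otherwise signed in from in the batch. Field names follow the Microsoft Graph signIn schema; the records themselves are constructed.

```python
import json

# Constructed Entra ID sign-in records (JSON lines). Field names follow the Microsoft Graph
# signIn schema (authenticationProtocol == "deviceCode" marks the device-code flow); values are invented.
SAMPLE_SIGNINS = """
{"createdDateTime": "2026-05-18T08:02:11Z", "userPrincipalName": "a.user@example.com", "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "resourceDisplayName": "Office 365 Exchange Online"}
{"createdDateTime": "2026-05-18T08:40:57Z", "userPrincipalName": "a.user@example.com", "appDisplayName": "Microsoft Authentication Broker", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "resourceDisplayName": "Microsoft Graph"}
{"createdDateTime": "2026-05-18T09:15:03Z", "userPrincipalName": "b.user@example.com", "appDisplayName": "Microsoft Authentication Broker", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "resourceDisplayName": "Microsoft Graph"}
{"createdDateTime": "2026-05-18T09:20:44Z", "userPrincipalName": "b.user@example.com", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.22", "resourceDisplayName": "Microsoft Graph"}
"""
BROKER_APP = "Microsoft Authentication Broker"

def parse_signins(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def device_code_findings(signins):
    """Flag every device-code sign-in. 'high' when the client is the Authentication Broker
    and the source IP differs from all of the user's non-device-code sign-ins in the batch
    (the pattern the text describes); otherwise 'medium'."""
    baseline = {}
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            baseline.setdefault(s["userPrincipalName"], set()).add(s["ipAddress"])
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        new_ip = s["ipAddress"] not in baseline.get(s["userPrincipalName"], set())
        high = s.get("appDisplayName") == BROKER_APP and new_ip
        findings.append({"time": s.get("createdDateTime"), "user": s["userPrincipalName"],
                         "app": s.get("appDisplayName"), "ip": s["ipAddress"], "new_ip": new_ip,
                         "resource": s.get("resourceDisplayName"),
                         "severity": "high" if high else "medium"})
    return findings

if __name__ == "__main__":
    for f in device_code_findings(parse_signins(SAMPLE_SIGNINS)):
        print(f"[{f['severity']}] {f['time']} {f['user']} via {f['app']} from {f['ip']} -> {f['resource']}")
```

Device-code sign-ins are legitimate on shared devices, so this only surfaces the flow in telemetry; the Conditional Access change recommended above is what removes the exposure.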
Pwn2Own Berlin Wraps: 47 Zero-Days, $1.3 Million, and a 90-Day Clock for Microsoft, VMware, and Nvidia
Pwn2Own Berlin 2026 closed over the weekend with researchers collecting $1,298,250 after exploiting 47 zero-day flaws across Windows, Linux, VMware, Nvidia, and AI products, per BleepingComputer's tally. Working exploits against Windows 11 and Microsoft Edge were also demonstrated, according to Russian-language outlet Xakep.
Pwn2Own is a controlled demolition of software people actually use. Vendors named at the event now have 90 days under Zero Day Initiative's disclosure policy to ship patches before technical details go public. Miss that window and ZDI publishes anyway — the bugs become available to anyone scanning for them. Watch the cadence of out-of-band patches and the size of June, July, and August security bulletins: that's the leading indicator of how many of the 47 get fixed cleanly versus how many land in the KEV catalog before their patches ship.
There's a separate signal worth naming. The Record reports Microsoft is on pace to break its annual vulnerability record, with Microsoft and the U.K. National Cyber Security Centre both warning that AI-assisted discovery is driving larger and more urgent patch waves. The dnsmasq maintainer last week described "something of a revolution in AI-based security research." Pwn2Own is one feeder into that pipeline. The patch volume is now the operational problem — not just the bugs themselves.
⚡ What Most People Missed
- Apple's M5 hardware defense fell in five days with AI assistance: Security firm Calif published what it describes as the first public macOS kernel memory corruption exploit on Apple's M5 silicon. Researchers Bruce Dang, Dion Blazakis, and Josh Maine chained two macOS bugs into a working local privilege escalation on macOS 26.4.1, bypassing Memory Integrity Enforcement — the hardware defense Apple spent roughly five years building — with substantial help from Claude Mythos Preview, Anthropic's restricted vulnerability-research model. Apple has shipped related fixes in macOS Tahoe 26.5; the full 55-page technical report is on hold until a complete patch ships.
- Project Zero's Pixel 10 zero-click chain points to a process gap: Seth Jenkins and Jann Horn detailed a complete zero-click exploit chain targeting the Pixel 10 via Android's AI transcription feature processing malicious audio files received through Google Messages. Both bugs (CVE-2025-54957 and CVE-2026-0106) are patched — but Jenkins flags that five months after the initial BigWave driver disclosures, Project Zero still found a serious vulnerability "instantly noticeable with even a cursory audit of the codebase." Same driver team, same bug class, new chip generation.
- CISA quietly added a Windows protection mechanism failure to KEV: CVE-2026-42897 (Exchange) got headlines; the second KEV addition this week — Cisco Catalyst SD-WAN CVE-2026-20182, with a federal remediation deadline that expired Sunday — has been overshadowed by Pwn2Own coverage. If you run Cisco SD-WAN and missed the deadline, treat your environment as potentially compromised, not just exposed.
- The TanStack npm compromise reveals trusted publishing as the new soft target: 84 malicious versions across 42 @tanstack/* packages were published in about six minutes on May 11, using the project's legitimate GitHub Actions OIDC trusted-publisher path rather than a visibly hijacked maintainer account. The attacker chained a pull_request_target misconfiguration, cache poisoning, and runtime extraction of the OIDC token from the Actions runner. Trusted publishing was supposed to be the cleaner answer to stolen secrets — this incident suggests the trust anchor is shifting from secrets to pipeline design.
- Chaotic Eclipse promised a "big surprise" for June 10: The researcher behind MiniPlasma has publicly committed to releasing more material coinciding with Microsoft's June Patch Tuesday — explicitly framed as protest of Microsoft's bug bounty and disclosure process. Every prior Chaotic Eclipse disclosure has been weaponized within days. Block out June 10.
From the Foreign Press
CERT-UA documents UAC-0247 targeting hospitals, local government, and FPV drone operators
CERT-UA's bulletin on the cluster it tracks as UAC-0247 (also UAC-0244) describes a campaign that simultaneously targets Ukrainian hospitals, local government bodies, and operators of FPV drones — all with the same toolkit. Delivery runs through humanitarian-themed phishing and a trojanized "update" for FPV drone operator software distributed through Signal. The malware families named include AGINGFLY (a DLL side-loading backdoor), SilentLoop, CHROMELEVATOR (browser credential theft), and ZAPIXDESK (WhatsApp data extraction), with internal pivoting via LIGOLO-NG, CHISEL, and RUSTSCAN. CERT-UA's mitigation guidance emphasizes restricting LNK, HTA, and JavaScript execution and limiting mshta.exe and PowerShell — standard living-off-the-land hygiene that most healthcare environments still don't enforce. The targeting profile — hospitals, emergency services, and drone operators in one campaign — is consistent with Russian intelligence priorities, though CERT-UA has not made a formal political attribution. Source: CERT-UA Advisory — Ukrainian. No English-language coverage confirmed at time of publication.
Xakep reports public exploit code for the 18-year-old NGINX flaw
Russian-language outlet Xakep translated the CVE-2026-42945 disclosure for a practitioner audience days before VulnCheck confirmed in-the-wild exploitation, highlighting the unauthenticated RCE path when ASLR is off. That translation pipeline matters operationally: Russian-language security forums and outlets often surface practitioner-grade exploitation detail before Western outlets pick up the same material, and the lead time between Xakep coverage and active exploitation in this case was under three days. Source: Xakep — Russian. English coverage of the CVE exists, but Xakep's translation preceded the major English practitioner advisories.
📅 What to Watch
- If Microsoft ships an out-of-band patch for MiniPlasma before June 10, it signals Microsoft sees ransomware affiliate adoption as imminent — silence means defenders are on their own through the next Patch Tuesday cycle.
- If the TanStack npm incident produces a documented case of stolen GitHub Actions OIDC tokens being reused against unrelated projects, the entire "trusted publishing" model becomes a CI/CD audit problem, not a secrets-management one.
- If Chaotic Eclipse's promised June 10 release lands alongside Microsoft's Patch Tuesday rather than before it, the exploitation window narrows from days to hours — because defenders will be in the middle of normal patching when the new zero-day drops.
- If federal agencies missed the Cisco Catalyst SD-WAN KEV deadline that expired Sunday and CISA issues a follow-up directive, expect the same enforcement pattern to accelerate on Exchange CVE-2026-42897 before its May 29 deadline.
- If a second researcher independently confirms the Calif team's M5 exploit chain, the practical lifespan of ARM Memory Tagging Extension as a defensive moat — five years of Apple engineering work — collapses from "buys years" to "buys weeks."
The Closer
A protest researcher pops SYSTEM on last Tuesday's patch, an 18-year-old NGINX bug gets weaponized in 72 hours, and a phishing kit teaches Microsoft Authentication Broker to hand its own house keys to a stranger in a parked van. Somewhere in Cupertino, an engineer who spent five years on Memory Integrity Enforcement is reading a Calif blog post about how it fell in five days to a chatbot — and there are still three weeks until Chaotic Eclipse's "big surprise" lands on June 10.
Stay patched. Stay paranoid.
Forward this to the person on your team who still thinks "we have MFA" is a complete sentence.