The Lyceum: Cyber Intelligence Daily — May 29, 2026
Friday, May 29, 2026
The Big Picture
Three things matter before your second coffee. Google shipped an emergency Chrome update overnight patching four high-severity flaws, two of which let attackers escape the browser sandbox. Attackers are actively exploiting a critical FortiClient EMS flaw — the platform many enterprises use to manage their endpoint security — to push credential-stealing malware disguised as a Fortinet update. And Kaspersky published detailed technical analysis showing North Korea's Kimsuky group is now writing malware with apparent AI assistance and routing command-and-control traffic through Microsoft's own VS Code tunnels. The day's quiet undercurrent: the LiteSpeed cPanel KEV deadline expires this evening, and it's the second critical zero-day in the same hosting stack in roughly a month.
What Just Dropped
- CVE-2026-10014 — Chrome on Android prior to 148.0.7778.216: patched, use-after-free in WebMIDI enabling sandbox escape from a compromised renderer.
- CVE-2026-10013 — Chrome prior to 148.0.7778.216: patched, use-after-free in WebCodecs allowing arbitrary code execution inside the sandbox.
- CVE-2026-10012 — Chrome prior to 148.0.7778.216: patched, use-after-free in Skia enabling sandbox escape.
- CVE-2026-10015 — Chrome prior to 148.0.7778.216: patched, integer overflow in WTF allowing arbitrary code execution inside the sandbox.
- CVE-2026-35616 — FortiClient EMS: patched in early April, actively exploited to deploy the EKZ infostealer via the platform's own update channel.
- CVE-2026-48172 — LiteSpeed cPanel Plugin 2.3 through 2.4.4: actively exploited, KEV deadline expires today, fixed in 2.4.5.
- Linux kernel LPE PoC — fresh Exploit-DB entry for a local privilege escalation in the Linux kernel; sparse vendor coordination, treat as early signal.
Today's Stories
Google's Emergency Chrome Patch: Four High-Severity Flaws, Two Sandbox Escapes
If you're reading this in Chrome and haven't updated overnight, you're running a browser with four freshly disclosed high-severity holes in it — two of which let an attacker who's already inside the rendering engine break out entirely.
Google promoted Chrome to version 148.0.7778.216 on the stable channel for Windows, Mac, and Linux, with rollout staged over days and weeks. Two of the four new bugs are "use-after-free" flaws — a memory error where a program keeps referencing a chunk of memory after it's been freed, which attackers can exploit to run their own code in that space. CVE-2026-10014 (WebMIDI on Android) and CVE-2026-10012 (Skia) are both sandbox escapes: an attacker who's already compromised Chrome's rendering layer can break out of the protective container and reach the rest of your system. CVE-2026-10013 (WebCodecs) and CVE-2026-10015 (an integer overflow in WTF) complete the set.
The win condition for defenders is straightforward: push this patch today and close the window before exploit code matures. The failure mode is the staged rollout — Google ships updates progressively, so a significant portion of your fleet won't have 148.0.7778.216 by Monday unless you force it. Watch for these CVEs in exploit kit telemetry over the next week; if they appear, the window between Google disclosure and weaponization has closed faster than the rollout. Check Help → About Google Chrome now and confirm 148.0.7778.216.
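The fleet-side version of that "confirm 148.0.7778.216" check, as an added example that is not part of the original newsletter: a POSIX shell routine that compares four-part Chrome version strings and lists inventory rows still below the patched build. The "hostname version" inventory lines are constructed sample data; how you collect real versions from your endpoints is up to your management tooling.

```shell
#!/bin/sh
# Added example (not from The Lyceum): flag inventory rows whose Chrome build
# is older than the patched stable release 148.0.7778.216 named in the story.
# The inventory lines below are constructed sample data, not real hosts.

PATCHED="148.0.7778.216"

# version_lt A B -> exit 0 if A is strictly older than B (4-part Chrome versions)
version_lt() {
    a_rest="$1."; b_rest="$2."
    i=0
    while [ $i -lt 4 ]; do
        a="${a_rest%%.*}"; a_rest="${a_rest#*.}"
        b="${b_rest%%.*}"; b_rest="${b_rest#*.}"
        [ "${a:-0}" -lt "${b:-0}" ] && return 0
        [ "${a:-0}" -gt "${b:-0}" ] && return 1
        i=$((i + 1))
    done
    return 1   # all four components equal: not older
}

# unpatched_hosts: read "hostname version" lines on stdin, print hosts below PATCHED
unpatched_hosts() {
    while read -r host ver; do
        [ -z "$host" ] && continue
        if version_lt "$ver" "$PATCHED"; then
            printf '%s %s\n' "$host" "$ver"
        fi
    done
}

# Constructed sample inventory: two hosts are current, one is already newer,
# two are still on older builds and should be forced to update.
SAMPLE_INVENTORY='ws-001 148.0.7778.216
ws-002 148.0.7778.201
ws-003 147.0.7712.99
ws-004 148.0.7778.216
ws-005 149.0.7800.12'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_INVENTORY" | unpatched_hosts
fi
```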
Your Security Software Is the Delivery Mechanism: FortiClient EMS CVE-2026-35616 Now Delivering a Novel Infostealer
The most dangerous attacks look exactly like legitimate software updates — because your users have been trained to accept those.
According to BleepingComputer reporting on Arctic Wolf research published in the past 24 hours, attackers are exploiting CVE-2026-35616, a pre-authentication flaw in FortiClient Enterprise Management Server, to deliver a previously undocumented credential stealer called EKZ. FortiClient EMS is the centralized platform enterprises use to push policies and updates to every endpoint running FortiClient — which means a single compromised EMS server becomes a malware distribution platform for the entire managed fleet. The flaw carries CVSS 9.1 and was patched by Fortinet in early April. The new detail is what attackers do once inside. Per Arctic Wolf's analysis, threat actors modify the Remote Access Profile and endpoint policy to inject malicious scripts targeting all managed devices, weaponizing FortiClient's legitimate on_connect VPN scripting feature. The payload is disguised as a Fortinet update.
EKZ targets Chromium and Firefox browsers, extracting credentials, payment data, addresses, phone numbers, and session cookies — the last of which provide access to MFA-protected accounts without ever needing the password. The operational lesson is brutal: management consoles for security tooling become the highest-value initial-access targets in the environment, because they bypass every endpoint defense by impersonating the vendor. If Arctic Wolf's IOCs let defenders catch this early, watch for a sharp drop in EKZ-tagged credential dumps on infostealer marketplaces over the next month. If you run FortiClient EMS and skipped the April hotfix, treat every managed endpoint's stored browser credentials as already gone.
Kimsuky Is Writing Malware With AI — And Hiding the C2 Inside Your Dev Tools
North Korea's Kimsuky group has been running cyberespionage for over a decade. Their latest toolkit contains two details that should make defenders uncomfortable: at least one new backdoor appears to have been written with AI assistance, and command-and-control traffic is hiding inside Microsoft's developer infrastructure.
According to Securelist's analysis, Kimsuky (also tracked as Velvet Chollima) targeted South Korean military and corporate entities through March and April 2026 with a suite of new tools built around the PebbleDash and AppleSeed malware families — including HTTPSpy, HelloDoor, and httpMalice. HelloDoor is a DLL-based backdoor written in Rust, a language rarely used by the group, first identified in August 2025 and deployed via a malicious JSE dropper. Its C2 routes through TryCloudflare, a free temporary tunneling service that obscures the upstream infrastructure. The Korea Times, citing the same Kaspersky research, reports that comments embedded in HelloDoor's code appear to have been generated by a large language model — traces including emojis used for debug logging suggest the author leaned on an AI assistant during development. For post-exploitation, the group used Visual Studio Code tunnels combined with GitHub authentication, alongside the DWAgent remote administration tool and Cloudflare Quick Tunnels.
The practical implication is uncomfortable. Blocking malicious traffic at the firewall doesn't work when the C2 channel is indistinguishable from a developer's normal VS Code remote session. If this approach spreads to other state-aligned actors — and the GreyVibe campaign suggests it already is — "spot the unusual outbound connection" stops working when the unusual connection is a sanctioned developer tool. The signal worth watching: whether SOC teams start logging which processes initiate VS Code tunnel sessions, and from where. If they don't, this becomes the default living-off-the-land technique for the back half of 2026.
CVE-2026-48172 Deadline Day: The LiteSpeed cPanel Root Exploit Clock Expires Tonight — And the Pattern Is Getting Worse
Today is the federal remediation deadline. The pattern around it matters more than the individual bug.
CISA added CVE-2026-48172 to its Known Exploited Vulnerabilities catalog on May 26 with a three-day window — a compressed timeline reflecting active exploitation already confirmed across shared and VPS hosting infrastructure. The flaw lives in the LiteSpeed user-end cPanel plugin, versions 2.3 through 2.4.4. Attackers exploit it by calling the lsws.redisAble function through the cPanel JSON API, which incorrectly assigns root privileges during Redis enable/disable operations — allowing arbitrary script execution at the highest system level. Per The Hacker News, no prior privileges beyond a basic cPanel account are required. On a multi-tenant server, a single compromised account hands an attacker root over every site on the box.
The deeper signal, per SC Media's reporting: a previous critical 9.8 cPanel bug, CVE-2026-41940, compromised roughly 44,000 cPanel servers less than a month ago and was weaponized to drop Mirai and ransomware at scale. Two critical zero-days in the same hosting stack within a month is targeting behavior, not bad luck. If today's deadline passes with significant federal non-compliance, expect a CISA emergency directive within days. If a third critical cPanel-adjacent bug surfaces in June, shared hosting has become a category-level initial-access market — and the small-business compromises that surface as "unrelated" incidents in July will trace back here. The fix is plugin version 2.4.5. To check for exploitation: grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ — any output is a problem.
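The grep above tells you whether the redisAble call appears in your logs; on a multi-tenant box you also want to know which account and source IP issued it. The following is an added example, not code from the newsletter or from LiteSpeed, that groups hits per account and IP. It assumes an Apache-style access log layout (client IP, then account name in the third field); the log lines are constructed sample data.

```shell
#!/bin/sh
# Added example (not from The Lyceum or LiteSpeed): summarise hits for the
# cpanel_jsonapi_func=redisAble call quoted in the story, grouped by cPanel
# account and client IP, instead of eyeballing raw grep output.
# ASSUMPTION: Apache-style common-log fields ($1 = client IP, $3 = account);
# adjust the awk field numbers if your cPanel access log differs.

# redisable_hits: read log lines on stdin, print one "account ip hits" row per
# distinct account/IP pair that called cpanel_jsonapi_func=redisAble.
redisable_hits() {
    grep 'cpanel_jsonapi_func=redisAble' \
    | awk '{
        key = $3 " " $1          # account, then client IP
        hits[key]++
      }
      END { for (k in hits) print k, hits[k] }' \
    | sort
}

# redisable_accounts: distinct accounts that issued the call, one per line
redisable_accounts() {
    redisable_hits | awk '{ print $1 }' | sort -u
}

# Constructed sample log: two accounts hit redisAble (one of them twice),
# a third account only used ordinary cPanel endpoints.
SAMPLE_LOG='203.0.113.7 - shopuser [29/05/2026:03:14:09 +0000] "GET /json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=LiteSpeed&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
198.51.100.2 - blogadmin [29/05/2026:03:20:41 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 5120
203.0.113.7 - shopuser [29/05/2026:03:21:03 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=LiteSpeed&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
192.0.2.55 - tenant9 [29/05/2026:04:02:17 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=redisAble&cpanel_jsonapi_module=LiteSpeed HTTP/1.1" 200 0
198.51.100.2 - blogadmin [29/05/2026:04:10:00 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=listdomains HTTP/1.1" 200 220'

if [ "${1:-}" = "--demo" ]; then
    # Real use: cat /var/cpanel/logs/* /usr/local/cpanel/logs/* | redisable_hits
    printf '%s\n' "$SAMPLE_LOG" | redisable_hits
fi
```

Per the story, any hit is a problem; the grouping just tells you which tenant accounts to lock and which source IPs to pivot on first.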
⚡ What Most People Missed
- GreyVibe is running ChatGPT and Gemini at the prompt layer of its attacks: BleepingComputer reports that a likely Russian threat cluster tracked as GreyVibe is targeting Ukrainian entities with AI-generated lures paired with custom malware. Combined with the Kimsuky AI-code findings, that's two distinct actors confirmed using LLMs in active campaigns this week — the "spot the typo" model of phishing awareness is finished.
- A new Linux kernel local privilege escalation PoC dropped on Exploit-DB: sparse vendor coordination, no CVE assigned yet, but the listing landed alongside two strongSwan VPN bugs in the same daily batch. Local-only kernel bugs are the fuel commodity malware needs to turn any foothold into full host compromise.
- CrowdStrike says it disrupted the Glassworm developer-targeting botnet: Per CrowdStrike's own writeup, the takedown targeted operators using open-source supply chains to compromise developers as an access layer. The 60-day window matters: if Glassworm operators surface on fresh infrastructure before late July, the takedown was theater; if they don't, it's the first real evidence that severing developer-supply-chain C2 can hold.
- Cloud Atlas is quietly tunneling through patched OpenSSH and Tor: Kaspersky's Securelist documented the espionage cluster using PowerCloud, ReverseSocks, and sustained SSH tunneling against government and commercial targets in Russia and Belarus. Quiet tunnels beat loud malware, and Western detection logic still leans heavily toward novel binary signatures.
- CISA formally flags the Nx Console and TanStack supply-chain compromises: Both CVE-2026-48027 (Nx Console) and CVE-2026-45321 (TanStack) escalated to maturity level 3 — commoditized, ransomware-linked, multi-actor — since last week's coverage. If your build pipeline touches either, treat the compromise window as confirmed and rotate.
From the Foreign Press
Fluffy Wolf hits Russian companies with previously undocumented malware
Russian-language outlet Xakep reported overnight that the threat cluster Fluffy Wolf has attacked Russian organizations using a new malware family that hasn't surfaced in Western reporting. The targeting profile is worth tracking precisely because it inverts the usual direction — non-state actors hitting Russian commercial targets occasionally pioneer tooling that resurfaces against Western organizations months later. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
The Glassworm botnet's takedown infrastructure detail is in Russian first
Xakep published technical detail overnight on the disruption of the Glassworm botnet's command-and-control infrastructure — the same operation CrowdStrike disclosed in English, but with additional context on the takedown's reach into the developer-targeting ecosystem. For defenders modeling supply-chain attacker resilience, the Russian-language version contains operational specifics on infrastructure attribution that the English coverage so far omits. Source: Xakep.ru — Russian. English coverage of the takedown exists; this specific infrastructure detail does not.
Russia's Ministry of Digital Development expanded data-collection requirements for telecom operators
Xakep reports that Russia's Mintsifry has broadened the list of subscriber and traffic data that telecommunications operators must collect and hand to security services under the SORM lawful-intercept regime. The expansion matters beyond Russia's borders because multinational carriers operating Russian subsidiaries face new compliance obligations that conflict with EU and US data-protection frameworks — and because the expanded dataset becomes a high-value target the moment a Russian operator is compromised. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If a third named threat actor is confirmed using LLM-generated malware or phishing content before mid-June, the security awareness training industry has a structural product problem — its core curriculum is teaching detection of a threat model that no longer matches reality.
- If FortiClient EMS incident reports over the next two weeks cite EKZ as the initial credential theft vector at multiple organizations, the "patch your security management platform first" rule gets its concrete case study, and the downstream session-cookie phishing will look indistinguishable from legitimate account activity.
- If federal agencies miss tonight's CVE-2026-48172 deadline at significant scale, CISA's emergency directive arrives within days — and the small-business hosting compromises that surface in July as "unrelated" ransomware incidents will trace back to this week.
- If Glassworm operators reappear on fresh infrastructure within 60 days, the takedown was tactical; if they don't, it's the first evidence severing developer-supply-chain C2 can hold long enough to matter.
- If the strongSwan EAP-SIM/AKA heap overflow turns out to be reachable pre-authentication, telecom and government mobile VPN gateways become unauthenticated RCE targets — watch for a vendor advisory or CVE assignment in the next 48 hours.
- If the Pixel 10 Project Zero research generates a follow-on disclosure about another silent media-parsing path in Android, every "AI ambient feature" — message previews, audio transcription, image recognition in notifications — gets formally reclassified as zero-click attack surface.
The Closer
Today's tableau: a Chrome sandbox cracking open like an egg, a Fortinet management console cheerfully shipping an infostealer to every endpoint it manages, and a North Korean operator pasting his Rust into ChatGPT between sips of something hot. The training material that taught your users to "look for typos in phishing emails" is now itself a vintage artifact — meanwhile, a Russian telecom subscriber database just got a few columns wider for reasons nobody outside Moscow can read. Stay paranoid; the toolchain is paranoid back.
Forward this to the colleague who still hasn't restarted Chrome.