IT, Telecom & Cyber · International (Houston)

Force Immediate Patching and Identity Controls Across IT, Telecom & Cyber

Published May 26, 2026, 5:06 AM CSTINTERNATIONALFull category signal
Ask AI
FBI warns of Kali365 phishing service targeting Microsoft 365 accounts

In 60 seconds

Top move

CISA added an actively exploited Drupal SQL injection to its Known Exploited Vulnerabilities list — buyers should treat hosted and multi-site Drupal instances as high-priority remediation items and confirm patching or mitigations with providers

Key takeaways

  • CISA added an actively exploited Drupal SQL injection to its Known Exploited Vulnerabilities list — buyers should treat hosted and multi-site Drupal instances as high-priority remediation items and confirm patching or mitigations with providers.[1]
  • A phishing-as-a-service product (Kali365) that abuses Microsoft device-code OAuth flows has been publicized by the FBI, meaning token- and session-based account takeovers are becoming easier for low-skilled attackers — tighten OAuth consent controls and device-code monitoring with SaaS suppliers.[4]
  • Vendors pushed critical fixes this week across the stack — Ubiquiti patched multiple maximum-severity UniFi OS flaws and Microsoft acknowledged a domain controller discovery failure after a May security update — both create short-term remediation and compatibility workstreams for buyers who depend on legacy or internet-exposed appliances.[5][2]
  • Anthropic’s restricted Mythos model signals a new tooling vector where AI could automatically generate high-quality exploit code; treat this as an emerging attacker capability that increases the value of automated vulnerability scanning and supplier proof-of-fix workflows.[3]
  • Operational impact is practical and supplier-facing: expect increased emergency patch demand, higher vendor support escalations for appliance fleets, and tighter SLAs around identity/session abuse — buyers should verify contractual responsibilities now rather than after incidents.[1]

What changed since last run

  • New operational driver: CISA added an actively exploited Drupal SQL injection to KEV, creating a federal-driven remediation priority not present in the previous brief (which focused on firmware and DDoS).
  • Identity risk surfaced at scale: FBI advisory on Kali365 elevates device-code OAuth phishing from niche to widely available PhaaS, changing supplier controls needed for Microsoft 365 and SSO integrations.

Key facts

  • CVE-2026-9082 tracked as actively exploited
  • Shadowserver tracking nearly 670 exposed Drupal installations
  • CISA added the flaw to its Known Exploited Vulnerabilities catalog
  • Multiple maximum-severity UniFi OS CVEs patched
  • Censys tracking nearly 100,000 internet-exposed UniFi OS endpoints
  • Vulnerabilities exploitable without privileges in low-complexity attacks

Why it matters

CISA added an actively exploited Drupal SQL injection to its Known Exploited Vulnerabilities list — buyers should treat hosted and multi-site Drupal instances as high-priority remediation items and confirm patching or mitigations with providers. A phishing-as-a-service product (Kali365) that abuses Microsoft device-code OAuth flows has been publicized by the FBI, meaning token- and session-based account takeovers are becoming easier for low-skilled attackers — tighten OAuth consent controls and device-code monitoring with SaaS suppliers. Vendors pushed critical fixes this week across the stack — Ubiquiti patched multiple maximum-severity UniFi OS flaws and Microsoft acknowledged a domain controller discovery failure after a May security update — both create short-term remediation and compatibility workstreams for buyers who depend on legacy or internet-exposed appliances. Anthropic’s restricted Mythos model signals a new tooling vector where AI could automatically generate high-quality exploit code; treat this as an emerging attacker capability that increases the value of automated vulnerability scanning and supplier proof-of-fix workflows

Cost / money

  • Immediate patching and validation work for hosted Drupal and UniFi farms will increase short-term remediation spend and raise demand for vendor/consultant support for internet‑exposed endpoints.[1]
  • Microsoft’s known issue with domain controller lookups can produce administrative downtime and extra labor for identity and directory teams to troubleshoot legacy hostnames and recovery workflows.[2]
  • Kali365 lowers the skill barrier for account takeover, which can increase spend on incident response, token/session revocation, and accelerated SSO hardening with SaaS suppliers.[4]

Supplier / commercial

  • Hosting and managed-service providers that run multi-site Drupal or UniFi control planes will face heightened demand for patched builds and incident SLA commitments; buyers can press suppliers for verified patch schedules and remediation SLAs.[1]
  • Vendors shipping appliances or unified OS stacks (e.g., UniFi) may tighten quote validity or push faster cadence on maintenance windows — expect constrained scheduling and potential premium for emergency on‑site or remote remediation.[5]
  • For identity and SaaS suppliers, buyers should negotiate explicit responsibilities for device-code OAuth flows and token revocation processes since threats exploit SSO and session mechanics.[4]

Safety / operations

  • Active exploitation of a pre-auth SQL injection in widely used CMS instances increases the risk of data exposure and privilege escalation — operational teams must verify backups, access logs, and external exposure lists for multi-site deployments.[1]
  • Breaks in domain-controller discovery impair admin tooling and DFS/namespace operations, which can cascade into degraded file access and delayed recovery actions if not tracked and mitigated promptly.[2]

What to watch

  • Anthropic’s Mythos and similar frontier models may accelerate automated exploit development and vulnerability discovery; treat public claims as an early, directional risk that could change attacker capabilities and tooling availability.[3]
  • Ubiquiti disclosed multiple maximum‑severity UniFi OS flaws with a very large exposed endpoint footprint tracked by researchers; verify which appliances in your fleet are internet-exposed and whether vendor patches have been applied.[5]

Top stories

Story 1BleepingComputerMay 26, 2026

CISA orders feds to patch actively exploited Drupal vulnerability

Signal strongSource-grounded
Source notes [1]Read source

What happened

CISA ordered federal agencies to patch an actively exploited SQL injection in Drupal (CVE-2026-9082) after evidence of in-the-wild exploitation. Shadowserver is tracking nearly 670 unpatched Drupal installations, most in North America and Europe, making this an operationally real exposure for multi-site and hosted Drupal instances. Watch whether vendors and hosting partners publish coordinated patch schedules and mitigation proof for customer sites

Buyer takeaway

Treat hosted Drupal stacks as a live remediation priority and require hosting suppliers to prove patch deployment or compensating mitigations

Cost / money

Expect short-term remediation costs for emergency patch deployment and verification in managed hosting, plus potential consultant fees if suppliers cannot patch quickly

Supplier / commercial

Use the KEV listing to demand fixed timelines and evidence from hosting providers; consider price protection or indemnity language for breach-related remediation

Safety / operations

Successful exploit can lead to data disclosure and privilege escalation on multi-site deployments, creating immediate operational risk for content and identity systems

What to watch

Confirm which supplier-managed instances are on PostgreSQL backends (the exploitation vector) and watch for vendors offering temporary mitigations rather than full patches

Key facts

  • CVE-2026-9082 tracked as actively exploited
  • Shadowserver tracking nearly 670 exposed Drupal installations
  • CISA added the flaw to its Known Exploited Vulnerabilities catalog

Source excerpts

Unpatched Drupal instances (Shadowserver) ​On Friday, the U
S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27, as mandated by Binding Operational Directive (BOD) 22-01
S. government agencies until Wednesday evening to secure their servers against an SQL injection vulnerability in the Drupal content management system (CMS) that it flagged as actively exploited
Story 2BleepingComputerMay 22, 2026

Ubiquiti patches three max severity UniFi OS vulnerabilities

Signal strongSource-grounded
Source notes [5]Read source

What happened

Ubiquiti released patches for multiple maximum‑severity UniFi OS vulnerabilities that allow unauthenticated remote actions, file access, and command injection. Censys is tracking nearly 100,000 internet-exposed UniFi OS endpoints, so many fleets may be vulnerable until patches are applied or appliances isolated. Watch supplier advisories for exploit reports and prioritize internet-exposed consoles in remediation plans

Buyer takeaway

Inventory UniFi consoles and require vendor proof-of-patch or isolations for internet-exposed appliances during contract reviews

Cost / money

Patching large appliance fleets can spike labor and potential temporary replacement costs if devices are taken offline

Supplier / commercial

Negotiate maintenance-window commitments and emergency remediation credits for critical appliance classes to avoid premium charges during mass patch rollouts

Safety / operations

Remote command injection and unauthorized changes increase the risk of lateral compromise and network disruption if consoles are reachable externally

What to watch

Verify whether suppliers have applied patches at scale and watch for exploit activity targeting unpatched management planes

Key facts

  • Multiple maximum-severity UniFi OS CVEs patched
  • Censys tracking nearly 100,000 internet-exposed UniFi OS endpoints
  • Vulnerabilities exploitable without privileges in low-complexity attacks

Source excerpts

However, there is currently no information on how many have been secured against potential attacks targeting the vulnerabilities Ubiquiti patched this week. UniFi OS endpoints exposed online (Censys) ​In March, Ubiquiti patched another maximum-severity flaw (CVE-2026-22557) in the UniFi Network Application that may allow attackers to take over user accounts, as well as a vulnerability (CVE-2026-22558) that can be exploited to escalate privileges
Ubiquiti has released security updates to patch three maximum severity vulnerabilities in UniFi OS that can be exploited by remote attackers without privileges. UniFi OS is a unified operating system that powers UniFi Consoles and helps manage IT infrastructure, including networking, security, and other services, as well as UniFi applications such as UniFi Network, UniFi Protect, UniFi Access, UniFi Talk, and UniFi Connect
At the moment, threat intelligence company Censys is tracking nearly 100,000 Internet-exposed UniFi OS endpoints, most of them (nearly 50,000 IP addresses) found in the United States
Story 3BleepingComputerMay 25, 2026

Anthropic’s restricted Claude Mythos model may be coming to Claude Code

Signal moderateDirectional
Source notes [3]Read source

What happened

Anthropic’s restricted Mythos model reportedly can generate high-quality cyberattack code and has been used in a private preview where it found many vulnerabilities. The company is cautious about public release because of the security risk, but the existence of such tooling is an operational signal that exploit development velocity may increase. Watch for wider distribution of automated exploit tooling or partnerships that expose the model to more organizations

Buyer takeaway

Assume higher velocity of exploit discovery and prioritize automated, supplier‑integrated fix workflows and proof-of-remediation for critical systems

Cost / money

Over time, faster discovery may increase remediation spend unless buyers automate patching, testing, and supplier sign-off to lower manual costs

Supplier / commercial

Require suppliers to accept faster vulnerability escalation and to provide evidence of fixes; consider shifting to shorter patch windows in high-risk product categories

Safety / operations

Automated exploit generation can accelerate attack timelines, making delayed patches more dangerous for internet-exposed assets and critical services

What to watch

Treat public claims as an early signal — monitor whether exploit code or scanning outputs derived from such models appear in criminal tooling

Key facts

  • Mythos described as a frontier model with advanced code-reasoning abilities
  • Anthropic preview reportedly uncovered large volumes of high/critical vulnerabilities

Source excerpts

Anthropic appears to be preparing for the public rollout of "Mythos," which was announced in April as a restricted model that poses major security risks to private and public software. On April 7, Anthropic announced the Mythos in early preview and called it a new frontier model with strikingly advanced capabilities in computer security tasks
The Validation Gap: Automated Pentesting Answers One Question. You Need Six
This has vulnerabilities of all severities found by Mythos Preview. Mythos model managed to uncover 10,000 high- or critical-severity vulnerabilities in its first month alone, which explains why Anthropic has been holding off its public release
Story 4BleepingComputerMay 26, 2026

Microsoft: Domain Controller lookup may fail on Windows Server 2016

Signal strongSource-grounded
Source notes [2]Read source

What happened

Microsoft confirmed a known issue after a May security update where domain controller discovery fails on Windows Server 2016 hosts with 15-character hostnames. The problem prevents some admin tools from locating domain controllers and may affect DFS namespace management and other directory-dependent operations. Watch for Microsoft remediation guidance and inventory servers with the exact hostname constraint to avoid operational surprises

Buyer takeaway

Flag legacy server builds in supplier inventories and require patch compatibility checks for directory-dependent workloads before broad rollouts

Cost / money

Troubleshooting and rollback work for directory issues can raise operational support costs and stretch limited legacy-host maintenance resources

Supplier / commercial

Ask managed Windows suppliers for certified patching plans and rollback procedures for servers still on extended-support OS builds

Safety / operations

Failure to locate domain controllers can block admin recovery tasks and delay file-service operations, causing tangible operational downtime

What to watch

Inventory hosts with the exact hostname length condition and watch Microsoft for an out-of-band fix or mitigation guidance

Key facts

  • Issue tied to Windows Server 2016 and hostnames exactly 15 characters long
  • Impacts domain controller discovery and administrative scenarios like DFS management

Source excerpts

" Microsoft also noted that this known issue may also affect certain administrative scenarios that require access to a domain controller
"As a result, administrative operations that rely on domain controller lookup might fail, impacting scenarios such as DFS Namespace management," it noted
Microsoft has confirmed a new known issue affecting Windows Server 2016 systems that causes domain controller lookups to fail after installing the KB5087537 May 2026 security update
Story 5BleepingComputerMay 25, 2026

FBI warns of Kali365 phishing service targeting Microsoft 365 accounts

Signal strongSource-grounded
Source notes [4]Read source

What happened

The FBI warned about Kali365, a phishing-as-a-service product that abuses Microsoft device-code OAuth flows to capture session tokens and bypass multi-factor authentication. Kali365 packages templates, AI-generated lures, victim-tracking dashboards, and token-capture features, making device-code phishing accessible to low-skilled attackers; defenders should assume this method will be used widely. Watch supplier telemetry for device-code abuse patterns and require partners to support token revocation workflows

Buyer takeaway

Treat device-code OAuth abuse as an immediate identity risk and validate supplier capabilities for consenting device flow controls and rapid token revocation

Cost / money

Mitigations and incident response for OAuth token theft increase identity-operational spend and may require supplier engagement for session invalidation

Supplier / commercial

Negotiate identity incident cooperation clauses and proof of revocation capabilities with SaaS and identity providers to reduce time-to-containment

Safety / operations

Compromised sessions grant access to all SaaS resources tied to the account, raising the operational severity of successful social-engineering attacks

What to watch

Monitor for resale and affiliate growth of Kali365-style platforms that expand the volume and geographic spread of device-code phishing attacks

Key facts

  • Kali365 emerged publicly in April and is distributed via Telegram
  • Platform offers device-code phishing and an adversary-in-the-middle 'Cookie Link' mode
  • Researchers observed widespread campaigns targeting Microsoft 365 and Entra

Source excerpts

The platform uses device code phishing, an increasingly popular method that abuses Microsoft's legitimate OAuth 2
The FBI recommends companies restrict or completely block device code authentication flows using Conditional Access policies where possible, audit existing device code usage, and block authentication transfer policies that allow authentication sessions to move between devices
Device code authentication formSource: BleepingComputer In February, BleepingComputer reported that extortion gangs, including the ShinyHunters cybercrime group, were targeting Microsoft Entra accounts via device-code and voice phishing. In these attacks, threat actors initiate the device authorization process themselves to generate a code, then trick targets into entering it on Microsoft's login page via phishing and social engineering

VP Snapshot

Executive Risk & Action View

CISA added an actively exploited Drupal SQL injection to its Known Exploited Vulnerabilities list — buyers should treat hosted and multi-site Drupal instances as high-priority remediation items and confirm patching or mitigations with providers.

Overall
60
Cost
79
Supply
61
Schedule
20
Compliance
15

Top signals

0-30dcost

Signal 1: Cost / money

Immediate patching and validation work for hosted Drupal and UniFi farms will increase short-term remediation spend and raise demand for vendor/consultant support for internet‑exposed endpoints.

30-180dcost

Signal 2: Cost / money

Microsoft’s known issue with domain controller lookups can produce administrative downtime and extra labor for identity and directory teams to troubleshoot legacy hostnames and recovery workflows.

Signal 3: Cost / money

Kali365 lowers the skill barrier for account takeover, which can increase spend on incident response, token/session revocation, and accelerated SSO hardening with SaaS suppliers.

30-180dcommercial

Signal 4: Supplier / commercial

Hosting and managed-service providers that run multi-site Drupal or UniFi control planes will face heightened demand for patched builds and incident SLA commitments; buyers can press suppliers for verified patch schedules and remediation SLAs.

Signal 5: Supplier / commercial

Vendors shipping appliances or unified OS stacks (e.g., UniFi) may tighten quote validity or push faster cadence on maintenance windows — expect constrained scheduling and potential premium for emergency on‑site or remote remediation.

Signal 6: Supplier / commercial

For identity and SaaS suppliers, buyers should negotiate explicit responsibilities for device-code OAuth flows and token revocation processes since threats exploit SSO and session mechanics.

Recommended actions

CategoryDue 3d

Inventory and confirm remediation status for all hosted or managed Drupal sites and public UniFi endpoints, prioritizing externally exposed instances.

All externally exposed Drupal and UniFi instances are identified and a remediation/mitigation status documented with supplier contact notes.

OpsDue 3d

Require Identity/SSO owners and primary SaaS suppliers to confirm device-code OAuth usage and to enable or tighten device-code consent dialogs and token revocation monitoring.

Documented supplier attestations and operational controls for device-code flows and a ticketed action plan where controls are inadequate.

ContractsDue 21d

Issue a contract change request or SLA addendum to hosting and managed‑service suppliers requiring proof-of-patch (or compensating mitigation) for KEV-listed Drupal vulnerabilit...

Amended supplier terms or documented exception workflows that require patch proof or approved mitigations for affected product lines.

OpsDue 21d

Run scoped phishing simulations and device-code phishing awareness training for teams with Microsoft Entra/365 access and update incident playbooks to include device-code token...

Playbook updated with device-code compromise steps and targeted teams have completed training and simulation results documented.

ContractsDue 60d

Reassess supplier risk profiles and procurement levers for network appliance and SaaS identity vendors: add explicit remediation SLAs, patch-proof requirements, and token/sessio...

Updated renewal templates that include remediation SLAs, proof-of-fix obligations, and incident cooperation language for critical appliance and identity suppliers.

CategoryDue 60d

Pilot automated vulnerability scanning and prioritized remediation pipelines for high-risk external services (CMS, SSO endpoints, and unified OS appliances) integrated with supp...

Operational pipeline that flags externally exposed high-risk services and produces supplier-tracked remediation tickets with verifiable closure evidence.

Risk register

RiskTriggerMitigation
Anthropic’s Mythos and similar frontier models may accelerate automated exploit development and vulnerability discovery; treat public claims as an early, directional risk that could change attacker capabilities and tooling availability.Anthropic’s Mythos and similar frontier models may accelerate automated exploit development and vulnerability discovery; treat public claims as an early, directional risk that could change attacker capabilities and tooling availability.Confirm exposure with category, contracts, and operations before the next supplier commitment.
Ubiquiti disclosed multiple maximum‑severity UniFi OS flaws with a very large exposed endpoint footprint tracked by researchers; verify which appliances in your fleet are internet-exposed and whether vendor patches have been applied.Ubiquiti disclosed multiple maximum‑severity UniFi OS flaws with a very large exposed endpoint footprint tracked by researchers; verify which appliances in your fleet are internet-exposed and whether vendor patches have been applied.Confirm exposure with category, contracts, and operations before the next supplier commitment.

CM Snapshot

Category Manager Decision Detail

Today's priorities

Inventory and confirm remediation status for all hosted or managed Drupal sites and public UniFi endpoints, prioritizing externally exposed instances.

because CISA added the Drupal SQLi to its KEV list and Ubiquiti patched maximum-severity UniFi flaws, so exposed instances are likely targets and must be validated with providers.

Due 3d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Require Identity/SSO owners and primary SaaS suppliers to confirm device-code OAuth usage and to enable or tighten device-code consent dialogs and token revocation monitoring.

because the FBI advisory on Kali365 shows attackers are abusing device-code OAuth flows to bypass MFA and hijack sessions, so controls and monitoring must be verified with ident...

Due 3d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Issue a contract change request or SLA addendum to hosting and managed‑service suppliers requiring proof-of-patch (or compensating mitigation) for KEV-listed Drupal vulnerabilit...

because suppliers operating multi-tenant CMS and network stacks will host the same vulnerabilities across many customers, so contractual proof-of-patch reduces buyer exposure an...

Due 21d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Run scoped phishing simulations and device-code phishing awareness training for teams with Microsoft Entra/365 access and update incident playbooks to include device-code token...

because Kali365 commoditizes device-code phishing and increases the likelihood of token-based compromises, so playbooks and user awareness must match the current attack vector.

Due 21d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Supplier radar

BleepingComputer

high

Observed supplier signal

Hosting and managed-service providers that run multi-site Drupal or UniFi control planes will face heightened demand for patched builds and incident SLA commitments; buyers can press suppliers for verified patch schedules and remediation SLAs.

Commercial implication

Hosting and managed-service providers that run multi-site Drupal or UniFi control planes will face heightened demand for patched builds and incident SLA commitments; buyers can press suppliers for verified patch schedules and remediation SLAs.

Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.

BleepingComputer

high

Observed supplier signal

Vendors shipping appliances or unified OS stacks (e.g., UniFi) may tighten quote validity or push faster cadence on maintenance windows — expect constrained scheduling and potential premium for emergency on‑site or remote remediation.

Commercial implication

Vendors shipping appliances or unified OS stacks (e.g., UniFi) may tighten quote validity or push faster cadence on maintenance windows — expect constrained scheduling and potential premium for emergency on‑site or remote remediation.

Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.

BleepingComputer

high

Observed supplier signal

For identity and SaaS suppliers, buyers should negotiate explicit responsibilities for device-code OAuth flows and token revocation processes since threats exploit SSO and session mechanics.

Commercial implication

For identity and SaaS suppliers, buyers should negotiate explicit responsibilities for device-code OAuth flows and token revocation processes since threats exploit SSO and session mechanics.

Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.

Negotiation levers

Inventory and confirm remediation status for all hosted or managed Drupal sites and public UniFi endpoints, prioritizing externally exposed instances.

When to use: because CISA added the Drupal SQLi to its KEV list and Ubiquiti patched maximum-severity UniFi flaws, so exposed instances are likely targets and must be validated with providers.

Expected outcome: All externally exposed Drupal and UniFi instances are identified and a remediation/mitigation status documented with supplier contact notes.

Commercial mechanism to carry into the next supplier conversation

Require Identity/SSO owners and primary SaaS suppliers to confirm device-code OAuth usage and to enable or tighten device-code consent dialogs and token revocation monitoring.

When to use: because the FBI advisory on Kali365 shows attackers are abusing device-code OAuth flows to bypass MFA and hijack sessions, so controls and monitoring must be verified with ident...

Expected outcome: Documented supplier attestations and operational controls for device-code flows and a ticketed action plan where controls are inadequate.

Commercial mechanism to carry into the next supplier conversation

Issue a contract change request or SLA addendum to hosting and managed‑service suppliers requiring proof-of-patch (or compensating mitigation) for KEV-listed Drupal vulnerabilit...

When to use: because suppliers operating multi-tenant CMS and network stacks will host the same vulnerabilities across many customers, so contractual proof-of-patch reduces buyer exposure an...

Expected outcome: Amended supplier terms or documented exception workflows that require patch proof or approved mitigations for affected product lines.

Commercial mechanism to carry into the next supplier conversation

Run scoped phishing simulations and device-code phishing awareness training for teams with Microsoft Entra/365 access and update incident playbooks to include device-code token...

When to use: because Kali365 commoditizes device-code phishing and increases the likelihood of token-based compromises, so playbooks and user awareness must match the current attack vector.

Expected outcome: Playbook updated with device-code compromise steps and targeted teams have completed training and simulation results documented.

Commercial mechanism to carry into the next supplier conversation

Talking points

CISA added an actively exploited Drupal SQL injection to its Known Exploited Vulnerabilities list — buyers should treat hosted and multi-site Drupal instances as high-priority remediation items and confirm patching or mitigations with providers.
A phishing-as-a-service product (Kali365) that abuses Microsoft device-code OAuth flows has been publicized by the FBI, meaning token- and session-based account takeovers are becoming easier for low-skilled attackers — tighten OAuth consent controls and device-code monitoring with SaaS suppliers.
Vendors pushed critical fixes this week across the stack — Ubiquiti patched multiple maximum-severity UniFi OS flaws and Microsoft acknowledged a domain controller discovery failure after a May security update — both create short-term remediation and compatibility workstreams for buyers who depend on legacy or internet-exposed appliances.
Anthropic’s restricted Mythos model signals a new tooling vector where AI could automatically generate high-quality exploit code; treat this as an emerging attacker capability that increases the value of automated vulnerability scanning and supplier proof-of-fix workflows.

Supplier radar

SupplierSignalImplicationNext stepConfidence
BleepingComputerHosting and managed-service providers that run multi-site Drupal or UniFi control planes will face heightened demand for patched builds and incident SLA commitments; buyers can press suppliers for verified patch schedules and remediation SLAs.Hosting and managed-service providers that run multi-site Drupal or UniFi control planes will face heightened demand for patched builds and incident SLA commitments; buyers can press suppliers for verified patch schedules and remediation SLAs.Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.high
BleepingComputerVendors shipping appliances or unified OS stacks (e.g., UniFi) may tighten quote validity or push faster cadence on maintenance windows — expect constrained scheduling and potential premium for emergency on‑site or remote remediation.Vendors shipping appliances or unified OS stacks (e.g., UniFi) may tighten quote validity or push faster cadence on maintenance windows — expect constrained scheduling and potential premium for emergency on‑site or remote remediation.Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.high
BleepingComputerFor identity and SaaS suppliers, buyers should negotiate explicit responsibilities for device-code OAuth flows and token revocation processes since threats exploit SSO and session mechanics.For identity and SaaS suppliers, buyers should negotiate explicit responsibilities for device-code OAuth flows and token revocation processes since threats exploit SSO and session mechanics.Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.high

Negotiation levers

  • Inventory and confirm remediation status for all hosted or managed Drupal sites and public UniFi endpoints, prioritizing externally exposed instances.because CISA added the Drupal SQLi to its KEV list and Ubiquiti patched maximum-severity UniFi flaws, so exposed instances are likely targets and must be validated with providers.All externally exposed Drupal and UniFi instances are identified and a remediation/mitigation status documented with supplier contact notes.

    high confidence

  • Require Identity/SSO owners and primary SaaS suppliers to confirm device-code OAuth usage and to enable or tighten device-code consent dialogs and token revocation monitoring.because the FBI advisory on Kali365 shows attackers are abusing device-code OAuth flows to bypass MFA and hijack sessions, so controls and monitoring must be verified with ident...Documented supplier attestations and operational controls for device-code flows and a ticketed action plan where controls are inadequate.

    high confidence

  • Issue a contract change request or SLA addendum to hosting and managed‑service suppliers requiring proof-of-patch (or compensating mitigation) for KEV-listed Drupal vulnerabilit...because suppliers operating multi-tenant CMS and network stacks will host the same vulnerabilities across many customers, so contractual proof-of-patch reduces buyer exposure an...Amended supplier terms or documented exception workflows that require patch proof or approved mitigations for affected product lines.

    high confidence

  • Run scoped phishing simulations and device-code phishing awareness training for teams with Microsoft Entra/365 access and update incident playbooks to include device-code token...because Kali365 commoditizes device-code phishing and increases the likelihood of token-based compromises, so playbooks and user awareness must match the current attack vector.Playbook updated with device-code compromise steps and targeted teams have completed training and simulation results documented.

    high confidence

What to do / What to watch

What to do now

  • Inventory and confirm remediation status for all hosted or managed Drupal sites and public UniFi endpoints, prioritizing externally exposed instances.

    Why: because CISA added the Drupal SQLi to its KEV list and Ubiquiti patched maximum-severity UniFi flaws, so exposed instances are likely targets and must be validated with providers.

    Owner: Category

    Expected outcome: All externally exposed Drupal and UniFi instances are identified and a remediation/mitigation status documented with supplier contact notes.

    [1]
  • Require Identity/SSO owners and primary SaaS suppliers to confirm device-code OAuth usage and to enable or tighten device-code consent dialogs and token revocation monitoring.

    Why: because the FBI advisory on Kali365 shows attackers are abusing device-code OAuth flows to bypass MFA and hijack sessions, so controls and monitoring must be verified with ident...

    Owner: Ops

    Expected outcome: Documented supplier attestations and operational controls for device-code flows and a ticketed action plan where controls are inadequate.

    [4]

Next few weeks

  • Issue a contract change request or SLA addendum to hosting and managed‑service suppliers requiring proof-of-patch (or compensating mitigation) for KEV-listed Drupal vulnerabilit...

    Why: because suppliers operating multi-tenant CMS and network stacks will host the same vulnerabilities across many customers, so contractual proof-of-patch reduces buyer exposure an...

    Owner: Contracts

    Expected outcome: Amended supplier terms or documented exception workflows that require patch proof or approved mitigations for affected product lines.

    [1][5]
  • Run scoped phishing simulations and device-code phishing awareness training for teams with Microsoft Entra/365 access and update incident playbooks to include device-code token...

    Why: because Kali365 commoditizes device-code phishing and increases the likelihood of token-based compromises, so playbooks and user awareness must match the current attack vector.

    Owner: Ops

    Expected outcome: Playbook updated with device-code compromise steps and targeted teams have completed training and simulation results documented.

    [4]

Longer view

  • Reassess supplier risk profiles and procurement levers for network appliance and SaaS identity vendors: add explicit remediation SLAs, patch-proof requirements, and token/sessio...

    Why: because repeated maximum-severity disclosures (UniFi) and new OAuth PhaaS threats change uptime and identity dependency, so buying terms should shift supplier accountability and...

    Owner: Contracts

    Expected outcome: Updated renewal templates that include remediation SLAs, proof-of-fix obligations, and incident cooperation language for critical appliance and identity suppliers.

    [5][4]
  • Pilot automated vulnerability scanning and prioritized remediation pipelines for high-risk external services (CMS, SSO endpoints, and unified OS appliances) integrated with supp...

    Why: because Anthropic-style tooling and widely distributed exploit methods increase vulnerability discovery velocity, so buyers need automated scan-to-remediate paths and supplier s...

    Owner: Category

    Expected outcome: Operational pipeline that flags externally exposed high-risk services and produces supplier-tracked remediation tickets with verifiable closure evidence.

    [3]

What to watch

  • Anthropic’s Mythos and similar frontier models may accelerate automated exploit development and vulnerability discovery; treat public claims as an early, directional risk that could change attacker capabilities and tooling availability
  • Ubiquiti disclosed multiple maximum‑severity UniFi OS flaws with a very large exposed endpoint footprint tracked by researchers; verify which appliances in your fleet are internet-exposed and whether vendor patches have been applied
  • Anthropic’s Mythos and similar frontier models may accelerate automated exploit development and vulnerability discovery; treat public claims as an early, directional risk that could change attacker capabilities and tooling availability.: Anthropic’s Mythos and similar frontier models may accelerate automated exploit development and vulnerability discovery; treat public claims as an early, directional risk that could change attacker capabilities and tooling availability
  • Ubiquiti disclosed multiple maximum‑severity UniFi OS flaws with a very large exposed endpoint footprint tracked by researchers; verify which appliances in your fleet are internet-exposed and whether vendor patches have been applied.: Ubiquiti disclosed multiple maximum‑severity UniFi OS flaws with a very large exposed endpoint footprint tracked by researchers; verify which appliances in your fleet are internet-exposed and whether vendor patches have been applied
  • CISA added an actively exploited Drupal SQL injection to its Known Exploited Vulnerabilities list — buyers should treat hosted and multi-site Drupal instances as high-priority remediation items and confirm patching or mitigations with providers
  • A phishing-as-a-service product (Kali365) that abuses Microsoft device-code OAuth flows has been publicized by the FBI, meaning token- and session-based account takeovers are becoming easier for low-skilled attackers — tighten OAuth consent controls and device-code monitoring with SaaS suppliers
  • Vendors pushed critical fixes this week across the stack — Ubiquiti patched multiple maximum-severity UniFi OS flaws and Microsoft acknowledged a domain controller discovery failure after a May security update — both create short-term remediation and compatibility workstreams for buyers who depend on legacy or internet-exposed appliances
  • Anthropic’s restricted Mythos model signals a new tooling vector where AI could automatically generate high-quality exploit code; treat this as an emerging attacker capability that increases the value of automated vulnerability scanning and supplier proof-of-fix workflows

Market pulse

IndexLatestChangeAs of
Palo Alto (PANW)320 +0.00 (+0.00%)May 26, 2026, 10:07 AM
CrowdStrike (CRWD)285 +0.00 (+0.00%)May 26, 2026, 10:07 AM
Zscaler (ZS)195 +0.00 (+0.00%)May 26, 2026, 10:07 AM
Fortinet (FTNT)72 +0.00 (+0.00%)May 26, 2026, 10:07 AM
  • CrowdStrike: Identity compromise commoditization raises demand for endpoint and identity detection capabilities; this can increase leverage toward identity/security suppliers offering token/session protection
  • Fortinet: Increased exploit activity and appliance vulnerabilities may raise demand for network security and next-gen firewall controls, affecting procurement posture for perimeter and remediation services

Sources

Inline citations jump here. Expand a source to read the excerpt, the AI interpretation, and the original link.

[1] CISA orders feds to patch actively exploited Drupal vulnerability

bleepingcomputer.com · May 26, 2026

Expand

AI reading

CISA ordered federal agencies to patch an actively exploited SQL injection in Drupal (CVE-2026-9082) after evidence of in-the-wild exploitation. Shadowserver is tracking nearly 670 unpatched Drupal installations, most in North America and Europe, making this an operationally real exposure for multi-site and hosted Drupal instances. Watch whether vendors and hosting partners publish coordinated patch schedules and mitigation proof for customer sites

Buyer takeaway

Treat hosted Drupal stacks as a live remediation priority and require hosting suppliers to prove patch deployment or compensating mitigations

Cost / money

Expect short-term remediation costs for emergency patch deployment and verification in managed hosting, plus potential consultant fees if suppliers cannot patch quickly

Supplier / commercial

Use the KEV listing to demand fixed timelines and evidence from hosting providers; consider price protection or indemnity language for breach-related remediation

Safety / operations

Successful exploit can lead to data disclosure and privilege escalation on multi-site deployments, creating immediate operational risk for content and identity systems

What to watch

Confirm which supplier-managed instances are on PostgreSQL backends (the exploitation vector) and watch for vendors offering temporary mitigations rather than full patches

Key facts

  • CVE-2026-9082 tracked as actively exploited
  • Shadowserver tracking nearly 670 exposed Drupal installations
  • CISA added the flaw to its Known Exploited Vulnerabilities catalog

Source excerpts

Unpatched Drupal instances (Shadowserver) ​On Friday, the U
S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27, as mandated by Binding Operational Directive (BOD) 22-01
S. government agencies until Wednesday evening to secure their servers against an SQL injection vulnerability in the Drupal content management system (CMS) that it flagged as actively exploited

Used in this brief

  • Next 72 hours — Inventory and confirm remediation status for all hosted or managed Drupal sites and public UniFi endpoints, prioritizing externally exposed instances.. Rationale: because CISA added the Drupal SQLi to its KEV list and Ubiquiti patched maximum-severity UniFi flaws, so exposed instances are likely targets and must be validated with providers.. Owner: Category. KPI: All externally exposed Drupal and UniFi instances are identified and a remediation/mitigation status documented with supplier contact notes
  • Next 2-4 weeks — Issue a contract change request or SLA addendum to hosting and managed‑service suppliers requiring proof-of-patch (or compensating mitigation) for KEV-listed Drupal vulnerabilit.... Rationale: because suppliers operating multi-tenant CMS and network stacks will host the same vulnerabilities across many customers, so contractual proof-of-patch reduces buyer exposure an.... Owner: Contracts. KPI: Amended supplier terms or documented exception workflows that require patch proof or approved mitigations for affected product lines
  • New operational driver: CISA added an actively exploited Drupal SQL injection to KEV, creating a federal-driven remediation priority not present in the previous brief (which focused on firmware and DDoS)
Open original source

[2] Microsoft: Domain Controller lookup may fail on Windows Server 2016

bleepingcomputer.com · May 26, 2026

Expand

AI reading

Microsoft confirmed a known issue after a May security update where domain controller discovery fails on Windows Server 2016 hosts with 15-character hostnames. The problem prevents some admin tools from locating domain controllers and may affect DFS namespace management and other directory-dependent operations. Watch for Microsoft remediation guidance and inventory servers with the exact hostname constraint to avoid operational surprises

Buyer takeaway

Flag legacy server builds in supplier inventories and require patch compatibility checks for directory-dependent workloads before broad rollouts

Cost / money

Troubleshooting and rollback work for directory issues can raise operational support costs and stretch limited legacy-host maintenance resources

Supplier / commercial

Ask managed Windows suppliers for certified patching plans and rollback procedures for servers still on extended-support OS builds

Safety / operations

Failure to locate domain controllers can block admin recovery tasks and delay file-service operations, causing tangible operational downtime

What to watch

Inventory hosts with the exact hostname length condition and watch Microsoft for an out-of-band fix or mitigation guidance

Key facts

  • Issue tied to Windows Server 2016 and hostnames exactly 15 characters long
  • Impacts domain controller discovery and administrative scenarios like DFS management

Source excerpts

" Microsoft also noted that this known issue may also affect certain administrative scenarios that require access to a domain controller
"As a result, administrative operations that rely on domain controller lookup might fail, impacting scenarios such as DFS Namespace management," it noted
Microsoft has confirmed a new known issue affecting Windows Server 2016 systems that causes domain controller lookups to fail after installing the KB5087537 May 2026 security update

Used in this brief

  • Cost / money: Microsoft’s known issue with domain controller lookups can produce administrative downtime and extra labor for identity and directory teams to troubleshoot legacy hostnames and recovery workflows
  • Safety / operations: Breaks in domain-controller discovery impair admin tooling and DFS/namespace operations, which can cascade into degraded file access and delayed recovery actions if not tracked and mitigated promptly
  • Microsoft confirmed a known issue after a May security update where domain controller discovery fails on Windows Server 2016 hosts with 15-character hostnames. The problem prevents some admin tools from locating domain controllers and may affect DFS namespace management and other directory-dependent operations. Watch for Microsoft remediation guidance and inventory servers with the exact hostname constraint to avoid operational surprises
Open original source

[3] Anthropic’s restricted Claude Mythos model may be coming to Claude Code

bleepingcomputer.com · May 25, 2026

Expand

AI reading

Anthropic’s restricted Mythos model reportedly can generate high-quality cyberattack code and has been used in a private preview where it found many vulnerabilities. The company is cautious about public release because of the security risk, but the existence of such tooling is an operational signal that exploit development velocity may increase. Watch for wider distribution of automated exploit tooling or partnerships that expose the model to more organizations

Buyer takeaway

Assume higher velocity of exploit discovery and prioritize automated, supplier‑integrated fix workflows and proof-of-remediation for critical systems

Cost / money

Over time, faster discovery may increase remediation spend unless buyers automate patching, testing, and supplier sign-off to lower manual costs

Supplier / commercial

Require suppliers to accept faster vulnerability escalation and to provide evidence of fixes; consider shifting to shorter patch windows in high-risk product categories

Safety / operations

Automated exploit generation can accelerate attack timelines, making delayed patches more dangerous for internet-exposed assets and critical services

What to watch

Treat public claims as an early signal — monitor whether exploit code or scanning outputs derived from such models appear in criminal tooling

Key facts

  • Mythos described as a frontier model with advanced code-reasoning abilities
  • Anthropic preview reportedly uncovered large volumes of high/critical vulnerabilities

Source excerpts

Anthropic appears to be preparing for the public rollout of "Mythos," which was announced in April as a restricted model that poses major security risks to private and public software. On April 7, Anthropic announced the Mythos in early preview and called it a new frontier model with strikingly advanced capabilities in computer security tasks
The Validation Gap: Automated Pentesting Answers One Question. You Need Six
This has vulnerabilities of all severities found by Mythos Preview. Mythos model managed to uncover 10,000 high- or critical-severity vulnerabilities in its first month alone, which explains why Anthropic has been holding off its public release

Used in this brief

  • What to watch: Anthropic’s Mythos and similar frontier models may accelerate automated exploit development and vulnerability discovery; treat public claims as an early, directional risk that could change attacker capabilities and tooling availability
  • Next quarter — Pilot automated vulnerability scanning and prioritized remediation pipelines for high-risk external services (CMS, SSO endpoints, and unified OS appliances) integrated with supp.... Rationale: because Anthropic-style tooling and widely distributed exploit methods increase vulnerability discovery velocity, so buyers need automated scan-to-remediate paths and supplier s.... Owner: Category. KPI: Operational pipeline that flags externally exposed high-risk services and produces supplier-tracked remediation tickets with verifiable closure evidence
  • Anthropic’s Mythos and similar frontier models may accelerate automated exploit development and vulnerability discovery; treat public claims as an early, directional risk that could change attacker capabilities and tooling availability
Open original source

[4] FBI warns of Kali365 phishing service targeting Microsoft 365 accounts

bleepingcomputer.com · May 25, 2026

Expand

AI reading

The FBI warned about Kali365, a phishing-as-a-service product that abuses Microsoft device-code OAuth flows to capture session tokens and bypass multi-factor authentication. Kali365 packages templates, AI-generated lures, victim-tracking dashboards, and token-capture features, making device-code phishing accessible to low-skilled attackers; defenders should assume this method will be used widely. Watch supplier telemetry for device-code abuse patterns and require partners to support token revocation workflows

Buyer takeaway

Treat device-code OAuth abuse as an immediate identity risk and validate supplier capabilities for consenting device flow controls and rapid token revocation

Cost / money

Mitigations and incident response for OAuth token theft increase identity-operational spend and may require supplier engagement for session invalidation

Supplier / commercial

Negotiate identity incident cooperation clauses and proof of revocation capabilities with SaaS and identity providers to reduce time-to-containment

Safety / operations

Compromised sessions grant access to all SaaS resources tied to the account, raising the operational severity of successful social-engineering attacks

What to watch

Monitor for resale and affiliate growth of Kali365-style platforms that expand the volume and geographic spread of device-code phishing attacks

Key facts

  • Kali365 emerged publicly in April and is distributed via Telegram
  • Platform offers device-code phishing and an adversary-in-the-middle 'Cookie Link' mode
  • Researchers observed widespread campaigns targeting Microsoft 365 and Entra

Source excerpts

The platform uses device code phishing, an increasingly popular method that abuses Microsoft's legitimate OAuth 2
The FBI recommends companies restrict or completely block device code authentication flows using Conditional Access policies where possible, audit existing device code usage, and block authentication transfer policies that allow authentication sessions to move between devices
Device code authentication formSource: BleepingComputer In February, BleepingComputer reported that extortion gangs, including the ShinyHunters cybercrime group, were targeting Microsoft Entra accounts via device-code and voice phishing. In these attacks, threat actors initiate the device authorization process themselves to generate a code, then trick targets into entering it on Microsoft's login page via phishing and social engineering

Used in this brief

  • CISA added an actively exploited Drupal SQL injection to its Known Exploited Vulnerabilities list — buyers should treat hosted and multi-site Drupal instances as high-priority remediation items and confirm patching or mitigations with providers. A phishing-as-a-service product (Kali365) that abuses Microsoft device-code OAuth flows has been publicized by the FBI, meaning token- and session-based account takeovers are becoming easier for low-skilled attackers — tighten OAuth consent controls and device-code monitoring with SaaS suppliers. Vendors pushed critical fixes this week across the stack — Ubiquiti patched multiple maximum-severity UniFi OS flaws and Microsoft acknowledged a domain controller discovery failure after a May security update — both create short-term remediation and compatibility workstreams for buyers who depend on legacy or internet-exposed appliances. Anthropic’s restricted Mythos model signals a new tooling vector where AI could automatically generate high-quality exploit code; treat this as an emerging attacker capability that increases the value of automated vulnerability scanning and supplier proof-of-fix workflows
  • Next 72 hours — Require Identity/SSO owners and primary SaaS suppliers to confirm device-code OAuth usage and to enable or tighten device-code consent dialogs and token revocation monitoring.. Rationale: because the FBI advisory on Kali365 shows attackers are abusing device-code OAuth flows to bypass MFA and hijack sessions, so controls and monitoring must be verified with ident.... Owner: Ops. KPI: Documented supplier attestations and operational controls for device-code flows and a ticketed action plan where controls are inadequate
  • Next 2-4 weeks — Run scoped phishing simulations and device-code phishing awareness training for teams with Microsoft Entra/365 access and update incident playbooks to include device-code token.... Rationale: because Kali365 commoditizes device-code phishing and increases the likelihood of token-based compromises, so playbooks and user awareness must match the current attack vector.. Owner: Ops. KPI: Playbook updated with device-code compromise steps and targeted teams have completed training and simulation results documented
Open original source

[5] Ubiquiti patches three max severity UniFi OS vulnerabilities

bleepingcomputer.com · May 22, 2026

Expand

AI reading

Ubiquiti released patches for multiple maximum‑severity UniFi OS vulnerabilities that allow unauthenticated remote actions, file access, and command injection. Censys is tracking nearly 100,000 internet-exposed UniFi OS endpoints, so many fleets may be vulnerable until patches are applied or appliances isolated. Watch supplier advisories for exploit reports and prioritize internet-exposed consoles in remediation plans

Buyer takeaway

Inventory UniFi consoles and require vendor proof-of-patch or isolations for internet-exposed appliances during contract reviews

Cost / money

Patching large appliance fleets can spike labor and potential temporary replacement costs if devices are taken offline

Supplier / commercial

Negotiate maintenance-window commitments and emergency remediation credits for critical appliance classes to avoid premium charges during mass patch rollouts

Safety / operations

Remote command injection and unauthorized changes increase the risk of lateral compromise and network disruption if consoles are reachable externally

What to watch

Verify whether suppliers have applied patches at scale and watch for exploit activity targeting unpatched management planes

Key facts

  • Multiple maximum-severity UniFi OS CVEs patched
  • Censys tracking nearly 100,000 internet-exposed UniFi OS endpoints
  • Vulnerabilities exploitable without privileges in low-complexity attacks

Source excerpts

However, there is currently no information on how many have been secured against potential attacks targeting the vulnerabilities Ubiquiti patched this week. UniFi OS endpoints exposed online (Censys) ​In March, Ubiquiti patched another maximum-severity flaw (CVE-2026-22557) in the UniFi Network Application that may allow attackers to take over user accounts, as well as a vulnerability (CVE-2026-22558) that can be exploited to escalate privileges
Ubiquiti has released security updates to patch three maximum severity vulnerabilities in UniFi OS that can be exploited by remote attackers without privileges. UniFi OS is a unified operating system that powers UniFi Consoles and helps manage IT infrastructure, including networking, security, and other services, as well as UniFi applications such as UniFi Network, UniFi Protect, UniFi Access, UniFi Talk, and UniFi Connect
At the moment, threat intelligence company Censys is tracking nearly 100,000 Internet-exposed UniFi OS endpoints, most of them (nearly 50,000 IP addresses) found in the United States

Used in this brief

  • What to watch: Ubiquiti disclosed multiple maximum‑severity UniFi OS flaws with a very large exposed endpoint footprint tracked by researchers; verify which appliances in your fleet are internet-exposed and whether vendor patches have been applied
  • Next quarter — Reassess supplier risk profiles and procurement levers for network appliance and SaaS identity vendors: add explicit remediation SLAs, patch-proof requirements, and token/sessio.... Rationale: because repeated maximum-severity disclosures (UniFi) and new OAuth PhaaS threats change uptime and identity dependency, so buying terms should shift supplier accountability and.... Owner: Contracts. KPI: Updated renewal templates that include remediation SLAs, proof-of-fix obligations, and incident cooperation language for critical appliance and identity suppliers
  • Ubiquiti disclosed multiple maximum‑severity UniFi OS flaws with a very large exposed endpoint footprint tracked by researchers; verify which appliances in your fleet are internet-exposed and whether vendor patches have been applied
Open original source

[6] CrowdStrike

finance.yahoo.com · n.d.

Expand
Open original source

[7] Fortinet

finance.yahoo.com · n.d.

Expand
Open original source
More from IT, Telecom & CyberBack to Executive View