In partnership with

Stop making AI decisions in the dark. Understand AI usage.

Leadership is asking: are we getting value from AI? Which tools are worth the spend? Where are we exposed? Right now, most teams have no idea.

Harmonic Security Usage Explorer changes that. It automatically classifies every AI interaction across your organization into the use cases driving real work, specific to your business. Not generic categories. Not raw prompts. Actual patterns to understand: how your teams are using AI, how much time they spend in AI, the cost, and where risk lives.

CIOs get the data to rationalize spend and cut wasted licenses. CISOs get risk in context. AI committees get proof of impact.

Early access is now open to a limited number of organizations. Request your spot.

This is an IT Support Group

Thursday Security Briefing 🤠

A Linux root exploit fits in a tweet, Ollama leaks your secrets to the internet, and Iran faked a ransomware attack through Microsoft Teams.

GM IT pros!

Happy Thursday! Welcome to your weekly security briefing — the one where I tell you everything that's on fire so you can decide which fire to put out first.

-Stetson

Security Briefing

This week's CVEs, breaches, and threat intel in 5-minutes-ish or less

🚨 CRITICAL CVEs & PATCHES

The "drop everything and patch" section...

🐧 Linux Root in 732 Bytes — CISA Says Patch by May 15
CVE-2026-31431 is a local privilege escalation flaw that lets any unprivileged user go straight to root with a 732-byte Python script. CISA slapped it on the KEV catalog and gave federal agencies until May 15 to fix it. Upstream fixes are in kernel versions 6.18.22, 6.19.12, and 7.0; distro kernels backport fixes without bumping that number, so check your vendor's advisory rather than eyeballing uname -r. If you're running Linux servers and haven't patched yet, congratulations — you're the vulnerability. Read more
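If you want a quick first-pass triage across a fleet, here is an added example (mine, not from the briefing or any vendor tool) that maps a `uname -r` string onto the three upstream fix versions named above. It assumes only those numbers: branches the briefing does not list (your distro's LTS kernel, say) get "check-vendor" rather than a guess, precisely because backported fixes do not change the upstream version string.

```python
import re
import subprocess

# Upstream releases the briefing names as carrying the fix, keyed by stable branch.
# Assumption: every branch from 7.0 up is fixed; branches older than 6.18 are not
# named in the briefing, so the script refuses to guess about them.
FIXED_BY_BRANCH = {(6, 18): 22, (6, 19): 12}
FIRST_FIXED_BRANCH = (7, 0)

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(uname_r: str):
    """Turn a `uname -r` string such as '6.18.19-arch1-1' or
    '6.19.12-200.fc43.x86_64' into (major, minor, patch); patch defaults to 0."""
    m = _RELEASE_RE.match(uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {uname_r!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def kernel_status(uname_r: str) -> str:
    """'patched', 'vulnerable', or 'check-vendor' for the given release string.
    'check-vendor' means the branch is not one the briefing lists (typically a
    distro LTS kernel); distros backport fixes without changing the upstream
    version, so only the vendor advisory can answer the question there."""
    major, minor, patch = parse_release(uname_r)
    if (major, minor) >= FIRST_FIXED_BRANCH:
        return "patched"
    fixed_patch = FIXED_BY_BRANCH.get((major, minor))
    if fixed_patch is None:
        return "check-vendor"
    return "patched" if patch >= fixed_patch else "vulnerable"


if __name__ == "__main__":
    running = subprocess.run(["uname", "-r"], capture_output=True, text=True, check=True).stdout
    print(f"{running.strip()}: {kernel_status(running)}")
```

Run it on each box (or pipe `uname -r` strings from your inventory through `kernel_status`); anything that comes back "check-vendor" goes on the list for a manual look at the distro advisory, not the "fine" pile.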

🔥 Palo Alto PAN-OS Zero-Day — Unpatched, CVSS 9.3
CVE-2026-0300 is an unauthenticated RCE in PAN-OS when the User-ID Authentication Portal faces the internet. It's actively exploited and Palo Alto won't have patches until May 13. That's six more days of "please don't hack us" energy. Disable internet-facing User-ID portals NOW. Read more

🔓 cPanel Auth Bypass — CVSS 9.8, 44,000 IPs Hammering It
CVE-2026-41940 lets remote attackers bypass authentication in cPanel/WHM and gain elevated control. It was weaponized within 24 hours of disclosure, with 44,000 IPs joining the party. Government and MSP networks already hit. If you manage cPanel boxes, patch immediately or start drafting your incident response report. Read more

🌐 Apache HTTP/2 Double-Free RCE (CVE-2026-23918)
CVSS 8.8 — a double-free bug in HTTP/2 handling that can lead to remote code execution. Fixed in Apache 2.4.67. If your web servers are still on 2.4.66 or older, today's a great day to change that. Read more

📱 Ivanti EPMM RCE — Because It's Always Ivanti
CVE-2026-6973 (CVSS 7.2) affects Ivanti Endpoint Manager Mobile. Authenticated admins can achieve RCE. Update to 12.6.1.1, 12.7.0.1, or 12.8.0.1. At this point, "Ivanti CVE" should be a free square on your bingo card. Read more

🤖 AI SECURITY CORNER

Your self-hosted AI is not as safe as you think...

🦙 "Bleeding Llama" — Ollama Leaks Everything, 300K Servers Exposed
CVE-2026-7482 (CVSS 9.1) is a heap out-of-bounds read in Ollama's GGUF model loader. Three unauthenticated API calls and an attacker can dump your entire process memory — system prompts, chat messages, API keys, database credentials, all of it. 300,000 servers are exposed globally. Patch to Ollama 0.17.1 and for the love of all that is holy, stop exposing your Ollama instance directly to the internet. Read more
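Two things to check on every host that runs Ollama: what interface it is bound to, and what version it is. Here is an added example (mine, not from the briefing or the Ollama project) that does both. It assumes Ollama's default API port of 11434, that the `OLLAMA_HOST` environment variable controls the bind address, that `GET /api/version` returns the version, and that `ss -ltn` is available; the sample socket listing is constructed.

```python
import json
import re
import subprocess
import urllib.request
from typing import List, NamedTuple

OLLAMA_PORT = 11434            # Ollama's default API port
FIXED_VERSION = (0, 17, 1)     # first fixed release, per the briefing

# Constructed sample of `ss -ltn` output: CUPS on loopback, Ollama bound to every
# IPv4 interface, sshd on every IPv6 interface.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*
LISTEN 0      4096   0.0.0.0:11434       0.0.0.0:*
LISTEN 0      4096   [::]:22             [::]:*
"""


class Listener(NamedTuple):
    addr: str
    port: int


def parse_ss_listeners(text: str) -> List[Listener]:
    """Extract (addr, port) from `ss -ltn` output; handles 'a.b.c.d:p', '[v6]:p'
    and '*:p' local-address forms. Header and non-LISTEN lines are skipped."""
    found = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")
        found.append(Listener(addr.strip("[]"), int(port)))
    return found


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "::1"


def exposed_ollama(listeners: List[Listener]) -> List[Listener]:
    """Ollama sockets reachable from other hosts. Anything not on loopback counts:
    '0.0.0.0', '::' and '*' all mean every interface, and a specific LAN address
    is still one port-forward away from the internet."""
    return [l for l in listeners if l.port == OLLAMA_PORT and not is_loopback(l.addr)]


def parse_version(v: str):
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised Ollama version: {v!r}")
    return tuple(int(x) for x in m.groups())


def ollama_is_vulnerable(version: str) -> bool:
    """True for any build below the 0.17.1 fix."""
    return parse_version(version) < FIXED_VERSION


if __name__ == "__main__":
    ss_out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    for l in exposed_ollama(parse_ss_listeners(ss_out)):
        print(f"Ollama listening on {l.addr}:{l.port}; set OLLAMA_HOST=127.0.0.1 "
              "or front it with an authenticating reverse proxy")
    with urllib.request.urlopen(f"http://127.0.0.1:{OLLAMA_PORT}/api/version", timeout=3) as r:
        ver = json.load(r)["version"]
    verdict = "VULNERABLE, upgrade to 0.17.1+" if ollama_is_vulnerable(ver) else "at or past the fix"
    print(f"Ollama {ver}: {verdict}")
```

Ollama has no authentication of its own, so "bound to loopback" or "behind something that does auth" are the only two acceptable answers for the first check, patched or not.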

🧠 AI Is Making Zero-Day Exploitation Stupid Fast
New research shows AI-powered offensive tools can now discover and exploit zero-days in under 10 minutes. What used to take weeks now takes a coffee break. Commercial surveillance vendors were responsible for more zero-days than state-sponsored groups for the first time. The future is here and it's terrifying. Read more

📦 vm2 Node.js Sandbox Escape — CVSS 9.8
A dozen critical vulnerabilities in the vm2 Node.js library, with CVE-2026-24118 allowing full sandbox escape and arbitrary code execution on the host. If your app uses vm2 for sandboxing untrusted code, your sandbox has a vm2-shaped hole in it. vm2's maintainer discontinued the project back in 2023 and its README points users at isolated-vm, so treat this as a migration, not a patch. Read more

💀 BREACHES & RANSOMWARE

This week's data breach obituaries...

🎓 ShinyHunters Hits Instructure Canvas — 275M Student Records
The ShinyHunters crew breached Instructure (the company behind Canvas LMS) and claims to have grabbed 275 million records across 8,800+ schools and universities. Names, emails, student IDs, and private messages — all compromised. If you work in edu-IT, your phone is probably already ringing. Read more

💰 Fiserv Listed on Everest Ransomware Leak Site
Fiserv — one of the world's largest fintech providers — showed up on the Everest ransomware group's leak site. When your payment processor gets ransomwared, everybody's having a bad day. Read more

🎬 Vimeo Confirms Third-Party Vendor Breach
Attackers accessed user data, video metadata, and customer emails through a compromised third-party vendor. Supply chain attacks: the gift that keeps on giving. Read more

🕵️ THREAT INTEL & APTs

State-sponsored shenanigans and advanced persistent headaches...

🇮🇷 MuddyWater Fakes Ransomware Attack via Microsoft Teams
Iran's MuddyWater APT group used Microsoft Teams screen-sharing to steal credentials and bypass MFA, then dropped Chaos ransomware artifacts as a false flag to disguise what was actually a state-sponsored espionage campaign. They never encrypted anything — the ransomware was theater. The real play was data exfiltration and persistence via DWAgent. If your org uses Teams externally, tighten those external access policies. Read more

🏛️ CISA Launches "CI Fortify" — Tells Critical Infrastructure to Brace for Impact
CISA's new initiative is pushing water utilities, transportation, and other critical infrastructure to prepare for geopolitical cyber crises. Translation: the government thinks things are about to get spicier and wants you ready. Read more

⛓️ SUPPLY CHAIN ATTACKS

Your dependencies are trying to kill you...

📦 SAP npm Packages Compromised — 572K Weekly Downloads Poisoned
Four official SAP npm packages were hijacked by the "Mini Shai-Hulud" campaign. Malicious preinstall scripts silently stole GitHub tokens, npm tokens, AWS/Azure/GCP credentials, and CI/CD secrets. The packages collectively pull 572,000 downloads per week. If you build on SAP's JS ecosystem, audit your lockfiles and rotate every credential that touched those packages. Read more
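The hook these packages abused is npm's install-time lifecycle script, and that is something you can audit directly. Here is an added example (mine, not from the briefing, SAP, or npm) that walks a node_modules tree and reports every package declaring one. The fixture it builds in a temp directory is constructed; the package names and commands in it are made up, not the compromised SAP packages.

```python
import json
import tempfile
from pathlib import Path
from typing import List, Tuple

# Lifecycle hooks npm runs during install. 'prepare' only fires for git/local
# dependencies, but it is a hook all the same.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

Finding = Tuple[str, str, str]  # (package name, hook, command)


def find_install_scripts(node_modules: Path) -> List[Finding]:
    """Report every package under node_modules (scoped and nested included) whose
    package.json declares an install-time script. Review each hit: native modules
    legitimately build here, but a token-stealer hides in exactly the same place."""
    findings: List[Finding] = []
    for pkg_json in sorted(node_modules.rglob("package.json")):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable, or not a manifest (e.g. a test fixture)
        if not isinstance(data, dict):
            continue
        scripts = data.get("scripts") or {}
        name = data.get("name") or str(pkg_json.parent.relative_to(node_modules))
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, hook, scripts[hook]))
    return findings


def build_sample_tree(root: Path) -> Path:
    """Constructed fixture: one hook-free package and one scoped package with a
    preinstall hook. Names and commands are illustrative only."""
    manifests = {
        "left-pad": {"name": "left-pad", "version": "1.3.0",
                     "scripts": {"test": "node test.js"}},
        "@example/ui-core": {"name": "@example/ui-core", "version": "2.4.1",
                             "scripts": {"preinstall": "node scripts/setup.js"}},
    }
    node_modules = root / "node_modules"
    for rel, manifest in manifests.items():
        pkg_dir = node_modules / rel
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return node_modules


def demo() -> List[Finding]:
    """Build the fixture in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_install_scripts(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    for name, hook, cmd in (find_install_scripts(target) if target else demo()):
        print(f"{name}: {hook} -> {cmd}")
```

Point it at a real `node_modules` (`python audit.py ./node_modules`) and read the list with a skeptical eye. For CI, `npm ci --ignore-scripts` refuses to run any of these hooks at all; the trade-off is that packages which genuinely need a native build step will need that step run explicitly afterwards.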

🔧 PATCH PRIORITIES & ACTION ITEMS

Your Thursday to-do list, whether you like it or not...

Here's what to prioritize this week:

🔴 CRITICAL — Linux kernel (CVE-2026-31431), cPanel (CVE-2026-41940), Ollama (CVE-2026-7482), PAN-OS (mitigate until May 13 patch)
🟠 HIGH — Apache HTTP Server 2.4.67, Ivanti EPMM, vm2 Node.js, Chrome (if not auto-updated)
🟡 HEADS UP — SAP npm supply chain (audit + rotate creds), Teams external access policies, May Patch Tuesday drops next Tuesday (May 12)

Want to learn Linux the hands-on way? Shell Samurai teaches you by doing — not by reading man pages and crying. Shameless plug, zero regrets.

That's your security briefing for this Thursday. Go patch something before it patches your reputation.

Stay paranoid. Stay patched. See you next Friday 🤠
