Google's Threat Intelligence Group says it caught the first known case of a real attacker using a large language model to find and weaponize a zero-day - a 2FA bypass in a popular but unnamed open-source web-based system administration tool. Google has high confidence the Python exploit was AI-generated, citing textbook code structure, abundant educational docstrings, and a hallucinated CVSS score in the script. The flaw was a high-level logic bug, the kind LLMs excel at spotting, rather than a memory corruption issue. Google rules out Gemini and warns that AI-assisted exploit development is being industrialized via account-pooling and proxy relays for premium models.
Researchers at Cyera disclosed a critical bug in Ollama, the open-source tool that runs large language models locally on laptops and servers. The flaw, called Bleeding Llama (CVE-2026-7482), lets anyone with network access send a malformed model file and read raw process memory back - which typically contains API keys, environment variables, system prompts, and other users' chat history. Ollama ships without authentication by default, so an estimated 300,000 instances are exposed on the internet. Ollama 0.17.1 fixes it. Separately, Striga disclosed two unpatched Ollama Windows desktop flaws (CVE-2026-42248 and CVE-2026-42249) that chain into persistent code execution at login.
cPanel released patches Friday for three new vulnerabilities. The two worst (CVE-2026-29202 and CVE-2026-29203, both CVSS 8.8) let authenticated users execute arbitrary Perl code through the create_user API or escalate privileges via unsafe symlink chmod. The third (CVE-2026-29201, CVSS 4.3) lets authenticated users read arbitrary files. No exploitation observed yet. The disclosure lands while attackers are still mass-exploiting CVE-2026-41940 to deploy 'Sorry' ransomware against cPanel hosts, including a wave targeting government agencies and MSPs (covered May 5). Hosting providers face a compounding patch burden.
Researcher Hyunwoo Kim disclosed Dirty Frag yesterday after an unrelated third party broke the embargo five days early. The flaw chains two Linux kernel page-cache write bugs (xfrm-ESP and RxRPC) to give any local user root access on every major distribution - Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, Fedora. Like Dirty Pipe and last week's Copy Fail, it's a deterministic logic bug with no race condition required and no kernel panic on failure. PoC is public on GitHub. The ESP variant patch was merged into the netdev tree on May 7 but distribution kernels remain unpatched. No CVE assigned yet because the embargo broke early.
Ivanti disclosed Wednesday that attackers are exploiting a zero-day in Endpoint Manager Mobile (EPMM) to gain admin-level remote code execution on enterprise MDM servers. CVE-2026-6973. Successful exploitation gives the attacker control over the MDM platform that pushes apps and configurations to managed mobile fleets - a foothold that can pivot into managed devices and the corporate identity layer. CISA added the flaw to its Known Exploited Vulnerabilities catalog the same day with a federal patch deadline next week. Ivanti products have a long history of zero-day exploitation.
Palo Alto Networks confirmed Wednesday that attackers are exploiting a zero-day in its firewall login portal to run code as root on PA-Series and VM-Series firewalls. CVE-2026-0300 (CVSS 9.3) is a buffer overflow in the User-ID Authentication Portal (Captive Portal) that lets unauthenticated attackers send crafted packets and execute code without any login. Palo Alto Unit 42 attributed the activity to CL-STA-1132, a likely state-sponsored cluster that started probing on April 9 and achieved RCE a week later. Attackers deploy tunneling tools and enumerate Active Directory using the firewall's service account. First patches arrive May 13. Shadowserver counts 5,800+ exposed VM-Series firewalls.
vm2 maintainers disclosed a fresh batch of a dozen sandbox-escape vulnerabilities yesterday, including CVE-2026-43997, CVE-2026-44005, and CVE-2026-44006 - all CVSS 10.0. The library is used by 1.3 million weekly downloads worth of Node.js projects to run untrusted JavaScript inside a supposedly safe sandbox - online code runners, chatbots, automation tools, and SaaS platforms with user scripts. Each bug breaks the sandbox in a different way: prototype pollution, sandbox escape via inspect functions, allowlist bypass to reach child_process. vm2 was deprecated in 2023 over similar issues, then resurrected last October. Over 20 documented sandbox-escape bugs - the maintainer himself recommends Docker isolation instead.
Cisco patched a high-severity denial-of-service flaw in Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) that lets unauthenticated remote attackers exhaust connection resources and force the system into an unresponsive state. CVE-2026-20188. Recovery requires manual reboot. Cisco's PSIRT has not seen exploitation in the wild yet, but Cisco previously patched similar DoS bugs (CVE-2025-20362, CVE-2025-20333) that ended up being weaponized to force ASA and FTD firewalls into reboot loops, which CISA addressed with an emergency directive in November 2025.
Apache patched a double-free vulnerability in mod_http2 yesterday. CVE-2026-23918 (CVSS 8.8) lets a remote attacker crash the server immediately, with a path to remote code execution under specific memory-layout conditions. The bug is in the stream cleanup code in h2_mplx.c and is triggered by a crafted sequence of HTTP/2 frames including an early stream reset. mod_http2 ships in default Apache builds and HTTP/2 is widely enabled in production. The MPM prefork worker is not affected. Researchers warn practical RCE requires an info leak and probabilistic heap spray, but in lab conditions execution lands in minutes.
Progress Software released emergency patches Sunday for two MOVEit Automation flaws. The worst, CVE-2026-4670 (CVSS 9.8), lets remote attackers reach the management interface without logging in - and from there take administrative control. Airbus researchers disclosed both flaws privately and Progress hasn't seen exploitation in the wild, but the comparison with MOVEit's history is uncomfortable: the Cl0p ransomware gang exploited MOVEit Transfer in 2023 to steal data from 2,100 organizations and 62 million individuals. Shodan shows 1,400+ MOVEit Automation instances exposed online, including a dozen linked to US local and state government agencies.