<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
  <channel>
    <title>Tenable Blog</title>
    <link>https://www.tenable.com/</link>
    <description/>
    <language>en</language>
    <atom:link href="https://www.tenable.com/blog/feed" rel="self" type="application/rss+xml"/>
    
    <item>
  <title>Mini Shai-Hulud: Frequently asked questions about the TeamPCP npm and PyPI supply chain campaign</title>
  <link>https://www.tenable.com/blog/mini-shai-hulud-frequently-asked-questions</link>
  <description>&lt;p&gt;&lt;strong&gt;A self-propagating worm has compromised more than 170 npm and PyPI packages, defeating provenance attestation and breaching OpenAI and Mistral AI. Here is what you need to know.&lt;/strong&gt;&lt;/p&gt;&lt;h2&gt;Key takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;&lt;strong&gt;Mini Shai-Hulud&lt;/strong&gt; is a self-propagating worm by TeamPCP that steals developer and cloud credentials across the npm and PyPI ecosystems.&lt;/li&gt;&lt;li&gt;The campaign achieved a critical security first by compromising packages with valid &lt;strong&gt;SLSA Build Level 3 provenance attestations&lt;/strong&gt;, proving that process integrity controls can be defeated.&lt;/li&gt;&lt;li&gt;Any system that installed a compromised package must be treated as fully compromised.&lt;/li&gt;&lt;/ol&gt;&lt;h2&gt;Background&lt;/h2&gt;&lt;p&gt;Between September 2025 and May 2026, a threat group tracked as TeamPCP has conducted a series of coordinated supply chain attacks across the npm and PyPI package ecosystems. The campaign, which the group calls Shai-Hulud, uses a self-propagating worm that steals developer and cloud credentials, then leverages those credentials to publish poisoned versions of additional packages. Each compromised continuous integration and continuous deployment (CI/CD) pipeline becomes a new distribution vector, enabling exponential spread. The current iteration is known as Mini Shai-Hulud.&lt;/p&gt;&lt;p&gt;Tenable’s Research Special Operations Team (RSO) has compiled this FAQ to discuss what Mini Shai-Hulud is, how the campaign operates, who has been affected and what organizations should do to protect their software supply chains.&lt;/p&gt;&lt;h2&gt;FAQ&lt;/h2&gt;&lt;p&gt;&lt;strong&gt;What is Mini Shai-Hulud?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Mini Shai-Hulud is a multi-wave supply chain attack campaign that targets the npm and PyPI open-source package registries. 
The name, chosen by the threat group TeamPCP, is a reference to the sandworms in Frank Herbert's "Dune" novels, and the campaign carries a consistent Dune-universe theme throughout its infrastructure (dead-drop repository branch names, marker strings and operational messaging all draw from the Dune lexicon).&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What is the difference between Shai-Hulud and Mini Shai-Hulud?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Shai-Hulud is the worm family. Mini Shai-Hulud is the current generation of that worm and the name TeamPCP uses for the active campaign.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;When did these campaigns start?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The original Shai-Hulud worm appeared in September 2025 as the first self-replicating malware observed in the npm ecosystem. It could steal maintainer tokens and use them to publish poisoned versions of other packages without further attacker input.&lt;/p&gt;&lt;p&gt;A second generation, sometimes called &lt;a href="https://www.tenable.com/blog/faq-about-sha1-hulud-2-0-the-second-coming-of-the-npm-supply-chain-campaign"&gt;SHA1-Hulud&lt;/a&gt;, surfaced in November 2025 with updated wiper functionality and improved credential harvesting.&lt;/p&gt;&lt;p&gt;A third variant, designated SANDWORM_MODE, introduced adaptive targeting that allowed the worm to enumerate CI/CD pipeline structures before deciding how to propagate. Each generation directly addressed detection and takedown techniques applied to its predecessor, suggesting the operators monitored defensive responses and adapted accordingly.&lt;/p&gt;&lt;p&gt;Mini Shai-Hulud is the fourth generation, active since late April 2026. The "Mini" is TeamPCP's own ironic branding; in practice, this variant is far more destructive than the original. 
Its distinguishing capabilities include:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;SLSA Build Level 3 provenance attestation forgery (allowing malicious packages to pass cryptographic verification)&lt;/li&gt;&lt;li&gt;OIDC token extraction directly from GitHub Actions runner process memory&lt;/li&gt;&lt;li&gt;Persistence hooks targeting AI coding agents and developer IDEs&lt;/li&gt;&lt;li&gt;Cross-ecosystem propagation spanning both npm and PyPI&lt;/li&gt;&lt;li&gt;Triple-redundant credential exfiltration through a dedicated command-and-control server&lt;/li&gt;&lt;/ul&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;Iteration&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Name&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;First Observation&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;First&lt;/td&gt;&lt;td&gt;Shai-Hulud&lt;/td&gt;&lt;td&gt;September 2025&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Second&lt;/td&gt;&lt;td&gt;SHA1-Hulud&lt;/td&gt;&lt;td&gt;November 2025&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Third&lt;/td&gt;&lt;td&gt;SANDWORM_MODE&lt;/td&gt;&lt;td&gt;March 2026&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Fourth&lt;/td&gt;&lt;td&gt;Mini Shai-Hulud&lt;/td&gt;&lt;td&gt;April 2026&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What are the vulnerabilities associated with Mini Shai-Hulud?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The TanStack compromise has been assigned a single CVE:&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;CVE&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Description&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;CVSSv3&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;VPR&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;CVE-2026-45321&lt;/td&gt;&lt;td&gt;Malicious code injection in 42 @tanstack packages 
via three chained GitHub Actions&lt;/td&gt;&lt;td&gt;9.6&lt;/td&gt;&lt;td&gt;9.2&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;p&gt;*Please note: Tenable’s &lt;a href="https://www.tenable.com/capabilities/vulnerability-priority-rating"&gt;Vulnerability Priority Rating (VPR)&lt;/a&gt; scores are calculated nightly. This blog post was published on May 21, 2026 and reflects VPR at that time.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;What is CVE-2026-45321?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="https://www.tenable.com/cve/CVE-2026-45321"&gt;CVE-2026-45321&lt;/a&gt; describes a chained exploitation of three weaknesses in TanStack's GitHub Actions CI/CD configuration. The attacker created a fork of the TanStack/router repository under a renamed account to avoid detection, then opened a pull request that triggered a pull_request_target workflow. This workflow executed code from the attacker's fork in the base repository's trusted context, allowing the attacker to poison the GitHub Actions cache with malicious binaries. When legitimate maintainer pull requests were later merged, the release workflow restored the poisoned cache. Attacker-controlled code then extracted OpenID Connect (OIDC) tokens directly from the runner's process memory and exchanged them with npm's federation endpoint for full publish credentials.&lt;/p&gt;&lt;p&gt;The result was 84 malicious package versions published across 42 TanStack packages in under six minutes, all carrying valid SLSA Build Level 3 provenance attestations from Sigstore.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Are there other CVEs associated with Mini Shai-Hulud?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;At present, only CVE-2026-45321 has been assigned. It applies specifically to the TanStack wave of the campaign. 
The broader Mini Shai-Hulud campaign exploits CI/CD trust relationships and stolen credentials rather than traditional software vulnerabilities.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Which threat actors are behind this campaign?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Multiple independent security firms attribute the campaign to TeamPCP, a financially motivated cybercriminal group that emerged in late 2025. Google's Threat Intelligence Group tracks the group as UNC6780. Other tracked aliases include DeadCatx3, PCPcat, ShellForce, and CipherForce, according to Snyk and Palo Alto Networks Unit 42.&lt;/p&gt;&lt;p&gt;TeamPCP is assessed as responsible for several prior high-profile supply chain compromises, including the Aqua Security Trivy scanner compromise (March 2026), the Bitwarden CLI npm compromise (April 2026), the Checkmarx Jenkins AST Plugin backdoor (May 2026) and GitHub (May 2026). Unit 42 has documented TeamPCP's announced partnership with the Vect ransomware group, suggesting the credential harvesting pipeline may serve as an initial access pathway for ransomware deployment.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What organizations have been affected?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;At least four organizations have publicly confirmed breaches linked to the campaign:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;OpenAI&lt;/strong&gt; disclosed on May 15 that two employee devices in its corporate environment were compromised after ingesting a malicious TanStack package. Limited credential material was exfiltrated from internal source code repositories, including code-signing certificates for macOS, Windows, iOS, and Android applications. OpenAI is rotating those certificates and requiring all macOS users to update their applications before June 12, 2026. 
The company stated it found no evidence that customer data, production systems, or intellectual property were compromised.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Mistral AI&lt;/strong&gt; confirmed that a codebase management system was compromised and SDK packages were contaminated. Non-core code repositories were accessed. On May 17, a TeamPCP-linked forum account claimed to be selling alleged Mistral AI repositories.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;The European Commission (europa.eu)&lt;/strong&gt; was reportedly affected by the earlier Trivy wave in March 2026, with over 90 gigabytes of data exfiltrated according to ReversingLabs reporting.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;GitHub&lt;/strong&gt; disclosed on May 19 that they were investigating claims made by TeamPCP after the group posted GitHub source code for sale. Shortly after, they confirmed that roughly 3,800 internal repositories were breached. The root cause was a trojanized Visual Studio Code extension that had been installed by an employee. That extension was &lt;a href="https://github.blog/security/investigating-unauthorized-access-to-githubs-internal-repositories/"&gt;&lt;u&gt;later revealed&lt;/u&gt;&lt;/a&gt; to be Nx Console, in which a malicious copy of the extension was available for around 18 minutes on the Visual Studio Marketplace. According to the Nx Console &lt;a href="https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w"&gt;&lt;u&gt;security advisory&lt;/u&gt;&lt;/a&gt;, the root cause was a developer's account that had been compromised via the TanStack supply-chain compromise. The leaked credentials were then abused to run workflows on the Nx Console GitHub repository.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Beyond named victims, the campaign has compromised over 170 packages spanning both npm and PyPI with more than 518 million cumulative weekly downloads. 
&lt;a href="https://www.ox.security/blog/shai-hulud-open-source-malware-github/"&gt;&lt;u&gt;OX Security data&lt;/u&gt;&lt;/a&gt; shows that at least 400 GitHub repositories of stolen credentials were created as part of the campaign.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;How does the worm spread?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The campaign's core mechanism is a self-propagating worm. When a developer or CI/CD runner installs a compromised package, the malware executes during installation and harvests credentials stored on the system, including npm tokens, GitHub personal access tokens, AWS credentials, Kubernetes secrets, SSH keys and HashiCorp Vault tokens. The worm then uses those harvested credentials to publish poisoned versions of other packages the victim has access to, creating a chain reaction that spreads across the ecosystem without requiring further action from the attacker.&lt;/p&gt;&lt;p&gt;Mini Shai-Hulud employs three distinct attack chains depending on the access conditions available:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Token theft and automated mass-publish&lt;/strong&gt; is the most common method. The attacker compromises an npm maintainer account or token through prior credential harvesting, then runs an automated script that publishes trojanized versions of every package accessible to the compromised account. The trojanized packages include a preinstall hook that downloads the Bun JavaScript runtime and executes a large, obfuscated credential-stealing payload before the dependency installation completes.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;OIDC hijack with provenance defeat&lt;/strong&gt; was used in the TanStack wave and represents the most technically sophisticated variant. 
Instead of stealing a stored credential, the attacker extracted a short-lived OIDC token from the runner's process memory, allowing publication through the project's own trusted pipeline with valid cryptographic attestation.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;PyPI injection&lt;/strong&gt; targets Python packages through compromised maintainer accounts. A dropper injected into the package's initialization file downloads a separate malicious payload from attacker-controlled infrastructure.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;All three chains converge on the same post-exploitation behavior: credentials are exfiltrated through three redundant channels (a dedicated command-and-control server, the decentralized Session messenger network and GitHub API dead drops), and the harvested tokens are used to propagate the worm to additional packages.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Why is the SLSA provenance defeat significant?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;SLSA (Supply-chain Levels for Software Artifacts) is a framework for verifying that software was built from a trusted source through a trusted process. Build Level 3, the highest practical level, requires cryptographic provenance generated by the build system itself, verified through Sigstore. Running npm audit signatures on a Level 3-attested package should confirm that the package was built exactly as the maintainer intended.&lt;/p&gt;&lt;p&gt;The Mini Shai-Hulud TanStack wave demonstrated that provenance attestation can verify that the build pipeline is legitimate without verifying that the code being built is safe. Because the attacker hijacked the legitimate pipeline itself (rather than publishing from an unauthorized account), the resulting packages carried valid attestations. Organizations that relied on provenance verification as a primary supply chain security control were unable to detect the compromise.&lt;/p&gt;&lt;p&gt;This finding has implications beyond this specific campaign. 
Any security control that verifies process integrity without independently verifying code integrity is vulnerable to the same class of attack. Provenance remains valuable but is no longer sufficient as a standalone trust signal for open-source packages. When malicious code can bypass cryptographic build verification, code scanning cannot live in a vacuum; it must be continuously validated alongside identity entitlements and runtime posture.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What about the open-sourced code and copycat attacks?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;On May 12, 2026, TeamPCP published the Shai-Hulud worm source code on GitHub under an MIT License with the message: "Shai-Hulud: Open Sourcing The Carnage." The release included operational guidance encouraging users to customize encryption keys and infrastructure for their own campaigns. TeamPCP simultaneously announced a $1,000 contest on BreachForums for the largest supply chain attack using the code.&lt;/p&gt;&lt;p&gt;&lt;a href="https://www.ox.security/blog/new-actors-deploy-shai-hulud-clones-teampcp-copycats-are-here/"&gt;&lt;u&gt;OX Security&lt;/u&gt;&lt;/a&gt; detected four malicious npm packages from separate threat actors deploying Shai-Hulud clones in May 2026, including chalk-tempalte (a typosquat of the popular Chalk library), @deadcode09284814/axios-util, axois-utils, and color-style-utils. 
These copycat packages use the open-sourced worm code with modified command-and-control infrastructure and credential exfiltration targets.&lt;/p&gt;&lt;p&gt;A rival worm called &lt;a href="https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/"&gt;&lt;u&gt;PCPJack&lt;/u&gt;&lt;/a&gt; has also been observed actively evicting TeamPCP infections while stealing credentials independently, adding further complexity to the threat landscape.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Is CVE-2026-45321 in the CISA Known Exploited Vulnerabilities (KEV) catalog?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;As of May 20, 2026, CVE-2026-45321 is not listed in the CISA KEV catalog. NHS England issued a security alert related to the campaign, but no public advisory from CISA has been published.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What should organizations do?&lt;/strong&gt;&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;strong&gt;Scan your dependency trees immediately.&lt;/strong&gt; Check lockfiles and CI logs for any affected package versions across the @tanstack, @uipath, @mistralai, @opensearch-project, @antv, and @squawk namespaces. Community-maintained detection scripts can assist, though organizations should verify third-party scanning tools before deployment.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Check for persistence before revoking tokens.&lt;/strong&gt; The worm installs a gh-token-monitor daemon (via systemd on Linux or launchctl on macOS) that polls GitHub every 60 seconds and triggers a recursive file deletion if it detects that the token has been revoked. 
Search for and remove this daemon, as well as injected tasks in .vscode/tasks.json and Claude Code hooks in ~/.claude/settings.json, &lt;em&gt;before&lt;/em&gt; rotating credentials.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Rotate all credentials on potentially affected systems.&lt;/strong&gt; If exposure is suspected, rotate GitHub tokens, npm tokens, AWS credentials, HashiCorp Vault tokens, Kubernetes service accounts, Docker credentials, and CI/CD secrets. Treat any system that installed a compromised package version as fully compromised.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Harden CI/CD pipeline configurations.&lt;/strong&gt; Replace pull_request_target workflows with pull_request for any workflow that executes code from pull requests. Pin all GitHub Actions and workflow steps to immutable commit SHAs rather than tags or branches. Implement cache isolation between fork-originated and maintainer-originated workflows. Restrict secret access to named workflow steps using the GitHub Actions permissions key.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Implement structural dependency controls.&lt;/strong&gt; Deploy --ignore-scripts as the default for npm installs with explicit allowlisting for trusted lifecycle hooks. Pin all dependencies to exact versions and enforce lockfile integrity verification in CI. Consider implementing minimumReleaseAge policies to delay automatic installation of newly published versions.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Audit for credential storage on developer machines.&lt;/strong&gt; The payload targets more than 80 environment variables and filesystem paths, including .aws/credentials, .npmrc, .ssh/ directories, .kube/config, and .docker/config.json. 
Transition from long-lived filesystem credentials to short-lived tokens and ephemeral CI/CD environments wherever possible.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Monitor for campaign indicators.&lt;/strong&gt; Watch for network connections to 83.142.209[.]194, DNS queries to getsession[.]org endpoints from CI runners, and GitHub repository creation matching Dune-themed naming patterns. Organizations with Software Composition Analysis tools should ensure their rulesets include the campaign's known payload hashes and behavioral indicators.&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;strong&gt;Has Tenable released any product coverage for these vulnerabilities?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Yes, Tenable customers can use &lt;a href="https://www.tenable.com/products/tenable-one"&gt;Tenable One Exposure Management Platform&lt;/a&gt; to assess their exposure surface related to Mini Shai-Hulud. Tenable One provides visibility into software dependencies and CI/CD pipeline configurations, enabling organizations to identify potentially compromised packages within their environments and prioritize remediation based on their specific exposure context.&lt;/p&gt;&lt;p&gt;&lt;a href="https://www.tenable.com/cloud-security/products/cnapp"&gt;Tenable One Cloud Exposure Management&lt;/a&gt; provides immediate inventory and prioritization coverage across five dimensions:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Continuous package inventory across every cloud workload allowing you to scan container images, VMs, and registry artifacts to maintain a live software bill of materials (SBOM). The moment indicators of compromise (IOCs) publish, Tenable identifies every asset pulling the compromised versions.&lt;/li&gt;&lt;li&gt;Reachability and exploitability context. 
This is where Tenable One Cloud Exposure Management separates from list-based software composition analysis (SCA), determining whether the compromised package is actually loaded at runtime, whether the workload is internet-exposed and whether the malicious code path executes on import.&lt;/li&gt;&lt;li&gt;Pipeline-to-cloud lineage. Tenable One Cloud Exposure Management traces compromised packages back through CI/CD to the build artifacts they produced, through runtime. Tenable also provides runtime reachability analysis with eBPF scanning and AI-powered Threat Stories, adding yet another actionable layer of threat discovery and response.&lt;/li&gt;&lt;li&gt;Asset-criticality prioritization. Tenable ranks findings by business context, identity blast radius via cloud infrastructure entitlement management (CIEM), and data sensitivity via data security posture management (DSPM) so response teams work the highest-risk assets first.&lt;/li&gt;&lt;li&gt;Unified findings inside Tenable One. SCA hits don’t sit in isolation. They land alongside CSPM misconfigurations, identity exposures, and runtime signals from CDR, correlated by &lt;a href="https://www.tenable.com/products/tenable-one/capabilities/hexa-ai"&gt;Hexa AI&lt;/a&gt; into a single prioritized exposure. The SCA finding joins to the IAM role that pipeline assumes, the secrets it can access and the data those secrets unlock.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Additionally, a list of Tenable plugins for &lt;a href="https://www.tenable.com/cve/CVE-2026-45321/plugins"&gt;&lt;u&gt;CVE-2026-45321&lt;/u&gt;&lt;/a&gt; can be found on the individual CVE page as they’re released. 
Coverage for the original Shai-Hulud variants can be found in plugin ID &lt;a href="https://www.tenable.com/plugins/nessus/265897"&gt;&lt;u&gt;265897&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;These links will display all available plugins for these vulnerabilities, including upcoming plugins in our &lt;a href="https://www.tenable.com/plugins/pipeline"&gt;&lt;u&gt;Plugins Pipeline&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;h3&gt;Get more information&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"&gt;&lt;u&gt;StepSecurity: Mini Shai-Hulud is Back&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised"&gt;&lt;u&gt;Wiz: Mini Shai-Hulud Strikes Again&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://snyk.io/blog/tanstack-npm-packages-compromised/"&gt;&lt;u&gt;Snyk: TanStack npm Packages Hit by Mini Shai-Hulud&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.akamai.com/blog/security-research/mini-shai-hulud-worm-returns-goes-public"&gt;&lt;u&gt;Akamai: Mini Shai-Hulud: The Worm Returns and Goes Public&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://openai.com/index/our-response-to-the-tanstack-npm-supply-chain-attack/"&gt;&lt;u&gt;OpenAI: Our Response to the TanStack npm Supply Chain Attack&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.reversinglabs.com/blog/the-shai-hulud-code-drop"&gt;&lt;u&gt;ReversingLabs: Shai-Hulud Code Drop&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://tanstack.com/blog/npm-supply-chain-compromise-postmortem"&gt;&lt;u&gt;TanStack Postmortem&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.ox.security/blog/new-actors-deploy-shai-hulud-clones-teampcp-copycats-are-here/"&gt;&lt;u&gt;OX Security: New Actors Deploy Shai-Hulud 
Clones&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Join &lt;/strong&gt;&lt;/em&gt;&lt;a href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable's Research Special Operations (RSO) Team&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt; on Tenable Connect for further discussions on the latest cyber threats.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Learn more about &lt;/strong&gt;&lt;/em&gt;&lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable One&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt;, the Exposure Management Platform for the modern attack surface.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/Mini%20Shai-Hulud.png"&gt;
</description>
  <pubDate>Thu, 21 May 2026 11:28:22 -0400</pubDate>
    <dc:creator>Research Special Operations</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210934</guid>
    </item>
<item>
  <title>CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004)</title>
  <link>https://www.tenable.com/blog/cve-2026-9082-highly-critical-sql-injection-vulnerability-in-drupal-core-sa-core-2026-004</link>
  <description>&lt;p&gt;&lt;strong&gt;A highly critical SQL injection vulnerability in Drupal core's database abstraction layer affects sites running PostgreSQL.&lt;/strong&gt;&lt;/p&gt;&lt;h2&gt;Key Takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core's database abstraction API that can be exploited by unauthenticated attackers on sites using PostgreSQL.&lt;/li&gt;&lt;li&gt;No exploitation has been observed in the wild, but a detection PoC was published on the same day as the advisory and the patch diff was shared publicly within hours.&lt;/li&gt;&lt;li&gt;Patches are available across six supported Drupal branches, including two exceptional releases for end-of-life versions.&lt;/li&gt;&lt;/ol&gt;&lt;h2&gt;Background&lt;/h2&gt;&lt;p&gt;On May 20, Drupal published a &lt;a href="https://www.drupal.org/sa-core-2026-004"&gt;&lt;u&gt;security advisory&lt;/u&gt;&lt;/a&gt; (SA-CORE-2026-004) for a highly critical SQL injection vulnerability in Drupal core:&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;CVE&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Description&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;CVSSv3&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;CVE-2026-9082&lt;/td&gt;&lt;td&gt;Drupal Core SQL Injection Vulnerability&lt;/td&gt;&lt;td&gt;6.5&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;The advisory was preceded by a &lt;a href="https://www.drupal.org/psa-2026-05-18"&gt;&lt;u&gt;public service announcement&lt;/u&gt;&lt;/a&gt; (PSA-2026-05-18) on May 18, which warned administrators to prepare for a highly critical release and cautioned that exploitation could occur "within hours or days" of disclosure.&lt;/p&gt;&lt;p&gt;Drupal rates this vulnerability 20 out of 25 on its own risk scoring scale ("Highly Critical"), noting that the confidentiality impact 
includes "all non-public data accessible" and the integrity impact is "all data modifiable or deletable." NVD assigned a CVSSv3 score of 6.5, rating the confidentiality and integrity impacts as Low. Given the vendor's own characterization of impact and the unauthenticated attack vector, the Drupal risk rating better reflects the potential severity for affected configurations.&lt;/p&gt;&lt;h2&gt;Analysis&lt;/h2&gt;&lt;p&gt;&lt;a href="https://www.tenable.com/cve/CVE-2026-9082"&gt;&lt;u&gt;CVE-2026-9082&lt;/u&gt;&lt;/a&gt; is an SQL injection vulnerability in Drupal core's database abstraction API, specifically in the PostgreSQL EntityQuery condition handler. An unauthenticated, remote attacker can exploit this vulnerability by sending specially crafted requests to a vulnerable Drupal site running on PostgreSQL. Successful exploitation could lead to information disclosure, data modification or deletion, and in some configurations, privilege escalation or remote code execution.&lt;/p&gt;&lt;p&gt;User-controlled PHP array keys could reach SQL placeholder construction unsanitized. Drupal fixed this by applying ‘array_values()’ which strips attacker-supplied keys and replaces them with numeric indexes.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Scope: PostgreSQL only&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;This vulnerability only affects Drupal sites using PostgreSQL as their database backend. Sites running MySQL, MariaDB, or SQLite are not affected. 
The vulnerable code resides in Drupal’s PostgreSQL EntityQuery condition handler, which is only invoked on PostgreSQL configurations.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;No exploitation observed&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;At the time this blog post was published on May 21, Drupal's advisory describes the exploit status as "Theoretical," and no in-the-wild exploitation has been reported.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Historical exploitation of Drupal Core&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Drupal core has a well-documented history of critical vulnerabilities that attracted rapid mass exploitation. CISA's Known Exploited Vulnerabilities (KEV) catalog contains four Drupal entries, two of which have confirmed ransomware use. The Drupalgeddon vulnerabilities (CVE-2018-7600 and CVE-2018-7602) in particular became a case study in how quickly attackers weaponize Drupal flaws once details are available.&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;CVE&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Description&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Date Added&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Tenable Blogs&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2018-7600"&gt;&lt;u&gt;CVE-2018-7600&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Drupal Core Remote Code Execution (Drupalgeddon 2)&lt;/td&gt;&lt;td&gt;2021-11-03&lt;/td&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/blog/critical-drupal-core-vulnerability-what-you-need-to-know"&gt;&lt;u&gt;Critical Drupal Core Vulnerability: What You Need to Know&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2018-7602"&gt;&lt;u&gt;CVE-2018-7602&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Drupal Core Remote Code Execution (Drupalgeddon 3)&lt;/td&gt;&lt;td&gt;2022-04-13&lt;/td&gt;&lt;td&gt;&lt;a 
href="https://www.tenable.com/blog/drupalgeddon-attacks-continue-on-sites-missing-security-updates-cve-2018-7600-cve-2018-7602"&gt;&lt;u&gt;Drupalgeddon Attacks Continue on Sites Missing Security Updates&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2019-6340"&gt;&lt;u&gt;CVE-2019-6340&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Drupal Core Arbitrary PHP Code Execution&lt;/td&gt;&lt;td&gt;2022-03-25&lt;/td&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/blog/highly-critical-drupal-security-advisory-released-sa-core-2019-003"&gt;&lt;u&gt;Highly Critical Drupal Security Advisory Released&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2020-13671"&gt;&lt;u&gt;CVE-2020-13671&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Drupal Core File Extension Sanitization&lt;/td&gt;&lt;td&gt;2022-01-18&lt;/td&gt;&lt;td&gt;--&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;h2&gt;Proof of concept&lt;/h2&gt;&lt;p&gt;On the same day as the security release, a &lt;a href="https://github.com/dinosn/drupal-sa-core-2026-004-lab"&gt;&lt;u&gt;detection PoC and reproduction lab&lt;/u&gt;&lt;/a&gt; was published. The patch diff was also shared on social media within hours of the release.&lt;/p&gt;&lt;p&gt;The minimal complexity of this patch, combined with the availability of &lt;a href="https://www.tenable.com/blog/why-the-approaching-flood-of-vulnerabilities-changes-everything-and-what-to-do-about-it"&gt;&lt;u&gt;AI-powered code analysis&lt;/u&gt;&lt;/a&gt; tools that can analyze diffs and &lt;a href="https://www.tenable.com/blog/claude-mythos-prepare-for-AI-cybersecurity-questions-from-your-board-of-directors"&gt;&lt;u&gt;assist in exploit development&lt;/u&gt;&lt;/a&gt;, compresses the timeline between patch release and weaponization. Historically, Drupal vulnerabilities of this severity have seen exploitation within hours to days of disclosure. 
Administrators running PostgreSQL-backed Drupal sites face a &lt;a href="https://www.tenable.com/blog/key-findings-from-the-verizon-dbir-2026"&gt;&lt;u&gt;shortening window&lt;/u&gt;&lt;/a&gt; to apply patches before exploitation attempts begin.&lt;/p&gt;&lt;h2&gt;Solution&lt;/h2&gt;&lt;p&gt;Drupal has released fixed versions across all currently supported branches, as well as exceptional releases for two end-of-life branches due to the severity of this vulnerability:&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;Affected Versions&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Fixed Version&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Drupal 11.3.0 - 11.3.9&lt;/td&gt;&lt;td&gt;11.3.10&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Drupal 11.2.0 - 11.2.11&lt;/td&gt;&lt;td&gt;11.2.12&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Drupal 11.0.0 - 11.1.9&lt;/td&gt;&lt;td&gt;11.1.10 (EOL, exceptional release)&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Drupal 10.6.0 - 10.6.8&lt;/td&gt;&lt;td&gt;10.6.9&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Drupal 10.5.0 - 10.5.9&lt;/td&gt;&lt;td&gt;10.5.10&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Drupal 10.4.0 - 10.4.9&lt;/td&gt;&lt;td&gt;10.4.10 (EOL, exceptional release)&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;Sites running Drupal 8.9 or 9.5 have reached end-of-life and will not receive packaged updates. However, Drupal has published hotfix files for sites running 9.5.11 or 8.9.20. 
Sites on Drupal 7 are not affected.&lt;/p&gt;&lt;p&gt;Sites using &lt;a href="https://www.drupal.org/drupal-security-team/steward"&gt;&lt;u&gt;Drupal Steward&lt;/u&gt;&lt;/a&gt; are protected against known attack vectors for this vulnerability.&lt;/p&gt;&lt;p&gt;According to the &lt;a href="https://www.drupal.org/sa-core-2026-004"&gt;&lt;u&gt;security advisory&lt;/u&gt;&lt;/a&gt;, these releases also include coordinated upstream security updates for &lt;a href="https://symfony.com/"&gt;&lt;u&gt;Symfony&lt;/u&gt;&lt;/a&gt; and &lt;a href="https://github.com/twigphp/Twig"&gt;&lt;u&gt;Twig&lt;/u&gt;&lt;/a&gt;. These upstream updates address vulnerabilities separate from CVE-2026-9082, some of which also affect Drupal core. Even sites not running PostgreSQL benefit from updating to these releases.&lt;/p&gt;&lt;h2&gt;Identifying affected systems&lt;/h2&gt;&lt;p&gt;A list of Tenable plugins for this vulnerability can be found on the individual CVE page for &lt;a href="https://www.tenable.com/cve/CVE-2026-9082/plugins"&gt;&lt;u&gt;CVE-2026-9082&lt;/u&gt;&lt;/a&gt; as they're released. 
This link will display all available plugins for this vulnerability, including upcoming plugins in our &lt;a href="https://www.tenable.com/plugins/pipeline"&gt;&lt;u&gt;Plugins Pipeline&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Drupal by using the following query: &lt;em&gt;&lt;strong&gt;CMS contains Drupal.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;img src="https://www.tenable.com/sites/default/files/inline/images/Screenshot%202026-05-21%20at%209.28.58%E2%80%AFAM.png" data-entity-uuid="c803318c-990e-40ae-acdb-f4284fa96baa" data-entity-type="file" alt="Tenable Attack Surface Management query for CMS contains Drupal" width="1200" height="460" loading="lazy"&gt;&lt;h3&gt;Get more information&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.drupal.org/sa-core-2026-004"&gt;&lt;u&gt;Drupal Security Advisory SA-CORE-2026-004&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.drupal.org/psa-2026-05-18"&gt;&lt;u&gt;Drupal PSA-2026-05-18: Pre-release announcement&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Join &lt;/strong&gt;&lt;a href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch?_gl=1*3shx5k*_gcl_au*MTYyNDA5NDcxOS4xNzc1NDgwNTI2*_ga*NTMxOTc1Nzc3LjE2ODIzNjY4NTY.*_ga_HSJ1XWV6ND*czE3NzkzNjkxNjAkbzk2MCRnMSR0MTc3OTM3MDU1OCRqNSRsMCRoMTkxMzI4NDE."&gt;&lt;strong&gt;Tenable's Research Special Operations (RSO) Team&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt; on Tenable Connect for further discussions on the latest cyber threats.&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Learn more about &lt;/strong&gt;&lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;strong&gt;Tenable One&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;, the Exposure Management Platform for the modern attack surface&lt;/strong&gt;.&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/Drupal-2026.png"&gt;
</description>
  <pubDate>Thu, 21 May 2026 09:25:37 -0400</pubDate>
    <dc:creator>Satnam Narang</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210933</guid>
    </item>
<item>
  <title>Tenable One deepens third-party integrations with new Open Connector for unified risk visibility</title>
  <link>https://www.tenable.com/blog/new-tenable-one-open-connector-extends-third-party-integrations-unified-risk-visibility</link>
  <description>&lt;p&gt;The days of rigid, vendor-locked security stacks are over. The Tenable One Open Connector amplifies Tenable One’s extensive capacity to ingest and consolidate third-party security data, giving you more complete visibility across your attack surface, so you can keep using your preferred cybersecurity tools.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;Key takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;The Tenable One Open Connector enables you to integrate data from previously unsupported sources of security data, eliminating silos and providing a more unified view of cyber risk.&lt;/li&gt;&lt;li&gt;Break free from vendor lock-in by ingesting and mapping data from the tools that work best for your business.&lt;/li&gt;&lt;li&gt;Automate data ingestion to ensure your exposure management decisions always use up-to-date data insights.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;If you’re running a security organization, you likely struggle with this persistent and disruptive problem: Security data is spread across too many disparate tools, making it nearly impossible to get a clear, unified picture of your organization’s overall risk exposure.&lt;/p&gt;&lt;p&gt;This is one of the fundamental challenges that an effective &lt;a href="https://www.tenable.com/exposure-management"&gt;exposure management&lt;/a&gt; program addresses.&lt;/p&gt;&lt;p&gt;One of the primary goals of the &lt;a href="https://www.tenable.com/products/tenable-one"&gt;Tenable One Exposure Management Platform&lt;/a&gt; is to serve as the central hub for unified risk reduction across your entire environment, including on-premises assets, cloud workloads, IoT devices, OT systems, AI tools, identity platforms, and more. 
With Tenable One, you can break down data-security silos that heterogeneous tools create and unify fragmented visibility into one place.&lt;/p&gt;&lt;p&gt;Earlier this year, Tenable introduced &lt;a href="https://www.tenable.com/products/tenable-one/connectors"&gt;Tenable One Connectors&lt;/a&gt;. To date, we have more than &lt;a href="https://www.tenable.com/press-releases/tenable-one-surpasses-300-integrations-delivering-the-security-industrys-most-open-exposure-management-platform"&gt;300 of these validated integrations&lt;/a&gt;, which give security teams the ability to integrate these tools and consolidate their data into Tenable One. These custom-built connectors have established Tenable One as one of the most open and interconnected &lt;a href="https://www.tenable.com/exposure-management"&gt;exposure management platforms&lt;/a&gt; on the market.&lt;/p&gt;&lt;p&gt;Now, we are delivering the final piece of the puzzle with the launch of the &lt;strong&gt;Tenable One Open Connector.&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;By expanding your reach beyond the 300-plus official integrations, the &lt;strong&gt;Tenable One Open Connector&lt;/strong&gt; allows you to ingest data from other unsupported tools, spreadsheets, and even homegrown internal systems. This includes everything from manual pentesting results and specialized security tools to custom internal configuration-management databases (CMDBs) and AI-driven security audits.&lt;/p&gt;&lt;h2&gt;A truly open approach to exposure management&lt;/h2&gt;&lt;p&gt;Unified visibility across your attack surface provides context to see how individual risks relate to one another. What may look like a low-priority issue on its own can become a critical weakness when linked to others, forming dangerous attack paths for adversaries. 
This relationship-driven view allows you to separate real threats from background noise, prioritize with confidence, and focus on the exposures that pose real risk to your business’s operations, revenue, and reputation. This is what exposure management is all about: building a security program that sees the whole picture, not just isolated pieces.&lt;/p&gt;&lt;p&gt;The &lt;strong&gt;Tenable One Open Connector&lt;/strong&gt; redefines how you manage data across your attack surface. By unifying your security data into a single source of truth, it gives your security team the visibility and control they need to see more, act faster, and work smarter. Here’s how:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Get a more complete view of risk&lt;/strong&gt;&lt;br&gt;The Tenable One Open Connector empowers you to bring more of your security data together into one unified, contextual view of cyber risk. With this more expansive visibility, you can perform a more holistic risk analysis and accurately prioritize to reduce critical exposures across your entire attack surface.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Unlock an open, flexible platform for your security stack&lt;/strong&gt;&lt;br&gt;A rigid, vendor-locked security stack hampers your team’s ability to assess cyber risk. At Tenable, we believe you should use the security tools that work best for your business, instead of having to make compromises driven by vendor restrictions. The Tenable One Open Connector gives you that freedom. As your priorities and tools evolve, the Tenable One Open Connector evolves with you, ensuring your heterogeneous toolset doesn’t hold your exposure management strategy back.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Act faster with automated, always-current data&lt;/strong&gt;&lt;br&gt;The Tenable One Open Connector helps you base your exposure management decisions on the latest, most complete data — without being limited to manual updates. 
If you rely only on manual uploads, your data will likely become outdated, impacting your ability to make accurate risk assessments. Continuous, automated insights empower your team to act faster, reduce risk more effectively, and confidently demonstrate security outcomes to your business.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Tailor your data mapping for deeper insights&lt;/strong&gt;&lt;br&gt;Instead of being locked into rigid, vendor-defined field mappings, the Tenable One Open Connector gives you complete control over data organization within Tenable One. This flexibility allows you to segment data in ways that best fit your needs, leading to more precise data organization and helping you conduct tailored analysis.&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;h2&gt;Tenable One Open Connector: How it works&lt;/h2&gt;&lt;p&gt;The Tenable One Open Connector is powerful yet simple, so you can get your security data into Tenable One in minutes.&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Automated uploads: &lt;/strong&gt;Fully automate the ingestion process by establishing a seamless connection between Tenable One and an S3 bucket in your cloud storage. As source files refresh, Tenable One automatically ingests new data for continuous, up-to-date visibility without manual intervention. In addition, you also have the option to manually upload files, such as CSV, Excel, or ZIP files.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Flexible data mapping: &lt;/strong&gt;Control exactly how the system organizes your data. 
Map file fields to Tenable One fields, combine multiple fields into one, or split a single field across several, so you have ample flexibility to structure and analyze your data precisely.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Automated data correlation: &lt;/strong&gt;Automatically deduplicate, correlate, and normalize all incoming data for accurate, consistent comparisons across your entire dataset.&lt;/li&gt;&lt;/ul&gt;&lt;h2&gt;See it in action&lt;/h2&gt;&lt;p&gt;Watch the Tenable One Open Connector guided demo to see just how easy it is to connect a new data source.&lt;br&gt;&amp;nbsp;&lt;/p&gt;&lt;h2&gt;Tenable One Open Connector FAQ&lt;/h2&gt;&lt;p&gt;&lt;strong&gt;1. What is the Tenable One Open Connector?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The Tenable One Open Connector is the newest addition to the Tenable One ecosystem, specifically designed to further break down data silos in your security stack. While Tenable One Connectors focus on pre-configured custom integrations with specific third-party products, the Open Connector allows you to capture and integrate data from previously out-of-reach sources — including internal systems, niche third-party tools, and spreadsheets — directly into Tenable One.&amp;nbsp;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;2. Why do I need the Tenable Open Connector?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Fragmented data creates massive blind spots, and attackers thrive in the shadows between those silos. Adversaries don’t view your environment as a collection of separate domains or disconnected tools. They see it as one interconnected map of assets. With data scattered among tens or even hundreds of siloed tools, you struggle to see the critical connections and lateral paths that an attacker would exploit to move through your environment. To stay ahead of today’s threats, especially those boosted by AI, you must adopt the attacker’s perspective. 
The Tenable One Open Connector gives you clarity to identify exposures and block attacks before they ever have a chance to start.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;3. What is the value of the Tenable One Open Connector?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The Tenable One Open Connector delivers comprehensive flexibility and visibility to your security operations. You can perform a more holistic risk analysis by unifying disparate data sources that were once impossible to correlate. Beyond just visibility, the connector offers flexible data mapping to segment and organize your information to fit your specific business needs, rather than getting locked in a rigid, pre-defined template. You also get true independence from vendor integration roadmaps, so you can use the tools that work for your business and integrate them into Tenable One on your own terms.&lt;/p&gt;&lt;p&gt;&lt;em&gt;Ready to break down even more data silos and achieve a truly unified view of risk? &lt;/em&gt;&lt;a href="https://www.tenable.com/products/tenable-one/evaluate"&gt;&lt;em&gt;&lt;strong&gt;Request a demo of Tenable One today&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt;.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/Tenable%20One%20deepens%20third-party%20integrations%20with%20new%20Open%20Connector%20for%20unified%20risk%20visibility.png"&gt;
</description>
  <pubDate>Thu, 21 May 2026 08:30:00 -0400</pubDate>
    <dc:creator>Nathan Dyer</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210921</guid>
    </item>
<item>
  <title>Implement agentic AI in cybersecurity with Tenable Hexa AI: Reduce cyber risk at machine speed</title>
  <link>https://www.tenable.com/blog/implement-agentic-ai-in-cybersecurity-to-reduce-risk-tenable-hexa-ai</link>
  <description>&lt;p&gt;As frontier AI models collapse the traditional exploit window, Tenable Hexa AI transforms the security operating model from manual triage to agentic orchestration. See how you can automate vulnerability remediation and super-charge exposure management with Tenable Hexa AI.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;&lt;strong&gt;Key takeaways&lt;/strong&gt;&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;AI models like Claude Mythos have reduced the time from vulnerability discovery to weaponization from weeks to minutes, making manual defense untenable.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Tenable Hexa AI serves as an agentic engine that orchestrates complex, multi-step remediation workflows across modern attack surfaces to accelerate the speed of preemptive security and propel your exposure management program.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Using the Model Context Protocol (MCP) included in Tenable Hexa AI, your team can build and deploy custom agents that anchor your preferred LLMs in the Tenable Exposure Data Fabric, ensuring every automated action is governed, auditable, and accurate.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;h2&gt;Why you need to implement agentic AI in cybersecurity (and specifically, in vulnerability management)&amp;nbsp;&lt;/h2&gt;&lt;img class="vidyard-player-embed" src="https://play.vidyard.com/JtcvXDEJZc2Gp4jzrAAh6W.jpg" width="100%" data-uuid="JtcvXDEJZc2Gp4jzrAAh6W" data-v="4" data-type="inline" height="100%" alt="Implement agentic AI in cybersecurity for vulnerability management with Tenable Hexa AI Eric Doerr" loading="lazy"&gt;&lt;p&gt;For most of my career in cybersecurity, we’ve operated on a fundamental, if unspoken, assumption: We had a grace period. Whenever a new vulnerability was discovered, we knew we had time, often weeks or months, before adversaries would begin exploiting it. The time between vulnerability discovery and exploitation gave us breathing room. 
It gave us time to patch, triage, and remediate.&lt;/p&gt;&lt;p&gt;But not any more. The gap between discovery and exploitation has been shrinking for years, and the vulnerability discovery capabilities demonstrated by frontier AI models like &lt;a href="https://www.tenable.com/blog/claude-mythos-prepare-for-AI-cybersecurity-questions-from-your-board-of-directors" target="_blank"&gt;Claude Mythos&lt;/a&gt; are narrowing it even more.&lt;/p&gt;&lt;p&gt;We have entered the era of AI speed. When an LLM can unearth a 27-year-old vulnerability in a hardened OS in minutes, and then weaponize it in seconds, old defensive cycles can’t keep up, and that’s untenable.&amp;nbsp;&lt;/p&gt;&lt;p&gt;This is why I’m so excited to announce the general availability of &lt;a href="https://www.tenable.com/products/tenable-one/capabilities/hexa-ai" target="_blank"&gt;Tenable Hexa AI&lt;/a&gt;, the agentic engine of the &lt;a href="https://www.tenable.com/products/tenable-one" target="_blank"&gt;Tenable One Exposure Management Platform&lt;/a&gt;, at &lt;a href="https://events.tenable.com/event/exposure2026/summary" target="_blank"&gt;EXPOSURE 2026&lt;/a&gt;: because it’s designed to help your organization address the escalating, AI-driven pace of vulnerability discovery.&lt;/p&gt;&lt;h2&gt;The agentic AI imperative in cybersecurity: Scale your preemptive defense to match machine speed with agentic innovation from Tenable&lt;/h2&gt;&lt;p&gt;Tenable Hexa AI is built to be a force multiplier &lt;em&gt;&lt;strong&gt;and&lt;/strong&gt;&lt;/em&gt; a flexible engine for innovation. 
Featuring a suite of built-in agents ready to automate assessment configuration, asset tagging, dashboard creation, ticket creation, and more, Tenable Hexa AI is designed to help your organization overcome the operational challenges deepened by adversarial AI use.&amp;nbsp;&lt;/p&gt;&lt;p&gt;When the window between discovery and exploitation hits near-zero, security teams locked in manual vulnerability management operating models are forced into a state of perpetual emergency. Manually stitching together context and telemetry from cloud, identity, OT, and vulnerability silos in an arduous effort to prioritize remediation for downstream IT and DevOps teams is a losing battle.&amp;nbsp;&lt;/p&gt;&lt;p&gt;And when you can’t provide clear, risk-based remediation priorities to IT and DevOps teams, you end up bombarding them with seemingly urgent tickets that may not in fact be critical to your organization. Constant shifts in remediation priorities and endless debates over what needs fixing and why are not sustainable. 
It creates friction and causes you to lose the cybersecurity race.&lt;/p&gt;&lt;p&gt;In a world where attackers move at machine speed, only comprehensive exposure intelligence combined with the agentic AI orchestration capabilities provided by the Tenable One Exposure Management Platform can give you clarity and control.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Tenable Hexa AI doesn’t just tell you where you are vulnerable; it mobilizes your preemptive defense.&lt;/p&gt;&lt;h2&gt;Capabilities of Tenable Hexa AI&lt;/h2&gt;&lt;p&gt;With this GA release, Tenable delivers foundational capabilities to help your organization accelerate the pace of vulnerability discovery and remediation, including:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Your choice of agents&lt;/strong&gt; - Use our pre-built, out-of-the-box agents to start reducing risk immediately, or use the Model Context Protocol (MCP) server built into Tenable Hexa AI to create custom agents tailored to your organization’s environment.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Advanced multi-step reasoning&lt;/strong&gt; - Tenable Hexa AI executes complex, end-to-end workflows spanning your attack surface (e.g., IT, cloud, identity, OT, etc.) in a single request, eliminating the need for practitioners to toggle between views to get exposure context. 
It understands that a CVE in your web app is a critical threat &lt;em&gt;specifically&lt;/em&gt; because it is linked to a privileged service account with a path to your sensitive data.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Automated remediation workflows&lt;/strong&gt; - Tenable Hexa AI orchestrates remediation workflows, automatically creating and routing tickets, generating custom policies, and producing audit-ready reports, so security teams can act fast on every critical exposure.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;End-to-end exposure path insights - &lt;/strong&gt;Practitioners can query their environment by identity attributes, such as service accounts, privileged users, and Active Directory groups, to surface exposure paths that traditional asset inventories miss. Tenable Hexa AI also provides guided assistance for complex Active Directory sensor configurations.&lt;/li&gt;&lt;/ul&gt;&lt;h2&gt;Build your own AI agents for cybersecurity with Tenable Hexa AI&lt;/h2&gt;&lt;p&gt;In addition to out-of-the-box agentic capabilities for use cases like automated assessment configuration, asset tagging, and ticket creation, customers can also build custom agents via Tenable Hexa AI's built-in MCP that are informed by your organization’s unique security policies and internal business logic.&lt;/p&gt;&lt;p&gt;Tenable Hexa AI serves as the orchestration layer connecting your favorite AI tools to your infrastructure and other security tools, all with the data and context from the Tenable Exposure Data Fabric. By anchoring the models your organization uses in the authoritative context of your own environment, Tenable Hexa AI moves you beyond generic AI answers to governed and auditable automation. Whether you are automating complex remediation or generating board-ready dashboards, Tenable Hexa AI ensures the output is both verifiable and auditable.&lt;/p&gt;&lt;p&gt;The Tenable Exposure Data Fabric is key because an agent is only as effective as the data it has access to. 
Tenable Hexa AI is powered by the Tenable Exposure Data Fabric, a repository of 20 years of vulnerability research and the industry’s largest collection of contextualized exposure data. In other words, we’ve built an agentic engine for cybersecurity that uses the world’s best exposure data to drive machine-speed actions. This is the only way to ensure your AI is validating the real state of your environment, rather than just guessing.&lt;/p&gt;&lt;h2&gt;Real-world agentic AI use cases for Tenable Hexa AI&amp;nbsp;&lt;/h2&gt;&lt;p&gt;While there are virtually infinite ways to apply agentic orchestration to your unique cybersecurity challenges, here are four high-impact areas where manual workflows traditionally break down and make it impossible for you to keep pace with AI-powered vulnerability discovery:&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/crushing-axios-supply-chain-threat-tenable-hexa-ai-agentic-ai-use-cases" target="_blank"&gt;&lt;strong&gt;Supply chain response&lt;/strong&gt;&lt;/a&gt; - Neutralize third-party threats by using Tenable Hexa AI to correlate software components with affected internal assets.&lt;/li&gt;&lt;/ul&gt;&lt;img class="vidyard-player-embed align-left" src="https://play.vidyard.com/fUYTm82QtWQ78DtAGbr6VZ.jpg" alt="Use Tenable Hexa AI to identify all the assets in your environment that are vulnerable to the Axios npm supply chain attack agentic AI for cybersecurity" width="100%" height="100%" data-uuid="fUYTm82QtWQ78DtAGbr6VZ" data-v="4" data-type="inline" loading="lazy"&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/beating-the-mythos-clock-using-tenable-hexa-ai-custom-agents-for-automated-patching" target="_blank"&gt;&lt;strong&gt;Automated patching&lt;/strong&gt;&lt;/a&gt; - Use custom Hexa agents to beat the Mythos clock by orchestrating patches the moment a vulnerability is validated.&lt;/li&gt;&lt;/ul&gt;&lt;img class="vidyard-player-embed align-left" 
src="https://play.vidyard.com/vg72JcFkbP2yd1GKqKPkjT.jpg" alt="Use Tenable Hexa AI to automate patching agentic AI for cybersecurity" width="100%" height="100%" data-uuid="vg72JcFkbP2yd1GKqKPkjT" data-v="4" data-type="inline" loading="lazy"&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/vulnerability-remediation-match-cves-to-asset-owners-in-seconds-with-tenable" target="_blank"&gt;&lt;strong&gt;Remediation assignment&lt;/strong&gt;&lt;/a&gt; - Use Tenable Hexa AI to automatically match CVEs to asset owners in seconds and trigger immediate response workflows.&lt;/li&gt;&lt;/ul&gt;&lt;img class="vidyard-player-embed align-left" src="https://play.vidyard.com/ArGJpEU2oKAG7AmoLVjJ5b.jpg" alt="vulnerability remediation match CVEs to asset owners in seconds with Tenable Hexa AI" width="100%" height="100%" data-uuid="ArGJpEU2oKAG7AmoLVjJ5b" data-v="4" data-type="inline" loading="lazy"&gt;&lt;p&gt;These use cases demonstrate how Tenable Hexa AI can bridge the gap between exposure intelligence and action.&lt;/p&gt;&lt;h2&gt;Make the untenable Tenable&lt;/h2&gt;&lt;p&gt;The collapse of the exploit window is a wake-up call. It gives us the opportunity to change how we work. By shifting from manual triage to agentic orchestration, organizations are seeing a shift in productivity and how they prioritize and action exposure reduction.&lt;/p&gt;&lt;p&gt;While early design partners have already reclaimed days per month on foundational tasks like asset tagging, the value is not found solely in the hours saved, but rather, in the precision of the response. By automating the correlation between cloud, identity, AI, OT, and vulnerability data, Tenable One provides the clear, contextualized instructions that IT and DevOps teams need to act with confidence.&lt;/p&gt;&lt;p&gt;This eliminates the administrative friction and back-and-forth negotiation that often results in critical vulnerabilities going unaddressed. 
Reclaiming those days means your best people are no longer buried in spreadsheets; they are focused on high-impact strategy, architecture hardening, and preemptive defense.&lt;/p&gt;&lt;p&gt;Tenable Hexa AI is available today as part of the &lt;a href="https://www.tenable.com/products/tenable-one/pricing" target="_blank"&gt;Tenable One Foundation and Tenable One Advanced packages&lt;/a&gt;.&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/Blog%20Banner_1180x544.png"&gt;
</description>
  <pubDate>Wed, 20 May 2026 09:00:00 -0400</pubDate>
    <dc:creator>Eric Doerr</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210922</guid>
    </item>
<item>
  <title>Key findings from the Verizon DBIR 2026: Slower vulnerability remediation meets faster exploitation</title>
  <link>https://www.tenable.com/blog/key-findings-from-the-verizon-dbir-2026</link>
  <description>&lt;p&gt;&lt;strong&gt;The 2026 Verizon Data Breach Investigations Report (DBIR) reveals a troubling trend: vulnerability exploitation has surged to become the number one initial access vector while remediation rates have worsened.&lt;/strong&gt;&lt;/p&gt;&lt;h2&gt;Key takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;Vulnerability exploitation has surged to become the leading initial access vector for breaches, accounting for 31% of data breaches during the study period.&lt;/li&gt;&lt;li&gt;Security teams’ patching efforts are falling further behind, with the median time-to-patch growing by 11 days in the past year.&lt;/li&gt;&lt;li&gt;As AI-powered tools increase the speed and volume of vulnerability discovery and vulnerability exploitation, exposure management helps organizations keep up by continually assessing their attack surfaces, prioritizing risks, and orchestrating automated remediation of security weaknesses.&lt;/li&gt;&lt;/ol&gt;&lt;h2&gt;What is the Verizon DBIR report&lt;/h2&gt;&lt;p&gt;Verizon’s annual &lt;a href="http://www.verizon.com/dbir"&gt;&lt;u&gt;Data Breach Investigations Report (DBIR)&lt;/u&gt;&lt;/a&gt; has helped organizations understand evolving cyber threats since its first release in 2008. For the 2026 edition, Tenable Research once again contributed enriched data on vulnerability exploitation and vulnerability remediation trends. This year’s findings paint a stark picture: Compared with last year, organizations are facing a significant increase in the volume of “must-patch” vulnerabilities from the &lt;a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog"&gt;&lt;u&gt;Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities&lt;/u&gt;&lt;/a&gt; (KEV) catalog.&lt;/p&gt;&lt;p&gt;The widening gap between vulnerability disclosure and remediation represents one of the most pressing challenges in cybersecurity today. 
Security teams are already overwhelmed, both by the rising number of vulnerabilities and the lack of time for &lt;a href="https://www.tenable.com/products/patch-management"&gt;&lt;u&gt;patch management&lt;/u&gt;&lt;/a&gt;. This reality underscores the critical need for comprehensive &lt;a href="https://www.tenable.com/exposure-management"&gt;&lt;u&gt;exposure management&lt;/u&gt;&lt;/a&gt;, a strategic, AI-driven approach to preemptive security designed to help organizations reduce cyber risk by continually assessing their attack surfaces, prioritizing risks, and orchestrating automated remediation of security weaknesses.&lt;/p&gt;&lt;h2&gt;Verizon DBIR 2026 overview and analysis&lt;/h2&gt;&lt;p&gt;The 2026 Verizon DBIR found that vulnerability exploitation is the top initial access vector, accounting for 31% of data breaches during the study period. Even more concerning is that the median time-to-patch has increased from 32 days to 43 days, a 34% increase. This year’s findings paint a stark picture: The number of vulnerabilities continues to snowball, as organizations’ patching rates continue to fall behind.&lt;/p&gt;&lt;h3&gt;The CVE explosion continues — and AI will accelerate it&lt;/h3&gt;&lt;p&gt;The vulnerability landscape continues to see explosive growth as the &lt;a href="https://www.cve.org/about/overview"&gt;&lt;u&gt;CVE program&lt;/u&gt;&lt;/a&gt; currently reports more than 351,000 registered CVEs with more than &lt;a href="https://www.cve.org/About/Metrics"&gt;&lt;u&gt;21,500 already reserved in 2026&lt;/u&gt;&lt;/a&gt;. As we’re on the path for another record number of CVEs, this flood of vulnerabilities creates an extremely difficult situation for security teams already stretched thin. With median time-to-patch increasing and exploitation timelines shrinking, attackers are winning the race between disclosure and remediation.&lt;/p&gt;&lt;p&gt;The situation may be poised to worsen dramatically. 
The cybersecurity community is increasingly concerned about &lt;a href="https://www.tenable.com/blog/why-the-approaching-flood-of-vulnerabilities-changes-everything-and-what-to-do-about-it"&gt;&lt;u&gt;AI-powered vulnerability discovery&lt;/u&gt;&lt;/a&gt; tools like Anthropic’s Claude &lt;a href="https://www.tenable.com/blog/claude-mythos-prepare-for-AI-cybersecurity-questions-from-your-board-of-directors"&gt;&lt;u&gt;Mythos&lt;/u&gt;&lt;/a&gt;, which can automatically identify security flaws in codebases at unprecedented speed and scale. While such tools hold promise for defensive security teams, they also represent a potential inflection point: if AI can discover vulnerabilities faster than organizations can patch them, the already immense patch burden could become truly unmanageable.&lt;/p&gt;&lt;p&gt;This AI-driven acceleration comes at the worst possible time. Organizations are already struggling to remediate vulnerabilities, with the Verizon data breach investigations report finding that organizations successfully remediate only 26% of KEV vulnerabilities. Adding to this concern, the DBIR points out that there has been a nearly 50% increase in the number of CISA KEV vulnerabilities to patch in 2025, putting even more pressure on security teams.&lt;/p&gt;&lt;p&gt;If AI models begin flooding the CVE database with newly discovered vulnerabilities, or worse, if attackers leverage these models to find and exploit zero-days before defenders can respond, the current remediation crisis is likely to escalate into a systemic failure of the traditional patch-based defense model.&lt;/p&gt;&lt;h2&gt;The exposure management imperative&lt;/h2&gt;&lt;p&gt;While vulnerability exploitation dominates headlines as the number one initial access vector, it represents only a slice of the exposure problem. 
The DBIR notably highlights &lt;a href="https://www.tenable.com/blog/how-identity-plays-a-part-in-5-stages-of-a-cyber-attack"&gt;&lt;u&gt;credential abuse&lt;/u&gt;&lt;/a&gt; as another significant threat vector, underscoring that vulnerabilities don’t exist in isolation. Stolen credentials can transform a moderate-severity vulnerability into a critical breach pathway, while exposed configurations can provide attackers with the access needed to exploit unpatched systems.&lt;/p&gt;&lt;p&gt;This interconnected nature of exposures highlights why more and more organizations are adopting comprehensive &lt;a href="https://www.tenable.com/exposure-management/resource-center"&gt;&lt;u&gt;exposure management&lt;/u&gt;&lt;/a&gt;. Understanding and addressing the full attack surface, including identity risks, misconfigurations, excessive permissions, and vulnerable assets, is essential to reducing breach risk in today’s threat landscape.&lt;/p&gt;&lt;p&gt;The emergence of AI-powered vulnerability discovery makes exposure management absolutely essential. As AI tools accelerate vulnerability identification, organizations cannot simply try to patch more vulnerabilities faster. Instead, they must focus on understanding and remediating the vulnerabilities that matter most in the context of their specific environment. A newly discovered vulnerability on an isolated system with no credentials exposed and strong access controls poses far less risk than an older CVE on an internet-facing asset with weak authentication. 
The &lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;u&gt;Tenable One Exposure Management Platform&lt;/u&gt;&lt;/a&gt; provides both the contextual framework needed to make these critical prioritization decisions and the &lt;a href="https://www.tenable.com/products/tenable-one/capabilities/hexa-ai"&gt;&lt;u&gt;agentic orchestration engine&lt;/u&gt;&lt;/a&gt; required to accelerate remediation in an era of AI-accelerated vulnerability discovery.&lt;/p&gt;&lt;h2&gt;Notable data insights from the DBIR reporting period&lt;/h2&gt;&lt;p&gt;As Tenable Research examined the trends in the data, our team decided to distill the CVEs into product categories and compare which categories saw the largest percentage of unremediated assets. For our analysis, we focused on KEV CVEs as these are vulnerabilities known to have been exploited and in attackers’ crosshairs.&lt;/p&gt;&lt;p&gt;As you can see in the figure below, vulnerabilities affecting development tools saw the highest rate of unremediated assets, followed by virtualization/hypervisor flaws and remote monitoring and management (RMM) flaws. While the remediation process across these product categories can vary, the overall trend of nearly all of the product categories having an above 50% unremediated rate demonstrates that organizations are still struggling with vulnerability remediation.&lt;/p&gt;&lt;img src="https://www.tenable.com/sites/default/files/images/blog/c7b5881a-387a-4906-a487-64a1a29daed9.png" alt="An infographic summarizing the average percentage of unmediated assets and how organizations still struggle with vulnerability remediation today." 
width="1622" height="1002" referrerpolicy="no-referrer" title="Chart" loading="lazy"&gt;&lt;p&gt;Similarly, we looked at the average number of days that assets remained unremediated while comparing that to the number of CVEs affecting that category during the DBIR reporting period.&lt;/p&gt;&lt;img src="https://www.tenable.com/sites/default/files/images/blog/fa35f7a1-4439-47ac-9c27-9e5bbb0eff44.png" alt="A Tenable infographic summarizing the average number of days of unremediated assets compared to CVE count." width="1670" height="1032" referrerpolicy="no-referrer" title="Chart" loading="lazy"&gt;&lt;p&gt;Tenable analysis of the data reinforces the stark reality highlighted in the Verizon DBIR: Organizations are taking longer to patch known and exploited vulnerabilities while facing a rapid increase in the number of vulnerabilities that require immediate attention.&lt;/p&gt;&lt;h2&gt;DBIR findings&lt;/h2&gt;&lt;p&gt;The 2026 DBIR findings are sobering but not surprising to those on the front lines of cybersecurity. The data confirms what many security teams experience daily: The patch burden is growing faster than organizations’ ability to respond. 
With vulnerability exploitation now the top initial access vector and median time-to-patch continuing to climb, the gap between attacker speed and defender response continues to widen.&lt;/p&gt;&lt;p&gt;Organizations must adopt an exposure-centric approach that considers not just the presence of vulnerabilities, but the full risk context of their environment:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Which assets are exposed?&lt;/li&gt;&lt;li&gt;Who has access?&lt;/li&gt;&lt;li&gt;Which credentials are compromised?&lt;/li&gt;&lt;li&gt;Which exposure combinations create the most dangerous attack paths?&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;In an era where AI is discovering vulnerabilities faster than humans can patch them, understanding which exposures truly matter represents the only sustainable path forward.&lt;/p&gt;&lt;p&gt;The 2026 DBIR, enriched with Tenable Research’s data, provides valuable insights into today’s threat landscape. Tenable encourages security professionals to read the full &lt;a href="http://www.verizon.com/dbir"&gt;&lt;u&gt;Verizon DBIR&lt;/u&gt;&lt;/a&gt; to understand current attack trends and use these findings to inform their exposure management strategies. The crisis documented in this report signals that the traditional vulnerability-centric model needs a fundamental evolution toward comprehensive, AI-driven exposure management.&lt;/p&gt;&lt;h2&gt;Identifying affected systems&lt;/h2&gt;&lt;p&gt;Tenable provides comprehensive detection coverage for CISA’s KEV catalog, with &lt;a href="https://www.tenable.com/blog/study-tenable-offers-fastest-broadest-coverage-of-cisas-kev-catalog"&gt;&lt;u&gt;detection capabilities deployed rapidly&lt;/u&gt;&lt;/a&gt; following vulnerability disclosure. This coverage spans diverse asset categories, enabling comprehensive visibility into actively exploited vulnerabilities across your environments. 
CVEs on the KEV catalog will have a tag on the individual &lt;a href="https://www.tenable.com/cve"&gt;&lt;u&gt;CVE pages&lt;/u&gt;&lt;/a&gt;, and you can browse our upcoming plugins on our &lt;a href="https://www.tenable.com/plugins/pipeline"&gt;&lt;u&gt;Plugins Pipeline&lt;/u&gt;&lt;/a&gt; page.&lt;/p&gt;&lt;h3&gt;Get more information&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.verizon.com/dbir"&gt;&lt;u&gt;Verizon 2026 Data Breach Investigations Report (DBIR)&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Join &lt;/strong&gt;&lt;/em&gt;&lt;a href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable's Research Special Operations (RSO) Team&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt; on Tenable Connect for further discussions on the latest cyber threats.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Learn more about &lt;/strong&gt;&lt;/em&gt;&lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable One&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt;, the Exposure Management Platform for the modern attack surface.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/DBIR_2.png"&gt;
</description>
  <pubDate>Tue, 19 May 2026 09:17:00 -0400</pubDate>
    <dc:creator>Scott Caveza</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210924</guid>
    </item>
<item>
  <title>Frequently asked questions about the continued exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182)</title>
  <link>https://www.tenable.com/blog/faq-about-the-continued-exploitation-of-cisco-catalyst-sd-wan-vulnerabilities-uat-8616</link>
  <description>&lt;p&gt;&lt;strong&gt;Multiple critical authentication bypass vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager are under active exploitation by multiple threat clusters, including CVE-2026-20182, which has been exploited as a zero-day by a sophisticated threat actor.&lt;/strong&gt;&lt;/p&gt;&lt;h2&gt;Key Takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;CVE-2026-20182 is a critical (CVSSv3 10.0) authentication bypass in Cisco Catalyst SD-WAN Controller and Manager disclosed on May 14 with confirmed active exploitation.&lt;/li&gt;&lt;li&gt;A sophisticated threat actor designated UAT-8616 has exploited Cisco SD-WAN vulnerabilities since at least 2023, and 10 additional threat clusters began exploitation of multiple vulnerabilities in SD-WAN after public proof-of-concept code became available.&lt;/li&gt;&lt;li&gt;Patches are available for all supported Cisco Catalyst SD-WAN releases and CISA has mandated remediation by May 17 under Emergency Directive 26-03.&lt;/li&gt;&lt;/ol&gt;&lt;h2&gt;Background&lt;/h2&gt;&lt;p&gt;Tenable's Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding the ongoing exploitation of multiple vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager.&lt;/p&gt;&lt;h2&gt;FAQ&lt;/h2&gt;&lt;p&gt;&lt;strong&gt;When were these Cisco SD-WAN vulnerabilities first disclosed?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;On February 25, 2026, Cisco published an advisory for &lt;a href="https://www.tenable.com/cve/CVE-2026-20127"&gt;&lt;u&gt;CVE-2026-20127&lt;/u&gt;&lt;/a&gt;, a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager that was already being exploited in the wild at the time of disclosure. 
Alongside that advisory, Cisco also released patches for three additional vulnerabilities in SD-WAN Manager: &lt;a href="https://www.tenable.com/cve/CVE-2026-20133"&gt;&lt;u&gt;CVE-2026-20133&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://www.tenable.com/cve/CVE-2026-20128"&gt;&lt;u&gt;CVE-2026-20128&lt;/u&gt;&lt;/a&gt;, and &lt;a href="https://www.tenable.com/cve/CVE-2026-20122"&gt;&lt;u&gt;CVE-2026-20122&lt;/u&gt;&lt;/a&gt;. The security advisory for these CVEs (&lt;a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v"&gt;&lt;u&gt;cisco-sa-sdwan-authbp-qwCX8D4v&lt;/u&gt;&lt;/a&gt;) was updated in March to confirm exploitation of CVE-2026-20128 and CVE-2026-20122 and then again in April to confirm that CVE-2026-20133 had also been exploited.&lt;/p&gt;&lt;p&gt;On May 14, 2026, Cisco published a &lt;a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW"&gt;&lt;u&gt;new advisory (cisco-sa-sdwan-rpa2-v69WY2SW)&lt;/u&gt;&lt;/a&gt; for &lt;a href="https://www.tenable.com/cve/CVE-2026-20182"&gt;&lt;u&gt;CVE-2026-20182&lt;/u&gt;&lt;/a&gt;, a separate critical authentication bypass vulnerability that was discovered during the investigation into the earlier exploitation. 
This vulnerability is also under active exploitation.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What are the vulnerabilities associated with the Cisco SD-WAN exploitation?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;There are five CVEs associated with this ongoing campaign, plus one older vulnerability used for post-compromise privilege escalation:&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;CVE&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Description&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;CVSSv3&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Cisco Advisory&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2026-20182"&gt;&lt;u&gt;CVE-2026-20182&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability&lt;/td&gt;&lt;td&gt;10.0&lt;/td&gt;&lt;td&gt;&lt;a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW"&gt;&lt;u&gt;cisco-sa-sdwan-rpa2-v69WY2SW&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2026-20127"&gt;&lt;u&gt;CVE-2026-20127&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability&lt;/td&gt;&lt;td&gt;10.0&lt;/td&gt;&lt;td&gt;&lt;a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk"&gt;&lt;u&gt;cisco-sa-sdwan-rpa-EHchtZk&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2026-20133"&gt;&lt;u&gt;CVE-2026-20133&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability&lt;/td&gt;&lt;td&gt;7.5&lt;/td&gt;&lt;td&gt;&lt;a 
href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v"&gt;&lt;u&gt;cisco-sa-sdwan-authbp-qwCX8D4v&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2026-20128"&gt;&lt;u&gt;CVE-2026-20128&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Manager Credential Access Vulnerability&lt;/td&gt;&lt;td&gt;7.5&lt;/td&gt;&lt;td&gt;&lt;a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v"&gt;&lt;u&gt;cisco-sa-sdwan-authbp-qwCX8D4v&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2026-20122"&gt;&lt;u&gt;CVE-2026-20122&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Manager Arbitrary File Overwrite Vulnerability&lt;/td&gt;&lt;td&gt;5.4&lt;/td&gt;&lt;td&gt;&lt;a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v"&gt;&lt;u&gt;cisco-sa-sdwan-authbp-qwCX8D4v&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2022-20775"&gt;&lt;u&gt;CVE-2022-20775&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Cisco SD-WAN CLI Path Traversal Privilege Escalation Vulnerability&lt;/td&gt;&lt;td&gt;7.8&lt;/td&gt;&lt;td&gt;&lt;a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-priv-E6e8tEdF"&gt;&lt;u&gt;cisco-sa-sd-wan-priv-E6e8tEdF&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;Both CVE-2026-20182 and CVE-2026-20127 are critical-severity flaws that enable remote, unauthenticated access to administrative functions due to broken peering authentication logic. 
CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122, when chained together, allow a remote unauthenticated attacker to gain access to the SD-WAN Manager.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What products are affected?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The following table lists the CVEs and affected devices. None of these vulnerabilities require specific device configurations to be exploitable, and all deployment models are affected:&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;CVE&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Affected Device(s)&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;CVE-2026-20182&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;CVE-2026-20127&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;CVE-2026-20133&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Manager&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;CVE-2026-20128&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Manager&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;CVE-2026-20122&lt;/td&gt;&lt;td&gt;Cisco Catalyst SD-WAN Manager&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;CVE-2022-20775&lt;/td&gt;&lt;td&gt;Cisco SD-WAN Software:&lt;br&gt;- SD-WAN vBond Orchestrator Software&lt;br&gt;- SD-WAN vEdge Cloud Routers&lt;br&gt;- SD-WAN vEdge Routers&lt;br&gt;- SD-WAN vManage Software&lt;br&gt;- SD-WAN vSmart Controller Software&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;How severe is the exploitation?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Successful exploitation of CVE-2026-20182 or CVE-2026-20127 provides access to a privileged (but non-root) internal account on the SD-WAN Controller. That access opens NETCONF, giving the attacker the ability to alter network configuration across the entire SD-WAN fabric. 
In observed attacks, the threat actor UAT-8616 then leveraged CVE-2022-20775 via a software version downgrade technique to escalate privileges to root.&lt;/p&gt;&lt;p&gt;Post-compromise activities observed by Cisco Talos include SSH key injection, NETCONF configuration manipulation, malicious account creation, and extensive log clearing to cover tracks.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Who is UAT-8616?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;UAT-8616 is a designation assigned by Cisco Talos to a “highly sophisticated cyber threat actor” that has been exploiting Cisco SD-WAN infrastructure since at least 2023. According to &lt;a href="https://blog.talosintelligence.com/uat-8616-sd-wan/"&gt;&lt;u&gt;Cisco Talos&lt;/u&gt;&lt;/a&gt;, UAT-8616 targets critical infrastructure sectors and its infrastructure overlaps with monitored Operational Relay Box (ORB) networks.&lt;/p&gt;&lt;p&gt;UAT-8616 exploits CVE-2026-20182 and CVE-2026-20127 for initial access, then, in the case of CVE-2026-20127 exploitation, performs software version downgrades to expose CVE-2022-20775 for root privilege escalation. After achieving root access, the actor restores the original software version to conceal the exploitation path. Additional persistence techniques include injecting SSH keys into authorized_keys files, enabling PermitRootLogin in the SSH daemon configuration, and clearing forensic evidence from syslog, wtmp, lastlog, bash_history and cli-history files.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Are there other threat actors exploiting these vulnerabilities?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Yes. Cisco Talos has identified &lt;a href="https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/"&gt;&lt;u&gt;10 additional threat clusters&lt;/u&gt;&lt;/a&gt; that are distinct from UAT-8616. These clusters have been exploiting the CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 chain since early March 2026, following the publication of proof-of-concept code by ZeroZenX Labs. 
The tools deployed by these clusters range from webshells (Godzilla, Behinder, XenShell) and red team frameworks (AdaptixC2, Sliver) to cryptocurrency miners (XMRig) and credential stealers targeting admin hashes, JWT tokens and AWS credentials.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Are proofs-of-concept (PoCs) available?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Yes. ZeroZenX Labs published proof-of-concept code for the CVE-2026-20133, CVE-2026-20128, CVE-2026-20122 exploit chain in March 2026. This PoC release directly correlated with the surge in exploitation activity across multiple threat clusters. The availability of public PoC code highlights the risk to any exposed SD-WAN infrastructure that remains unpatched.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What actions has CISA taken?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;CISA has taken multiple actions in response to the Cisco SD-WAN exploitation campaign:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;February 25, 2026:&lt;/strong&gt; Added CVE-2026-20127 and CVE-2022-20775 to the Known Exploited Vulnerabilities (KEV) catalog&lt;/li&gt;&lt;li&gt;&lt;strong&gt;April 20, 2026:&lt;/strong&gt; Added CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 to the KEV catalog&lt;/li&gt;&lt;li&gt;&lt;strong&gt;May 14, 2026:&lt;/strong&gt; Added CVE-2026-20182 to the KEV catalog with an action deadline of May 17, 2026&lt;/li&gt;&lt;li&gt;&lt;strong&gt;May 14, 2026:&lt;/strong&gt; Issued Emergency Directive 26-03 and published Hunt &amp;amp; Hardening Guidance for Cisco SD-WAN Devices&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;All five CVEs in this campaign are now in CISA's KEV catalog.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Are patches available?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Cisco has released patches for each of the vulnerabilities discussed in this blog. 
We recommend reviewing the security advisories issued by Cisco for each CVE to identify the patch release and any prerequisites for applying the patches successfully.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Are there indicators of compromise (IoC)?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Cisco has published detailed IoC information across its advisories and Talos blog posts. The indicators include:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Log evidence:&lt;/strong&gt; Check /var/log/auth.log for "Accepted publickey for vmanage-admin" entries from unknown or unauthorized IP addresses&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Control connection anomalies:&lt;/strong&gt; Run show control connections detail or show control connections-history detail and look for connections with state:up and challenge-ack: 0, which may indicate unauthorized peering&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Post-compromise artifacts:&lt;/strong&gt; Unauthorized SSH keys in /home/vmanage-admin/.ssh/authorized_keys/, PermitRootLogin enabled in /etc/ssh/sshd_config, unexplained software downgrades followed by reboots&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Full IoC lists, including C2 server IPs, malware file hashes, and attacker source IPs, are available in the &lt;a href="https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/"&gt;&lt;u&gt;Cisco Talos blog&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Has Tenable Research classified these vulnerabilities as part of Vulnerability Watch?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Yes. CVE-2026-20182, CVE-2026-20127, CVE-2026-20128, and CVE-2026-20122 have been classified as Vulnerabilities of Interest under &lt;a href="https://www.tenable.com/blog/reducing-remediation-time-remains-a-challenge-how-tenable-vulnerability-watch-can-help"&gt;&lt;u&gt;Vulnerability Watch&lt;/u&gt;&lt;/a&gt; due to confirmed active exploitation and the availability of public proof-of-concept code. 
Tenable has been tracking this cluster of vulnerabilities since the original disclosure in February 2026, with watches re-established as exploitation escalated in March and again in May 2026 when CVE-2026-20182 was disclosed.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Has Tenable released product coverage?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for &lt;a href="https://www.tenable.com/cve/CVE-2026-20182/plugins"&gt;&lt;u&gt;CVE-2026-20182&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://www.tenable.com/cve/CVE-2026-20127/plugins"&gt;&lt;u&gt;CVE-2026-20127&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://www.tenable.com/cve/CVE-2026-20133/plugins"&gt;&lt;u&gt;CVE-2026-20133&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://www.tenable.com/cve/CVE-2026-20128/plugins"&gt;&lt;u&gt;CVE-2026-20128&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://www.tenable.com/cve/CVE-2026-20122/plugins"&gt;&lt;u&gt;CVE-2026-20122&lt;/u&gt;&lt;/a&gt;, and &lt;a href="https://www.tenable.com/cve/CVE-2022-20775/plugins"&gt;&lt;u&gt;CVE-2022-20775&lt;/u&gt;&lt;/a&gt;. 
These links will display all available plugins for these vulnerabilities, including upcoming plugins in our &lt;a href="https://www.tenable.com/plugins/pipeline"&gt;&lt;u&gt;Plugins Pipeline&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Cisco Catalyst SD-WAN devices by using the following query: Document Title contains Cisco Catalyst SD-WAN.&lt;/p&gt;&lt;img src="https://www.tenable.com/sites/default/files/images/blog/92a9132d-d6c0-4f3f-9667-effdf96f1d65.png" alt="A screenshot of Tenable Attack Surface Management showing a query for Cisco Catalyst SD-WAN devices" width="2048" height="790" referrerpolicy="no-referrer" loading="lazy"&gt;&lt;h3&gt;Get more information&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW"&gt;&lt;u&gt;Cisco Security Advisory: cisco-sa-sdwan-rpa2-v69WY2SW&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/"&gt;&lt;u&gt;Cisco Talos: SD-WAN Ongoing Exploitation&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://blog.talosintelligence.com/uat-8616-sd-wan/"&gt;&lt;u&gt;Cisco Talos: UAT-8616 SD-WAN Campaign&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;Tenable blog: &lt;a href="https://www.tenable.com/blog/cve-2026-20127-cisco-catalyst-sd-wan-controllermanager-zero-day-authentication-bypass"&gt;&lt;u&gt;CVE-2026-20127: Cisco Catalyst SD-WAN Controller/Manager Zero-Day Authentication Bypass Vulnerability Exploited in the Wild&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Join&lt;/strong&gt; &lt;a href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch"&gt;&lt;strong&gt;&lt;u&gt;Tenable's Research Special Operations (RSO) Team&lt;/u&gt;&lt;/strong&gt;&lt;/a&gt; &lt;strong&gt;on Tenable Connect for further discussions on the latest 
cyber threats.&lt;/strong&gt;&lt;br&gt;&lt;strong&gt;Learn more about&lt;/strong&gt; &lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;strong&gt;&lt;u&gt;Tenable One&lt;/u&gt;&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;, the Exposure Management Platform for the modern attack surface.&lt;/strong&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/cve-2026-20182-cisco-sd-wan%20uat-8616-faq.png"&gt;
</description>
  <pubDate>Thu, 14 May 2026 21:05:46 -0400</pubDate>
    <dc:creator>Research Special Operations</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210920</guid>
    </item>
<item>
  <title>Bring out your dead: How agentic AI for cybersecurity helps you rid your cloud of forgotten, risky assets</title>
  <link>https://www.tenable.com/blog/agentic-ai-cloud-security-zombie-assets</link>
  <description>&lt;p&gt;Tenable Hexa AI eliminates “zombie” cloud infrastructure, helping you reduce risk and make a “killing” on cost reduction.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;Key takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;As AI accelerates cloud growth, zombie cloud assets multiply in your environment. You need agentic AI to prevent a cloud zombie apocalypse.&lt;/li&gt;&lt;li&gt;Cloud assets no longer in production may seem harmless, but they expand your attack surface and can elevate your organization’s cyber risk.&lt;/li&gt;&lt;li&gt;Every zombie asset is a line item. When cloud security reduces costs, it stops being a hard conversation and becomes a welcome budget meeting.&lt;/li&gt;&lt;li&gt;Tenable Hexa AI acts as an agentic "zombie hunter" that finds and eliminates forgotten cloud assets, shrinking the attack surface and reducing costs and boosting cloud infrastructure security.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;Picture the scene from “Monty Python and the Holy Grail”: a plague-ravaged village, a cart rolling through the mud, and a lone collector bellowing, "Bring out your dead!" Bodies piling up. Costs mounting. Nobody quite sure how it got this bad.&lt;/p&gt;&lt;p&gt;Your cloud environment isn't so different.&lt;/p&gt;&lt;p&gt;In the race to maintain engineering velocity, cloud environments have quietly become a sprawling graveyard for forgotten resources. We call them zombie assets: unused, unmanaged resources that just... sit there. Not alive. Not dead. Just lingering. Accruing cost. Expanding your attack surface. And waiting for an attacker patient enough to notice nobody's watching.&lt;/p&gt;&lt;p&gt;According to Tenable Research, &lt;a href="https://www.tenable.com/cyber-exposure/cloud-and-ai-security-risk-report-2026"&gt;49% of cloud infrastructure currently sits idle and untracked&lt;/a&gt;, with neglected resources going unpatched for six months or longer. 
In addition to being budget leaks, these unused cloud assets are vulnerability goldmines for attackers. Here's the twist, though: every zombie asset you kill puts money in your pocket.&lt;/p&gt;&lt;p&gt;So let's go hunting with &lt;a href="https://www.tenable.com/products/tenable-one/capabilities/hexa-ai"&gt;Tenable Hexa AI&lt;/a&gt;.&lt;/p&gt;&lt;h2&gt;The graveyard no one meant to build&lt;/h2&gt;&lt;p&gt;Software engineering speed is the goal. It always has been. But it comes at a cost that rarely shows up in sprint reviews. Organizations are deploying ephemeral resources (containers, serverless functions, virtual machines) faster than they're retiring them. They get spun up for a sprint, a test, a proof of concept, and then quietly abandoned when the next priority arrives. This is how the zombie assets pile up: with a forgotten checkbox and a billing cycle that keeps running.&lt;/p&gt;&lt;p&gt;Knowing zombie assets are out there is one thing. Finding them across AWS, Azure, and Google Cloud Platform (GCP) is another. This is where Tenable Hexa AI transforms the game from periodic audits to a continuous, active bounty-hunting operation. This isn’t a chatbot! Tenable Hexa AI is an agentic AI engine built into the &lt;a href="https://www.tenable.com/products/tenable-one"&gt;Tenable One&lt;/a&gt; platform that moves organizations from conversation to execution by automatically performing complex security tasks. It leverages the &lt;a href="https://www.tenable.com/blog/hexa-ai-agentic-ai-for-exposure-management#:~:text=Tenable%E2%80%99s%20Exposure%20Data%20Fabric"&gt;Tenable Exposure Data Fabric&lt;/a&gt; to interpret user intent and deliver finished results.&lt;/p&gt;&lt;p&gt;With one click from anywhere in the Tenable One Cloud Exposure interface, you open Tenable Hexa AI. 
From there, you describe what you're after in plain language, and Tenable Hexa AI does something most AI tools don't: it automatically builds the query for you inside the “Explorer”, Tenable's unified data model query tool. You can see exactly what it constructed, manipulate it, refine it, and save it as a standing policy your team can run again and again. Your query history is preserved, your investigations are traceable, and when your organization is ready, those findings can trigger automations you've approved and trust.&lt;/p&gt;&lt;p&gt;Think of it this way: Tenable Hexa AI is the zombie hunter. Explorer is the map that shows you where the zombies are. And the query it builds? That's your standing order to be on a continuous hunt.&lt;/p&gt;&lt;p&gt;Let's walk through what that looks like in practice, step by step, or watch our guided demo.&lt;/p&gt;&lt;h3&gt;Step 1: Find the dangling keys, orphaned public IPs&lt;/h3&gt;&lt;p&gt;&lt;strong&gt;The scene:&lt;/strong&gt; You decommission a server. The team celebrates shipping the new version. But the public IP that pointed at that server? It's still out there, still associated with your DNS records and security whitelists, attached to nothing, watched by no one. We call these dangling IPs. They're the cloud equivalent of leaving your company's official stationery and a set of master keys on a park bench. Someone will find them. And they won't call you when they do.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;How Tenable Hexa AI finds them:&lt;/strong&gt; You tell Tenable Hexa AI what you're looking for in plain language, and it automagically builds an Explorer query that finds every AWS Elastic IP, Azure Public IP, or GCP External IP with no network interface, no running instance, and no attached resource to justify its existence. 
The logic is visible, editable, and ready to save as policy the moment you've confirmed the results. What you get back is a complete list of open doors in your environment that nobody is standing behind.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;The bounty:&lt;/strong&gt; Each unneeded Elastic IP costs roughly $3.60/month. Across a large, fast-moving environment, orphaned IPs silently drain thousands annually for infrastructure that's actively making you less secure.&lt;/p&gt;&lt;h3&gt;Step 2: The gate with no guard, load balancers without listeners&lt;/h3&gt;&lt;p&gt;&lt;strong&gt;The scene:&lt;/strong&gt; A load balancer without a listener is a high-tech security gate with no guard and no intercom. It's physically there. It's on your bill. But it isn't directing traffic, isn't protecting anything, and isn't being monitored, which means it's muddying your security audits while quietly running up a tab. It &lt;em&gt;seems&lt;/em&gt; safe because it isn't active. That's exactly what makes it dangerous. Assumptions of safety are how the dead multiply.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;How Tenable Hexa AI finds them:&lt;/strong&gt; Describe the scenario and Tenable Hexa AI builds an Explorer query that sweeps every load balancer across your environment for a single condition: no listener attached. A load balancer listener is the configuration that tells the balancer what to do with incoming traffic. No listener means no purpose. The query Tenable Hexa AI constructs is immediately reviewable, so your team can validate the logic, adjust thresholds if needed, and lock it in as a standing policy that flags every ghost gate going forward.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;The bounty:&lt;/strong&gt; In AWS, an application load balancer without a listener runs $15 to $20/month. 
Find a hundred across your accounts and you've just recovered $20,000 in annual spend, with zero security value lost in the process.&lt;/p&gt;&lt;h3&gt;Step 3: Frozen in time, stopped compute instances&lt;/h3&gt;&lt;p&gt;&lt;strong&gt;The scene:&lt;/strong&gt; Think of an orphaned compute instance like a house that was temporarily closed up after a renovation. The utilities are still on, the locks haven't been changed, and the last occupant left in a hurry. Nobody lives there. Nobody checks on it. But the bills keep coming, and anyone who tries the door finds it easier to get into than the house next door.&lt;/p&gt;&lt;p&gt;Stopped virtual machines account for a large portion of unpatched workloads across typical organizations, frozen at whatever vulnerability state they were in when someone hit "stop." If an attacker breaches one, they inherit the IAM role or service account attached to it. Since nobody is logging in, nobody notices.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;How Tenable Hexa AI finds them:&lt;/strong&gt; Tell Tenable Hexa AI you want stopped instances that have been idle beyond a set threshold and still have volumes attached. It builds the Explorer query with the right filters already in place: stop time thresholds (90 days for AWS EC2, as few as seven days for Azure deallocated machines), state conditions, and volume attachment status. Your team can review the query, tune those parameters to match your environment's specific retention standards, and save it as a policy that runs continuously. The machine isn't just idle; it's sitting on data, and now you know exactly which ones.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;The bounty:&lt;/strong&gt; A stopped instance still accrues Amazon Elastic Block Store (EBS) storage charges. 
A fleet of abandoned instances, common in organizations scaling fast, can represent significant and immediately recoverable spend before you've even addressed the security exposure.&lt;/p&gt;&lt;h3&gt;Step 4: Paying rent on junk, dated snapshots&lt;/h3&gt;&lt;p&gt;&lt;strong&gt;The scene:&lt;/strong&gt; A snapshot is meant to be a time capsule, a point-in-time backup you can restore from if something goes wrong. But most organizations have thousands of snapshots that are years old, attached to nothing, and serving no documented recovery purpose. It's like owning a massive storage unit filled with boxes you haven't opened in five years. You're paying rent on junk. And some of those boxes might contain hazardous materials.&lt;/p&gt;&lt;p&gt;In the cloud, snapshots are the &lt;em&gt;hidden&lt;/em&gt; cost leader and one of the most overlooked sources of data exfiltration risk. Old snapshots often contain configuration files, credentials, and customer data from systems that no longer exist in their current form.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;How Tenable Hexa AI finds them:&lt;/strong&gt; Describe your retention concern and Tenable Hexa AI builds an Explorer query that surfaces every snapshot older than your specified threshold across AWS EBS, Azure, and GCP Compute simultaneously. The results come back organized and actionable.&lt;/p&gt;&lt;p&gt;Once your team reviews the query and confirms it aligns with your backup retention policy, save it. From that point forward, it's a standing policy: anything older than your threshold that isn't tied to a legal hold gets flagged automatically. It is no longer a useful asset but rather a liability with a storage invoice.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;The bounty:&lt;/strong&gt; Snapshot costs compound silently. 
Organizations running their first real cleanup pass frequently discover tens of thousands of dollars in recoverable spend, sometimes more, from snapshots alone.&lt;/p&gt;&lt;h3&gt;Step 5: The unmonitored goldmine, unattached volumes&lt;/h3&gt;&lt;p&gt;&lt;strong&gt;The scene:&lt;/strong&gt; This is the one that should keep your security team up at night. An unattached volume is a disk full of real data that’s no longer on the radar of any of your security tools. Because it isn't "live" (not attached to a running OS), your &lt;a href="https://www.tenable.com/cybersecurity-guide/principles/endpoint-detection-and-response-edr"&gt;EDR&lt;/a&gt; and antivirus are blind to it. No monitoring. No alerts. No tripwires.&lt;/p&gt;&lt;p&gt;An attacker with basic storage permissions doesn't need to breach your running servers. They can snapshot the unattached volume, export it to their own account, mount it in their environment, and browse your configuration files, API keys, and customer records at their leisure. No alerts fired. No logs written on your side. No noise.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;How Tenable Hexa AI finds them:&lt;/strong&gt; Tenable Hexa AI builds an Explorer query that maps every storage volume with no running instance attached to it. Across AWS that means EBS volumes with no EC2 instance. In Azure, Managed Disks with no Virtual Machine. In GCP, Compute Disks with no VM instance. Review the query, confirm the logic, and save it as policy. What you're left with is a continuously maintained inventory of every unmonitored data blob in your environment, surfaced before an attacker finds it first. The reality is stark: if a volume isn’t attached to a live operating system, your EDR can’t hunt on it.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;The bounty:&lt;/strong&gt; Unattached EBS volumes run $0.08 to $0.10 per GB/month. A single forgotten 1TB database volume costs nearly $100/month to store. The financial case writes itself. 
The security case is even more urgent.&lt;/p&gt;&lt;h3&gt;Step 6: The empty control plane of K8s clusters without nodes&lt;/h3&gt;&lt;p&gt;&lt;strong&gt;The scene:&lt;/strong&gt; A &lt;a href="https://www.tenable.com/cybersecurity-guide/principles/kubernetes-k8s"&gt;Kubernetes&lt;/a&gt; cluster without nodes is a management layer with nothing to manage. It's like building a fully staffed air traffic control tower for an airport with no runways. The infrastructure exists. The overhead exists. The attack surface exists. The planes do not. It seems dormant, and therefore safe. But that's precisely the assumption that lets these resources accumulate unnoticed: each one a cost center and a compliance headache waiting to be discovered by the wrong person first.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;How Tenable Hexa AI finds them:&lt;/strong&gt; Tenable Hexa AI constructs an Explorer query built around absence: every cluster with no node group and no hosted virtual machines. For AWS EKS and GCP GKE alike, the query surfaces every empty control plane in your environment. Review it, tune it to your standards, and save it as a policy. Clusters that were stood up, never fully provisioned, and never cleaned up are no longer invisible. The context makes the risk visible in a way a raw inventory list never could.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;The bounty:&lt;/strong&gt; An empty EKS control plane carries a flat cluster fee of roughly $73/month before a single workload runs on it. In environments scaling fast across multiple teams, these accumulate quietly. A handful of abandoned clusters found and removed can represent meaningful recovered spend before you’ve even counted the security benefits.&lt;/p&gt;&lt;h3&gt;One query. One bounty. Real numbers.&lt;/h3&gt;&lt;p&gt;Here's where it gets good. 
Everything we just walked you through — five categories of zombie assets, spanning orphaned IPs, idle load balancers, stale snapshots, unattached volumes, and detached network interfaces — we ran against a real AWS environment. We didn’t have to stitch together five separate searches after a week-long audit. All it took was one conversation with Tenable Hexa AI.&lt;/p&gt;&lt;p&gt;The cart came back very full!&lt;/p&gt;&lt;p&gt;In a single pass, Tenable Hexa AI surfaced 1,658 orphaned resources across the environment — an estimated monthly waste of $2,400 to more than $4,000.&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;Resource Type (The zombie asset)&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Count&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Security Risk (the "Why")&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Financial Waste (The "Bleed")&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Real-World "Smoking Gun"&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Unattached EBS Volumes&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;476&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Unmonitored Data Blobs.&lt;/strong&gt; No EDR or antivirus can see these. 
High risk for snapshot exfiltration.&lt;/td&gt;&lt;td&gt;&lt;strong&gt;$1,500 – $3,000+ /mo&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;Found across 6 regions; storage for data nobody has touched in years.&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Unassociated Elastic IPs&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;34&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Routable Entry Points.&lt;/strong&gt; 34 unlocked doors that provide a footprint for reconnaissance.&lt;/td&gt;&lt;td&gt;&lt;strong&gt;~$124 /mo&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;Billing at $3.65/mo per IP for literally nothing.&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Idle Load Balancers (ALB/NLB)&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;33&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Public Attack Surface.&lt;/strong&gt; Publicly routable endpoints with zero backend value or monitoring.&lt;/td&gt;&lt;td&gt;&lt;strong&gt;~$528 /mo&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;em&gt;"NetLoadBalancer"&lt;/em&gt; – billing since 2020. Six years of charges for a gate with no road.&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Stale EBS Snapshots&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;185&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Cold Storage Exposure.&lt;/strong&gt; Likely contains credentials or PII from decommissioned services.&lt;/td&gt;&lt;td&gt;&lt;strong&gt;~$277 /mo&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;em&gt;"debug-snapshot-deleteme"&lt;/em&gt; – still accruing charges despite the “deleteme” in the name.&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Detached ENIs&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;930&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Shadow Infrastructure.&lt;/strong&gt; Potential footholds for lateral movement and hidden IP hijacking.&lt;/td&gt;&lt;td&gt;&lt;strong&gt;~$50 /mo&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;A massive subset carrying idle IPs, adding "hidden" costs to the 
bill.&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;TOTALS&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;1,658&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;High-Probability Attack Path&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Up to $3,979 /mo&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;~$47,700 in annual waste.&lt;/strong&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;Worth noting: these findings and analysis are from a Tenable demo environment. It is a controlled, relatively small footprint whose primary purpose is showing customers how Tenable works. It isn’t a sprawling enterprise cloud built up over years of product launches, team reorganizations, departed engineers, and shifting infrastructure strategies.&lt;/p&gt;&lt;p&gt;Now imagine your environment. The resources spun up for a project that got cancelled in 2021. The test instances a team left running when they were absorbed into another org. The snapshots from a compliance audit that nobody remembered to retire. The load balancers from an architecture that was deprecated two product generations ago. Still quietly billing every month because nobody thought to look. Years of organizational memory loss, encoded in your cloud bill and your attack surface simultaneously.&lt;/p&gt;&lt;p&gt;The dead accumulate in real environments in ways a demo can only hint at. The cart Tenable Hexa AI fills in your environment won’t look like this one. It will almost certainly be much more bloated.&lt;/p&gt;&lt;p&gt;This is more than a one-time cleanup: every query Tenable Hexa AI built is saved, reviewable, and running as a standing policy now. The next time a zombie asset tries to quietly take up residence in your environment, the next asset labeled “delete me” that never gets deleted, the next load balancer someone spins up for a test in 2026 still billing… it doesn’t get six months. 
It gets hunted, and marked for a proper burial.&lt;/p&gt;&lt;p&gt;One conversation. One cleaner, tighter, safer cloud environment. And a number you can actually take to the CFO.&lt;/p&gt;&lt;p&gt;Bring out your dead… and make them pay on the way out.&lt;/p&gt;&lt;h3&gt;&lt;strong&gt;Part of a bigger picture&lt;/strong&gt;&lt;/h3&gt;&lt;p&gt;This hunt for zombie assets is part of our ongoing series where we showcase how Tenable Hexa AI handles the high-impact security tasks that traditionally break manual workflows. Identifying forgotten infrastructure is a major win for cloud security, but Tenable Hexa AI’s ability to bridge the gap between intelligence and action goes even further.&lt;/p&gt;&lt;p&gt;If you’re interested in seeing how Tenable Hexa AI tackles other critical challenges, check out our previous deep dives:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/crushing-axios-supply-chain-threat-tenable-hexa-ai-agentic-ai-use-cases"&gt;&lt;strong&gt;Neutralize supply chain threats&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;:&lt;/strong&gt; See how Tenable Hexa AI correlates third-party software components with your internal assets to stop threats, like supply chain attacks, in their tracks.&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/beating-the-mythos-clock-using-tenable-hexa-ai-custom-agents-for-automated-patching"&gt;&lt;strong&gt;Orchestrate automated patching&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;:&lt;/strong&gt; Learn how to beat the "Mythos clock" by using custom agents to deploy patches the moment a vulnerability is validated.&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/vulnerability-remediation-match-cves-to-asset-owners-in-seconds-with-tenable"&gt;&lt;strong&gt;Automate remediation assignment&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;:&lt;/strong&gt; Discover how to match CVEs to their specific asset owners in seconds, getting the right fix to the right person without the manual spreadsheet 
shuffle.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Each of these use cases demonstrates how moving from conversation to execution can fundamentally change your security posture.&lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Ready to clean up your cloud graveyard?&lt;/strong&gt; Discover how Tenable Hexa AI transforms exposure intelligence into machine-speed risk reduction. &lt;/em&gt;&lt;a href="https://www.tenable.com/data-sheets/tenable-hexa-ai-the-agentic-engine-for-tenable-one-exposure-management"&gt;&lt;em&gt;Learn more here&lt;/em&gt;&lt;/a&gt;&lt;em&gt;.&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/How%20agentic%20AI%20for%20cybersecurity%20helps%20you%20rid%20your%20cloud%20of%20forgotten%2C%20risky%20assets.png"&gt;
</description>
  <pubDate>Thu, 14 May 2026 17:17:00 -0400</pubDate>
    <dc:creator>Brinton Taylor</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210911</guid>
    </item>
<item>
  <title>Fragnesia (CVE-2026-46300): Frequently asked questions about new Linux Kernel XFRM ESP-in-TCP privilege escalation</title>
  <link>https://www.tenable.com/blog/fragnesia-cve-2026-46300-faq-about-new-linux-kernel-xfrm-esp-in-tcp-priv-esc</link>
  <description>&lt;p&gt;&lt;strong&gt;A new Linux kernel local privilege escalation exploit with a public proof-of-concept targets the same subsystem as Dirty Frag but requires a separate patch.&lt;/strong&gt;&lt;/p&gt;&lt;h2&gt;Key Takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;CVE-2026-46300 (Fragnesia) is the latest high severity local privilege escalation vulnerability in the Linux kernel, following the disclosure of both Dirty Frag and Copy Fail.&lt;/li&gt;&lt;li&gt;A public proof-of-concept is available and the exploit has been confirmed working on Ubuntu systems, though no in-the-wild exploitation has been reported.&lt;/li&gt;&lt;li&gt;A kernel patch was released on May 13; the existing Dirty Frag patches do not address this flaw, though the module blacklist mitigation protects against both.&lt;/li&gt;&lt;/ol&gt;&lt;h2&gt;Background&lt;/h2&gt;&lt;p&gt;Tenable's Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding Fragnesia, a new Linux kernel local privilege escalation vulnerability.&lt;/p&gt;&lt;h2&gt;FAQ&lt;/h2&gt;&lt;p&gt;&lt;strong&gt;When was Fragnesia first disclosed?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;On May 13, William Bowling of &lt;a href="https://github.com/v12-security"&gt;&lt;u&gt;V12 Security&lt;/u&gt;&lt;/a&gt; publicly disclosed Fragnesia alongside a &lt;a href="https://github.com/v12-security/pocs/tree/main/fragnesia"&gt;&lt;u&gt;proof-of-concept exploit&lt;/u&gt;&lt;/a&gt; and a corresponding &lt;a href="https://lists.openwall.net/netdev/2026/05/13/79"&gt;&lt;u&gt;kernel patch&lt;/u&gt;&lt;/a&gt;. &lt;a href="https://www.tenable.com/cve/CVE-2026-46300"&gt;&lt;u&gt;CVE-2026-46300&lt;/u&gt;&lt;/a&gt; was assigned the same day.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What is Fragnesia?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Fragnesia is a local privilege escalation vulnerability in the Linux kernel's XFRM ESP-in-TCP subsystem. 
The name references how the socket buffer (skb) "forgets" that a frag is shared during coalescing. Specifically, when the kernel coalesces socket buffer fragments via skb_try_coalesce(), it fails to propagate the SKBFL_SHARED_FRAG flag that marks certain pages as shared with other subsystems. Without that flag, the kernel treats those file-cache-backed pages as safe to write.&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;CVE&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Description&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;CVSSv3&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2026-46300"&gt;&lt;u&gt;CVE-2026-46300&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Linux Kernel XFRM ESP-in-TCP Local Privilege Escalation Vulnerability&lt;/td&gt;&lt;td&gt;7.8 (estimated)&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;How does Fragnesia relate to Dirty Frag?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Fragnesia belongs to the same vulnerability class as &lt;a href="https://www.tenable.com/blog/dirty-frag-cve-2026-43284-cve-2026-43500-frequently-asked-questions-linux-kernel-lpe"&gt;&lt;u&gt;Dirty Frag&lt;/u&gt;&lt;/a&gt; (&lt;a href="https://www.tenable.com/cve/CVE-2026-43284"&gt;&lt;u&gt;CVE-2026-43284&lt;/u&gt;&lt;/a&gt;/&lt;a href="https://www.tenable.com/cve/CVE-2026-43500"&gt;&lt;u&gt;CVE-2026-43500&lt;/u&gt;&lt;/a&gt;) in that both achieve page-cache writes through the XFRM/ESP subsystem. 
However, they are distinct vulnerabilities:&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&amp;nbsp;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Dirty Frag&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Fragnesia&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Researcher&lt;/td&gt;&lt;td&gt;Hyunwoo Kim&lt;/td&gt;&lt;td&gt;William Bowling (V12 Security)&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Entry point&lt;/td&gt;&lt;td&gt;xfrm-ESP page-cache write&lt;/td&gt;&lt;td&gt;TCP coalescing in ESP-in-TCP (ULP mode transition)&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Write primitive&lt;/td&gt;&lt;td&gt;4-byte STORE&lt;/td&gt;&lt;td&gt;192-byte XOR via AES-GCM keystream&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Patch&lt;/td&gt;&lt;td&gt;&lt;a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4"&gt;&lt;u&gt;Existing Dirty Frag patches&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="https://lists.openwall.net/netdev/2026/05/13/79"&gt;&lt;u&gt;New patch (May 13)&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;The existing kernel patches for Dirty Frag do not fix Fragnesia. A separate patch is required.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;How severe is Fragnesia?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Any local user on a system running a vulnerable kernel can exploit Fragnesia to gain root access. The exploit does not rely on a race condition. The technique uses user and network namespaces (enabled by default on most distributions) to obtain CAP_NET_ADMIN without requiring elevated host privileges.&lt;/p&gt;&lt;p&gt;The public PoC targets /usr/bin/su, modifying it in the page cache to grant root on execution. The on-disk binary is never changed, and a reboot or cache flush restores normal behavior. 
The technique is not limited to a single binary: any file readable by the attacker is a viable target, including [redacted].&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Which Linux distributions are affected?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Fragnesia affects the same kernel versions as Dirty Frag. Any distribution shipping a kernel without the May 13 patch is vulnerable. The vulnerability was confirmed working on Ubuntu 6.8.0-111-generic (April 11, 2026 build) running on a Linode VPS.&lt;/p&gt;&lt;p&gt;Affected distributions include:&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;Distribution&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Patch Status&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Ubuntu&lt;/td&gt;&lt;td&gt;Vulnerable&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Red Hat Enterprise Linux&lt;/td&gt;&lt;td&gt;Vulnerable&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;openSUSE&lt;/td&gt;&lt;td&gt;Vulnerable&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;CentOS Stream&lt;/td&gt;&lt;td&gt;Vulnerable&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;AlmaLinux&lt;/td&gt;&lt;td&gt;Patched&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;CloudLinux&lt;/td&gt;&lt;td&gt;Patching&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Debian&lt;/td&gt;&lt;td&gt;Vulnerable&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Gentoo&lt;/td&gt;&lt;td&gt;Vulnerable&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Fedora&lt;/td&gt;&lt;td&gt;Patched&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Amazon Linux&lt;/td&gt;&lt;td&gt;Not affected&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;&lt;a href="https://aws.amazon.com/security/security-bulletins/rss/2026-029-aws/"&gt;&lt;u&gt;Amazon Linux is not affected&lt;/u&gt;&lt;/a&gt; as it does not ship the espintcp module. 
CloudLinux 7 is also unaffected.&lt;/p&gt;&lt;p&gt;As of May 14, &lt;a href="https://ubuntu.com/security/CVE-2026-46300"&gt;&lt;u&gt;Ubuntu's patch status&lt;/u&gt;&lt;/a&gt; remains "needs evaluation" across all releases. &lt;a href="https://blog.cloudlinux.com/fragnesia-mitigation-and-kernel-update"&gt;&lt;u&gt;CloudLinux&lt;/u&gt;&lt;/a&gt; has patches in testing for CL9/CL10 and a KernelCare livepatch in validation.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Is there a proof-of-concept (PoC) available?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Yes. A public PoC was &lt;a href="https://github.com/v12-security/pocs/tree/main/fragnesia"&gt;&lt;u&gt;released on GitHub&lt;/u&gt;&lt;/a&gt; alongside the disclosure.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Are patches or mitigations available?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;A kernel patch was &lt;a href="https://lists.openwall.net/netdev/2026/05/13/79"&gt;&lt;u&gt;submitted to the netdev mailing list&lt;/u&gt;&lt;/a&gt; on May 13. The fix ensures skb_try_coalesce() propagates the SKBFL_SHARED_FRAG marker, preventing in-place decryption of shared page-cache fragments.&lt;/p&gt;&lt;p&gt;&lt;a href="https://almalinux.org/blog/2026-05-13-fragnesia-cve-2026-46300/"&gt;&lt;u&gt;AlmaLinux has released&lt;/u&gt;&lt;/a&gt; patched kernels for all supported releases:&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;Distribution&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Fixed Kernel Version&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;AlmaLinux 8&lt;/td&gt;&lt;td&gt;kernel-4.18.0-553.124.2.el8_10&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;AlmaLinux 9&lt;/td&gt;&lt;td&gt;kernel-5.14.0-611.54.4.el9_7&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;AlmaLinux 10&lt;/td&gt;&lt;td&gt;kernel-6.12.0-124.56.2.el10_1&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;For systems where an immediate kernel update is not feasible, the same 
module blacklist mitigation used for Dirty Frag is effective:&lt;/p&gt;&lt;pre&gt;&lt;code class="language-plaintext"&gt;rmmod esp4 esp6 rxrpc
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' &amp;gt; /etc/modprobe.d/dirtyfrag.conf&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Organizations that applied this mitigation for Dirty Frag are already protected against Fragnesia. Organizations that applied only the kernel patches for Dirty Frag without the module blacklist are not protected and need the new patch.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Historical exploitation of Linux kernel vulnerabilities&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The Linux kernel has been a recurring target for privilege escalation attacks. CISA's Known Exploited Vulnerabilities catalog contains entries for several Linux kernel flaws:&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;CVE&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Description&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Date Added to KEV&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Known Ransomware Use&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2016-5195"&gt;&lt;u&gt;CVE-2016-5195&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Linux Kernel Race Condition (Dirty Cow)&lt;/td&gt;&lt;td&gt;2022-03-03&lt;/td&gt;&lt;td&gt;Unknown&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2022-0847"&gt;&lt;u&gt;CVE-2022-0847&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Linux Kernel Improper Initialization (Dirty Pipe)&lt;/td&gt;&lt;td&gt;2022-04-25&lt;/td&gt;&lt;td&gt;Unknown&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2024-1086"&gt;&lt;u&gt;CVE-2024-1086&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Linux Kernel nf_tables Use-After-Free&lt;/td&gt;&lt;td&gt;2024-05-30&lt;/td&gt;&lt;td&gt;Known&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a 
href="https://www.tenable.com/cve/CVE-2026-31431"&gt;&lt;u&gt;CVE-2026-31431&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Linux Kernel Incorrect Resource Transfer (Copy Fail)&lt;/td&gt;&lt;td&gt;2026-05-01&lt;/td&gt;&lt;td&gt;Unknown&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;Copy Fail (CVE-2026-31431) was added to the KEV catalog on May 1, 2026. CVE-2026-46300 (Fragnesia) is not currently in the KEV catalog.&lt;/p&gt;&lt;p&gt;Tenable has published FAQ blogs on &lt;a href="https://www.tenable.com/blog/dirty-frag-cve-2026-43284-cve-2026-43500-frequently-asked-questions-linux-kernel-lpe"&gt;&lt;u&gt;Dirty Frag&lt;/u&gt;&lt;/a&gt; and &lt;a href="https://www.tenable.com/blog/copy-fail-cve-2026-31431-frequently-asked-questions-about-linux-kernel-privilege-escalation"&gt;&lt;u&gt;Copy Fail&lt;/u&gt;&lt;/a&gt;, two other Linux kernel privilege escalation vulnerabilities disclosed in 2026.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Has Tenable released any product coverage for this vulnerability?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;A list of Tenable plugins for this vulnerability can be found on the &lt;a href="https://www.tenable.com/cve/CVE-2026-46300/plugins"&gt;&lt;u&gt;CVE-2026-46300&lt;/u&gt;&lt;/a&gt; page as they're released. 
This link will display all available plugins for this vulnerability, including upcoming plugins in our &lt;a href="https://www.tenable.com/plugins/pipeline"&gt;&lt;u&gt;Plugins Pipeline&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;h3&gt;Get more information&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://github.com/v12-security/pocs/tree/main/fragnesia"&gt;&lt;u&gt;Fragnesia PoC and Technical Details (V12 Security)&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://lists.openwall.net/netdev/2026/05/13/79"&gt;&lt;u&gt;Kernel Patch (netdev mailing list)&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.openwall.com/lists/oss-security/2026/05/13/3"&gt;&lt;u&gt;oss-security Discussion&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/dirty-frag-cve-2026-43284-cve-2026-43500-frequently-asked-questions-linux-kernel-lpe"&gt;&lt;u&gt;Dirty Frag FAQ (Tenable Blog)&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/copy-fail-cve-2026-31431-frequently-asked-questions-about-linux-kernel-privilege-escalation"&gt;&lt;u&gt;Copy Fail FAQ (Tenable Blog)&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Join&lt;/strong&gt;&lt;/em&gt; &lt;a href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable's Research Special Operations (RSO) Team&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt; &lt;em&gt;&lt;strong&gt;on Tenable Connect for further discussions on the latest cyber threats.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Learn more about&lt;/strong&gt;&lt;/em&gt; &lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable One&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt;, the Exposure Management Platform for the modern attack surface.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
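&lt;p&gt;The following shell script is an added example, not code from the Tenable FAQ, that verifies the module blacklist mitigation is actually in effect on a host: none of esp4, esp6 or rxrpc is currently loaded, and each of them has an &lt;code&gt;install&lt;/code&gt; line in a modprobe.d configuration file. The directory argument, the lsmod parsing and the acceptance of /bin/true as well as /bin/false as the install target are my assumptions, not from the page.&lt;/p&gt;

```bash
#!/bin/sh
# Added example, not part of the Tenable FAQ: verify that the Dirty Frag /
# Fragnesia module blacklist (esp4, esp6, rxrpc) is in effect on this host.
# Assumptions (mine): the blacklist lives under /etc/modprobe.d and uses
# "install MOD /bin/false" (or /bin/true) lines, as in the FAQ's mitigation.

MODULES="esp4 esp6 rxrpc"

# loaded_modules LSMOD_TEXT
# Prints the blacklisted modules that appear in lsmod-style output (module
# name in the first column). Exit status 0 when none of them is loaded.
loaded_modules() {
    found=""
    for m in $MODULES; do
        if printf '%s\n' "$1" | awk '{print $1}' | grep -qx "$m"; then
            found="$found $m"
        fi
    done
    printf '%s' "${found# }"
    [ -z "$found" ]
}

# unblacklisted_modules MODPROBE_DIR
# Prints the blacklisted modules that have no "install MOD /bin/false" (or
# /bin/true) line in any *.conf under MODPROBE_DIR. Exit status 0 when every
# module is covered; a missing directory counts as nothing covered.
unblacklisted_modules() {
    missing=""
    for m in $MODULES; do
        if ! grep -Eqs "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/(false|true)" "$1"/*.conf; then
            missing="$missing $m"
        fi
    done
    printf '%s' "${missing# }"
    [ -z "$missing" ]
}

# check_host [MODPROBE_DIR]
# Runs both checks against the live system. Exit status 0 only if the
# modules are unloaded AND blacklisted; nothing is modified.
check_host() {
    dir="${1:-/etc/modprobe.d}"
    status=0
    loaded=$(loaded_modules "$(lsmod 2>/dev/null)") || {
        echo "STILL LOADED: $loaded (run rmmod; the blacklist alone will not evict them)"
        status=1
    }
    missing=$(unblacklisted_modules "$dir") || {
        echo "NOT BLACKLISTED in $dir: $missing"
        status=1
    }
    if [ "$status" -eq 0 ]; then
        echo "OK: esp4, esp6 and rxrpc are unloaded and blacklisted"
    fi
    return "$status"
}

# Only touch the live system when explicitly asked to.
case "${1:-}" in
    --live) check_host "${2:-}" ;;
esac
```

&lt;p&gt;Run it as &lt;code&gt;sh check_fragnesia.sh --live&lt;/code&gt; (optionally followed by an alternative modprobe.d directory); it exits non-zero when a module is still loaded or has no install line, and it changes nothing itself. The unload check is deliberately separate from the blacklist check, because a module that is in use survives rmmod and an install line alone never evicts a module that is already loaded.&lt;/p&gt;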
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/cve-2026-46300-fragnesia-linux-kernel-esp-in-tcp-lpe.png"&gt;
</description>
  <pubDate>Thu, 14 May 2026 15:38:03 -0400</pubDate>
    <dc:creator>Satnam Narang</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210917</guid>
    </item>
<item>
  <title>Securing data centers in the agentic AI era</title>
  <link>https://www.tenable.com/blog/securing-data-centers-agentic-ai-era</link>
  <description>&lt;p&gt;Find out how data center operators can protect critical building-management systems and cyber-physical infrastructure from AI-powered threats, as well as comply with evolving regulations.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;Key takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;Data centers have evolved from simple storage hubs into critical national infrastructure and the "brains" of the modern enterprise, directly impacting global economic stability and national security.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Protection of critical infrastructure requires strict virtual and physical micro-segmentation to prevent AI-powered threats from moving laterally between legacy building systems and the broader data center network.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Data center security teams must navigate a high-stakes conflict between maintaining "five nines" availability and the urgent need to patch vulnerabilities, while pivoting focus toward securing the data pipelines and identities that autonomous agents depend on.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;Data centers have undergone a radical transformation. They are no longer just passive warehouses used for storing customer data or hosting cloud backups. Today, they represent the autonomous engine rooms that power the global digital supply chain. Because these facilities process some of the world's most sensitive data and processes, the definition of data center security has evolved to become a matter of global economic stability.&lt;/p&gt;&lt;p&gt;As we enter the era of agentic AI — where AI systems don’t just summarize data but actually execute business decisions — data centers have become the brain of the modern enterprise. This shift is causing governments and regulators to take notice. For example, in late 2024, the U.K. 
government officially &lt;a href="https://www.gov.uk/government/news/data-centres-to-be-given-massive-boost-and-protections-from-cyber-criminals-and-it-blackouts"&gt;designated data centers as critical national infrastructure&lt;/a&gt; (CNI), putting them on the same level of importance as water, energy, and emergency services. This move reflects a global trend: major data center outages and security breaches put massive capital expenditures at risk, with some data center campus investments exceeding $15 billion, and present significant national security concerns.&lt;/p&gt;&lt;p&gt;However, to power the most advanced AI, we are relying on physical infrastructure — cooling and power systems, UPS systems, and power grids — that often runs on 20-year-old operational technology (OT) devices never designed for the modern threat landscape. Furthermore, while true physical air gaps — protected by hardware like one-way data diodes — remain a gold standard for high-security facilities, the rise of cloud-managed xIoT (extended internet of things) devices has introduced significant connectivity risks. In data center environments where isolation is often &lt;em&gt;perceived&lt;/em&gt; rather than physically absolute, the lack of a true air gap means isolated networks can be inadvertently bridged, leaving data centers and downstream enterprise processes exposed.&lt;/p&gt;&lt;h2&gt;The two-fold challenge for data center security&lt;/h2&gt;&lt;p&gt;To secure the modern data center, asset owners and operators must balance two competing priorities that are increasingly at odds in the AI era:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;strong&gt;Maintaining “five nines” availability amidst a rapid patch cycle: &lt;/strong&gt;Operators must keep the facility running with 99.999% uptime to keep AI clusters and servers online and available while managing a vulnerability landscape that is moving faster than ever before. 
In an era of AI-driven exploits, the pressure to “patch everything, everywhere, all at once” is immense. However, for data center security, the likelihood that a patching error causes an adverse outcome or unplanned downtime can be higher than the likelihood of a successful exploit.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Securing AI access and dependent systems:&lt;/strong&gt; For most enterprises, AI security isn't about protecting the model weights or the LLM hardware itself — which often resides in a provider's cloud — but rather securing the gateways and data pipelines. This means protecting the sensitive training and retrieval-augmented generation (RAG) data stored within your data center and ensuring the identity-based network communication pathways that allow autonomous agents to interact with that data are ironclad.&lt;/li&gt;&lt;/ol&gt;&lt;h2&gt;The modern attack surface: operational denial&lt;/h2&gt;&lt;p&gt;While data theft remains a massive industry, we are seeing a shift in the motive of sophisticated attackers, particularly state-sponsored actors and hacktivists. To understand this shift, we have to look at the relationship between the “bytes” and the “bricks.”&lt;/p&gt;&lt;p&gt;In the age of agentic AI, security teams are facing a tsunami of bytes — an exponential spike in legitimate customer and employee connections that makes traditional network traffic monitoring nearly impossible. In this flood of data, it is becoming increasingly difficult to distinguish a stealthy attacker performing reconnaissance from the millions of active, automated AI and customer sessions being processed every second.&lt;/p&gt;&lt;p&gt;The goal of today’s threat actors isn’t always to steal information; it’s to use this digital noise as cover to disrupt physical processes and trigger widespread outages. In other words, they hide in the bytes to target the bricks: the physical infrastructure of the modern data center. 
If an attacker can disable a cooling system, for example, the resulting heat may force a high-value AI cluster to shut down to prevent a hardware meltdown. This operational denial causes immediate financial chaos, triggers massive SLA penalties, and halts business operations more effectively than any traditional data breach.&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;&lt;strong&gt;Your AI data center infrastructure is only secure if you have full visibility into the control systems connected to the 15-year-old cooling system in the mechanical gallery.&lt;/strong&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;Risk often starts with the supply chain. A breach of a third-party vendor’s maintenance portal or of an engineering workstation in the data center can lead to a pivot into the process control layer. By manipulating cyber-physical systems (OT/IoT), such as HVAC controls or other building management systems (BMS), a threat actor may be able to trigger automated safety shutdowns or unplanned downtime. This may result in SLA penalties and costly downstream impact.&lt;/p&gt;&lt;h2&gt;Understanding the layers of exposure for data centers&lt;/h2&gt;&lt;p&gt;To build strategic resilience, asset owners and operators must look beyond the IT perimeter and address the three distinct layers of data center risk:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;OT/ICS: &lt;/strong&gt;Many cooling and power systems run on legacy protocols (like BACnet or Modbus) designed decades ago without security in mind. Many of these systems lack basic encryption and authentication. As these systems are connected to the cloud for remote access and to ensure centralized governance and compliance with environmental sustainability mandates, these connections create new entry points for attackers.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;xIoT:&lt;/strong&gt; Smart devices (e.g., climate sensors, IP cameras, badge access) represent the hidden majority of assets inside the modern data center. 
According to a &lt;a href="https://www.sans.org/white-papers/sans-2024-state-ics-ot-cybersecurity"&gt;survey&lt;/a&gt; by the SANS Institute, more than half of organizations lack specialized monitoring for these assets. Because xIoT devices sit outside the standard IT inventory, they become invisible entry points that are easy targets for cyber-compromise if left unmanaged.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Non-human identities: &lt;/strong&gt;The risk to data centers goes beyond people and includes the devices and agents they deploy. &lt;a href="https://www.tenable.com/cyber-exposure/cloud-and-ai-security-risk-report-2026"&gt;Tenable research&lt;/a&gt; shows that 52% of organizations possess non-human identities (e.g., AI agents and connected sensors) with critical excessive permissions, outpacing the risk associated with human users. This creates an extended attack surface that is increasingly difficult for security teams to manage.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;AI gateways: &lt;/strong&gt;While cloud providers secure the underlying LLM infrastructure, the enterprise is responsible for the server housing and data paths. This layer includes the RAG data sets that give AI its context and the identity-driven gateways that connect your corporate environment to the cloud. If an attacker manipulates the RAG input or compromises an AI gateway, they don't need to compromise the LLM to weaponize it against your organization.&lt;/li&gt;&lt;/ul&gt;&lt;h2&gt;Streamlining regulatory compliance&lt;/h2&gt;&lt;p&gt;The “build fast and fix it later” approach to AI is hitting a regulatory wall. 
Recent mandates such as the &lt;a href="https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en"&gt;EU Digital Operational Resilience Act&lt;/a&gt; (DORA) and the &lt;a href="https://www.gov.uk/government/collections/cyber-security-and-resilience-bill"&gt;UK Cyber Security and Resilience Bill&lt;/a&gt; now require organizations to prove they have continuous, real-time monitoring of their entire infrastructure. Compliance is moving away from annual “check-the-box” audits toward firm requirements for proof of posture — requiring operators to proactively monitor exposures impacting every asset across their network: federated identities, IT, OT, web apps, cloud containers, and everything in between.&lt;/p&gt;&lt;h2&gt;Exposure management delivers proactive security for data centers&lt;/h2&gt;&lt;p&gt;To stay ahead of AI-powered threats and meet new regulatory requirements, operators are adopting &lt;a href="https://www.tenable.com/products/tenable-one"&gt;holistic exposure management&lt;/a&gt; to unify visibility across identity, IT, OT, and AI domains.&lt;/p&gt;&lt;img class="vidyard-player-embed" src="https://play.vidyard.com/NYDEkTAckd899e3Lv7nFHa.jpg" width="100%" data-uuid="NYDEkTAckd899e3Lv7nFHa" data-v="4" data-type="inline" height="100%" loading="lazy"&gt;&lt;p&gt;Security teams can no longer rely on legacy scanners. 
Because you cannot patch faster without risking critical downtime, you must &lt;strong&gt;patch smarter&lt;/strong&gt;: correlate exposure across identity, cloud, OT/IoT, and AI domains so that data center assets can be secured at the speed of AI.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Here are the core pillars of a modern data center security strategy:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Secure internet-exposed assets: &lt;/strong&gt;True security starts with a complete, ground-truth inventory of the entire estate. This means identifying every asset — from internet-exposed management apps (DCIMs) to legacy OT/IoT devices — without risking the uptime of sensitive systems and operations. Tenable recommends that organizations adopt a &lt;a href="https://www.tenable.com/solution-briefs/tenable-ot-security-active-querying"&gt;hybrid approach to asset discovery&lt;/a&gt; that blends passive monitoring of network traffic, safe active query using native OT protocols, and agent-based discovery.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Anticipate likely attack paths&lt;/strong&gt;: Attackers don’t think in silos; they look for the path of least resistance. A robust strategy involves mapping how a vulnerability in a third-party vendor portal could allow a lateral pivot into your process control layer. By visualizing these attack chains, you can break the link before an intruder ever reaches your crown jewels.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Prioritize real risk, not just vulnerabilities: &lt;/strong&gt;In a data center with thousands of connected devices, trying to patch everything or implement hardware-intensive passive monitoring solutions across every site is a losing battle and an incomplete approach. 
Security teams should focus on the &lt;a href="https://www.tenable.com/products/vulnerability-management/use-cases/prioritization"&gt;1.6% of vulnerabilities&lt;/a&gt; that actually sit on a path to your most critical systems by going beyond basic vulnerability management and risk scoring to correlate exposure across security domains with business criticality and full context.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Secure the identity perimeter and prevent lateral movement: &lt;/strong&gt;Identity has become the most vulnerable entry point for IT/OT environments. Protecting data centers requires continuous monitoring of &lt;a href="https://www.tenable.com/solutions/active-directory"&gt;Active Directory&lt;/a&gt; and cloud permissions to ensure that a compromised credential in the enterprise IT network cannot be used to escalate privileges and move laterally to disrupt data center operations. Tenable solutions help security teams identify risky entitlements and misconfigurations to enforce strict &lt;a href="https://www.tenable.com/solutions/zero-trust"&gt;zero-trust&lt;/a&gt; architectures and implement proactive security measures, such as rule-based alerts, micro-segmentation and policy monitoring.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Monitor third-party vendor risk&lt;/strong&gt;: Data centers rely on a web of third-party technicians and remote maintenance. 
Holistic exposure management means establishing clear rulesets and real-time alerts for vendor-managed systems, allowing you to detect unauthorized remote access and mitigate cyber risk you don't directly control.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Streamline data center security compliance and governance: &lt;/strong&gt;Streamline reporting and monitoring for regulatory and compliance frameworks like &lt;a href="https://www.tenable.com/blog/learning-to-love-audit-and-compliance-its-possible"&gt;SOC 2,&lt;/a&gt; &lt;a href="https://www.tenable.com/solutions/pci"&gt;PCI DSS&lt;/a&gt;, &lt;a href="https://www.tenable.com/solutions/isoiec-2700127002"&gt;ISO 27001&lt;/a&gt;, &lt;a href="https://www.tenable.com/solutions/nis-directive-compliance"&gt;NIS2&lt;/a&gt;, &lt;a href="https://www.tenable.com/solutions/hipaa-compliance"&gt;HIPAA&lt;/a&gt;, and &lt;a href="https://www.tenable.com/solutions/nerc-cip"&gt;NERC-CIP&lt;/a&gt; with built-in dashboards and reporting tools for relevant compliance frameworks and industry standards.&lt;/li&gt;&lt;/ul&gt;&lt;h2&gt;Securing the future&lt;/h2&gt;&lt;p&gt;As organizations continue to scale data center infrastructure to meet rapidly accelerating AI and cloud compute demands, OT/IoT security must be treated as a foundational component of data center operations. 
Whether you are managing a data center expansion or conversion, or breaking ground on a multi-billion-dollar campus, having a right-sized exposure management strategy in place helps ensure your data center investments are secure from the threats of tomorrow.&lt;/p&gt;&lt;p&gt;&lt;a href="https://www.tenable.com/products/tenable-one/evaluate"&gt;&lt;em&gt;Request a demo&lt;/em&gt;&lt;/a&gt;&lt;em&gt; to find out more about how Tenable helps data center operators secure critical national infrastructure and building facility environments.&lt;/em&gt;&lt;/p&gt;&lt;h2&gt;Learn more&lt;/h2&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/solutions/data-center-security"&gt;Explore Tenable solutions for data center security&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/solutions/compliance"&gt;Explore Tenable solutions for compliance frameworks and industry standards&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/5-steps-to-become-mythos-ready-ai-cybersecurity"&gt;Five steps to become Mythos ready&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/Securing%20data%20centers%20in%20the%20agentic%20AI%20era.png"&gt;
</description>
  <pubDate>Wed, 13 May 2026 09:00:00 -0400</pubDate>
    <dc:creator>Bill Olson</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210901</guid>
    </item>
<item>
  <title>Microsoft’s May 2026 Patch Tuesday Addresses 118 CVEs (CVE-2026-41103)</title>
  <link>https://www.tenable.com/blog/microsofts-may-2026-patch-tuesday-addresses-118-cves-cve-2026-41103</link>
  <description>&lt;ol class="blog-severity-badges"&gt;&lt;li class="blog-severity-badges critical"&gt;&lt;span class="number"&gt;16&lt;/span&gt;Critical&lt;/li&gt;&lt;li class="blog-severity-badges important"&gt;&lt;span class="number"&gt;102&lt;/span&gt;Important&lt;/li&gt;&lt;li class="blog-severity-badges moderate"&gt;&lt;span class="number"&gt;0&lt;/span&gt;Moderate&lt;/li&gt;&lt;li class="blog-severity-badges low"&gt;&lt;span class="number"&gt;0&lt;/span&gt;Low&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;strong&gt;Microsoft addresses 118 CVEs in its May 2026 Patch Tuesday release, with no zero-days exploited in the wild or publicly disclosed for the first time since June 2024.&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Microsoft patched 118 CVEs in its May 2026 Patch Tuesday release, with 16 rated critical and 102 rated as important. Our counts omitted CVE-2025-54518, an AMD CPU OP Cache Corruption vulnerability issued by AMD.&lt;/p&gt;&lt;img src="https://www.tenable.com/sites/default/files/images/blog/bbc9bdfe-d388-4c14-a312-68fb91697bc6.png" alt="A pie chart showing the severity distribution across the Patch Tuesday CVEs patched in May 2026." 
width="865" height="473" referrerpolicy="no-referrer" loading="lazy"&gt;&lt;p&gt;This month’s update includes patches for:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;.NET&lt;/li&gt;&lt;li&gt;ASP.NET Core&lt;/li&gt;&lt;li&gt;Azure AI Foundry M365 published agents&lt;/li&gt;&lt;li&gt;Azure Cloud Shell&lt;/li&gt;&lt;li&gt;Azure Connected Machine Agent&lt;/li&gt;&lt;li&gt;Azure DevOps&lt;/li&gt;&lt;li&gt;Azure Entra ID&lt;/li&gt;&lt;li&gt;Azure Logic Apps&lt;/li&gt;&lt;li&gt;Azure Machine Learning&lt;/li&gt;&lt;li&gt;Azure Managed Instance for Apache Cassandra&lt;/li&gt;&lt;li&gt;Azure Monitor Agent&lt;/li&gt;&lt;li&gt;Azure Notification Service&lt;/li&gt;&lt;li&gt;Azure SDK&lt;/li&gt;&lt;li&gt;Copilot Chat (Microsoft Edge)&lt;/li&gt;&lt;li&gt;Data Deduplication&lt;/li&gt;&lt;li&gt;Dynamics Business Central&lt;/li&gt;&lt;li&gt;GitHub Copilot and Visual Studio&lt;/li&gt;&lt;li&gt;M365 Copilot&lt;/li&gt;&lt;li&gt;M365 Copilot for Desktop&lt;/li&gt;&lt;li&gt;Microsoft Data Formulator&lt;/li&gt;&lt;li&gt;Microsoft Dynamics 365 (on-premises)&lt;/li&gt;&lt;li&gt;Microsoft Dynamics 365 Customer Insights&lt;/li&gt;&lt;li&gt;Microsoft Edge (Chromium-based)&lt;/li&gt;&lt;li&gt;Microsoft Edge for Android&lt;/li&gt;&lt;li&gt;Microsoft Office&lt;/li&gt;&lt;li&gt;Microsoft Office Click-To-Run&lt;/li&gt;&lt;li&gt;Microsoft Office Excel&lt;/li&gt;&lt;li&gt;Microsoft Office PowerPoint&lt;/li&gt;&lt;li&gt;Microsoft Office SharePoint&lt;/li&gt;&lt;li&gt;Microsoft Office Word&lt;/li&gt;&lt;li&gt;Microsoft Partner Center&lt;/li&gt;&lt;li&gt;Microsoft SSO Plugin for Jira &amp;amp; Confluence&lt;/li&gt;&lt;li&gt;Microsoft Teams&lt;/li&gt;&lt;li&gt;Microsoft Windows DNS&lt;/li&gt;&lt;li&gt;Power Automate&lt;/li&gt;&lt;li&gt;SQL Server&lt;/li&gt;&lt;li&gt;Telnet Client&lt;/li&gt;&lt;li&gt;Visual Studio Code&lt;/li&gt;&lt;li&gt;Windows Admin Center&lt;/li&gt;&lt;li&gt;Windows Ancillary Function Driver for WinSock&lt;/li&gt;&lt;li&gt;Windows Application Identity (AppID) Subsystem&lt;/li&gt;&lt;li&gt;Windows 
Cloud Files Mini Filter Driver&lt;/li&gt;&lt;li&gt;Windows Common Log File System Driver&lt;/li&gt;&lt;li&gt;Windows Cryptographic Services&lt;/li&gt;&lt;li&gt;Windows DWM Core Library&lt;/li&gt;&lt;li&gt;Windows Event Logging Service&lt;/li&gt;&lt;li&gt;Windows Filtering Platform (WFP)&lt;/li&gt;&lt;li&gt;Windows GDI&lt;/li&gt;&lt;li&gt;Windows Hyper-V&lt;/li&gt;&lt;li&gt;Windows Internet Key Exchange (IKE) Protocol&lt;/li&gt;&lt;li&gt;Windows Kernel&lt;/li&gt;&lt;li&gt;Windows Kernel-Mode Drivers&lt;/li&gt;&lt;li&gt;Windows LDAP - Lightweight Directory Access Protocol&lt;/li&gt;&lt;li&gt;Windows Link-Layer Discovery Protocol (LLDP)&lt;/li&gt;&lt;li&gt;Windows Message Queuing&lt;/li&gt;&lt;li&gt;Windows Native WiFi Miniport Driver&lt;/li&gt;&lt;li&gt;Windows Netlogon&lt;/li&gt;&lt;li&gt;Windows Print Spooler Components&lt;/li&gt;&lt;li&gt;Windows Projected File System&lt;/li&gt;&lt;li&gt;Windows Remote Desktop&lt;/li&gt;&lt;li&gt;Windows Rich Text Edit&lt;/li&gt;&lt;li&gt;Windows Rich Text Edit Control&lt;/li&gt;&lt;li&gt;Windows SMB Client&lt;/li&gt;&lt;li&gt;Windows Secure Boot&lt;/li&gt;&lt;li&gt;Windows Storage Spaces Controller&lt;/li&gt;&lt;li&gt;Windows Storport Miniport Driver&lt;/li&gt;&lt;li&gt;Windows TCP/IP&lt;/li&gt;&lt;li&gt;Windows Telephony Service&lt;/li&gt;&lt;li&gt;Windows Volume Manager Extension Driver&lt;/li&gt;&lt;li&gt;Windows Win32K - GRFX&lt;/li&gt;&lt;li&gt;Windows Win32K - ICOMP&lt;/li&gt;&lt;/ul&gt;&lt;img src="https://www.tenable.com/sites/default/files/images/blog/8666feb4-4c51-45eb-a958-69b2c4c32e91.png" alt="A bar chart showing the count by impact of CVEs patched in the May 2026 Patch Tuesday release." 
width="833" height="419" referrerpolicy="no-referrer" loading="lazy"&gt;&lt;p&gt;Elevation of Privilege (EoP) vulnerabilities accounted for 48.3% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 24.6%.&lt;/p&gt;&lt;div class="blog-severity-alert"&gt;&lt;div class="col-sm-2 nopad"&gt;&lt;div class="blog-severity-badge critical"&gt;Critical&lt;/div&gt;&lt;/div&gt;&lt;div class="col-sm-10"&gt;&lt;h2&gt;CVE-2026-41103 | Microsoft SSO Plugin for Jira &amp;amp; Confluence Elevation of Privilege Vulnerability&lt;/h2&gt;&lt;/div&gt;&lt;div class="col-sm-12"&gt;&lt;p&gt;&lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41103"&gt;&lt;u&gt;CVE-2026-41103&lt;/u&gt;&lt;/a&gt; is an elevation of privilege vulnerability affecting Microsoft Single-Sign-On (SSO) Plugin for Jira &amp;amp; Confluence. It was assigned a CVSSv3 score of 9.1 and is rated as critical. It was assessed as "Exploitation More Likely" according to &lt;a href="https://www.microsoft.com/en-us/msrc/exploitability-index"&gt;&lt;u&gt;Microsoft's Exploitability Index&lt;/u&gt;&lt;/a&gt;. An unauthorized attacker could exploit this vulnerability during the login process by sending a specially crafted response message. Successful exploitation would allow the attacker to sign in with a forged identity, bypassing Microsoft Entra ID authentication, and to read or modify data in Jira and Confluence. 
However, that access is not unfettered: it is limited to the permissions the targeted servers grant the impersonated user.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blog-severity-alert"&gt;&lt;div class="col-sm-2 nopad"&gt;&lt;div class="blog-severity-badge important"&gt;Important&lt;/div&gt;&lt;/div&gt;&lt;div class="col-sm-10"&gt;&lt;h2&gt;CVE-2026-33841, CVE-2026-35420, CVE-2026-40369 | Windows Kernel Elevation of Privilege Vulnerabilities&lt;/h2&gt;&lt;/div&gt;&lt;div class="col-sm-12"&gt;&lt;p&gt;&lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-33841"&gt;&lt;u&gt;CVE-2026-33841&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-35420"&gt;&lt;u&gt;CVE-2026-35420&lt;/u&gt;&lt;/a&gt; and &lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-40369"&gt;&lt;u&gt;CVE-2026-40369&lt;/u&gt;&lt;/a&gt; are EoP vulnerabilities affecting the Windows Kernel. Each flaw has been assigned a CVSSv3 score of 7.8 and is rated as important. CVE-2026-33841 and CVE-2026-40369 were both assessed as "Exploitation More Likely." A local attacker could abuse them to elevate privileges to SYSTEM, or, in the case of CVE-2026-33841, to Medium/High integrity level. 
Including these three EoPs, there have been 13 disclosed Windows Kernel EoP vulnerabilities addressed so far in 2026.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blog-severity-alert"&gt;&lt;div class="col-sm-2 nopad"&gt;&lt;div class="blog-severity-badge critical"&gt;Critical&lt;/div&gt;&lt;/div&gt;&lt;div class="col-sm-10"&gt;&lt;h2&gt;CVE-2026-40361, CVE-2026-40364, CVE-2026-40366 and CVE-2026-40367 | Microsoft Word Remote Code Execution Vulnerabilities&lt;/h2&gt;&lt;/div&gt;&lt;div class="col-sm-12"&gt;&lt;p&gt;&lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-40361"&gt;&lt;u&gt;CVE-2026-40361&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-40364"&gt;&lt;u&gt;CVE-2026-40364&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-40366"&gt;&lt;u&gt;CVE-2026-40366&lt;/u&gt;&lt;/a&gt; and &lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-40367"&gt;&lt;u&gt;CVE-2026-40367&lt;/u&gt;&lt;/a&gt; are RCE vulnerabilities affecting Microsoft Word. Each of these RCEs was assigned a CVSSv3 score of 8.4 and rated as critical, though only CVE-2026-40361 and CVE-2026-40364 were assessed as “Exploitation More Likely.” An attacker could exploit these flaws through social engineering by sending a malicious file to an intended target. Successful exploitation would give the attacker code execution on the victim's system. 
Additionally, Microsoft notes that the Preview Pane is an attack vector for each of these vulnerabilities, so the target does not need to open the document for exploitation to occur.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blog-severity-alert"&gt;&lt;div class="col-sm-2 nopad"&gt;&lt;div class="blog-severity-badge critical"&gt;Critical&lt;/div&gt;&lt;/div&gt;&lt;div class="col-sm-10"&gt;&lt;h2&gt;CVE-2026-41089 | Windows Netlogon Remote Code Execution Vulnerability&lt;/h2&gt;&lt;/div&gt;&lt;div class="col-sm-12"&gt;&lt;p&gt;&lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41089"&gt;&lt;u&gt;CVE-2026-41089&lt;/u&gt;&lt;/a&gt; is an RCE vulnerability affecting Windows Netlogon, a Windows Server process used for authentication within a domain. It was assigned a CVSSv3 score of 9.8 and rated as critical. A remote, unauthenticated attacker could exploit this flaw by sending a crafted network request to a Windows server running as a domain controller. This packet could trigger a stack-based buffer overflow, allowing the attacker to execute code on an affected system. Despite the critical severity and near-perfect CVSSv3 score, this flaw was assessed by Microsoft as “Exploitation Less Likely.”&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;h2&gt;Tenable Solutions&lt;/h2&gt;&lt;p&gt;A list of all the plugins released for Microsoft’s May 2026 Patch Tuesday update can be found &lt;a href="https://www.tenable.com/plugins/search?q=%22May+2026%22+AND+script_family%3A%28%22Windows+%3A+Microsoft+Bulletins%22+OR+%22MacOS+X+Local+Security+Checks%22+OR+%22Windows%22%29&amp;amp;sort=&amp;amp;page=1"&gt;&lt;u&gt;here&lt;/u&gt;&lt;/a&gt;. 
As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.&lt;/p&gt;&lt;p&gt;For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on &lt;a href="http://www.tenable.com/blog/how-to-perform-efficient-vulnerability-assessments-with-tenable"&gt;&lt;u&gt;How to Perform Efficient Vulnerability Assessments with Tenable&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;h3&gt;Get more information&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://msrc.microsoft.com/update-guide/en-us/releaseNote/2026-May"&gt;&lt;u&gt;Microsoft's May 2026 Security Updates&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/plugins/search?q=%22May+2026%22+AND+script_family%3A%28%22Windows+%3A+Microsoft+Bulletins%22+OR+%22MacOS+X+Local+Security+Checks%22+OR+%22Windows%22%29&amp;amp;sort=&amp;amp;page=1"&gt;&lt;u&gt;Tenable plugins for Microsoft May 2026 Patch Tuesday Security Updates&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Join &lt;/strong&gt;&lt;/em&gt;&lt;a href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable's Research Special Operations (RSO) Team&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt; on Tenable Connect for further discussions on the latest cyber threats.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Learn more about &lt;/strong&gt;&lt;/em&gt;&lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable One&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt;, the Exposure Management Platform for the modern attack surface.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/microsoft-may-2026-patch-tuesday-release.png"&gt;
</description>
  <pubDate>Tue, 12 May 2026 13:42:34 -0400</pubDate>
    <dc:creator>Research Special Operations</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210900</guid>
    </item>

  </channel>
</rss>
