Introduction
This week’s cybersecurity landscape was marked by a surge in high-impact data breaches, aggressive exploitation of critical vulnerabilities, and a series of government advisories aimed at bolstering defenses across sectors. The period from Tuesday, May 26, through Monday, June 1, 2026, saw threat actors targeting major enterprises, public infrastructure, and widely used software platforms, underscoring the relentless pace and sophistication of modern cyber threats.
Major Data Breaches
Charter Communications: Massive Data Leak Impacts Millions
Charter Communications, one of the largest US telecommunications providers, suffered a significant data breach after the ShinyHunters group leaked over 13 million customer records on the dark web. Exposed data included full names, email addresses (primarily workplace domains), company and home addresses, and details from nearly 10 million customer support tickets. Additionally, records on approximately 27,000 employees—including work emails and job titles—were compromised. The breach is believed to have originated from a vishing attack that compromised an employee’s Microsoft Entra account, allowing attackers to pivot into the company’s Salesforce environment. Charter has denied that sensitive personal or proprietary network information was exfiltrated, but the leaked data poses substantial risks for social engineering and spearphishing attacks targeting both customers and staff [1][2].
- Attack vector: Vishing, credential compromise, Salesforce exploitation
- Threat actor: ShinyHunters
- Response: Charter refused ransom demands, leading to public data release; authorities notified
Trump Mobile: Pre-Order Customer Data Exposed
Trump Mobile confirmed a data breach affecting over 27,000 customers who pre-ordered the T1 smartphone. The incident was traced to a security flaw in the company’s website pre-order form, which exposed names, addresses, email addresses, order identifiers, and mobile phone numbers. No payment or highly sensitive financial data was reported as compromised. The company has implemented additional safeguards and is evaluating notification obligations [3].
- Attack vector: Web application vulnerability
- Data exposed: Personal contact details of pre-order customers
- Response: Security enhancements, customer vigilance advisories
7-Eleven: Franchisee and Customer Data Breach
7-Eleven disclosed a breach that exposed the personal information of approximately 185,000 individuals, including franchisee application records. The breach increased the risk of identity theft and phishing attacks across its North American franchise network [4].
- Attack vector: Internal system compromise
- Data exposed: Names, addresses, sensitive franchisee data
Significant Cyberattacks
LA Metro: State-Sponsored Attack Disrupts Public Transit
A disruptive cyberattack targeting the Los Angeles Metro system was attributed to Iranian state-sponsored hackers. The incident highlights the ongoing threat posed by nation-state actors to critical infrastructure in the US [5].
- Attack vector: Not publicly disclosed
- Impact: Service disruption, heightened sectoral alert
Canvas (Instructure): Ransomware Attack Disrupts Education Sector
Instructure, the parent company of the Canvas learning platform, reached an agreement with the ShinyHunters group after a ransomware attack threatened to leak data tied to nearly 275 million users across 9,000 educational institutions. The attackers claimed to have exfiltrated over 3.65 TB of data, including student records, email addresses, and private communications. The incident caused widespread disruption during a critical academic period and underscored the dilemma organizations face when negotiating with cybercriminals [6].
- Attack vector: Ransomware, data exfiltration
- Impact: Disrupted academic operations, data privacy risks
Critical Vulnerabilities
cPanel/WHM (CVE-2026-41940): Mass Exploitation and Ransomware
A critical authentication bypass vulnerability in cPanel and WebHost Manager (CVE-2026-41940, CVSS 9.8) was aggressively exploited, compromising over 40,000 servers. Attackers leveraged the flaw to gain administrative access, deploy the “SORRY” ransomware, and recruit servers into Mirai botnets. The vulnerability, stemming from a CRLF injection in session handling, was patched on April 28, but exploitation persisted due to slow patch adoption. Shadowserver and CISA issued urgent advisories, and organizations were urged to update immediately and rotate all credentials [7][2].
- Affected software: cPanel & WHM (all versions after 11.40 through 11.136.0.4)
- Remediation: Immediate patching, credential rotation, session purging
LiteSpeed cPanel Plugin (CVE-2026-48172): Root Privilege Escalation
A maximum-severity flaw (CVSS 10.0) in the LiteSpeed User-End cPanel Plugin allowed attackers to execute arbitrary scripts as root. The vulnerability, actively exploited in the wild, affected plugin versions 2.3 to 2.4.4. LiteSpeed released patches and provided indicators of compromise for detection [8].
- Remediation: Upgrade to plugin v2.4.7 or higher; remove vulnerable plugin if patching is not possible
Palo Alto GlobalProtect VPN (CVE-2026-0257): Authentication Bypass
Hackers began exploiting a critical authentication bypass flaw in Palo Alto Networks’ GlobalProtect VPN (CVE-2026-0257), targeting corporate networks. The flaw was added to CISA’s Known Exploited Vulnerabilities catalog, and organizations were urged to patch and audit VPN logs immediately [2].
- Remediation: Apply vendor patches, review authentication logs
Microsoft Defender Zero-Days
Microsoft rolled out emergency patches for two zero-day vulnerabilities in Microsoft Defender, known as UnDefend and RedSun. UnDefend allowed attackers to block antivirus updates, while RedSun enabled local privilege escalation. Both were actively exploited in the wild [9].
- Remediation: Apply latest Microsoft security updates
Government Responses
CISA and FBI: Multiple Vulnerabilities Added to KEV Catalog
The US Cybersecurity and Infrastructure Security Agency (CISA) added several actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by specified deadlines. Notable additions included:
- Drupal Core (CVE-2026-9082): Critical SQL injection flaw exploited in large-scale campaigns, affecting thousands of sites globally.
- Trend Micro Apex One (CVE-2026-34926): Directory path traversal flaw under active exploitation.
- Ghost CMS (CVE-2026-26980): SQL injection vulnerability used in widespread malware campaigns [2].
The FBI also issued a formal warning about the Silent Ransom Group (Luna Moth) intensifying attacks on US law firms, employing callback phishing and social engineering to steal sensitive legal data.
Miscellaneous & Industry Trends
AI Arms Race in Cybersecurity
The week saw continued debate over the role of AI in both offensive and defensive cybersecurity. Microsoft’s MDASH and Anthropic’s Claude Mythos models are driving rapid advances in vulnerability detection, but also enabling attackers to discover and weaponize flaws at unprecedented speed. Experts warn that organizations must invest in network segmentation and containment strategies to limit the impact of inevitable breaches [6].
Federal Procurement Overhaul
A new White House directive (M-26-10) mandates centralized IT procurement oversight across federal agencies, aiming to eliminate redundant software purchases and enhance cybersecurity governance. While the move promises efficiency and cost savings, experts caution that it could introduce bottlenecks if not managed with streamlined review processes [6].
Conclusion
This week’s events highlight the critical importance of rapid patch management, robust incident response, and proactive network segmentation. As attackers leverage both technical vulnerabilities and social engineering, organizations must remain vigilant, prioritize timely remediation, and foster a culture of cybersecurity resilience.
Sources:
- Cybernews: Charter Data Breach
- Cybernews: Trump Mobile Data Breach
- BleepingComputer: 7-Eleven Data Breach
- SecurityWeek: LA Metro Cyberattack
- Carthage Electronics: Zero-Day Threat Report
- The Hacker News: LiteSpeed cPanel Plugin Exploit
- Innovate Cybersecurity: Top 10 Cybersecurity News
- RS Web Solutions: Key Cybersecurity Headlines
