Tenable Blog

Discover how continuous control validation in Tenable One can improve your CTEM program by filtering out alert noise and factoring in your active cyber defenses. Focus your team on accessible and exploitable attack paths. 

Key takeaways:

1. With vulnerability exploitation ranking as the top initial access vector and frontier AI accelerating vulnerability discovery, organizations must shift from managing theoretical cyber risks to validating actual, accessible exposure.
    
2. Tenable One maps active security controls including EDR, MFA, and firewalls directly onto potential attack paths, allowing teams to automatically deprioritize weaknesses that existing defenses already neutralize.
    
3. Ingesting penetration testing results via the Tenable One Open Connector allows organizations to layer real-world attack simulations over real-time exposure insights to identify toxic risk combinations that threaten critical assets.

Your security tools probably indicate you have thousands, perhaps tens or hundreds of thousands, of vulnerabilities across your environment. Maybe your tools prioritize these vulnerabilities based on CVSS scores or other criteria, but how do you know which vulnerabilities combine with other preventable security risks, like misconfigured cloud buckets and identity weaknesses, to create attack paths threat actors could realistically traverse? How do you validate which vulnerabilities an existing security control mitigates? You need this context to distinguish the real risks from the theoretical ones to ensure your team focuses on remediating what matters most. 

The work of validating, prioritizing, and remediating vulnerabilities alongside other security weaknesses to understand the true exposure they create has become much more urgent, as frontier AI models accelerate vulnerability discovery. In this environment, the traditional patch-based defense model will get crushed. Moreover, defenders cannot afford inaccurate decision-making and wasted remediation work that addresses low-priority vulnerabilities. They desperately need the context and validation that a continuous threat exposure management (CTEM) program provides.

This is why security leaders are evolving their vulnerability management programs to exposure management programs. Exposure management allows you to continually assess your attack surface, prioritize risks, and orchestrate automated remediation of security weaknesses at machine speed. 

Exposure management also helps validate which exposures attackers can actually reach by understanding the accessibility and exploitability of an attack path. It uses validation to shift your organization from managing theoretical risks to executing on actual exposure. 

Validation is one of the five steps in the CTEM lifecycle. It is the process of providing consistent, continuous, and automated evidence of an attack’s feasibility. It stress-tests your defenses against real-world attack conditions, using your own environment’s controls and configurations to confirm whether an exposure is genuinely reachable and exploitable. 

Validation moves security from a reactive “patch everything” mindset to a preemptive, evidence-based exposure strategy. It continuously confirms which weaknesses your existing defenses have already blocked and surfaces the ones that demand immediate attention.

Validation isn’t new to Tenable: we’ve been using validation techniques in Tenable solutions for more than 25 years. Tenable developed nearly 3,000 direct check plugins to actively probe a vulnerability and prove its exploitability in situations where software version detection isn’t sufficient for our high-accuracy standards. These plugins actually mimic attack techniques and monitor the target’s response to confirm the presence of the vulnerability.

What is new in Tenable One is the addition of continuous control validation in the platform. By factoring in your active security controls, Tenable One helps eliminate the noise of theoretically exposed assets that are functionally blocked from exploitation. Security teams can visually map their active prevention and detection controls directly onto potential attack paths, automatically prioritizing weaknesses that existing controls already neutralize. Analysts can also filter top attack paths based on the presence of security controls and whether you can prevent attack chains for faster triage and investigation.

Common control validation examples include:

• Endpoint detection and response (EDR) tools that block Local Security Authority Subsystem Service (LSASS) memory dump tools used to harvest credentials.
• Multi-factor authentication (MFA) methods that prevent unauthorized access via password guessing, password spraying, or credential stuffing.
• Firewall and data loss prevention (DLP) tools that prevent data exfiltration by detecting data staging and enforcing egress rules.

See how continuous control validation works in Tenable One.

Beyond direct check plugins and continuous control validation, security teams can also integrate penetration testing results into Tenable One that simulate real-world attacks against your cyber defenses. This is another way to validate which exposures are truly exploitable and contextualizes them against your broader attack surface. 

The Tenable One Open Connector makes it easy to ingest the latest pentest results and layer them with real-time exposure insights to turn your findings into active, continuous defenses. Integrating pentest data into an exposure management program adds critical context to help you understand toxic risk combinations and enrich your understanding of high-severity weaknesses that threaten your most critical business assets. 

In the AI era, your security team can’t waste precious time on the wrong issues. With exposure management, context is essential to pinpoint the most critical risks to your organization. Security control validation, coupled with asset criticality, threat activity, entitlement privileges, and attack pathways, give your security team the advantage it needs to stay ahead of threat actors.

Learn more about Tenable One, the exposure management platform for the modern attack surface.

CISA issued BOD 26-04, which replaces BOD 22-01 with a four-variable vulnerability prioritization model requiring federal agencies to patch the most dangerous vulnerabilities in as few as three days.

1. BOD 26-04 replaces BOD 22-01 with a four-variable risk model that assigns graduated remediation timelines, from as few as three days with mandatory forensic triage for the most dangerous vulnerabilities to full deferral for the lowest-risk ones, ending the era of flat, one-size-fits-all patching deadlines for federal agencies.
    
2. The transition represents a significant operational lift at a time when AI is compressing the window between vulnerability disclosure and weaponization, and industry remediation rates are declining: only 26% of KEV vulnerabilities were fully remediated in 2025 according to the 2026 Verizon DBIR, down from 38% the prior year.
    
3. Organizations that have invested in continuous asset discovery, risk-based prioritization, and exposure management are well positioned to operationalize the directive’s four-variable model. Those still relying on periodic scanning and CVSS-based prioritization face a significant gap between current capability and compliance requirements.

On June 10, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 26-04, “Prioritizing Security Updates Based on Risk.” BOD 26-04 represents a fundamental shift in how federal agencies are expected to manage vulnerabilities. Rather than treating every known exploited vulnerability (KEV) with the same remediation deadline, the new directive introduces a graduated model that accounts for asset exposure, exploitation evidence, adversary automation capability, and technical impact severity. The result is a 16-tier remediation matrix where the most dangerous vulnerabilities must be patched within three days (with mandatory forensic triage), while lower-risk vulnerabilities can be deferred to the next system upgrade cycle.

Tenable applauds this directive, which replaces both BOD 22-01 (Reducing the Significant Risk of Known Exploited Vulnerabilities, November 2021) and BOD 19-02 (Vulnerability Remediation Requirements for Internet-Accessible Systems, April 2019). It is directionally correct in Tenable’s view, and it represents a significant improvement upon its predecessors, as it consolidates seven years of federal vulnerability remediation policy into a single, risk-weighted framework. More importantly, it aligns with the risk-based, exposure-driven approach to vulnerability management that Tenable has championed as the originator of the exposure management paradigm. For years, Tenable’s Research Special Operations (RSO) team has maintained the position that defenders must move beyond volume-based patching toward intelligent prioritization grounded in real-world exploitation evidence, asset context, and threat actor intelligence. BOD 26-04 codifies that position as federal policy.

BOD 26-04 is a binding operational directive from CISA that requires all Federal Civilian Executive Branch (FCEB) agencies to prioritize vulnerability remediation based on a four-variable risk model. Unlike its predecessor BOD 22-01, which assigned flat remediation timelines to all vulnerabilities in the KEV catalog, BOD 26-04 evaluates each vulnerability against four criteria and assigns a remediation deadline based on the specific combination of risk factors present.

The directive is mandatory for federal agencies but not for the private sector. However, CISA explicitly encourages private sector adoption, and the track record of BOD 22-01 suggests the framework will become a de facto standard across industries. BOD 22-01’s KEV catalog is already used by organizations worldwide as a prioritization signal, and BOD 26-04’s more sophisticated model will likely follow the same adoption curve.

BOD 26-04 determines remediation urgency using four binary variables:

1. Publicly exposed - Is the vulnerable asset reachable from outside the agency network via a routable IP address? This is the only variable agencies must determine themselves.
2. In the KEV - Is the CVE listed in CISA’s Known Exploited Vulnerabilities catalog? This confirms real-world exploitation.
3. Automatable by adversary - Can an attacker automate all the steps necessary to exploit the vulnerability? This assesses weaponization maturity.
4. Technical impact - Does exploitation give attackers total control of the affected system or only partial control?

CISA publishes the answers to variables two, three, and four for every CVE through its Vulnrichment Program. Agencies must determine variable one (public exposure) using their own asset inventory and CISA’s Internet Exposure Reduction Guidance.

Table 1 in Appendix A of the directive maps all 16 possible combinations of the four binary variables to specific remediation deadlines across five tiers:

• Three days with forensic triage - Required when a vulnerability is in the KEV and yields total system control (regardless of whether the asset is publicly exposed or the exploit is automatable). This is the most aggressive vulnerability management timeline in federal directive history. The forensic triage component requires agencies to assess whether their systems have already been compromised.
• Three days (without forensic triage) - Required for certain high-risk combinations, such as a publicly exposed asset with an automatable vulnerability yielding total control, even if the CVE is not yet in the KEV.
• 14 days - The standard accelerated timeline for most KEV-listed vulnerabilities and several high-risk non-KEV combinations.
• 60 days - Applied to lower-risk combinations, such as non-exposed assets with automatable but partial-control vulnerabilities.
• Fix on system upgrade - Applied when no risk criteria are met. This is the deferral tier, and it represents a significant operational relief for agencies: vulnerabilities that meet none of the four criteria can wait for the next scheduled upgrade cycle.

Timelines are dynamic. If an agency removes a system from public internet exposure, the applicable timeline shifts to a longer window. Conversely, if CISA adds a vulnerability to the KEV catalog, the remediation timeline accelerates immediately.

In an initial analysis at one large civilian agency, CISA found that only 1% of vulnerability instances fell into the three-day category, while over 60% qualified for deferral to the next system upgrade. The model is designed to focus resources, not overwhelm them.

1. BOD 26-04 revokes and replaces BOD 22-01 entirely. The key differences are substantial:
2. BOD 22-01 applied a flat remediation timeline to every vulnerability in the KEV catalog (14 days for CVEs assigned after 2021, six months for older CVEs). BOD 26-04 replaces this with a graduated model where KEV status is one of four variables, not the sole determinant of urgency. A KEV vulnerability on an internal system with partial control and no automation capability now receives 14 days, while the same KEV on a publicly exposed system with full automation and total control receives just three days with mandatory forensic triage.
3. BOD 22-01 had no deferral mechanism. Every KEV required action. BOD 26-04 introduces the “fix on system upgrade” tier for vulnerabilities that meet none of the four risk criteria, allowing agencies to focus on the ones that matter most rather than chasing every vulnerability with equal urgency.
4. BOD 22-01 had no forensic triage requirement. BOD 26-04 introduces mandatory forensic analysis for the highest-risk tier, recognizing that when a vulnerability is actively exploited and yields total system control, patching alone is insufficient: organizations need to determine whether they’ve been compromised.
5. The underlying methodology also shifts. BOD 22-01 relied primarily on the KEV catalog and CVSS scoring. BOD 26-04 is informed by CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC) system, which provides a more nuanced, risk-informed vulnerability analysis methodology.

Two converging factors drove the directive. The first is the deteriorating effectiveness of traditional vulnerability management. Citing the 2026 Verizon Data Breach Investigations Report, CISA’s blog post accompanying the directive notes that only 26% of KEV-listed vulnerabilities were fully remediated by organizations in 2025, a decline from 38% the previous year. Meanwhile, the median time to fully resolve vulnerabilities rose to 43 days. In an environment where exploitation can occur within hours of disclosure, the remediation gap is widening.

The second factor is artificial intelligence. CISA explicitly states that AI is accelerating both vulnerability discovery and weaponization, narrowing the window of time that exists between vulnerability disclosure and exploitation. The directive aligns with priorities in the recent AI Executive Order, Promoting Advanced Artificial Intelligence Innovation and Security. As AI-enabled tools make it easier for adversaries to identify, weaponize, and deploy exploits at scale, the traditional “patch everything eventually” approach becomes untenable. Defenders need a framework that tells them what to patch first, and BOD 26-04 provides the framework enabling them to prioritize on an accelerated timeframe.

This is a challenge Tenable’s Research Special Operations (RSO) team has been tracking closely. The intersection of an AI-enabled threat landscape with already-declining remediation effectiveness creates a compounding problem: adversaries are getting faster while defenders fall farther behind. BOD 26-04 is a necessary policy response to this environment.

While BOD 26-04 is mandatory only for FCEB agencies, its influence extends well beyond the federal government. BOD 22-01’s KEV catalog became the most widely adopted vulnerability prioritization signal in the industry, used by private sector organizations, state and local governments, critical infrastructure operators, and international allies. BOD 26-04’s four-variable model will likely follow the same trajectory.

Organizations should evaluate the directive’s framework as a model for their own exposure management programs. The four variables (asset exposure, exploitation evidence, automation potential, and technical impact) represent a defensible, data-driven approach to prioritization that any organization can adopt. For organizations in regulated industries, federal supply chains, or critical infrastructure sectors, aligning with BOD 26-04’s framework before it becomes an industry expectation is a strategic advantage.

This directive represents a significant operational lift. BOD 22-01 was conceptually simple: if a CVE is in the KEV, patch it within the specified window. BOD 26-04 requires agencies to operationalize a four-variable decision model, which means they need answers to four questions for every vulnerability on every asset in their environment, and they need those answers continuously.

The compliance deadlines are aggressive. Agencies must immediately update their vulnerability management policies. Within 60 days (approximately August 2026), they must update their processes for remediating common vulnerabilities per the new tiered model. Within 180 days (approximately December 2026), they must meet the full remediation timelines defined in Table 1. CISA will also publish machine-level asset tagging data requirements within 60 days.

The most demanding new requirement is the combination of continuous asset exposure identification (variable one) with dynamic timeline tracking. An asset that moves from internal to publicly exposed shifts its remediation deadline immediately. An agency that cannot maintain real-time visibility into which assets are internet-facing cannot comply with the directive’s graduated and dynamic timelines.

This is where the right technology platform makes the difference. Organizations that have invested in continuous asset discovery, risk-based vulnerability prioritization, and exposure management capabilities are positioned to operationalize BOD 26-04 efficiently. Those still relying on periodic scanning and CVSS-based prioritization face a significant gap between their current capabilities and what the directive demands.

BOD 26-04 arrives at a critical moment. Artificial intelligence is accelerating adversaries' workflows at every stage: vulnerability discovery, exploit development, target selection, and operational execution. CISA acknowledges this directly, citing AI-driven vulnerability discovery as a motivating factor for the directive.

The implications are sobering. The 2026 Verizon DBIR data shows defenders already falling behind even at the current pace of vulnerability exploitation. As AI compresses the time from vulnerability disclosure to weaponization, the 43-day median remediation time becomes not just inadequate but dangerous. Agencies and organizations implementing BOD 26-04 will be doing so against a backdrop of accelerating threat velocity.

The operational reality is that manually evaluating four variables across thousands of vulnerabilities on thousands of assets, on a continuous basis, does not scale with human analysts alone. The organizations best positioned to meet BOD 26-04’s accelerated timelines will be those whose platforms can ingest Vulnrichment data, correlate it against asset exposure in real time, and surface the vulnerabilities that require three-day action versus those that can wait for the next upgrade cycle. 

The parallel challenge is real: organizations must simultaneously transition to a new compliance framework and adapt to a threat landscape that is evolving faster than their current processes can handle. The organizations best positioned to succeed are those with platforms that already operationalize risk-based prioritization, continuous asset discovery, and AI-assisted decision-making.

Organizations should take three immediate steps:

1. Audit your current vulnerability management posture against the four-variable model. Can you identify which assets are publicly exposed? Do your tools integrate KEV status into prioritization decisions? Can you assess exploit automation potential and technical impact for the vulnerabilities in your environment? If you can answer these questions today, you are well positioned for BOD 26-04. If you cannot, the 60-day process update deadline creates urgency.
2. Prepare for the BOD 22-01 to BOD 26-04 transition. If your organization has built compliance workflows around BOD 22-01, those workflows reference a revoked directive. Begin updating policies, dashboards, and reporting to reflect the four-variable model. The immediate policy update requirement means this work should start now, not at the 60-day mark.
3. Assess your forensic triage readiness. For the highest-risk tier (KEV + total control), BOD 26-04 requires agencies to conduct forensic triage alongside remediation within three days. This means organizations need the ability to identify not just what is vulnerable, but what may already be compromised. Evaluate whether your current tooling provides the threat attribution and detection context needed to support forensic triage.

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about the Tenable One Exposure Management Platform.

• CISA BOD 26-04: Prioritizing Security Updates Based on Risk
• June 2026 AI Executive Order: What federal agencies need to know and how Tenable can help
• CISA: Patch Smarter, Not Harder
• CISA Known Exploited Vulnerabilities Catalog
• Verizon 2026 Data Breach Investigations Report

1. 32Critical
2. 166Important
3. 0Moderate
4. 0Low

Microsoft addresses 198 CVEs in the largest Patch Tuesday release, including three zero-days.

Microsoft patched 198 CVEs in its June 2026 Patch Tuesday release, with 32 rated critical and 166 rated as important. Our counts omitted 6 CVEs that were already addressed by Microsoft via servicing and do not require additional customer action to resolve as well as 2 CVEs that were disclosed by other CNAs (CVE-2025-10263 and CVE-2026-8863). This Patch Tuesday release is the largest release since the Patch Tuesday program began, smashing the previous record of 167 CVEs in the October 2025 Patch Tuesday release.

This month’s update includes patches for:

• .NET
• ASP.NET Core
• Active Directory Domain Services
• Azure HorizonDB
• Azure Stack Edge
• Copilot Chat (Microsoft Edge)
• Function Discovery Service (fdwsd.dll)
• GitHub Copilot and Visual Studio Code
• HTTP/2
• Linux MANA Driver
• M365 Copilot
• Microsoft Azure Attestation service and Device Health Attestation Service
• Microsoft Azure Kubernetes Service
• Microsoft Bing
• Microsoft Copilot
• Microsoft Defender for Endpoint
• Microsoft Dynamics 365 (on-premises)
• Microsoft Exchange Online
• Microsoft Exchange Server
• Microsoft Graph
• Microsoft Graphics Component
• Microsoft Kinect
• Microsoft Live Share Canvas SDK
• Microsoft Office
• Microsoft Office Click-To-Run
• Microsoft Office Excel
• Microsoft Office Project
• Microsoft Office SharePoint
• Microsoft Office Word
• Microsoft PC Manager
• Microsoft PowerToys
• Microsoft Teams for Android
• Microsoft UxTheme Library (uxtheme.dll)
• Microsoft Windows DNS
• Nuance PowerScribe
• Office for Android
• Remote Desktop Client
• Role: Windows Hyper-V
• UI Automation Manager (uiamanager.dll)
• Universal Plug and Play (upnp.dll)
• Visual Studio Code
• Windows Administrator Protection
• Windows Ancillary Function Driver for WinSock
• Windows Application Identity (AppID) Subsystem
• Windows BitLocker
• Windows Bluetooth Port Driver
• Windows Bluetooth Service
• Windows Boot Manager
• Windows Collaborative Translation Framework
• Windows Common Log File System Driver
• Windows Cryptographic Services
• Windows DHCP Client
• Windows DHCP Server
• Windows DWM Core Library
• Windows Deployment Services
• Windows HTTP.sys
• Windows Hotpatch Monitoring Service
• Windows Hyper-V
• Windows Internet (wininet.dll)
• Windows Kerberos
• Windows Kernel
• Windows Kernel-Mode Drivers
• Windows Mark of the Web (MOTW)
• Windows Media
• Windows NT OS Kernel
• Windows NTFS
• Windows Narrator Braille
• Windows Network Controller (NC) Host Agent
• Windows Performance Monitor
• Windows Program Compatibility Assistant Service
• Windows Projected File System Filter Driver
• Windows Push Notifications
• Windows RDP
• Windows SDK
• Windows Secure Boot
• Windows Shell
• Windows Storage
• Windows TCP/IP
• Windows Telephony Service
• Windows UEFI
• Windows Universal Disk Format File System Driver (UDFS)
• Windows Win32K - GRFX
• Winlogon

Elevation of Privilege (EoP) vulnerabilities accounted for 31.8% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 27.3%.

CVE-2026-50507 is a security feature bypass vulnerability affecting Windows BitLocker. It received a CVSSv3 score of 6.8 and is rated as important. It was publicly disclosed prior to a patch being available and assessed as “Exploitation More Likely” according to Microsoft's Exploitability Index.

According to Microsoft, an attacker with physical access to the system could bypass the BitLocker Device Encryption feature in order to gain access to the device's encrypted data. This vulnerability appears to be the flaw known as Bitskrieg and a collaboration between Chaotic Eclipse (Nightmare Eclipse) and Jonas L.

CVE-2026-49160 is a denial of service (DoS) vulnerability affecting HTTP.sys. It received a CVSSv3 score of 7.5 and is rated as important. It was assessed as “Exploitation More Likely” and publicly disclosed prior to a patch being available. According to the advisory, this DoS affects HTTP/2. The advisory notes that this update adds a MaxHeadersCount registry setting which can be used to limit the number of headers included in HTTP/2 and HTTP/3 requests.

Dubbed HTTP/2 Bomb by researchers at Calif, which is credited by Microsoft for reporting the DoS, their blog describes the technical details and provides a proof-of-concept which can be used to test web servers against this vulnerability. As noted in the blog post, at the time it was released, Microsoft had not yet released patches.

CVE-2026-45586 is an EoP vulnerability affecting Windows Collaborative Translation Framework (CTFMON), a process that supports voice and handwriting recognition. It was assigned a CVSSv3 score of 7.8 and rated as important. This EoP flaw was one of three zero-days disclosed prior to patches being made available. Successful exploitation would grant an attacker SYSTEM privileges and Microsoft has assessed this vulnerability as “Exploitation More Likely.”

CVE-2026-42909, CVE-2026-42913, CVE-2026-42985, CVE-2026-42992, CVE-2026-42993, CVE-2026-44799, CVE-2026-44801, CVE-2026-47289, CVE-2026-47653, CVE-2026-47654 and CVE-2026-48563 are RCE vulnerabilities affecting Remote Desktop Client. CVSSv3 scores ranged from 8.8 (CVE-2026-42985, CVE-2026-47289 and CVE-2026-47653) to 7.5 and seven were rated as critical while CVE-2026-42993, CVE-2026-42909, CVE-2026-47653 and CVE-2026-42913 were rated as important. Successful exploitation would require a victim to connect to an attacker controlled server using an affected version of the Remote Desktop Client. This action could trigger a heap-based buffer overflow, resulting in remote code execution.

While no public details have been released about these vulnerabilities as of June 9, Microsoft has assessed CVE-2026-42985 as “Exploitation More Likely” while the other CVEs were classified as either “Exploitation Unlikely” or “Exploitation Less Likely.” Patches are available for supported versions of Windows and Windows Server.

While these updates were released prior to the Patch Tuesday release on June 9, they were outside the window for the May release and are noted here as they are significant.

CVE-2026-41091 is an EoP vulnerability in Microsoft Defender. It received a CVSSv3 score of 7.8 and is rated important. An unprivileged attacker could exploit this vulnerability by writing a specially crafted file to a privileged location. Successful exploitation would result in Microsoft Defender writing the file back to the privileged location, gaining privileges as SYSTEM.

According to reports, CVE-2026-41091 is RedSun, a zero-day vulnerability disclosed by a researcher named Chaotic Eclipse or Nightmare Eclipse on April 15, 2026. This researcher has also published several additional zero-days recently, including BlueHammer (CVE-2026-33825), GreenPlasma, MiniPlasma and collaborated on Bitskrieg (CVE-2026-50507). It has since been exploited in the wild and added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (CISA KEV) catalog on May 20.

CVE-2026-45585 is a security feature bypass vulnerability affecting Windows BitLocker. It received a CVSSv3 score of 6.8 and is rated as important. This vulnerability is known as YellowKey, named by the researcher known as Chaotic Eclipse or Nightmare Eclipse.

A proof-of-concept (PoC) was made public on May 13, prompting Microsoft to publish the original advisory and CVE identifier on May 19th, offering mitigation guidance.

Exploitation does require physical access to the device, however Microsoft has assessed this vulnerability as “Exploitation More Likely.”

A list of all the plugins released for Microsoft’s June 2026 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

• Microsoft's June 2026 Security Updates
• Tenable plugins for Microsoft June 2026 Patch Tuesday Security Updates

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

On June 2, 2026, the White House signed an Executive Order directing federal agencies to harden their systems with AI-enabled cyber defenses and to stand up a new AI cybersecurity clearinghouse — most of it on a 30-day clock. Here’s what the EO requires and how Tenable can help.

• The new AI Security Executive Order will require national security and civilian federal agencies to prioritize cyber defenses to account for new frontier AI model capabilities.
   
• Tenable is well positioned to help federal agencies gain visibility across their environments, including AI assets, and to prioritize the vulnerabilities and other exposures that pose the highest risk; Tenable AI-enabled exposure management capabilities can help support vulnerability remediation and automate multi-step remediation workflows.
   
• The vulnerability and patching clearinghouse which will be developed under the Executive Order will require strong engagement from private sector partners, including Tenable, to drive actionable insights on AI-associated vulnerabilities and mitigation prioritization.

On June 2, 2026, the President signed an Executive Order (EO) titled “Promoting Advanced Artificial Intelligence Innovation and Security.” The direction is clear and the calls to action are fast-moving. Within 30 days: 

• Federal agencies must begin hardening their information systems with AI-enabled cyber defenses.
• CISA must issue new directives or guidance for civilian agencies.
• The Department of the Treasury (Treasury), with the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), must stand up a new AI cybersecurity clearinghouse focused on finding and fixing software vulnerabilities. 

Within 60 days, Treasury, with the Department of War (DoW), NSA and CISA, in consultation with the White House and other agencies, must establish a classified benchmarking process to assess the capabilities of frontier AI models through voluntary collaboration with AI developers.

While the Executive Order applies to U.S. federal agencies, the need to prepare for changes in the threat landscape brought about by the advanced cyber capabilities of frontier AI models applies to any organization that needs to manage cyber risk. Here’s a breakdown of what the AI EO requires, the deadlines that matter, and where Tenable fits.

The EO’s operative provisions sit in Section 2 (“Upgrading American systems for advanced AI”) and Section 3 (“Secure frontier model deployment”). The cybersecurity core is in Section 2.

National security and defense systems. The Committee on National Security Systems must prioritize the cyber defense of National Security Systems (NSS) and the Secretary of War must do the same for DoW information systems (Section 2(a) and 2(b)).

Civilian federal systems and critical infrastructure. CISA, in consultation with the Office of Management and Budget (OMB), the Assistant to the President for National Security Affairs, and the National Cyber Director, must release Binding Operational Directives (BODs) “and other guidance as appropriate” to:

• Expedite and prioritize the cyber defense of civilian federal information systems.
• Establish or expand federal programs and services that enhance AI-enabled defensive tools.
• Facilitate access to cybersecurity tools and services, including where appropriate, covered frontier models, for agencies, state and local authorities, and critical infrastructure operators such as rural hospitals, community banks, and local utilities.

Worth noting, while the EO directs CISA to release BODs or other guidance for federal civilian agencies, the specific implementation directives are not yet known (Section 2(c)).

The AI cybersecurity clearinghouse. The Secretary of the Treasury, with the National Cyber Director, NSA, and CISA, must form an AI cybersecurity clearinghouse, in voluntary collaboration with the AI industry and critical infrastructure operators. The EO tasks the clearinghouse with three concrete functions, per Section 2(d): 

• Coordinate and deconflict scanning for software vulnerabilities
• Discover and validate those vulnerabilities
• Coordinate and prioritize the remediation and distribution of vulnerability patches. 

Grant funding for AI vulnerability detection. OMB, with the National Cyber Director and CISA, must determine whether existing federal grant programs have funding that can be directed toward applicants developing advanced AI vulnerability detection (Section 2(e)).

Cybersecurity workforce. The Office of Personnel Management must expand hiring and placement pathways for cybersecurity specialists through the United States Tech Force (Section 2(f)). 

Secure frontier model deployment. Treasury, NSA, and CISA, in consultation with NIST and others, must develop a classified benchmarking process to assess the advanced cyber capabilities of AI models. They must also set the threshold for designating a “covered frontier model,” and design a voluntary framework through which developers can give the government up to 30 days of pre-release access to those models. The Executive Order is explicit that it does not create any mandatory licensing, preclearance, or permitting requirement for AI models (Section 3).

Criminal enforcement. The EO directs the Attorney General to prioritize enforcement against those who use AI to illegally access or damage computer systems (Section 4).

For federal cybersecurity leaders, this is less a future-state policy document than a near-term planning trigger. Watch for CISA’s issuance of BODs and other guidance, and for readouts on the clearinghouse, during June and July.

The EO’s center of gravity — finding software vulnerabilities, validating them, prioritizing them, and driving remediation — is the work Tenable's platform is built to do. While the AI Executive Order focuses on vulnerability discovery, validation, prioritization, and remediation, the benefit of the Tenable One Exposure Management Platform is that it addresses vulnerabilities alongside other security weaknesses, including misconfigurations of AI systems and overpermissioned AI agents, to serve as the system of action for mitigating cyber exposure and reducing cyber risk across organizations’ expanding attack surfaces. Below, learn how specific Tenable capabilities map to the EO’s requirements.

Sections 2(a) through 2(d) turn on the ability to find vulnerabilities across a wide range of systems continuously. Tenable One Vulnerability Management and Tenable Security Center provide network-based and agent-based assessment across IT assets, with credentialed scanning for greater depth. Tenable One Cloud Exposure extends that visibility to cloud workloads and configurations, and Tenable One Attack Surface Management maps internet-facing assets that agencies may not know they have. 

For agencies operating classified or air-gapped environments — relevant to the National Security Systems named in Section 2(a) — Tenable Enclave Security is built to run vulnerability and configuration assessment inside those boundaries.

Section 2(d) doesn’t only call for discovering vulnerabilities — it calls for prioritizing them for remediation. That distinction matters because no agency can patch everything at once.

Tenable’s Vulnerability Priority Rating (VPR) uses machine learning, trained on the company’s corpus of more than 1.7 trillion security findings accumulated over more than 25 years of continuous scanning, to forecast which vulnerabilities are most likely to be exploited, so defenders can focus on the smaller set that represents real, immediate risk. By leveraging AI-generated features and expert intelligence from Tenable's Research Special Operations team, VPR helps organizations pinpoint the critical 1.6% of vulnerabilities that represent actual business risk. Tenable also ingests CISA’s Known Exploited Vulnerabilities (KEV) catalog — the continuously updated, authoritative list of Common Vulnerabilities and Exposures (CVEs) under active exploitation — directly into prioritization, aligning remediation guidance to the same source CISA uses to track risk across the federal enterprise. 

Section 2(c) directs CISA to establish or expand programs that enhance AI-enabled defensive tools. As frontier AI models accelerate the rate at which vulnerabilities can be discovered and exploited, the traditional window for manual remediation is rapidly closing. The June 2026 AI Executive Order recognizes this shift, directing federal agencies to counter machine-speed threats with AI-enabled cyber defenses within 30 days.

Tenable Hexa AI, the agentic engine of the Tenable One Exposure Management Platform, is designed to help counter machine-speed threats, supercharge productivity, and accelerate risk reduction by automating multi-step remediation workflows. Security teams can leverage pre-built agents directly in the user interface or build custom agents via the Model Context Protocol (MCP), turning exposure intelligence into decisive action at machine speed. 

At the same time, as agencies build custom models or adopt third-party tools like ChatGPT and Copilot, they fundamentally expand their attack surface. It is now critical to protect enterprise AI, shadow AI, training data, and underlying infrastructure from emerging threats like adversarial attacks, data poisoning, and model theft. Tenable secures this expanding attack surface with Tenable One AI Exposure, which is designed to help agencies see, manage, and control the risks introduced by generative AI. Tenable One AI Exposure allows agencies to discover and inventory AI tools and libraries, and apply AI usage policies across the environment — a growing requirement as agencies adopt AI and need to account for it as part of their attack surface. By addressing critical supply chain vulnerabilities and a lack of identity controls, Tenable actively closes the growing AI exposure gap to ensure agencies can adopt new technologies without introducing unmanaged business risk. 

Recognized by Gartner as the company to beat for AI-powered exposure assessment, Tenable has cemented its role as the go-to platform for organizations looking to stay ahead of risk in an increasingly AI-driven threat environment. 

The vulnerability and patching clearinghouse provision is arguably the most operationally consequential requirement in the AI Executive Order because it describes a capability, not a policy: the need to coordinate vulnerability scanning, discover and validate vulnerabilities, and prioritize remediation. That is the work the Tenable One platform and research organization are built to do, and the AI-enabled dimension of that work is already in production.

For scanning at scale, the Tenable platform (including Tenable One Vulnerability Management, Tenable Security Center, Tenable Nessus, Tenable One Cloud Exposure, and Tenable One OT Exposure) handles millions of daily scans across critical infrastructure using non-intrusive methods, which is essential for avoiding disruption in government environments.

In vulnerability discovery and validation, Tenable Research has publicly disclosed over 450 zero-day vulnerabilities and tracks 1,000 zero-days tagged all-time. Additionally, the Tenable Research team tracks more than 2,000 vulnerabilities which have been verified to be exploited in the wild. The team uses a hybrid intelligence model that combines expert analysis with large language models, resulting in a curated library of over 11,000 CVEs enriched with exploitation evidence and threat actor links and that operates independently of the National Vulnerability Database (NVD).

For vulnerability prioritization and remediation, Tenable's Vulnerability Priority Rating (VPR) provides an advantage by not relying on NVD severity scores, a key consideration given recent changes limiting NVD enrichment. Tenable Research consistently identifies actively exploited vulnerabilities a median of seven days before they appear on CISA’s Known Exploited Vulnerabilities catalog. In addition, Tenable Hexa AI automates remediation workflows, and Tenable One AI Exposure helps agencies inventory AI tools and libraries, addressing the expanding attack surface.

Section 2(c)(iii) directs CISA to facilitate access to cybersecurity tools for rural hospitals, community banks, and local utilities. Note the verb facilitate: this is an access-and-incentive provision, not a mandate imposed on those operators. Many of these organizations have historically lacked the budget and staff for enterprise-grade vulnerability management.

Tenable One OT Exposure is built for the operational technology environments common in utilities and healthcare delivery, including industrial control systems and SCADA networks. It has been listed on CISA’s Continuous Diagnostics and Mitigation (CDM) Approved Products List since October 2021. Tenable's research into threat activity targeting operational technology at water and energy utilities gives these operators current, actionable context for the risks this provision is meant to address.

Section 2(e) directs OMB to identify federal grant funding that can be steered toward advanced AI vulnerability detection. Several existing programs already fund this kind of work, including the State and Local Cybersecurity Grant Program (SLCGP) and the Department of Energy's Rural and Municipal Utility Advanced Cybersecurity Grant (RMUC) program. Tenable solutions help fulfill SLCGP requirements, and Tenable works with public sector customers and channel partners to align purchases to available grant funding. 

The June 2026 Executive Order moves AI policy toward operational cybersecurity, and it does so on a short clock. The provisions that matter most — continuous detection, validation, risk-based prioritization, and remediation — describe the discipline of exposure management. Agencies that already have those practices and tools in place will be best positioned to meet the EO’s requirements as CISA, Treasury, and OMB translate it into specific directives, programs, and funding over the coming weeks.

Tenable resources:

• Exposure Management for federal government agencies
• Tenable One Exposure Management Platform
• Tenable One Vulnerability Management
• Tenable One OT Exposure
• Tenable Vulnerability Priority Rating (VPR) Solution Overview

Government resources:

• Executive Order, "Promoting Advanced Artificial Intelligence Innovation and Security" (June 2, 2026)
• President Trump's Cyber Strategy for America (March 2026)
• CISA Known Exploited Vulnerabilities Catalog
• State and Local Cybersecurity Grant Program
• DOE Rural and Municipal Utility Advanced Cybersecurity Grant (RMUC) Program

By participating in Project Glasswing and working with Claude Mythos Preview, Tenable can help customers better understand how emerging frontier AI models behave, their evolving risks and benefits for cybersecurity, and the kinds of controls organizations will need as AI adoption accelerates.

1. Tenable is also interested in using Mythos Preview to drive new research, strengthen the security of Tenable, and help customers better understand how emerging frontier AI models behave, their evolving risks and benefits, and the kinds of controls organizations will need as they accelerate AI adoption.
    
2. Tenable previously announced the integration of the Tenable One Exposure Management Platform with the Claude Compliance API to give Tenable customers better AI visibility and governance capabilities, along with Claude-powered workflows in Tenable Hexa AI, the agentic engine of the Tenable One platform.

Over the past year, it has become increasingly clear that AI is going to fundamentally reshape cybersecurity. 

Not eventually. Now.

The pace of vulnerability discovery is accelerating. Attack surfaces are expanding faster than ever. Security teams are already overwhelmed trying to determine what actually matters.

At the same time, frontier AI models like Claude Mythos Preview are demonstrating that new capabilities in reasoning and agentic workflows are on the horizon and could significantly accelerate cyber offense and challenge cyber defense over the next few years.

Tenable joining Project Glasswing is a strategic step forward for defenders, and an extension of our existing partnership with Anthropic. 

We also believe the industry is entering a period where defender advantage will not come from access to any single model. It will come from understanding what matters most, reducing exposure before attackers strike, and coordinating remediation at the speed modern threats demand. 

The industry already has more findings than humans can realistically process. The real challenge is understanding what matters most.

Which exposures are actually dangerous? Which combinations create meaningful attack paths? What should be fixed first? What actions will materially reduce risk?

Those are exposure management problems. 

We’re working with frontier AI models to evaluate and benchmark how advanced reasoning capabilities may improve exposure analysis, attack path understanding, prioritization, and remediation decision-making to help our customers and partners improve their own security and risk management initiatives.

As part of Project Glasswing, we’re particularly interested in driving new research using Mythos Preview to better understand where it can help reinforce existing security analysis, and strengthen our own defenses by using frontier models to improve the security of Tenable. We also plan to use Mythos alongside other models to help challenge assumptions, and identify relationships and risk patterns faster than traditional approaches alone.

We believe frontier models will increasingly become another important source of security insight and telemetry flowing into exposure management platforms. The long-term differentiator for defenders will not be access to a single model. It will be the ability to combine those signals with authoritative context, asset intelligence, attack path analysis, and coordinated remediation across the enterprise.

Another important reality is that organizations are increasingly responsible for AI systems they did not build themselves. That creates a rapidly expanding attack surface.

Our goal is simple: when meaningful advances in AI capabilities arrive, we will be ready to translate them into practical customer value quickly and responsibly.

Participating in frontier AI initiatives like Project Glasswing help us better understand emerging model behaviors, evolving risks, and the kinds of controls organizations will need as AI adoption accelerates.

That learning directly informs both our products and our own internal security practices.

One thing is becoming increasingly clear: frontier AI capabilities will not remain rare for long.

Capabilities that seem extraordinary today will eventually become widely available across the industry, including to attackers.

In that world, defender advantage will not come from access to any single model. It will come from understanding what matters most, reducing exposure before attackers strike, and coordinating remediation at the speed modern threats demand.

That is the work we’re focused on at Tenable. That is our commitment to our partners and customers.

And we’re excited to be doing it alongside Anthropic and the broader Project Glasswing community.

Tenable CTO Vlad Korsunsky talks about participating in the World Economic Forum’s Annual Meeting on Cybersecurity and Tenable’s EXPOSURE 2026 conference, where he talked with global leaders about new game-changing AI threats and the groundbreaking benefits of exposure management.

1. The patching cycle is obsolete. Advanced AI models have compressed exploitation timelines into “negative days,” meaning adversaries actively weaponize vulnerabilities before vendor patches are even released.
2. Shift from static CVE severity scores to AI-powered exposure management. Point-in-time vulnerability-risk snapshots fall short. You need AI insights to prioritize remediation based on real-world exploitability of your entire attack surface.
3. Secure the agentic economy. The rapid explosion of autonomous non-human AI identities demands the immediate application of zero trust and least-privilege cryptographic primitives to mitigate severe, systemic internal risks.
4. Don’t focus only on vulnerabilities. While the 2026 Verizon DBIR ranks vulnerability exploitation as the top initial access vector for breaches (about 30%), the majority of breaches (70%) stem from human errors, such as misconfigurations and identity flaws.

Tenable Chief Technology Officer Vlad Korsunsky recently participated in the World Economic Forum’s Annual Meeting on Cybersecurity in Geneva, Switzerland, an annual summit that takes the pulse of global cyber risk. Korsunsky was one of 150 senior leaders from global industry and government who gathered to discuss how to strengthen businesses’ cyber defenses. The sobering, collective consensus: The traditional cybersecurity playbook is obsolete, as AI becomes an unprecedented threat multiplier.

For Tenable, participating in foundational, high-level dialogues and collaborations such as this one is both a privilege and an immense responsibility. As the cybersecurity operating model gets rewritten in real-time, Tenable feels a duty to help shape cyber defenders’ collective insights and strategies. Tenable has spent years addressing the structural cybersecurity operational gaps that worry C-level executives and government leaders worldwide. 

Korsunsky also had a chance to sit down with many of the hundreds of cybersecurity executives who gathered recently at Tenable’s EXPOSURE 2026 conference. The EXPOSURE 2026 discussions ranged from the death of reactive patching cycles to the need to counter AI threats with systemic cyber resilience, and signaled an urgent need to shift away from a siloed, fragmented approach to cybersecurity and move toward AI-powered exposure management.

Below is an in-depth Q&A with Korsunsky, expanding on his participation in the Geneva and Tenable meetings, the rapid escalation of AI threats, and the way to tame cyber risk today and in the coming years.

Vlad Korsunsky: The energy was highly focused and, frankly, deeply sober. We are witnessing an unprecedented compression of the threat landscape, and everyone in that room, whether they were running a multinational bank, directing a national cyber defense agency, or leading an NGO, realized that conventional cyber defenses cannot keep up with this velocity.

A telling example of how high the stakes have jumped occurred just recently in Washington, D.C. The then Federal Reserve Chair Jerome Powell and U.S. Treasury Secretary Scott Bessent convened an emergency, high-level meeting with the CEOs of some of America's largest financial institutions, including Wall Street giants like Goldman Sachs, Citigroup, Wells Fargo, Bank of America, and Morgan Stanley. 

The entire meeting focused on a single AI model: Anthropic’s Claude Mythos Preview. Anthropic had flagged that while it built Mythos to bolster cyber defense, its raw capabilities were so advanced that, if weaponized or leaked, it could pose a major threat to the structural stability of the global financial system. When the highest echelons of fiscal and state power are holding emergency briefings over the capabilities of a single generative AI model, you know you’re dealing with a fundamentally different cyber threat landscape.

Vlad Korsunsky: The threat of AI in the hands of attackers is absolutely a global concern today. Look at the empirical metrics tracking adversary speed over the last decade and a half. For years, Mandiant tracked a linear trend that actually looked like a win for defenders. Time-to-exploit, which is the window between a vulnerability being disclosed and an active exploit hitting the wild, shrank steadily from 63 days in 2018 down to 32 days by 2022. 

Concurrently, average attacker dwell time — the time an attacker remains undiscovered after breaching a network – plummeted from more than 400 days in 2011 down to just 14 days in 2025. In short, defenders were actively closing the gap.

Then came 2023, and the trend broke violently. Time-to-exploit collapsed from 32 days to just five. By 2024, it went negative: minus one day. 

According to Mandiant’s latest “M-Trends 2026 Report,” published last month, the average time-to-exploit sits at minus seven days. Think about that structural asymmetry. Attackers are successfully weaponizing and exploiting vulnerabilities a full week before a vendor compiles and ships a patch. 

Meanwhile, the median timeline for an enterprise to deploy a patch across their environment is roughly 43 to 55 days, according to this year’s Verizon Data Breach Investigations Report (DBIR). If adversaries are operating in negative time and defenders are operating across months, the traditional patching cycle is effectively a dead strategy.

Vlad Korsunsky: It is driven entirely by advanced frontier LLMs doing in minutes what used to require weeks of highly specialized human labor. Back in February, Anthropic’s Opus 4.6 model uncovered more than 500 zero-day vulnerabilities in widely utilized open-source software, flaws that had remained undiscovered despite decades of manual peer review by brilliant human engineers. 

Less than two months later, Anthropic’s Mythos model found thousands more vulnerabilities across foundational operating systems, web browsers, and core cryptographic libraries. More importantly, Mythos went further after spotting them; it boasted an 83% autonomous success rate in chaining disparate, low-severity logic flaws into devastating, end-to-end critical exploits.

Essentially, we have reached a watershed moment reminiscent of when Google DeepMind’s AlphaGo defeated human Go champions. Experts believed a computer was decades away from mastering the Go game because the game features more potential board configurations than there are atoms in the observable universe. Brute force was impossible. Yet, AlphaGo won by leveraging deep neural networks to synthesize a form of machine intuition, discovering creative moves no human had conceived in 2,500 years of play.

Today, frontier AI models are applying that exact evolutionary leap to cybersecurity. The most powerful LLMs can now execute 32-step complex reasoning chains to autonomously map and compromise simulated corporate networks. The asymmetry is stark. This massive capability curve means the absolute volume of known exposures is poised for a massive step-change, and GenAI has poured pure gasoline on the fire.

Vlad Korsunsky: This is where we have to look at the whole board and avoid panic. While the influx of AI-driven zero-day disclosures is a massive upstream pressure on software vendors, data from this year’s Verizon DBIR shows that breaches directly leveraging software exploits account for about 30% of incidents. It's a significant percentage, yes, but what about the other 70%?

Cybersecurity leaders I talked to at EXPOSURE 2026 realize that the overwhelming majority of enterprise breaches do not begin with an ultra-sophisticated, state-sponsored zero-day exploit. They start with incredibly simple, unforced human errors: unsecured shadow IT cloud assets running outside corporate governance; misconfigured databases left wide open to the public internet; over-privileged corporate identities; a lack of multi-factor authentication (MFA); and highly targeted, AI-driven spear phishing. This is a critical insight for guiding your cyber strategy today.

These misconfigurations and unsecured cloud credentials are the dry fuel sitting inside an enterprise network. When an AI hacking agent comes looking, that fuel ignites faster than any traditional cybersecurity team can react. So organizations must be diligent about proactively maintaining stringent security hygiene.

Vlad Korsunsky: We have to look at this the way wildland firefighters have looked at massive forest fires for over a century. When a wildfire is roaring toward a town faster than a human can run, firefighters don’t just stand at the edge of the flames reaching for a bigger water hose. They get ahead of the blaze and light a controlled burn. They intentionally clear out the brush, trees, and fuel ahead of time. When the main fire line reaches that cleared zone, it starves and dies because there is nothing left to consume.

Enterprise security must adopt this exact philosophy. We have to stop reacting to the fire and start aggressively clearing the fuel before the adversary arrives. This requires a wholesale shift from reactive vulnerability patching to continuous exposure management.

The traditional Common Vulnerability Scoring System (CVSS) is effectively dead as a primary prioritization tool. A static CVSS score tells you the theoretical severity of a single CVE in a vacuum; it tells you absolutely nothing about real-world exploitability within the specific context of your unique enterprise environment. 

At EXPOSURE 2026, we heard from our customers how continuous, AI-driven exposure management is helping them counter today’s evolving AI threats successfully. With exposure management, you use advanced analytics to gain unified, real-time visibility across your entire modern attack surface, encompassing data centers, cloud infrastructure, OT/IoT environments, corporate identities, and newly deployed AI pipelines. We must use AI on the defense side to continuously map true attack paths; for example, pinpointing exactly where a minor misconfiguration chains into a critical business asset.

Vlad Korsunsky: Security is fundamentally a team sport, and AI vendors like OpenAI and Anthropic are not our adversaries. AI is the single most potent tool ever introduced into the defender’s toolkit; we simply need to wield it with machine-speed orchestration. Because our adversaries are deploying fully autonomous hacking agents today — tools that are already topping commercial bug bounty leaderboards — the only fair fight is to meet machine speed with machine speed.

This means building and deploying agentic AI workflows on the side of the defense to power autonomous exposure management. However, this must always be balanced with strict human-in-the-loop oversight. In Geneva, we spent a great deal of time discussing the systemic risks of unchecked automation. If an autonomous system applies a sweeping remediation script without understanding the broader business context, it can inadvertently trigger a massive operational outage: a self-inflicted systemic failure.

Defenders must maintain deep visibility into the “behind-the-scenes” logic of their automation. We need human control to govern business context, while leveraging machine speed to continuously ingest, prioritize, and neutralize exposures before an attacker can strike.

Vlad Korsunsky: We are transitioning rapidly into what we call the “Agentic Economy.” Historically, enterprise security focused on securing human users and a relatively manageable set of non-human service accounts. As organizations embed AI agents into core business workflows — from code generation to customer operations to financial automation — we are seeing an exponential growth of non-human, agentic identities and agentic workflows. These autonomous agents are fundamentally different. Instead of operating just “on behalf” of a human in a tightly bound session, they execute complex tasks independently.

The alarming reality discussed in Geneva and in our EXPOSURE 2026 conference is that our current security frameworks lack effective, native guardrails for these agents. LLMs routinely bypass system prompts or ignore markdown safety files. They can even actively manipulate or hack neighboring AI agents to achieve their algorithmic goals. We’ve seen anecdotal instances of an enterprise AI agent autonomously writing a script to bypass an internal access restriction, and when flagged, its underlying logic essentially argued that the script committed the violation, not the agent itself.

Because AI agents behave essentially like trusted corporate insiders that have been let loose across internal data silos, we must immediately apply foundational cryptographic primitives to agentic identities. We need strict zero-trust architectures, rigorous least-privilege access controls, and absolute defense-in-depth tailored specifically for non-human identities before they morph into the next great vector of unmanageable global risk.

Vlad Korsunsky: Attackers are increasingly rocketing laterally across enterprise networks after the initial breach, often in minutes and even seconds, whereas before it could take them days or weeks. The adversary’s inherent advantages will always be timing, velocity, and the luxury of only needing to find a single weak link in your exposure landscape.

But as defenders, we possess the ultimate home-field advantage: We can see the whole board, and we have the power to fundamentally alter the terrain. By abandoning obsolete point-in-time checkmarks, embracing continuous, AI-driven exposure management, and proactively clearing out our operational fuel at machine speed through foundational cyber hygiene, we can break the adversary’s curve and effectively secure our environments.

Oracle addresses 35 CVEs in its May 2026 Critical Security Patch Update with 35 patches, including 11 critical updates.

1. The May 2026 Critical Security Patch Update (CSPU) contains fixes for 35 unique CVEs in 35 security updates
2. 11 issues (31.4% of all patches) were assigned a critical severity rating
3. Oracle E-Business Suite received the highest number of patches at 12, accounting for 34.3% of all patches

On May 28, Oracle released its Critical Security Patch Update (CSPU) for May 2026. Beginning in May 2026, Oracle introduced CSPUs as a monthly release cycle that sits between the larger quarterly Critical Patch Updates (CPUs), addressing a focused set of high-severity issues on a faster cadence. This CSPU contains fixes for 35 unique CVEs in 35 security updates across 5 Oracle product families. Out of the 35 security updates published, 31.4% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 51.4%, followed by critical severity patches at 31.4%.

This month's update includes 11 critical patches across 11 CVEs.

This month's update saw the Oracle E-Business Suite product family contain the highest number of patches at 12, accounting for 34.3% of the total patches, followed by Oracle REST Data Services at 11 patches, which accounted for 31.4% of the total patches.

A full breakdown of the patches for this CSPU can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Customers are advised to apply all relevant patches in this CSPU. Please refer to the May 2026 advisory for full details.

A list of Tenable plugins to identify these vulnerabilities will appear here as they're released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

• Oracle Critical Security Patch Update Advisory - May 2026
• Oracle May 2026 Critical Security Patch Update Risk Matrices
• Oracle Advisory to CVE Map

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Learn how attackers exploit automated bot traffic as part of software supply chain attacks to artificially inflate download counters and mask malicious payloads as legitimate.

1. Volume doesn’t equal trust. Packages with numerous versions and high download counts might seem legitimate, but attackers can easily manipulate those metrics.
    
2. Attackers exploit automated infrastructure. By initially flooding the registry with numerous benign versions of a package, threat actors trigger automatic downloads from mirrors, scanners, and analysis bots, which artificially inflate traffic.
    
3. Although old download-inflation techniques still work, attackers are developing new sophisticated techniques to deceive developers into installing malicious packages.

Following recent software supply chain attacks in which Tenable has seen attackers steal access tokens and secrets from developer workstations and CI/CD build servers, we started actively monitoring and analyzing npm packages uploaded to the public registry. Initially, we used download counts as a primary metric to determine package relevance.

During our monitoring, we identified a recurring anomaly: Brand new packages displayed unusually high download counts within hours of upload. Upon further investigation, we discovered that those packages also had many versions.

We found that packages whose content got updated frequently — usually by systematically uploading many new versions for the same package — had an unusually high downloads count.

We observed this technique being used deliberately in the wild for the first time in our analysis of the malicious “ambar-src” package, which reached more than 50,000 downloads in three days after attackers uploaded more than 700 versions. We named this technique “download pumping.”

Developers and security tools frequently use download counts as one of the metrics to assess a package's legitimacy. Since there is no simple method for determining if a package is legitimate, this artificial inflation effectively disguises the threat.

In the “ambar-src” campaign, threat actors systematically published hundreds of benign versions of the package before introducing the actual malicious payload.

Because npm registers each interaction with these updates as traffic, this repetitive version-publishing process achieved two goals: 

• It heavily populated the package’s release history, creating a dense changelog that made the project appear actively maintained and historically legitimate to developers evaluating it.
• Every time a new version was published, automated systems like repository mirrors and analysis bots automatically downloaded it. Because the attackers systematically uploaded hundreds of versions, they artificially generated a massive wave of automated traffic, inflating the package's download count to more than 50,000 downloads in just three days.

From Tenable’s initial analysis, each version uploaded to the npm public registry typically receives between 100 and 150 downloads from automated systems. We verified that fact by running our proof-of-concept (POC) and analyzing the download count.

To validate these mechanisms, we conducted a POC that replicated the download pumping behavior. We created test packages and systematically published a high volume of new versions to the npm registry. 

As the npm team stated in their blog, their download stats are naive by design, and they do not put much effort into filtering automated bot traffic. 

Thus, various repository mirrors, analytical bots, and automated security scanners immediately pulled each new version we uploaded. This validated that an attacker can predictably generate a baseline of downloads entirely through automated publishing, requiring zero organic user interaction.

During our POC, we wanted to see how different package properties might affect the automated download volume. We were working under the assumption that packages with postinstall scripts raise the interest level of security scanners.

Postinstall scripts are highly interesting to defenders because attackers frequently use these lifecycle hooks to automatically execute malicious payloads the moment a package is installed. Since this is a common malware-deployment technique, automated security scanners prioritize downloading and inspecting packages that have these scripts configured.

It is important to note that security scanners don’t have to download the package itself to determine if the npm package has a postinstall script configured, as this data is available in the package metadata in the public registry.

For those reasons, we believed that security scanners are more likely to download packages with install scripts configured, as they are more likely to contain malicious code. We deployed three distinct test packages to npm to test our assumption and observed the following results:

• Version bump only: 135.55 downloads per version
  This was our baseline test package. We didn’t add or remove any code when publishing a new version, nor did we make any other attempt to make the package look interesting. We simply bumped up the version number each time.
   
• Static postinstall script: 141.91 downloads per version
  This was our second test package, and the first one to have a postinstall script configured, but we didn’t change the script when publishing new versions.
   
• Dynamic postinstall script: 158.16 downloads per version
  In this third test package, we changed the postinstall script every time we bumped up the version. We did this as we believed that security scanners would be more interested in packages whose postinstall script changed, as it could be an indicator of compromise.
   

Graph showing how Tenable’s first POC software package experienced a spike in downloads when we started publishing new versions of it. 

This data demonstrates a straightforward cause-and-effect: automated infrastructure and security scanners naturally generate more download traffic for packages that exhibit interesting or actively changing behaviors.

While our research focused specifically on the npm ecosystem, the fundamental mechanics behind this technique are not unique to npm. Other package registries such as PyPI, RubyGems, and NuGet operate with similar automated infrastructure — mirrors, security scanners, and analysis bots — that pull new versions as they are published. Although the specific download amplification and trust metrics may differ across ecosystems, the core principle remains the same: where automated systems react to new publications, there is potential for abuse.

As already stated, we first observed this technique being used in the wild during our analysis of the “ambar-src” package. 

Let’s look at this in more detail.

The attackers created an npm package containing utility code that can be used for legitimate purposes, such as MathUtils, StringUtils and Time functions. The attackers then systematically uploaded 428 legitimate versions of the package in just two hours. The attackers did this to gain initial credibility and attempt to lure developers to use their code.

Three days later, the attackers uploaded a new version containing malicious code. By this point, the attackers’ package already had more than 30,000 downloads.

In total, the attackers uploaded 724 versions including malicious and legitimate versions. This led to an artificially generated wave of automated traffic, resulting in around 50,000 downloads total.

This repetitive version-publishing process successfully inflated the package's download count and created a dense release history, making the project appear historically legitimate before the malware was deployed.

The manipulation of npm downloads metrics is not a new discovery. In a 2021 research blog, independent developer Andy Richardson showed how prone the npm registry’s download tracking is to abuse, by demonstrating that bad actors can send HTTP requests to a package’s tarball URL to fake downloads. 

Using automated tools, the researcher successfully drove nearly 1 million spoofed downloads in a single week for a completely unused package.

Tenable validated this technique still works in 2026. By sending HTTP requests directly to the URL of the package’s tarball, Tenable successfully inflated a test package’s metric to 17,000 downloads in approximately one hour, using nothing more than a standard office laptop and an internet connection.

However, this new version-flooding method we’ve identified offers two distinct advantages: 

• First, it provides amplification, because an attacker gains 100 to 150 automated downloads from repository mirrors for every single version they upload, rather than just one download per HTTP request.
• Second, systematically publishing these updates populates the release history, creating a dense version log that makes the package appear actively maintained and historically legitimate.

Organizations should not depend on download counts or version histories to determine if a package is legitimate. As we have demonstrated, attackers can easily fake these metrics using automated systems, creating a false sense of trust.

Instead, organizations should adopt common industry best practices, such as version pinning and implementing minimum package-age restrictions. 

These best practices are effective, as security vendors and the open-source community actively monitor these registries and typically detect malicious packages fairly quickly, within a couple of days at most. 

By enforcing a short waiting period of three to four days before allowing a new package or new version of an existing package into your environment, you allow the community time to identify these threats in the public registry. Once they are detected, they are removed from the public registry, eliminating the risk.

It is worth noting that npm is actively working to improve the security of its ecosystem. Recent efforts include adding support for package-age checks directly in the npm CLI, as well as strengthening authentication mechanisms for package maintainers to reduce the risk of account takeovers. 

While these are meaningful steps in the right direction, the reality is that no single measure can fully prevent malicious code from reaching the public registry. Supply chain attacks will continue to evolve, and organizations should also layer their own defenses rather than rely on the ecosystem alone.

For example, organizations can add extra protection for CI/CD build servers by deploying ephemeral CI/CD runners that are destroyed immediately after a single use to prevent malware from lingering. Operating those temporary runners without persistent storage makes it harder for threat actors to save their payloads or establish persistence across different build jobs.

Additionally, organizations should enforce least-privilege network access. Restricting outbound traffic makes it harder for malicious payloads running on the build server to reach the open internet to download second-stage malware payloads like “msinit.exe.”

Currently, developers are still being hacked through open-source supply chain techniques. The metrics developers and security tools depend on — download counts, version history, maintenance activity — are superficial indicators that, as we have demonstrated, an attacker can manipulat with minimal effort. But the problem runs deeper than fake signals.

Even when a package has a legitimate track record with a trusted maintainer behind it, that trust can be compromised overnight. Recent waves of account takeovers, social engineering campaigns, and credential theft targeting established maintainers have shown that a package's history is no guarantee of its current safety, even for legitimate packages. A new version published under a trusted name can carry a malicious payload, and the package manager has no built-in mechanism to catch it.

In practice, there is no deterministic method to determine if a new package is malicious or not. Therefore, each package you install and use must be treated like it could be malicious. The meaningful trust signal comes after the fact: from security vendors and the open-source community actively scanning and analyzing packages once they are published. 

This is exactly why enforcing minimum-age requirements on new packages and new versions is such an effective control. A short waiting period of a few days gives the security community time to detect, flag, and remove threats from the public registry before they ever reach your environment. Organizations that consume packages the moment they are published are accepting risk that is entirely avoidable.

Download pumping is ultimately just the initial entry vector for a much larger objective. Attackers using these techniques are generally aiming for one of two outcomes.

First, they aim to compromise build servers and CI/CD pipelines. By successfully injecting a malicious dependency into these systems, threat actors achieve “God-mode” over the infrastructure, which can lead to a full compromise of the entire production environment.

Second, and even worse, they aim to compromise the developers of highly popular packages. By hijacking a trusted maintainer’s environment, attackers can inject malicious code that thousands of downstream organizations automatically pull, creating a massive cascading effect across the broader software supply chain.

To defend against supply chain attacks, you need to know exactly what code is running in your environment. The Tenable One Exposure Management Platform and Tenable Nessus can help you build a complete asset inventory of the npm packages used across your organization.

Use the following Nessus plugins to build an inventory of the npm modules in your environment:

• 200172 - Node.js Modules Installed (Windows)
• 179440 - Node.js Modules Installed (macOS)
• 178772 - Node.js Modules Installed (Linux)

As Tenable continuously analyzes your environment, you get direct visibility into exactly what is installed on your systems. This visibility ensures you can quickly locate and remove compromised packages as soon as a new threat is discovered.

Beyond building a complete inventory, organizations also need to actively monitor their environments for live threats. Tenable One Cloud Exposure, a CNAPP, builds on this visibility by continuously monitoring your cloud environment to proactively detect these types of supply chain attacks in real time.

Together as part of the Tenable One Exposure Management Platform, these tools proactively detect supply chain attacks across your environments, ensuring your security teams can immediately identify and neutralize malicious activity before attackers can fully compromise your production systems.

Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploitation, and organizational risk.

1. The "patch everything" strategy is dead: Vulnerability prioritization based on exploitation risk offers a path forward. A directed graph model linking 600+ threat actors to vulnerabilities in 7,800 customer environments reveals that 68% of organizations carry at least one CVE previously exploited by a named adversary, and 321 tracked threat groups can reach at least one customer environment through an active vulnerability.
    
2. Prevalence of "Elite Arsenal" CVEs requires immediate attention: The 242 "Elite Arsenal" CVEs — those meeting all three criteria of critical VPR (≥ 9), CISA KEV listing, and documented threat group exploitation — are nearly universally present across the studied customer base, with 241 of 242 actively detected. More than half are five or more years old, and 78% of the persistently exploited core are simultaneously weaponized by nation-state APTs, commodity malware operators, and ransomware gangs.
    
3. Non-CVE exposures are universally dangerous: Non-CVE exposures, including misconfigurations, weak credentials, and end-of-life software, are present in virtually 100% of studied organizations, with 60% carrying at least one that maps to a tracked threat actor's preferred techniques. Preliminary modeling suggests these exposures may confer more breach risk than CVE-linked findings, yet no industry-standard scoring infrastructure exists to prioritize them.

While the first two posts in this blog series documented the accelerating vulnerability flood and the widening remediation gap, today we answer the outstanding question: Where do these forces actually collide inside customer environments? Using a directed graph model that maps more than 600 tracked threat groups to vulnerabilities observed across 7,800 organizations, Tenable Research shows you which exposures likely carry the highest real-world risk and where defenders should focus their finite remediation capacity.

The case for urgency has been made. In the first post, Tenable Research documented the convergence of three forces reshaping the vulnerability management landscape: 

• AI-driven vulnerability discovery tools accelerating CVE volume toward a projected 59,000 disclosures in 2026
• NIST’s decision to scale back enrichment of the National Vulnerability Database (NVD) to only three narrow categories
• The resulting structural gap for organizations that depend on public severity metadata to prioritize patching

The second post, produced in collaboration with the Verizon 2026 Data Breach Investigations Report (DBIR), quantified the remediation side of the equation: 

• Vulnerability exploitation has surged to become the leading initial access vector at 31% of breaches.
• Median time-to-patch has grown from 32 to 43 days.
• Only 26% of the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) are fully remediated across surveyed organizations.

Together, those findings support what Tenable has been saying for years: The “patch everything” strategy is no longer viable. But the findings also leave critical questions unanswered. If organizations cannot patch everything, they need to know precisely where the greatest risk concentrates inside their own environments.

This post answers these questions:

• Which of the tens of thousands of active vulnerabilities do named adversaries actually exploit?
• How many organizations carry those specific exposures right now?
• What does the intersection of severity, active exploitation, and real-world exposure look like when you map it concretely?

To move beyond per-CVE scoring into adversary-aware prioritization, Tenable Research built a directed graph model that links four categories of real-world entities: threat actors; the attack techniques they employ; the vulnerabilities those techniques exploit; and the customer environments where those vulnerabilities are actively detected.
 

A simplified view of the threat-exposure graph. The graph links four kinds of real-world entities: threat actors; the techniques they use; the vulnerabilities they exploit (both CVE and non-CVE); and the customers in whose environments vulnerabilities are detected . The graph also links them along the directions in which risk actually flows. 

The customer base in this analysis comprises 7,800 U.S. and Canadian organizations actively monitored by Tenable’s vulnerability management products as of May 2026. Plugin-finding telemetry, indicating which CVE and non-CVE vulnerabilities are present in each environment, was joined to proprietary threat actor tracking data curated by Tenable’s Research Special Operations (RSO) team and publicly available MITRE ATT&CK technique data.

The graph tracks more than 600 named threat actor groups. Each has been documented either to directly exploit specific CVEs (more than 6,000 CVEs across all tracked groups) or to favor specific MITRE ATT&CK techniques (58 unique techniques observed). 

Because techniques map to the CVEs and non-CVE weaknesses they are known to exploit, a named adversary can reach a customer environment along two routes: directly through an exploited vulnerability, or indirectly through a technique that exploits a weakness present in their environment.

This framework transforms the prioritization question from “how severe is this CVE?” into “which named adversaries can reach my environment through this CVE, and how many other organizations share that exposure?” That is a fundamentally different kind of intelligence that per-CVE scoring layers were never designed to provide. 

• The Common Vulnerability Scoring System (CVSS) tells you how technically dangerous a vulnerability is.
• The Exploit Prediction Scoring System (EPSS) tells you how likely it is a threat actor will exploit it.
• The CISA KEV catalog tells you a bad actor has exploited it.
• Tenable's Vunerability Priority Rating (VPR) and Vulnerability Watch combine these signals with proprietary threat intelligence into a per-CVE priority recommendation. 

All of these are valuable, but none tie the score to your specific asset inventory and the named adversary documented to exploit it.

Two important caveats before we present the findings:

1. We are reporting exposure metrics, not breach predictions. When Tenable says a customer is “exposed” to a named adversary, we mean their environment contains one or more vulnerabilities that the threat actor has previously exploited or that aligns with the group’s documented technique profile. We are not predicting attacks or claiming breaches.
2. All analyses represent scan windows beginning May 1, 2026. “Active” means at least one Tenable scan observed the vulnerability since that date. Customers may have patched between their last scan and publication.

The prevalence data is sobering. Of the 7,800 organizations in this study, 5,333 (68%) have at least one active CVE that at least one named threat actor has previously exploited. That figure alone warrants attention, but the concentration is what makes it actionable: 3,517 organizations (45%) carry 25 or more such CVEs, and 653 (8%) carry more than 100.

The problem extends well beyond CVEs. A total of 4,686 organizations (60%) carry at least one active non-CVE vulnerability, such as a misconfiguration, weak credential, or end-of-life software exposure, that maps to an attack technique a tracked threat actor is known to prefer. These findings do not receive CVE identifiers, but they are operationally exploitable, and adversary playbooks routinely depend on them.

On the adversary side, 321 of the more than 600 tracked threat actors can reach at least one customer environment through an active vulnerability. This includes the ransomware operations that most security teams already track (Conti, Ryuk, RansomHub); nation-state operators with public attribution histories (Cozy Bear, Fancy Bear, Andariel, Volt Typhoon, Salt Typhoon); and well-documented APT clusters (APT1, FIN7, MuddyWater, Earth Lusca).

Organizations in this study likely have well-developed cybersecurity programs. Tenable provides them with detailed vulnerability prioritization data. They represent the more-prepared end of the spectrum of potential threat actor targets. The exposure picture for organizations with less mature security capabilities is, by any reasonable inference, significantly worse.

The 6,000-plus distinct CVEs linked to threat groups in this study are dramatically over-represented in elevated VPR tiers compared to the full CVE population.

At the critical tier (VPR ≥ 9), CVEs associated with the study’s threat groups are nine times more concentrated than the global baseline. The persistence of these exposures is not primarily a failure of prioritization effort. Tenable data suggests the majority of customers in this study have significantly improved remediation rates for CVEs with VPR scores of 7 or higher over the past several years. Rather, continued persistence is further evidence of the central finding from the first two posts in this series: the flood of new vulnerabilities is outpacing even well-resourced organizations’ capacity to remediate.

If organizations cannot patch every threat group-associated vulnerability, where should they concentrate? Among the threat group-associated CVE set, 512 (8%) are listed in the CISA KEV catalog, an order of magnitude above the less-than-1% KEV share across the global CVE program. As the DBIR post documented, even KEV-listed vulnerabilities go unremediated in the majority of environments.

The intersection of Tenable’s critical VPR tier (VPR ≥ 9), the KEV catalog, and documented threat group exploitation gives us a tight shortlist: 242 CVEs that meet all three criteria simultaneously. We refer to this subset as the Elite Arsenal. Of the 242, all but one were actively detected in at least one organization's environment.

The age profile of the Elite Arsenal underscores why these exposures persist: 

• More than half (53%) of Elite Arsenal CVEs are at least five years old.
• Nearly one in five (19%) are at least a decade old, with the oldest dating to 2009.
• The median age is five years. 

These vulnerabilities represent a structural condition in which certain high-value CVEs become permanent fixtures of the attack surface, surviving years of remediation effort across thousands of organizations.

What makes that persistence especially dangerous is the breadth of adversaries exploiting them. Tenable Research has independently designated 54 of the 242 Elite Arsenal CVEs as “persistently exploited,” meaning they show sustained, multi-actor weaponization over years rather than months. 

• Of those 54, state-sponsored APT groups have weaponized every single one.
• 98% have been incorporated into commodity malware delivery.
• 80% are exploited by ransomware operations.
• 78% are what Tenable calls “triple-weaponized”: simultaneously exploited by nation-state espionage actors, commodity malware operators, and ransomware gangs. 

An organization carrying an unpatched Elite Arsenal CVE is exposed to all three at once.

The adversary concentration across these 54 CVEs is striking: 

• The most prevalent nation-state actor, Salt Typhoon, appears in association with 12 of the 54.
• The most prevalent ransomware operation, Black Basta, appears across 15.
• Cobalt Strike, the most common offensive tool in the set, is documented across 20. 

These are not isolated associations. They represent overlapping ecosystems of exploitation where the same vulnerability serves as an entry point for espionage, extortion, and financially motivated crime simultaneously. As the previous two posts in this series alluded to, the cyber attack landscape is rapidly evolving together with AI advancements. The widespread availability of frontier models means that mapping, chaining, and exploiting distinct attack paths has gotten substantially easier. Findings here indicate that far too many organizations still carry well-known Elite Arsenal CVEs in their environments that can act as relatively-easy exploit targets for AI-assisted attacks.

Prominent examples of widely-reported, multi-year fixtures in the Elite Arsenal include:

Network-edge devices: 

• Citrix NetScaler ADC “Citrix Bleed” (CVE-2023-4966)
• Cisco IOS XE web UI privilege chain (CVE-2023-20198, CVE-2023-20273)
• Atlassian Confluence (CVE-2022-26134, CVE-2023-22515, CVE-2023-22518)
• F5 BIG-IP iControl REST (CVE-2022-1388)
• Palo Alto Networks PAN-OS (CVE-2024-0012, CVE-2024-3400)
• Ivanti Connect Secure VPN (CVE-2024-21887, CVE-2023-46805)
• ConnectWise ScreenConnect (CVE-2024-1708, CVE-2024-1709)

Endpoint and office: 

• Microsoft Office remote code execution flaws (CVE-2017-0199, CVE-2017-11882)
• Windows kernel privilege escalations (CVE-2018-8453, CVE-2021-1732)
• Outlook NTLM credential leak (CVE-2023-23397)
• VMware vCenter (CVE-2023-34048)
• JetBrains TeamCity (CVE-2023-42793).

Domain and SMB: 

• EternalBlue family (CVE-2017-0144, CVE-2017-0143, CVE-2017-0146)
• Zerologon (CVE-2020-1472)
• Sandworm/BlackEnergy (CVE-2014-4114).

Per-CVE remediation also misses the compound risk these vulnerabilities create when they coexist in the same environment. The Elite Arsenal contains several documented exploit chains where attackers use multiple CVEs in sequence to achieve objectives that no single vulnerability would permit. 

• The ProxyLogon chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) gives attackers full Exchange Server control through four chained flaws.
• The Ivanti Connect Secure chain (CVE-2024-21887 with CVE-2023-46805) combines an authentication bypass with a command injection.
• FortiOS SSL-VPN credential theft (CVE-2018-13379) has been documented chaining directly into Zerologon (CVE-2020-1472) for full domain compromise. 

Patching one link in these chains reduces risk, but patching all of them breaks the attack path entirely. Organizations that prioritize based on individual CVE scores alone may leave compound chains intact.

The 10 most prevalent Elite Arsenal CVEs, each detected in more than 2,000 customer environments, are:

1. CVE-2013-3900 — WinVerifyTrust signature validation (3,027 environments)
2. CVE-2026-21513
3. CVE-2020-1472 — Zerologon
4. CVE-2023-28252 — CLFS
5. CVE-2023-32046 — Windows MSHTML
6. CVE-2013-2465 — Java SE
7. CVE-2023-36874 — Windows Error Reporting
8. CVE-2025-41244
9. CVE-2021-44228 — Log4Shell
10. CVE-2022-30190 — Follina

The prevalence curve across the full 242 Elite Arsenal CVEs drops steeply (see chart below): The most prevalent CVE appears in more than 3,000 environments, while the long tail includes CVEs present in only a handful. 

But the critical finding is that 241 of the 242 are active somewhere. Nearly every CVE that meets all three elite criteria is currently live in at least one monitored environment.

Elite Arsenal CVE set prevalence, May 2026. Each point on the curve is one of the 242 elite-criteria CVEs (critical VPR ≥ 9, listed in CISA KEV, and reachable from a tracked threat group), ordered from most to least prevalent across the studied organization base. The y-axis shows the number of organization environments where each CVE was actively detected.

While the Elite Arsenal is not typically reported as a distinct CVE set, we encourage organizations that cannot remediate all KEV vulnerabilities with VPR ≥ 9 to prioritize those appearing on Tenable's Vulnerability Watch list, at minimum. More than 52% of Elite Arsenal CVEs published since 2024 have appeared on Vulnerability Watch at least once. It is a resource that security teams can use to inform high-impact remediation decisions.

CVE-side prioritization works because CVEs are enumerated. Each gets a globally unique identifier, and every scoring framework in the industry is built on that identifier. 

No analogous standardized infrastructure exists for non-CVE findings such as misconfigured Active Directory privileges, improper password management, unencrypted database connections, or exposed management interfaces. These items do not receive CVE numbers, VPR scores, or KEV catalog entries.

The lack of standard scoring for non-CVE findings is problematic because these findings are relevant to the attack surface. Across the customer base in this study, 7,769 organizations (effectively 100%) carry at least one actionable non-CVE finding, and 4,686 (60%) carry one that maps back to a tracked threat actor’s preferred techniques. 

Roughly half of observed non-CVE findings are software misconfigurations, 15% are end-of-life software exposures, and the remainder are weak credentials, audit gaps, and policy gaps that adversary playbooks routinely depend on.

There is no Elite Arsenal equivalent for misconfigurations. But the graph model allows us to answer a useful question: Which non-CVE findings sit on a path that a tracked adversary’s technique profile is likely to walk? Based on that analysis, four principles should guide non-CVE prioritization today.

1. Do not deprioritize non-CVE exposures simply because they lack a CVE number or a VPR score. Preliminary breach prediction modeling based on our graph suggests that non-CVE exposures may confer more data-breach risk than CVE-linked findings.
2. Prioritize misconfigurations and end-of-life software first within the non-CVE bucket. Together, they account for 65% of actionable non-CVE findings, and end-of-life software is by definition unpatchable. Configuration drift and end-of-life inventory are among the most consistently exploited entry points in MITRE ATT&CK adversary playbooks.
3. Use ATT&CK technique reachability as the prioritization axis. The 4,686 organizations carrying threat actor-mapped non-CVE findings are the non-CVE analogue of the customer set carrying Elite Arsenal CVEs. A misconfiguration that maps to a high-frequency technique threat actors use that’s active in your industry is operationally more urgent than a higher-volume but technique-unmapped finding.
4. Recognize that non-CVE remediation is identity and configuration work, not patch work. Many of the non-CVE findings that appear in adversary playbooks, such as over-privileged service accounts, exposed management interfaces, weak authentication, and unmonitored privileged access, are addressed by tightening identity and configuration controls. The question shifts from “have we patched this?” to “have we hardened this?”

Tenable continues to invest in the scoring and prioritization infrastructure for the non-CVE surface, including the Tenable One Exposure Management Platform’s attack path analysis capabilities, which make adversary-technique reachability a first-class prioritization signal.

The three blog posts in this series trace a single argument from macro- to micro-scale attack surface evaluations.

The volume crisis documented in “Why the Approaching Flood of Vulnerabilities Changes Everything” means the patch queue will keep growing. The remediation gap documented in “Key findings from the Verizon DBIR 2026” means organizations cannot work through that queue fast enough using traditional methods. 

And the exposure data in this post shows the consequences of falling behind are measurable, attributable to specific adversaries, and concentrated in specific vulnerability sets that can be named and prioritized.

The data is unambiguous. Most of the 7,800 organizations in this study carry vulnerabilities that named threat actors have exploited. More than 200 critical, KEV-listed, threat group-associated CVEs are actively present across the customer base, many of them years old. And the non-CVE exposure surface, which receives far less attention than it deserves, is nearly universal and directly aligned with documented adversary techniques.

The prioritization question is no longer: “What is critical?” It is: “What is critical and likely to be exploited by threat groups that may target my industry, and is it actually present in my environment?” 

Per-CVE scores alone cannot answer that question. The answer requires graph-based methods that link threat actor behavior to the specific weaknesses in your environment. Organizations that anchor their remediation programs to this kind of reachability-aware prioritization will spend their finite capacity on measurable risk reduction rather than chasing volume.

The intelligence, the platform, and the evidence base exist to make that shift today. The volume is not going to slow down. The remediation window is not going to widen. The adversaries are not going to wait. What you can control is where you focus.

The data and threat-exposure mapping methodology presented here represent the beginning of a broader effort to give organizations a clearer view of what adversaries can actually reach in their environments. Tenable is expanding our ability to capture and integrate threat actor intelligence into customer-facing prioritization, and we look forward to sharing more of that work in the months ahead.

Learn more about how Tenable One Exposure Management Platform helps organizations prioritize what matters in a world of accelerating vulnerability discovery.

Cybersecurity leaders and practitioners brought their burning AI cybersecurity questions to EXPOSURE 2026. They left with clear answers and a blueprint for building an exposure management program. Get a recap and see highlights from the event in words and pictures. 

1. As frontier AI models simultaneously accelerate the pace of vulnerability discovery and exploitation and drastically reduce the cost and complexity of launching attacks, cybersecurity faces a critical inflection point where traditional threat models and manual workflows are no longer viable.
    
2. EXPOSURE 2026 gave attendees a much-needed opportunity to connect with peers, learn how they’re addressing the challenges of AI and building it into their workflows, and develop a game plan, with exposure management at its core, for protecting their organizations from AI-powered adversaries.

For the cybersecurity leaders and practitioners who attended EXPOSURE 2026 in Boston this week, the event could not have come at a better time. 

While momentum for exposure management as a means to proactively reduce cyber risk has been building for more than a year, recent rapid advances in frontier AI models have made it even more critical. 

EXPOSURE ‘26 attendees arrived at Boston’s historic Park Plaza Hotel on Monday, May 18, 2026, just six weeks after Anthropic unveiled its groundbreaking frontier model, Claude Mythos Preview. They showed up with pressing questions about securing AI, the impact of frontier AI models on cybersecurity, and how exposure management can address all that and more. 

They left with clear answers, following an intensive day of training and two days of thought-provoking mainstage and breakout sessions featuring Anthropic Field CTO (Cyber) Brett Andrews, CISOs from GEICO, Smithfield Foods, Munich Re, and EōS Fitness, and Tenable experts. 

EXPOSURE 2026 gave attendees a rare opportunity to catch their breath amid the escalating, machine-speed pace of cybersecurity. It kicked off with an immersive day of training that provided attendees with a blueprint for building a successful exposure management program. And it offered them a chance to compare notes with peers and work collaboratively to develop a game plan for protecting their organizations from AI-powered adversaries with exposure management at its core. 

Four challenges that AI creates for cybersecurity underpinned every session at EXPOSURE 2026: 

1. Frontier AI models like Anthropic’s Claude Opus 4.6 and Mythos make it vastly faster, easier, and more economical for threat actors to discover new vulnerabilities and build exploits for them.
2. AI creates new attack vectors (e.g., prompt injection, jailbreaks, model poisoning, context poisoning in memory, etc.) that traditional cybersecurity controls weren’t designed to address.
3. AI expands every organization’s attack surface, giving threat actors even more entry points to exploit.
4. AI functions as a force-multiplier for threat actors, giving them speed and the advanced, 32-step reasoning capabilities required to autonomously execute an entire network attack chain.

Anthropic’s Andrews discussed the impact of frontier models on cybersecurity, the threat landscape, and how defenders can leverage AI to their advantage.

To illustrate what organizations are up against, several presentations highlighted the sharp contrast between the steady acceleration in vulnerability discovery and exploitation, and the simultaneous deceleration in organizations’ patching and remediation. 

In 2021, for example, the median time to exploit was 84 days, according to Zero Day Clock. Today, it’s 1.6 days. Meanwhile, in 2025, it took organizations an average of 43 days to patch critical CVEs, up 34% from 32 days in 2024, according to data that Tenable Research contributed to the 2026 Verizon Data Breach Investigations Report (DBIR), which was released on the first day of EXPOSURE 2026. 

Referencing additional data from the DBIR, Tenable Chief Product Officer Eric Doerr noted that 31% of breaches in 2025 began with an unpatched CVE as the initial access vector. This trend will likely intensify, as frontier AI models accelerate vulnerability discovery, unless security teams adapt. 

Doerr also spoke to data from Tenable showing that nearly two-thirds of breaches begin with something that isn’t a CVE, such as a misconfiguration, stolen credential, or exposed secret. He used this stat to prove the point that if you’re only concerned about CVEs, you’re leaving two-thirds of your organization’s attack surface exposed. It’s this other attack surface beyond just CVEs that exposure management addresses. 

Presenters used these and other statistics from the DBIR, Tenable’s own telemetry, and other sources to make the case for cybersecurity transformation focused on a preemptive and much more autonomous defense. 

They showed how explosive, enterprisewide adoption of AI combined with AI-enabled threat actors requires that organizations build these exposure management capabilities into their cybersecurity programs: 

• Unified visibility - Continuous, deterministic asset discovery across the entire hybrid attack surface, capturing every vulnerability, misconfiguration, and excessive permission across on-prem and cloud infrastructure, OT environments, and the rapidly expanding AI attack surface.
• Contextual, AI-powered insights - Moving past standard CVSS scores to focus on real-world exploitability and business impact, and mapping viable attack paths to understand exactly how an attacker could move laterally toward core assets.
• Machine-speed action - Shifting from manual workflows to automated, orchestrated fixes. Because human teams cannot triage alerts at machine speed, organizations must deploy agentic AI workflows with appropriate guardrails, including human oversight, to proactively harden posture and isolate active threats.

Tenable CSO Robert Huber shared his experience transforming his vulnerability management program and team into an exposure management program and team, which began two years ago. The impetus was the challenge that Huber and his team faced every quarter when he needed to report on cyber risk to the board of directors: His team had to manually gather, aggregate, harmonize, and analyze data from 50 different security tools that each had their own unique way of reporting on risk. Now, Huber’s team can produce reports in minutes. They’ve also extended their scope of visibility from less than 10,000 assets to more than 100,000 assets and reduced alert to ticket volume by 1,500 to 1, all with the same number of staff. 

A live AI vs. AI attack simulation created and led by Tenable Researchers Robert McSulla and Ben Smith demonstrated the capabilities of a fully autonomous, agentic defense against a fully autonomous, agentic adversary. 

McSulla and Smith impressed several key points upon their audience, including:

1. Speed is not the only factor in AI-driven attacks. Yes, AI makes threat actors faster. It also makes them smarter. The demo showed how the adversarial agents reason, make decisions, adapt, and find new, unmapped attack surfaces.
2. Defenders can gain the same advantages as attackers. Defensive agents proactively assess posture, develop and deploy patches for vulnerabilities, and take other hardening actions to reduce risk and mitigate threats.
3. Security leaders and their teams need to get comfortable with autonomous defense. Consider your tolerance for fully autonomous defensive agents: Would you let them shut down a service, configure firewall rules, rotate credentials, or write and deploy patches? That’s what it takes to keep up with agentic attacks that achieve their objectives within three minutes.
4. It’s time to build a governance framework for agentic defense. McSulla and Smith built a governance framework for the defensive agents in their simulation that determines intent, evaluates severity levels, and applies rules, such as when to require a human to make a decision or take an action.

Amid the seriousness of cybersecurity, attendees got to pick out custom Converse sneakers featuring Tenable’s iconic new branding. 

EXPOSURE attendees also had the chance to experience the perfect summer evening at Fenway Park, home of the Boston Red Sox. 

EXPOSURE 2026 was punctuated by a host of significant announcements from Tenable, including:

1. The general availability of Tenable Hexa AI, the agentic engine of the Tenable One Exposure Management Platform that gives preemptive security teams capabilities to operate at machine speed.
2. New AI initiatives with Anthropic to increase the agentic capabilities of Tenable One.
3. A strategic integration with the Claude Compliance API designed to help customers improve their visibility into Claude usage across their organizations.
4. The release of the Tenable One Open Connector, which allows customers to bring third-party, custom, and internal data from any source into Tenable One.
5. The launch of the Tenable Open Partner Exchange Network.
6. The Tenable Research team’s prolific contributions to the 2026 Verizon Data Breach Investigations Report.

A self-propagating worm has compromised more than 170 npm and PyPI packages, defeating provenance attestation and breaching OpenAI and Mistral AI. Here is what you need to know.

1. Mini Shai-Hulud is a self-propagating worm by TeamPCP that steals developer and cloud credentials across the npm and PyPI ecosystems.
2. The campaign achieved a critical security first by compromising packages with valid SLSA Build Level 3 provenance attestations, proving that process integrity controls can be defeated.
3. Any system that installed a compromised package must be treated as fully compromised.

Between September 2025 and May 2026, a threat group tracked as TeamPCP has conducted a series of coordinated supply chain attacks across the npm and PyPI package ecosystems. The campaign, which the group calls Shai-Hulud, uses a self-propagating worm that steals developer and cloud credentials, then leverages those credentials to publish poisoned versions of additional packages. Each compromised continuous integration and continuous deployment (CI/CD) pipeline becomes a new distribution vector, enabling exponential spread. The current iteration is known as Mini Shai-Hulud.

Tenable’s Research Special Operations Team (RSO) has compiled this FAQ to discuss what Mini Shai-Hulud is, how the campaign operates, who has been affected and what organizations should do to protect their software supply chains.

What is Mini Shai-Hulud?

Mini Shai-Hulud is a multi-wave supply chain attack campaign that targets the npm and PyPI open-source package registries. The name, chosen by the threat group TeamPCP, is a reference to the sandworms in Frank Herbert's "Dune" novels, and the campaign carries a consistent Dune-universe theme throughout its infrastructure (dead-drop repository branch names, marker strings and operational messaging all draw from the Dune lexicon).

What is the difference between Shai-Hulud and Mini Shai-Hulud?

Shai-Hulud is the worm family. Mini Shai-Hulud is the current generation of that worm and the name TeamPCP uses for the active campaign.

When did these campaigns start?

The original Shai-Hulud worm appeared in September 2025 as the first self-replicating malware observed in the npm ecosystem. It could steal maintainer tokens and use them to publish poisoned versions of other packages without further attacker input.

A second generation, sometimes called SHA1-Hulud, surfaced in November 2025 with updated wiper functionality and improved credential harvesting.

A third variant designated SANDWORM_MODE, introduced adaptive targeting that allowed the worm to enumerate CI/CD pipeline structures before deciding how to propagate. Each generation directly addressed detection and takedown techniques applied to its predecessor, suggesting the operators monitored defensive responses and adapted accordingly.

Mini Shai-Hulud is the fourth generation, active since late April 2026. The "Mini" is TeamPCP's own ironic branding; in practice, this variant is far more destructive than the original. Its distinguishing capabilities include:

• SLSA Build Level 3 provenance attestation forgery (allowing malicious packages to pass cryptographic verification)
• OIDC token extraction directly from GitHub Actions runner process memory
• Persistence hooks targeting AI coding agents and developer IDEs
• Cross-ecosystem propagation spanning both npm and PyPI,
• Triple-redundant credential exfiltration through a dedicated command-and-control server

What are the vulnerabilities associated with Mini Shai-Hulud?

The TanStack compromise has been assigned a single CVE:

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on May 21, 2026 and reflects VPR at that time.

What is CVE-2026-45321

CVE-2026-45321 describes a chained exploitation of three weaknesses in TanStack's GitHub Actions CI/CD configuration. The attacker created a fork of the TanStack/router repository under a renamed account to avoid detection, then opened a pull request that triggered a pull_request_target workflow. This workflow executed code from the attacker's fork in the base repository's trusted context, allowing the attacker to poison the GitHub Actions cache with malicious binaries. When legitimate maintainer pull requests were later merged, the release workflow restored the poisoned cache. Attacker-controlled code then extracted OpenID Connect (OIDC) tokens directly from the runner's process memory and exchanged them with npm's federation endpoint for full publish credentials.

The result was 84 malicious package versions published across 42 TanStack packages in under six minutes, all carrying valid SLSA Build Level 3 provenance attestations from Sigstore.

Are there other CVEs associated with Mini Shai-Hulud?

At present, only CVE-2026-45321 has been assigned. It applies specifically to the TanStack wave of the campaign. The broader Mini Shai-Hulud campaign exploits CI/CD trust relationships and stolen credentials rather than traditional software vulnerabilities.

Which threat actors are behind this campaign?

Multiple independent security firms attribute the campaign to TeamPCP, a financially motivated cybercriminal group that emerged in late 2025. Google's Threat Intelligence Group tracks the group as UNC6780. Other tracked aliases include DeadCatx3, PCPcat, ShellForce, and CipherForce, according to Snyk and Palo Alto Networks Unit 42.

TeamPCP is assessed as responsible for several prior high-profile supply chain compromises, including the Aqua Security Trivy scanner compromise (March 2026), the Bitwarden CLI npm compromise (April 2026), the Checkmarx Jenkins AST Plugin backdoor (May 2026) and GitHub (May 2026). Unit 42 has documented TeamPCP's announced partnership with the Vect ransomware group, suggesting the credential harvesting pipeline may serve as an initial access pathway for ransomware deployment.

What organizations have been affected?

At least four organizations have publicly confirmed breaches linked to the campaign:

• OpenAI disclosed on May 15 that two employee devices in its corporate environment were compromised after ingesting a malicious TanStack package. Limited credential material was exfiltrated from internal source code repositories, including code-signing certificates for macOS, Windows, iOS, and Android applications. OpenAI is rotating those certificates and requiring all macOS users to update their applications before June 12, 2026. The company stated it found no evidence that customer data, production systems, or intellectual property were compromised.
• Mistral AI confirmed that a codebase management system was compromised and SDK packages were contaminated. Non-core code repositories were accessed. On May 17, a TeamPCP-linked forum account claimed to be selling alleged Mistral AI repositories.
• The European Commission (europa.eu) was reportedly affected by the earlier Trivy wave in March 2026, with over 90 gigabytes of data exfiltrated according to ReversingLabs reporting.
• GitHub disclosed on May 19 that they were investigating claims made by TeamPCP after the group posted GitHub source code for sale. Shortly after, they confirmed that roughly 3,800 internal repositories were breached. The root cause was a trojanized Visual Studio Code extension that had been installed by an employee. That extension was later revealed to be Nx Console, in which a malicious copy of the extension was available for around 18 minutes on the Visual Studio Marketplace. According to the Nx Console security advisory, the root cause was a developer's account that had been compromised via theTanstack supply-chain compromise. The leaked credentials were then abused to run workflows on the Nx Console GitHub repository.

Beyond named victims, the campaign has compromised over 170 packages spanning both npm and PyPI with more than 518 million cumulative weekly downloads. OX Security data shows that at least 400 GitHub repositories of stolen credentials were created as part of the campaign.

How does the worm spread?

The campaign's core mechanism is a self-propagating worm. When a developer or CI/CD runner installs a compromised package, the malware executes during installation and harvests credentials stored on the system, including npm tokens, GitHub personal access tokens, AWS credentials, Kubernetes secrets, SSH keys and HashiCorp Vault tokens. The worm then uses those harvested credentials to publish poisoned versions of other packages the victim has access to, creating a chain reaction that spreads across the ecosystem without requiring further action from the attacker.

Mini Shai-Hulud employs three distinct attack chains depending on the access conditions available:

• Token theft and automated mass-publish is the most common method. The attacker compromises an npm maintainer account or token through prior credential harvesting, then runs an automated script that publishes trojanized versions of every package accessible to the compromised account. The trojanized packages include a preinstall hook that downloads the Bun JavaScript runtime and executes a large, obfuscated credential-stealing payload before the dependency installation completes.
• OIDC hijack with provenance defeat was used in the TanStack wave and represents the most technically sophisticated variant. Instead of stealing a stored credential, the attacker extracted a short-lived OIDC token from the runner's process memory, allowing publication through the project's own trusted pipeline with valid cryptographic attestation.
• PyPI injection targets Python packages through compromised maintainer accounts. A dropper injected into the package's initialization file downloads a separate malicious payload from attacker-controlled infrastructure.

All three chains converge on the same post-exploitation behavior: credentials are exfiltrated through three redundant channels (a dedicated command-and-control server, the decentralized Session messenger network and GitHub API dead drops), and the harvested tokens are used to propagate the worm to additional packages.

Why is the SLSA provenance defeat significant?

SLSA (Supply-chain Levels for Software Artifacts) is a framework for verifying that software was built from a trusted source through a trusted process. Build Level 3, the highest practical level, requires cryptographic provenance generated by the build system itself, verified through Sigstore. Running npm audit signatures on a Level 3-attested package should confirm that the package was built exactly as the maintainer intended.

The Mini Shai-Hulud TanStack wave demonstrated that provenance attestation can verify that the build pipeline is legitimate without verifying that the code being built is safe. Because the attacker hijacked the legitimate pipeline itself (rather than publishing from an unauthorized account), the resulting packages carried valid attestations. Organizations that relied on provenance verification as a primary supply chain security control were unable to detect the compromise.

This finding has implications beyond this specific campaign. Any security control that verifies process integrity without independently verifying code integrity is vulnerable to the same class of attack. Provenance remains valuable but is no longer sufficient as a standalone trust signal for open-source packages. When malicious code can bypass cryptographic build verification, code scanning cannot live in a vacuum; it must be continuously validated alongside identity entitlements and runtime posture.

What about the open-sourced code and copycat attacks?

On May 12, 2026, TeamPCP published the Shai-Hulud worm source code on GitHub under an MIT License with the message: "Shai-Hulud: Open Sourcing The Carnage." The release included operational guidance encouraging users to customize encryption keys and infrastructure for their own campaigns. TeamPCP simultaneously announced a $1,000 contest on BreachForums for the largest supply chain attack using the code.

OX Security detected four malicious npm packages from separate threat actors deploying Shai-Hulud clones in May 2026, including chalk-tempalte (a typosquat of the popular Chalk library), @deadcode09284814/axios-util, axois-utils, and color-style-utils. These copycat packages use the open-sourced worm code with modified command-and-control infrastructure and credential exfiltration targets.

A rival worm called PCPJack has also been observed actively evicting TeamPCP infections while stealing credentials independently, adding further complexity to the threat landscape.

Is CVE-2026-45321 in the CISA Known Exploited Vulnerabilities (KEV) catalog?

As of May 20, 2026, CVE-2026-45321 is not listed in the CISA KEV catalog. NHS England issued a security alert related to the campaign, but no public advisory from CISA has been published.

What should organizations do?

1. Scan your dependency trees immediately. Check lockfiles and CI logs for any affected package versions across the @tanstack, @uipath, @mistralai, @opensearch-project, @antv, and @squawk namespaces. Community-maintained detection scripts can assist, though organizations should verify third-party scanning tools before deployment.
2. Check for persistence before revoking tokens. The worm installs a gh-token-monitor daemon (via systemd on Linux or launchctl on macOS) that polls GitHub every 60 seconds and triggers a recursive file deletion if it detects that the token has been revoked. Search for and remove this daemon, as well as injected tasks in.vscode/tasks.json and Claude Code hooks in ~/.claude/settings.json, before rotating credentials.
3. Rotate all credentials on potentially affected systems. If exposure is suspected, rotate GitHub tokens, npm tokens, AWS credentials, HashiCorp Vault tokens, Kubernetes service accounts, Docker credentials, and CI/CD secrets. Treat any system that installed a compromised package version as fully compromised.
4. Harden CI/CD pipeline configurations. Replace pull_request_target workflows with pull_request for any workflow that executes code from pull requests. Pin all GitHub Actions and workflow steps to immutable commit SHAs rather than tags or branches. Implement cache isolation between fork-originated and maintainer-originated workflows. Restrict secret access to named workflow steps using the GitHub Actions permissions key.
5. Implement structural dependency controls. Deploy --ignore-scripts as the default for npm installs with explicit allowlisting for trusted lifecycle hooks. Pin all dependencies to exact versions and enforce lockfile integrity verification in CI. Consider implementing minimumReleaseAge policies to delay automatic installation of newly published versions.
6. Audit for credential storage on developer machines. The payload targets more than 80 environment variables and filesystem paths, including.aws/credentials, .npmrc, .ssh/ directories, .kube/config, and .docker/config.json. Transition from long-lived filesystem credentials to short-lived tokens and ephemeral CI/CD environments wherever possible.
7. Monitor for campaign indicators. Watch for network connections to 83.142.209[.]194, DNS queries to getsession[.]org endpoints from CI runners, and GitHub repository creation matching Dune-themed naming patterns. Organizations with Software Composition Analysis tools should ensure their rulesets include the campaign's known payload hashes and behavioral indicators.

Has Tenable released any product coverage for these vulnerabilities?

Yes, Tenable customers can use Tenable One Exposure Management Platform to assess their exposure surface related to Mini Shai-Hulud. Tenable One provides visibility into software dependencies and CI/CD pipeline configurations, enabling organizations to identify potentially compromised packages within their environments and prioritize remediation based on their specific exposure context.

Tenable One Cloud Exposure Management provides immediate inventory and prioritization coverage across five dimensions:

• Continuous package inventory across every cloud workload allowing you to scan container images, VMs, and registry artifacts to maintain a live software bill of materials (SBOM). The moment indicators of compromise (IOCs) publish, Tenable identifies every asset pulling the compromised versions.
• Reachability and exploitability context. This is where Tenable One Cloud Exposure Management separates from list-based software composition analysis (SCA), determining whether the compromised package is actually loaded at runtime, whether the workload is internet-exposed and whether the malicious code path executes on import.
• Pipeline-to-cloud lineage. Tenable One Cloud Exposure Management traces compromised packages back through CI/CD to the build artifacts they produced, through runtime. Tenable also provides runtime reachability analysis with eBPF scanning and AI-powered Threat Stories, adding yet another actionable layer of threat discovery and response.
• Asset-criticality prioritization. Tenable ranks findings by business context, identity blast radius via cloud infrastructure entitlement management (CIEM), and data sensitivity via data security posture management (DSPM) so response teams work the highest-risk assets first.
• Unified findings inside Tenable One. SCA hits don’t sit in isolation. They land alongside CSPM misconfigurations, identity exposures, and runtime signals from CDR, correlated by Hexa AI into a single prioritized exposure. The SCA finding joins to the IAM role that pipeline assumes, the secrets it can access and the data those secrets unlock.

Additionally, a list of Tenable plugins for CVE-2026-45321 can be found on the individual CVE page as they’re released. Coverage for the original Shai-Hulud variants can be found in plugin ID 265897.

These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

• StepSecurity: Mini Shai-Hulud is Back
• Wiz: Mini Shai-Hulud Strikes Again
• Snyk: TanStack npm Packages Hit by Mini Shai-Hulud
• Akamai: Mini Shai-Hulud: The Worm Returns and Goes Public
• OpenAI: Our Response to the TanStack npm Supply Chain Attack
• ReversingLabs: Shai-Hulud Code Drop
• TanStack Postmortem
• OX Security: New Actors Deploy Shai-Hulud Clones

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

A highly critical SQL injection vulnerability in Drupal core's database abstraction layer affects sites running PostgreSQL.

Update May 27: The blog has been updated to include reports of observed exploitation attempts.

Update May 27: The blog has been updated to include reports of observed exploitation attempts.

1. CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core's database abstraction API that can be exploited by unauthenticated attackers on sites using PostgreSQL.
2. No exploitation has been observed in the wild, but a detection PoC was published on the same day as the advisory and the patch diff was shared publicly within hours.
3. Patches are available across six supported Drupal branches, including two exceptional releases for end-of-life versions.

On May 20, Drupal published a security advisory (SA-CORE-2026-004) for a highly critical SQL injection vulnerability in Drupal core:

The advisory was preceded by a public service announcement (PSA-2026-05-18) on May 18, which warned administrators to prepare for a highly critical release and cautioned that exploitation could occur "within hours or days" of disclosure.

Drupal rates this vulnerability 20 out of 25 on its own risk scoring scale ("Highly Critical"), noting that the confidentiality impact includes "all non-public data accessible" and the integrity impact is "all data modifiable or deletable." NVD assigned a CVSSv3 score of 6.5, rating the confidentiality and integrity impacts as Low. Given the vendor's own characterization of impact and the unauthenticated attack vector, the Drupal risk rating better reflects the potential severity for affected configurations.

CVE-2026-9082 is an SQL injection vulnerability in Drupal core's database abstraction API, specifically in the PostgreSQL EntityQuery condition handler. An unauthenticated, remote attacker can exploit this vulnerability by sending specially crafted requests to a vulnerable Drupal site running on PostgreSQL. Successful exploitation could lead to information disclosure, data modification or deletion, and in some configurations, privilege escalation or remote code execution.

User-controlled PHP array keys could reach SQL placeholder construction unsanitized. Drupal fixed this by applying ‘array_values()’ which strips attacker-supplied keys and replaces them with numeric indexes.

Scope: PostgreSQL only

This vulnerability only affects Drupal sites using PostgreSQL as their database backend. Sites running MySQL, MariaDB, or SQLite are not affected. The vulnerable code resides in Drupal’s PostgreSQL EntityQuery condition handler, which is only invoked on PostgreSQL configurations.

No exploitation observed

At the time this blog post was published on May 21, Drupal's advisory describes the exploit status as "Theoretical," and no in-the-wild exploitation has been reported.

Historical exploitation of Drupal Core

Drupal core has a well-documented history of critical vulnerabilities that attracted rapid mass exploitation. CISA's Known Exploited Vulnerabilities (KEV) catalog contains four Drupal entries, two of which have confirmed ransomware use. The Drupalgeddon vulnerabilities (CVE-2018-7600 and CVE-2018-7602) in particular became a case study in how quickly attackers weaponize Drupal flaws once details are available.

On the same day as the security release, a detection PoC and reproduction lab was published. The patch diff was also shared on social media within hours of the release.

The minimal complexity of this patch, combined with the availability of AI-powered code analysis tools that can analyze diffs and assist in exploit development, compresses the timeline between patch release and weaponization. Historically, Drupal vulnerabilities of this severity have seen exploitation within hours to days of disclosure. Administrators running PostgreSQL-backed Drupal sites face a shortening window to apply patches before exploitation attempts begin.

Update: On May 22, Drupal updated its advisory for CVE-2026-9082 to increase its risk score because "exploit attempts are now being detected in the wild" while CISA added CVE-2026-9082 to the KEV.

Drupal has released fixed versions across all currently supported branches, as well as exceptional releases for two end-of-life branches due to the severity of this vulnerability:

Sites running Drupal 8.9 or 9.5 have reached end-of-life and will not receive packaged updates. However, Drupal has published hotfix files for sites running 9.5.11 or 8.9.20. Sites on Drupal 7 are not affected.

Sites using Drupal Steward are protected against known attack vectors for this vulnerability.

According to the security advisory, these releases also include coordinated upstream security updates for Symfony and Twig. These include separate vulnerabilities from CVE-2026-9082, but Drupal core is affected by some of them. Even sites not running PostgreSQL benefit from updating to these releases.

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2026-9082 as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Drupal by using the following query: CMS contains Drupal.

• Drupal Security Advisory SA-CORE-2026-004
• Drupal PSA-2026-05-18: Pre-release announcement

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

The days of rigid, vendor-locked security stacks are over. The Tenable One Open Connector amplifies Tenable One’s extensive capacity to ingest and consolidate third-party security data, giving you more complete visibility across your attack surface, so you can keep using your preferred cybersecurity tools.

1. The Tenable One Open Connector enables you to integrate data from previously unsupported sources of security data, eliminating silos and providing a more unified view of cyber risk.
2. Break free from vendor lock-in by ingesting and mapping data from the tools that work best for your business.
3. Automate data ingestion to ensure your exposure management decisions always use up-to-date data insights.

If you’re running a security organization, you likely struggle with this persistent and disruptive problem: Security data is spread across too many disparate tools, making it nearly impossible to get a clear, unified picture of your organization’s overall risk exposure.

This is one of the fundamental challenges that an effective exposure management program addresses.

One of the primary goals of the Tenable One Exposure Management Platform is to serve as the central hub for unified risk reduction across your entire environment, including on-premises assets, cloud workloads, IoT devices, OT systems, AI tools, identity platforms, and more. With Tenable One, you can break down data-security silos that heterogeneous tools create and unify fragmented visibility into one place.

Earlier this year, Tenable introduced Tenable One Connectors. To date, we have more than 300 of these validated integrations, which give security teams the ability to integrate these tools and consolidate their data into Tenable One. These custom-built connectors have established Tenable One as one of the most open and interconnected exposure management platforms on the market.

Now, we are delivering the final piece of the puzzle with the launch of the Tenable One Open Connector.

By expanding your reach beyond the 300-plus official integrations, the Tenable One Open Connector allows you to ingest data from other unsupported tools, spreadsheets, and even homegrown internal systems. This includes everything from manual pentesting results and specialized security tools to custom internal configuration-management databases (CMDBs) and AI-driven security audits.

Unified visibility across your attack surface provides context to see how individual risks relate to one another. What may look like a low-priority issue on its own can become a critical weakness when linked to others, forming dangerous attack paths for adversaries. This relationship-driven view allows you to separate real threats from background noise, prioritize with confidence, and focus on the exposures that pose real risk to your business’s operations, revenue, and reputation. This is what exposure management is all about: building a security program that sees the whole picture, not just isolated pieces.

The Tenable One Open Connector redefines how you manage data across your attack surface. By unifying your security data into a single source of truth, it gives your security team the visibility and control they need to see more, act faster, and work smarter. Here’s how:

• Get a more complete view of risk
  The Tenable One Open Connector empowers you to bring more of your security data together into one unified, contextual view of cyber risk. With this more expansive visibility, you can perform a more holistic risk analysis and accurately prioritize to reduce critical exposures across your entire attack surface.
   
• Unlock an open, flexible platform for your security stack
  A rigid, vendor-locked security stack hampers your team’s ability to assess cyber risk. At Tenable, we believe you should use the security tools that work best for your business, instead of having to make compromises driven by vendor restrictions. The Tenable One Open Connector gives you that freedom. As your priorities and tools evolve, the Tenable One Open Connector evolves with you, ensuring your heterogeneous toolset doesn’t hold your exposure management strategy back.
   
• Act faster with automated, always-current data
  The Tenable One Open Connector helps you base your exposure management decisions on the latest, most complete data — without being limited to manual updates. If you rely only on manual uploads, your data will likely become outdated, impacting your ability to make accurate risk assessments. Continuous, automated insights empower your team to act faster, reduce risk more effectively, and confidently demonstrate security outcomes to your business.
   
• Tailor your data mapping for deeper insights
  Instead of being locked into rigid, vendor-defined field mappings, the Tenable One Open Connector gives you complete control over data organization within Tenable One. This flexibility allows you to segment data in ways that best fit your needs, leading to more precise data organization and helping you conduct tailored analysis. 

The Tenable One Open Connector is powerful yet simple, so you can get your security data into Tenable One in minutes.

• Automated uploads: Fully automate the ingestion process by establishing a seamless connection between Tenable One and an S3 bucket in your cloud storage. As source files refresh, Tenable One automatically ingests new data for continuous, up-to-date visibility without manual intervention. In addition, you also have the option to manually upload files, such as CSV, Excel, or ZIP files.
   
• Flexible data mapping: Control exactly how the system organizes your data. Map file fields to Tenable One fields, combine multiple fields into one, or split a single field across several, so you have ample flexibility to structure and analyze your data precisely.
   
• Automated data correlation: Automatically deduplicate, correlate, and normalize all incoming data for accurate, consistent comparisons across your entire dataset.

Watch the Tenable One Open Connector guided demo to see just how easy it is to connect a new data source.
 

1. What is the Tenable One Open Connector?

The Tenable One Open Connector is the newest addition to the Tenable One ecosystem, specifically designed to further break down data silos in your security stack. While Tenable One Connectors focus on pre-configured custom integrations with specific third-party products, the Open Connector allows you to capture and integrate data from previously out-of-reach sources — including internal systems, niche third-party tools, and spreadsheets — directly into Tenable One.  

2. Why do I need the Tenable Open Connector?

Fragmented data creates massive blind spots, and attackers thrive in the shadows between those silos. Adversaries don’t view your environment as a collection of separate domains or disconnected tools. They see it as one interconnected map of assets. With data scattered among tens or even hundreds of siloed tools, you struggle to see the critical connections and lateral paths that an attacker would exploit to move through your environment. To stay ahead of today’s threats, especially those boosted by AI, you must adopt the attacker’s perspective. The Tenable One Open Connector gives you clarity to identify exposures and block attacks before they ever have a chance to start.

3. What is the value of the Tenable One Open Connector?

The Tenable One Open Connector delivers comprehensive flexibility and visibility to your security operations. You can perform a more holistic risk analysis by unifying disparate data sources that were once impossible to correlate. Beyond just visibility, the connector offers flexible data mapping to segment and organize your information to fit your specific business needs, rather than getting locked in a rigid, pre-defined template. You also get true independence from vendor integration roadmaps, so you can use the tools that work for your business and integrate them into Tenable One on your own terms.

Ready to break down even more data silos and achieve a truly unified view of risk? Request a demo of Tenable One today.

As frontier AI models collapse the traditional exploit window, Tenable Hexa AI transforms the security operating model from manual triage to agentic orchestration. See how you can automate vulnerability remediation and super-charge exposure management with Tenable Hexa AI.

1. AI models like Claude Mythos have reduced the time from vulnerability discovery to weaponization from weeks to minutes, making manual defense untenable.
    
2. Tenable Hexa AI serves as an agentic engine that orchestrates complex, multi-step remediation workflows across modern attack surfaces to accelerate the speed of preemptive security and propel your exposure management program.
    
3. Using the Model Context Protocol (MCP) included in Tenable Hexa AI, your team can build and deploy custom agents that anchor your preferred LLMs in the Tenable Exposure Data Fabric, ensuring every automated action is governed, auditable, and accurate.

For most of my career in cybersecurity, we’ve operated on a fundamental, if unspoken, assumption: We had a grace period. Whenever a new vulnerability was discovered, we knew we had time, often weeks or months, before adversaries would begin exploiting it. The time between vulnerability discovery and exploitation gave us breathing room. It gave us time to patch, triage, and remediate.

But not any more. The gap between discovery and exploitation has been shrinking for years, and the vulnerability discovery capabilities demonstrated by frontier AI models like Claude Mythos are narrowing it even more.

We have entered the era of AI speed. When an LLM can unearth a 27-year-old vulnerability in a hardened OS in minutes, and then weaponize it in seconds, old defensive cycles can’t keep up, and that’s untenable. 

This is why I’m so excited to announce the general availability of Tenable Hexa AI, the agentic engine of the Tenable One Exposure Management Platform, at EXPOSURE 2026: because it’s designed to help your organization address the escalating, AI-driven pace of vulnerability discovery.

Tenable Hexa AI is built to be a force multiplier and a flexible engine for innovation. Featuring a suite of built-in agents ready to automate assessment configuration, asset tagging, dashboard creation, ticket creation, and more, Tenable Hexa AI is designed to help your organization overcome the operational challenges deepened by adversarial AI use. 

When the window between discovery and exploitation hits near-zero, security teams locked in manual vulnerability management operating models are forced into a state of perpetual emergency. Manually stitching together context and telemetry from cloud, identity, OT, and vulnerability silos in an arduous effort to prioritize remediation for downstream IT and DevOps teams is a losing battle. 

And when you can’t provide clear, risk-based remediation priorities to IT and DevOps teams, you end up bombarding them with seemingly urgent tickets that may not in fact be critical to your organization. Constant shifts in remediation priorities and endless debates over what needs fixing and why is not sustainable. It creates friction and causes you to lose the cybersecurity race.

In a world where attackers move at machine speed, only comprehensive exposure intelligence combined with the agentic AI orchestration capabilities provided by the Tenable One Exposure Management Platform can give you clarity and control. 

Tenable Hexa AI doesn’t just tell you where you are vulnerable; it mobilizes your preemptive defense.

With this GA release, Tenable delivers foundational capabilities to help your organization accelerate the pace of vulnerability discovery and remediation, including:

• Your choice of agents - Use our pre-built, out-of-the-box agents to start reducing risk immediately, or use the Model Context Protocol (MCP) server built into Tenable Hexa AI to create custom agents tailored to your organization’s environment.
• Advanced multi-step reasoning - Tenable Hexa AI executes complex, end-to-end workflows spanning your attack surface (e.g., IT, cloud, identity, OT, etc.) in a single request, eliminating the need for practitioners to toggle between views to get exposure context. It understands that a CVE in your web app is a critical threat specifically because it is linked to a privileged service account with a path to your sensitive data.
• Automated remediation workflows - Tenable Hexa AI orchestrates remediation workflows, automatically creating and routing tickets, generating custom policies, and producing audit-ready reports, so security teams can act fast on every critical exposure.
• End-to-end exposure path insights - Practitioners can query their environment by identity attributes, such as service accounts, privileged users, and Active Directory groups, to surface exposure paths that traditional asset inventories miss. Tenable Hexa AI also provides guided assistance for complex Active Directory sensor configurations.

In addition to out-of-the-box agentic capabilities for use cases like automated assessment configuration, asset tagging, and ticket creation, customers can also build custom agents via Tenable Hexa AI's built-in MCP that are informed by your organization’s unique security policies and internal business logic.

Tenable Hexa AI serves as the orchestration layer connecting your favorite AI tools to your infrastructure and other security tools, all with the data and context from the Tenable Exposure Data Fabric. By anchoring the models your organization uses in the authoritative context of your own environment, Tenable Hexa AI moves you beyond generic AI answers to governed and auditable automation. Whether you are automating complex remediation or generating board-ready dashboards, Tenable Hexa AI ensures the output is both verifiable and auditable.

The Tenable Exposure Data Fabric is key because an agent is only as effective as the data it has access to. Tenable Hexa AI is powered by the Tenable Exposure Data Fabric, a repository of 20 years of vulnerability research and the industry’s largest collection of contextualized exposure data. In other words, we’ve built an agentic engine for cybersecurity that uses the world’s best exposure data to drive machine-speed actions. This is the only way to ensure your AI is validating the real state of your environment, rather than just guessing.

While there are virtually infinite ways to apply agentic orchestration to your unique cybersecurity challenges, here are four high-impact areas where manual workflows traditionally break down and make it impossible for you to keep pace with AI-powered vulnerability discovery: 

• Supply chain response - Neutralize third-party threats by using Tenable Hexa AI to correlate software components with affected internal assets.

• Automated patching - Use custom Hexa agents to beat the Mythos clock by orchestrating patches the moment a vulnerability is validated.

• Remediation assignment - Use Tenable Hexa AI to automatically match CVEs to asset owners in seconds and trigger immediate response workflows.

These use cases demonstrate how Tenable Hexa AI can bridge the gap between exposure intelligence and action.

The collapse of the exploit window is a wake-up call. It gives us the opportunity to change how we work. By shifting from manual triage to agentic orchestration, organizations are seeing a shift in productivity and how they prioritize and action exposure reduction.

While early design partners have already reclaimed days per month on foundational tasks like asset tagging, the value is not found solely in the hours saved, but rather, in the precision of the response. By automating the correlation between cloud, identity, AI, OT, and vulnerability data, Tenable One provides the clear, contextualized instructions that IT and DevOps teams need to act with confidence.

This eliminates the administrative friction and back-and-forth negotiation that often results in critical vulnerabilities going unaddressed. Reclaiming those days means your best people are no longer buried in spreadsheets; they are focused on high-impact strategy, architecture hardening, and preemptive defense.

Tenable Hexa AI is available today as part of the Tenable One Foundation and Tenable One Advanced packages.

The 2026 Verizon Data Breach Investigations Report (DBIR) reveals a troubling trend: vulnerability exploitation has surged to become the number one initial access vector while remediation rates have worsened.

1. Vulnerability exploitation has surged to become the leading initial access vector for breaches, accounting for 31% of data breaches during the study period.
2. Security teams’ patching efforts are falling further behind, with the median time-to-patch growing by 11 days in the past year.
3. As AI-powered tools increase the speed and volume of vulnerability discovery and vulnerability exploitation, exposure management helps organizations keep up by continually assessing their attack surfaces, prioritizing risks, and orchestrating automated remediation of security weaknesses.

Verizon’s annual Data Breach Investigations Report (DBIR) has helped organizations understand evolving cyber threats since its first release in 2008. For the 2026 edition, Tenable Research once again contributed enriched data on vulnerability exploitation and vulnerability remediation trends. This year’s findings paint a stark picture: Compared with last year, organizations are facing a significant increase in the volume of “must-patch” vulnerabilities from the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.

The widening gap between vulnerability disclosure and remediation represents one of the most pressing challenges in cybersecurity today. Security teams are already overwhelmed, both by the rising number of vulnerabilities and the lack of time for patch management. This reality underscores the critical need for comprehensive exposure management, a strategic, AI-driven approach to preemptive security designed to help organizations reduce cyber risk by continually assessing their attack surfaces, prioritizing risks, and orchestrating automated remediation of security weaknesses.

The 2026 Verizon DBIR found that vulnerability exploitation is the top initial access vector, accounting for 31% of data breaches during the study period. Even more concerning is that the median time-to-patch has increased from 32 days to 43 days, a 34% increase. This year’s findings paint a stark picture: The number of vulnerabilities continues to snowball, as organizations’ patching rates continue to fall behind.

The vulnerability landscape continues to see explosive growth as the CVE program currently reports more than 351,000 registered CVEs with more than 21,500 already reserved in 2026. As we’re on the path for another record number of CVEs, this flood of vulnerabilities creates an extremely difficult situation for security teams already stretched thin. With median time-to-patch increasing and exploitation timelines shrinking, attackers are winning the race between disclosure and remediation.

The situation may be poised to worsen dramatically. The cybersecurity community is increasingly concerned about AI-powered vulnerability discovery tools like Anthropic’s Claude Mythos, which can automatically identify security flaws in codebases at unprecedented speed and scale. While such tools hold promise for defensive security teams, they also represent a potential inflection point: if AI can discover vulnerabilities faster than organizations can patch them, the already immense patch burden could become truly unmanageable.

This AI-driven acceleration comes at the worst possible time. Organizations are already struggling to remediate vulnerabilities, with the Verizon data breach investigations report finding that organizations successfully remediate only 26% of KEV vulnerabilities. Adding to this concern, the DBIR points out that there has been a nearly 50% increase in the number of CISA KEV vulnerabilities to patch in 2025, putting even more pressure on security teams.

If AI models begin flooding the CVE database with newly discovered vulnerabilities, or worse, if attackers leverage these models to find and exploit zero-days before defenders can respond, the current remediation crisis is likely to escalate into a systemic failure of the traditional patch-based defense model.

While vulnerability exploitation dominates headlines as the number one initial access vector, it represents only a slice of the exposure problem. The DBIR notably highlights credential abuse as another significant threat vector, underscoring that vulnerabilities don’t exist in isolation. Stolen credentials can transform a moderate-severity vulnerability into a critical breach pathway, while exposed configurations can provide attackers with the access needed to exploit unpatched systems.

This interconnected nature of exposures highlights why more and more organizations are adopting comprehensive exposure management. Understanding and addressing the full attack surface, including identity risks, misconfigurations, excessive permissions, and vulnerable assets, is essential to reducing breach risk in today’s threat landscape.

The emergence of AI-powered vulnerability discovery makes exposure management absolutely essential. As AI tools accelerate vulnerability identification, organizations cannot simply try to patch more vulnerabilities faster. Instead, they must focus on understanding and remediating the vulnerabilities that matter most in the context of their specific environment. A newly discovered vulnerability on an isolated system with no credentials exposed and strong access controls poses far less risk than an older CVE on an internet-facing asset with weak authentication. The Tenable One Exposure Management Platform provides both the contextual framework needed to make these critical prioritization decisions and the agentic orchestration engine required to accelerate remediation in an era of AI-accelerated vulnerability discovery.

As Tenable Research examined the trends in the data, our team decided to distill the CVEs into product categories and compare which categories saw the largest percentage of unremediated assets. For our analysis, we focused on KEV CVEs as these are vulnerabilities known to have been exploited and in attackers’ crosshairs.

As you can see in the figure below, vulnerabilities affecting development tools saw the highest rate of unremediated assets, followed by virtualization/hypervisor flaws and remote monitoring and management (RMM) flaws. While the remediation process across these product categories can vary, the overall trend of nearly all of the product categories having an above 50% unremediated rate demonstrates that organizations are still struggling with vulnerability remediation.

Similarly, we looked at the average number of days that assets remained unremediated while comparing that to the number of CVEs affecting that category during the DBIR reporting period.

Tenable analysis of the data reinforces the stark reality highlighted in the Verizon DBIR: Organizations are taking longer to patch known and exploited vulnerabilities while facing a rapid increase in the number of vulnerabilities that require immediate attention.

The 2026 DBIR findings are sobering but not surprising to those on the front lines of cybersecurity. The data confirms what many security teams experience daily: The patch burden is growing faster than organizations’ ability to respond. With vulnerability exploitation now the top initial access vector and median time-to-patch continuing to climb, the gap between attacker speed and defender response continues to widen.

Organizations must adopt an exposure-centric approach that considers not just the presence of vulnerabilities, but the full risk context of their environment:

• Which assets are exposed?
• Who has access?
• Which credentials are compromised?
• Which exposure combinations create the most dangerous attack paths?

In an era where AI is discovering vulnerabilities faster than humans can patch them, understanding which exposures truly matter represents the only sustainable path forward.

The 2026 DBIR, enriched with Tenable Research’s data, provides valuable insights into today’s threat landscape. Tenable encourages security professionals to read the full Verizon DBIR to understand current attack trends and use these findings to inform their exposure management strategies. The crisis documented in this report signals that the traditional vulnerability-centric model needs a fundamental evolution toward comprehensive, AI-driven exposure management.

Tenable provides comprehensive detection coverage for CISA’s KEV catalog, with detection capabilities deployed rapidly following vulnerability disclosure. This coverage spans diverse asset categories, enabling comprehensive visibility into actively exploited vulnerabilities across your environments. CVEs on the KEV catalog will have a tag on the individual CVE pages, and you can browse our upcoming plugins on our Plugins Pipeline page.

• Verizon 2026 Data Breach Investigations Report (DBIR)

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Multiple critical authentication bypass vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager are under active exploitation by multiple threat clusters, including CVE-2026-20182, which has been exploited as a zero-day by a sophisticated threat actor.

1. CVE-2026-20182 is a critical (CVSSv3 10.0) authentication bypass in Cisco Catalyst SD-WAN Controller and Manager disclosed on May 14 with confirmed active exploitation.
2. A sophisticated threat actor designated UAT-8616 has exploited Cisco SD-WAN vulnerabilities since at least 2023, and 10 additional threat clusters began exploitation of multiple vulnerabilities in SD-WAN after public proof-of-concept code became available.
3. Patches are available for all supported Cisco Catalyst SD-WAN releases and CISA has mandated remediation by May 17 under Emergency Directive 26-03.

Tenable's Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding the ongoing exploitation of multiple vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager.

When were these Cisco SD-WAN vulnerabilities first disclosed?

On February 25, 2026, Cisco published an advisory for CVE-2026-20127, a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager that was already being exploited in the wild at the time of disclosure. Alongside that advisory, Cisco also released patches for three additional vulnerabilities in SD-WAN Manager: CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122. The security advisory for these CVEs (cisco-sa-sdwan-authbp-qwCX8D4v) was updated in March to confirm exploitation of CVE-2026-20128 and CVE-2026-20122 and then again in April to confirm that CVE-2026-20133 had also been exploited.

On May 14, 2026, Cisco published a new advisory (cisco-sa-sdwan-rpa2-v69WY2SW) for CVE-2026-20182, a separate critical authentication bypass vulnerability that was discovered during the investigation into the earlier exploitation. This vulnerability is also under active exploitation.

What are the vulnerabilities associated with the Cisco SD-WAN exploitation?

There are five CVEs associated with this ongoing campaign, plus one older vulnerability used for post-compromise privilege escalation:

Both CVE-2026-20182 and CVE-2026-20127 are critical-severity flaws that enable remote, unauthenticated access to administrative functions due to broken peering authentication logic. CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122, when chained together, allow a remote unauthenticated attacker to gain access to the SD-WAN Manager.

What products are affected?

The following table lists the CVEs and affected devices. None of these vulnerabilities require specific device configurations to be exploitable, and all deployment models are affected:

How severe is the exploitation?

Successful exploitation of CVE-2026-20182 or CVE-2026-20127 provides access to a privileged (but non-root) internal account on the SD-WAN Controller. That access opens NETCONF, giving the attacker the ability to alter network configuration across the entire SD-WAN fabric. In observed attacks, the threat actor UAT-8616 then leveraged CVE-2022-20775 via a software version downgrade technique to escalate privileges to root.

Post-compromise activities observed by Cisco Talos include SSH key injection, NETCONF configuration manipulation, malicious account creation, and extensive log clearing to cover tracks.

Who is UAT-8616?

UAT-8616 is a designation assigned by Cisco Talos to a “highly sophisticated cyber threat actor” that has been exploiting Cisco SD-WAN infrastructure since at least 2023. According to Cisco Talos, UAT-8616 targets critical infrastructure sectors and its infrastructure overlaps with monitored Operational Relay Box (ORB) networks.

UAT-8616 exploits CVE-2026-20182 and CVE-2026-20127 for initial access, then, in the case of CVE-2026-20127 exploitation, performs software version downgrades to expose CVE-2022-20775 for root privilege escalation. After achieving root access, the actor restores the original software version to conceal the exploitation path. Additional persistence techniques include injecting SSH keys into authorized_keys files, enabling PermitRootLogin in the SSH daemon configuration, and clearing forensic evidence from syslog, wtmp, lastlog, bash_history and cli-history files.

Are there other threat actors exploiting these vulnerabilities?

Yes. Cisco Talos has identified 10 additional threat clusters that are distinct from UAT-8616. These clusters have been exploiting the CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 chain since early March 2026, following the publication of proof-of-concept code by ZeroZenX Labs. The tools deployed by these clusters range from webshells (Godzilla, Behinder, XenShell) and red team frameworks (AdaptixC2, Sliver) to cryptocurrency miners (XMRig) and credential stealers targeting admin hashes, JWT tokens and AWS credentials.

Are proofs-of-concept (PoCs) available?

Yes. ZeroZenX Labs published proof-of-concept code for the CVE-2026-20133, CVE-2026-20128, CVE-2026-20122 exploit chain in March 2026. This PoC release directly correlated with the surge in exploitation activity across multiple threat clusters. The availability of public PoC code highlights the risk to any exposed SD-WAN infrastructure that remains unpatched.

What actions has CISA taken?

CISA has taken multiple actions in response to the Cisco SD-WAN exploitation campaign:

• February 25, 2026: Added CVE-2026-20127 and CVE-2022-20775 to the Known Exploited Vulnerabilities (KEV) catalog
• April 20, 2026: Added CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 to the KEV catalog
• May 14, 2026: Added CVE-2026-20182 to the KEV catalog with an action deadline of May 17, 2026
• May 14, 2026: Issued Emergency Directive 26-03 and published Hunt & Hardening Guidance for Cisco SD-WAN Devices

All five CVEs in this campaign are now in CISA's KEV catalog.

Are patches available?

Cisco has released patches for each of the vulnerabilities discussed in this blog. We recommend reviewing the security advisories issued by Cisco for each CVE to identify the patch release and any considerations that may apply in order to apply the patches successfully.

Are there indicators of compromise (IoC)?

Cisco has published detailed IoC information across its advisories and Talos blog posts. The indicators include:

• Log evidence: Check /var/log/auth.log for "Accepted publickey for vmanage-admin" entries from unknown or unauthorized IP addresses
• Control connection anomalies: Run show control connections detail or show control connections-history detail and look for connections with state:up and challenge-ack: 0, which may indicate unauthorized peering
• Post-compromise artifacts: Unauthorized SSH keys in /home/vmanage-admin/.ssh/authorized_keys/, PermitRootLogin enabled in /etc/ssh/sshd_config, unexplained software downgrades followed by reboots

Full IoC lists including C2 server IPs, malware file hashes, and attacker source IPs are available in the Cisco Talos blog.

Has Tenable Research classified these vulnerabilities as part of Vulnerability Watch?

Yes. CVE-2026-20182, CVE-2026-20127, CVE-2026-20128, and CVE-2026-20122 have been classified as Vulnerabilities of Interest under Vulnerability Watch due to confirmed active exploitation and the availability of public proof-of-concept code. Tenable has been tracking this cluster of vulnerabilities since the original disclosure in February 2026, with watches re-established as exploitation escalated in March and again in May 2026 when CVE-2026-20182 was disclosed.

Has Tenable released product coverage?

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2026-20182, CVE-2026-20127, CVE-2026-20133, CVE-2026-20128, CVE-2026-20122, and CVE-2022-20775. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Cisco Catalyst SD-WAN devices by using the following query: Document Title contains Cisco Catalyst SD-WAN.

• Cisco Security Advisory: cisco-sa-sdwan-rpa2-v69WY2SW
• Cisco Talos: SD-WAN Ongoing Exploitation
• Cisco Talos: UAT-8616 SD-WAN Campaign
• Tenable blog: CVE-2026-20127: Cisco Catalyst SD-WAN Controller/Manager Zero-Day Authentication Bypass Vulnerability Exploited in the Wild

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Tenable Hexa AI eliminates “zombie” cloud infrastructure, helping you reduce risk and make a “killing” on cost reduction.

1. As AI accelerates cloud growth, zombie cloud assets multiply in your environment. You need agentic AI to prevent a cloud zombie apocalypse.
2. Cloud assets no longer in production may seem harmless, but they expand your attack surface and can elevate your organization’s cyber risk.
3. Every zombie asset is a line item. When cloud security reduces costs, it stops being a hard conversation and becomes a welcome budget meeting.
4. Tenable Hexa AI acts as an agentic "zombie hunter" that finds and eliminates forgotten cloud assets, shrinking the attack surface and reducing costs and boosting cloud infrastructure security.

Picture the scene from “Monty Python and the Holy Grail”: a plague-ravaged village, a cart rolling through the mud, and a lone collector bellowing, "Bring out your dead!" Bodies piling up. Costs mounting. Nobody quite sure how it got this bad.

Your cloud environment isn't so different.

In the race to maintain engineering velocity, cloud environments have quietly become a sprawling graveyard for forgotten resources. We call them zombie assets: unused, unmanaged resources that just... sit there. Not alive. Not dead. Just lingering. Accruing cost. Expanding your attack surface. And waiting for an attacker patient enough to notice nobody's watching.

According to Tenable Research, 49% of cloud infrastructure currently sits idle and untracked, with neglected resources going unpatched for six months or longer. In addition to being budget leaks, these unused cloud assets are vulnerability goldmines for attackers. Here's the twist though: every zombie asset you kill puts money in your pocket.

So let's go hunting with Tenable Hexa AI.

Software engineering speed is the goal. It always has been. But it comes at a cost that rarely shows up in sprint reviews. Organizations are deploying ephemeral resources (containers, serverless

functions, virtual machines) faster than they're retiring them. They get spun up for a sprint, a test, a proof of concept, and then quietly abandoned when the next priority arrives. This is how the zombie assets pile up: With a forgotten checkbox and a billing cycle that keeps running.

Knowing zombie assets are out there is one thing. Finding them across AWS, Azure, and Google Cloud Platform (GCP) is another. This is where Tenable Hexa AI transforms the game from periodic audits to a continuous, active bounty-hunting operation. This isn’t a chatbot! Tenable Hexa AI is an agentic AI engine built into the Tenable One platform that moves organizations from conversation to execution by automatically performing complex security tasks. It leverages the Tenable Exposure Data Fabric to interpret user intent and deliver finished results.

With one click from anywhere in the Tenable One Cloud Exposure interface, you open Tenable Hexa AI. From there, you describe what you're after in plain language, and Tenable Hexa AI does something most AI tools don't: it automatically builds the query for you inside the “Explorer”, Tenable's unified data model query tool. You can see exactly what it constructed, manipulate it, refine it, and save it as a standing policy your team can run again and again. Your query history is preserved, your investigations are traceable, and when your organization is ready, those findings can trigger automations you've approved and trust.

Think of it this way: Tenable Hexa AI is the zombie hunter. Explorer is the map that shows you where the zombies are. And the query it builds? That's your standing order to be on a continuous hunt.

Let's walk through what that looks like in practice, step by step, or watch our guided demo.
 

The scene: You decommission a server. The team celebrates shipping the new version. But the public IP that pointed at that server? It's still out there, still associated with your DNS records and security whitelists, attached to nothing, watched by no one. We call these dangling IPs. They're the cloud equivalent of leaving your company's official stationery and a set of master keys on a park bench. Someone will find them. And they won't call you when they do.

How Tenable Hexa AI finds them: You tell Tenable Hexa AI what you're looking for in plain language, and it automagically builds an Explorer query that finds every AWS Elastic IP, Azure Public IP, or GCP External IP with no network interface, no running instance, and no attached resource to justify its existence. The logic is visible, editable, and ready to save as policy the moment you've confirmed the results. What you get back is a complete list of open doors in your environment that nobody is standing behind.

The bounty: Each unneeded Elastic IP costs roughly $3.60S/month. Across a large, fast-moving environment, orphaned IPs silently drain thousands annually for infrastructure that's actively making you less secure.

The scene: A load balancer without a listener is a high-tech security gate with no guard and no intercom. It's physically there. It's on your bill. But it isn't directing traffic, isn't protecting anything, and isn't being monitored, which means it's muddying your security audits while quietly running up a tab. It seems safe because it isn't active. That's exactly what makes it dangerous. Assumptions of safety are how the dead multiply.

How Tenable Hexa AI finds them: Describe the scenario and Tenable Hexa AI builds an Explorer query that sweeps every load balancer across your environment for a single condition: no listener attached. A load balancer listener is the configuration that tells the balancer what to do with incoming traffic. No listener means no purpose. The query Tenable Hexa AI constructs is immediately reviewable, so your team can validate the logic, adjust thresholds if needed, and lock it in as a standing policy that flags every ghost gate going forward.

The bounty: In AWS, an application load balancer without a listener runs $15 to $20/month. Find a hundred across your accounts and you've just recovered $20,000 in annual spend, with zero security value lost in the process.

The scene: Think of an orphaned compute instance like a house that was temporarily closed up after a renovation. The utilities are still on, the locks haven't been changed, and the last occupant left in a hurry. Nobody lives there. Nobody checks on it. But the bills keep coming, and anyone who tries the door finds it easier to get into than the house next door.

Stopped virtual machines account for a large portion of unpatched workloads across typical organizations, frozen at whatever vulnerability state they were in when someone hit "stop.” If an attacker breaches one, they inherit the IAM role or service account attached to it. Since nobody is logging in, nobody notices.

How Tenable Hexa AI finds them: Tell Tenable Hexa AI you want stopped instances that have been idle beyond a set threshold and still have volumes attached. It builds the Explorer query with the right filters already in place: stop time thresholds (90 days for AWS EC2, as few as seven days for Azure deallocated machines), state conditions, and volume attachment status. Your team can review the query, tune those parameters to match your environment's specific retention standards, and save it as a policy that runs continuously. The machine isn't just idle; it's sitting on data, and now you know exactly which ones.

The bounty: A stopped instance still accrues Amazon Elastic Block Store (EBS) storage charges. A fleet of abandoned instances, common in organizations scaling fast, can represent significant and immediately recoverable spend before you've even addressed the security exposure.

The scene: A snapshot is meant to be a time capsule, a point-in-time backup you can restorefrom if something goes wrong. But most organizations have thousands of snapshots that are\years old, attached to nothing, and serving no documented recovery purpose. It's like owning amassive storage unit filled with boxes you haven't opened in five years. You're paying rent onjunk. And some of those boxes might contain hazardous materials.

In the cloud, snapshots are the hidden cost leader and one of the most overlooked sources of data exfiltration risk. Old snapshots often contain configuration files, credentials, and customer data from systems that no longer exist in their current form.

How Tenable Hexa AI finds them: Describe your retention concern and Tenable Hexa AI builds an Explorer query that surfaces every snapshot older than your specified threshold across AWS EBS, Azure, and GCP Compute simultaneously. The results come back organized and actionable.

Once your team reviews the query and confirms it aligns with your backup retention policy, save it. From that point forward, it's a standing policy: anything older than your threshold that isn't tied to a legal hold gets flagged automatically. It is no longer a useful asset but rather a liability with a storage invoice.

The bounty: Snapshot costs compound silently. Organizations running their first real cleanup pass frequently discover tens of thousands of dollars in recoverable spend, sometimes more, from snapshots alone.

The scene: This is the one that should keep your security team up at night. An unattached volume is a disk full of real data that’s no longer in the radar of any of your security tools. Because it isn't "live" (not attached to a running OS), your EDR and antivirus are blind to it. No monitoring. No alerts. No tripwires.

An attacker with basic storage permissions doesn't need to breach your running servers. They can snapshot the unattached volume, export it to their own account, mount it in their] environment, and browse your configuration files, API keys, and customer records at their leisure. No alerts fired. No logs written on your side. No noise.

How Tenable Hexa AI finds them: Tenable Hexa AI builds an Explorer query that maps every storage volume with no running instance attached to it. Across AWS that means EBS volumes with no EC2 instance. In Azure, Managed Disks with no Virtual Machine. In GCP, Compute Disks with no VM instance. Review the query, confirm the logic, and save it as policy. What you're left with is a continuously maintained inventory of every unmonitored data blob in your environment, surfaced before an attacker finds it first. The reality is poignant; if a volume isn’t attached to a live operating system, your EDR can’t hunt that.

The bounty: Unattached EBS volumes run $0.08 to $0.10 per GB/month. A single forgotten 1TB database volume costs nearly $100/month to store. The financial case writes itself. The security case is even more urgent.

The scene: A Kubernetes cluster without nodes is a management layer with nothing to manage. It's like building a fully staffed air traffic control tower for an airport with no runways. The infrastructure exists. The overhead exists. The attack surface exists. The planes do not. It seems dormant, and therefore safe. But that's precisely the assumption that lets these resources accumulate unnoticed: each one a cost center and a compliance headache waiting to be discovered by the wrong person first.

How Tenable Hexa AI finds them: Tenable Hexa AI constructs an Explorer query built around absence: every cluster with no node group and no hosted virtual machines. For AWS EKS and GCP GKE alike, the query surfaces every empty control plane in your environment. Review it, tune it to your standards, and save it as a policy. Clusters that were stood up, never fully provisioned, and never cleaned up are no longer invisible. The context makes the risk visible in a way a raw inventory list never could.

The bounty: An empty EKS control plane carries a flat cluster fee of roughly $73/month before a single workload runs on it. In environments scaling fast across multiple teams, these accumulate quietly. A handful of abandoned clusters found and removed can represent meaningful recovered spend before you’ve even counted the security benefits. 

Here's where it gets good. Everything we just walked you through — five categories of zombie assets, spanning orphaned IPs,

idle load balancers, stale snapshots, unattached volumes, and detached network interfaces — we ran against a real AWS environment. We didn’t have to stitch together five separate searches after a week-long audit. All it took was one conversation with Tenable Hexa AI.

The cart came back very full!

In a single pass, Tenable Hexa AI surfaced 1,658 orphaned resources across the environment — an estimated monthly waste of $2,400 to more than $4,000. 

Worth noting, these findings and analysis are from a Tenable demo environment. A controlled, relatively small footprint whose primary purpose is showing customers how Tenable works. It isn’t a sprawling enterprise cloud built up over years of product launches, team reorganizations, departed engineers, and shifting infrastructure strategies.

Now imagine your environment. The resources spun up for a project that got cancelled in 2021 The test instances a team left running when they were absorbed into another org. The snapshots from a compliance audit that nobody remembered to retire. The load balancers from an architecture that was deprecated two product generations ago. Still quietly billing every month because nobody thought to look. Years of organizational memory loss, encoded in your cloud bill and your attack surface simultaneously.

The dead accumulate in real environments in ways a demo can only hint at. The cart Tenable Hexa AI fills in your environment won’t look like this one. It will almost certainly be much more bloated. 

This is more than a one-time cleanup: every query Tenable Hexa AI built is saved, reviewable, and running a standing policy now. The next time a zombie asset tries to quietly take up residence in your environment, the next asset physically labeled, “delete me”, that never gets deleted, the next load balancer someone spins up for a test in 2026 still billing… it doesn’t get six months. It gets hunted, and marked for a proper burial. 

One conversation. One cleaner, tighter, safer cloud environment. And a number you can actually take to the CFO.

Bring out your dead… and make them pay on the way out.

This hunt for zombie assets is part of our ongoing series where we showcase how Tenable Hexa AI handles the high-impact security tasks that traditionally break manual workflows. Identifying forgotten infrastructure is a major win for cloud security, but Tenable Hexa AI’s ability to bridge the gap between intelligence and action goes even further.

If you’re interested in seeing how Tenable Hexa AI tackles other critical challenges, check out our previous deep dives:

• Neutralize supply chain threats: See how Tenable Hexa AI correlates third-party software components with your internal assets to stop threats, like supply chain attacks, in its tracks.
• Orchestrate automated patching: Learn how to beat the "Mythos clock" by using custom agents to deploy patches the moment a vulnerability is validated.
• Automate remediation assignment: Discover how to match CVEs to their specific asset owners in seconds, getting the right fix to the right person without the manual spreadsheet shuffle.

Each of these use cases demonstrates how moving from conversation to execution can fundamentally change your security posture.

Ready to clean up your cloud graveyard? Discover how Tenable Hexa AI transforms exposure intelligence into machine-speed risk reduction. Learn more here.

A new Linux kernel local privilege escalation exploit with a public proof-of-concept targets the same subsystem as Dirty Frag but requires a separate patch.

1. CVE-2026-46300 (Fragnesia) is the latest high severity local privilege escalation vulnerability in the Linux kernel, following the disclosure of both Dirty Frag and Copy Fail.
2. A public proof-of-concept is available and the exploit has been confirmed working on Ubuntu systems, though no in-the-wild exploitation has been reported.
3. A kernel patch was released on May 13; the existing Dirty Frag patches do not address this flaw, though the module blacklist mitigation protects against both.

Tenable's Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding Fragnesia, a new Linux kernel local privilege escalation vulnerability.

When was Fragnesia first disclosed?

On May 13, William Bowling of V12 Security publicly disclosed Fragnesia alongside a proof-of-concept exploit and a corresponding kernel patch. CVE-2026-46300 was assigned the same day.

What is Fragnesia?

Fragnesia is a local privilege escalation vulnerability in the Linux kernel's XFRM ESP-in-TCP subsystem. The name references how the socket buffer (skb) "forgets" that a frag is shared during coalescing. Specifically, when the kernel coalesces socket buffer fragments via skb_try_coalesce(), it fails to propagate the SKBFL_SHARED_FRAG flag that marks certain pages as shared with other subsystems. Without that flag, the kernel treats those file-cache-backed pages as safe to write.

How does Fragnesia relate to Dirty Frag?

Fragnesia belongs to the same vulnerability class as Dirty Frag (CVE-2026-43284/CVE-2026-43500) in that both achieve page-cache writes through the XFRM/ESP subsystem. However, they are distinct vulnerabilities:

The existing kernel patches for Dirty Frag do not fix Fragnesia. A separate patch is required.

How severe is Fragnesia?

Any local user on a system running a vulnerable kernel can exploit Fragnesia to gain root access. The exploit does not rely on a race condition. The technique uses user and network namespaces (enabled by default on most distributions) to obtain CAP_NET_ADMIN without requiring elevated host privileges.

The public PoC targets /usr/bin/su, modifying it in the page cache to grant root on execution. The on-disk binary is never changed, and a reboot or cache flush restores normal behavior. The technique is not limited to a single binary: any file readable by the attacker is a viable target, including [redacted].

Which Linux distributions are affected?

Fragnesia affects the same kernel versions as Dirty Frag. Any distribution shipping a kernel without the May 13 patch is vulnerable. The vulnerability was confirmed working on Ubuntu 6.8.0-111-generic (April 11, 2026 build) running on a Linode VPS.

Affected distributions include:

Amazon Linux is not affected as it does not ship the espintcp module. CloudLinux 7 is also unaffected.

As of May 14, Ubuntu's patch status remains "needs evaluation" across all releases. CloudLinux has patches in testing for CL9/CL10 and a KernelCare livepatch in validation.

Is there a proof-of-concept (PoC) available?

Yes. A public PoC was released on GitHub alongside the disclosure.

Are patches or mitigations available?

A kernel patch was submitted to the netdev mailing list on May 13. The fix ensures skb_try_coalesce() propagates the SKBFL_SHARED_FRAG marker, preventing in-place decryption of shared page-cache fragments.

AlmaLinux has released patched kernels for all supported releases:

For systems where an immediate kernel update is not feasible, the same module blacklist mitigation used for Dirty Frag is effective:

Organizations that applied this mitigation for Dirty Frag are already protected against Fragnesia. Organizations that applied only the kernel patches for Dirty Frag without the module blacklist are not protected and need the new patch.

Historical exploitation of Linux kernel vulnerabilities

The Linux kernel has been a recurring target for privilege escalation attacks. CISA's Known Exploited Vulnerabilities catalog contains entries for several Linux kernel flaws:

Copy Fail (CVE-2026-31431) was added to the KEV catalog on May 1. CVE-2026-46300 (Fragnesia) is not currently in the KEV catalog.

Tenable published an FAQ blog on Dirty Frag and Copy Fail, both of which are Linux kernel privilege escalation vulnerabilities disclosed in 2026.

Has Tenable released any product coverage for this vulnerability?

A list of Tenable plugins for this vulnerability can be found on the CVE-2026-46300 page as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

• Fragnesia PoC and Technical Details (V12 Security)
• Kernel Patch (netdev mailing list)
• oss-security Discussion
• Dirty Frag FAQ (Tenable Blog)
• Copy Fail FAQ (Tenable Blog)

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Find out how data center operators can protect critical building-management systems and cyber-physical infrastructure from AI-powered threats, as well as comply with evolving regulations.

1. Data centers have evolved from simple storage hubs into critical national infrastructure and the "brains" of the modern enterprise, directly impacting global economic stability and national security.
    
2. Protection of critical infrastructure requires strict virtual and physical micro-segmentation to prevent AI-powered threats from moving laterally between legacy building systems and the broader data center network.
    
3. Data center security teams must navigate a high-stakes conflict between maintaining "five nines" availability and the urgent need to patch vulnerabilities, while pivoting focus toward securing the data pipelines and identities that autonomous agents depend on.

Data centers have undergone a radical transformation. They are no longer just passive warehouses used for storing customer data or hosting cloud backups. Today, they represent the autonomous engine rooms that power the global digital supply chain. Because these facilities process some of the world's most sensitive data and processes, the definition of data center security has evolved to become a matter of global economic stability.

As we enter the era of agentic AI — where AI systems don’t just summarize data but actually execute business decisions — data centers have become the brain of the modern enterprise. This shift is causing governments and regulators to take notice. For example, in late 2024, the U.K. government officially designated data centers as critical national infrastructure (CNI), putting them on the same level of importance as water, energy, and emergency services. This move reflects a global trend: major data center outages and security breaches put massive capital expenditures at risk, with some data center campus investments exceeding $15 billion or more, and present significant national security concerns.

However, to power the most advanced AI, we are relying on physical infrastructure — cooling and power systems, UPS systems, and power grids — that often runs on 20-year-old operational technology (OT) devices never designed for the modern threat landscape. Furthermore, while true physical air gaps — protected by hardware like one-way data diodes — remain a gold standard for high-security facilities, the rise of cloud-managed xIoT (extended internet of things) devices has introduced significant connectivity risks. In data center environments where isolation is often perceived rather than physically absolute, the lack of a true air gap means isolated networks can be inadvertently bridged, leaving data centers and downstream enterprise processes exposed.

To secure the modern data center, asset owners and operators must balance two competing priorities that are increasingly at odds in the AI era:

1. Maintaining “five nines” availability amidst a rapid patch cycle: Operators must keep the facility running with 99.999% uptime to keep AI clusters and servers online and available while managing a vulnerability landscape that is moving faster than ever before. In an era of AI-driven exploits, the pressure to “patch everything, everywhere, all at once” is immense. However, for data center security, the risk of a patching error causing an adverse outcome or unplanned downtime can be higher than the probability of a successful exploit.
2. Securing AI access and dependent systems: For most enterprises, AI security isn't about protecting the model weights or the LLM hardware itself — which often resides in a provider's cloud — but rather securing the gateways and data pipelines. This means protecting the sensitive training and retrieval-augmented generation (RAG) data stored within your data center and ensuring the identity-based network communication pathways that allow autonomous agents to interact with that data are ironclad.

While data theft remains a massive industry, we are seeing a shift in the motive of sophisticated attackers, particularly state-sponsored actors and hacktivists. To understand this shift, we have to look at the relationship between the “bytes” and the “bricks.”

In the age of agentic AI, security teams are facing a tsunami of bytes — an exponential spike in legitimate customer and employee connections that makes traditional network traffic monitoring nearly impossible. In this flood of data, it is becoming increasingly difficult to distinguish between a stealthy attacker performing reconnaissance from the millions of active, automated AI and customer sessions being processed every second.

The goal of today’s threat actors isn’t always to steal information; it’s to use this digital noise as cover to disrupt physical processes and trigger widespread outages. In other words, they hide in the bytes to target the bricks: the physical infrastructure of the modern data center. If an attacker can disable a cooling system, for example, the resulting heat may force a high-value AI cluster to shut down to prevent a hardware meltdown. This operational denial causes immediate financial chaos, triggers massive SLA penalties, and halts business operations more effectively than any traditional data breach.

Your AI data center infrastructure is only secure if you have full visibility into the control systems connected to the 15-year-old cooling system in the mechanical gallery.

Risk often starts with the supply chain. A breach of a third-party vendor’s maintenance portal or of an engineering workstation in the data center can lead to a pivot into the process control layer. By manipulating cyber-physical systems (OT/IoT), such as HVAC controls or other building management systems (BMS), a threat actor may be able to trigger automated safety shutdowns or unplanned downtime. This may result in SLA penalties and costly downstream impact.

To build strategic resilience, asset owners and operators must look beyond the IT perimeter and address the three distinct layers of data center risk:

• OT/ICS: Many cooling and power systems run on legacy protocols (like BACnet or Modbus) designed decades ago without security in mind. Many of these systems lack basic encryption and authentication. As these systems are connected to the cloud for remote access and to ensure centralized governance and compliance with environmental sustainability mandates, these connections create new entry points for attackers.
• xIoT: Smart devices (e.g., climate sensors, IP cameras, badge access) represent the hidden majority of assets inside the modern data center. According to a survey by the SANS Institute, more than half of organizations lack specialized monitoring for these assets. Because xIoT devices sit outside the standard IT inventory, they become invisible entry points that are easy targets for cyber-compromise if left unmanaged.
• Non-human identities: The risk to data centers goes beyond people and includes the devices and agents they deploy. Tenable research shows that 52% of organizations possess non-human identities (e.g., AI agents and connected sensors) with critical excessive permissions, outpacing the risk associated with human users. This creates an extended attack surface that is increasingly difficult for security teams to manage.
• AI gateways: While cloud providers secure the underlying LLM infrastructure, the enterprise is responsible for the server housing and data paths. This layer includes the RAG data sets that give AI its context and the identity-driven gateways that connect your corporate environment to the cloud. If an attacker manipulates the RAG input or compromises an AI gateway, they don't need to compromise the LLM to weaponize it against your organization.

The “build fast and fix it later” approach to AI is hitting a regulatory wall. Recent mandates such as the EU Digital Operational Resilience Act (DORA) and the UK Cyber Security and Resilience Bill now require organizations to prove they have continuous, real-time monitoring of their entire infrastructure. Compliance is moving away from annual “check-the-box” audits toward firm requirements for proof of posture — requiring operators to proactively monitor exposures impacting every asset across their network–federated identities, IT, OT, web apps, cloud containers, and everything in between.

To stay ahead of AI-powered threats and meet new regulatory requirements, operators are adopting holistic exposure management to unify visibility across identity, IT, OT, and AI domains.

Security teams can no longer rely on legacy scanners. Because you cannot patch faster without risking critical downtime, you must patch smarter. To stay ahead of AI-powered threats and align with new and evolving regulatory requirements, operators are adopting holistic exposure management to secure data center assets at the speed of AI by correlating exposure across identity, cloud, OT/IoT, and AI domains. 

Here are the core pillars of a modern data center security strategy:

• Secure internet-exposed assets: True security starts with a complete, ground-truth inventory of the entire estate. This means identifying every asset — from internet-exposed management apps (DCIMs) to legacy OT/IoT devices — without risking the uptime of sensitive systems and operations. Tenable recommends that organizations adopt a hybrid approach to asset discovery that blends passive monitoring of network traffic, safe active query using native OT protocols, and agent-based discovery.
• Anticipate likely attack paths: Attackers don’t think in silos; they look for the path of least resistance. A robust strategy involves mapping how a vulnerability in a third-party vendor portal could allow a lateral pivot into your process control layer. By visualizing these attack chains, you can break the link before an intruder ever reaches your crown jewels.
• Prioritize real risk, not just vulnerabilities: In a data center with thousands of connected devices, trying to patch everything or implement hardware-intensive passive monitoring solutions across every site is a losing battle and incomplete approach. Security teams should focus on the 1.6% of vulnerabilities that actually sit on a path to your most critical systems by going beyond basic vulnerability management and risk scoring to correlate exposure across security domains with business criticality and full context.
• Secure the identity perimeter and prevent lateral movement: Identity has become the most vulnerable entry point for IT/OT environments. Protecting data centers requires continuous monitoring of Active Directory and cloud permissions to ensure that a compromised credential in the enterprise IT network cannot be used to escalate privileges and move laterally to disrupt data center operations. Tenable solutions help security teams identify risky entitlements and misconfigurations to enforce strict zero-trust architectures and implement proactive security measures, such as rule-based alerts, micro-segmentation and policy monitoring.
• Monitor third-party vendor risk: Data centers rely on a web of third-party technicians and remote maintenance. Holistic exposure management means establishing clear rulesets and real-time alerts for vendor-managed systems, allowing you to detect unauthorized remote access and mitigate cyber risk you don't directly control.
• Streamline data center security compliance and governance: Streamline reporting and monitoring for regulatory and compliance frameworks like SOC 2, PCI DSS, ISO 27001, NIS2, HIPAA, and NERC-CIP with built-in dashboards and reporting tools for relevant compliance frameworks and industry standards.

As organizations continue to scale data center infrastructure to meet rapidly accelerating AI and cloud compute demands, OT/IoT security must be treated as a foundational component of data center operations. Whether you are managing a data center expansion or conversion, or breaking ground on a multi-billion-dollar campus, having a right-sized exposure management strategy in place helps ensure your data center investments are secure from the threats of tomorrow.

Request a demo to find out more about how Tenable helps data center operators secure critical national infrastructure and building facility environments.

• Explore Tenable solutions for data center security
• Explore Tenable solutions for compliance frameworks and industry standards
• Five steps to become Mythos ready

1. 16Critical
2. 102Important
3. 0Moderate
4. 0Low

Microsoft addresses 118 CVEs in its May 2026 Patch Tuesday release, with no zero-days exploited in the wild or publicly disclosed for the first time since June 2024.

Microsoft patched 118 CVEs in its May 2026 Patch Tuesday release, with 16 rated critical and 102 rated as important. Our counts omitted CVE-2025-54518, an AMD CPU OP Cache Corruption vulnerability issued by AMD.

This month’s update includes patches for:

• .NET
• ASP.NET Core
• Azure AI Foundry M365 published agents
• Azure Cloud Shell
• Azure Connected Machine Agent
• Azure DevOps
• Azure Entra ID
• Azure Logic Apps
• Azure Machine Learning
• Azure Managed Instance for Apache Cassandra
• Azure Monitor Agent
• Azure Notification Service
• Azure SDK
• Copilot Chat (Microsoft Edge)
• Data Deduplication
• Dynamics Business Central
• GitHub Copilot and Visual Studio
• M365 Copilot
• M365 Copilot for Desktop
• Microsoft Data Formulator
• Microsoft Dynamics 365 (on-premises)
• Microsoft Dynamics 365 Customer Insights
• Microsoft Edge (Chromium-based)
• Microsoft Edge for Android
• Microsoft Office
• Microsoft Office Click-To-Run
• Microsoft Office Excel
• Microsoft Office PowerPoint
• Microsoft Office SharePoint
• Microsoft Office Word
• Microsoft Partner Center
• Microsoft SSO Plugin for Jira & Confluence
• Microsoft Teams
• Microsoft Windows DNS
• Power Automate
• SQL Server
• Telnet Client
• Visual Studio Code
• Windows Admin Center
• Windows Ancillary Function Driver for WinSock
• Windows Application Identity (AppID) Subsystem
• Windows Cloud Files Mini Filter Driver
• Windows Common Log File System Driver
• Windows Cryptographic Services
• Windows DWM Core Library
• Windows Event Logging Service
• Windows Filtering Platform (WFP)
• Windows GDI
• Windows Hyper-V
• Windows Internet Key Exchange (IKE) Protocol
• Windows Kernel
• Windows Kernel-Mode Drivers
• Windows LDAP - Lightweight Directory Access Protocol
• Windows Link-Layer Discovery Protocol (LLDP)
• Windows Message Queuing
• Windows Native WiFi Miniport Driver
• Windows Netlogon
• Windows Print Spooler Components
• Windows Projected File System
• Windows Remote Desktop
• Windows Rich Text Edit
• Windows Rich Text Edit Control
• Windows SMB Client
• Windows Secure Boot
• Windows Storage Spaces Controller
• Windows Storport Miniport Driver
• Windows TCP/IP
• Windows Telephony Service
• Windows Volume Manager Extension Driver
• Windows Win32K - GRFX
• Windows Win32K - ICOMP

Elevation of Privilege (EoP) vulnerabilities accounted for 48.3% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 24.6%.

CVE-2026-41103 is an elevation of privilege vulnerability affecting Microsoft Single-Sign-On (SSO) Plugin for Jira & Confluence. It was assigned a CVSSv3 score of 9.1 and is rated as critical. It was assessed as "Exploitation More Likely" according to Microsoft's Exploitability Index. An unauthorized attacker could exploit this vulnerability during the process of logging in by sending a specially crafted response message. Successful exploitation would allow the attacker to sign-in using a forged identity without Microsoft Entra ID authentication, enabling access to or allowing an attacker to modify data in Jira and Confluence. However, the accessible information is not unfettered, as it is limited by the access defined by the targeted servers for the authorized user.

CVE-2026-33841, CVE-2026-35420 and CVE-2026-40369 are EoP vulnerabilities affecting the Windows Kernel. Each of the flaws have been assigned CVSSv3 scores of 7.8 and rated as important. Both CVE-2026-33841 and CVE-2026-40369 were assessed as "Exploitation More Likely," which could be abused by a local attacker to elevate to SYSTEM or Medium/High integrity level in the case of CVE-2026-33841. Including these three EoPs, there have been 13 disclosed Windows Kernel EoP vulnerabilities addressed so far in 2026.

CVE-2026-40361, CVE-2026-40364, CVE-2026-40366 and CVE-2026-40367 RCE vulnerabilities affecting Microsoft Word. Each of these RCEs were assigned CVSSv3 scores of 8.4 and rated as critical, though CVE-2026-40361 and CVE-2026-40364 were the only ones assessed to be “Exploitation More Likely.” An attacker could exploit these flaws through social engineering by sending the malicious file to an intended target. Successful exploitation would grant code execution privileges to the attacker. Additionally, Microsoft notes that the Preview Pane is an attack vector for each of these vulnerabilities.

CVE-2026-41089 is a RCE vulnerability affecting Windows Netlogon, a Windows Server process used for authentication within a domain. It was assigned a CVSSv3 score of 9.8 and rated as critical. A remote, unauthenticated attacker could exploit this flaw by sending a crafted network request to a Windows server running as a domain controller. This packet could exploit a stack-based buffer overflow flaw, allowing the attacker to execute code on an affected system. Despite the critical severity and near perfect CVSSv3 score, this flaw was assessed by Microsoft as “Exploitation Less Likely.”

A list of all the plugins released for Microsoft’s May 2026 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

• Microsoft's May 2026 Security Updates
• Tenable plugins for Microsoft May 2026 Patch Tuesday Security Updates

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.