
CISO Signals Radar

Weekly Intelligence Report — May 25, 2026

Last Updated: May 31, 2026, 9:00 AM (Manila Time)

6 Signals

Executive Snapshot

Main Signals (≥80): 5
Secondary Watch (65-79): 1
Total Signals: 6
What Matters Most This Week
  • Charter/Spectrum breach: ShinyHunters published 13M customer records exfiltrated from Charter's Salesforce instance via vishing of an Entra account — Salesforce vishing is the 2026 enterprise pattern (7-Eleven, Panera, ADT)
  • NGINX Rift (CVE-2026-42945): heap RCE in ngx_http_rewrite_module present since 2008 — single crafted HTTP request, unauthenticated, worker process RCE
  • CISA KEV May 1: CVE-2026-31431 Linux kernel root LPE — federal remediation deadline May 15, treat as enterprise priority
  • CISA KEV mid-May: Microsoft Defender 'UnDefend' (CVE-2026-45498) DoS creates a blind-spot window for ransomware deployment

Signals Overview

Columns: Rank, Category, Headline, Sources, Score, Urgency, Action

1. Data Breach | Score 92 | Urgency: Critical
   Charter/Spectrum Breach: 13M Customer Records Leaked via Salesforce Vishing (ShinyHunters)
   Sources: Techlicious, Cybernews
   Action: CISO: rotate Salesforce SSO/Entra credentials, enforce phishing-resistant MFA on all admin accounts, audit Salesforce data exports in last 90 days — IAM and SOC, 7 days

2. Vulnerabilities/CVE | Score 90 | Urgency: Critical
   NGINX 'Rift' CVE-2026-42945: Unauthenticated Heap RCE in ngx_http_rewrite_module (Present Since 2008)
   Sources: Security Boulevard
   Action: CISO: emergency-patch all NGINX edge instances, audit WAF logs for crafted rewrite requests, isolate any unpatched edge nodes — network/platform team, 48 hours

3. Vulnerabilities/CVE | Score 85 | Urgency: Critical
   CISA KEV May 1: CVE-2026-31431 Linux Kernel 'Copy Fail' Local Root Privilege Escalation
   Sources: CISA, The Hacker News
   Action: CISO: roll the upstream kernel patch across Linux fleet, prioritize internet-facing and shared-tenant hosts — Infra team, federal deadline mirror May 15

4. Vulnerabilities/CVE | Score 84 | Urgency: Critical
   CISA KEV: Microsoft Defender 'UnDefend' CVE-2026-45498 DoS Creates Ransomware Blind-Spot Window
   Sources: CISA, Carthage Electronics CVE Tracker
   Action: CISO: deploy May 2026 Defender update, validate EDR fall-back posture, run tabletop on Defender outage scenario — SOC and endpoint team, 7 days

5. Vulnerabilities/CVE | Score 81 | Urgency: High
   Microsoft SharePoint CVE-2026-45659: Authenticated Deserialization RCE Patched May 26
   Sources: Help Net Security
   Action: CISO/IT Ops: apply May 2026 SharePoint cumulative update across on-prem and hybrid, audit recent uploads — IT operations, 14 days

6. Compliance/Regulation | Score 72 | Urgency: Medium
   Colorado SB 26-189 Signed May 14 — AI Act Replaced with Disclosure Framework, Effective Jan 1 2027
   Sources: Consumer Finance Monitor, Hunton AK
   Action: CISO/Privacy: refresh Colorado AI compliance plan, remove risk-management program work, plan disclosure controls — privacy/legal team, 60 days

Deep Dive: All Signals

Charter/Spectrum Breach: 13M Customer Records Leaked via Salesforce Vishing (ShinyHunters)
Score: 92 | Category: Data Breach | Date: 2026-05-27

Summary

ShinyHunters published at least 13M Charter customer records after Charter refused a ransom with a May 27 deadline. Initial access was a voice-phishing attack on an employee Microsoft Entra account, used to export consumer and business customer records from Charter's Salesforce instance. The same actor has hit Panera (5M+), Canvas, Aura (~1M), ADT (5.5M), Zara (197k) and 7-Eleven (600k) in 2026.

Impact on Retail/CPG

CPG and retail enterprises run their consumer data, trade promo and B2B account records inside Salesforce. The repeated vishing → Entra → Salesforce export pattern is now the dominant exfiltration path for the sector and must be treated as a board-level material risk.

Recommended Actions

  • Enforce phishing-resistant MFA (FIDO2/Passkeys) on every Salesforce admin and integration user — IAM team, 14 days
  • Conditional Access policy blocking high-risk sign-ins for Salesforce SAML/OIDC apps — IAM, 7 days
  • Run vishing simulation against helpdesk and Salesforce admin populations — SOC, 30 days
  • Audit Salesforce bulk-export and Data Loader activity for the last 90 days — DLP/SOC, immediate

Risks

  • ShinyHunters retains data leverage even after public leak — secondary extortion risk
  • Salesforce as a single data concentration point amplifies impact across loyalty, trade and B2B data sets
NGINX 'Rift' CVE-2026-42945: Unauthenticated Heap RCE in ngx_http_rewrite_module (Present Since 2008)
Score: 90 | Category: Vulnerabilities/CVE | Date: 2026-05-13

Summary

CVE-2026-42945, dubbed 'NGINX Rift,' is a heap buffer overflow in ngx_http_rewrite_module present in every NGINX build since 2008. A single crafted HTTP request from an unauthenticated attacker overwrites the heap and yields remote code execution in the worker process.

Impact on Retail/CPG

NGINX runs CPG and retail web storefronts, customer APIs and ingress traffic for many e-commerce and B2B portals. Unauthenticated worker-process RCE on the edge is a direct path to consumer PII, payment tokenization brokers, and inventory APIs.

Recommended Actions

  • Inventory every NGINX edge node and apply vendor patch immediately — platform engineering, 48 hours
  • Add specific WAF detection for the published exploit signature — SOC/AppSec, immediate
  • Restrict rewrite-module use behind authenticated paths where feasible — application platform team
  • Review ingress NGINX in Kubernetes clusters serving retail digital surfaces — DevSecOps

Risks

  • 17-year exposure means many forks and embedded distributions exist — patch coverage will lag
  • Edge compromise enables pivot into payment and identity flows
CISA KEV May 1: CVE-2026-31431 Linux Kernel 'Copy Fail' Local Root Privilege Escalation
Score: 85 | Category: Vulnerabilities/CVE | Date: 2026-05-01

Summary

CVE-2026-31431 is an actively-exploited Linux kernel 'Incorrect Resource Transfer Between Spheres' flaw enabling an unprivileged local user to obtain root. CISA added it to the KEV catalog on May 1 with a mandatory remediation deadline of May 15, 2026.

Impact on Retail/CPG

Linux hosts power CPG e-commerce, demand-planning, manufacturing edge and POS back-end stacks. Local root LPE is the standard escalation step for any web-shell or supply-chain implant, including in retail Kubernetes nodes.

Recommended Actions

  • Schedule emergency patch window across Linux production fleet — Infra/SRE, 7 days
  • Force rotation of long-lived service-account credentials on patched hosts — IAM
  • Enable eBPF-based runtime detection for kernel exploit indicators — SOC/EDR team
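Both the NGINX signal above ("inventory every NGINX edge node") and this kernel signal ("emergency patch window across Linux production fleet", internet-facing and shared-tenant hosts first) reduce to the same triage step: compare a version inventory against the fixed version and order the gaps by exposure. The script below is an added example for this briefing, not NGINX, kernel.org or any distro's tooling. The inventory rows and the fixed-version table are both constructed for the demo, because the report does not state the fixed NGINX or kernel versions; replace DEMO_FIXED_VERSIONS with the values from the vendor advisories before using it. It also handles the caveat that bites kernel rollouts: distro kernels backport fixes, so a `5.15.0-113-generic` host must be compared with its distro's fixed package build, never with the upstream version, and the script refuses to guess when no per-distro entry exists.

```python
"""Triage a version inventory against fixed versions, highest exposure first.

Added example; not NGINX, kernel.org or any distro tooling. The inventory rows
AND the fixed-version table are CONSTRUCTED for the demo: the page does not
give the fixed NGINX or kernel versions, so replace DEMO_FIXED_VERSIONS with
the values from the vendor advisories before running this against a real fleet.
Distro kernels backport fixes, so they are keyed per distro and compared on the
distro build number; a distro host without a per-distro entry is an error, not
a silent comparison against the upstream version.
"""
import re

# major.minor[.patch][-build]; a leading product prefix such as "nginx/" is ignored.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?")

# Lower rank = patch first (ordering taken from the signal's recommended actions).
EXPOSURE_RANK = {"internet-facing": 0, "shared-tenant": 1, "internal": 2}

# CONSTRUCTED demo values, NOT the real fix levels for either CVE.
DEMO_FIXED_VERSIONS = {
    "nginx": "1.27.5",
    "linux-kernel": "6.8.12",                   # upstream / rolling-release kernels
    "linux-kernel/ubuntu-22.04": "5.15.0-120",  # distro package builds, per distro
    "linux-kernel/debian-12": "6.1.0-25",
}

# Constructed inventory, as collected from `nginx -v` and `uname -r`.
SAMPLE_INVENTORY = [
    {"host": "edge-01", "product": "nginx", "version": "nginx/1.24.0", "exposure": "internet-facing"},
    {"host": "edge-02", "product": "nginx", "version": "nginx/1.27.5", "exposure": "internet-facing"},
    {"host": "k8s-ingress-01", "product": "nginx", "version": "nginx/1.25.3", "exposure": "shared-tenant"},
    {"host": "app-11", "product": "linux-kernel", "version": "5.15.0-113-generic", "distro": "ubuntu-22.04", "exposure": "internal"},
    {"host": "web-07", "product": "linux-kernel", "version": "6.1.0-21-amd64", "distro": "debian-12", "exposure": "internet-facing"},
    {"host": "pos-db-03", "product": "linux-kernel", "version": "6.8.12-arch1", "exposure": "internal"},
]


def parse_version(text):
    """Return (major, minor, patch, build) for '1.24.0', 'nginx/1.25.3' or '5.15.0-113-generic'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def triage(inventory, fixed=DEMO_FIXED_VERSIONS):
    """Return the unpatched hosts, most exposed first, each annotated with the target version."""
    unpatched = []
    for host in inventory:
        key = host["product"]
        if host.get("distro"):
            key = f"{key}/{host['distro']}"   # distro kernels: compare to the distro build
        fixed_str = fixed.get(key)
        if fixed_str is None:
            raise KeyError(f"no fixed version known for {key}; add it rather than comparing to upstream")
        if parse_version(host["version"]) < parse_version(fixed_str):
            unpatched.append({**host, "fixed": fixed_str})
    unpatched.sort(key=lambda h: (EXPOSURE_RANK.get(h["exposure"], 9), h["host"]))
    return unpatched


if __name__ == "__main__":
    for h in triage(SAMPLE_INVENTORY):
        print(f"{h['exposure']:15} {h['host']:15} {h['version']} -> needs {h['fixed']}")
```

On the constructed inventory the two internet-facing gaps (an old NGINX edge and a Debian kernel behind its distro build) come out first, the Kubernetes ingress node second and the internal Ubuntu host last; the rolling-release host at exactly the demo fixed version is not listed. The ordering is the staged rollout the Risks section asks for: patch the exposed nodes now, schedule the POS and SCM nodes with an availability window.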

Risks

  • Kernel patches on production POS and SCM nodes carry availability risk — needs staged rollout
  • Container runtimes sharing kernel inherit the exposure — multi-tenant nodes are higher priority
CISA KEV: Microsoft Defender 'UnDefend' CVE-2026-45498 DoS Creates Ransomware Blind-Spot Window
Score: 84 | Category: Vulnerabilities/CVE | Date: 2026-05-20

Summary

CISA added Microsoft Defender vulnerabilities CVE-2026-41091 (EoP) and CVE-2026-45498 ('UnDefend' DoS) to the KEV on May 20. UnDefend can be triggered remotely with no credentials, crashing or destabilizing Defender and creating a blind-spot window during which attackers can deploy ransomware, exfiltrate data, or move laterally without detection.

Impact on Retail/CPG

Retail and CPG endpoint estates (store associates, DC workforce, head office) are heavily Microsoft Defender-dependent. A reliable AV/EDR DoS is the missing primitive for a ransomware actor with initial access to run an undetected payload.

Recommended Actions

  • Push May 2026 Defender platform/security intelligence updates across endpoints — endpoint management, 7 days
  • Enable tamper protection and verify cloud-delivered protection signals — endpoint security
  • Add Defender process-health telemetry to SOC alerting — SOC engineering
  • Tabletop: 'Defender silently disabled at 8 sites for 4 hours' — IR team, 30 days
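The "Defender process-health telemetry" action and the tabletop scenario above need the same thing: a way to turn per-endpoint status into a host-level alert and, when enough hosts at one site go dark together, a site-level one. The script below is an added example for this briefing, not Microsoft's tooling. It assumes a collector (not shown) has run Get-MpComputerStatus on each endpoint and exported the properties AMServiceEnabled, RealTimeProtectionEnabled, IsTamperProtected and AntivirusSignatureAge; the host-to-site map, the thresholds and the sample reports are constructed. One deliberate failure-mode choice: a host that is expected but sends no report is treated as unhealthy, because a crashed Defender may stop reporting instead of reporting "disabled".

```python
"""Turn per-host Defender status into host-level and site-level alerts.

Added example, not Microsoft's tooling. It assumes a collector (not shown)
ran Get-MpComputerStatus on each endpoint and exported AMServiceEnabled,
RealTimeProtectionEnabled, IsTamperProtected and AntivirusSignatureAge per
host. The host/site map, thresholds and SAMPLE_REPORTS are CONSTRUCTED.
"""
from collections import defaultdict

SIG_MAX_AGE_DAYS = 3            # constructed threshold for stale signatures
SITE_ESCALATION_FRACTION = 0.5  # escalate a site once half its hosts are blind

# Constructed expected fleet: host -> site.
EXPECTED_HOSTS = {
    "store-101-pos1": "store-101",
    "store-101-pos2": "store-101",
    "store-102-pos1": "store-102",
    "store-102-pos2": "store-102",
    "store-102-pos3": "store-102",
    "hq-ws-01": "hq",
}

# Constructed status reports keyed by host. store-101-pos2 never reported.
SAMPLE_REPORTS = {
    "store-101-pos1": {"AMServiceEnabled": False, "RealTimeProtectionEnabled": True,
                       "IsTamperProtected": True, "AntivirusSignatureAge": 1},
    "store-102-pos1": {"AMServiceEnabled": True, "RealTimeProtectionEnabled": True,
                       "IsTamperProtected": True, "AntivirusSignatureAge": 0},
    "store-102-pos2": {"AMServiceEnabled": True, "RealTimeProtectionEnabled": True,
                       "IsTamperProtected": True, "AntivirusSignatureAge": 7},
    "store-102-pos3": {"AMServiceEnabled": True, "RealTimeProtectionEnabled": True,
                       "IsTamperProtected": True, "AntivirusSignatureAge": 1},
    "hq-ws-01": {"AMServiceEnabled": True, "RealTimeProtectionEnabled": True,
                 "IsTamperProtected": True, "AntivirusSignatureAge": 0},
}


def host_problems(status):
    """List the reasons a single host's Defender posture is not acceptable (empty = healthy)."""
    problems = []
    if not status.get("AMServiceEnabled"):
        problems.append("AMServiceEnabled=False")
    if not status.get("RealTimeProtectionEnabled"):
        problems.append("RealTimeProtectionEnabled=False")
    if not status.get("IsTamperProtected"):
        problems.append("IsTamperProtected=False")
    age = status.get("AntivirusSignatureAge")
    if age is None or age > SIG_MAX_AGE_DAYS:
        problems.append(f"AntivirusSignatureAge={age} (> {SIG_MAX_AGE_DAYS} days)")
    return problems


def assess_fleet(expected=EXPECTED_HOSTS, reports=SAMPLE_REPORTS):
    """Return {'hosts': {host: [problems]}, 'sites': [sites to escalate]}."""
    per_site_total = defaultdict(int)
    per_site_bad = defaultdict(list)
    bad_hosts = {}
    for host, site in expected.items():
        per_site_total[site] += 1
        report = reports.get(host)
        # Missing report counts as blind: a crashed Defender may stop reporting.
        problems = ["no status report received"] if report is None else host_problems(report)
        if problems:
            bad_hosts[host] = problems
            per_site_bad[site].append(host)
    escalated = sorted(
        site for site, total in per_site_total.items()
        if len(per_site_bad[site]) / total >= SITE_ESCALATION_FRACTION
    )
    return {"hosts": bad_hosts, "sites": escalated}


if __name__ == "__main__":
    result = assess_fleet()
    for host, problems in result["hosts"].items():
        print(host, "->", "; ".join(problems))
    print("site-level blind spots:", result["sites"])
```

With the constructed data three hosts are unhealthy, but only store-101 is escalated: both of its POS hosts are blind at once (one with the AM service off, one silent), which is the "Defender silently disabled at a site" scenario the tabletop rehearses. Store-102 has a single stale-signature host and stays a host-level ticket. Keeping the site aggregation separate from the per-host checks is what lets the SOC distinguish an outage from routine signature drift.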

Risks

  • Existing IR playbooks may not include EDR-down detection paths
  • Endpoint visibility loss disproportionately affects retail store environments with no on-site IT
Microsoft SharePoint CVE-2026-45659: Authenticated Deserialization RCE Patched May 26
Score: 81 | Category: Vulnerabilities/CVE | Date: 2026-05-26

Summary

CVE-2026-45659 is a high-severity SharePoint Server deserialization-of-untrusted-data flaw patched by Microsoft on May 26, 2026. Authenticated exploitation enables remote code execution against vulnerable SharePoint instances.

Impact on Retail/CPG

SharePoint hosts trade-spend agreements, supplier contracts and product formulation documents at most CPG enterprises. Authenticated RCE is reachable through any compromised vendor or low-trust internal account — a common scenario in CPG supplier portals.

Recommended Actions

  • Apply May 2026 SharePoint CU across on-prem and hybrid farms — IT operations, 14 days
  • Reduce supplier-facing SharePoint privileges and disable upload to deserialization-prone libraries — collaboration team
  • Audit IIS and ULS logs for anomalous /_layouts payloads in last 30 days — SOC
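The log-audit action above pairs naturally with the supplier-portal risk: the accounts most likely to be compromised are the external ones, so the first cut of an IIS review is "which external identities sent POST requests to /_layouts/ in the last 30 days, and did any of them produce server errors". The script below is an added example for this briefing, not Microsoft's or the author's tooling. The log excerpt and the list of external accounts are constructed (the upload.aspx and listform.aspx paths are only sample paths, not indicators tied to the CVE); the parser reads the W3C `#Fields:` header, so it works on any IIS field selection that includes the columns it uses.

```python
"""Audit IIS W3C logs for /_layouts requests from external (supplier) accounts.

Added example, not Microsoft's or the report author's tooling. The log lines
are CONSTRUCTED (the .aspx paths are sample paths, not indicators tied to the
CVE) and EXTERNAL_ACCOUNTS is an assumed list of supplier-portal identities.
"""
from datetime import date, timedelta

# Constructed IIS log excerpt in W3C extended format.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2026-05-20 08:01:12 GET /sites/suppliers/Shared%20Documents/Forms/AllItems.aspx - CORP\\vendor.acme 203.0.113.10 200
2026-05-21 22:14:03 POST /_layouts/15/upload.aspx List=SupplierDocs CORP\\vendor.acme 203.0.113.10 200
2026-05-22 09:30:00 POST /_layouts/15/upload.aspx - CORP\\jdoe 10.0.0.15 200
2026-05-23 01:05:44 POST /_layouts/15/listform.aspx - CORP\\vendor.globex 198.51.100.7 500
2026-04-01 10:00:00 POST /_layouts/15/upload.aspx - CORP\\vendor.acme 203.0.113.10 200
"""

# Assumed supplier-portal identities (constructed).
EXTERNAL_ACCOUNTS = {"CORP\\vendor.acme", "CORP\\vendor.globex"}

AS_OF = date(2026, 5, 31)   # report date, used as the end of the 30-day window


def parse_w3c(text):
    """Yield one dict per log entry, using the column names from the '#Fields:' directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue                      # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log entry before any #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue                      # malformed line: skip rather than misalign columns
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def audit_layouts(text, external=EXTERNAL_ACCOUNTS, as_of=AS_OF, window_days=30):
    """Return findings for /_layouts requests by external accounts inside the window."""
    cutoff = as_of - timedelta(days=window_days)
    findings = []
    for entry in parse_w3c(text):
        if date.fromisoformat(entry["date"]) < cutoff:
            continue
        stem = entry["cs-uri-stem"] or ""
        if not stem.lower().startswith("/_layouts/"):
            continue
        user = entry["cs-username"]
        if user not in external:
            continue
        reasons = []
        if entry["cs-method"] == "POST":
            reasons.append("external account POST to /_layouts/")
        if entry["sc-status"] and entry["sc-status"].startswith("5"):
            reasons.append(f"server error {entry['sc-status']}")
        if reasons:
            findings.append({"date": entry["date"], "time": entry["time"], "user": user,
                             "client": entry["c-ip"], "path": stem, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_layouts(SAMPLE_IIS_LOG):
        print(f["date"], f["time"], f["user"], f["client"], f["path"], "|", "; ".join(f["reasons"]))
```

On the constructed excerpt two entries come back: the supplier upload from May 21 and the May 23 POST that ended in a 500, which gets a second reason. The internal user's POST and the April entry outside the window are not reported. The 5xx check is deliberately separate from the external-account check so that a burst of server errors on /_layouts/ can be promoted to its own alert later without rewriting the parser.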

Risks

  • On-prem SharePoint patch velocity lags SharePoint Online materially
  • Supplier-facing portals create persistent external authentication paths
Colorado SB 26-189 Signed May 14 — AI Act Replaced with Disclosure Framework, Effective Jan 1 2027
Score: 72 | Category: Compliance/Regulation | Date: 2026-05-14

Summary

Governor Polis signed SB 26-189 on May 14, 2026, repealing SB 24-205 and replacing it with a disclosure-and-rights framework focused on automated decision-making technology, effective January 1, 2027. The reset eliminates the EU-style duty of care, the deployer risk-management program, and the impact-assessment and AG reporting obligations. Enforcement sits exclusively with the Colorado Attorney General under the Colorado Consumer Protection Act.

Impact on Retail/CPG

CPG and retail enterprises building Colorado AI Act risk-management programs can pause that workstream and pivot to disclosure tooling and consumer rights workflows. Resource savings should redirect to EU AI Act high-risk obligations now delayed to 2027.

Recommended Actions

  • Update AI compliance roadmap to retire duplicated risk-management work — privacy/legal, 60 days
  • Stand up ADMT disclosure template and consumer-rights intake workflow — privacy ops, by Q4 2026
  • Align EU AI Act and Colorado disclosure stack onto a single control set — privacy engineering

Risks

  • Other US states may revert to the EU model — keep risk-management capability in reserve
  • Disclosure-only regime still carries CCPA-style enforcement risk through state AG

Watchlist

Upcoming events, hearings, earnings & renewals
Columns: Date, Event, Relevance
  • 2026-06-10: CISA KEV federal remediation deadline for May 20 batch. Relevance: Defender, Langflow and Trend Micro Apex One deadlines arrive — align enterprise patch SLA to federal pace
  • 2026-08-02: EU AI Act high-risk obligations application date. Relevance: Post May 7 political agreement, high-risk obligations may be delayed to 2027 — track final text closely
  • 2026-06-09: Microsoft June 2026 Patch Tuesday. Relevance: Watch for follow-on Defender, Exchange and SharePoint hardening following May 2026 KEV activity

Diff vs Last Week

New (6)
  • Charter/Spectrum Breach: 13M records, Salesforce vishing (score 92)
  • NGINX Rift CVE-2026-42945 (score 90)
  • Linux Kernel CVE-2026-31431 (KEV May 1) (score 85)
  • Microsoft Defender 'UnDefend' CVE-2026-45498 (score 84)
  • SharePoint CVE-2026-45659 deserialization RCE (score 81)
  • Colorado SB 26-189 AI Act repeal-and-replace (score 72)
Resolved (3)
  • Cisco SD-WAN CVE-2026-20133 (April KEV — patched window closed)
  • JetBrains TeamCity CVE-2026-33825 (April KEV — patched window closed)
  • SharePoint CVE-2026-32201 (April KEV — superseded by CVE-2026-45659)

Foundations

Evergreen briefings from Sunil's Second Brain — free subscriber access.

Concept: Shadow AI
The new variant of Shadow IT: employees adopting AI tools / building AI agents without central IT approval. Three sources in this wiki agree it's an inevitable byproduct of AI tooling becoming consumer-grade an
Tags: shadow-ai, governance, ciso, enterprise-ai, agent-sprawl

Concept: Zombie AI Agent
An agent spun up for a project (often a proof-of-concept), still running and authenticated long after the project ended, holding API keys and access nobody is monitoring anymore. Coined by Martin Keen in
Tags: agents, security, governance, shadow-ai, sprawl

Concept: AWARE Framework
A technical control structure for governing AI agents at enterprise scale. Developed by Glean's Work AI Institute in collaboration with Databricks and Palo Alto Networks. Per Ben Mayrides (CISO at Cvent),
Tags: aware, governance, framework, enterprise-ai, ciso

Concept: Capabilities vs Instructions (Agent Keys)
Nate Herk (AI Automation)'s sharpest safety principle: instructions are not the same as capabilities. Picture every tool the agent has as a key on a key ring. There's a world of
Tags: agents, agent-risk, security, governance, permissions

Concept: Human in the Loop
The pattern of keeping a human approval/review step inside an agentic workflow. Default operating model in 2026 enterprise AI per all three CXOTalk sources in this wiki. When humans should stay in the l
Tags: human-in-the-loop, governance, autonomy, agents

Concept: Recursive Self-Improvement
The hypothesis that a sufficiently capable AI system can iteratively improve its own design — write better versions of itself, refine its own training process, or evolve its agentic scaffolding
Tags: recursive-self-improvement, ai-safety, alignment, godel-machine, meta-agent
