    26 May 26

    May 2026 CVEs: Firewall RCEs & Exchange Zero-Days

    Posted by INE

    May 2026 delivered another aggressive wave of high-impact vulnerabilities, with attackers heavily targeting enterprise infrastructure, identity systems, and internet-facing services. This month’s disclosures included a critical Palo Alto firewall vulnerability under active exploitation, a Microsoft Exchange OWA zero-day added to CISA’s KEV catalog, and major risks affecting Azure DevOps, Android, and nginx environments.

    What makes May especially significant is the concentration of vulnerabilities impacting the technologies organizations rely on most for security, communication, and cloud operations. From perimeter firewalls and email systems to CI/CD pipelines and mobile devices, these flaws demonstrate how attackers continue to focus on high-value platforms capable of enabling broad compromise and lateral movement.

    Why May’s CVEs Matter

    • Security infrastructure itself is under attack: Firewall and reverse proxy vulnerabilities create direct paths into enterprise networks

    • Actively exploited enterprise flaws are increasing: Exchange and PAN-OS vulnerabilities were weaponized rapidly

    • Cloud and DevOps platforms remain high-value targets: Azure DevOps exposure raises serious software supply chain concerns

    • Mobile enterprise risk continues to grow: Android vulnerabilities increasingly impact corporate identity and MFA workflows

    • Legacy exposure remains dangerous: The nginx flaw reportedly persisted undetected for nearly 18 years

    Together, these vulnerabilities reinforce the growing importance of proactive patching, attack surface reduction, and visibility across hybrid enterprise environments.

    1. Palo Alto PAN-OS Unauthenticated Root RCE (CVE-2026-0300)

    Impact: Unauthenticated Root Remote Code Execution
    Severity: Critical (CVSS 9.3)
    Status: Actively exploited in the wild

    CVE-2026-0300 is one of the most serious enterprise infrastructure vulnerabilities disclosed in May 2026, affecting Palo Alto PAN-OS firewalls. The flaw exists within the User-ID Authentication Portal (Captive Portal) and allows attackers to execute arbitrary code remotely as root without authentication.

    Palo Alto linked exploitation activity to a suspected state-sponsored threat cluster identified as CL-STA-1132.

    Why it matters:

    • Targets internet-facing firewall infrastructure

    • Enables full perimeter compromise

    • Allows credential harvesting and lateral movement

    • Attackers can deploy tunneling tools and destroy logs

    • Security boundaries themselves become compromised

    Recommended Actions:

    • Patch affected PAN-OS systems immediately

    • Disable exposed captive portals if not required

    • Review logs for:

      • ReverseSocks5 activity

      • EarthWorm tunnels

      • suspicious nginx worker crashes

    • Monitor for unusual outbound traffic patterns
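    The log review above names three things to look for after a PAN-OS compromise: tunneling tools (ReverseSocks5, EarthWorm), nginx worker crashes, and unusual outbound traffic. The following script is an added example, not code from the original post or from Palo Alto, that runs those three checks over a handful of constructed log lines. The traffic-log layout (`TRAFFIC src= dst= dport= action=`), the hostnames, IPs and pids are all invented placeholders; only the nginx "worker process N exited on signal S" wording is the server's real log format.

```python
import re
from dataclasses import dataclass

# Post-exploitation tooling named in the advisory text, matched case-insensitively.
TUNNEL_TOOLS = re.compile(r"reversesocks5|earthworm", re.IGNORECASE)

# Real nginx error-log wording for a crashed worker:
#   "[alert] 2211#0: worker process 2290 exited on signal 11"
NGINX_WORKER_CRASH = re.compile(r"worker process \d+ exited on signal (\d+)")

# Hypothetical traffic-log shape used only for this example (not PAN-OS's real format):
#   "TRAFFIC src=<ip> dst=<ip> dport=<port> action=allow"
TRAFFIC = re.compile(r"TRAFFIC src=(\S+) dst=(\S+) dport=(\d+) action=allow")


@dataclass(frozen=True)
class Finding:
    category: str   # "tunnel-tool", "nginx-worker-crash" or "unexpected-outbound"
    line: str


def review_logs(lines, mgmt_ips, allowed_dsts):
    """Return one Finding per log line that matches a review criterion.

    mgmt_ips:     addresses of the firewall itself (its management plane)
    allowed_dsts: destinations the firewall is expected to talk to (updates, etc.)
    """
    findings = []
    for line in lines:
        if TUNNEL_TOOLS.search(line):
            findings.append(Finding("tunnel-tool", line))
        if NGINX_WORKER_CRASH.search(line):
            # Any signal-terminated worker on the captive-portal web server is
            # worth a look; signal 11 (SIGSEGV) is the classic memory-corruption symptom.
            findings.append(Finding("nginx-worker-crash", line))
        t = TRAFFIC.search(line)
        if t and t.group(1) in mgmt_ips and t.group(2) not in allowed_dsts:
            # The firewall itself opening a connection to an unknown host is
            # exactly the "unusual outbound traffic" the advisory points at.
            findings.append(Finding("unexpected-outbound", line))
    return findings


# Constructed sample lines; hosts, IPs and pids are placeholders, not real indicators.
SAMPLE_LOGS = [
    "May 26 10:01:02 fw01 nginx: [alert] 2211#0: worker process 2290 exited on signal 11",
    "May 26 10:01:05 fw01 audit: new process ReverseSocks5 (pid 3310) started by uid 0",
    "May 26 10:01:07 fw01 TRAFFIC src=192.0.2.1 dst=203.0.113.10 dport=443 action=allow",
    "May 26 10:02:00 fw01 TRAFFIC src=192.0.2.1 dst=198.51.100.5 dport=443 action=allow",
    "May 26 10:05:00 fw01 sshd: Accepted publickey for admin from 192.0.2.50",
    "May 26 10:06:00 fw01 audit: new process earthworm (pid 3312) started by uid 0",
]

MGMT_IPS = {"192.0.2.1"}          # the firewall's own management address (constructed)
ALLOWED_DSTS = {"198.51.100.5"}   # e.g. the vendor update server (constructed)


def review_sample():
    """Run the review over the constructed sample; returns four findings."""
    return review_logs(SAMPLE_LOGS, MGMT_IPS, ALLOWED_DSTS)


if __name__ == "__main__":
    for f in review_sample():
        print(f"[{f.category}] {f.line}")
```

    In practice the allowlist of destinations is the important tuning knob: a firewall's management plane should only ever reach a short, known set of update and logging hosts, so anything outside that set from those source addresses deserves a ticket rather than a filter.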

    2. Microsoft Exchange OWA XSS Zero-Day (CVE-2026-42897)

    Impact: Session Hijacking and Mailbox Compromise
    Severity: High/Critical operational impact
    Status: Actively exploited

    CVE-2026-42897 is a cross-site scripting (XSS) vulnerability affecting Microsoft Exchange Server Outlook Web Access (OWA). The flaw allows attackers to send specially crafted emails that execute malicious JavaScript when opened in OWA sessions.

    The vulnerability was rapidly added to CISA’s Known Exploited Vulnerabilities (KEV) catalog due to active exploitation activity.

    Why it matters:

    • Exchange remains a top enterprise attack target

    • Enables credential theft and mailbox compromise

    • Can facilitate phishing pivoting and persistence

    • Email remains a primary ransomware initial-access vector

    • Exploitation can spread rapidly across organizations

    Recommended Actions:

    • Enable Exchange Emergency Mitigation Service (EMS)

    • Restrict public OWA exposure where possible

    • Run Microsoft EOMT mitigation scripts

    • Monitor mailbox activity for anomalies

    • Review suspicious login and forwarding rule activity
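    The last two actions, watching mailbox activity and reviewing forwarding rules, are what catch a hijacked OWA session after the fact: an attacker with a victim's session typically adds an inbox rule that forwards or redirects mail outside the organisation, often with a blank-looking name and message deletion turned on. The script below is an added example, not Microsoft's code or the original post's, that reviews exported audit records for exactly that pattern. The record shape is modelled loosely on Exchange admin-audit entries (an `Operation`, a `UserId`, a `ClientIP` and a list of `Parameters`), the cmdlet and parameter names are real Exchange ones, and every user, domain and IP in the sample data is constructed.

```python
# Real Exchange cmdlets that can set up forwarding, and the real parameters that do it.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")


def _domain(address):
    """Return the lowercase domain of an SMTP address such as 'smtp:user@host', or None."""
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[-1].strip().strip('"').lower()


def find_external_forwarding(records, internal_domains):
    """Flag rule/mailbox changes that send mail to a domain the organisation does not own.

    Returns one dict per flagged record; severity is raised to 'high' when the rule
    also deletes the message, since that hides the forwarding from the mailbox owner.
    """
    flagged = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        targets = [params[k] for k in FORWARD_PARAMS if k in params]
        external = [t for t in targets if _domain(t) and _domain(t) not in internal_domains]
        if not external:
            continue
        deletes = params.get("DeleteMessage", "False").lower() == "true"
        flagged.append({
            "user": rec.get("UserId"),
            "operation": rec["Operation"],
            "client_ip": rec.get("ClientIP"),   # compare against the user's usual sign-in addresses
            "rule_name": params.get("Name"),
            "targets": external,
            "severity": "high" if deletes else "medium",
        })
    return flagged


INTERNAL_DOMAINS = {"example.com"}   # constructed: the organisation's own mail domains

# Constructed audit records; all users, domains and IPs are placeholders.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "mail.drop@external-example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Team folder"},
                    {"Name": "MoveToFolder", "Value": "Projects"}]},
    {"Operation": "Set-Mailbox", "UserId": "carol@example.com", "ClientIP": "198.51.100.21",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.backup@example.com"}]},
    {"Operation": "Set-InboxRule", "UserId": "dave@example.com", "ClientIP": "203.0.113.9",
     "Parameters": [{"Name": "RedirectTo", "Value": "archive@partner-example.org"}]},
]


def review_forwarding_sample():
    """Run the review over the constructed records; returns two flagged entries."""
    return find_external_forwarding(SAMPLE_RECORDS, INTERNAL_DOMAINS)


if __name__ == "__main__":
    for hit in review_forwarding_sample():
        print(f"{hit['severity']:6} {hit['user']} {hit['operation']} -> {hit['targets']} from {hit['client_ip']}")
```

    Carol's change is deliberately left unflagged because the target stays inside the organisation's own domain; whether internal forwarding also needs review depends on the environment, and it is a one-line change to the domain check. Bob's rule only moves mail between folders and is ignored entirely.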

    3. Azure DevOps Information Disclosure (CVE-2026-42826)

    Impact: Exposure of Secrets, Tokens, and Pipeline Data
    Severity: Critical (CVSS 10.0)
    Status: Patched in May 2026 Patch Tuesday

    CVE-2026-42826 is a critical information disclosure vulnerability affecting Azure DevOps. The flaw drew major attention due to its maximum CVSS score and the sensitive nature of DevOps environments.

    Azure DevOps systems frequently store deployment credentials, cloud secrets, CI/CD tokens, infrastructure configurations, and source code — making them highly valuable targets.

    Why it matters:

    • Potential exposure of sensitive cloud credentials

    • Increased software supply chain compromise risk

    • Could enable malicious CI/CD pipeline injections

    • May facilitate broader cloud environment takeover

    • Impacts a core enterprise DevOps platform

    Recommended Actions:

    • Patch affected systems immediately

    • Rotate potentially exposed tokens and secrets

    • Audit build pipelines for unauthorized modifications

    • Review access logs for abnormal retrieval activity

    • Validate least-privilege access policies

    4. Android System RCE (CVE-2026-0073)

    Impact: Remote Code Execution on Mobile Devices
    Severity: Critical
    Status: Included in Google May 2026 Android Security Bulletin

    CVE-2026-0073 affects the Android System component and allows remote code execution under certain conditions across Android 14, 15, and 16 devices.

    As mobile devices continue to serve as critical identity and access points for enterprise environments, Android vulnerabilities carry growing operational and security implications.

    Why it matters:

    • BYOD environments expand exposure

    • Mobile devices often store corporate credentials

    • MFA apps can become interception targets

    • Compromised devices can act as enterprise footholds

    • Enterprise mobile risk continues to increase

    Recommended Actions:

    • Enforce the May 2026 Android patch level

    • Block outdated devices through MDM policies

    • Require device compliance validation

    • Review mobile EDR and authentication alerts

    • Restrict access from non-compliant devices

    5. “NGINX Rift” Heap Buffer Overflow (CVE-2026-42945)

    Impact: Potential Remote Compromise of Web Infrastructure
    Severity: Critical
    Status: Newly disclosed; exploit-chain concerns growing

    CVE-2026-42945, dubbed “NGINX Rift,” is a heap buffer overflow vulnerability affecting nginx builds dating back to 2008. Researchers warned the flaw may be chainable with other Linux vulnerabilities to achieve stealthy root-level compromise.

    Because nginx powers a massive portion of modern web infrastructure, the disclosure immediately raised concerns across cloud-native environments.

    Why it matters:

    • Affects one of the world’s most deployed web servers

    • May enable stealthy persistence and root access

    • Creates potential reverse proxy takeover scenarios

    • Impacts Kubernetes ingress and cloud-native stacks

    • Long-standing flaws increase exposure uncertainty

    Recommended Actions:

    • Patch nginx deployments immediately once fixes are available

    • Review reverse proxy configurations and exposure

    • Monitor for suspicious memory and process activity

    • Audit Kubernetes ingress environments

    • Conduct forensic reviews for persistence indicators

    Final Thoughts

    May 2026 reinforced a growing trend in cybersecurity: attackers are increasingly targeting the platforms organizations trust most to secure, manage, and operate their environments. Firewalls, email infrastructure, DevOps pipelines, mobile devices, and reverse proxies all became focal points this month, demonstrating how a single exploited vulnerability can rapidly cascade into enterprise-wide compromise.

    The combination of actively exploited flaws, supply chain exposure, and internet-facing infrastructure risks highlights the need for organizations to prioritize:

    • Rapid patch management for critical systems

    • Visibility across cloud, mobile, and hybrid environments

    • Monitoring for exploitation activity and persistence

    • Strong segmentation and least-privilege access controls

    • Continuous validation of security infrastructure itself

    As threat actors continue to weaponize vulnerabilities faster than ever, organizations need defenders who can identify, prioritize, and respond to emerging threats in real time.

    👉 Train with INE to build hands-on cybersecurity expertise in vulnerability management, threat detection, cloud security, penetration testing, and incident response — helping your team stay prepared for today’s evolving threat landscape.

    © 2026 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.