May 2026 Cybersecurity Roundup: Pharma, Social Engineering, and Critical CVEs

The May 2026 Cybersecurity Roundup covers a month where attackers targeted pharmaceutical supply chains, municipal finances, retail franchise networks, and advanced electronics manufacturing. The victims differed significantly in sector and geography, but the underlying patterns were consistent: ransomware operators, financially motivated groups, and state-linked actors all pursued access to trusted systems — and found it.

What stands out in May’s incidents is not technical sophistication but impact. A pharmaceutical components manufacturer, a European automotive brand, a mid-sized American city, a South Korean technology firm, and a global retail chain — all disrupted or compromised through methods that exploit systemic weaknesses rather than novel attack techniques. May also brought five critical CVEs across core enterprise platforms, several of which were actively exploited before patches were available.


Cyberattacks in May 2026

West Pharmaceutical Services

In mid-May, West Pharmaceutical Services confirmed a ransomware attack that forced it to shut down parts of its IT infrastructure, disrupting operations across its global manufacturing environment. Attackers both encrypted systems and exfiltrated data, triggering operational delays while recovery efforts were underway. An SEC 8-K filing confirmed that portions of the company’s network had to be taken offline.

West Pharmaceutical produces critical components used in injectable drugs and biologics — meaning disruption here carries downstream implications for pharmaceutical production. Even short-term outages can ripple into delayed drug manufacturing timelines, supply chain bottlenecks, and contractual and regulatory knock-on effects. The company, headquartered in Pennsylvania and in operation since 1923, is a significant node in global drug delivery infrastructure.

Škoda Auto

In early May 2026, Škoda Auto disclosed a breach affecting its online shop customers after attackers exploited a vulnerability in a third-party e-commerce component. The compromised data included names, addresses, emails, phone numbers, order and account data, and hashed credentials. No payment data was exposed.

What attackers gained here is arguably more operationally useful than card numbers. This is high-context customer data — grounded in real purchase history and account activity. With this dataset, attackers can run highly targeted phishing campaigns referencing real purchases, fake delivery or order confirmation messages tied to actual transactions, and credential harvesting attacks that feel legitimate because they reference genuine orders and accounts. Traditional phishing relies on volume. This kind of data allows attackers to operate with higher credibility and significantly higher success probability.

City of Aurora, Illinois

The City of Aurora, Illinois lost approximately $1.1 million from city bank accounts after an employee was targeted in a phone-based scam. The attacker impersonated a legitimate contact and convinced the employee to take actions that enabled unauthorised transfers from municipal financial accounts.

This incident highlights a persistent gap in security awareness programmes. Most training focuses on recognising suspicious emails or links. It is far less effective at preparing staff for high-pressure, real-time voice interactions where the attacker sounds credible, the request fits within normal duties, and hesitation carries its own perceived risk. Social engineering via voice remains one of the most reliable and underdefended attack vectors in both public and private sector environments.

South Korean Electronics Manufacturer

An Iranian state-linked group commonly tracked as Seedworm — also known as MuddyWater — was observed targeting an unnamed South Korean electronics manufacturer in a campaign focused on long-term access and data exfiltration. The operation relied on DLL sideloading using legitimate, signed software: by placing a malicious DLL alongside a trusted executable, the attackers were able to execute code without triggering many traditional security controls. Data was then exfiltrated using legitimate file transfer tools, allowing activity to blend into normal operations.

South Korea is a critical supplier of advanced technology, semiconductors, and electronics, and increasingly intertwined with Western supply chains. The Iranian targeting of a South Korean technology manufacturer is another example of how modern geopolitical conflicts play out in cyberspace — with commercial technology firms in allied countries becoming targets because they sit at the intersection of intellectual property, strategic supply chains, and economic influence.

7-Eleven

Towards the end of the month, 7-Eleven disclosed a breach affecting individuals connected to its franchise operations, with data later appearing in listings associated with the ShinyHunters group. The breach reportedly occurred in April but only came to light in May 2026. The exposed dataset included names, addresses, and other undisclosed data elements.

7-Eleven operates as a highly distributed retail network — approximately 13,000 US stores and around 85,000 locations worldwide — spanning point-of-sale environments, supplier and logistics systems, and franchise management platforms. That creates a very particular attack surface. The attribution to ShinyHunters is significant: this group consistently focuses on data acquisition and monetisation rather than disruption. Their model relies on identifying large, structured datasets, extracting them quickly, and monetising through sale, exposure, or follow-on exploitation. In retail, that model works particularly well because the data holds immediate value for phishing, identity fraud, and account takeover across reused credentials.


Key CVEs in May 2026

May’s critical vulnerabilities were concentrated across core Microsoft infrastructure and widely deployed enterprise platforms — several already under active exploitation.

  • Azure DevOps (CVE-2026-42826) — CVSS 10: A critical remote code execution vulnerability allowing attackers to execute arbitrary code on Azure DevOps Server instances via crafted requests. Azure DevOps sits at the heart of modern software delivery pipelines. Exploitation here can expose source code, inject malicious builds, or tamper with release processes — turning a single compromise into trusted distribution of malicious code across downstream environments.
  • Netlogon (CVE-2026-41089): A remote code execution vulnerability in the Netlogon protocol allowing attackers to execute code on domain controllers under certain conditions. Netlogon underpins Windows domain authentication. A flaw here targets the mechanism that establishes trust across an entire network — enabling domain-wide compromise and instant privilege escalation across identity infrastructure rather than incremental lateral movement.
  • Microsoft SSO Plugin for Jira (CVE-2026-41103): An authentication bypass vulnerability in a Microsoft SSO plugin for Jira, potentially allowing attackers to gain unauthorised access to Jira instances. Jira often contains high-value operational data — tickets, vulnerabilities, internal discussions, and sometimes credentials or API references. When SSO breaks, the trust boundary collapses, potentially handing attackers the organisational context needed to accelerate lateral movement and targeted attacks.
  • Microsoft Exchange Server (CVE-2026-42897): An actively exploited zero-day in Exchange Server allowing attackers to execute code or gain elevated access on vulnerable systems. Exchange remains one of the most targeted enterprise platforms, sitting at the intersection of identity, communication, and external exposure. Zero-days here are typically leveraged rapidly for initial access campaigns at scale — by both state and financially motivated actors — and serve as a reliable launchpad into the wider environment.
  • KnowledgeDeliver (CVE-2026-5426): A zero-day exploited in the wild to deploy web shells on vulnerable servers, enabling persistent remote access. Web shell deployment is less visible than ransomware, but often more strategically valuable — providing quiet, persistent control over web infrastructure that allows attackers to return, pivot, and exfiltrate data over extended periods.


Conclusion

The May 2026 Cybersecurity Roundup illustrates how varied the entry points and impacts can be within a single month. Ransomware disrupted a pharmaceutical manufacturer. A voice call emptied a city’s bank account. A third-party component exposed an automotive brand’s customer base. A state actor quietly embedded itself in a technology firm. A data broker group extracted franchise records from one of the world’s largest retail chains.

What connects these incidents is not the technique but the consequence: each exploited a gap that existed before the attacker arrived — in patch management, in supplier oversight, in awareness training, or in governance clarity.

DIESEC helps organisations identify and close those gaps through SOC-as-a-Service, targeted Phishing Simulations that address voice and email-based social engineering, and structured Penetration Testing across IT and OT environments.
Contact us to learn more.