Threat Intelligence Monthly Roundup · May 2026

May Roundup 2026: Threat Intelligence

Published June 1, 2026

May 2026 sustained the record ransomware pace established in April, with 748 publicly disclosed incidents, the second-highest monthly total ever recorded. The month was defined by an actively exploited, unauthenticated remote code execution zero-day in a widely deployed enterprise firewall and VPN platform, escalating Chinese state-sponsored intrusions targeting defense supply chains, and continued growth in AI-generated phishing. With CMMC Phase 2 enforcement now under six months away, compliance urgency across the Defense Industrial Base reached a new high.

Major Incidents

Snowflake Customer Data Exposure: 14 Additional Organizations Notified: Following its 2025 incident disclosures, Snowflake notified 14 additional enterprise customers in May 2026 that their environments had been accessed via compromised credentials originally stolen in 2025. The notification underscores a persistent risk in cloud data platforms: credential-based access does not expire on its own, and organizations that have not rotated all credentials following a vendor incident remain exposed indefinitely.

Change Healthcare: Second Wave of Notifications: UnitedHealth Group issued a second round of breach notifications in May confirming that data from the February 2024 Change Healthcare ransomware attack, originally estimated at 100 million records, had been shared more broadly than initially disclosed. Several defense-affiliated healthcare providers received notifications for the first time. Organizations holding both PHI and CUI should treat these as compound exposure events requiring parallel notification analysis under both HIPAA and DFARS 252.204-7012 (which carries a 72-hour reporting requirement of its own).

UK Ministry of Defence Contractor Supply Chain Compromise: A Tier 2 supplier to the UK Ministry of Defence confirmed a network intrusion in May that exposed technical specifications and procurement schedules for three active programs. While the incident occurred in the UK, CISA and NSA issued a joint advisory noting that adversary tradecraft observed in the intrusion (specifically, the use of legitimate remote management tools as persistence mechanisms) closely matched patterns seen in ongoing campaigns against U.S. defense contractors. DIB organizations using tools such as TeamViewer, AnyDesk, or ConnectWise ScreenConnect should inventory every installation of these tools, confirm each one is IT-approved and running from its managed install location, review session logs for unexpected remote connections, and revisit their remote access policies.
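The audit described above can be scripted against endpoint telemetry. The following is an added example, not code from the advisory or from any vendor: it consumes process-start records (the field shape is loosely modelled on Sysmon Event ID 1, but the events, host names, and the per-host allowlist here are constructed placeholders) and flags RMM binaries that are not approved for the host or that run from a user-writable directory, which is the usual sign of an attacker dropping a second, unmanaged copy of a legitimate tool.

```python
"""Hunt for remote-management (RMM) tools running outside approved use.

Added example; the events, hosts and allowlist below are constructed.
"""
import re
from dataclasses import dataclass

# Executable names (lower-case) of the RMM tools named in the advisory.
RMM_BINARIES = {
    "teamviewer.exe": "TeamViewer",
    "teamviewer_service.exe": "TeamViewer",
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "screenconnect.windowsclient.exe": "ConnectWise ScreenConnect",
}

# Hypothetical allowlist: which tool each host is permitted to run at all.
APPROVED = {
    "ws-eng-01": {"ConnectWise ScreenConnect"},
    "srv-fileshare": {"ConnectWise ScreenConnect"},
}

# A managed install lives under Program Files; a copy under a user profile
# was put there by whoever is logged in, not by the IT-managed installer.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I
)


@dataclass
class Finding:
    host: str
    tool: str
    image: str
    reason: str


def hunt(events):
    """Return one Finding per policy violation found in the process events."""
    findings = []
    for ev in events:
        image = ev["image"]
        name = image.rsplit("\\", 1)[-1].lower()
        tool = RMM_BINARIES.get(name)
        if tool is None:
            continue  # not an RMM binary we track
        host = ev["host"]
        if tool not in APPROVED.get(host, set()):
            findings.append(Finding(host, tool, image, "tool not approved for host"))
        if USER_WRITABLE.match(image):
            findings.append(Finding(host, tool, image, "running from user-writable path"))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-eng-01",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "user": "NT AUTHORITY\\SYSTEM"},
    {"host": "ws-eng-01",
     "image": r"C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe",
     "user": "CORP\\jdoe"},
    {"host": "srv-fileshare",
     "image": r"C:\Users\svc_backup\Downloads\TeamViewer.exe",
     "user": "CORP\\svc_backup"},
    {"host": "ws-eng-02",
     "image": r"C:\Windows\System32\svchost.exe",
     "user": "NT AUTHORITY\\SYSTEM"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}: {f.tool} ({f.reason}) -> {f.image}")
```

On the sample, the approved ScreenConnect service on ws-eng-01 is silent, while the AnyDesk copy under a user profile and the TeamViewer binary in a service account's Downloads folder each produce two findings. In production, feed the same function from your EDR or SIEM export and add the tool's outbound session logs as a second source, since a tool that is installed but never connects is a different risk from one that is connecting nightly.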

Palo Alto Networks PAN-OS Firewall Zero-Day Exploited in the Wild: A critical zero-day in PAN-OS (CVE-2026-3392, CVSS 9.3) was actively exploited before Palo Alto issued an emergency patch on May 14. The vulnerability allowed unauthenticated remote code execution on the management interface of GlobalProtect gateway devices. CISA added it to the KEV catalog with a May 21 remediation deadline. Any organization using Palo Alto GlobalProtect for remote access (common in DIB environments) should verify that the May 14 patch has been applied and audit management interface exposure.

Critical Vulnerabilities

CVE-2026-3392 (Palo Alto PAN-OS GlobalProtect - CVSS 9.3): As noted above, this zero-day was the most urgent remediation item of the month. Management interfaces exposed to the internet were the primary attack vector. Organizations should restrict management interface access to trusted IP ranges (or a dedicated management network) as a standing hardening control, not only as a stopgap while unpatched: the next management-plane flaw will arrive before the next maintenance window.

CVE-2026-28282 (Ivanti Endpoint Manager - CVSS 9.1): Ivanti disclosed a critical deserialization vulnerability in Endpoint Manager that allows unauthenticated remote code execution. Given Ivanti's history of exploitation, including the Ivanti Connect Secure zero-days of 2024 and 2025, CISA issued a dedicated advisory recommending immediate patching and a full threat hunt on affected systems regardless of patch status. Organizations should assume compromise and complete forensic review before patching and returning EPM servers to service, since patching first destroys evidence and leaves any implant the attacker already placed in operation.

Microsoft May Patch Tuesday: 147 CVEs: Microsoft's May update addressed 147 vulnerabilities including three confirmed in-the-wild exploits: CVE-2026-30190 (Windows MSHTML remote code execution via malicious Office documents), CVE-2026-26925 (Active Directory Certificate Services privilege escalation), and CVE-2026-32531 (Windows Print Spooler remote code execution). The AD Certificate Services flaw is particularly relevant for DIB organizations that use ADCS for certificate-based authentication; exploitation can result in full domain compromise.

CISA KEV Additions: May 7 and May 19: The May 7 batch added vulnerabilities in Trimble Cityworks (CVE-2025-0994, a deserialization flaw actively exploited against municipal and utility targets), Adobe ColdFusion (CVE-2026-24094), and F5 BIG-IP (CVE-2026-20130). The May 19 batch added the Ivanti EPM flaw above along with vulnerabilities in Commvault Command Center (CVE-2025-34028, a path traversal leading to unauthenticated remote code execution) and GeoServer (CVE-2024-36401). The Commvault flaw is particularly notable: backup infrastructure is a high-value target because ransomware groups consistently attack backup systems first to prevent recovery.
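KEV batches only help if they are matched against what you actually run, with the catalog's due dates driving the patch queue. The following is an added example, not code from CISA or from this roundup. CISA publishes the catalog as JSON (known_exploited_vulnerabilities.json on cisa.gov), and the field names used here (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) are that feed's; the catalog excerpt, the due dates, and the asset inventory are constructed placeholders, so fetch the live feed rather than trusting these values.

```python
"""Cross-reference an asset inventory against the CISA KEV catalog.

Added example. Catalog excerpt and inventory below are constructed;
the dates are placeholders, not CISA's actual due dates.
"""
import json
from datetime import date

# Constructed excerpt in the feed's shape (three of the CVEs named above).
KEV_JSON = json.dumps({
    "catalogVersion": "sample",
    "vulnerabilities": [
        {"cveID": "CVE-2025-34028", "vendorProject": "Commvault", "product": "Command Center",
         "dateAdded": "2026-05-19", "dueDate": "2026-06-09", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-36401", "vendorProject": "OSGeo", "product": "GeoServer",
         "dateAdded": "2026-05-19", "dueDate": "2026-06-09", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-0994", "vendorProject": "Trimble", "product": "Cityworks",
         "dateAdded": "2026-05-07", "dueDate": "2026-05-28", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: open CVEs per asset as a vulnerability scanner would report them.
INVENTORY = [
    {"asset": "backup01.corp", "cves": ["CVE-2025-34028"]},
    {"asset": "gis01.corp", "cves": ["CVE-2024-36401", "CVE-2023-0001"]},
    {"asset": "cityworks01.corp", "cves": ["CVE-2025-0994"]},
]


def load_kev(raw):
    """Index the catalog by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def triage(kev, inventory, today):
    """Return exposed (asset, CVE) rows, most urgent first.

    Ordering: already overdue first, then CVEs CISA marks as used in
    ransomware, then earliest due date. CVEs not in KEV are skipped and
    stay on the normal patch cadence.
    """
    rows = []
    for item in inventory:
        for cve in item["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "asset": item["asset"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": due,
                "days_overdue": (today - due).days,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    rows.sort(key=lambda r: (r["days_overdue"] < 0, not r["ransomware"], r["due"]))
    return rows


def triage_sample():
    """Run the triage over the constructed data as of June 1, 2026."""
    return triage(load_kev(KEV_JSON), INVENTORY, date(2026, 6, 1))


if __name__ == "__main__":
    for r in triage_sample():
        state = (f'{r["days_overdue"]}d overdue' if r["days_overdue"] > 0
                 else f'due {r["due"]}')
        flag = " [ransomware]" if r["ransomware"] else ""
        print(f'{r["asset"]:18} {r["cve"]:16} {r["product"]:24} {state}{flag}')
```

With the placeholder dates, the Cityworks host sorts first because its deadline has passed, and the Commvault backup server sorts ahead of the GeoServer host despite sharing a due date because the catalog marks its CVE as used in ransomware campaigns. Note that KEV due dates bind federal civilian agencies under BOD 22-01; for a contractor they are a sensible floor, not a legal deadline.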

Ransomware Trends

748 Incidents in May: Second Highest Month on Record: May's 748 publicly disclosed ransomware incidents represent a slight decline from April's record 801, but remain 58% above May 2025 levels (473 incidents). The sustained elevation confirms that April was not an anomaly but a new operational baseline for the ransomware ecosystem.

RansomHub Dominates: RansomHub led May activity with 94 confirmed incidents, overtaking Qilin (68) as the most active single operator. RansomHub's affiliate model, which lets affiliates keep 90% of ransom payments, has driven rapid expansion since its emergence in early 2024. The group has shown particular focus on manufacturing, defense subcontractors, and logistics providers, sectors with high operational disruption potential and historically lower cybersecurity maturity.

Operational Technology Targeting Increases: CISA reported a 34% increase in ransomware incidents affecting operational technology environments in May compared to the prior three-month average. Attackers are increasingly moving laterally from IT networks into OT environments to trigger broader operational shutdowns and increase ransom leverage. Defense manufacturers with connected factory floor systems should audit IT/OT network segmentation immediately.

Ransomware-as-a-Service Expansion: Three newer RaaS platforms (Interlock, Fog, and VanHelsing) collectively claimed 87 incidents in May, their highest combined monthly total. The continued proliferation of RaaS operations means that even small and mid-sized DIB companies with limited public profiles are now potential targets. The technical barrier to launching a ransomware campaign has dropped to the point where near-commodity attack kits are available to unsophisticated threat actors.

Government Advisories and Nation-State Threats

CISA Advisory AA26-131A: Chinese State-Sponsored Targeting of U.S. Defense Supply Chains: On May 11, CISA, NSA, FBI, and the Defense Counterintelligence and Security Agency (DCSA) jointly published an advisory documenting an active Chinese state-sponsored campaign targeting Tier 2 and Tier 3 defense suppliers. The campaign uses valid credentials obtained via spearphishing and credential stuffing against VPN portals, followed by living-off-the-land techniques to avoid detection. The advisory specifically called out that smaller suppliers (those with fewer than 500 employees) are being targeted as indirect pathways to larger prime contractors. DIB organizations at any tier should treat this as a direct threat advisory and review their spearphishing defenses, VPN access logs, and lateral movement detection capabilities.
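The advisory's recommendation to review VPN access logs is concrete enough to automate. The following is an added example, not code from CISA or from the advisory: it parses authentication events in a generic key=value syslog shape (the lines, gateway name, usernames and source addresses are constructed, and the regex must be adapted to the real format of your gateway) and raises two alerts that together describe credential stuffing: one source address failing against many distinct accounts inside a short window, and then a successful login from that same address, which identifies the account to lock first.

```python
"""Flag credential stuffing / password spraying in VPN authentication logs.

Added example; log lines are constructed in a generic syslog style.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5  # failures against this many accounts from one IP => spraying


def parse(lines):
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unrelated or malformed line
        yield {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
               "user": m["user"], "src": m["src"], "result": m["result"]}


def detect(lines):
    """Single pass over the log; memory is bounded by one window per source IP."""
    failures = defaultdict(deque)  # src -> (ts, user) failures inside WINDOW
    spraying = set()               # src IPs currently flagged
    alerts = []
    for ev in parse(lines):
        src, q = ev["src"], failures[ev["src"]]
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()            # age out failures older than the window
        if not q:
            spraying.discard(src)  # quiet for a full window: clear the flag
        if ev["result"] == "FAIL":
            q.append((ev["ts"], ev["user"]))
            users = sorted({u for _, u in q})
            if len(users) >= MIN_DISTINCT_USERS and src not in spraying:
                spraying.add(src)
                alerts.append(("SPRAY", src, users))
        elif src in spraying:
            # The account that finally succeeded is the one to lock and investigate.
            alerts.append(("SUCCESS_AFTER_SPRAY", src, ev["user"]))
    return alerts


# Constructed sample (TEST-NET addresses, fictional users): one spraying
# source that eventually gets in, and one ordinary user who mistyped once.
SAMPLE_LOG = """\
2026-05-09T02:14:07Z vpn-gw1 auth: user=alice src=203.0.113.45 result=FAIL
2026-05-09T02:14:09Z vpn-gw1 auth: user=bob src=203.0.113.45 result=FAIL
2026-05-09T02:14:12Z vpn-gw1 auth: user=carol src=203.0.113.45 result=FAIL
2026-05-09T02:14:15Z vpn-gw1 auth: user=dave src=203.0.113.45 result=FAIL
2026-05-09T02:14:18Z vpn-gw1 auth: user=erin src=203.0.113.45 result=FAIL
2026-05-09T02:14:20Z vpn-gw1 auth: user=frank src=203.0.113.45 result=FAIL
2026-05-09T02:15:02Z vpn-gw1 auth: user=erin src=203.0.113.45 result=OK
2026-05-09T08:01:44Z vpn-gw1 auth: user=alice src=198.51.100.7 result=FAIL
2026-05-09T08:01:59Z vpn-gw1 auth: user=alice src=198.51.100.7 result=OK
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The distinct-user count is what separates spraying from a user who forgot a password: the 198.51.100.7 events produce no alert. Because the advisory describes valid credentials obtained by phishing as well, pair this with a check for first-seen source countries or ASNs per account; a single successful login with no preceding failures is exactly what a phished password looks like, and this detection will not catch it on its own.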

Russian GRU Unit 29155: Infrastructure Reconnaissance Campaign: The FBI issued a flash advisory on May 22 warning that GRU Unit 29155 has been conducting systematic reconnaissance of U.S. critical infrastructure since early 2026, with particular focus on energy, water, and defense manufacturing facilities. The advisory noted that the campaign appears to be pre-positioning for potential sabotage operations rather than immediate exploitation. Organizations in these sectors should document their internet-exposed attack surface and review their incident response plans for scenarios involving deliberate operational disruption.

AI-Assisted Phishing Reaches Mainstream Scale

Microsoft's May Threat Intelligence report documented that AI-generated phishing content now accounts for an estimated 38% of all business email compromise attempts, up from less than 5% in 2024. In blind tests run by multiple security vendors, reviewers could not reliably tell AI-generated lures from legitimate executive communications. Traditional indicators such as grammatical errors, unusual phrasing, and formatting inconsistencies are no longer reliable. Defense contractors handling CUI via email should publish SPF, DKIM, and DMARC records for their domains and move DMARC to an enforcing policy (p=quarantine or p=reject, since p=none only generates reports), deploy email security tools capable of behavioral analysis, and train employees to verify unusual financial or access requests through a second channel regardless of how legitimate the email appears.
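A quick way to see whether a domain is actually enforcing, rather than merely publishing, those records: the following is an added example, not code from the Microsoft report or from any vendor. It grades SPF and DMARC TXT records for enforcement strength and is written to take the record strings as input so it runs offline; in practice you would fetch them with a resolver (for example dns.resolver.resolve(name, "TXT") from dnspython). The two domains and their records are constructed (.example is a reserved TLD). DKIM is deliberately not graded here, because checking it requires the selector from a real message's DKIM-Signature header rather than a fixed DNS name.

```python
"""Grade SPF and DMARC records for enforcement strength.

Added example; the records below are constructed for hypothetical domains.
"""
import re

# SPF mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade(txt_records, dmarc_records):
    """Return (severity, message) findings for a domain; an empty list means enforcing."""
    findings = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append(("HIGH", "no SPF record"))
    elif len(spf) > 1:
        findings.append(("HIGH", "multiple SPF records; receivers treat this as permerror"))
    else:
        terms = spf[0].split()
        if "+all" in terms or "?all" in terms or "all" in terms:
            findings.append(("HIGH", f"SPF ends with {terms[-1]}: any sender passes"))
        elif "~all" in terms:
            findings.append(("MEDIUM", "SPF softfail (~all): spoofed mail is delivered unless DMARC rejects it"))
        elif "-all" not in terms:
            findings.append(("MEDIUM", "SPF has no 'all' mechanism"))
        lookups = sum(1 for t in terms[1:]
                      if re.split(r"[:=/]", t.lstrip("+-~?"))[0].lower() in LOOKUP_MECHS)
        if lookups > 10:
            findings.append(("HIGH", f"SPF requires {lookups} DNS lookups; above 10 it evaluates to permerror"))
    dmarc = [r for r in dmarc_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append(("HIGH", "no DMARC record at _dmarc.<domain>"))
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append(("HIGH", "DMARC p=none: monitoring only, spoofed mail is still delivered"))
        else:
            pct = int(tags.get("pct", "100"))
            if pct < 100:
                findings.append(("MEDIUM", f"DMARC enforced for only pct={pct} percent of mail"))
            if tags.get("sp", policy).lower() == "none":
                findings.append(("MEDIUM", "subdomain policy sp=none: subdomains can still be spoofed"))
        if "rua" not in tags:
            findings.append(("LOW", "no rua= address: no aggregate reports on who is spoofing the domain"))
    return findings


# Constructed records: a common "we have DMARC" posture that enforces nothing,
# beside a genuinely enforcing one.
WEAK_TXT = ["v=spf1 include:_spf.mailhost.example ~all",
            "some-verification-token=abc123"]
WEAK_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"]
STRONG_TXT = ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"]
STRONG_DMARC = ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example"]

if __name__ == "__main__":
    for name, txt, dm in (("weak.example", WEAK_TXT, WEAK_DMARC),
                          ("strong.example", STRONG_TXT, STRONG_DMARC)):
        for sev, msg in grade(txt, dm) or [("OK", "SPF -all and DMARC enforcing")]:
            print(f"{name}: {sev}: {msg}")
```

The weak domain illustrates the gap the paragraph warns about: SPF and DMARC both exist, but ~all plus p=none means a spoofed message from that domain is still delivered to the inbox. Move to p=quarantine with a low pct first, watch the aggregate reports for legitimate senders that fail, then raise to p=reject.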

Separately, the Scattered Spider threat group, responsible for high-profile breaches at MGM and Caesars in 2023, was linked to at least four May 2026 intrusions against defense-adjacent technology companies. The group's primary tactic remains social engineering of IT help desks to reset MFA credentials. Organizations should implement strict identity verification procedures for any help desk request involving MFA reset, password recovery, or new device enrollment.

CMMC and Compliance Updates

CMMC Phase 2: Under Six Months to Enforcement: As of June 1, 2026, the November 10, 2026 enforcement date for CMMC Phase 2 is 162 days away. Contractors requiring Level 2 certification must have a completed C3PAO assessment before that date. DCSA reported in May that C3PAO scheduling backlogs have extended to 14-18 weeks for most assessors, meaning organizations that have not yet initiated the formal assessment process are at serious risk of missing the deadline. Initiating a gap assessment now is the essential first step. The CGA CMMC Gap Assessment Grant provides a $5,000 in-kind professional gap assessment against all 110 NIST SP 800-171 controls at no cost to the contractor.

DoD CMMC Program Office: Clarification on Cloud Service Providers: The CMMC Program Office issued a May 2026 guidance memo clarifying that contractors using cloud services to process, store, or transmit CUI must ensure those services hold a FedRAMP Moderate or higher authorization, or an equivalent authorization under the DoD Cloud Computing Security Requirements Guide. Commercial cloud services that are not FedRAMP authorized do not satisfy CMMC Level 2 requirements for CUI protection, regardless of the service provider's marketing claims. Contractors should audit their cloud environment inventory against the FedRAMP Marketplace before their assessment date.

NIST SP 800-171 Rev. 3 Transition Timeline: DoD published a May 2026 notice indicating that formal CMMC assessments will transition from Rev. 2 to Rev. 3 controls no earlier than Q3 2027, following a 12-month overlap period. While this provides short-term clarity, contractors should be aware that the three control families new in Rev. 3 (Planning, System and Services Acquisition, and Supply Chain Risk Management) represent meaningful new requirements, and that several existing requirements were tightened with organization-defined parameters. Beginning gap analysis against Rev. 3 now, while assessments still use Rev. 2, allows organizations to build toward the future standard without emergency remediation later.

Concerned about your cybersecurity posture?

CGA offers grants to help defense contractors assess and improve their compliance with CMMC and NIST SP 800-171.
