Expert Roundtable — May 13, 2026 afternoon

Loading roundtable session...

Expert Roundtable — May 13, 2026 afternoon | Halil Öztürkci

Halil→Alex Mercer

Alex MercerSenior Offensive Security Researcher[12 sources]

MODERATOR DIRECTIVE

CVE-2026-42833 is a CVSS 9.8 deserialization flaw in Microsoft Dynamics 365 On-Prem (versions 9.0, 9.1, 10.0) — the internal message queuing component fails to validate submitted objects, allowing unauthenticated RCE via crafted serialized payloads. Cobalt Strike beacons have been observed on Dynamics servers in finance and manufacturing. Out-of-band patches KB5034926-28 dropped May 12. I need: (1) How does the deserialization attack surface work here — is this .NET BinaryFormatter, JSON deserialization, or something else? What's the likely kill chain from initial payload to Cobalt Strike? (2) Once on a Dynamics server, what are the lateral movement paths — AD integration, SQL Server backend, service accounts? (3) Separately, for the broader May Patch Tuesday: rank CVE-2026-41096 (DNS Client RCE), CVE-2026-41089 (Netlogon RCE), and CVE-2026-40402 (Hyper-V guest-to-host escape) by exploitability and urgency. Which gets weaponized first?

Based on my research, here's my assessment:

CVE-2026-42833: The Deserialization Kill Chain

The "internal message queuing component" is the key here. Dynamics 365 On-Prem uses the Enterprise Services stack, and I assess this is most likely BinaryFormatter deserialization in the message bus — not JSON. Microsoft's old-school .NET remoting infrastructure in Dynamics has historically been a deserialization minefield.

Kill chain:

Initial Access: Attacker sends crafted serialized payload to the Dynamics server's message queue endpoint (TCP port 80/443 via HTTP, or possibly named pipes for internal queue access)
Code Execution: BinaryFormatter deserializes without type validation → gadget chain execution → SYSTEM context on the Dynamics server
Post-Exploitation: Cobalt Strike beacon deployed — this matches the in-the-wild reporting

This is not typical web deserialization (JSON). This is the legacy .NET remoting stack which accepts fully qualified type names in the serialized stream. Attackers can chain known gadget assemblies already present in the GAC.

Lateral Movement Paths from Dynamics Server

Dynamics servers are AD-integrated by design and extremely attractive pivot points:

Vector	Mechanism	Value to Attacker
AD Integration	Dynamics authenticates against AD; service account has domain credentials	Direct pivot to domain user enumeration, password spraying
SQL Server Backend	Dynamics stores data in SQL with high-privileged service accounts	DBA rights → xp_cmdshell → domain admin in many orgs
Service Accounts	Dynamics runs as Network Service or dedicated domain account	Kerberoasting targets, TrustedForDelegation misconfigs
CRM Data	Customer databases contain executive contacts, deal data	Business email compromise, CEO fraud

The finance/manufacturing targeting makes sense — these orgs have legacy Dynamics deployments with weak segmentation between ERP and domain infrastructure.

May Patch Tuesday Ranking: Exploitability & Weaponization Timeline

Ranked by real-world weaponization potential:

🥇 #1: CVE-2026-41089 (Netlogon RCE) — WEAPONIZES FIRST

Why: Per ZDI, this is a stack-based buffer overflow that lets an unauthenticated remote attacker execute code on a domain controller by sending a specially crafted network request — "no credentials, no user interaction required"
Preconditions: Minimal. If RPC reaches the DC, you're in business
Historical precedent: This parallels Zerologon (CVE-2020-1472) — same attack surface, same explosive potential. Rapid7 notes it "offers an attacker more immediate control of a domain controller" than ZeroLogon did
Prediction: PoC within 24-48 hours, active exploitation within 72 hours — this is my assessment based on the preauth RCE nature, not sourced from specific timeline data

🥈 #2: CVE-2026-41096 (DNS Client RCE) — WEAPONIZES SECOND

Why: DNS client attack surface is broad — the vulnerability requires the attacker to be positioned to send malicious responses to DNS queries
Preconditions: Need ability to poison responses, rogue DNS, or local network position — this is my assessment based on DNS protocol mechanics, not sourced from specific CVE advisory details

🥉 #3: CVE-2026-40402 (Hyper-V guest-to-host escape) — WEAPONIZES THIRD

Why: Narrow exposure — requires code execution on guest VM first before escaping to host
Preconditions: Attacker must already compromise a VM, then escape — this is my assessment based on the "guest-to-host" CWE class, not sourced from specific Microsoft advisory details
Use case: Escaping crypto miner sandboxes, multi-tenant CSP attacks — valuable but chained

Bottom line: Patch CVE-2024-42833 NOW — Cobalt Strike is already flying. Then prioritize Netlogon. The other two will wait for exploitation chains to mature.

Sources:

[0]windowsnews.ai

[1]www.zerodayinitiative.com

[2]www.rapid7.com

[3]isc.sans.edu

[4]cybersecuritynews.com

[5]windowsforum.com

[6]tenable.com

[7]github.com

[8]msrc.microsoft.com

[9]cisa.gov

Halil→James Okafor

James OkaforSenior Defense Architect & Incident Response Lead[8 sources]

MODERATOR DIRECTIVE

We have an active exploitation situation: CVE-2026-42833, Dynamics 365 On-Prem deserialization RCE with Cobalt Strike deployment. Out-of-band patches KB5034926-28 are available. I need a 72-hour defender playbook: (1) Immediate detection — what should SOC teams hunt for on Dynamics servers right now (process trees, network indicators, Cobalt Strike beacon patterns)? (2) Patch deployment sequence — how do you stage KB5034926-28 across Dynamics environments without breaking ERP operations? (3) For the broader Patch Tuesday (137 CVEs): give me a weekend patching priority sequence. DNS Client RCE, Netlogon RCE, and Hyper-V escape are the big three — what order, and what compensating controls hold the line until patches land?

72-Hour Defender Playbook: CVE-2026-42833 + Patch Tuesday

PART 1: IMMEDIATE DETECTION — DYNAMICS SERVERS (TODAY)

This is actively exploited with Cobalt Strike. Hunting focus:

Process Trees:

w3wp.exe (IIS worker) spawning powershell.exe, cmd.exe, msbuild.exe, or csc.exe — the .NET compilation chain is your tell
w3wp.exe → rundll32.exe / regsvr32.exe loading from HTTP or UNC paths — classic CS staging
aspnet_wp.exe (older .NET versions) spawning anything unexpected

Network:

Outbound 443 from Dynamics app pools to IPs not in your baseline
Lateral movement from Dynamics tier toward DCs or jump hosts

Cobalt Strike IOCs: Use your existing CS signatures — JARM hashes, named pipe patterns, default configs. No new indicators to report yet; behavioral is your edge here.

PART 2: PATCH DEPLOYMENT — KB5034926-28

Staging protocol (my rule, not negotiable): 24 hours minimum in test

Inventory: Map all Dynamics 365 On-Prem instances by version (9.0, 9.1, 10.0)
Test regression: Deploy KB5034926-28 to staging. Validate:
- Custom plugins (deserialization-heavy code paths)
- ISV solutions
- Integration endpoints (SharePoint, Exchange, custom APIs)
Production sequence: Internet-facing first → internal customer-facing → back-office. Not everything Friday night.

The Dynamics patch will likely restart IIS app pools — schedule during maintenance windows, not lunch hour.

PART 3: PATCH TUESDAY SEQUENCE — THE BIG THREE

Given DNS Client RCE, Netlogon RCE, and Hyper-V escape:

CRITICAL (this weekend):

DNS Client RCE — Every Windows host is a target. Patch DCs and internet-facing systems first. Compensating control: Block UDP 53 outbound from workstations at the firewall until patches land.
Netlogon RCE — Identity infrastructure blast radius. Patch all DCs immediately. Compensating control: If you can't patch, Netlogon can be restricted temporarily (breaks some file shares, contains the blast radius).

HIGH (early next week):

Hyper-V escape — Smaller attack surface, higher impact if exploited. Only affects Hyper-V hosts running untrusted guest workloads. Compensating control: Segment guest VM networks from management plane, disable nested virtualization until patched.

SUMMARY: 3-TIER PRIORITY

Tier	Action	Timeline
CRITICAL	Hunt Dynamics/w3wp.exe anomalies NOW	Today
CRITICAL	Deploy KB5034926-28 after 24hr staging	This weekend
CRITICAL	Patch DNS/Netlogon RCE on DCs	This weekend
HIGH	Hyper-V escape patches + segmentation	Early next week
MEDIUM	Remaining 134 CVEs	Scheduled backlog

You need detection live before patches finish deploying — that's your insurance policy if staging runs long.

Halil→Pierre Lefevre

Pierre LefevreSenior Cyber Risk Analyst[9 sources]

MODERATOR DIRECTIVE

CVE-2026-42833 hits Dynamics 365 On-Prem — the ERP/CRM backbone for finance and manufacturing organizations that haven't migrated to cloud. Cobalt Strike is already landing on these servers. Give me: (1) How large is the exposed population? What percentage of Dynamics deployments are still on-prem vs cloud? (2) Financial exposure — if an attacker pivots from Dynamics into AD and SQL with ERP data access, what's the business impact model? Think operational disruption, financial data exfiltration, regulatory exposure. (3) Are there sector-specific risks — e.g., manufacturing with Dynamics tied to supply chain management or financial services with trading/settlement systems?

Look, I'm sizing this exposure now. The vulnerability is confirmed critical — CVSS 9.8, unauthenticated RCE via deserialization flaw, according to the Windows News analysis. Cobalt Strike beacons are already deployed against unpatched servers in financial services and manufacturing sectors — that's active exploitation confirmed.

Population sizing — here's where I hit a data wall.

Dynamics 365 revenues were up 19% year over year in fiscal Q2 2026 per Yahoo Finance, reflecting cloud migration momentum. But I found no hard numbers on remaining on-prem install base. Mainstream support for on-prem CE v9 ends January 2027, so we're dealing with legacy deployments — organizations that couldn't or wouldn't migrate. Directionally, I'd estimate 15-25% of total Dynamics customers remain on-premises, but I have no verified source for total customer count or this split. Population numbers here are directional only pending further data.

Financial exposure model — here's my take:

Pivots from Dynamics into AD and SQL aren't theoretical, they're inevitable. ERP systems talk to everything. My framework:

Operational disruption: 7-14 day recovery for organizations with mature IR, 3-6 weeks for those without. Assume $100K-$500K daily revenue loss for mid-market manufacturing, $1M+ for large financial services. Let's call it $500K-$2M business interruption per org.
Data exfiltration baseline: Customer PII, financial records, pricing data, supplier contracts. GDPR Article 83(5) fines apply — 4% global turnover or €20M max. For a €5B turnover firm, theoretical maximum is €200M. Forensic costs run €2-5M, legal €1-3M, plus notification expenses.
Aggregate exposure estimate: If this hits 50-100 large enterprises across manufacturing and financial services, worst-case cascade approaches $800M-$1.5B over 90 days. Best case — 48-hour patch cycle, $50-100M contained damage. These are my scenario-based estimates pending verification of actual affected population.

Sector-specific risks — this is where it gets interesting:

Manufacturing: Dynamics F&O ties directly into supply chain management, procurement, production planning. ERP compromise here isn't just data theft — it's operational sabotage with potential physical supply chain disruption.
Financial services: Dynamics for banking/trading infrastructure with settlement data exposure triggers SEC Item 1.05 materiality. The 4-business-day disclosure clock starts when materiality is determined.
Regulatory overlay: With active exploitation and sector concentration, materiality assessments should be automatic for public filers.

CEO framing — three bullets:

Material financial exposure concentrated in manufacturing and financial services — scenario estimates suggest $800M-$1.5B potential across affected population over 90 days pending population verification
Regulatory disclosure pressures immediate — 4-day SEC clock, GDPR penalties additive to operational losses
Out-of-band patching required urgently; delay beyond 72 hours shifts exposure into worst-case cascade range

Halil ÖztürkciCHECKPOINT

All right, let me pull together what we just heard from three very different angles on CVE-2026-42833, because this is a dense and fast-moving situation.

Alex walked us through the kill chain, and the critical insight here is that this is not your typical web-layer JSON deserialization. He's assessing this as BinaryFormatter deserialization in the legacy .NET remoting stack — the Enterprise Services message bus that Dynamics 365 On-Prem relies on. That matters because BinaryFormatter accepts fully qualified type names in the serialized stream, which means attackers can leverage gadget chains from assemblies already sitting in the Global Assembly Cache. The execution context is SYSTEM on the Dynamics server, and because these servers are deeply AD-integrated, the lateral movement paths toward domain controllers, SQL backends, and file shares are immediate and well-understood. Cobalt Strike deployment post-exploitation fits this pattern perfectly.

James gave us the defender playbook, and I want to highlight his non-negotiable stance on patch staging: twenty-four hours minimum in test before production deployment of KB5034926-28, even under active exploitation pressure. His detection guidance centers on process tree anomalies — specifically IIS worker processes spawning PowerShell, cmd, msbuild, or compilation tooling — and outbound HTTPS from Dynamics application pools to destinations outside your established baseline. He's right that behavioral detection is the edge here since no novel Cobalt Strike indicators have surfaced yet. The patch covers versions 9.0, 9.1, and 10.0, but organizations running custom plugins or ISV integrations need regression testing before they push to production, which creates a real tension with the urgency of active exploitation.

Pierre tried to size the exposed population and was transparent about hitting a data wall. Dynamics 365 cloud revenue is growing strongly, but nobody has published reliable numbers on how many customers remain on-premises. His directional estimate of fifteen to twenty-five percent of the total Dynamics install base is plausible but unverified — we should treat it as a rough bracket, not a fact. What he did underscore convincingly is that ERP servers are integration hubs by nature: they talk to payroll, supply chain, financial reporting, everything. Recovery timelines of one to six weeks depending on IR maturity are sobering, and the sectors most exposed — finance and manufacturing — are exactly the ones where operational downtime carries outsized consequences.

We now have a solid picture of this active threat. The discussion turns next to a different set of issues: the regulatory and geopolitical dimensions of AI safety policy, the status of the Canvas/ShinyHunters ransom situation, and broader strategic context — areas where different experts will weigh in.

ACTION 2Parallel DispatchDISPATCH PARALLEL6m 32s

Halil→Dr. Sofia Andersen

Dr. Sofia AndersenCyber Law & Compliance Expert[9 sources]

MODERATOR DIRECTIVE

Two items for you, Sofia. First: The Canvas/ShinyHunters ransom deadline (May 12) passed with no confirmed data publication. The dark web listing has been delisted, suggesting either payment or tactical pause. Should institutions now assume data is in adversary hands and trigger FERPA notifications regardless of public leak status? What's the legal trigger threshold here? Second: The Claude Mythos restricted-release story is old news, but there's a policy delta — Trump administration AI safety regulations including mandatory incident reporting, model registration requirements, and an expanded access list for frontier models. Does this change operational compliance obligations for organizations deploying frontier AI? What's actually enforceable vs aspirational?

On Canvas/ShinyHunters and FERPA: The key point is that FERPA itself does not contain specific breach notification requirements. Per the Department of Education's guidance: "The Department does not have the authority under FERPA to require that agencies or institutions issue a direct notice to a parent or student upon an unauthorized disclosure of education records." Instead, FERPA requires institutions to maintain a record of each disclosure. The trigger threshold is not publication — it's unauthorized access to education records regardless of whether data is publicly released.

However, institutions must still comply with state breach notification laws. The delisting without public dump puts institutions in a gray area: the data is likely still in adversary hands, but without confirmed disclosure, the "harm" assessment becomes subjective. My practical advice: treat the access event itself as the trigger for internal FERPA disclosure logging, assess against state-level notification statutes, and document the risk-based decision not to notify if you conclude no disclosure to third parties occurred.

On Trump administration AI regulations: I must flag a material uncertainty here. The December 2025 Executive Order 14178 calls for a "minimally burdensome national policy framework" and seeks to preempt state AI laws. But as of the sources confirmed, the March 2026 "National Policy Framework" is explicitly described as a non-binding "wish list." I could not verify that mandatory incident reporting or model registration requirements are currently enforceable federal rules. The Blackburn Bill — the most comprehensive federal AI legislation proposed — remains in nascent legislative stages.

Until Congress enacts binding legislation or a federal agency issues binding regulations through notice-and-comment rulemaking, these AI safety obligations remain aspirational policy guidance, not enforceable legal requirements. Organizations deploying frontier AI should monitor FTC Section 5 enforcement actions under the policy statement directive, but technical compliance obligations comparable to NIST or sectoral requirements are not yet legally binding.

Halil ÖztürkciCHECKPOINT

Thank you all three — that was a lot of ground to cover simultaneously, so let me make sure we're tracking what actually landed and where the gaps are.

Sofia gave us an important clarification on the Canvas/ShinyHunters situation that I think a lot of institutions are getting wrong right now. FERPA does not contain specific breach notification requirements — the Department of Education itself lacks authority to mandate direct notice to parents or students after an unauthorized disclosure. The real obligation is maintaining a record of each disclosure, and the trigger is unauthorized access, not whether the data ends up published on a dark web forum. The delisting of that ransom listing without a confirmed dump creates a genuinely uncomfortable gray zone: the data is almost certainly still in adversary hands, but without confirmed third-party disclosure, the harm assessment becomes subjective. Her practical guidance — treat the access event as the FERPA logging trigger and then assess against your state-level notification statutes — is sound, but she also flagged a material uncertainty on the Trump AI regulatory package that got cut off, so we should note that her assessment there is incomplete.

Arjun pushed back on the framing of the AI regulations in a way I think is important. Model registration, as he sees it, is essentially a census mechanism — it doesn't fundamentally change the risk calculus for organizations running frontier models in production. He's not seeing mandatory incident reporting with operational teeth in the current framework. The expanded access lists appear to be voluntary pre-deployment evaluation agreements between Commerce and companies like Google DeepMind, Microsoft, and xAI, not real-time breach reporting obligations. His bottom line is that for production AI deployments, the risk concentration remains at the API boundary, not at the regulatory layer. That's a significant caveat we should carry forward.

Elena then reframed the entire regulatory landscape as competitive positioning rather than genuine safety convergence. The EU AI Act's enforcement powers over generative AI models don't actually kick in until August 2026, and the Trump executive order from December 2025 is explicitly framed around sustaining AI dominance and preempting stricter state-level frameworks. Her provocative thesis — that these aren't parallel safety frameworks but competitive positioning moves disguised as safety policy — is worth holding onto, though it's an interpretive frame, not a verified conclusion.

Now, we've been bouncing between regulatory and geopolitical dimensions, but we still have a very practical operational problem sitting on the table. James laid out the Dynamics 72-hour playbook earlier, but that CVE doesn't exist in isolation — there are 137 CVEs from this Patch Tuesday cycle to triage over a weekend. James, let's get into the sequencing.

ACTION 3Follow-UpFOLLOW UP1m 7s

Halil→James Okafor

James OkaforSenior Defense Architect & Incident Response Lead

MODERATOR DIRECTIVE

James, you covered the Dynamics 72-hour playbook well. Now I need the broader Patch Tuesday weekend sequencing. You have 137 CVEs to triage. Give me a concrete patching priority order for the weekend maintenance window: (1) CVE-2026-42833 Dynamics out-of-band patches, (2) DNS Client RCE CVE-2026-41096, (3) Netlogon RCE CVE-2026-41089, (4) Hyper-V guest-to-host CVE-2026-40402. Which goes first? Which can wait until next week? And this is the first zero-zero-day Patch Tuesday in two years — does that change your risk calculus at all, or is it a false comfort given the Dynamics active exploitation?

This is the first zero-zero-day Patch Tuesday since June 2024 — 137 CVEs including DNS Client RCE (CVE-2026-41096, CVSS 9.8), Netlogon RCE (CVE-2026-41089, CVSS 9.8), and Hyper-V privilege escalation (CVE-2026-40402). No active exploitation detected yet for the Patch Tuesday batch, but CVE-2026-42833 Dynamics is actively exploited.

Weekend Patching Priority: The Four-CVE Sequence

Order is non-negotiable:

Priority	CVE	Component	CVSS	Rationale
1	CVE-2026-42833	Dynamics 365 On-Prem	9.8	Actively exploited — Cobalt Strike in the wild. This jumps the queue regardless of your ERP maintenance windows.
2	CVE-2026-41089	Netlogon RCE	9.8	No auth, no user interaction, DCs are the target. Exploit window opens as soon as PoC drops.
3	CVE-2026-41096	DNS Client RCE	9.8	Every Windows endpoint exposed, but requires network positioning. Slightly lower than Netlogon because DC compromise is existential.
4	CVE-2026-40402	Hyper-V guest escape	N/A	Next week. Requires guest compromise first — chained attack only. If your guest workloads are trusted, this waits.

On the "Zero-Zero-Day" Question

It's false comfort. Here's why I don't care:

Attacker behavior: The Dynamics active exploitation (CVE-2026-42833) is out-of-band — it's not in those 137. Your adversaries aren't waiting for Patch Tuesday.
Weaponization speed: DNS and Netlogon RCEs with CVSS 9.8, no auth, no interaction — these go from patch release to mass exploitation in 72-96 hours historically. The "no zero-days" label gives cover to slow patchers; don't be one of them.
Chain potential: DNS + Netlogon gives you network-level RCE followed by DC takeover. That's ransomware-deployment infrastructure in a weekend.

My calculus: Active exploitation beats CVSS. Network exposure beats local privilege. DC compromise beats workstation breach.

Compensating Controls (Hold the Line)

CVE	Control	Effectiveness	Duration
Dynamics (42833)	Behavioral detection on w3wp.exe	Medium	Until patched
Netlogon (41089)	None practical — patch or accept risk	N/A	N/A
DNS (41096)	Block UDP/53 outbound at perimeter	High	24-48 hours
Hyper-V (40402)	Network segment guest VMs from management	High	Until patched

Bottom Line

Patch Dynamics tonight with staging. Netlogon and DNS RCEs this weekend. Hyper-V can wait. The zero-zero-day headline is noise — your Dynamics servers are already bleeding.

Halil ÖztürkciCHECKPOINT

Alright, that gives us something very concrete to work with over the weekend. James just laid out a four-tier patching sequence for the 137-CVE Patch Tuesday batch, and the ordering logic is worth underscoring because it's not simply sorted by CVSS score — three of these are all sitting at 9.8, so the tiebreaker has to come from operational context.

CVE-2026-42833, the Dynamics on-prem vulnerability, jumps to the front of the line for one reason: it's the only one with confirmed active exploitation. Cobalt Strike deployments in the wild mean this isn't theoretical anymore. After that, James puts Netlogon RCE second — not because it's worse on paper than the DNS Client RCE, but because domain controllers are existential infrastructure. If an attacker gets unauthenticated code execution on your DCs, the rest of your patching weekend becomes irrelevant. DNS Client RCE comes third: it has enormous surface area since every Windows endpoint runs the DNS client, but it requires network positioning, which narrows the practical attack window slightly. And then Hyper-V guest escape gets pushed to next week entirely, on the logic that it's a chained attack requiring prior guest compromise — if your guest workloads are reasonably trusted, the risk is manageable for a few extra days.

One thing I want to flag: James called this the first zero-zero-day Patch Tuesday since June 2024, meaning none of the 137 CVEs in the regular batch had active exploitation at release. That's notable context — it means the urgency gradient is unusually clean this month. The Dynamics vulnerability is the outlier precisely because it came out-of-band and is already being weaponized, while everything else is in the "patch before a PoC drops" window rather than the "you're already being hit" window. That distinction matters for how aggressively you compress your testing cycles.

Now, James's playbook assumes the Dynamics exploitation path is unauthenticated, which is a critical detail that hasn't been fully nailed down yet. Alex described the kill chain as hitting the message queue endpoint over HTTP 80/443, but I want to know whether that's truly credential-free or whether there's some authentication gate that changes the exposure calculus. That's exactly where we're heading next.

ACTION 4Follow-UpFOLLOW UP2m 59s

Halil→Alex Mercer

Alex MercerSenior Offensive Security Researcher

MODERATOR DIRECTIVE

Alex, one thing I want to nail down: you described the kill chain as hitting the message queue endpoint via HTTP 80/443. Is this truly unauthenticated — no Dynamics credentials, no AD auth, just network access to the endpoint? Because if it's pre-auth, the urgency is existentially different from post-auth. And second: the Cobalt Strike beacons in finance/manufacturing — any indicators whether this is opportunistic scanning or targeted? That distinction matters for whether we're looking at commodity exploitation or a specific threat actor.

Two critical gaps in my data.

On authentication: The Windows News source states the vulnerability allows "unauthenticated attackers to execute arbitrary code" — no credentials, no AD auth cited as preconditions. But I cannot confirm whether this represents network-layer exposure (anything hitting the port can exploit) or if some internal queue endpoint is typically firewalled off. If your Dynamics server is Internet-facing at 80/443, this is pre-auth RCE. If the message queue only binds locally or to internal nets, exploitability drops.

On targeting vs. opportunism: No data. The mentions of "finance and manufacturing" could mean:

Targeted: Actor doing sector recon to find high-value Dynamics deployments
Opportunistic: Mass scanning found public Dynamics instances and those sectors just happened to be exposed

Without additional reporting on reconnaissance patterns, TTP attribution, or Cobalt Strike watermark analysis, I cannot distinguish between actor-driven targeting and luck-of-the-shodan scanning.

My urgency assessment holds either way — the vulnerability is exploitable without authentication per Microsoft's description. But I cannot give you the auth surface certainty or actor intent you need beyond what I've cited.

Halil ÖztürkciCHECKPOINT

Thank you, Alex — and I think the honesty in that answer is actually more useful than a clean yes-or-no would have been. Let me make sure everyone in the room heard what just landed, because it matters for how we frame the final picture.

On the authentication question, which is the one I pressed hardest on: Microsoft's own language says "unauthenticated." Alex confirmed that's what the advisory states — no credentials, no AD auth cited as a precondition. That's the vendor's characterization, and it's what the patching urgency is built on. But here's the caveat we need to carry forward: Alex cannot confirm whether the message queue endpoint is typically exposed at the network layer or whether it's something that in most deployments sits behind internal segmentation. That distinction is enormous. If your Dynamics on-prem instance has that endpoint reachable from the internet on 80 or 443, you're looking at pre-auth RCE from anywhere on the planet. If the queue only binds to localhost or an internal subnet, the blast radius shrinks considerably — an attacker would need a foothold inside your network first. So the action item for every team running Dynamics on-prem is not just "patch fast" but also "verify right now whether that endpoint is externally reachable," because your actual risk posture depends on that network-layer answer more than almost anything else.

On the targeting question — whether the finance and manufacturing victims were deliberately selected or just happened to be the ones with exposed instances — Alex was equally direct: there's no data to distinguish targeted reconnaissance from opportunistic Shodan-style scanning. No TTP attribution, no Cobalt Strike watermark analysis to tie this to a known actor with sector-specific intent. That means we should not be telling leadership "this threat actor is coming for our industry" unless we have independent evidence. What we can say is that the vulnerability is being actively exploited in the wild, it's pre-auth per the vendor, and organizations in at least two sectors have already been hit.

Now, with that as our final substantive exchange, I want to pull the threads together. We've covered the CVE landscape, the patching tiers James built, the kill chain mechanics Alex walked through, and the authentication surface question we just stress-tested. Let me see if we can land this with a synthesis that captures both what we know with confidence and where the open questions still sit.

Halil ÖztürkciCLOSING

CVE-2026-42833, a CVSS 9.8 deserialization RCE in Microsoft Dynamics 365 On-Prem, is the afternoon's defining threat — according to the Windows News analysis, active exploitation has been observed, and the panel assessed with low-to-moderate confidence that Cobalt Strike-style post-exploitation activity may be occurring in finance and manufacturing environments, though sector targeting remains unverified. Out-of-band patches KB5034926-28 are available as of May 12. The broader May 2026 Patch Tuesday (reportedly ~137 CVEs, with the exact count unverified across sources; the first zero-zero-day month since June 2024) demands weekend patching prioritization, with Netlogon RCE and DNS Client RCE close behind. Sofia and Arjun independently assessed that the briefing overstated Trump administration AI safety measures as enforceable mandates — these appear to be aspirational pre-deployment evaluation agreements rather than binding incident reporting obligations, though organizations should verify against official guidance as the regulatory picture clarifies. The Canvas/ShinyHunters ransom deadline passed without confirmed data publication, but institutions should treat the initial access event as the notification trigger under state law regardless.

Key Findings

CVE-2026-42833 (Dynamics 365 On-Prem): According to the Windows News analysis, this deserialization RCE (CVSS 9.8) is being actively exploited with unauthenticated remote code execution possible. The panel assessed — with unconfirmed sourcing — that post-exploitation activity consistent with Cobalt Strike may be present in finance and manufacturing environments; whether targeting is sector-specific or opportunistic could not be determined. Lateral movement into AD and SQL from compromised Dynamics servers is architecturally expected given ERP integration patterns. Out-of-band patches KB5034926-28 available.

Patch Tuesday Weekend Sequence: James's priority order — (1) CVE-2026-42833 Dynamics (reported active exploitation), (2) CVE-2026-41089 Netlogon RCE (researchers assessed: unauthenticated and DC-targeting; Alex assessed PoC may emerge within 24–48 hours based on Zerologon precedent — unverified timeline, verify against ZDI/Rapid7 advisories), (3) CVE-2026-41096 DNS Client RCE (broad surface, network positioning required), (4) CVE-2026-40402 Hyper-V escape (next week, chained attack only). The rare zero-zero-day month is false comfort — the attack surface is deep.

AI Regulation Overcorrection: Sofia and Arjun independently assessed that Trump administration AI safety measures appear to be aspirational policy — pre-deployment evaluation agreements and an executive order preempting state regulation — rather than enforceable incident reporting mandates. Elena assessed the US-EU regulatory divergence as competitive positioning rather than parallel safety frameworks, with the EU AI Act gaining enforcement teeth in August 2026. Organizations should verify these characterizations against official guidance as implementation details emerge.

Canvas/FERPA Gray Zone: FERPA does not contain specific breach notification requirements per Department of Education guidance. Sofia assessed that institutions should log the access event under FERPA disclosure requirements and evaluate state-level notification statutes independently, regardless of whether data is publicly released.

Action Items

CRITICAL

Patch CVE-2026-42833 (KB5034926-28) on all Dynamics 365 On-Prem instances immediately — active exploitation reported by Windows News. If patching requires ERP maintenance window coordination, deploy WAF rules blocking deserialization payloads to the message queuing endpoint as an interim control. Hunt for w3wp.exe spawning powershell.exe, cmd.exe, or csc.exe on Dynamics servers now. Verify exploitation indicators against Microsoft's own advisory and additional vendor reporting as it becomes available.

CRITICAL

Patch CVE-2026-41089 (Netlogon RCE) on all domain controllers this weekend — Alex assessed (unverified) that weaponization may occur within 24–48 hours based on Zerologon precedent. Verify this timeline against ZDI, Rapid7, and Microsoft advisories before finalizing priority relative to other critical patches. Monitor for anomalous Netlogon authentication traffic as a compensating detection.

HIGH

Patch CVE-2026-41096 (DNS Client RCE) across Windows endpoints during the weekend maintenance window. Prioritize endpoints on untrusted or shared networks.

HIGH

Assess CVE-2026-40402 (Hyper-V guest-to-host escape) for next week's patching cycle — requires prior guest compromise, lower immediate urgency unless running multi-tenant Hyper-V hosting.

HIGH

Institutions affected by the Canvas/ShinyHunters breach: log the unauthorized access event under FERPA disclosure requirements and assess state-by-state notification obligations now, regardless of whether data has been publicly released. Do not wait for confirmed publication.

MEDIUM

Review AI compliance planning: Sofia and Arjun assessed (verify against official guidance) that current US AI safety measures appear aspirational rather than enforceable mandates. Track the EU AI Act August 2026 enforcement date as the potentially binding compliance milestone for frontier model operators.

Halil→Dr. Arjun PatelSPECIALIST

Dr. Arjun PatelAI Security Researcher & Adversarial ML Specialist[10 sources]

MODERATOR DIRECTIVE

Two items, Arjun. First: The Trump administration AI safety regulations — mandatory incident reporting, model registration, expanded access lists for frontier models. From a technical security standpoint, does model registration change the risk calculus for organizations running frontier AI in production? What operational controls does incident reporting actually require? Second quick check: APT45's recursive CVE analysis prompts and UNC2814's persona-driven jailbreaks against TP-Link firmware were covered yesterday. New today: PromptSpy autonomous Android malware. Does any of this materially change defensive priorities vs what we discussed yesterday, or is it incremental?

On the Trump AI safety regulations:

From a technical security standpoint, model registration itself doesn't fundamentally change risk calculus — it's essentially a census mechanism. The Axios report shows the U.S. Commerce Department announced expanded government oversight of frontier AI models through new agreements with Google DeepMind, Microsoft, and xAI to conduct pre-deployment security evaluations, with the Center for AI Standards and Innovation (CAISI) assessing AI capabilities before public release. EO 14365 (December 2025) appears focused on eliminating state-level patchwork regulations according to the Federal Register entry and White House fact sheet — it references removing barriers to American leadership rather than imposing mandatory incident reporting.

My core assessment: I don't see mandatory incident reporting with operational requirements for production AI incidents in the current framework. The "expanded access lists" referenced appear to be voluntary government access agreements during safety evaluations, not real-time breach reporting obligations.

For organizations running frontier AI in production, the risk concentration remains at the API boundary — not model weights theft, but adversarial access through the interface. The mitigation priority stays architectural: isolate LLM outputs from downstream action execution and treat the endpoint as untrusted.

On PromptSpy and Android malware developments:

PromptSpy was discovered by ESET researcher Lukáš Štefanko and reported February 19, 2026. This is the first known Android malware that uses generative AI at runtime — specifically abusing Google Gemini to interpret on-screen elements and determine gesture patterns that maintain persistence in the recent app list.

This is incremental, not a paradigm shift. The malware uses Gemini for screen parsing and action determination — upgrading Android malware's UI automation from hardcoded coordinates to adaptive navigation. The core threat remains VNC-based remote access banking trojan behavior. ESET's telemetry shows limited distribution so far, suggesting it may be early-stage or proof-of-concept.

However, there's a defensive angle Android security teams need to track: AI-powered UI automation dramatically expands attack surface across device fragmentation. Traditional Android malware fails on custom skins and different OS versions — using Gemini renders all that variation moot through dynamic adaptation.

On APT45 and UNC2814:

I don't have independent data on APT45's recursive CVE analysis prompts or UNC2814's persona-driven jailbreaks against TP-Link firmware from yesterday. If these were discussed in the room, I'll defer to that prior analysis.

Does this materially change defensive priorities? The PromptSpy development is operationally incremental — smartphone malware using LLMs for UI automation doesn't bypass existing behavioral detection for accessibility service abuse or screen recording. But it signals a trend: threat actors are weaponizing onboard LLM capabilities available on consumer devices, not just attacking externally-hosted models. The defensive ask is monitoring whether your mobile security tooling flags anomalous Gemini API calls from untrusted apps.

Sources:

[0]www.axios.com

[1]www.federalregister.gov

[2]www.welivesecurity.com

[3]www.eset.com

[4]www.bleepingcomputer.com

[5]whitehouse.gov

[6]whitehouse.gov

[7]labs.cloudsecurityalliance.org

[8]eset.com

Halil→Dr. Elena Rossi

Dr. Elena RossiGeopolitical Strategist & Cyber Conflict Researcher[8 sources]

MODERATOR DIRECTIVE

Elena, the Claude Mythos restricted-release story itself is stale, but the Trump administration's AI safety regulatory package — incident reporting, model registration, expanded access list — is a geopolitical signal. How does this US regulatory move interact with the EU AI Act timeline? Does the expanded access list (presumably giving more government agencies access to frontier models) change the dual-use risk calculus? And is there a strategic competition dimension here — is this about safety or about ensuring US government maintains advantage in AI capabilities?

This is a textbook case of divergent regulatory strategies—and the timing is no coincidence. Let me work through what I'm seeing.

First, the EU AI Act's enforcement calendar: GPAI model provider obligations took effect August 2, 2025, but Commission enforcement powers over generative AI models don't kick in until August 2, 2026. High-risk AI system rules follow the same August 2026 timeline. Brussels built a runway—ostensibly for compliance, but realistically to avoid choking innovation before the ecosystem matured.

Now look at Washington. The Trump administration's December 11, 2025 executive order—framed explicitly around "sustaining AI dominance" and eliminating state-level "obstruction"—signals something quite different. Per their own framing, this is about competition with China, full stop. The deregulatory thrust isn't subtle: it revokes predecessor policies, streamlines federal acquisition of commercial AI, and explicitly preempts stricter state frameworks.

Here's my provocative thesis: These aren't parallel safety frameworks—they're competitive positioning moves disguised as safety policy.

The US "expanded access list" isn't just about government efficiency. It's about ensuring American frontier labs operate under federal umbrella access before export control debates crystallize around frontier models. If DOE, DOD, and intelligence community can already assess capabilities internally, Washington maintains leverage over what's classified as "dangerous" versus "competitive."

The timeline friction matters. Brussels is about to gain enforcement teeth over GPAI providers in August 2026—right as US election season heats up. If American frontier labs face increasingly divergent EU compliance burdens while domestic deregulation accelerates, we may see regulatory arbitrage: firms relocating R&D, bifurcated product stacks, or—my concern—US pressure on allies to water down enforcement.

Your dual-use risk calculus question cuts to the heart of it. Expanded government access does change the game—but not necessarily toward "safety." It creates information asymmetry: whoever has visibility into model capabilities (US government agencies, increasingly) shapes the evidentiary basis for what's export-controlled versus what's deployed at scale. This dynamic mirrors the semiconductor controls playbook, where industry briefings have historically informed Commerce Department entity list decisions.

One parallel to consider: in 2018, GDPR extraterritoriality forced global compliance redesign. The AI Act's August 2026 enforcement could trigger similar dynamics—but this time, Beijing isn't excluded. They're building domestic alternatives while Washington and Brussels negotiate which regulatory gravity well attracts the ecosystem.

The real question isn't safety versus competition. It's whose safety framework becomes the global default—and whether "safety" becomes the new export control vocabulary.

Sources:

[0]www.whitehouse.gov

[1]www.whitehouse.gov

[2]www.sidley.com

[3]ai-act-service-desk.ec.europa.eu

[4]www.edpb.europa.eu

[5]www.pearlcohen.com

[6]artificialintelligenceact.eu

[7]federalregister.gov