
CISA orders Feds to patch Drupal. Microsoft patch breaks some Windows Server 2016 deployments. Google joins growing opposition to Canada's cyber spying bill. And Iran-linked hackers are now writing malware with the help of AI. This is Cybersecurity Today, and I'm your host, David Shipley. Let's get started.

If your organization runs a Drupal-powered website on PostgreSQL, today is the day to patch it. The US Cybersecurity and Infrastructure Security Agency gave US federal civilian departments until midnight tonight to patch a critical SQL injection vulnerability in Drupal that's already being exploited in the wild. CISA added the flaw to its Known Exploited Vulnerabilities catalog on Friday, triggering a roughly five-day federal patching clock. According to Bleeping Computer, the vulnerability is CVE-2026-9082. Successful exploitation can lead to information disclosure, privilege escalation and remote code execution. Cybersecurity firm Imperva has observed more than 15,000 attack attempts against nearly 6,000 individual sites across 65 countries since the vulnerability was disclosed, with about half of those attacks targeting gaming and financial services sites. This is the second major CMS SQL injection story we've covered this week. On Monday we talked about the Ghost CMS flaw compromising sites including Harvard and Oxford. The economics of CMS exploitation are clearly hot right now, and Drupal is heavily used by exactly the kinds of large institutions that often take a long time to patch: governments, universities, major media outlets, some financial institutions. For administrators: if you're on a vulnerable version with a PostgreSQL backend, patch immediately. If you can't, follow Drupal's mitigation guidance and assume any unpatched, Internet-exposed installation has already been probed and likely compromised. The next story is well worth keeping in mind.
Microsoft has confirmed that the May 2026 security update for Windows Server 2016, tracked as KB5087537, breaks domain controller discovery on servers whose host names are exactly 15 characters long, according to Bleeping Computer. Microsoft is investigating and has not committed to a fix timeline. That's the kind of bug that normally wouldn't make headlines on its own, but it's a canary in the coal mine. Microsoft has been racking up patch quality issues over the past few months: server reboot loops, BitLocker recovery boot prompts, Windows 11 update failures on systems short on EFI partition space, and a bug that for almost two years was causing Server 2019 and 2022 instances to unexpectedly upgrade themselves to Server 2025 before Microsoft finally patched it in April. This is what happens when you ship more patches faster. As we discussed on Monday, the volume is only going to continue to go up as AI-driven vulnerability discovery and exploitation accelerates. Microsoft has already said publicly that its monthly patch volume will continue trending larger. The trade-off facing every IT shop seems awfully familiar. It's going to be more patches with more possible breakage versus fewer patches with more exploitation. That's not a good news story.

Google has formally joined opposition to the Canadian federal government's lawful access bill, warning that key provisions could create cybersecurity vulnerabilities that weaken security for all Canadian users and could create new attack surfaces for foreign threat actors. According to the Globe and Mail, Google filed a submission with the House of Commons Public Safety committee studying Bill C-22, the lawful access legislation that would require electronic service providers operating in Canada to adjust their systems to give surveillance and monitoring capabilities to police and the Canadian Security Intelligence Service. The bill would also require those providers to retain customer metadata for up to one year.
CSIS and law enforcement have long argued that Canada is behind its Five Eyes intelligence partners in not having such a regime. Numerous past attempts at similar laws have failed. Google joins Meta, Apple, Signal, the Canadian Chamber of Commerce, the Canadian Telecommunications Association and various privacy and civil liberties groups in opposing major elements of the bill. Google's submission flags three specific cybersecurity concerns. First, secret ministerial orders: sweeping powers for the Minister of Public Safety to issue compliance directives that companies cannot disclose to their users. Google argues the definition of electronic service provider is broad enough that almost any company operating in Canada could receive one. Second, encryption. The bill includes a carve-out saying that companies aren't obliged to introduce a systemic vulnerability, but Google argues that definition is too narrow to actually protect end-to-end encryption. The company says on the record that it has never built a backdoor into any of its products and that a Canadian law that effectively forced it to would create exploitable weaknesses with global consequences. Third, the metadata retention requirement. Storing one year of metadata on every Canadian customer of every covered company creates an enticing target for hackers, including state-sponsored attackers. The concerns outlined by Google aren't theoretical. The most consequential cybersecurity event of the last five years, the Salt Typhoon campaign, was Chinese state-sponsored hackers compromising the lawful intercept systems that US telecommunications carriers built to comply with the American equivalent of some of this legislation. The systems governments require for security and law enforcement purposes do not stay solely in the hands of the intended lawful users. They get found, they get exploited, and the architecture put in place for one purpose becomes an open door for adversaries.
The official opposition in Canada has signaled they intend to push for significant amendments. Alberta MP Dane Lloyd, a Conservative on the committee, said the party will put forward strong amendments to limit government power. With the governing Liberals now in majority status, it's unclear if they will truly accept opposition feedback or if they'll ram the bill through before the end of the spring session.

We'll close today with a major update to the last episode's Iran-linked spear phishing story and our overall coverage of Iran war cyber activity. According to The Hacker News, the same group, Nimbus Manticore, also known as Screening Serpens or UNC1549, affiliated with Iran's Islamic Revolutionary Guard Corps, has been running three distinct campaign waves. From February through April, the group has deployed a new backdoor called MiniFast, deployed alongside an updated version of the existing tool called MiniJunk v2. The campaigns they launched hit organizations in the United States, Israel, the United Arab Emirates, Saudi Arabia, Australia and across Europe, as well as the broader Middle East. Among the named victims: a US oil and gas firm. Check Point researchers found strong technical indicators that the MiniFast backdoor was written with significant AI assistance. The fingerprints are patterns large language models leave when generating code: excessive error handling, verbose and repetitive function naming, debug-style status messages, modular organization that exceeds what the malware's actual complexity requires. Sergey Shykevich, Check Point's Threat Intelligence Group manager, said the group built and deployed a brand new backdoor mid-conflict while operations were actively underway, and AI tools helped them. The February and March campaigns used what Iran-linked groups have done for years: career-themed phishing lures, fake job postings and the so-called Iranian Dream Job playbooks borrowed from North Korean state hackers.
March added Trojanized Zoom installers delivered through fake meeting invitations. But the April campaign stands out. Check Point found that Nimbus Manticore set up a fake Oracle SQL Developer download page, registered dozens of supporting domains to boost its search rankings and managed to get it ranked highly on Bing and DuckDuckGo. No spear phishing required. They just waited for developers to search for Oracle SQL tools and click on the top result. Even if the physical war winds down, which at this point is by no means a given, it's clear the cyber war hasn't taken a break. There's been no ceasefire, and it likely won't end anytime soon, even if the physical conflict ends.

That's Cybersecurity Today for Wednesday, May 27, 2026. We appreciate all of your feedback. Feel free to leave a comment under the YouTube video or to drop by technewsday.com or .ca and send us a note. Jim Love will be back on the news desk on Friday with more of the latest cybersecurity headlines.
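The Windows Server 2016 story above gives administrators one concrete, checkable condition: a Server 2016 host whose name is exactly 15 characters long and has KB5087537 installed. The following is an added example written for this page, not code from the episode, Microsoft or Bleeping Computer. It assumes a domain-joined estate with the RSAT ActiveDirectory module available and WinRM/RPC reachability from the admin workstation to each server; the KB number and the 15-character condition are taken from the episode as reported, not independently verified here.

```powershell
# Added example (not from the episode). Lists Windows Server 2016 computers whose
# NetBIOS name is exactly 15 characters (also the NetBIOS maximum) and reports
# whether KB5087537 is present, so the affected set can be triaged before DC
# discovery breaks. Assumes RSAT ActiveDirectory module and remote Get-HotFix access.
Import-Module ActiveDirectory

$kb = 'KB5087537'

# Computer objects running Server 2016; OperatingSystem is an AD attribute.
$candidates = Get-ADComputer -Filter "OperatingSystem -like 'Windows Server 2016*'" `
                             -Properties OperatingSystem, DNSHostName |
              Where-Object { $_.Name.Length -eq 15 }

$report = foreach ($c in $candidates) {
    try {
        # Pull the full hotfix list so "not installed" and "unreachable" stay distinct:
        # Get-HotFix -Id throws on a missing KB as well as on an unreachable host.
        $hotfixes = Get-HotFix -ComputerName $c.DNSHostName -ErrorAction Stop
        $status   = if ($hotfixes.HotFixID -contains $kb) { 'installed' } else { 'not installed' }
    } catch {
        $status = "unreachable: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Name       = $c.Name
        NameLength = $c.Name.Length
        OS         = $c.OperatingSystem
        ($kb)      = $status
    }
}

# Hosts marked 'installed' are the ones the episode says can lose DC discovery;
# hosts marked 'not installed' are the ones to hold or test before approving the update.
$report | Sort-Object Name | Format-Table -AutoSize
```

Run from an account that can read computer objects and query remote hotfix inventory. Because the failure condition is tied to name length rather than to any specific role, the same loop is worth running against member servers, not only domain controllers.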
Host: David Shipley (filling in for Jim Love)
Episode Title: CISA Orders Emergency Drupal Patch | Microsoft Server Bug | Google Fights Canada Surveillance Bill
This episode dives into urgent cybersecurity threats and policy debates impacting organizations globally. Notable topics include a major Drupal SQL injection flaw triggering a CISA emergency patch mandate, serious Microsoft Windows Server patching issues, Google's opposition to Canada’s surveillance legislation, and new reports of Iran-linked threat actors leveraging AI in malware development.
"If you can't [patch], follow Drupal's mitigation guidance and assume any unpatched Internet-exposed installation has already been probed and likely compromised." (David Shipley, [02:55])
"It's going to be more patches with more possible breakage versus fewer patches with more exploitation. That's not a good news story." ([05:06])
"The definition of electronic service provider is broad enough that almost any company operating in Canada could receive one." ([07:12])
"Google...has never built a backdoor into any of its products and that a Canadian law that effectively forced it to would create exploitable weaknesses with global consequences." ([07:38])
"The group built and deployed a brand new backdoor mid conflict while operations were actively underway and AI tools helped them."
— Sergey Shykevich, Check Point Threat Intelligence Group ([10:51])
"Even if the physical war winds down… it's clear the cyber war hasn't taken a break. There's been no ceasefire and it likely won't end anytime soon." ([12:07])
"If you're on a vulnerable version with a PostgreSQL backend, patch immediately." ([02:41])
"Microsoft has already said publicly that its monthly patch volume will continue trending larger." ([04:33])
"A Canadian law that effectively forced [a backdoor] would create exploitable weaknesses with global consequences." ([07:43])
"There's been no ceasefire, and it likely won't end anytime soon, even if the physical conflict ends." ([12:07])
David Shipley delivers the analysis with a direct, urgent, and pragmatic tone—reflecting the rising anxiety among security professionals as patching and threat landscapes intensify.
For cybersecurity teams, this episode is a must-listen primer on today's top threats and policy risks.