IT News Roundup: Cisco Zero-Day, Pwn2Own Chaos, OpenAI vs Apple, Orbital Data Centers — May 15, 2026

Cisco SD-WAN Zero-Day Actively Exploited (CVE-2026-20182)

Cisco has confirmed that a critical vulnerability in its Catalyst SD-WAN Controller is being actively exploited in limited cyberattacks. The flaw, tracked as CVE-2026-20182, carries a maximum CVSS score of 10.0 and allows unauthenticated attackers to bypass authentication on the SD-WAN vdaemon service via DTLS on UDP port 12346, gaining full administrative access.

CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 14, mandating that federal agencies patch by May 17. This marks the sixth SD-WAN zero-day exploited in 2026 — the same product line has been under sustained attack this year. Rapid7 researchers noted the vulnerability resembles previously exploited CVE-2026-20127, affecting a similar part of the networking stack.

Source: The Hacker News, Dark Reading, CISA

Pwn2Own Berlin 2026 Shatters Records with 39 Zero-Days

The ZDI's Pwn2Own Berlin hacking competition delivered an unprecedented opening weekend. On Day One alone, security researchers demonstrated 24 unique zero-day vulnerabilities across browsers, operating systems, AI platforms, and developer infrastructure — earning $523,000 in rewards. Day Two added another 15 zero-days and $385,750, bringing the total to $908,750 and 39 unique vulnerabilities.

Notable targets breached included Microsoft Windows 11 (exploited three times in 24 hours), Microsoft Edge, SharePoint, Exchange, Safari, LiteLLM, and NVIDIA platforms. The density of zero-day exploits in a single event signals growing structural weaknesses in widely deployed software. Researchers warned that modern systems are accumulating hidden vulnerabilities faster than vendors can patch them.

Source: Zero Day Initiative, Forbes, Security Affairs

OpenAI Considers Legal Action Against Apple Over Siri Partnership

OpenAI is reportedly preparing to take legal action against Apple as their two-year-old partnership becomes increasingly strained. According to Bloomberg, OpenAI has not seen the expected subscriber growth or visibility from the ChatGPT integration into Siri and Apple Intelligence. The AI startup is particularly frustrated that Apple has not sufficiently promoted ChatGPT to drive paid subscriptions.

The relationship has deteriorated further as Apple shifts toward integrating Google's Gemini and Anthropic's Claude alongside ChatGPT, reducing OpenAI's exclusive position. Apple is also reported to be frustrated with OpenAI talent poaching for Jony Ive's AI hardware project. This would not be the first time an OpenAI partner has felt burned — Meta and Microsoft have both experienced similar friction.

Source: Bloomberg, TechCrunch, New York Times

Google and SpaceX Explore Orbital Data Centers for AI

Google is in advanced discussions with SpaceX to launch data centers into orbit, marking a bold new frontier in AI infrastructure. According to The Wall Street Journal, Google's Project Suncatcher aims to harness unlimited solar power in space to power AI computing workloads, with prototype satellites targeted for launch by 2027.

The initiative addresses growing constraints on Earth-based data centers: power grid limitations, water cooling requirements, and physical space shortages. SpaceX has already filed with the FCC seeking permission to launch up to a million satellites for AI data center deployments. The endeavor is expected to be highly capital-intensive and is cited as a major driver behind SpaceX's planned IPO.

Source: Reuters, Forbes, Interesting Engineering

Microsoft May Patch Tuesday: 120 Flaws Fixed, First Zero-Day-Free Release in 21 Months

Microsoft's May 2026 Patch Tuesday addressed 120 vulnerabilities across Windows, Office, SharePoint, Hyper-V, .NET, and other enterprise components — including 17 critical flaws (14 remote code execution, 2 elevation of privilege, and 1 information disclosure). Notably, this was Microsoft's first zero-day-free Patch Tuesday since June 2024.

Of particular interest: 16 of the vulnerabilities were discovered by Microsoft's new MDASH (Multi-model Detection And Scanning Hub) AI security system — a sign that AI-driven vulnerability discovery is becoming a mainstream part of vendor security programs. Key critical fixes included Word preview-pane RCE vulnerabilities, DNS Client remote code execution (CVE-2026-41096), and a Netlogon wormable flaw.

Source: Infosecurity Magazine, SecPod, Talos Intelligence

US Judge Reviews Anthropic's $1.5 Billion Authors Settlement

A federal judge in San Francisco pressed lawyers for more information on Anthropic's proposed $1.5 billion settlement with authors who accused the company of using their books to train Claude without permission. The case — the largest US copyright settlement involving an AI company — remains under scrutiny as the judge delays final approval.

More than 25 authors, including Dave Eggers and Vendela Vida, have opted out of the settlement and filed a new complaint in California, citing insufficient individual payouts and excessive attorney fees. Meanwhile, Anthropic launched a separate $200 million partnership with the Gates Foundation focused on AI applications in health and education, including predicting drug candidates for HPV treatment.

Source: Reuters, The Hindu