The May 2026 threat landscape is dominated by two converging patterns: active exploitation of critical perimeter and identity infrastructure (PAN-OS CVE-2026-0300, Ivanti EPMM CVE-2026-6973, Microsoft ESTS CVE-2026-40379) and broad credential harvesting campaigns targeting both endpoint users and cloud-native environments (ClickFix/Vidar, PCPJack). CVE-2026-0300 demands immediate action, a likely state-sponsored actor (CL-STA-1132) is conducting post-exploitation activity including AD enumeration, SAML abuse, and deliberate log destruction on compromised PAN-OS firewalls, with patches not expected until May 28. Microsoft’s May 2026 Patch Tuesday adds three additional critical vulnerabilities (CVE-2026-33109, CVE-2026-33823, CVE-2026-40379) affecting Azure and M365 identity infrastructure, compounding enterprise exposure across cloud and on-premises environments.