260524-1200z – MAGNET

MAGNET S2 WEEKLY OSINT INTELLIGENCE SNAPSHOT DTG: 260524-1200Z | Reporting Period: 17–23 May 2026 | United States Focus www.magnethf.com

Download PDF version of this report

MAGCON STATUS

MAGCON LEVEL 3 ELEVATED

MAGCON holds at Level 3 – ELEVATED. The dominant development this week is a third armed incident at or near White House security infrastructure in 30 days: on 23 May, Nasire Best (21, Maryland) approached the 17th St/Pennsylvania Ave checkpoint, pulled a firearm from a bag, and fired dozens of rounds at Secret Service officers before being fatally shot. A bystander remains in critical condition. Best had prior Secret Service contacts, documented mental health history, and social media posts threatening President Trump. This is the third gunfire incident near the president in 30 days (WHCA Dinner attack 25 Apr; Washington Monument shooting 4 May; checkpoint attack 23 May). Separately, Iran-US peace talks reached a potential inflection point: Trump declared a deal to reopen the Strait of Hormuz “largely negotiated” on 23 May; CNN sources report a two-phase MOU framework — Hormuz reopening first, nuclear issue second. Markets reacted: Brent crude fell to ~$103.94/bbl (22 May) from $109.24 the prior week, down ~4.9% WoW on deal optimism. National gas average edged up to $4.55/gal (21 May) from $4.528. New KEV additions include Microsoft Defender CVE-2026-41091 (EoP, CVSS 7.8) and CVE-2026-45498 (DoS), plus Trend Micro Apex One and Langflow flaws. Linux CVE-2026-31431 exploitation surge now confirmed active. TREND VS LAST WEEK: WORSENING – DOMESTIC SECURITY / DIPLOMATIC / ENERGY / CYBER SECTORS

PRIMARY RISK DRIVERS

Trump declared Iran deal ‘largely negotiated’ on 23 May; CNN sources confirm two-phase MOU framework: Phase 1 = Hormuz reopening, Phase 2 = nuclear negotiations; Iran’s foreign ministry confirmed MOU as first phase with broader talks within 30–60 days; details still being finalized
Third armed incident near White House in 30 days: Nasire Best (21, MD) opened fire at Secret Service checkpoint at 17th St/Pennsylvania Ave on 23 May at ~1810 EDT; fired dozens of rounds; fatally shot by Secret Service; one bystander in critical condition; prior SS contacts, involuntary psych commitment, social media threats to Trump
Best had multiple prior encounters with Secret Service including June 2025 detention for threats and July 2025 unlawful entry arrest; described as ‘known to the Secret Service’; no confirmed political motive — mental health history prominent in court records and law enforcement statements
Pattern of concern: Cole Tomas Allen (WHCA Dinner, 25 Apr), unnamed suspect near Washington Monument (4 May, charged as Michael Marx), and now Best on 23 May — three distinct incidents in 30 days targeting or near presidential security perimeter
Brent crude ~$103.94/bbl on 22 May, down ~4.9% WoW from $109.24 on deal optimism; Iran also reportedly exploring a permanent Hormuz toll system — rejected by Trump; market remains highly sensitive to mixed signals from both sides
National gas average $4.55/gal as of 21 May (up from $4.528); EIA weekly retail $4.621/gal (wk of 18 May); US gasoline stockpiles fell for 13th consecutive week; Memorial Day weekend travel demand adding upward pressure
CISA added Microsoft Defender CVE-2026-41091 (EoP, CVSS 7.8) and CVE-2026-45498 (DoS) to KEV on 20 May — both confirmed actively exploited; Canada’s CCCS issued parallel guidance; affects Defender versions prior to 4.18.26040.7
CISA added Trend Micro Apex One CVE-2026-34926 (directory traversal) and Langflow CVE-2025-34291 (origin validation) on 21 May; federal deadline imminent
Linux CVE-2026-31431 exploitation surge confirmed active — federal deadline passed 15 May; Microsoft Defender telemetry detecting mass exploitation attempts against unpatched container/cloud environments; patch immediately
Cisco SD-WAN CVE-2026-20182 (CVSS 10.0) federal deadline passed 17 May; UAT-8616 clusters remain active; no indication exploitation tempo has decreased
Iran internet conditions reported as partially restored, improving OSINT visibility slightly; Iranian internal division between hardliners and pragmatists remains the key deal-breaking variable even as MOU framework advances
IEA global undersupply warning through October remains in effect despite deal optimism; US crude inventories down 7.9M barrels week of 15 May; SPR drawdown status not yet announced

DELTA SUMMARY – CHANGES FROM LAST REPORT (260517-1200Z)

TOPIC	DELTA FROM 260517-1200Z
White House Area Shooting (23 May)	NEW — CRITICAL DOMESTIC SECURITY. Nasire Best (21, MD) opened fire at Secret Service checkpoint, 17th St/Pennsylvania Ave, at ~1810 EDT 23 May. Fired dozens of rounds; fatally shot by Secret Service. One bystander critical. Prior SS contacts (June/July 2025), involuntary psych commitment, social media Trump threats. Third armed incident near White House in 30 days. No political motive confirmed; mental health history dominant in early reporting.
Iran-US Deal / Hormuz	MAJOR DEVELOPMENT — IMPROVING. Trump declared deal ‘largely negotiated’ 23 May. CNN: two-phase MOU — Phase 1 Hormuz reopening, Phase 2 nuclear talks. Iran FM confirmed MOU framework with 30–60 day follow-on negotiations. Deal details still being finalized; Iranian internal split remains risk. Iran separately floated Hormuz toll system — rejected by Trump. Assessment: highest probability of deal since conflict began, but not signed.
Oil / Energy	IMPROVING (conditional). Brent ~$103.94/bbl (22 May), down ~4.9% WoW on deal optimism; WTI ~$99.85. Gas $4.55/gal nationally (21 May), up $0.022 from last week. EIA weekly $4.621/gal. US crude inventories -7.9M bbl. Gasoline stocks fell 13th consecutive week. Memorial Day demand pressure beginning. Deal uncertainty means price volatility remains high.
Microsoft Defender KEV	NEW this week. CVE-2026-41091 (EoP, CVSS 7.8) and CVE-2026-45498 (DoS) added to CISA KEV 20 May. Both actively exploited. Canada CCCS issued parallel guidance. Patch to Defender 4.18.26040.7 / MMP Engine 1.1.26040.8 immediately.
Trend Micro / Langflow KEV	NEW this week. CVE-2026-34926 (Trend Micro Apex One directory traversal) and CVE-2025-34291 (Langflow origin validation error) added to KEV 21 May. Apply vendor patches immediately.
Linux ‘Copy Fail’ CVE-2026-31431	WORSENING. Exploitation surge now confirmed active per Microsoft Defender telemetry. Federal deadline passed 15 May. Mass exploitation of unpatched container/cloud environments underway. Patch to kernel 6.18.22 / 6.19.12 / 7.0 immediately — no further delay tolerable.
Cisco SD-WAN CVE-2026-20182	ONGOING. Federal deadline passed 17 May. UAT-8616 and 10+ clusters remain active. Organizations that missed deadline are exposed. No change to threat tempo observed.
Canvas LMS Breach	STABLE/ELEVATED. No new developments. Phishing risk from 275M records continues 90+ day window. Canvas-themed spear-phishing campaigns expected to peak in coming weeks.
Converse Reservoir IED	ONGOING — NO ARREST. FBI investigation continues. No suspect or motive established. Water utility underwater physical security protocols remain an open national gap.

NO CHANGE:

MAGCON level holds at 3 – ELEVATED
Iranian APT cyber targeting of U.S. ICS/OT remains active
Bab el-Mandeb / Red Sea threat stable at ELEVATED
Civil Unrest remains ROUTINE
CIRCIA mandatory cyber incident reporting rule finalization still pending
CISA CI Fortify initiative ongoing; Converse Reservoir IED directly validates CI Fortify threat model
Microsoft Exchange CVE-2026-42897 (XSS/OWA) — patch still required

SECTOR THREAT LEVELS

SECTOR	LEVEL	NOTES
Terrorism / Extremism	ELEVATED	Third armed incident near White House in 30 days (23 May); pattern of lone-actor/mentally ill individuals targeting presidential security perimeter
Cyber Activity	ELEVATED	Linux CVE-2026-31431 exploitation surge confirmed; MS Defender KEV additions; Cisco SD-WAN deadline passed
Critical Infrastructure	ELEVATED	Converse Reservoir IED investigation ongoing; CI Fortify assessments continuing; SD-WAN overdue patches expose CI networks
Energy / Fuel Sector	CRITICAL	Brent ~$104; gas $4.55/gal; deal optimism driving prices down; Memorial Day demand upward pressure; IEA undersupply warning unchanged
Education Sector	ELEVATED	Canvas ransom resolved; phishing risk from 275M records continues 90+ days
Civil Unrest	ROUTINE	No significant developments
Transportation Systems	ELEVATED	Hormuz deal ‘largely negotiated’; reopening not yet confirmed; commercial maritime still at reduced transit
Supply Chain / Logistics	ELEVATED	Hormuz closure impact on global supply chains; anticipatory market movements on deal news
Food / Fertilizer Security	ELEVATED	Gulf shipping disruption continues to impact fertilizer/ag trade lanes

GLOBAL CHOKEPOINT WATCH

CHOKEPOINT	STATUS	ASSESSMENT
Strait of Hormuz	CRITICAL → IMPROVING	Deal ‘largely negotiated’ per Trump (23 May); MOU framework: Phase 1 Hormuz reopening, Phase 2 nuclear. Iran FM confirmed framework. Not yet signed or implemented. Toll system proposal rejected by Trump. Treat as CLOSED until confirmed open.
Bab el-Mandeb / Red Sea	ELEVATED	Stable. Houthi threat posture unchanged.
Panama Canal	ROUTINE	Stable. Normal operations.
Strait of Malacca	ELEVATED	Stable. SE Asia energy stress from Hormuz persists; anticipatory easing on deal news.

KEY INCIDENTS

UNITED STATES — White House Checkpoint Shooting, Washington D.C. [CRITICAL DOMESTIC SECURITY]

Nasire Best, 21, of Maryland, approached the Secret Service checkpoint at 17th Street and Pennsylvania Avenue at approximately 1810 EDT on 23 May 2026, removed a firearm from a bag, and fired dozens of rounds at posted officers. Secret Service returned fire and fatally wounded Best, who died at George Washington University Hospital. One bystander was struck and remains in critical condition. President Trump was in the White House at the time and was unharmed. No Secret Service officers were reported injured.

Best was documented as “known to the Secret Service.” Court records show two prior SS contacts in summer 2025: a June 2025 detention for flagging down agents and making threats, and a July 2025 unlawful entry arrest during which Best claimed to be Jesus Christ. He was involuntarily committed to a psychiatric hospital on at least one occasion. Social media belonging to Best included a post appearing to threaten violence against President Trump and another post stating “I’m actually the son of God.”

The analytical significance is pattern, not isolated incident: three distinct gunfire events at or near presidential security in 30 days. Allen (WHCA Dinner, 25 Apr) had a political manifesto. Marx (Washington Monument area, 4 May) is charged and in custody. Best appears to present as a mentally ill individual with prior fixation on the White House complex rather than an organized political actor. However, the clustering of three events in 30 days warrants elevated monitoring regardless of individual actor profiles — the convergence of ideological, political, and mentally ill threat actors targeting the same geographic security zone is analytically significant.

IRAN–U.S. — Deal ‘Largely Negotiated’; Two-Phase MOU Framework

Trump’s 23 May statement that a deal is “largely negotiated” represents the most optimistic public US framing since negotiations began. CNN sources report the deal unfolds in two phases: Phase 1 declares end of hostilities and Hormuz reopening; Phase 2 addresses nuclear issues including Iran committing to not seek nuclear weapons, entering negotiations on its enriched uranium stockpile, and pausing new enrichment. Iran’s foreign ministry confirmed the MOU as a first-phase framework with broader talks within 30–60 days.

Critical analytical caveats: (1) The deal is not signed. US officials have touted optimism at multiple prior points without reaching agreement — including after the first round of talks collapsed when the Iranian team had to return to Tehran for authorization to sign. (2) Iran’s internal division between hardliners and pragmatists remains the structural obstacle. (3) Trump’s prior uranium concession (“not necessary” to recover stockpile) weakens the US negotiating position entering Phase 2. (4) Iran’s floated Hormuz toll system, rejected by Trump, suggests Iranian negotiators are still testing US redlines. Secretary Rubio’s statement that “we don’t have to have the actual agreement written in one day” signals continued US patience but also continued uncertainty. Assessment: probability of MOU signing within 7 days is higher than any prior point in the conflict, but remains below 50% until confirmed.

UNITED STATES / CYBER — Microsoft Defender Actively Exploited; Linux Exploitation Surge Confirmed

Two Microsoft Defender vulnerabilities added to CISA KEV on 20 May confirm active exploitation: CVE-2026-41091 (elevation of privilege, CVSS 7.8) allows a local attacker with limited access to gain SYSTEM-level permissions via Defender abuse; CVE-2026-45498 (denial of service, CVSS 4.0) affects the same product. The Canadian Centre for Cyber Security issued parallel guidance, elevating this from routine patching to cross-agency active exploitation priority. Affected: Microsoft Defender versions prior to 4.18.26040.7 and Microsoft Malware Protection Engine versions prior to 1.1.26040.8.

Separately, Microsoft Defender telemetry has confirmed the Linux CVE-2026-31431 exploitation surge is now active. The federal deadline passed 15 May. Mass exploitation of unpatched container and cloud environments is underway. Any organization running Linux kernel versions below 6.18.22, 6.19.12, or 7.0 in cloud or container environments should treat this as an active incident response priority, not a patch scheduling item.

CYBER / INFRASTRUCTURE BULLETIN

KEV Bulletin — Patch Immediately

CVE / SYSTEM	SEVERITY	ACTION REQUIRED
CVE-2026-41091 Microsoft Defender	CVSS 7.8	NEW — Added to KEV 20 May. Elevation of privilege to SYSTEM via Defender abuse. Patch to Defender 4.18.26040.7 / MMP Engine 1.1.26040.8. Actively exploited; Canada CCCS issued parallel guidance.
CVE-2026-45498 Microsoft Defender	CVSS 4.0	NEW — Added to KEV 20 May. Denial of service. Same patch target as CVE-2026-41091.
CVE-2026-34926 Trend Micro Apex One	HIGH	NEW — Added to KEV 21 May. Directory traversal vulnerability on-premise. Apply Trend Micro patches immediately.
CVE-2025-34291 Langflow	HIGH	NEW — Added to KEV 21 May. Origin validation error. Patch or discontinue immediately.
CVE-2026-31431 Linux Kernel ‘Copy Fail’	CVSS 7.8	EXPLOITATION SURGE CONFIRMED ACTIVE. Federal deadline PASSED 15 May. Mass exploitation of unpatched containers/cloud underway. Patch to kernel 6.18.22 / 6.19.12 / 7.0 — treat as active incident response.
CVE-2026-20182 Cisco Catalyst SD-WAN	CVSS 10.0	Federal deadline PASSED 17 May. UAT-8616 and 10+ clusters active. Unauthenticated remote auth bypass. Apply ED-26-03 or discontinue immediately.
CVE-2026-42897 Microsoft Exchange Server	HIGH	ONGOING. XSS in Outlook Web Access. Apply MSRC mitigations. Confirmed active exploitation.

EMERGING INDICATORS

Watch: FBI investigation update on White House checkpoint shooter (Best) — specifically whether any connection exists to the prior two incidents; determine if mentally ill fixation on White House complex is an emerging lone-actor pattern
Watch: Formal signing or collapse of Iran-US MOU — this is the primary trigger for energy price movement; positive confirmation drops Brent toward $85–90; collapse reverses gains and raises military resumption probability
Watch: Iran’s Phase 2 nuclear negotiating posture — specifically whether hardliners accept ‘no nuclear weapon’ commitment or insist on enrichment rights before signing
Watch: Hormuz toll system concept resurfacing — Iran floated permanent toll system; Trump rejected it; this could become a Phase 1 deal-breaker if Iran reintroduces it at signing
Watch: Memorial Day weekend gas prices (24–26 May) — national average $4.55/gal trending upward; consumer impact at the pump this weekend may drive political pressure on Iran deal timeline
Watch: SPR drawdown announcement — IEA undersupply warning unchanged; if deal stalls, emergency reserve release becomes likely policy response
Watch: Linux CVE-2026-31431 mass exploitation — telemetry shows surge underway; cloud/container-heavy organizations should be monitoring for unauthorized privilege escalation now
Watch: Microsoft Defender CVE-2026-41091 exploitation in enterprise environments — EoP to SYSTEM is a high-value post-access pivot; monitor for lateral movement following initial compromise
Watch: Converse Reservoir IED investigation — any FBI attribution or arrest changes the threat posture for water utility operators nationally
Watch: Additional lone-actor incidents at White House security perimeter — three in 30 days represents an anomalous cluster; Secret Service procedural response and any known-subject watchlist changes are key indicators

VERIFIED STATUS

✓ CONFIRMED Nasire Best (21, MD) opened fire at Secret Service checkpoint at 17th St/Pennsylvania Ave on 23 May 2026 at ~1810 EDT; fatally shot by Secret Service; one bystander critical; Trump unharmed; no SS officers injured. (NPR, CNN, NBC News, AP, Fox5DC, Wikipedia — 23–24 May 2026)

✓ CONFIRMED Best had prior SS contacts (June/July 2025), involuntary psychiatric commitment, and social media posts threatening President Trump. (CNN, NBC News, Fox5DC — 23–24 May 2026)

✓ CONFIRMED This is the third gunfire incident at or near White House/presidential security in 30 days. (NPR, WYSO — 23 May 2026)

✓ CONFIRMED Trump stated Iran deal is ‘largely negotiated’ on 23 May 2026. (CNBC, CNN — 23 May 2026)

✓ CONFIRMED CNN sources: two-phase MOU framework — Phase 1 Hormuz reopening, Phase 2 nuclear negotiations. Iran FM confirmed MOU as first phase with 30–60 day follow-on talks. (CNN — 24 May 2026)

✓ CONFIRMED Brent crude ~$103.94/bbl on 22 May 2026, down from $109.24 prior week. (Trading Economics — 22 May 2026)

✓ CONFIRMED National gas average $4.55/gal as of 21 May 2026; EIA weekly $4.621/gal (wk of 18 May). (Finder.com/EIA; YCharts — 21–22 May 2026)

✓ CONFIRMED CISA added CVE-2026-41091 and CVE-2026-45498 (Microsoft Defender) to KEV on 20 May 2026; active exploitation confirmed; Canada CCCS issued parallel guidance. (Malwarebytes, CyberNewsCenter — 20–21 May 2026)

✓ CONFIRMED CISA added CVE-2026-34926 (Trend Micro Apex One) and CVE-2025-34291 (Langflow) to KEV on 21 May 2026. (CISA.gov — 21 May 2026)

✓ CONFIRMED Linux CVE-2026-31431 exploitation surge now active per Microsoft Defender telemetry; federal deadline passed 15 May. (Malwarebytes — 21 May 2026)

✗ NOT CONFIRMED Iran-US MOU formally signed. Trump and Iran FM statements indicate ‘largely negotiated’ but no signing confirmed as of DTG.

✗ NOT CONFIRMED Political or organized motive established for Nasire Best; current evidence indicates mentally ill lone actor.

OPERATOR GUIDANCE

PATCH MICROSOFT DEFENDER NOW — CVE-2026-41091 (EoP) and CVE-2026-45498 (DoS) actively exploited; update to Defender 4.18.26040.7 / MMP Engine 1.1.26040.8; treat as active incident response priority
PATCH LINUX KERNEL NOW — CVE-2026-31431 exploitation surge confirmed active; federal deadline PASSED 15 May; patch to 6.18.22 / 6.19.12 / 7.0; audit all cloud/container environments for unauthorized privilege escalation
CISCO SD-WAN — CVE-2026-20182 CVSS 10.0 federal deadline PASSED 17 May; if not patched, assume compromise and begin incident response procedures; apply ED-26-03 or discontinue
Trend Micro Apex One — CVE-2026-34926 directory traversal on KEV; apply vendor patches immediately
Langflow deployments — CVE-2025-34291 on KEV; patch or discontinue; review for unauthorized DB access or credential theft
Microsoft Exchange — CVE-2026-42897 XSS/OWA remains actively exploited; apply MSRC mitigations if not yet done
Canvas institutions — maintain elevated phishing awareness through mid-August; verify any Canvas-branded communication through official channels; expect personalized spear-phishing using course names and private message context
Water utility / dam operators — Converse Reservoir IED investigation ongoing with no arrest; maintain enhanced underwater physical security protocols; report anomalies to FBI and DHS
Do not use unofficial Hormuz transit guidance — strait effectively closed until MOU signing confirmed; verify through TRANSCOM for any operational requirements; monitor for formal reopening announcement
Secret Service and federal facility security — note three-incident cluster in 30 days at White House perimeter; review known-subject watchlist protocols and checkpoint response procedures
Monitor Iran deal developments this week — formal MOU signing is the primary trigger for energy price normalization and military resumption risk reduction
Report cyber incidents to cisa.gov or IC3.gov; CI Fortify guidance at cisa.gov

SOURCE LIST

[1] NPR – Secret Service Fatally Shoots Suspect Outside White House Checkpoint, 23–24 May 2026 https://www.npr.org/2026/05/23/g-s1-124148/secret-service-shooting-white-house

[2] CNN – Man Killed Outside White House Had Previous Secret Service Arrest, Mental Health Concerns, 23 May 2026 https://www.cnn.com/2026/05/23/us/white-house-shooting-nasire-best-invs

[3] NBC News – Secret Service Kills Man Who Opened Fire at White House Security Checkpoint, 23 May 2026 https://www.nbcnews.com/politics/politics-news/gunshots-reported-near-white-house-rcna346671

[4] Fox5DC – What We Know About Nasire Best, Maryland Man Accused of White House Shooting, 24 May 2026 https://www.fox5dc.com/news/nasire-best-white-house-shooting-suspect-secret-service

[5] Wikipedia – May 2026 White House Shooting (live, updated 24 May 2026) https://en.wikipedia.org/wiki/May_2026_White_House_shooting

[6] WYSO/NPR – Secret Service Fatally Shoots Suspect; Third Incident Near Trump in One Month, 23 May 2026 https://www.wyso.org/npr-news/2026-05-23/secret-service-shoots-person-near-white-house-bystander-also-shot-law-enforcement-says

[7] CNBC – Trump Says Iran Deal Reopening Strait of Hormuz ‘Largely Negotiated,’ Will Be Announced Soon, 23 May 2026 https://www.cnbc.com/2026/05/23/us-iran-war-talks.html

[8] CNN Live Updates – US Touts ‘Significant Progress,’ Uncertainty Remains Over Iran Deal, updated 24 May 2026 https://www.cnn.com/2026/05/24/world/live-news/iran-war-news

[9] Axios – US, Iran Closing in on One-Page Memo to End War, 6 May 2026 https://www.axios.com/2026/05/06/iran-us-deal-one-page-memo

[10] Time – US and Iran Offer Mixed Messages on Deal to End War, 7 May 2026 https://time.com/article/2026/05/07/us-iran-war-deals-mou

[11] Trading Economics – Brent Crude Oil Price, 22 May 2026 https://tradingeconomics.com/commodity/brent-crude-oil

[12] Finder.com – US Gas Prices 2018 to May 2026, updated 21 May 2026 https://www.finder.com/economics/gas-prices

[13] YCharts / EIA – US Retail Gas Price, Week of 18 May 2026 https://ycharts.com/indicators/us_gas_price

[14] Malwarebytes – Microsoft Defender Vulnerabilities Being Exploited in the Wild, 21 May 2026 https://www.malwarebytes.com/blog/bugs/2026/05/microsoft-defender-vulnerabilities-are-being-exploited-in-the-wild

[15] CyberNewsCenter – 21 May 2026 Cyber Update: CISA KEV Batch Includes MS Defender Flaws, 21 May 2026 https://www.cybernewscentre.com/21st-may-2026-cisa-kev-old-bugs-microsoft-defender/

[16] CISA – Known Exploited Vulnerabilities Catalog (current) https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[17] House of Commons Library – US-Iran Ceasefire and Nuclear Talks in 2026, updated 22 May 2026 https://commonslibrary.parliament.uk/research-briefings/cbp-10637/

[18] Capital.com – Crude Oil Price Forecast / Hormuz Closure Analysis, 18–19 May 2026 https://capital.com/en-int/market-updates/crude-oil-price-forecast-19-05-2026

Submit reports through established MAGNET situational awareness channels. To Learn More About MAGNET, Visit www.MAGNETHF.COM