InfoSec.Watch - Issue #137

Palo Alto Networks PAN-OS Zero-Day Exploited Against Exposed Authentication Portals

Palo Alto Networks disclosed CVE-2026-0300, a critical PAN-OS buffer overflow affecting User-ID Authentication Portal configurations on PA-Series and VM-Series firewalls. The company says limited exploitation has been observed against portals exposed to untrusted networks, with initial fixes expected beginning May 13.

Source: Palo Alto Networks • Rapid7

💡 Key Takeaway: Identify affected PAN-OS systems now, restrict or disable exposed User-ID Authentication Portals, and hunt firewall/admin logs for low-noise access patterns before patch windows close.

Trellix Confirms Unauthorized Access to Part of Its Source-Code Repository

Trellix said it recently identified unauthorized access to a portion of its source-code repository and brought in forensic experts. The company says it has not found evidence that its source-code release or distribution process was affected, while RansomHouse later claimed responsibility for the incident.

Source: Trellix • SecurityWeek

💡 Key Takeaway: Treat security-vendor and developer-tool incidents as supply-chain triggers: review update trust paths, verify vendor attestations, and watch for emergency guidance that could require token or package validation.

Iran-Linked MuddyWater Intrusion Masquerades as Chaos Ransomware Activity

Rapid7 reported an intrusion consistent with MuddyWater activity in which attackers used social engineering, Microsoft Teams screen sharing, credential theft, remote-access tooling, and extortion elements to make the operation look like a Chaos ransomware incident rather than espionage.

Source: SecurityWeek • Rapid7

💡 Key Takeaway: Do not let an extortion note define the investigation. Validate remote-access tools, Teams support workflows, persistence paths, and credential theft indicators before assuming the incident is only ransomware.

Ivanti EPMM CVE-2026-6973 Exploited in Limited Attacks

Ivanti warned that CVE-2026-6973 affects on-prem Endpoint Manager Mobile and can allow an authenticated administrator to achieve remote code execution. CISA added the issue to KEV and set a May 10 federal remediation deadline.

Source: The Hacker News • CISA KEV

💡 Key Takeaway: Patch on-prem EPMM immediately, review admin account activity, confirm prior Ivanti credential rotations, and treat exposed mobile-management systems as high-value identity infrastructure.

Apache HTTP Server CVE-2026-23918 Raises HTTP/2 DoS and Possible RCE Risk

Apache released HTTP Server 2.4.67 to address multiple issues, including CVE-2026-23918, a double-free condition in HTTP/2 handling that researchers warn could lead to denial-of-service and possible remote code execution.

Source: The Hacker News • Apache Advisory

💡 Key Takeaway: Prioritize externally reachable Apache HTTP/2 services, upgrade to fixed builds, and temporarily reduce HTTP/2 exposure where patch timing depends on platform or appliance vendors.

Ollama Bleeding Llama Flaw Can Leak Process Memory From Exposed AI Servers

Researchers disclosed CVE-2026-7482, a critical out-of-bounds read in Ollama before 0.17.1 that can leak process memory through crafted GGUF model handling. Potentially exposed data includes API keys, environment variables, prompts, and other sensitive inference context.

Source: The Hacker News • Cyera

💡 Key Takeaway: Find shadow Ollama instances, upgrade quickly, remove direct internet exposure, and put authentication, network controls, and logging in front of local AI inference APIs.

The Exploit Window for Control-Plane Software Is Collapsing

This week reinforced the same operational pattern across firewalls, hosting panels, mobile-management platforms, AI services, and file-transfer automation: once a flaw hits public disclosure or patch-diff territory, attackers move fast against reachable management surfaces.

Source: Dark Reading • Palo Alto Networks

💡 Key Takeaway: Build a 24- to 48-hour emergency lane for internet-facing management software: asset lookup, exposure reduction, owner assignment, version verification, and post-patch log review.

CISA CI Fortify Pushes Critical Infrastructure Toward Isolation and Recovery Readiness

CISA launched CI Fortify guidance focused on helping critical infrastructure operators prepare for disruption by improving isolation and recovery planning, including operational workarounds, dependency mapping, backups, and practicing manual or replacement processes.

Source: CISA • Cybersecurity Dive

💡 Key Takeaway: Use the guidance as a tabletop agenda: identify systems that must keep running, map third-party dependencies, test isolation steps, and rehearse recovery before a geopolitical or ransomware event forces the issue.

cPanel and WHM Patch Three New Vulnerabilities

cPanel released fixes for three vulnerabilities, including two CVSS 8.8 issues that could enable code execution or privilege escalation under authenticated conditions.

Source: The Hacker News

💡 Key Takeaway: Do not let the older cPanel zero-day consume all attention; update supported branches and verify hosted-control-plane patch status across providers.

Progress Patches Critical MOVEit Automation Authentication Bypass

Progress disclosed fixes for MOVEit Automation vulnerabilities that could allow authentication bypass, privilege escalation, unauthorized access, administrative control, and data exposure.

Source: Progress • The Hacker News

💡 Key Takeaway: Inventory MOVEit Automation separately from MOVEit Transfer, patch exposed systems, and review automation workflows that move payroll, finance, customer, or partner data.

Microsoft Warns of Code-of-Conduct Phishing Campaign Targeting 35,000 Users

Microsoft reported a multi-stage phishing campaign using fake code-of-conduct review lures, PDFs, CAPTCHA pages, and adversary-in-the-middle flows to steal credentials and tokens across more than 13,000 organizations.

Source: Microsoft

💡 Key Takeaway: Move high-risk users toward phishing-resistant MFA, monitor for token replay, and add HR/compliance-themed lures to awareness and detection content.

DAEMON Tools Installers Compromised in Supply-Chain Attack

Kaspersky reported that attackers compromised official DAEMON Tools installers, signed malicious files with the vendor certificate, and used the campaign to deliver stealer and backdoor payloads to selected targets.

Source: Kaspersky • The Record

💡 Key Takeaway: Block or review DAEMON Tools versions distributed after April 8, validate installer hashes, and treat signed software as trustworthy only when source, version, and integrity checks line up.

Canvas/Instructure Attack Claims Escalate Around Education Data

Reporting on the Instructure incident expanded this week as ShinyHunters claimed broad Canvas-related data theft and later claimed additional portal defacement activity affecting education organizations.

Source: BleepingComputer • Dark Reading

💡 Key Takeaway: SaaS incident response needs tenant-level evidence: validate what was accessed, confirm portal integrity, rotate integrations, and prepare communications before school communities learn from leak sites.

Run a 48-Hour Control-Plane Exposure Sprint

Most teams assume the systems used to manage security, identity, files, infrastructure, and endpoints are already known and protected. This week is a reminder that firewalls, MDM/EMM, hosting panels, CI/CD, MFT automation, AI inference services, and remote-access tooling can create immediate blast radius when exposed or lagging on patches. For each control plane, confirm internet exposure, version, owner, authentication strength, logging coverage, and whether emergency mitigation exists before the next patch cycle.

💡 Key Takeaway: A patched control plane is not automatically safe. The win is version evidence plus reduced exposure plus 14 days of reviewed admin, authentication, and configuration logs.

Final Word

This week is not about one vendor or one CVE. It is about the systems that sit closest to privilege: firewalls, mobile-management platforms, source-code repositories, AI servers, and file-transfer automation. Attackers are moving through the places defenders trust to manage everything else.

💡 Key Takeaway: Treat trusted management paths as active attack surfaces. Reduce exposure, verify patch state, and investigate as if exploitation may have happened before the ticket was opened.