Cybersecurity Radar — 2026-05-07
A critical zero-day vulnerability in Palo Alto Networks PAN-OS firewalls (CVE-2026-0300) is being actively exploited in the wild, enabling root-level remote code execution — demanding immediate attention from network administrators worldwide. Meanwhile, Iranian state-sponsored group MuddyWater was caught using Microsoft Teams phishing to steal credentials in a sophisticated false-flag ransomware operation, and a supply chain attack on DAEMON Tools has been quietly compromising signed software installers since early April. April 2026 also saw ransomware attack volumes dip nearly 22% — but security experts warn the threat landscape is reshaping, not retreating.
🔴 Critical Alerts
Palo Alto Networks PAN-OS Zero-Day (CVE-2026-0300) — Root-Level RCE Under Active Exploitation
Palo Alto Networks has warned customers of a critical unpatched vulnerability in the PAN-OS User-ID Authentication Portal (Captive Portal service) affecting PA and VM series firewalls. CVE-2026-0300 enables attackers to achieve root-level remote code execution and is being actively exploited in the wild. No patch is available yet; organizations running affected PA and VM series firewalls should consult Palo Alto's mitigations immediately and monitor for suspicious authentication portal activity.

Apache HTTP/2 Critical Flaw (CVE-2026-23918) — DoS and Potential RCE
Apache has issued a fix in version 2.4.67 for a critical double-free vulnerability in the mod_http2 module of Apache httpd 2.4.66, specifically in the stream cleanup path of h2_mplx.c. CVE-2026-23918 can be exploited to cause denial-of-service and may enable remote code execution. All organizations running Apache httpd 2.4.66 should upgrade to 2.4.67 immediately.
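As an added example (not from the newsletter or the Apache project), the following POSIX shell check classifies a host against CVE-2026-23918 using the text of `httpd -v` and `httpd -M`, and also serves the "Upgrade Apache to 2.4.67" action item below. It assumes the `httpd` binary name (Debian-derived systems use `apache2`/`apache2ctl`) and takes the newsletter's statement that 2.4.66 is the affected build and 2.4.67 the fix.

```shell
#!/bin/sh
# Added example, not from the newsletter or the Apache project: classify a host's
# httpd build against CVE-2026-23918 from the text of `httpd -v` and `httpd -M`.
# Assumptions (from the newsletter): the double-free is in mod_http2 of 2.4.66
# and is fixed in 2.4.67. Inputs are passed as strings so the check runs offline.

# Extract "major.minor.patch" from a line such as "Server version: Apache/2.4.66 (Unix)".
httpd_version_from() {
    printf '%s\n' "$1" |
        sed -n 's/.*Apache\/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Numeric comparison of two dotted versions; prints -1, 0 or 1 (a plain string
# compare would wrongly rank 2.4.9 above 2.4.10).
version_cmp() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; s=${2#*.}; b2=${s%%.*}; b3=${s#*.}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        [ "$1" -lt "$2" ] && { printf '%s\n' -1; return; }
        [ "$1" -gt "$2" ] && { printf '%s\n' 1; return; }
    done
    printf '%s\n' 0
}

# $1 = `httpd -v` output, $2 = `httpd -M` output. Prints one of:
#   no-apache | patched | vulnerable | h2-not-loaded | not-listed
cve_2026_23918_status() {
    ver=$(httpd_version_from "$1")
    [ -n "$ver" ] || { printf '%s\n' no-apache; return; }
    [ "$(version_cmp "$ver" 2.4.67)" -ge 0 ] && { printf '%s\n' patched; return; }
    # The advisory as summarized names only 2.4.66; older builds need their own advisory check.
    [ "$(version_cmp "$ver" 2.4.66)" -lt 0 ] && { printf '%s\n' not-listed; return; }
    # 2.4.66: the flaw sits in mod_http2, so it is reachable only when that module is loaded.
    # Upgrade regardless; "h2-not-loaded" only lowers the urgency.
    if printf '%s\n' "$2" | grep -q 'http2_module'; then
        printf '%s\n' vulnerable
    else
        printf '%s\n' h2-not-loaded
    fi
}

# Run against the local host when httpd is on PATH (quietly skipped otherwise).
if command -v httpd >/dev/null 2>&1; then
    printf 'CVE-2026-23918: %s\n' "$(cve_2026_23918_status "$(httpd -v 2>&1)" "$(httpd -M 2>&1)")"
fi
```

Run it once before and once after the upgrade on each production node; the status should move from `vulnerable` to `patched`, which is the verification step the action item asks for.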

Threat Landscape
MuddyWater (Iranian APT) Deploys Microsoft Teams Phishing in False-Flag Ransomware Campaign
Iranian state-sponsored group MuddyWater has been observed (by Rapid7 in early 2026) leveraging Microsoft Teams as a social engineering vector to steal credentials. The campaign initiates infection through Teams, enabling stealthy data exfiltration and persistence — all without deploying encryption, making it a false-flag ransomware operation designed to obscure the attacker's true intent. Targeted sectors and specific victim organizations were not disclosed. Organizations should audit Teams external access policies and monitor for anomalous authentication events.

DAEMON Tools Supply Chain Attack — Signed Installers Backdoored Since April 8
Official DAEMON Tools installers have been compromised since at least April 8, 2026, in an ongoing supply chain attack. Malicious code was embedded in cryptographically signed installation packages, enabling targeted malware delivery to users worldwide who downloaded what appeared to be legitimate software. Organizations and individuals who installed DAEMON Tools software since early April should treat their systems as potentially compromised and investigate immediately.

April 2026 Ransomware: 22% Drop, But Experts Warn of a Reshaping Threat Baseline
Comparitech's ransomware roundup for April 2026 recorded 628 attacks — a nearly 22% decline from March's peak of 801 incidents, the lowest total in six months. However, analysts caution this dip reflects volatility, not a sustained retreat. The elevated "new normal" of ransomware activity established earlier in 2026 continues to reshape baseline risk expectations across industries.

Vulnerabilities & Patches
CVE-2026-0300 — Palo Alto PAN-OS Captive Portal RCE (No Patch Yet)
- Affected: PA and VM series firewalls running vulnerable PAN-OS versions
- CVSS: Critical (exact score pending)
- Status: Actively exploited; patch not yet released. Apply vendor-recommended workarounds immediately.
CVE-2026-23918 — Apache HTTP/2 Double-Free (DoS + Potential RCE)
- Affected: Apache httpd 2.4.66 (mod_http2, stream cleanup path in h2_mplx.c)
- Status: Patched in Apache httpd 2.4.67. Upgrade immediately.
'Copy Fail' Linux Vulnerability — Exploitation Begins, Added to CISA KEV
SecurityWeek reports that exploitation of a Linux vulnerability nicknamed "Copy Fail" has commenced. CISA has added the bug to its Known Exploited Vulnerabilities (KEV) catalog. Microsoft has observed limited exploitation activity, mainly associated with proof-of-concept testing, but the KEV listing signals that federal agencies and critical infrastructure operators must act urgently. All Linux system administrators should check vendor advisories for patches.
Breaches & Incidents
Instructure (Canvas) Data Breach Exposes Student Private Data
Education technology giant Instructure — the company behind the widely used Canvas learning management platform — suffered a data breach that exposed students' private data. TechCrunch reviewed a sample of the allegedly stolen data and confirmed it includes sensitive student information. The breach affects an unspecified number of students across institutions that rely on Instructure's platform. Instructure's incident response status has not been publicly disclosed; affected institutions should notify students and review their data-sharing agreements.
Industry & Policy
CISA Known Exploited Vulnerabilities Catalog Expands
CISA added the "Copy Fail" Linux vulnerability to its KEV catalog, reflecting ongoing exploitation activity observed by Microsoft and others. The KEV listing triggers mandatory patch deadlines for federal agencies under Binding Operational Directive 22-01. Private sector organizations should treat KEV entries as high-priority patching targets regardless of regulatory obligations.
What to Watch
- Palo Alto patch timeline: No fix yet exists for CVE-2026-0300. Monitor Palo Alto's security advisories closely — a patch release could trigger a rush to exploit unpatched systems before administrators update.
- MuddyWater TTPs spreading: The Microsoft Teams-based phishing vector represents a shift in nation-state initial access tactics. Expect similar techniques to proliferate among other threat actors as this method proves effective.
- Supply chain trust erosion: The DAEMON Tools compromise — embedding malware into signed installers — is a reminder that code signing is not a guarantee of safety. Software composition analysis (SCA) and runtime behavioral monitoring are increasingly essential, even for signed packages.
Reader Action Items
- Immediately apply mitigations for CVE-2026-0300: If you operate Palo Alto PA or VM series firewalls, consult Palo Alto's advisory for available workarounds. Do not wait for a patch — exploitation is active. Restrict Captive Portal/User-ID Authentication Portal access from untrusted networks where possible.
- Upgrade Apache to 2.4.67: Any system running Apache httpd 2.4.66 with HTTP/2 enabled is vulnerable to denial-of-service and potential remote code execution. Upgrade to 2.4.67 immediately and verify the update in production.
- Audit Microsoft Teams external access and review DAEMON Tools installs: Block or restrict external users from initiating Teams chats if your organization has no business need (mitigates MuddyWater-style phishing). Separately, investigate any DAEMON Tools installations performed since April 8, 2026, and treat affected endpoints as potentially compromised — isolate, scan, and rebuild if necessary.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.