NATO Admiralty (AJP-2.1) grades confidence, independent of the risk score. Cross-source corroboration isn't tracked for non-CVE news, so single-source items are capped at a lower credibility number; a low number does not imply low quality.
Limited active exploitation of CVE-2026-0300 documented; Unit 42 tracks CL-STA-1132, a likely state-sponsored cluster exploiting the vulnerability for unauthenticated RCE in PAN-OS and injecting shellcode into nginx worker processes.
The exploit leverages the combination of nf_tables and unprivileged user namespaces to escalate from a low-privilege shell or container context to host root,a common attack pattern following initial compromise.
The vulnerability allows privileged actors to perform arbitrary administrative actions through policies or widgets without requiring network access or infrastructure-level code execution.
The vulnerability requires existing privileged access (policy/view/widget creation) and is therefore primarily an insider risk for internal virtualization infrastructure administration.
The vulnerability requires existing administrative privileges (policy, view, or text-widget creation) and is therefore an insider-threat or compromised-admin risk rather than a vector for unauthenticated external attackers.
A weakness in certificate validation logic of the deprecated IKEv1 key exchange allows man-in-the-middle attackers to bypass authentication and intercept or modify VPN tunnel traffic.
Missing UDP packet validation in the WINS protocol allows unauthenticated attackers to crash the WINS service of an Active Directory Domain Controller.
An active worm-based supply-chain attack on central Microsoft repositories on Github indicates targeted compromise of open-source dependencies that could be consumed by thousands of organizations worldwide.
Critical
NEW VerdantBamboo (aka Clay Typhoon, UNC5221, Warp Panda) C3
A China-nexus APT group (VerdantBamboo/Clay Typhoon) deploys specialized malware variants on Linux systems, including a BSD-variant backdoor with customized persistence mechanisms for appliances; this signals targeted adaptation to critical infrastructure targets.
State-sponsored adversaries exploit legitimate access and internal tools rather than direct breaches; their reconnaissance phase can span months and often leaves no detectable log artifacts , standard ransomware incident response procedures are ineffective against them.
NSO Group is conducting active spear-phishing campaigns via WhatsApp, demonstrating that commercial spyware developers continue to be deployed as state-sponsored tools against individuals and organizations.
Critical
NEW Iran (Iranian state-sponsored cyber actors) C3
The article reveals that Iranian cyber operations continue independently of diplomatic ceasefires, indicating a structural risk to Western and European infrastructure.
A critical unauthenticated vulnerability in UniFi OS allows attackers to gain root access to network infrastructure without credentials, requiring immediate attention.
An actively exploited zero-day vulnerability in Check Point VPN gateways is being weaponized by the Qilin ransomware gang to establish unauthorized remote access, beginning in May 2026.
The vulnerability enables unauthenticated remote access without valid credentials by bypassing certificate validation in deprecated IKEv1 protocols,critical for organizations operating legacy VPN infrastructure.
Multiple XSS vulnerabilities in VMware Cloud Foundation, Aria Operations, and vSphere require authentication but can enable administrative actions via session hijacking or privilege escalation.
The BSI advisory on multiple OpenSSL vulnerabilities without specific CVE identification and without detailed exploitation status indicates a general warning that likely aggregates multiple known vulnerabilities without describing an active targeted campaign.
The vulnerability affects the ProxyPassReverseCookie directive and requires an update to version 2.4.68; there is no evidence of active exploitation or specific attack campaigns.
The vulnerability affects Apache HTTP Server 2.4.17,2.4.67 and enables denial-of-service attacks via specially crafted HTTP requests, which is critical if Apache is deployed as a reverse proxy or web server in production environments.
Active cryptojacking campaign exploits AI chatbots alongside traditional search poisoning to distribute counterfeit system utilities and abuse ScreenConnect, targeting high-performance GPU owners via social engineering.
TeamPCP campaign now publicly available in Mini Shai-Hulud framework; threat expands from original supply-chain target to broader attacker community with focus on build-pipeline access and credential exfiltration.
AD CS abuse techniques enable attackers to compromise the public key infrastructure and forge or steal authentication certificates, representing a critical escalation method in Windows environments.
BSI advisory on GNU libc vulnerability without specific CVE reference; detailed information (exploitation mechanism, affected versions, PoC status) is necessary for risk assessment.
The BSI advisory describes multiple vulnerabilities in Microsoft Edge without specific CVE numbers; exploitation in some cases requires only clicking a malicious link.