Limited active exploitation of CVE-2026-0300 documented; Unit 42 tracks CL-STA-1132, a likely state-sponsored cluster exploiting the vulnerability for unauthenticated RCE in PAN-OS and injecting shellcode into nginx worker processes.
The exploit leverages the combination of nf_tables and unprivileged user namespaces to escalate from a low-privilege shell or container context to host root,a common attack pattern following initial compromise.
The vulnerability allows privileged actors to perform arbitrary administrative actions through policies or widgets without requiring network access or infrastructure-level code execution.
The vulnerability requires existing privileged access (policy/view/widget creation) and is therefore primarily an insider risk for internal virtualization infrastructure administration.
The vulnerability requires existing administrative privileges (policy, view, or text-widget creation) and is therefore an insider-threat or compromised-admin risk rather than a vector for unauthenticated external attackers.
A weakness in certificate validation logic of the deprecated IKEv1 key exchange allows man-in-the-middle attackers to bypass authentication and intercept or modify VPN tunnel traffic.
Missing UDP packet validation in the WINS protocol allows unauthenticated attackers to crash the WINS service of an Active Directory Domain Controller.
An active worm-based supply-chain attack on central Microsoft repositories on Github indicates targeted compromise of open-source dependencies that could be consumed by thousands of organizations worldwide.
Critical
NEW VerdantBamboo (aka Clay Typhoon, UNC5221, Warp Panda) C3
A China-nexus APT group (VerdantBamboo/Clay Typhoon) deploys specialized malware variants on Linux systems, including a BSD-variant backdoor with customized persistence mechanisms for appliances; this signals targeted adaptation to critical infrastructure targets.
State-sponsored adversaries exploit legitimate access and internal tools rather than direct breaches; their reconnaissance phase can span months and often leaves no detectable log artifacts , standard ransomware incident response procedures are ineffective against them.
NSO Group is conducting active spear-phishing campaigns via WhatsApp, demonstrating that commercial spyware developers continue to be deployed as state-sponsored tools against individuals and organizations.
Critical
NEW Iran (Iranian state-sponsored cyber actors) C3
The article reveals that Iranian cyber operations continue independently of diplomatic ceasefires, indicating a structural risk to Western and European infrastructure.
A critical unauthenticated vulnerability in UniFi OS allows attackers to gain root access to network infrastructure without credentials, requiring immediate attention.
An actively exploited zero-day vulnerability in Check Point VPN gateways is being weaponized by the Qilin ransomware gang to establish unauthorized remote access, beginning in May 2026.
The vulnerability enables unauthenticated remote access without valid credentials by bypassing certificate validation in deprecated IKEv1 protocols,critical for organizations operating legacy VPN infrastructure.
Multiple XSS vulnerabilities in VMware Cloud Foundation, Aria Operations, and vSphere require authentication but can enable administrative actions via session hijacking or privilege escalation.
The BSI advisory on multiple OpenSSL vulnerabilities without specific CVE identification and without detailed exploitation status indicates a general warning that likely aggregates multiple known vulnerabilities without describing an active targeted campaign.
The vulnerability affects the ProxyPassReverseCookie directive and requires an update to version 2.4.68; there is no evidence of active exploitation or specific attack campaigns.
The vulnerability affects Apache HTTP Server 2.4.17,2.4.67 and enables denial-of-service attacks via specially crafted HTTP requests, which is critical if Apache is deployed as a reverse proxy or web server in production environments.
Active cryptojacking campaign exploits AI chatbots alongside traditional search poisoning to distribute counterfeit system utilities and abuse ScreenConnect, targeting high-performance GPU owners via social engineering.
TeamPCP campaign now publicly available in Mini Shai-Hulud framework; threat expands from original supply-chain target to broader attacker community with focus on build-pipeline access and credential exfiltration.
AD CS abuse techniques enable attackers to compromise the public key infrastructure and forge or steal authentication certificates, representing a critical escalation method in Windows environments.
BSI advisory on GNU libc vulnerability without specific CVE reference; detailed information (exploitation mechanism, affected versions, PoC status) is necessary for risk assessment.
The BSI advisory describes multiple vulnerabilities in Microsoft Edge without specific CVE numbers; exploitation in some cases requires only clicking a malicious link.
Attackers are actively exploiting CVE-2026-0257 in PAN-OS just four days after public disclosure, indicating targeted attacks on firewall products in critical enterprise networks.
Threat actors are actively exploiting the vulnerability; the Centre for Cybersecurity Belgium warns of ongoing exploitation, although Microsoft has not yet confirmed active abuse in the wild.
A state-sponsored Chinese campaign is deliberately targeting European and Taiwanese government and technology institutions, signaling heightened espionage activity against Western targets in critical sectors.
APT group TeamPCP compromised Checkmarx KICS via Docker Hub repository poisoning to steal Kubernetes secrets , demonstrates multi-stage supply-chain attacks on container infrastructure as an established threat pattern.
Active exploitation of a critical Netlogon RCE in Windows servers requires immediate patching, as the vulnerability is already being weaponized in attacks.
The vulnerability is already actively exploited in the wild, even though the public PoC only demonstrates a crash , code execution is possible according to Microsoft and CVSS 9.8 warrants immediate action.
A memory-safety bug (double-free) in the Windows IKEv2 service enables unauthenticated remote attackers to achieve code execution by sending specially crafted packets.
An authentication bypass vulnerability in Palo Alto PAN-OS GlobalProtect VPN already being exploited in two attack waves since mid-May represents an immediate VPN security threat.
A systemic design flaw in Node.js module resolution on Windows enables privilege escalation through local filesystem manipulation, yet remains unpatched by both Discord and Node.js maintainers.
SmartApeSG ClickFix campaign employs multi-stage infection chains: unidentified RAT delivers NetSupport Manager RAT with C2 communication over TCP 443 and daily-changing indicators.
BSI warning for multiple critical vulnerabilities in widely-deployed browsers without specific CVE identifiers or PoC status , requires immediate patch-deployment planning.
Publicly available proof-of-concept code for a 19-year-old kernel vulnerability enables immediate practical exploitation and requires rapid patch verification in Ubuntu systems.
A deprecated but still-signed driver from a product discontinued in 2013 enables attackers with local access to perform privileged kernel operations and credential theft via BYOVD techniques.
BSI alerts to multiple vulnerabilities in both leading browsers without specific CVE numbers; immediate patch management and update prioritization required.