Palo Alto Networks Firewall Zero-Day Exploited for Nearly a Month
A critical-severity remote code execution zero-day vulnerability, tracked as CVE-2026-0300, has been actively exploited for nearly a month by suspected state-sponsored threat actors (CL-STA-1132) targeting Palo Alto Networks PAN-OS User-ID Authentication Portal (Captive Portal). This buffer overflow flaw allows unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls. Exploitation attempts began on April 9, 2026, with successful RCE achieved a week later, followed by log cleanup and the deployment of Earthworm and ReverseSocks5 tunneling tools for covert communication and network bypass. Over 5,400 PAN-OS VM-series firewalls are exposed online, primarily in Asia and North America. While Cloud NGFW and Panorama appliances are not affected, patches are anticipated to be released starting May 13, 2026. Until then, customers are strongly advised to mitigate the risk by restricting access to the User-ID Authentication Portal to trusted zones or disabling it entirely. The U.S. CISA has added CVE-2026-0300 to its KEV Catalog, mandating federal agencies to secure vulnerable firewalls by May 9, highlighting a broader trend of threat groups targeting edge network devices.
Severity: Critical
Threat Details and IOCs
| Malware: | ABCDoor, Cerberus, Earthworm, EarthWorm, EW, Termite, ValleyRAT, Winos 4.0 |
|---|---|
| CVEs: | CVE-2026-0300 |
| Technologies: | Microsoft Entra ID, Microsoft Windows Active Directory, Microsoft Windows Server, Palo Alto Networks, Palo Alto Networks VM-Series |
| Threat Actors: | APT41, ClSta0046, CL-STA-1132, Uat8302, VoltTyphoon |
| Attacker Countries: | China |
| Attacker IPs: | 136[.]0[.]8[.]48, 146[.]70[.]100[.]69, 149[.]104[.]66[.]84, 67[.]206[.]213[.]86 |
| Attacker Domains: | github[.]com |
| Attacker URLs: | hxxps[://]github[.]com/0xBlackash/CVE-2026-0300, hxxps[://]github[.]com/bannned-bit/CVE-2026-0300-PANOS, hxxps[://]github[.]com/Hex0rc1st/CVE_POC_monitor/tree/main/article/uploads/demo_1778060007/【在野利用】PaloAltoNetworksPAN-OS缓冲区溢出漏洞(CVE-2026-0300)安全风险通告, hxxps[://]github[.]com/mr-r3b00t/CVE-2026-0300, hxxps[://]github[.]com/qassam-315/PAN-OS-User-ID-Buffer-Overflow-PoC, hxxps[://]github[.]com/TailwindRG/cve-2026-0300-audit, hxxps[://]tinyurl[.]com/yjpk44ps, hxxp[:]//146.70.100.69:8000/php_sess, hxxps[:]//github.com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar.gz |
| Attacker Hashes: | e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 |
| Victim Industries: | Automotive, Cloud Infrastructure, Defense Industrial Base, Education, Energy, Financial Services, Government, Healthcare, Hospitality, Industrial Control Systems, Logistics, Manufacturing, Multimedia, Oil & Gas, Public Sector, Retail, Service Providers, Technology Hardware, Telecommunications, Transportation, Travel, Utilities |
| Victim Countries: | Australia, Austria, Belgium, Bulgaria, Canada, China, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hong Kong, Hungary, India, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Singapore, Slovakia, Slovenia, Spain, Sweden, United Kingdom, United States |
Mitigation Advice
- Identify all internet-facing Palo Alto Networks PA-Series and VM-Series firewalls and immediately apply access control rules to restrict the User-ID Authentication Portal to trusted, internal-only IP addresses.
- If restricting access to the User-ID Authentication Portal is not feasible, disable the portal entirely on vulnerable firewalls by navigating to Device > User Identification > Authentication Portal Settings and unchecking 'Enable Authentication Portal'.
- Initiate a threat hunt on all Palo Alto Networks firewalls for indicators of compromise, specifically looking for evidence of log deletion, removed crash files, and the presence of network traffic or files related to the 'Earthworm' and 'ReverseSocks5' tools.
- Identify the specific PAN-OS versions of all deployed firewalls and schedule emergency change windows to apply the CVE-2026-0300 patches as soon as they are released by the vendor.
Compliance Best Practices
- Develop and implement a formal security hardening policy for all internet-facing network devices that mandates disabling all non-essential services and restricting all management interfaces to a secure, internal-only management network.
- Integrate logs from all edge network devices, including firewalls, into the company's SIEM and develop specific detection rules to alert on suspicious activities like log tampering, unexpected outbound connections from the device itself, or the creation of unauthorized user accounts.
- Implement a formal asset lifecycle management program for all network infrastructure to track and plan for the replacement of devices before they reach their end-of-life (EOL) or end-of-support (EOS) dates.
https://arcticwolf.com/resources/blog/cve-2026-0300/
https://buaq.net/go-414764.html
https://buaq.net/go-414931.html
https://buaq.net/go-414983.html
https://cybelangel.com/blog/cve-2026-0300-enterprise-firewalls/
https://cyberpress.org/critical-palo-alto-firewall-flaw-exploited-to-gain-root-access/
https://cyberpress.org/palo-alto-networks-pan-os-vulnerability-2/
https://cyberscoop.com/palo-alto-networks-pan-os-firewall-zero-day-vulnerability-exploited/
https://cyberveille.esante.gouv.fr/alertes/palo-alto-networks-cve-2026-0300-2026-05-06
https://exploit-intel.com/vuln/CVE-2026-0300
https://gbhackers.com/critical-palo-alto-firewall-vulnerability/
https://gridinsoft.com/blogs/palo-alto-pan-os-cve-2026-0300-root-rce/
https://securityonline.info/palo-alto-networks-cve-2026-0300-active-exploitation-captive-portal-rce/
https://securityonline.info/palo-alto-networks-cve-2026-0300-pan-os-root-rce-zero-day/
https://security.paloaltonetworks.com/CVE-2026-0300
https://socprime.com/blog/latest-threats/cve-2026-0300-analysis/
https://socradar.io/blog/cve-2026-0300-root-rce-pan-os-captive-portal/
https://sploitus.com/exploit?id=9F0DBB5B-905B-52CD-BAB3-87DA736462AF
https://sploitus.com/exploit?id=A2CCBEC9-9390-5686-8A6D-E687A82055D2
https://thecyberexpress.com/cve-2026-0300-buffer-overflow-vulnerability/
https://thehackernews.com/2026/05/palo-alto-pan-os-flaw-under-active.html
https://thehackernews.com/2026/05/pan-os-rce-exploit-under-active-use.html
https://www.cyberkendra.com/2026/05/palo-alto-pan-os-zero-day-under-active.html
https://www.securityweek.com/palo-alto-networks-to-patch-zero-day-exploited-to-hack-firewalls/
https://www.wiz.io/blog/critical-vulnerability-in-pan-os-exploited-in-the-wild-cve-2026-0300
Ivanti Warns of New EPMM Flaw Exploited in Zero-Day Attacks
Ivanti has issued a warning regarding a high-severity remote code execution (RCE) vulnerability, tracked as CVE-2026-6973, in its Endpoint Manager Mobile (EPMM) product, which is actively being exploited in zero-day attacks. This flaw, stemming from improper input validation, allows remote attackers with administrative privileges to execute arbitrary code on systems running EPMM 12.8.0.0 and earlier. To mitigate this, customers must install Ivanti EPMM versions 12.6.1.1, 12.7.0.1, or 12.8.0.1, and are advised to review and rotate administrative credentials. While exploitation of CVE-2026-6973 is currently limited and requires admin authentication, over 850 Ivanti EPMM instances are exposed online, primarily in Europe and North America. Ivanti also patched four other high-severity EPMM vulnerabilities (CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821), though no evidence of their exploitation in the wild exists, with CVE-2026-7821 specifically affecting Apple Device Enrollment users. This follows previous critical EPMM code-injection zero-days (CVE-2026-1281 and CVE-2026-1340) exploited earlier this year, for which CISA mandated patching for U.S. government agencies, and prior credential rotation for these older flaws can reduce the risk for the newly disclosed CVE-2026-6973. CISA has identified 33 Ivanti vulnerabilities exploited in the wild, with 12 also abused by ransomware operations.
Severity: Critical
Threat Details and IOCs
| Malware: | MAVERICK, PCPJack, SORVEPOTEL, TCLBanker |
|---|---|
| CVEs: | CVE-2023-35078, CVE-2023-35082, CVE-2026-1281, CVE-2026-1340, CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, CVE-2026-6973, CVE-2026-7821 |
| Technologies: | Apple iOS, Apple macOS, Google Android, Ivanti, Ivanti Endpoint Manager Mobile, Microsoft Windows |
| Threat Actors: | ShinyHunters, TeamPCP, Unc5221, UNC5337 |
| Attacker Countries: | China, Iran |
| Attacker Domains: | arquivos-omie[.]com, campanha1-api[.]ef971a42[.]workers[.]dev, mxtestacionamentos[.]com |
| Attacker Hashes: | 701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626, 8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059 |
| Victim Industries: | Aerospace & Transportation, Business Services, Cloud Infrastructure, Education, Energy, Financial Services, Government, Healthcare, Legal Services, Logistics, Manufacturing, Professional Services, Public Administration, Public Sector, Real Estate, Retail, Technology Hardware, Telecommunications, Transportation, Transportation & Logistics |
| Victim Countries: | Australia, Belgium, Canada, China, Finland, France, Germany, Hong Kong, Mexico, Netherlands, Poland, Saudi Arabia, Spain, Sweden, Switzerland, United Kingdom, United States |
Mitigation Advice
- Immediately patch all on-premise Ivanti Endpoint Manager Mobile (EPMM) instances to version 12.6.1.1, 12.7.0.1, or 12.8.0.1 to mitigate CVE-2026-6973.
- Review all accounts with administrative privileges on Ivanti EPMM and immediately rotate their credentials.
- Scan the network perimeter to identify any internet-exposed Ivanti EPMM instances and confirm their patch status.
Compliance Best Practices
- Develop and implement a plan to restrict network access to the Ivanti EPMM administrative interface, allowing connections only from trusted IP addresses or a dedicated management network.
- Enhance the vulnerability management program to prioritize patching for internet-facing, critical infrastructure like Ivanti EPMM, with defined Service Level Agreements (SLAs) for emergency and zero-day patches.
- Implement a recurring quarterly review cycle for all privileged accounts on critical systems like Ivanti EPMM to enforce the principle of least privilege.
- Evaluate the feasibility and security benefits of migrating from on-premise Ivanti EPMM to a cloud-based unified endpoint management (UEM) solution.
- Implement network segmentation to isolate the Ivanti EPMM server from other critical internal network segments, restricting its communication to only essential services and endpoints.
https://cyberscoop.com/ivanti-epmm-zero-day-vulnerability-exploited/
https://cyberveille.esante.gouv.fr/alertes/ivanti-cve-2026-6973-2026-05-11
https://exploit-intel.com/vuln/CVE-2026-5786
https://exploit-intel.com/vuln/CVE-2026-5788
https://securereading.com/newly-patched-ivanti-endpoint/
https://securityonline.info/ivanti-epmm-exploited-in-the-wild-cve-2026-6973-zero-day/
https://socradar.io/blog/cve-2026-6973-rce-ivanti-epmm-cisa-kev/
https://thehackernews.com/2026/05/ivanti-epmm-cve-2026-6973-rce-under.html
https://www.scworld.com/news/federal-agencies-ordered-to-patch-ivanti-epmm-zero-day-in-3-days
https://www.securitylab.ru/news/572555.php
https://www.securityweek.com/ivanti-patches-epmm-zero-day-exploited-in-targeted-attacks/
copy.fail Exploit
A proof-of-concept demonstrates a Kubernetes container escape vulnerability, CVE-2026-31431, dubbed "Copy Fail," which allows a fully unprivileged container to achieve node-level code execution with a CVSS score of 7.8. This Linux kernel vulnerability resides in the page-cache Copy-on-Write (CoW) path, specifically an `AF_ALG` splice race that enables an unprivileged process to corrupt the in-memory page-cache pages of a read-only file, such as `/usr/sbin/ipset`, without altering the file on disk. The attack chain involves three stages: first, page-cache corruption via the `AF_ALG` splice race; second, cross-container propagation where container runtimes' shared image layers (e.g., `kube-proxy`'s base layer) make the corrupted page cache visible to other containers; and third, privileged execution, as the `kube-proxy` DaemonSet, running with high privileges, subsequently executes the corrupted `/usr/sbin/ipset`, thereby running the attacker's payload with root access on the host. This exploit targets `kube-proxy` due to its ubiquitous presence, high privileges, inclusion of `ipset`, and `IfNotPresent` image pull policy. The vulnerability affects Linux kernels prior to the CVE-2026-31431 patch and any Kubernetes version utilizing such kernels. Mitigation strategies include patching the Linux kernel, enabling image layer isolation, implementing read-only root filesystems for privileged containers, and restricting pod scheduling.
Severity: Critical
Threat Details and IOCs
| Malware: | fast16, FIRESTARTER, GoGra, Graphon, Mini Shai-Hulud, Ransomware Evil, REvil, Sha1-Hulud: The Second Coming, Shai-Hulud, Shai-Hulud 2.0, Shai-Hulud 3.0, Sodinokibi, WanaCrypt0r 2.0, WannaCry, WannaCrypt, WCry |
|---|---|
| CVEs: | CVE-2016-5195, CVE-2022-0847, CVE-2026-31431, CVE-2026-43284, CVE-2026-43500 |
| Technologies: | Alpine Linux, Amazon Linux, Arch Linux, CloudLinux OS, containerd, CRI-O, Debian, Docker, EuroLinux, Fedora, Gentoo, GitHub Actions, GitLab, Jenkins, Kubernetes, KylinSoft Kylin, Linux, LXC, Microsoft Entra ID, NixOS, openEuler, openSUSE, Pluggable Authentication Modules, Podman, Red Hat Enterprise Linux, Red Hat OpenShift Container Platform, Rocky Enterprise Software Foundation Rocky Linux, Rocky Linux, Slackware Linux, SUSE Linux Enterprise, Tizen, Turbolinux, Ubuntu, UnionTech UOS, Univention Corporate Server |
| Threat Actors: | APT41, BanishedKitten, FlaxTyphoon, HandalaHack, HomelandJustice, RedSandstorm, SaltTyphoon, Storm-0842, VoidManticore, VoltTyphoon |
| Attacker Domains: | audit[.]checkmarx[.]cx, copy[.]fail, github[.]com, git[.]kernel[.]org, lore[.]kernel[.]org, nvd[.]nist[.]gov, raw[.]githubusercontent[.]com, sploitus[.]com, xint[.]io |
| Attacker URLs: | audit[.]checkmarx[.]cx/v1/telemetry, github[.]com/0xlane/pagecache-guard, hxxps[://]copy[.]fail, hxxps[://]copy[.]fail/, hxxps[://]copy[.]fail/#contact, hxxps[://]copy[.]fail/exp, hxxps[://]copy[.]fail/public/demo.mp4, hxxps[://]gist[.]github[.]com/blasty/d7b5d0599b154c9ec83c182acbd56e8b, hxxps[://]github[.]com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo/, hxxps[://]github[.]com/mhdgning131/CVE-2026-31431_poc.git, hxxps[://]github[.]com/Percivalll/Copy-Fail-CVE-2026-31431-Kubernetes-PoC, hxxps[://]github[.]com/rootsecdev/cve_2026_31431, hxxps[://]github[.]com/rootsecdev/cve_2026_31431/blob/f288952034d0d1b21c035d178c7a485dcf6a3618/exploit_cve_2026_31431.py#L183-L187, hxxps[://]github[.]com/theori-io/copy-fail-CVE-2026-31431, hxxps[://]github[.]com/theori-io/copy-fail-CVE-2026-31431/blob/main/copy_fail_exp.py, hxxps[://]github[.]com/user-attachments/assets/27e0f28e-0cb8-438d-9fe4-ebd56035adad, hxxps[://]github[.]com/V4bel/dirtyfrag/tree/master, hxxps[://]git[.]kernel[.]org/pub/scm/linux/kernel/git/stable/linux.git/about/, hxxps[://]lore[.]kernel[.]org/linux-cve-announce/2026042214-CVE-2026-31431-3d65@gregkh/, hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-31431, hxxps[://]raw[.]githubusercontent[.]com/theori-io/copy-fail-CVE-2026-31431/main/copy_fail_exp.py, hxxps[://]securityaffairs[.]com/191629/hacking/u-s-cisa-adds-a-flaw-in-linux-kernel-to-its-known-exploited-vulnerabilities-catalog.html, hxxps[://]sploitus[.]com/exploit?id=A310CBC4-CE91-509B-ADDF-881523045AF1, hxxps[://]sploitus[.]com/exploit?id=MSF:EXPLOIT-LINUX-LOCAL-CVE_2026_31431_COPY_FAIL-, hxxps[://]www[.]openwall[.]com/lists/oss-security/2026/04/29/23, hxxps[://]xint[.]io/blog/copy-fail-linux-distributions, hxxps[://]xint[.]io/blog/copy-fail-linux-distributions#the-fix-6 |
| Attacker Hashes: | 0533cff5831152a2f6499b1c708a4344336b35b369151c64122335332a09b0a9, 100262da02453c33f4a4a6916423966b, 1111111111111111111111111111111111111111111111111111111111111111, 11596758ecc621a946c4f262a6d49ff3b45887c9, 1343309df1351265351b3c6053b53d340443151e, 1913180e3039f339580742b4980b80a34403193a, 19991118784b8969881432414811418151851111, 299c53293f32a67311514f5338125338, 39e8878922b183047d9be0da04402b23da289405, 3be49c5ddb11ad62610bdc9f2389f842b753cd53, 3c5ec61632d0699e048d8428461c4d65f89988a370396db2f070f63ebbf9dbae, 690691c6a03b84534484809601385a3c0970a42c0171f670998762c5e1b9438a, 72548b093ee38a6d4f2a19e6ef1948ae05c181f7, 83194d178f4b9c6fcdfaed0ea4ae3ec2ca3db6f4, 84f44c4a699e025ceff588028c9e041b213d6198fc7fa40b7d24ca6ebbf9b305, 87915e67782ebd34d91a2b557b22eccf0f6e3de1, 9454dbdde0ac2d1a8981c06db89f24a4753ec3b7, 985614541dd1239c773049335738d50c, 9b0f16503767336bc8a821482933c1111aafa23a, a4d4c899a00f948016279448356c49e8454a09f7, a567d09b15f6e4440e70c9f2aa8edec8ed59f53301952df05c719aa3911687f9, a79c6ab7e9d14e60af8d7dfc1c102e3bc93a910b, b35ddf2ecd035faf9b38af62779502b7fa19037115054a00ed8d5327a3f2ec03, d401e7d1c00605749d6c617ace73ab20a762b72e41c2e1590331596e38219a61, de824c48ca8e2d41dcbb99468148370b1f2c1497, e097ce64b1bf0933e69c9d342038fb52f4b278da62b265daa3adf22c00658a9c, ed0018054d8e7058b299b7591bc32364dbc439c25be4067450189b1a73033c67 |
| Victim Industries: | Aerospace, Cloud Infrastructure, Data Centers, Financials, Government, Healthcare, Health Care Technology, Information Technology, Internet & Cloud Services, Internet of Things (IoT), Manufacturing, Public Sector, Semiconductors, Software, Technology Hardware, Telecommunications, Web Hosting |
| Victim Countries: | Austria, Belgium, Bulgaria, China, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Singapore, Slovakia, Slovenia, South Korea, Spain, Sweden, United Kingdom, United States |
Mitigation Advice
- Apply the vendor-supplied kernel patch for CVE-2026-31431 to all Linux nodes, especially those within Kubernetes clusters.
- As an interim mitigation, blacklist the `algif_aead` kernel module on all Linux hosts to prevent the vulnerable code from being loaded. Verify that no critical applications depend on this module before implementation.
- Deploy and enable detection rules in your runtime security tool, such as Falco, to monitor for and alert on the creation of `AF_ALG` sockets, which is a key indicator of an attempt to exploit CVE-2026-31431.
Compliance Best Practices
- Implement Kubernetes scheduling policies using taints and tolerations to create dedicated node pools for untrusted workloads, isolating them from nodes running critical, privileged DaemonSets like kube-proxy.
- Develop and roll out `seccomp` profiles for your container workloads that block the `socket` syscall for the `AF_ALG` address family, unless explicitly required by the application.
- Implement and enforce AppArmor or SELinux policies to prevent containers from creating `AF_ALG` sockets, thereby blocking the initial step of the exploit chain.
- Evaluate and enable features in your container runtime, such as per-container filesystem snapshots, that prevent page-cache sharing across different containers on the same node.
- Modify the manifests for all privileged pods, including system DaemonSets, to enforce a read-only root filesystem by setting `securityContext.readOnlyRootFilesystem` to `true`.
- For high-risk, multi-tenant, or untrusted workloads, evaluate and plan a migration to sandboxed container technologies like gVisor or Kata Containers to provide stronger kernel isolation.
https://blog.cloudflare.com/copy-fail-linux-vulnerability-mitigation/
https://buaq.net/go-413697.html
https://buaq.net/go-414275.html
https://buaq.net/go-414387.html
https://buaq.net/go-414388.html
https://buaq.net/go-414730.html
https://cyberinsider.com/cisa-warns-copy-fail-linux-flaw-is-already-actively-exploited/
https://cyberinsider.com/copy-fail-gives-root-access-to-all-linux-systems-via-732-byte-exploit/
https://cyberpress.org/linux-kernel-0-day-copy-fail/
https://cyberpress.org/linux-kernel-zero-day-vulnerability/
https://cyberscoop.com/copy-fail-linux-vulnerability-artificial-intelligence/
https://cyberveille.esante.gouv.fr/alertes/linux-cve-2026-31431-2026-04-30
https://gbhackers.com/linux-kernel-0-day-copy-fail-grants-root-access-major-distros/
https://github.com/NorskHelsenett/copy-fail-destroyer
https://github.com/rootsecdev/cve_2026_31431
https://hackread.com/linux-kernel-vulnerability-copy-fail-full-root-access/
https://kb.cert.org/vuls/id/260001
https://linuxiac.com/copy-fail-linux-kernel-flaw-allows-local-users-to-gain-root/
https://orca.security/resources/blog/cve-2026-31431-linux-kernel-copy-fail-privilege-escalation/
https://securityonline.info/linux-kernel-copy-fail-root-exploit-poc-public-disclosure/
https://socradar.io/blog/cve-2026-31431-copy-fail-nine-year-linux-bug/
https://solcyber.com/copy-fail-hype-versus-reality-the-full-story/
https://sploitus.com/exploit?id=2701B38E-308B-578E-A22D-1538782B2A0C
https://sploitus.com/exploit?id=29D90A9C-E8E8-5B0B-A9DA-F15DBC31723E
https://sploitus.com/exploit?id=3F882040-3B4C-56F7-AD9F-6959A61D9F05
https://sploitus.com/exploit?id=A310CBC4-CE91-509B-ADDF-881523045AF1
https://sploitus.com/exploit?id=A6500AE2-6D3D-5689-B049-BFCE1470ED76
https://sploitus.com/exploit?id=CA39883F-A7DF-5D7F-8669-6377C8FE3DA1
https://sploitus.com/exploit?id=FC69D23B-11A0-5C50-8340-942AD0802BB6
https://sploitus.com/exploit?id=MSF:EXPLOIT-LINUX-LOCAL-CVE_2026_31431_COPY_FAIL-
https://thehackernews.com/2026/04/new-linux-copy-fail-vulnerability.html
https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html
https://www.ctfiot.com/306860.html
https://www.ctfiot.com/306909.html
https://www.ctfiot.com/306923.html
https://www.ctfiot.com/307687.html
https://www.ctfiot.com/307700.html
https://www.cyberkendra.com/2026/04/a-732-byte-python-script-can-get-root.html
https://www.dragonsreach.it/2026/05/04/cve-2026-31431-copy-fail-rootless-containers/
https://www.hackthebox.com/blog/CVE-2026-31431
https://www.helpnetsecurity.com/2026/04/30/copyfail-linux-lpe-vulnerability-cve-2026-31431/
https://www.hendryadrian.com/cisa-says-copy-fail-flaw-now-exploited-to-root-linux-systems/
https://www.hendryadrian.com/copy-fail-and-dirtyfrag-linux-page-cache-bugs-in-the-wild/
https://www.hendryadrian.com/exploitation-of-copy-fail-linux-vulnerability-begins/
https://www.hkcert.org/security-bulletin/debian-linux-kernel-multiple-vulnerabilities_20260506
https://www.hkcert.org/security-bulletin/linux-kernel-elevation-of-privilege-vulnerability_20260504
https://www.infosecurity-magazine.com/news/zero-day-2017-linux-kernel/
https://www.mend.io/blog/linux-copy-fail-lpe-cve-2026-31431/
https://www.openwall.com/lists/oss-security/2026/04/30/10
https://www.reversinglabs.com/blog/copy-fail-5-yara-rules
https://www.securityweek.com/copy-fail-logic-flaw-in-linux-kernel-enables-system-takeover/
https://www.theregister.com/2026/04/30/linux_cryptographic_code_flaw/
https://www.theregister.com/2026/05/05/cisa_sounds_the_alarm_on/
https://www.wiz.io/blog/copyfail-cve-2026-31431-linux-privilege-escalation-vulnerability
CloudZ Malware Abuses Phone Link to Steal SMS OTPs
A Windows malware toolkit, active since at least January 2026, has been observed stealing SMS messages and one-time passwords (OTPs) by exploiting Microsoft's Phone Link application on victim machines, thereby bypassing direct mobile device compromise. This operation involves the CloudZ remote access tool (RAT) and a previously undocumented Pheno plugin, which together harvest credentials and intercept authentication codes synced from paired smartphones. Pheno continuously scans for Phone Link processes (e.g., YourPhone, PhoneExperienceHost) and, upon detecting an active session indicated by the "proxy" string, flags the system for data collection from local SQLite database files like PhoneExperiences-*.db. The infection typically begins with a fake ScreenConnect update, deploying a Rust-compiled loader that drops a .NET loader, which then uses `regasm.exe` to deploy the ConfuserEx-obfuscated CloudZ RAT. CloudZ incorporates anti-analysis techniques, including timing-based sleep checks, security tool enumeration, and virtual machine detection, while pulling configurations from attacker-controlled servers and Pastebin. This technique effectively shifts the risk surface for SMS-based multi-factor authentication from mobile devices to enterprise-managed Windows endpoints, with indicators of compromise and ClamAV signatures published to aid detection and blocking.
Severity: Critical
Threat Details and IOCs
| Malware: | CloudZ, CloudZ RAT, Pheno |
|---|---|
| Technologies: | Apple iOS, ConnectWise ScreenConnect, Google Android, Microsoft .NET Framework, Microsoft Phone Link, Microsoft Windows, SQLite |
| Attacker IPs: | 185[.]196[.]10[.]136 |
| Attacker Domains: | calm-wildflower-1349[.]hellohiall[.]workers[.]dev, orange-cell-1353[.]hellohiall[.]workers[.]dev, pastebin[.]com, round-cherry-4418[.]hellohiall[.]workers[.]dev |
| Attacker URLs: | hxxps[://]pastebin[.]com/raw/8pYAgF0Z?t=1771833517, hxxps[:]//calm-wildflower-1349.hellohiall.workers.dev, hxxps[:]//calm-wildflower-1349.hellohiall.workers.dev/, hxxps[:]//orange-cell-1353.hellohiall.workers.dev/pheno.exe, hxxps[:]//pastebin.com/3jKbe7rN, hxxps[:]//pastebin.com/EBrpRiFi, hxxps[:]//pastebin.com/ikjGHALD, hxxps[:]//pastebin.com/NUrZTmDn, hxxps[:]//pastebin.com/raw/8pYAgF0Z?t=1771833517, hxxps[:]//pastebin.com/RKJcXMAm, hxxps[:]//pastebin.com/yUkbaBH3, hxxps[:]//round-cherry-4418.hellohiall.workers.dev/?t=1769729309, hxxps[:]//round-cherry-4418.hellohiall.workers.dev/?t=1773406370 |
| Attacker Hashes: | 24398b75be2645e6c695e529e62e60deb418143a4bbea13c561d3c361419eb54, 33af554562176eff34598a839051b8e91692b0305edfdbb4d8eb9df0103ffd98, 5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321, 65fcd965040fabeb6f092df0a4b6856125018bb3b6a1876342da458139f77dac, ed5de036edbbda52ab0049d2163607038d38a49404a46b6bcfc4bac26b743832 |
| Victim Industries: | Financial Services |
Mitigation Advice
- Ingest the file hashes provided by Cisco Talos for the CloudZ malware and its components into your Endpoint Detection and Response (EDR) and antivirus (AV) solutions to scan for and block these specific files.
- Add the domains and IP addresses associated with CloudZ command and control (C2) servers, as published by Cisco Talos, to your firewall, DNS sinkhole, and web proxy blocklists.
- Create a detection rule in your SIEM or EDR to generate an alert when a process enumerates other running processes and specifically searches for 'YourPhone', 'PhoneExperienceHost', or 'Link to Windows'.
- Configure file integrity monitoring (FIM) or EDR rules to alert on any unauthorized or unusual processes accessing SQLite database files located in the Microsoft Phone Link application data folder (e.g., `...\LocalState\PhoneExperiences-*.db`).
- In your SIEM or EDR, create a detection rule to monitor for suspicious executions of the .NET Assembly Registration utility (regasm.exe), particularly when it is launched by an unusual parent process or used to register untrusted or unsigned DLLs.
- Ensure your network intrusion detection systems (IDS/IPS) and antivirus platforms are updated with the latest signatures from their vendors, specifically including the ClamAV and Snort rules released by Cisco Talos for CloudZ.
Compliance Best Practices
- Prioritize migrating users away from SMS-based MFA to more phishing-resistant and secure alternatives, such as FIDO2/WebAuthn security keys or number-matching push notifications from authenticator apps.
- Use Group Policy (GPO) or a Mobile Device Management (MDM) solution to disable or uninstall the Microsoft Phone Link application on all corporate Windows endpoints where it is not required for a valid business purpose, thereby reducing the attack surface.
- Implement an application control solution, such as Windows Defender Application Control (WDAC) or AppLocker, to restrict the execution of commonly abused system utilities and scripts to only authorized users and from expected file paths.
- Develop and implement a continuous security awareness training program that includes phishing simulations and educates users on how to identify and report suspicious software, unsolicited update prompts, and other social engineering tactics.
- Ensure your Endpoint Detection and Response (EDR) solution has anti-tampering features enabled and is configured to detect and alert on process enumeration and other reconnaissance activities targeting security monitoring tools.
https://blog.talosintelligence.com/cloudz-pheno-infostealer/
https://gbhackers.com/cloudz-rat-exploits-microsoft-phone-link/
https://gridinsoft.com/blogs/cloudz-malware-phone-link-otp-theft/
https://thehackernews.com/2026/05/windows-phone-link-exploited-by-cloudz.html
https://www.infosecurity-magazine.com/news/cloudz-rat-pheno-phone-link-otp/
Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
A critical out-of-bounds read vulnerability (CVE-2026-7482, CVSS 9.1), codenamed Bleeding Llama, has been identified in Ollama versions prior to 0.17.1, potentially affecting over 300,000 servers globally. This flaw, residing in the GGUF model loader's `WriteTo()` function, allows a remote, unauthenticated attacker to send a specially crafted GGUF file to the `/api/create` endpoint, triggering a heap out-of-bounds read and enabling the leakage of sensitive process memory data, including API keys and conversation content, which can then be exfiltrated via the `/api/push` endpoint. To mitigate, users must upgrade to Ollama 0.17.1 or later, limit network exposure, and implement authentication proxies. Additionally, two unpatched vulnerabilities (CVE-2026-42248 and CVE-2026-42249, CVSS 7.7 each) in Ollama's Windows update mechanism (versions 0.12.10 through 0.17.5) allow persistent code execution. These flaws, a missing signature verification and a path traversal vulnerability, can be chained by an attacker controlling an update server to write arbitrary executables to the Windows Startup folder, executing malicious code at every login. Interim mitigations for Windows users include disabling automatic updates and removing Ollama shortcuts from the Startup folder.
Severity: Critical
Threat Details and IOCs
| CVEs: | CVE-2026-42248, CVE-2026-42249, CVE-2026-7482 |
|---|---|
| Technologies: | Microsoft Windows, Ollama |
| Attacker URLs: | /api/blobs/sha256:sha256-digest, /api/create, /api/push, /api/update |
| Victim Industries: | Automation, Defense, Education, Financial Services, Healthcare, Health Care Technology, Information Technology, Legal Services, Manufacturing, Marketing & Advertising, Telecommunications, Utilities & Energy |
| Victim Countries: | Brazil, Canada, China, Finland, France, Germany, Hong Kong, India, Japan, Russia, Singapore, South Korea, United Kingdom, United States |
Mitigation Advice
- Upgrade all Ollama instances to version 0.17.1 or later to remediate the memory leak vulnerability (CVE-2026-7482).
- Conduct a network-wide scan to identify all running Ollama instances and audit their configurations to determine if any are accessible from the internet.
- Configure network firewalls to block all inbound internet traffic to Ollama API endpoints, such as '/api/create' and '/api/push'.
- On all Windows endpoints running Ollama, disable the automatic update feature to prevent the vulnerable update mechanism from being triggered.
- Inspect the Windows Startup folder on all systems with Ollama installed and remove any unauthorized executables or shortcuts to break potential persistence.
Compliance Best Practices
- Implement an API gateway or an authentication reverse proxy for all Ollama deployments to enforce mandatory authentication and authorization for all API requests.
- Implement network segmentation to isolate servers running AI/ML workloads like Ollama into a dedicated security zone, restricting traffic to and from the corporate and production networks.
- Develop and enforce a corporate policy for the secure lifecycle management of AI/ML models and tools, including mandatory security reviews, data classification, and access control standards for all new deployments.
- Establish a software supply chain security program that includes vetting the update mechanisms of third-party applications to ensure they implement security best practices like digital signature verification.
