STORIES THIS WEEK
Palo Alto firewall zero-day gave attackers root access
Attackers exploited CVE-2026-0300 against exposed PAN-OS User-ID Authentication Portals, gaining unauthenticated root code execution on PA-Series and VM-Series firewalls. Edge teams should restrict portal exposure before patches arrive. CyberScoop, May 6, 2026
Copy Fail put Linux cloud hosts at risk of root takeover
Theori disclosed CVE-2026-31431, a Linux kernel flaw allowing local users or escaped containers to gain root across mainstream distributions. Cloud and Kubernetes operators need kernel patch validation across mixed fleets. The Record, May 1, 2026
CISA ordered emergency patching for exploited cPanel flaw
CVE-2026-41940 affects cPanel and WHM systems used to manage hosting servers and websites. Successful exploitation can give attackers control over host configurations, databases, and managed sites. The Record, May 1, 2026
Cisco orchestration flaw could leave NSO and Crosswork offline
CVE-2026-20188 lets unauthenticated attackers exhaust connections on Cisco Network Services Orchestrator and Crosswork Network Controller. A successful attack requires a manual reboot, raising availability risk for service provider automation. BleepingComputer, May 6, 2026
Ivanti EPMM zero-day was exploited in limited attacks
Ivanti patched CVE-2026-6973, an Endpoint Manager Mobile flaw that allows an attacker with stolen admin credentials to execute remote code on the server. Patching closes the vulnerability, but any already-compromised admin account remains a risk, and credential rotation is required to complete remediation. Ivanti, May 7, 2026
MOVEit Automation bugs threatened managed file-transfer workflows
Progress fixed CVE-2026-4670 and CVE-2026-5174 in MOVEit Automation. The flaws could allow unauthorized access, administrative control, and data exposure in automated file-transfer environments. Help Net Security, May 4, 2026
PCPJack worm stole credentials from exposed cloud services
SentinelLABS found PCPJack spreading across exposed cloud infrastructure while removing TeamPCP artifacts. The framework targets credentials from cloud, container, developer, productivity, and financial services. SentinelOne, May 7, 2026
CloudZ RAT abused Phone Link to target SMS codes
Cisco Talos found CloudZ using the Pheno plugin to inspect Microsoft Phone Link data from compromised PCs. The technique can expose SMS messages and one-time passwords. Cisco Talos, May 5, 2026
Trellix breach reached part of its source code repository
Trellix said an unauthorized party accessed a portion of its source code repository. Though investigators found no evidence of code release or distribution impact, the incident highlights the near-term impacts on the software supply chain. Cybersecurity Dive, May 5, 2026
Instructure breach exposed Canvas user data at affected schools
Instructure disclosed theft of names, emails, student IDs, and messages from affected Canvas institutions. The incident underscores SaaS vendor dependence for schools and the need to scope downstream data exposure quickly. Dark Reading, May 6, 2026
Ollama memory leak exposed secrets on AI servers
Cyera disclosed Bleeding Llama, CVE-2026-7482, an unauthenticated Ollama memory leak that could expose user messages (prompts), system prompts, and environment variables from internet-facing deployments. Cyera, May 5, 2026
Gemini CLI flaw showed prompt injection risk in CI workflows
A Gemini CLI flaw could have let threat actors carry out a supply chain attack via indirect prompts hidden in a GitHub issue. Because Gemini CLI in --yolo mode automatically approves tool calls, a hacker could take over the AI agent designed to automatically triage the user-submitted issue. SecurityWeek, May 7, 2026
Cisco showed hidden image changes can manipulate AI vision models
Cisco researchers showed attackers can craft visual inputs that carry instructions AI models follow while remaining unreadable to humans. The finding matters for organizations adding vision-language models to security and workflow automation. SecurityWeek, May 7, 2026
RMM phishing campaign hit more than 80 organizations
VENOMOUS#HELPER used Social Security-themed lures and legitimate SimpleHelp and ScreenConnect tools for persistent remote access. The campaign blends into normal IT support traffic, complicating detection. Dark Reading, May 4, 2026
vm2 sandbox escape put untrusted JavaScript execution at risk
CVE-2026-26956 lets attackers escape the vm2 Node.js sandbox and execute code on the host under specific Node.js conditions. Developer platforms running user scripts should update immediately. BleepingComputer, May 6, 2026
About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
