# Today's Top Stories

May 08, 2026

  1. The Hacker News general May 07
    PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage

    Palo Alto Networks confirmed active exploitation of CVE-2026-0300 (CVSS 9.3), a critical buffer overflow in the PAN-OS User-ID Authentication Portal that allows unauthenticated RCE with root-level access. Exploitation attempts were observed as early as April 9, 2026, and the campaign bears hallmarks of Chinese state-sponsored actors. Security teams running affected PAN-OS versions should treat this as an emergency patching priority given the unauthenticated attack vector and active in-the-wild exploitation.

  2. The Hacker News general May 07
    Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access

    Ivanti disclosed CVE-2026-6973 (CVSS 7.2), an improper input validation flaw in Endpoint Manager Mobile (EPMM) affecting versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1 that allows a remotely authenticated admin-level user to achieve RCE. CISA issued a four-day remediation deadline for federal agencies, underscoring active zero-day exploitation. Ivanti's recurring pattern of actively exploited edge-device vulnerabilities makes this a high-priority patch for any enterprise running EPMM.

  3. Krebs on Security threat-intel May 08
    Canvas Breach Disrupts Schools & Colleges Nationwide

    The ShinyHunters cybercrime group breached Instructure's Canvas platform — used by nearly 9,000 educational institutions — and defaced login pages with a ransom demand threatening to leak data from 275 million students and faculty. The attack disrupted classes and coursework nationwide during finals season. This incident reinforces the systemic risk of single-vendor LMS dependencies across the entire U.S. education sector.

  4. The Hacker News general May 08
    Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions

    A new unpatched Linux kernel local privilege escalation vulnerability dubbed 'Dirty Frag' has been disclosed, described as a successor to CVE-2026-31431 (CVSS 7.8), which was already under active exploitation in the wild. Dirty Frag enables root access on all major Linux distributions via a single command and has been reported to kernel maintainers but remains unpatched. Security teams should monitor for exploitation and apply mitigations as kernel patches are developed.

  5. The Hacker News general May 07
    PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems

    A new credential-theft framework called PCPJack exploits five CVEs to spread worm-like across exposed cloud infrastructure, harvesting credentials from AWS, Docker, Kubernetes, and other developer and financial services before exfiltrating data through attacker-controlled infrastructure. The toolset actively evicts competing TeamPCP malware from compromised systems and uses parquet files for stealthy target discovery. The supply chain–targeting behavior and multi-cloud credential harvesting make this a significant threat to DevOps and cloud-native environments.

  6. SecurityWeek general May 08
    Polish Security Agency Reports ICS Breaches at Five Water Treatment Plants

    Poland's security agency reported ICS breaches at five water treatment plants in which attackers gained the ability to modify operational parameters of equipment, creating a direct risk to the public water supply. The agency linked the broader pattern of hostile cyber activity against Polish critical infrastructure to Russian intelligence services, with intensified operations noted in 2024–2025. This represents a concrete, confirmed OT compromise of drinking water infrastructure — a scenario long discussed theoretically by ICS security practitioners.

  7. The Record threat-intel May 07
    Iranian government hackers using Chaos ransomware as cover, researchers say

    Rapid7 incident responders uncovered that a ransomware attack initially attributed to Chaos ransomware was actually an intrusion by MuddyWater, an Iranian APT group tied to Iran's Ministry of Intelligence and Security (MOIS). The use of ransomware as operational cover marks a deceptive evolution in this actor's TTPs, complicating attribution and incident response triage. Defenders encountering Chaos ransomware artifacts should consider nation-state involvement as part of their analysis.

  8. BleepingComputer general May 06
    Critical vm2 sandbox bug lets attackers execute code on hosts

    A critical sandbox escape vulnerability in vm2, the widely used Node.js sandboxing library, allows attackers to break out of the sandbox and execute arbitrary code directly on the host system. Twelve critical vulnerabilities were disclosed in total; vm2 is used across many applications to isolate untrusted JavaScript execution. Any Node.js application relying on vm2 as a security boundary should treat this as an urgent remediation or architectural review item.

  9. BleepingComputer general May 06
    DAEMON Tools devs confirm breach, release malware-free version

    Disc Soft Limited confirmed that DAEMON Tools Lite was trojanized in a supply chain attack and has released a malware-free replacement version. The company identified impacted systems, removed compromised files, and validated clean installation packages. Users who downloaded affected versions should update immediately and audit systems for post-compromise indicators.

  10. BleepingComputer general May 07
    New TCLBanker malware self-spreads over WhatsApp and Outlook

    A new banking trojan dubbed TCLBanker — delivered via a trojanized MSI installer disguised as the Logitech AI Prompt Builder — targets 59 banking, fintech, and cryptocurrency platforms and self-propagates through WhatsApp and Outlook. The use of a legitimate software installer as a lure and self-spreading via enterprise communication tools gives this malware significant reach in corporate environments. Security teams should add TCLBanker IOCs to detection rules and scrutinize MSI installer downloads from unofficial sources.