The Lyceum: Cyber Intelligence Daily — May 07, 2026

Your firewall is the story today, and the punchline is that it has a zero-day, it has a public exploit, and it does not have a patch — three sentences that should not be true at the same time. Underneath the noise around CVE-2026-0300, two quieter threads are pulling: the Trivy supply-chain compromise from March is still spitting out secondary intrusions, and a Windows NTLM credential-leak linked to activity attributed to APT28 is now formally on CISA's KEV list. This is a perimeter-and-pipeline day — the things that are supposed to protect you, and the things that build what you ship.

• CVE-2026-0300 — Palo Alto Networks PAN-OS User-ID Authentication Portal: actively exploited, no patch until May 13, on CISA KEV (added May 5). Unauthenticated remote code execution as root on internet-exposed PA-Series and VM-Series firewalls; a public PoC dropped overnight.
• CVE-2026-31431 — Linux Kernel "Copy Fail": actively exploited, on CISA KEV, federal patch deadline May 15. Major distributions still shipping interim mitigations rather than a clean fix on every branch.
• CVE-2026-4670 — Progress MOVEit Automation: authentication bypass, CVSS 9.8, no public exploitation confirmed yet. Same product family as the 2023 Cl0p mass-breach campaign — patch-on-sight when Progress ships.
• CVE-2026-5174 — Progress MOVEit Automation: improper input validation enabling privilege escalation, CVSS 7.7. Two flaws disclosed in the same product in the same window suggests focused research.
• Exploit-DB 52546 — Windows 11 24H2 local privilege escalation: functional public exploit, no CVE attached to the entry yet. Lowers the cost of post-compromise SYSTEM access on the current Windows release.
• vm2 sandbox escape — Node.js sandbox library: critical escape with maintainer-published PoC abusing WebAssembly exception handling. Upgrade to vm2 ≥ 3.10.5; treat any product running customer-supplied JavaScript as elevated risk.
• Trivy supply-chain compromise — secondary activity — March's poisoned scanner is still producing downstream intrusions weeks later via credentials stolen from CI/CD pipelines. Palo Alto's Cortex team says the campaign is "not completely over."

The thing about a firewall zero-day is that the firewall is the last line of defense. When the firewall itself is the breach point, the perimeter is gone before the attacker tries the door.

CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities catalog on Tuesday, confirming attackers are actively exploiting an out-of-bounds write in the PAN-OS User-ID Authentication Portal — also called the Captive Portal — to achieve remote code execution as root. In plain terms: an attacker on the internet sends specially crafted packets to an exposed Palo Alto firewall and gets full administrative control. No username. No password.

Palo Alto's advisory pegs the CVSS at 9.3 when the portal is reachable from the internet or any untrusted network, dropping to 8.7 when access is restricted to trusted internal IPs. The flaw affects certain PA-Series and VM-Series firewalls; Prisma Access, Cloud NGFW, and Panorama are not impacted. Shadowserver scans cataloged more than 5,800 publicly exposed VM-Series firewalls running PAN-OS as of Tuesday — though it's unknown how many had already restricted the portal — per CyberScoop.

Palo Alto Networks said "limited exploitation has been observed targeting User-ID Authentication Portals that are exposed to untrusted IP addresses and/or the public internet," per SecurityWeek. Some analysts interpret vendor phrasing like "limited and targeted" as consistent with state-grade tradecraft. Unit 42's threat brief tracks the cluster as CL-STA-1132 and describes operational discipline — open-source tooling instead of bespoke malware, intermittent interactive sessions deliberately tuned below behavioral alerting thresholds — that reads as state-grade tradecraft, not opportunistic scanning.

No patch until May 13 at the earliest, with a second wave of fixes targeted for May 28. Until then, the only mitigation is restricting the Authentication Portal to trusted internal IPs or disabling it entirely. A public proof-of-concept dropped overnight, increasing the risk that "limited targeted exploitation" could shift to mass scanning as PoC availability spreads.

What changes if this fails to be contained: the historical pattern for unauthenticated perimeter-device RCEs runs 24–72 hours from disclosure to mass scanning, and within seven days initial-access-broker listings appear on dark-web markets — meaning by next week your firewall could be a commodity. The signal that tells you which path we're on: whether Shadowserver's exposure count drops sharply by the weekend (defenders are mitigating) or holds steady (the vulnerable surface is becoming a market).

There is a particular kind of horror in discovering that the tool you used to check for malware was itself delivering malware. That is the Trivy story — and Russian outlet Xakep published a detailed new post-mortem this morning arguing the full blast radius still is not visible.

On March 19, 2026, a threat actor known as TeamPCP compromised Aqua Security's Trivy — the most widely adopted open-source vulnerability scanner in the cloud-native ecosystem — poisoning GitHub Actions, release binaries, and Docker Hub images simultaneously. Legit Security puts the exposure window between three and twelve hours depending on the component. Trivy runs in thousands of CI/CD pipelines on every pull request and every deployment, with access to pipeline secrets by design — cloud credentials, SSH keys, Kubernetes tokens.

The cruelty was in the design. The malware executed before the legitimate scanning logic, so workflows showed green while exfiltrating data to attacker-controlled infrastructure, per Aqua Security. Your pipeline reported success. Your secrets were already gone.

Xakep's reconstruction adds operational detail Western coverage has under-emphasized: attackers abused a risky GitHub Actions configuration, stole a personal access token tied to Aqua's automation, and in some cases rewired existing tags rather than creating obviously malicious new releases — a subtle method that lets poisoned artifacts flow downstream without dramatic signals. The outlet also flags identical stealer behavior later appearing in Checkmarx GitHub Actions, which lines up with Palo Alto Networks' Cortex team saying the campaign is "not completely over" and the Trivy compromise appears to be a root from which additional attacks are emerging.

What changes if this keeps unfolding: organizations that thought they contained a March incident will discover in May that credentials stolen during those three-to-twelve hour windows are being used in fresh intrusions now. The signal: watch GitHub's advisory for any organization-level repository named tpcp-docs — the fallback exfiltration path. Its presence means your secrets walked. Pin every GitHub Action to a full commit SHA going forward; mutable tags can be force-pushed, and this attack proved it at scale.

If the name MOVEit makes your stomach drop, that is the correct response. The managed file transfer platform was ground zero for the largest breach wave of 2023, when the Cl0p ransomware gang exploited a single SQL injection flaw to hit more than 2,700 organizations including the U.S. Department of Energy, Shell, and British Airways.

CVE-2026-4670 landed in the National Vulnerability Database this week — an authentication bypass in Progress MOVEit Automation, the workflow component of the MOVEit suite, carrying a CVSS score of 9.8. That score means unauthenticated, network-reachable, low complexity, no user interaction. In practice: an attacker who can reach your MOVEit Automation instance over the network may bypass login entirely.

A companion flaw landed in the same window — CVE-2026-5174, an improper input validation issue in the same product, CVSS 7.7, allowing privilege escalation. Two critical flaws in the same product in the same disclosure window is a pattern worth watching: it suggests someone was looking hard at MOVEit Automation specifically.

No exploitation has been confirmed yet, and there is no KEV listing as of this writing. But MOVEit's history compresses the window between "disclosed" and "mass-exploited" to days. The signal that tells you which path this takes: whether Cl0p's leak site adds new Progress-customer victims in the next two weeks, and whether Progress publishes mitigations before exploitation telemetry surfaces. If you run MOVEit Automation and it is internet-facing, restrict access to trusted IPs now while you wait for the patch.

Not every ransomware note is really about ransom anymore. Rapid7's reporting, carried by BleepingComputer overnight, says an intrusion they examined looked like a Chaos ransomware attack on the surface — leak-site post, extortion pressure, the usual theater — but the underlying infrastructure and tradecraft pointed instead to MuddyWater, the Iranian state-linked espionage group also tracked as Mango Sandstorm and Seedworm.

That distinction reorders how you read the incident. A criminal gang wants money fast; a state operator may want persistence, intelligence, and confusion. Rapid7 says the attackers used Microsoft Teams social engineering to talk employees into screen sharing, harvested credentials, tampered with multi-factor authentication, and established access via remote tools like AnyDesk and DWAgent. The ransomware branding was cover — something loud and familiar to make defenders misclassify the operation as criminal noise while a quieter intelligence campaign ran underneath.

What changes if this becomes a pattern: the standard incident-response playbook for ransomware — restore from backups, negotiate or do not, move on — fails badly when the real objective was persistence. The signal to watch: more incidents pairing Teams-based social engineering with off-the-shelf ransomware branding, especially against organizations with no obvious extortion-economy value but clear intelligence value. If you see a Chaos note inside a defense contractor or a regional government and the financial logic does not add up, the financial logic probably is not the point.

A firewall with a public exploit and no patch, a vulnerability scanner that turned out to be the burglar, and an Iranian intelligence service cosplaying as a ransomware crew — Thursday's perimeter is mostly suggestion. Somewhere in a SOC right now, an analyst is staring at a green CI/CD pipeline and trying to remember whether anything good has ever come from a tool that says everything is fine.

Stay paranoid.

If you know someone who runs a firewall, a build pipeline, or a Windows fleet — that is everyone — forward this.