RCE in PAN-OS and Ivanti EPMM Exploited: Check Exposure and Patch; DAEMON Tools Lite Supply Chain Compromised

Palo Alto Networks (PAN) has published a security advisory disclosing a critical flaw in PAN-OS that is under active exploitation but will not be patched until May 13, 2026 at the earliest. CVE-2026-0300, CVSS score 9.3, allows an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets, due to a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal, affecting PA-Series and VM-Series firewalls. Devices are vulnerable only if both of the following conditions are true: the User-ID portal has been configured, and there is "an interface management profile with response pages enabled and associated with an external/internet-accessible interface." Prisma Access, Cloud NGFW, and Panorama appliances are unaffected. PAN states that "this issue will be fixed in upcoming releases of PAN-OS," versions 10.2, 11.1, 11.2, and 12.1, which are anticipated on May 13 or May 28 depending on the version. While awaiting patches, PAN strongly recommends users disable User-ID Authentication Portal if not required, and otherwise "Restrict User-ID™ Authentication Portal access to only trusted zones ... disable Response Pages in the Interface Management Profile attached to every L3 interface in any zone where untrusted/internet traffic can ingress ... [and] keep Response Pages enabled only on interfaces in trust/internal zones where legitimate users' browsers ingress." PAN's Unit 42 reports unsuccessful exploitation attempts starting April 9, but a week later attackers achieved RCE and injected shellcode; by April 29, the attackers were able to achieve RCE on a second device and download network tunneling and proxy tools. The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on May 6, with a remediation deadline of May 9.

On Thursday, May 7, Ivanti released updates to address five high-severity vulnerabilities in on-premises Ivanti Endpoint Manager Mobile (EPMM). Ivanti says that one of the flaws, CVE-2026-6973, is being actively exploited. The vulnerability is due to improper input validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1, which allows a remotely authenticated user with administrative access to achieve remote code execution. Users are urged to update to a fixed version of Ivanti EPMM. Ivanti also recommends that users review accounts with Admin rights and rotate associated credentials. The other four vulnerabilities addressed in the updates are two improper access control issues: CVE-2026-5786 and CVE-2026-5788; and two improper certificate validation issues: CVE-2026-5787 and CVE-2026-7821.

The developer of DAEMON Tools, a virtual drive and disk image shareware program, has confirmed that its supply chain experienced "unauthorized interference" resulting in the release of compromised installation packages for DAEMON Tools Lite version 12.5.1. Disc Soft Ltd. credits Kaspersky for identifying and analyzing the compromise. Disc Soft "received notification" of the issue around 7:00 GMT on May 5, 2026, and within 12 hours had isolated and secured affected systems, removed unsafe files from distribution, audited the build and release pipeline, rebuilt and validated installation packages, and strengthened security controls and monitoring. DAEMON Tools Lite version 12.6.0.2445 is the latest release, which "no longer exhibits the behavior" discovered by Kaspersky. No other products were affected, including DAEMON Tools Ultra and DAEMON Tools Pro. Disc Soft recommends that any users who downloaded DAEMON Tools Lite 12.5.1 during the affected period uninstall the application, run a full system antivirus scan, and then download version 12.6.0.2445 or later. Kaspersky reports that the supply chain had been compromised since April 8, delivering a multi-stage infection: the initial payload collects and relays network and device information to the attacker's server, and the secondary payload is backdoor malware. While the reconnaissance stage reached over 100 organizations across Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China, Kaspersky only observed the backdoor stage reaching about a dozen organizations profiled by the first stage, mainly government, science, manufacturing, and retail sector systems in Russia, Belarus, and Thailand. Disc Soft is continuing to investigate the root cause of the attack, and has not verified any attribution claims.

This week, Cisco published nine security advisories to address 14 CVEs across its product line. Five of the CVEs are rated high-severity: a remote code execution vulnerability (CVE-2026-20034) and a server-side request forgery vulnerability (CVE-2026-20035) in Cisco Unity Connection; a SNMP denial-of-service vulnerability (CVE-2026-20185) in Cisco SG350 and SG350X Series Managed Switches; a remote device denial-of-service vulnerability (CVE-2026-20167) in Cisco IoT Field Network Director; and a connection exhaustion denial-of-service vulnerability (CVE-2026-20188) in Cisco Crosswork Network Controller and Cisco Network Services Orchestrator, which requires a manual reboot for system recovery. The advisories also address medium-severity vulnerabilities in Cisco Slido, Cisco Prime Infrastructure, Cisco Identity Services Engine, and Cisco Enterprise Chat and Email Lite Agent.

Operators of US critical infrastructure (CI) must take proactive steps to ensure they are ready to sustain essential operations under the conditions of a geopolitical crisis, says new guidance from the US Cybersecurity and Infrastructure Security Agency (CISA). The "CI Fortify" initiative urges owners and operators to focus immediately on isolation and recovery capabilities. "Operators should assume that in a conflict scenario third-party connections–such as telecommunications, internet, vendors, service providers, and upstream dependencies–will be unreliable and that threat actors will have some access to the OT network." Preparing for isolation ensures service does not shut down during an emergency as a result of cyberattacks or degraded communications via third-party connections. Operators should set a service delivery target for critical customers, determine the infrastructure needed to meet that target while isolated, update business continuity plans and engineering processes to anticipate weeks or months of isolation while still maintaining safe operations, and track isolation information from CISA and the Sector Risk Management Agency (SRMA). Preparing for recovery includes "documenting systems, backing up critical files, and practicing the replacement of systems or the transition to manual in case isolation fails and components are rendered inoperable," as well as addressing communications dependencies and workarounds with managed service providers, system integrators, and vendors. CISA notes that this emergency planning and documentation will aid in isolating compromised systems from unauthorized access and will yield better overall continuity across all disruptions. The CI Fortify page also includes a call to action for non-operators, describing the roles of vendors and suppliers, managed service providers and integrators, and volunteers in protecting critical infrastructure.

The Australian government has announced the appointment of the country's Cyber Incident Review Board, as established under the Cyber Security Act 2024. The review process will take place after a cyber incident has occurred and the initial investigation and response are complete. The purpose of the Board is to "identify the contributing factors to cyber incidents to help sectors prepare for future cyber attacks ... [and] provide recommendations to government and industry on its findings." The Board will not make any determinations as to who is at fault for a cyber incident. The Board may request information from entities involved in the cyber incidents they investigate; if the entities are not forthcoming with the requested information, the Board Chair will have "limited information gathering powers to compel relevant information from entities involved." Narelle Devine, Telstra Global Chief Information Security Officer, will chair the Board, which will have six additional standing members. The Board will also solicit applications for and select members of an Expert Panel with expertise in cyber security, legal matters, and other relevant sector‑specific fields to support Board in the review process.

The US Federal Trade Commission (FTC) has reached a proposed settlement with Kochava, an Idaho-based data broker, and its subsidiary Collective Data Solutions, over the company's sale of geolocation data. Among the data Kochava sells is geolocation data that can pinpoint a device's location to within 10 meters. An FTC investigation prompted a 2022 lawsuit that alleged Kochava was selling this information without consumers' knowledge or consent. The settlement "prohibit[s] ... Kochava and its subsidiary from selling, sharing or disclosing sensitive location data without consumers’ affirmative express consent." The settlement also requires Kochava and Collective Data Solutions to develop and implement a program to ensure that they do not disclose sensitive location data; implement a program to ensure that consumers have provided consent for any and all location data obtained by the company; notify the FTC if they become aware that a third-party has shared sensitive data in violation of the requirements; allow consumers to request the names of businesses or individuals to whom their data were sold, providing consumers with a clear and simple way to withdraw consent for the sale of device location data; and develop "a data retention schedule that will require the deletion of data on an established timeframe."

Instructure, the company which maintains the Canvas learning management system (LMS) platform, has released its final status page update responding to a data breach disclosed on May 1, 2026. The company states that Canvas is fully operational, and recommends users enforce MFA on privileged accounts, review admin access, and rotate API tokens or keys. CISO Steve Proud stated in previous announcements that an unauthorized threat actor accessed names, email addresses, student ID numbers, and messages among users, also causing service outages and prompting security measures that included revoking credentials and rotating application keys. Affected institutions are publishing their own notices and communicating with students and faculty about the impact of the breach, including encouraging vigilance for phishing attempts due to the data theft. Harvard University, Rutgers University, Duke University, the University of Minnesota, and others have reported unauthorized posts appearing on Canvas allegedly by the threat actor. Instructure has not disclosed the nature or scope of the breach, and has not yet communicated through other channels nor commented to news sources.

Matthew Issac Knoot, of Nashville, Tennessee, and Erick Ntekereze Prince, of New York, have each been sentenced to 18 months in prison for their roles in schemes enabling North Korean citizens to pose as legitimate US IT workers. Knoot and Prince both hosted laptop farms at their homes, installing remote desktop applications on the machines to make it appear that people in North Korea were working from US residences. The fraudulent employment of the workers affected nearly 70 US companies. Knoot was sentenced in Tennessee on May 1; the judge ordered him to pay $15,100 in restitution to the companies that hired the fraudulent workers, and to forfeit an additional $15,100. Prince was sentenced in Florida on May 6; the judge also ordered him to forfeit $89,000, the amount he was paid to assist with the scheme.

A US federal judge in Ohio has sentenced Deniss Zolotarjovs to 102 months (8.5 years) in prison for his role as a negotiator for several ransomware groups. Zolotarjovs, who is from Latvia, was arrested in the country of Georgia in 2023 and extradited to the US in 2024. In July 2025, he pleaded guilty to charges of money laundering and wire fraud. While he was not involved in launching the ransomware attacks, Zolotarjovs analyzed data stolen from ransomware victims to determine what level of ransom should be demanded and whether the data should be published if the victims refused to pay.