Cyber Threat Brief — May 6 2026
⚠️ This report is AI-generated. Always validate findings.
1. PAN-OS Captive Portal Pre-Auth Root RCE — CVE-2026-0300
TL;DR: Unauthenticated heap buffer overflow in PAN-OS User-ID Authentication Portal gives root RCE on PA-Series and VM-Series firewalls. Actively exploited against internet-exposed portals; patches roll out May 13–28.
What’s New:
- CVSS 9.3 (CVSS-BT 4.0) — pre-auth, network-reachable, root-level code execution
- Affects PAN-OS 10.2, 11.1, 11.2, 12.1 across PA-Series and VM-Series; Prisma Access and Cloud NGFW not impacted
- Limited exploitation confirmed against internet-exposed User-ID Authentication Portals
- Palo Alto released Threat Prevention signature (PAN-OS 11.1+) on May 5 to detect exploitation attempts
- Patched releases staggered May 13–28 depending on branch (12.1.4-h5, 11.2.4-h17, 11.1.4-h33, 10.2.7-h34, etc.)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST to /php/uid.cgi with oversized payload | Exploit attempt | T1190 | PAN-OS Threat logs / URL filtering | Enable Threat Prevention signature; monitor for signature hits |
| Anomalous mgmtsrvr or pan_authd child processes | Post-exploitation | T1059 | PAN-OS system logs | Hunt for unexpected shell spawns from auth portal processes |
| Outbound connections from management plane to unknown IPs | C2 | T1071 | PAN-OS traffic logs / firewall egress | Alert on mgmt-plane-initiated outbound connections |
| User-ID Auth Portal exposed to 0.0.0.0/0 | Attack surface | T1190 | Shodan / config audit | Restrict portal access to trusted IPs immediately |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No PAN-OS Captive Portal–specific exploit detection; rely on Threat Prevention sig + generic web server shell spawn |
| Elastic | None | No coverage; custom rule needed for PAN-OS system log anomalies |
| Sigma | None | No rule; community contribution needed for PAN-OS auth portal exploitation patterns |
Sources: Palo Alto Advisory · The Hacker News · SOCRadar · Help Net Security
2. Weaver E-cology Debug API Unauthenticated RCE — CVE-2026-22679
TL;DR: Unauthenticated RCE via exposed Dubbo debug endpoint in Weaver E-cology 10.0 (CVSS 9.8). Exploited in the wild since March 17 with PowerShell cradles, MSI payloads, and Goby-linked C2 at 152.32.173.138.
What’s New:
- Exploit hits POST /papi/esearch/data/devops/dubboApi/debug/method; attacker-controlled interfaceName/methodName params reach OS command execution with no auth
- Vega Research traced earliest exploitation to March 17, five days after the patch shipped (build 20260312)
- Payloads observed: vsgbt.exe, hjchhb.exe via PowerShell download cradle; nvm.exe via encoded PS; fanwei0324.msi via msiexec
- Defense evasion: attacker copied signed powershell.exe to 2.txt to bypass process-name detections
- All attacker processes parented by java.exe (Weaver’s Tomcat JVM) with no preceding authentication
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST /papi/esearch/data/devops/dubboApi/debug/method | Exploit URI | T1190 | WAF / web access logs | Block or alert on requests to this endpoint |
| 152.32.173.138 (Goby C2) | C2 IP | T1071 | Firewall / proxy logs | Block at perimeter |
| vsgbt.exe, hjchhb.exe, nvm.exe | Dropped payloads | T1059.001 | EDR / Sysmon | Hunt for these filenames; collect hashes if present |
| fanwei0324.msi | MSI payload | T1218.007 | Sysmon EventID 1 / EDR | Alert on msiexec.exe loading unknown MSI from temp paths |
| java.exe → cmd.exe → whoami/ipconfig/tasklist | Discovery chain | T1057, T1016 | Sysmon / EDR process tree | Alert on Java spawning shell with recon commands |
| powershell.exe copied to 2.txt | Evasion | T1036.003 | Sysmon FileCreate / EDR | Alert on PE files written with non-exe extensions |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web or Application Server Spawning a Shell (generic) | No Weaver-specific rule; generic Java→shell rule partially covers post-exploitation |
| Elastic | None | No coverage for Weaver E-cology; custom web log rule needed for debug endpoint |
| Sigma | Suspicious Java Process Spawning Shell (generic) | Covers java.exe → shell chain; no URI-specific rule for the Dubbo debug path |
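As an added example (not part of this brief or any vendor rule set), the following Python script implements two of the detections from the Actionable Intel table above: requests to the Dubbo debug endpoint in web access logs, and java.exe spawning a shell that runs a recon command in Sysmon-style process events. The access log lines and process records are constructed for illustration; only the endpoint path, process names and recon commands come from the brief.

```python
import re

# Indicators taken from the brief; everything else in this block is constructed.
DEBUG_URI = "/papi/esearch/data/devops/dubboApi/debug/method"
RECON_CMDS = {"whoami", "ipconfig", "tasklist"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed web access log lines (combined log format), not real traffic.
ACCESS_LOG = """\
10.0.0.5 - - [17/Mar/2026:09:12:41 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method?x=1 HTTP/1.1" 200 512
10.0.0.7 - - [17/Mar/2026:09:13:02 +0000] "GET /login/Login.jsp HTTP/1.1" 200 4096
"""

# Constructed Sysmon Event ID 1 style records (parent image, image, command line).
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Weaver\jdk\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Weaver\jdk\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ipconfig /all"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign: not spawned by the JVM
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_debug_endpoint_hits(log_text):
    """Return (src, method, path) for every request whose path is the Dubbo debug endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        # Compare the path only: strip query string and trailing slash, ignore case.
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path.lower() == DEBUG_URI.lower():
            hits.append((m.group("src"), m.group("method"), m.group("path")))
    return hits

def find_java_recon_chains(events):
    """Return command lines where java.exe spawns a shell that runs a recon command."""
    flagged = []
    for ev in events:
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        words = set(re.findall(r"[a-z]+", ev["CommandLine"].lower()))
        if parent == "java.exe" and image in SHELLS and words & RECON_CMDS:
            flagged.append(ev["CommandLine"])
    return flagged
```

The process-tree rule is the generic Java-spawning-shell logic the Splunk and Sigma rows describe, narrowed to the recon commands reported for this campaign; the endpoint rule fills the URI-specific gap noted for all three sources.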
Sources: The Hacker News · Vega Research · BleepingComputer · GitHub PoC
Status Updates
- CVE-2026-31431 (Linux kernel — Copy Fail): CISA KEV deadline May 15 approaching; Kubernetes container-escape PoC now public (Percivalll/Copy-Fail-Kubernetes-PoC); Go and Rust reimplementations detected in the wild. Patch or disable the algif_aead module. Original brief.
- CVE-2024-1708/1709 (ScreenConnect): Storm-1175/Medusa campaigns ongoing; federal deadline May 12. Original brief.