This morning’s pattern is ugly and consistent: attackers are winning by abusing the trusted layer around the system — the firewall portal, the sandbox wrapper, the collaboration workflow, and the sign-in flow users think they recognize.
Top line: lock down PAN-OS Captive Portal exposure, patch vm2 immediately anywhere untrusted code runs, review Teams-driven remote access and extortion incidents for espionage tradecraft, and treat cloud-hosted compliance-themed phishing as token theft, not just password theft.
Palo Alto says CVE-2026-0300 is a critical buffer overflow in the User-ID Authentication Portal that allows unauthenticated root-level code execution on exposed PA-Series and VM-Series firewalls. Limited exploitation is already underway, and both vendor guidance and outside reporting point to one immediate truth: if Captive Portal is reachable from untrusted IP space, the risk is live now.
The vm2 bug tracked as CVE-2026-26956 lets attackers escape the sandbox and execute code on the host, with a public proof of concept already available. The issue hits Node.js 25 environments using specific runtime features, but the bigger lesson is broader: if your product runs customer-supplied JavaScript, the wrapper is part of the blast radius.
Rapid7-linked reporting says the Iranian group MuddyWater used Microsoft Teams social engineering, screen sharing, credential capture, AnyDesk, DWAgent, and extortion messaging while never actually deploying file-encrypting ransomware. Chaos branding was the costume, but the underlying operation looked like access, persistence, and data theft.
Microsoft observed more than 35,000 attempts across roughly 13,000 organizations using fake internal conduct notices, PDF lures, Cloudflare CAPTCHA gates, and adversary-in-the-middle pages that proxy Microsoft sign-in. That matters because AiTM phishing beats weak MFA by capturing session tokens, not just passwords.
Bottom line: the pattern today is trust inversion. Internet-facing portals, sandbox runtimes, collaboration tools, and familiar sign-in pages all become attack surfaces when teams assume the wrapper is the control.
KENSAI helps teams find exposed portals, fragile execution sandboxes, risky remote-access paths, and identity flows that collapse under real-world phishing pressure.
Start Free Scan →Stay sharp.
🗡️ KENSAI Security Team