Tactical Intelligence

Alerts

Timely tactical analysis connecting breaking developments to tracked threat campaigns and intelligence context.

May 8, 2026 HIGH

Palo Alto Captive Portal Zero-Day Under Active Chinese-Linked Exploitation, First Patches May 13

CVE-2026-0300 (CVSS 9.3) is an unauthenticated, root-level RCE in the PAN-OS User-ID Authentication Portal of PA-Series and VM-Series firewalls, under active exploitation by a likely China-aligned cluster Unit 42 tracks as CL-STA-1132. First hotfixes ship May 13. Anything with the Captive Portal exposed to untrusted networks needs immediate mitigation.

breaking-news active-exploitation palo-alto-networks pan-os zero-day china-state cve-2026-0300 edge-devices cl-sta-1132

May 2, 2026 HIGH

Copy Fail Gives Root on Every Linux Kernel Since 2017, No Race Condition Required

CVE-2026-31431 is a deterministic local privilege escalation in the Linux kernel's authencesn crypto template, with a public exploit and no race condition, making it the most reliable Linux LPE since Dirty Pipe.

alerts linux-kernel privilege-escalation cve-2026-31431 cloud-security

April 28, 2026

When the Security Tool IS the Supply Chain Attack

TeamPCP's supply-chain campaign has propagated from Trivy to Checkmarx KICS, Checkmarx GitHub Actions, two Open VSX plugins, and now Bitwarden CLI. Lapsus$ is handling the extortion. The blast radius now reaches a password manager with 10M+ users.

breaking-news supply-chain trust-exploitation trivy checkmarx bitwarden lapsus active-exploitation

April 26, 2026

Three Critical Exploits Hit Management Planes and Endpoints

Three critical vulnerabilities under active exploitation target FortiClient EMS, Adobe Acrobat Reader, and nginx-ui, collectively exposing enterprise management planes and endpoints to unauthenticated remote code execution.

breaking-news active-exploitation fortinet adobe nginx-ui remote-code-execution zero-day