An actively exploited zero-day in Palo Alto Networks firewalls leads today — CVE-2026-0300 is a CVSS 9.3 unauthenticated buffer overflow in the PAN-OS User-ID portal, and the patch does not land until May 8. That same urgency carries through the rest of the brief: a supply-chain attack that trojanized DAEMON Tools installers to backdoor government labs, a 280-million-record breach claim against the Canvas LMS platform used by 8,800 schools, and a new RAT plugin that steals MFA codes through Windows Phone Link without ever touching the phone.

In the News

PAN-OS Zero-Day Exploited in the Wild — Patch Lands May 8

CVE-2026-0300 is an unauthenticated buffer overflow in the User-ID portal component of PAN-OS, affecting PA-Series and VM-Series firewalls. Palo Alto Networks confirmed active exploitation and assigned a CVSS score of 9.3. The vulnerability requires no authentication and no user interaction — an attacker with network access to the User-ID portal can achieve remote code execution on the firewall itself.

The patch is scheduled for May 8. Until then, the mitigation is architectural: disable internet-facing access to the User-ID portal, or disable the User-ID feature entirely if it is not operationally required. Organizations that rely on User-ID for identity-based policy enforcement should restrict portal access to internal management networks only.

This is the latest in a run of actively exploited PAN-OS zero-days over the past 18 months. Any organization running PA-Series or VM-Series firewalls with the User-ID portal exposed to the internet should treat this as a same-day action item.

What defenders should do: Audit firewall management and service interfaces for internet exposure. Disable or restrict the User-ID portal to internal networks immediately. Because exploitation began before a patch existed, review any firewall that had the portal exposed for signs of prior compromise (unexpected administrator accounts, configuration or policy changes, unfamiliar outbound connections from the management plane); restricting access now does not evict an attacker who is already on the device. Apply the patch on May 8 as a priority deployment and monitor Palo Alto Networks’ advisory for updated IOCs.

DAEMON Tools Supply-Chain Attack Backdoors Government and Scientific Targets

Trojanized DAEMON Tools installers were hosted on the official download site beginning April 8, 2026, according to SecurityWeek. The modified installers carried valid signatures from legitimate code-signing certificates, so they passed allowlist and reputation-based checks without triggering alerts. A valid signature on a malicious build means the attacker reached the vendor’s signing key or its build-and-sign pipeline, not merely the web server, and the certificate should be treated as untrustworthy until the vendor says otherwise.

The attack was surgical. While the compromised installer was available to all visitors, the final backdoor payload was delivered to only approximately a dozen systems, all belonging to government and scientific organizations. This selective targeting implies a gating step between installation and payload: either fingerprinting logic inside the installer, or a first-stage callback that reports host details to the operator’s server, which then decides who receives the second stage. In the second design every victim of the trojanized installer makes that first callback even if it never receives the backdoor, and that callback is the one signal present across the whole population of affected installs.

From a detection perspective, signature-based and hash-based controls were ineffective because the binary was legitimately signed. Behavioral detection — specifically monitoring for anomalous post-installation network callbacks and unexpected child processes spawned by the installer — was the reliable signal. Network detection and response (NDR) tools monitoring for C2 beaconing from systems that recently installed DAEMON Tools would have surfaced this activity.

What defenders should do: Organizations that downloaded DAEMON Tools since April 8 should compare installer hashes against known-good values recorded before that date from a source independent of the vendor’s site (your own software inventory, a package mirror, or a prior EDR file-hash record), since values published on a compromised site cannot be trusted. Also record the signing certificate thumbprint and signing time of any copy you hold; a valid signature alone does not clear it. Deploy behavioral EDR/XDR rules that flag installers spawning unexpected child processes, opening network connections, or writing outside their install directories. Treat supply-chain integrity verification as a continuous process, not a one-time check.

ShinyHunters Claims 280M Records From 8,800 Schools via Canvas LMS

The ShinyHunters extortion group has escalated its claims against Instructure, the company behind the Canvas LMS platform, now stating it has exfiltrated 280 million student and staff records from approximately 8,800 schools and universities. Instructure has not confirmed the scope of the breach or the attack vector.

The education sector is a persistent target for credential theft and extortion. Student and staff records contain PII — names, email addresses, phone numbers, institutional IDs — that fuels credential stuffing, social engineering, and identity fraud at scale. The combination of high data volume, limited security budgets, and endemic credential reuse across student populations makes education institutions disproportionately vulnerable.

ShinyHunters has a documented history of large-scale data theft and extortion. The group’s claims should be treated as credible but unverified until Instructure or an independent investigation confirms the scope. Regardless of the final number, any education institution using Canvas LMS should assume exposed credentials and take action.

What defenders should do: Education institutions on Canvas LMS should force password resets for all users, at the identity provider if Canvas is federated through SSO, since resetting Canvas-local passwords does nothing for accounts that authenticate elsewhere. Enable phishing-resistant MFA where supported, and monitor authentication logs for credential stuffing: a single source failing against many distinct accounts in a short window, and any success from a source that was just doing that. Network segmentation between student, staff, and administrative systems limits lateral movement if stolen credentials are replayed.
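A per-source credential-stuffing rule of the kind the paragraph above describes, as an added Python example that is not code from Instructure, Canvas, or this brief. The log line format, the thresholds, and the sample traffic are assumptions and constructed data; point `parse_line` at your identity provider’s real export format.

```python
"""Credential-stuffing detector over authentication logs (added example).

Not code from Instructure, Canvas, or the brief. The log format is assumed:
one line per attempt, "<ISO timestamp> <source IP> <username> <ok|fail>".
Two rules: a source that fails against many distinct accounts inside a short
window is a stuffing source, and any later success from that source is a
probable account takeover. The sample log is constructed, not real traffic.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
DISTINCT_ACCOUNTS = 20   # distinct usernames one source may fail against per window


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Attempt:
    ts, ip, user, result = line.split()
    return Attempt(datetime.fromisoformat(ts), ip, user.lower(), result == "ok")


def detect(lines, window=WINDOW, threshold=DISTINCT_ACCOUNTS):
    """Return alerts as (kind, source_ip, detail) tuples, in time order."""
    attempts = sorted((parse_line(l) for l in lines if l.strip()), key=lambda a: a.ts)
    recent = defaultdict(deque)      # ip -> deque of (ts, user) failures inside the window
    stuffing_sources = set()
    alerts = []
    for a in attempts:
        q = recent[a.ip]
        while q and a.ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        if not a.ok:
            q.append((a.ts, a.user))
            distinct = {u for _, u in q}
            if len(distinct) >= threshold and a.ip not in stuffing_sources:
                stuffing_sources.add(a.ip)
                alerts.append(("stuffing_source", a.ip, f"{len(distinct)} accounts in {window}"))
        elif a.ip in stuffing_sources:
            # A hit after a spray: a replayed credential worked. Lock or step-up this account.
            alerts.append(("success_from_stuffing_source", a.ip, a.user))
    return alerts


def constructed_log():
    """Constructed sample: normal users plus one source replaying leaked credentials."""
    t0 = datetime(2026, 5, 6, 8, 0, 0)
    lines = [
        f"{(t0 + timedelta(seconds=5)).isoformat()} 10.1.2.3 alice fail",
        f"{(t0 + timedelta(seconds=20)).isoformat()} 10.1.2.3 alice ok",
    ]
    # 25 leaked accounts tried from one address a few seconds apart, then one works
    for i in range(25):
        lines.append(f"{(t0 + timedelta(seconds=30 + 7 * i)).isoformat()} 198.51.100.23 student{i:03d} fail")
    lines.append(f"{(t0 + timedelta(seconds=30 + 7 * 25)).isoformat()} 198.51.100.23 student017 ok")
    lines.append(f"{(t0 + timedelta(minutes=30)).isoformat()} 10.1.2.9 bob ok")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

The per-source threshold catches the cheap version of the attack. Stuffing run through a residential proxy pool, one attempt per address, evades it; for that, add a per-account view (one account failing from many sources) and a global failure-rate view, and group by client fingerprint rather than address where your IdP exposes one.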

CloudZ RAT “Pheno” Plugin Intercepts OTPs Through Windows Phone Link

Cisco Talos documented a new plugin for the CloudZ remote access trojan called “Pheno” that abuses the Windows Microsoft Phone Link integration to intercept SMS messages and one-time passwords from linked Android devices. The attack compromises only the Windows endpoint. No malware is installed on the phone — the RAT reads OTPs through the legitimate Phone Link bridge that syncs SMS messages to the desktop.

This is a clean bypass of SMS-based multi-factor authentication. The user receives the OTP on their phone, Phone Link mirrors it to the Windows desktop, and the Pheno plugin captures the mirrored copy at the moment the user sees it, so the user may complete a legitimate login while the attacker holds a still-valid code. Mobile endpoint detection does not trigger because the phone is clean. Windows EDR must detect the CloudZ RAT behavioral chain (process injection, Phone Link data access, and exfiltration) before the OTP is captured, or at least before the attacker can replay it.

The mitigation is categorical: SMS-based MFA is not phishing-resistant, and this attack demonstrates it is not even endpoint-compromise-resistant when Phone Link is in play. FIDO2 security keys and platform authenticators are immune to this specific technique because there is no OTP to intercept; the assertion is cryptographically bound to the origin of the legitimate service. They are not a cure for the underlying endpoint compromise, though: a RAT already running on the desktop can still steal the session cookie or token issued after a successful FIDO2 login, so the authenticator change must be paired with evicting the RAT.

What defenders should do: Migrate users from SMS-based MFA to FIDO2/WebAuthn (security keys or passkeys); a TOTP authenticator app removes the SMS channel and therefore this Phone Link exposure, but it is not phishing-resistant. On managed Windows endpoints, evaluate whether Microsoft Phone Link is a required feature — if not, disable it via group policy. Deploy EDR rules that detect access to Phone Link data by non-Microsoft processes. MITRE ATT&CK: T1111 — Multi-Factor Authentication Interception, T1557 — Adversary-in-the-Middle.

Today’s Deep Dive — Supply-Chain Attacks Through Signed Binaries

The DAEMON Tools compromise is the latest in a pattern: threat actors who do not need to exploit a vulnerability when they can simply become the software. Trojanizing a legitimate installer on its official distribution site, signed with the vendor’s own code-signing certificate, defeats every control that decides trust by signature validity, publisher reputation, or download origin, which is most of what stands between a user and an unauthorized executable.

This technique maps to MITRE ATT&CK T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain. The SolarWinds Orion compromise (2020) remains the reference case, but the pattern has repeated across Codecov (2021), 3CX (2023), and now DAEMON Tools (2026). Each incident shares the same core mechanic: the attacker inserts malicious code upstream of the victim’s trust boundary, so the victim’s own security controls deliver the payload.

What makes the DAEMON Tools attack notable is the precision. The compromised installer was broadly available, but only a dozen targets received the final payload. This is a design choice by the threat actor — broad distribution maximizes access options; selective payload delivery minimizes exposure and detection surface. Defenders scanning for mass infections would find nothing. Only behavioral analysis of the specific systems that received the second stage would surface the compromise.

Detection requires monitoring for post-installation anomalies: unexpected outbound connections from newly installed software, child processes inconsistent with the application’s normal behavior, and file writes to directories outside the application’s expected scope. YARA rules targeting the specific payload are useful after IOCs are published, but the initial detection window depends entirely on behavioral baselines.

The primary mitigation is defense-in-depth applied to software acquisition: verify installer hashes against a known-good source independent of the download site, enforce application allowlisting that includes behavioral constraints (not just binary identity), and deploy XDR or NDR to detect anomalous post-installation activity. Keep in mind what a valid signature actually proves: that whoever signed the file held the key, and nothing about the file’s intent. A signed binary you trust is an assumption — validate it continuously.
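The post-installation behavioral checks this deep dive calls for, written out as an added Python example that is not code from the brief, SecurityWeek, or any EDR product. It runs over constructed Sysmon-style events and serves both the detection paragraph in the DAEMON Tools item above and this section. The installer file name, the expected-directory baseline, the internal address ranges, and the events themselves are assumptions.

```python
"""Post-installation behavioural triage over Sysmon-style events (added example).

Not code from the brief, SecurityWeek, or any EDR vendor. It implements the
three signals the deep dive describes, scoped to the process tree rooted at an
installer: child processes an installer has no reason to spawn, file writes
outside the installer's expected directories, and outbound connections from
anything in that tree. Event shape, installer name, baseline directories, and
the internal address ranges are assumptions; the events are constructed.
"""
import ipaddress
from dataclasses import dataclass


# Sysmon event IDs used: 1 ProcessCreate, 3 NetworkConnect, 11 FileCreate.
# ProcessGuid/ParentProcessGuid (not PID) link events, so PID reuse cannot
# splice an unrelated process into the installer's tree.
@dataclass
class Event:
    eid: int
    ts: int                # epoch seconds
    guid: str              # ProcessGuid
    image: str             # Image (full path)
    parent_guid: str = ""  # ParentProcessGuid, EID 1 only
    dest_ip: str = ""      # DestinationIp, EID 3 only
    target: str = ""       # TargetFilename, EID 11 only


WINDOW_S = 30 * 60                           # look 30 minutes past installer launch
INSTALLER_IMAGE = "daemon tools setup.exe"   # assumed file name, not from the brief
INTERNAL_NETS = [ipaddress.ip_network(n) for n in   # replace with your own ranges
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Children an installer has no business spawning. cmd.exe/powershell.exe are
# left out on purpose: MSI custom actions use them, so they need a baseline.
SUSPECT_CHILDREN = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe",
                    "bitsadmin.exe", "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _expected_write(path: str) -> bool:
    """Assumed baseline of where a desktop installer legitimately writes."""
    p = path.lower()
    return (p.startswith("c:\\program files\\") or p.startswith("c:\\program files (x86)\\")
            or p.startswith("c:\\windows\\temp\\") or "\\appdata\\local\\temp\\" in p)


def _is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def install_tree(events, root):
    """ProcessGuids descending from `root` that were created inside the window."""
    tree = {root.guid}
    creates = [e for e in events if e.eid == 1]
    grew = True
    while grew:  # repeat until stable; events need not arrive in order
        grew = False
        for e in creates:
            if (e.parent_guid in tree and e.guid not in tree
                    and root.ts <= e.ts <= root.ts + WINDOW_S):
                tree.add(e.guid)
                grew = True
    return tree


def triage(events, installer_image=INSTALLER_IMAGE):
    """Return alert dicts for anomalous activity in each installer's process tree."""
    alerts = []
    for root in (e for e in events if e.eid == 1 and _basename(e.image) == installer_image):
        tree = install_tree(events, root)
        for e in events:
            if e.guid not in tree or not (root.ts <= e.ts <= root.ts + WINDOW_S):
                continue
            if e.eid == 1 and e.guid != root.guid and _basename(e.image) in SUSPECT_CHILDREN:
                alerts.append({"kind": "suspect_child", "image": e.image, "detail": e.parent_guid})
            elif e.eid == 11 and not _expected_write(e.target):
                alerts.append({"kind": "write_outside_scope", "image": e.image, "detail": e.target})
            elif e.eid == 3 and _is_external(e.dest_ip):
                alerts.append({"kind": "outbound_from_install_tree", "image": e.image, "detail": e.dest_ip})
    return alerts


# Constructed sample: a trojanized installer that drops a DLL and beacons via rundll32.
SETUP = r"C:\Users\alice\Downloads\Daemon Tools Setup.exe"
RUNDLL = r"C:\Windows\System32\rundll32.exe"
SAMPLE_EVENTS = [
    Event(1, 1000, "I", SETUP),
    Event(11, 1005, "I", SETUP, target=r"C:\Program Files\DAEMON Tools Lite\DTLite.exe"),  # expected
    Event(3, 1006, "I", SETUP, dest_ip="10.20.30.40"),                                    # internal, ignored
    Event(1, 1010, "C1", RUNDLL, parent_guid="I"),                                         # suspect child
    Event(11, 1012, "C1", RUNDLL, target=r"C:\ProgramData\svchelper\upd.dll"),            # outside scope
    Event(3, 1020, "C1", RUNDLL, dest_ip="203.0.113.7"),                                   # beacon
    Event(3, 1030, "X", r"C:\Windows\explorer.exe", dest_ip="203.0.113.9"),               # not in tree
    Event(1, 1000 + WINDOW_S + 60, "C2", r"C:\Windows\System32\mshta.exe", parent_guid="C1"),  # outside window
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The scoping to the installer’s process tree is what keeps the rule quiet: explorer.exe talking to the internet is not interesting, rundll32.exe spawned by an installer and then talking to the internet is. The directory baseline and the suspect-child list are where the false positives live, so build them from a clean install of the same package before turning the rule on.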

Detection Spotlight

CloudZ RAT’s Pheno plugin accesses the Microsoft Phone Link application data to intercept SMS messages. On managed Windows endpoints, you can detect non-Microsoft processes touching the Phone Link data stores. Sysmon has no file-read event, so the query below keys on file creation (EventCode 11) in the Phone Link local data directory by any process that is not the legitimate Phone Link executable. It fires when the RAT or a helper writes into that directory (staging copies, lock or journal files); a plugin that only reads the store in place generates no EventCode 11 and needs an EDR file-read or process-injection signal instead:

index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    TargetFilename="*\\Microsoft\\PhoneLink\\*"
| eval image_lc=lower(Image)
| where NOT (like(image_lc, "c:\\program files\\windowsapps\\microsoft.yourphone_%")
             AND (like(image_lc, "%\\phonelink.exe") OR like(image_lc, "%\\yourphone.exe")))
| stats count, min(_time) AS first_seen, max(_time) AS last_seen, values(TargetFilename) AS files BY ComputerName, Image
| convert ctime(first_seen), ctime(last_seen)
| sort - last_seen

This query uses Sysmon EventCode 11 (FileCreate, logged when a file is created or overwritten) to surface any process creating files in the PhoneLink directory that is not the legitimate PhoneLink.exe or legacy YourPhone.exe binary running from its Store package folder under WindowsApps. Two checks before deploying it. First, Sysmon only logs EventCode 11 for paths that your Sysmon configuration includes in its FileCreate rules; add an include rule for the Phone Link directory or the query will never return anything. Second, confirm the legitimate executable name, its package folder, and the data path on a reference endpoint: the Phone Link package is still published under the Microsoft.YourPhone identity, so the real process name and directory may not literally contain “PhoneLink”. The exclusion is pinned to the full install path rather than the file name alone because a RAT that names itself PhoneLink.exe in a temp directory would otherwise be excluded. Adjust the exclusion list for your environment. The false positive rate is low (very few legitimate applications interact with this directory), so any hit warrants immediate investigation for RAT activity on that endpoint.

For environments not running Sysmon, an equivalent KQL query for Microsoft Defender for Endpoint:

DeviceFileEvents
| where FolderPath contains @"\Microsoft\PhoneLink\"
// Exclude the legitimate binary only when it runs from its Store package folder (confirm the path on a reference endpoint)
| where not (InitiatingProcessFileName in~ ("PhoneLink.exe", "YourPhone.exe")
             and InitiatingProcessFolderPath startswith @"C:\Program Files\WindowsApps\")
| project Timestamp, DeviceName, ActionType, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, FileName
| sort by Timestamp desc
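The same rule expressed in Python as an added example (not Cisco Talos or brief code), run over constructed Sysmon EventID 11 records, to show the masquerading gap a file-name-only exclusion leaves and how pinning the exclusion to the install path closes it. The Phone Link path and executable names follow the brief; the WindowsApps package folder pattern and the data-directory location are assumptions to confirm on a reference endpoint.

```python
"""Phone Link data-directory write detection with a path-pinned exclusion (added example).

Not code from Cisco Talos or the brief. It applies the Detection Spotlight rule
to Sysmon EventID 11 records and shows why excluding the legitimate process by
file name alone is unsafe: a RAT dropped as PhoneLink.exe in a temp directory
slips through, while pinning the exclusion to the Store package folder catches
it. The "\\Microsoft\\PhoneLink\\" path and the PhoneLink.exe / YourPhone.exe
names are the brief's; the WindowsApps package folder pattern and the data
directory are assumptions to confirm on a reference endpoint. Records are constructed.
"""
import re

PHONE_LINK_DATA = re.compile(r"\\Microsoft\\PhoneLink\\", re.IGNORECASE)
LEGIT_NAMES = {"phonelink.exe", "yourphone.exe"}
# Store apps install under C:\Program Files\WindowsApps\<package folder>; the Phone
# Link package identity is Microsoft.YourPhone (folder pattern assumed).
LEGIT_PACKAGE_DIR = re.compile(
    r"^c:\\program files\\windowsapps\\microsoft\.yourphone_[^\\]+\\", re.IGNORECASE)


def is_legit_phone_link(image: str, pin_to_path: bool = True) -> bool:
    """Name-only exclusion (pin_to_path=False) versus name plus install path."""
    if image.rsplit("\\", 1)[-1].lower() not in LEGIT_NAMES:
        return False
    return LEGIT_PACKAGE_DIR.match(image) is not None if pin_to_path else True


def detect(records, pin_to_path: bool = True):
    """records: dicts with EventID, Computer, Image, TargetFilename (Sysmon field names)."""
    hits = []
    for r in records:
        if r["EventID"] != 11 or not PHONE_LINK_DATA.search(r["TargetFilename"]):
            continue
        if is_legit_phone_link(r["Image"], pin_to_path):
            continue
        hits.append((r["Computer"], r["Image"], r["TargetFilename"]))
    return hits


DATA_DIR = r"C:\Users\bob\AppData\Local\Microsoft\PhoneLink"   # assumed location
SAMPLE_RECORDS = [  # constructed
    {"EventID": 11, "Computer": "WS01",
     "Image": r"C:\Program Files\WindowsApps\Microsoft.YourPhone_1.24.0_x64__8wekyb3d8bbwe\PhoneLink.exe",
     "TargetFilename": DATA_DIR + r"\sms.db"},                          # legitimate sync
    {"EventID": 11, "Computer": "WS01",
     "Image": r"C:\Users\bob\AppData\Local\Temp\PhoneLink.exe",
     "TargetFilename": DATA_DIR + r"\sms.db-journal"},                  # masquerading RAT
    {"EventID": 11, "Computer": "WS01",
     "Image": r"C:\Users\bob\AppData\Roaming\svc\host.exe",
     "TargetFilename": DATA_DIR + r"\cache\otp.tmp"},                   # obvious RAT
    {"EventID": 11, "Computer": "WS01",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Documents\notes.txt"},             # unrelated path
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Users\bob\AppData\Local\Temp\PhoneLink.exe",
     "TargetFilename": ""},                                              # wrong event type
]

if __name__ == "__main__":
    print("name-only exclusion:", len(detect(SAMPLE_RECORDS, pin_to_path=False)), "hit(s)")
    print("path-pinned exclusion:", len(detect(SAMPLE_RECORDS)), "hit(s)")
```

With the name-only exclusion the masquerading copy in Temp is invisible; with the path-pinned exclusion it is the second hit. Whichever form you deploy, remember the limitation noted above: this only sees creates and overwrites, not reads of an existing store.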

Subscribe to the it-learn Brief

Get the daily cybersecurity brief in your inbox every weekday morning — news, SE angles, and detection queries.