Two zero-days in the same PAN-OS User-ID Authentication Portal component in two weeks. That is not a coincidence — it is a signal that state-sponsored actors have identified this attack surface as a reliable entry point and are systematically mining it for vulnerabilities. Today's brief also covers CISA’s new CI Fortify initiative for disconnected infrastructure operations, MuddyWater’s use of ransomware as espionage camouflage, and an intrusion where attackers used a commercial AI assistant to navigate an OT environment in real time.
In the News
Second PAN-OS User-ID Zero-Day Exploited Since April 9
CVE-2026-0300 is an unauthenticated remote code execution vulnerability in the Palo Alto Networks PAN-OS User-ID Authentication Portal, carrying a CVSS score of 9.3. The root cause is a buffer overflow that allows an unauthenticated attacker to execute arbitrary code on affected firewalls — no credentials required, no user interaction needed.
Suspected state-sponsored threat actors have exploited this vulnerability in the wild since at least April 9, 2026 — nearly a month before public disclosure. This is the second zero-day in the User-ID Authentication Portal in two weeks. The previous vulnerability, disclosed last week, targeted the same component. The repeated exploitation pattern indicates that this portal surface is under active, systematic research by advanced threat actors.
No patch is currently available. Palo Alto Networks has committed to releasing a fix within two weeks. In the interim, the primary mitigation is restricting User-ID Authentication Portal access to trusted networks — it should not be internet-exposed. Organizations should also monitor for indicators of post-exploitation activity including unexpected administrator accounts, configuration changes, and lateral movement from the firewall management plane.
What defenders should do: Confirm whether the User-ID Authentication Portal is internet-exposed. If it is, restrict access to trusted source IPs immediately. Monitor firewall logs for anomalous authentication events and configuration modifications dating back to April 9. Treat this as an assumed-compromise scenario for any internet-exposed portal and hunt accordingly.
MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter)
Source: BleepingComputer, Palo Alto Security Advisory
CISA Launches CI Fortify — Disconnected Operations for Critical Infrastructure
CISA has launched CI Fortify, an initiative directing critical infrastructure operators to prepare for sustained operations without internet or telecommunications connectivity during a prolonged cyberattack. The program targets operators in energy, water, wastewater, and transportation sectors — the same sectors that have seen escalating attacks from state-sponsored groups including Volt Typhoon and CyberAv3ngers over the past two years.
The strategic shift here is significant. CI Fortify moves the conversation from “detect and respond” to “operate through.” The assumption is no longer that connectivity can be restored quickly — it is that connectivity may be deliberately destroyed or degraded for an extended period, and the infrastructure must continue to function. This means network segmentation that actually isolates OT from IT, out-of-band management paths that do not depend on the same networks being attacked, and recovery architectures that can rebuild from air-gapped backups without cloud dependencies.
For operators accustomed to cloud-first orchestration and remote management, this is a fundamental architecture question: what still works when the internet is gone?
What defenders should do: Identify which operational functions depend on internet connectivity and map the failure cascade if that connectivity is severed for 72+ hours. Test out-of-band management paths. Verify that backup restoration procedures work without cloud access. Expect sector-specific guidance from ISACs within weeks.
Source: The Record (Recorded Future)
MuddyWater Deploys Chaos Ransomware as Espionage False Flag
MuddyWater, the Iranian state-sponsored group tracked by Microsoft as Mango Sandstorm, has been observed deploying Chaos ransomware during intrusions that are actually espionage operations. The ransomware is a decoy — designed to trigger the victim’s ransomware incident response playbook while the real objective, data exfiltration, continues in parallel.
Initial access in observed campaigns was achieved through Microsoft Teams social engineering — a vector that bypasses email security controls entirely and exploits the implicit trust users place in internal collaboration platforms. Once inside, MuddyWater operators staged data for exfiltration while simultaneously deploying Chaos ransomware to create noise, urgency, and misdirection.
The false-flag tactic is operationally effective because it exploits a gap in most incident response programs: ransomware and espionage have different playbooks, different escalation paths, and different remediation priorities. If the IR team locks onto ransomware containment, the exfiltration channel may go unexamined until forensic analysis — days or weeks later.
What defenders should do: When responding to ransomware, always investigate for concurrent data exfiltration. Correlate ransomware deployment timing with DNS queries, outbound data volumes, and staging activity. If ransomware appears alongside data exfiltration indicators, treat the ransomware as secondary to the espionage objective. Restrict external Microsoft Teams access and enable external access controls in Teams admin settings.
MITRE ATT&CK: T1566 (Phishing), T1486 (Data Encrypted for Impact), T1041 (Exfiltration Over C2 Channel), T1036 (Masquerading)
Source: BleepingComputer
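The correlation step described above, as an added example that is not code from the original brief or from any vendor: for each host it compares mean hourly outbound volume in the hours before the first ransomware event against that host's earlier baseline, on constructed hourly flow totals; the host names, timestamps and the lookback and ratio thresholds are assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample: hourly outbound bytes per host, as a SIEM would
# aggregate them from flow or proxy logs. Hypothetical hosts and volumes.
OUTBOUND_HOURLY = [
    ("fs01", "2026-05-05T08", 1_500_000),
    ("fs01", "2026-05-05T09", 1_700_000),
    ("fs01", "2026-05-05T10", 1_600_000),
    ("fs01", "2026-05-06T20", 900_000_000),    # staging and exfil begin
    ("fs01", "2026-05-06T21", 1_200_000_000),
    ("fs01", "2026-05-06T22", 950_000_000),
    ("ws07", "2026-05-05T08", 400_000),
    ("ws07", "2026-05-06T21", 450_000),
]
# Constructed: timestamp of the first ransomware encryption event per host.
RANSOMWARE_FIRST_SEEN = {"fs01": "2026-05-07T01:30", "ws07": "2026-05-07T01:32"}

def exfil_before_ransomware(outbound, first_seen, lookback_h=12, ratio=10.0):
    """Flag hosts whose mean hourly outbound volume in the lookback window
    before ransomware execution is at least `ratio` times their earlier
    baseline. Returns {host: {"baseline_mean", "window_mean", "ratio"}}."""
    flagged = {}
    for host, ts in first_seen.items():
        t_ransom = datetime.strptime(ts, "%Y-%m-%dT%H:%M")
        t_start = t_ransom - timedelta(hours=lookback_h)
        window, baseline = [], []
        for h, hour, nbytes in outbound:
            if h != host:
                continue
            t = datetime.strptime(hour, "%Y-%m-%dT%H")
            if t_start <= t < t_ransom:
                window.append(nbytes)
            elif t < t_start:
                baseline.append(nbytes)
            # Hours at or after the ransomware event are ignored so that
            # encryption noise does not contaminate either series.
        if not window or not baseline:
            continue  # no comparison possible; report such hosts separately
        b, w = mean(baseline), mean(window)
        r = w / b if b else float("inf")
        if r >= ratio:
            flagged[host] = {"baseline_mean": b, "window_mean": w, "ratio": r}
    return flagged

if __name__ == "__main__":
    for host, s in exfil_before_ransomware(OUTBOUND_HOURLY, RANSOMWARE_FIRST_SEEN).items():
        print(f"{host}: outbound {s['ratio']:.0f}x baseline in the hours before encryption")
```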
Attackers Used Claude AI to Navigate OT Environment During Water Utility Intrusion
Threat actors who breached an unnamed Mexican water and drainage utility used Anthropic’s Claude AI during the live intrusion to help navigate the operational technology environment. The AI was used as a real-time operational guide — helping the attackers understand industrial control system interfaces, protocols, and network topology they were encountering for the first time.
This is not an AI vulnerability story. The AI did not create the initial access, did not exploit a vulnerability, and did not write the malware. What it did was lower the skill barrier for OT targeting. An attacker who has never operated in an ICS/SCADA environment can now use a general-purpose AI assistant to interpret HMI screens, identify PLCs, and understand process control logic — capabilities that previously required specialized industrial knowledge.
The fundamental defensive question remains unchanged: why could the attacker reach the OT environment at all? If IT/OT segmentation had prevented traversal from the compromised IT network to the OT network, the AI’s knowledge would have been irrelevant. The tool the attacker uses to navigate is secondary to the access control failure that allowed navigation in the first place.
What defenders should do: Verify IT/OT segmentation is enforced — not just designed, but tested. Confirm that no IT-sourced traffic can reach OT networks without passing through a monitored chokepoint. Deploy OT asset visibility tooling to detect anomalous access patterns. The mitigation for AI-assisted OT intrusion is the same as for any OT intrusion: prevent the access.
MITRE ATT&CK: T1078 (Valid Accounts), T1021 (Remote Services), T1570 (Lateral Tool Transfer)
Source: SecurityWeek
Today’s Deep Dive — Repeated Zero-Days in the Same Component: What It Signals
When two zero-day vulnerabilities appear in the same software component within two weeks, the operational implications extend beyond “patch and move on.” The PAN-OS User-ID Authentication Portal situation illustrates a pattern that defenders should recognize: once an advanced threat actor identifies a productive attack surface, they do not stop at one vulnerability. They systematically audit the component for additional flaws, sometimes stockpiling exploits for sequential deployment.
This pattern has historical precedent. Microsoft Exchange’s ProxyLogon (CVE-2021-26855) was followed by ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) within months — all targeting the same Client Access Services component. The Fortinet FortiOS SSL-VPN saw CVE-2018-13379, CVE-2022-42475, and CVE-2023-27997 in the same VPN portal surface. In each case, the pattern was the same: initial zero-day exploitation, patch, then a second (or third) zero-day in the same component as the attacker’s research pipeline continued producing results.
The defensive response to this pattern is not to wait for each individual patch. It is to treat the component itself as a high-risk attack surface requiring compensating controls regardless of the specific CVE. For the PAN-OS User-ID Authentication Portal, that means:
- Restrict exposure — The portal should not be internet-facing unless operationally required. If it must be exposed, restrict to known source IP ranges via access control lists.
- Monitor for post-exploitation — Even after patching CVE-2026-0300, assume a third vulnerability may exist. Monitor for anomalous activity from the firewall management plane: unexpected admin sessions, configuration exports, new user accounts.
- Segment the management plane — Firewall management interfaces should be on a dedicated management VLAN with strict access controls. Compromise of the User-ID portal should not grant access to the full management plane.
- Hunt retroactively — The exploitation window extends back to April 9. Any organization with an internet-exposed User-ID portal during that period should treat this as an assumed-compromise scenario and conduct a forensic review.
MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1098 (Account Manipulation)
Detection Spotlight
For organizations monitoring PAN-OS environments, the following Splunk SPL query identifies anomalous authentication events on the User-ID Authentication Portal — specifically, successful authentication events from source IPs that have not been seen in the previous 30 days. This is a high-signal indicator of credential use following exploitation.
index=pan_logs sourcetype=pan:system log_subtype="auth"
action="success" description="*User-ID*"
| stats earliest(_time) as first_seen count by src_ip, user
| where first_seen > relative_time(now(), "-24h@h")
| lookup previously_seen_auth_ips src_ip OUTPUT seen_before
| where isnull(seen_before) OR seen_before="false"
| table src_ip, user, first_seen, count
| sort -count
This query requires a lookup table (previously_seen_auth_ips) populated with source IPs that have successfully authenticated in the previous 30 days. Build the lookup with a scheduled search running daily. New source IPs authenticating to the User-ID portal — especially from unexpected geographies or ASNs — warrant immediate investigation, particularly for any activity dating back to April 9.
For organizations without Splunk, the equivalent logic applies in any SIEM: baseline normal authentication source IPs for the User-ID portal, then alert on new ones. The false positive rate is low for internet-exposed portals with a stable user population.
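The SIEM-agnostic baseline logic above, which also covers the post-exploitation monitoring the deep dive calls for, as an added example in Python rather than SPL; this is not code from the original brief or from Palo Alto Networks. It builds a 30-day baseline of source IPs with successful User-ID portal logins and reports IPs first seen in the last 24 hours; the simplified key=value log format, field names and sample values are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified key=value form (hypothetical;
# real PAN-OS system-log field names depend on your version and add-on).
AUTH_LOGS = """\
2026-04-02T08:15:10 auth success src_ip=10.20.30.5 user=jdoe portal=User-ID
2026-04-15T09:02:44 auth success src_ip=10.20.30.5 user=jdoe portal=User-ID
2026-04-20T11:40:01 auth success src_ip=10.20.31.8 user=asmith portal=User-ID
2026-05-06T03:12:59 auth success src_ip=203.0.113.77 user=admin portal=User-ID
2026-05-06T03:14:02 auth success src_ip=203.0.113.77 user=admin portal=User-ID
2026-05-06T10:30:15 auth success src_ip=10.20.30.5 user=jdoe portal=User-ID
2026-05-06T12:00:00 auth failure src_ip=198.51.100.9 user=root portal=User-ID
"""
LINE = re.compile(r"^(?P<ts>\S+) auth (?P<action>\w+) src_ip=(?P<ip>\S+) "
                  r"user=(?P<user>\S+) portal=(?P<portal>\S+)$")

def parse(text):
    """Yield (timestamp, action, src_ip, user, portal); skip unparseable lines."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["action"], m["ip"], m["user"], m["portal"]

def new_source_ips(text, now_iso, baseline_days=30, window_hours=24):
    """Successful User-ID portal logins in the last window_hours from a src_ip with
    no successful login in the preceding baseline_days. Returns {src_ip: summary}."""
    now = datetime.fromisoformat(now_iso)
    window_start = now - timedelta(hours=window_hours)
    baseline_start = window_start - timedelta(days=baseline_days)
    baseline, recent = set(), {}
    for ts, action, ip, user, portal in parse(text):
        if action != "success" or portal != "User-ID":
            continue  # failures are a separate brute-force signal, not this one
        if baseline_start <= ts < window_start:
            baseline.add(ip)
        elif window_start <= ts <= now:
            rec = recent.setdefault(ip, {"users": set(), "count": 0, "first_seen": ts})
            rec["users"].add(user)
            rec["count"] += 1
            rec["first_seen"] = min(rec["first_seen"], ts)
    return {ip: {"users": sorted(r["users"]), "count": r["count"],
                 "first_seen": r["first_seen"].isoformat()}
            for ip, r in recent.items() if ip not in baseline}

if __name__ == "__main__":
    for ip, r in new_source_ips(AUTH_LOGS, "2026-05-06T23:00:00").items():
        print(f"NEW SOURCE {ip}: {r['count']} logins as {r['users']} since {r['first_seen']}")
```

Calling it with baseline_days=0 reproduces the failure mode of a 24-hour-only search, where every source IP looks new.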
References
- PAN-OS Firewall RCE Zero-Day Exploited in Attacks Since April 9 — BleepingComputer
- CVE-2026-0300 Security Advisory — Palo Alto Networks
- CISA Initiative Aims for Critical Infrastructure to Operate During Cyberattacks — The Record (Recorded Future)
- MuddyWater Hackers Use Chaos Ransomware as a Decoy in Attacks — BleepingComputer
- Claude AI Guided Hackers Toward OT Assets During Water Utility Intrusion — SecurityWeek
- Government, Scientific Entities Hit via DAEMON Tools Supply-Chain Attack — SecurityWeek
- Windows Phone Link Exploited by CloudZ RAT — The Hacker News
- Insights Into the Clustering and Reuse of Phone Numbers in Scam Emails — Cisco Talos
- New Cisco DoS Flaw Requires Manual Reboot to Revive Devices — BleepingComputer
- Mirai-Based xlabs_v1 Botnet Exploits ADB — The Hacker News
- Sophisticated Quasar Linux RAT Targets Software Developers — SecurityWeek