Palo Alto Networks disclosed CVE-2026-0300 — a CVSS 9.3 unauthenticated RCE in the PAN-OS User-ID Authentication Portal — the second User-ID zero-day in days, exploited in the wild since April 9 by a group Unit 42 ties to Chinese state-sponsored operations. Meanwhile, Polish intelligence confirmed ICS breaches at five water treatment plants with the ability to modify SCADA parameters, and a new unpatched Linux kernel root exploit — Dirty Frag — has a public proof-of-concept with no fix from any major distribution. This issue covers all three, along with a wave of Linux-targeted malware, AI agent framework vulnerabilities, and a major retail breach at Zara.

In the News

PAN-OS User-ID Zero-Day Exploited Since April 9 by Suspected State Actors

Palo Alto Networks published an advisory for CVE-2026-0300, a critical unauthenticated remote code execution vulnerability in the PAN-OS User-ID Authentication Portal. The flaw is a buffer overflow that requires no credentials — an attacker with network access to the portal gains full control of the firewall appliance.

This is the second PAN-OS User-ID zero-day disclosed in recent days, and the exploitation timeline is significant: Unit 42 confirms in-the-wild exploitation dating back to April 9, 2026 — nearly a month of undetected activity before public disclosure. The threat activity carries what Unit 42 describes as “hallmarks of Chinese state hacking,” consistent with espionage-focused intrusions that target perimeter network devices for persistent access and traffic interception.

The operational consequence is straightforward. Organizations running PAN-OS with the User-ID Authentication Portal exposed to the internet have been vulnerable to unauthenticated takeover of their firewall infrastructure for approximately 29 days. Firewall compromise is particularly severe because it positions the attacker on the most privileged network device — capable of intercepting traffic, modifying routing, and disabling security controls for the entire environment.

What defenders should do: Patch immediately. If patching requires a maintenance window, disable the User-ID Authentication Portal’s internet exposure now. Audit PAN-OS management plane logs for anomalous process execution, unexpected outbound connections from management interfaces, and any authentication portal activity from unusual source IPs since April 9. Treat any firewall that was running an exposed User-ID portal as potentially compromised and scope a forensic review.

Polish Intelligence Warns of ICS Breaches at Five Water Treatment Plants

Poland’s security agency confirmed that threat actors breached industrial control systems at five water treatment facilities and gained the ability to modify SCADA equipment operational parameters — the settings that control water treatment processes. The agency attributed the activity to “intensified hostile cyber activity” from Russian intelligence services.

The significance is in the depth of access. These were not IT network compromises that stopped at the corporate perimeter. The attackers reached the operational technology layer and had the ability to change process controls — the kind of access that, in a water treatment context, directly impacts public safety. The breach pattern points to insufficient segmentation between enterprise IT and OT networks, a consistently documented gap in critical infrastructure environments.

This incident follows a pattern of ICS-targeting activity against water utilities globally, including the 2021 Oldsmar, Florida incident and the 2023 Municipal Water Authority of Aliquippa breach. In each case, the root enabler was inadequate separation between IT and OT environments.

What defenders should do: For organizations with OT environments, the primary control is enforceable IT/OT segmentation — not just VLANs, but policy-enforced boundaries with protocol-aware inspection. Deploy OT-specific network monitoring capable of detecting anomalous SCADA protocol activity (Modbus writes, DNP3 control commands, S7 parameter modifications) from unexpected sources. Audit all pathways from enterprise IT to OT networks and eliminate any that are not operationally required. MITRE ATT&CK for ICS techniques: T0855 — Unauthorized Command Message, T0831 — Manipulation of Control.
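The "unexpected source issuing Modbus writes" check above can be expressed directly against captured traffic. The following is an added example written for this brief, not code from the newsletter or from any vendor: it parses the Modbus/TCP MBAP header and function code, keeps only the function codes that change controller state, and raises a T0855-style alert when the source address is outside an engineering-workstation allow list. The sample frames, the IP addresses and the `10.10.1.0/28` allow list are constructed; the function-code table comes from the public Modbus application protocol specification.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Modbus function codes that alter controller state (public Modbus spec).
# Read-only codes (1-4, 7, 8, 17, 43) are deliberately absent.
MODBUS_WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}


@dataclass(frozen=True)
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Parse the 7-byte MBAP header and the function code of a Modbus/TCP frame.

    Returns None for anything that is not a well-formed frame, so the detector
    never crashes on runts, fragments or non-Modbus traffic seen on port 502.
    """
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol identifier is always 0; the length field counts unit id + PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    # The high bit of the function code marks exception responses; mask it.
    return ModbusFrame(tid, unit, payload[7] & 0x7F)


def detect_unauthorized_writes(flows, authorized_writers):
    """flows: iterable of (src_ip, dst_ip, payload) from the OT segment.
    authorized_writers: CIDR strings allowed to issue write commands."""
    nets = [ip_network(n) for n in authorized_writers]
    alerts = []
    for src, dst, payload in flows:
        frame = parse_modbus_tcp(payload)
        if frame is None or frame.function not in MODBUS_WRITE_FUNCTIONS:
            continue
        if any(ip_address(src) in net for net in nets):
            continue  # expected engineering host; no alert
        alerts.append({
            "src": src,
            "dst": dst,
            "unit": frame.unit_id,
            "function": MODBUS_WRITE_FUNCTIONS[frame.function],
            "technique": "T0855 Unauthorized Command Message",
        })
    return alerts


# Constructed sample capture: three valid frames and one truncated frame.
SAMPLE_FLOWS = [
    # engineering workstation writes a single register: allowed
    ("10.10.1.5", "10.10.2.20", bytes.fromhex("0001 0000 0006 01 06 0010 1234")),
    # HMI reads holding registers: not a write, never alerts
    ("10.20.0.7", "10.10.2.20", bytes.fromhex("0002 0000 0006 01 03 0000 000a")),
    # host on the corporate IT range writes multiple registers: alert
    ("192.168.50.9", "10.10.2.20",
     bytes.fromhex("0003 0000 0009 01 10 0020 0001 02 abcd")),
    # runt frame: ignored by the parser
    ("192.168.50.9", "10.10.2.20", bytes.fromhex("0004")),
]
AUTHORIZED_WRITERS = ["10.10.1.0/28"]  # constructed engineering-host range


if __name__ == "__main__":
    for alert in detect_unauthorized_writes(SAMPLE_FLOWS, AUTHORIZED_WRITERS):
        print(alert)
```

In production the flows would come from a span port or an OT sensor export rather than an inline list, and the allow list would be maintained per unit id; the parsing and policy logic stay the same. The same structure applies to DNP3 and S7 with their own header and function tables.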

Dirty Frag: Unpatched Linux Kernel Root Exploit With Public PoC

A new Linux kernel local privilege escalation vulnerability — dubbed Dirty Frag — has a public proof-of-concept exploit that grants root privileges on all major distributions with a single command. No CVE has been assigned. No patch is available from upstream or any distribution vendor as of May 8, 2026.

Dirty Frag is a successor to Copy Fail (CVE-2026-31431), which is already under active exploitation. The PoC availability combined with the lack of a patch creates a window of exposure for every Linux system reachable by a local or low-privilege attacker — which includes container escape scenarios, compromised web applications, and any environment where an attacker has achieved initial access with unprivileged credentials.

What defenders should do: Enable kernel exploit mitigations where not already active: SMAP, SMEP, and KASLR. Monitor for anomalous privilege escalation on Linux hosts — setuid calls, unexpected root process creation, and modifications to kernel memory regions. Restrict local user access to production systems. For container environments, ensure that container runtimes are configured with seccomp profiles and that privileged containers are not running unnecessarily. Track upstream kernel mailing lists for patch availability and deploy immediately when released.
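To turn the mitigation checklist above (SMEP, SMAP, KASLR, seccomp-confined containers) into something a fleet can report on, here is an added example written for this brief rather than code from the newsletter or any distribution. It reads the same procfs and sysctl sources an administrator would inspect by hand (`/proc/cpuinfo` flags, `/proc/cmdline` for `nosmep`, `nosmap` and `nokaslr`, `kernel.randomize_va_space`, and the `Seccomp:` line of `/proc/self/status`) and returns a list of findings. The sample inputs are constructed; the CPU-flag and command-line checks are heuristics, since a flag advertised by the CPU only means the kernel can use the feature, and KASLR can only be confirmed absent when it is explicitly disabled.

```python
from pathlib import Path


def cpu_flags(cpuinfo_text: str) -> set:
    """Return the feature flags of the first CPU listed in /proc/cpuinfo."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def seccomp_mode(status_text: str) -> int:
    """Seccomp mode from /proc/<pid>/status: 0 none, 1 strict, 2 filter, -1 unknown."""
    for line in status_text.splitlines():
        if line.startswith("Seccomp:"):
            return int(line.split(":", 1)[1].strip())
    return -1


def assess(cpuinfo_text: str, cmdline_text: str,
           randomize_va_space: int, status_text: str) -> list:
    """Compare the host against the mitigation baseline; return human-readable findings."""
    findings = []
    flags = cpu_flags(cpuinfo_text)
    params = set(cmdline_text.split())
    for feat in ("smep", "smap"):
        if feat not in flags:
            findings.append(f"{feat.upper()} not advertised by the CPU; "
                            "the kernel cannot enforce it on this host")
        elif f"no{feat}" in params:
            findings.append(f"{feat.upper()} disabled by no{feat} on the kernel command line")
    if "nokaslr" in params:
        findings.append("KASLR explicitly disabled by nokaslr on the kernel command line")
    if randomize_va_space != 2:
        findings.append(f"kernel.randomize_va_space={randomize_va_space}; "
                        "userspace ASLR is not in full mode (expected 2)")
    if seccomp_mode(status_text) == 0:
        findings.append("no seccomp filter on this process; a container runtime "
                        "seccomp profile is probably not applied")
    return findings


def host_report() -> list:
    """Run assess() against the live host; missing files count as unknown."""
    def read(path):
        try:
            return Path(path).read_text()
        except OSError:
            return ""
    rva = read("/proc/sys/kernel/randomize_va_space").strip()
    return assess(read("/proc/cpuinfo"), read("/proc/cmdline"),
                  int(rva) if rva.isdigit() else -1, read("/proc/self/status"))


# Constructed sample: a CPU without SMAP, KASLR disabled at boot, no seccomp.
SAMPLE_CPUINFO = ("processor\t: 0\nvendor_id\t: GenuineIntel\n"
                  "flags\t\t: fpu vme de pse tsc msr pae mce cx8 sep smep\n")
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz-6.8.0 root=/dev/vda1 ro nokaslr\n"
SAMPLE_RVA = 2
SAMPLE_STATUS = "Name:\tbash\nPid:\t4242\nSeccomp:\t0\nSeccomp_filters:\t0\n"


if __name__ == "__main__":
    for finding in host_report() or ["baseline mitigations present"]:
        print(finding)
```

Run inside a container the seccomp check tells you whether the runtime's default profile actually reached the workload; run on the host it reports the kernel-side posture. Neither replaces the patch once one ships, but both show which hosts have the thinnest margin while none is available.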

Zara Data Breach Exposes 197,000 Customer Records

Zara, the Inditex-owned fast-fashion retailer, disclosed a data breach affecting approximately 197,000 customer records following a database compromise. The specific intrusion vector has not been publicly detailed by Zara or Inditex.

The breach is notable for brand scale — Zara operates in over 90 markets — and for the questions it raises about database-layer security controls. Without a disclosed vector, the defensive takeaway is general but important: database segmentation, access control auditing, and monitoring for anomalous bulk data access patterns remain the primary controls against this class of incident.

What defenders should do: For retail and e-commerce organizations, audit database access controls — specifically, which application service accounts can execute bulk SELECT operations and whether those operations are logged and alerted on. Ensure that web-tier, application-tier, and database-tier traffic is segmented with policy enforcement, not just network separation.

Today’s Deep Dive — Linux Under Siege: PCPJack, Quasar RAT, PamDOORa, and Dirty Frag

The research window for this issue surfaced an unusual concentration of Linux-targeted threats. Beyond the Dirty Frag kernel exploit covered above, three distinct malware families are actively targeting Linux infrastructure — each with a different operational objective.

PCPJack is a credential-theft worm that exploits five CVEs to propagate across cloud infrastructure, targeting AWS credentials, Docker API tokens, and Kubernetes secrets. Its distinguishing behavior: after compromising a host, it identifies and removes competing TeamPCP malware before installing its own persistence — a turf war pattern increasingly common among cloud-targeting criminal groups. PCPJack’s focus on credential harvesting from cloud metadata services and configuration files makes it a direct threat to organizations running self-managed Kubernetes clusters or Docker hosts without secrets management controls. MITRE ATT&CK: T1552.001 — Credentials In Files, T1078.004 — Cloud Accounts.

Quasar Linux RAT (QLNX) is a previously undocumented RAT targeting software developers and DevOps engineers. It includes a rootkit, keylogger, clipboard monitor, and network tunneling capability. The targeting is deliberate — developer workstations are the supply-chain pivot point. Compromising a developer with commit access to production repositories gives the attacker a path to software supply-chain poisoning without needing to breach the build pipeline infrastructure directly. MITRE ATT&CK: T1195.002 — Compromise Software Supply Chain, T1056.001 — Keylogging.

PamDOORa is a new Linux backdoor sold for $1,600 on the Rehub forum. It manipulates Pluggable Authentication Module (PAM) configurations to create persistent SSH access using a “magic password” combined with a specific TCP source port. This bypasses standard SSH monitoring that alerts on failed authentication or unauthorized key additions — the PAM module accepts the magic password as a valid credential, and the login appears legitimate in auth logs. MITRE ATT&CK: T1556.003 — Pluggable Authentication Modules.

The common thread is that Linux endpoint detection coverage in most organizations is dramatically weaker than Windows coverage. EDR agents for Linux exist, but deployment rates are lower, detection rule libraries are thinner, and SOC playbooks for Linux-specific persistence mechanisms (PAM manipulation, LD_PRELOAD hijacking, crontab backdoors) are often absent. The operational takeaway: if your organization runs Linux at scale — in cloud, in containers, in OT — and does not have equivalent detection coverage to its Windows estate, these threats are operating in a visibility gap.

Detection Spotlight

PamDOORa’s PAM module manipulation can be detected by monitoring for unauthorized changes to PAM configuration files. The following Splunk SPL query identifies modifications to PAM configuration and module directories on Linux hosts:

index=linux sourcetype=auditd
(key="pam_config" OR key="pam_modules")
| where action IN ("write", "rename", "unlink", "create")
| eval target=coalesce(name, file)
| search target IN ("/etc/pam.d/*", "/lib/security/*", "/lib64/security/*", "/usr/lib/security/*", "/usr/lib64/security/*")
| stats count earliest(_time) as first_seen latest(_time) as last_seen values(target) as modified_files by host, auid, exe
| sort - count

This requires auditd rules watching the PAM directories. If you do not have them, add these audit rules:

# /etc/audit/rules.d/pam-monitor.rules
-w /etc/pam.d/ -p wa -k pam_config
-w /lib/security/ -p wa -k pam_modules
-w /lib64/security/ -p wa -k pam_modules
-w /usr/lib/security/ -p wa -k pam_modules
-w /usr/lib64/security/ -p wa -k pam_modules

False positive rate is low — PAM configurations change infrequently outside of system updates. Any modification outside a known patching window or configuration management run warrants investigation. Pay particular attention to new .so files appearing in PAM module directories that do not match packages tracked by your distribution’s package manager.
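The auditd and Splunk logic above catches the moment a PAM file changes. A complementary check, useful for hosts that were built before the audit rules were in place, is to audit the current contents of `/etc/pam.d` against a baseline of expected modules: the PamDOORa behaviour described in the deep dive (a module that accepts an extra credential as valid) shows up as an unfamiliar module in the `auth` stack, or as a module loaded from a path outside the normal module directories. The following is an added example written for this brief, not code from the newsletter or from any distribution; it parses PAM rule syntax including `[bracketed]` controls and `\` continuations, skips `include`/`substack` references, and reports findings. The baseline module list, the directory list and the sample `sshd` file are constructed and should be replaced with values taken from your own golden image.

```python
import os
from pathlib import Path

# Constructed baseline: modules expected in this environment's golden image.
BASELINE_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so",
    "pam_faildelay.so", "pam_nologin.so", "pam_succeed_if.so", "pam_limits.so",
    "pam_systemd.so", "pam_motd.so", "pam_mail.so", "pam_keyinit.so",
    "pam_loginuid.so", "pam_selinux.so", "pam_sepermit.so", "pam_lastlog.so",
    "pam_faillock.so", "pam_pwquality.so", "pam_access.so", "pam_localuser.so",
}
# Directories PAM modules are legitimately loaded from (assumed list; extend per distro).
PAM_MODULE_DIRS = ("/lib/security", "/lib64/security", "/usr/lib/security",
                   "/usr/lib64/security", "/usr/lib/x86_64-linux-gnu/security")


def parse_pam_rules(text: str):
    """Yield (lineno, type, control, module, args) for each effective rule."""
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not buf:
            start = n
        if line.endswith("\\"):           # rule continues on the next line
            buf.append(line[:-1])
            continue
        buf.append(line)
        tokens = " ".join(buf).split()
        buf = []
        if len(tokens) < 3:
            continue
        rtype = tokens[0].lstrip("-").lower()   # leading '-' marks optional modules
        j = 1
        if tokens[1].startswith("["):         # [value=action ...] control syntax
            while j < len(tokens) and not tokens[j].endswith("]"):
                j += 1
        control = " ".join(tokens[1:j + 1]).lower()
        module = tokens[j + 1] if j + 1 < len(tokens) else ""
        if module:
            yield start, rtype, control, module, tokens[j + 2:]


def audit_pam_config(name: str, text: str, baseline=BASELINE_MODULES) -> list:
    """Return (severity, file, lineno, message) tuples for suspicious rules."""
    findings = []
    for lineno, rtype, control, module, _args in parse_pam_rules(text):
        if control in ("include", "substack"):
            continue                      # references another stack file, not a module
        basename = os.path.basename(module)
        if module.startswith("/") and not any(
                module.startswith(d + "/") for d in PAM_MODULE_DIRS):
            findings.append(("high", name, lineno,
                             f"module loaded from non-standard path: {module}"))
        elif basename not in baseline:
            # An unknown module that can satisfy auth on its own is the
            # shape of a password backdoor; elsewhere it is still worth a look.
            sev = "high" if rtype == "auth" else "medium"
            findings.append((sev, name, lineno,
                             f"module not in baseline: {basename} ({rtype} {control})"))
        elif rtype == "auth" and basename == "pam_permit.so" and control == "sufficient":
            findings.append(("high", name, lineno,
                             "pam_permit.so marked sufficient in the auth stack"))
    return findings


def audit_pam_dir(path="/etc/pam.d") -> list:
    """Audit every file in a PAM configuration directory on the live host."""
    findings = []
    for f in sorted(Path(path).glob("*")):
        if f.is_file():
            findings.extend(audit_pam_config(f.name, f.read_text(errors="replace")))
    return findings


# Constructed sample resembling /etc/pam.d/sshd with two planted anomalies.
SAMPLE_SSHD = """\
# constructed sample, not a real sshd file
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
auth       sufficient   pam_example_unknown.so
account    required     pam_nologin.so
account    include      password-auth
session    required     pam_selinux.so close
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    required     /tmp/.cache/pam_example.so
"""


if __name__ == "__main__":
    for finding in audit_pam_dir():
        print(finding)
```

Pair the findings with the package-manager check mentioned above: a module that is in the baseline but whose file on disk is not owned by any installed package (`dpkg -S` or `rpm -qf` returns nothing) deserves the same treatment as an unknown module.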
