Cybersecurity News: PAN-OS RCE exploit, Poland water hacks, Ivanti EPMM flaw

In today’s cybersecurity news…

PAN-OS RCE exploit under active use enabling root access and espionage

Palo Alto Networks has disclosed a CVE-numbered flaw that it warns threat actors have already attempted to exploit, so far without success. The bug carries dual CVSS scores of 9.3 and 8.7 and is “a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software.” Fixes are expected on May 13; until then, customers are “advised to secure access to the PAN-OS User-ID Authentication Portal by restricting access to trusted zones, or by disabling it entirely if it’s not used.” The company also attributed the attempts to a likely state-sponsored threat group, stopping short of naming a country, though indications point to Chinese origin.

(The Hacker News and Security Week)

Polish intelligence says hackers attacked water treatment control systems

Poland’s domestic intelligence service said “attackers breached water treatment facilities in five towns in 2025, in some cases gaining access to industrial control systems that could have disrupted water supplies.” The Internal Security Agency (ABW) said water treatment stations in six towns were targeted, with attackers in some cases gaining access to industrial control systems and posing “a direct risk” to the continuity of water supply operations. While not identifying any specific groups, the agency pointed to intensified hostile cyber activity from the Russian Federation.

(The Record)

Ivanti warns of new EPMM flaw exploited in zero-day attacks

Ivanti yesterday warned customers to patch a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) that is being exploited in zero-day attacks. The flaw, CVE-2026-6973, “stems from an Improper Input Validation weakness that allows remote attackers with administrative privileges to execute arbitrary code on targeted systems running EPMM 12.8.0.0 and earlier.” Because exploitation requires an administrative account, Ivanti is advising customers to review accounts with Admin rights and rotate credentials where necessary. The Shadowserver Foundation currently tracks over 850 IP addresses with Ivanti EPMM fingerprints exposed online, most of them in Europe (508) and North America (182).

(BleepingComputer)

DOD contractor’s API flaw exposed military data

User records and military training materials were exposed through API endpoints that lacked meaningful authorization checks, according to a report from Strix, an open-source autonomous security testing project. The platform at the center of the report, Schemata, is an AI-powered virtual training platform used in military and defense settings. According to Strix, “an ordinary low-privilege account was able to access data across multiple tenants, including user listings, organization records, course information, training metadata, and direct links to documents hosted on Schemata’s Amazon Web Services instances.” The exposed information included names, email addresses, enrollment details and the military bases where U.S. service members were stationed.

(Cyberscoop)
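The flaw class in the Strix report is a multi-tenant API that authenticates the caller but never checks whether the organization ID in the request belongs to that caller's tenant. The following is an added illustration, not Schemata's code and not from the report: a vulnerable endpoint beside a hardened one, plus a small Strix-style probe that walks every org ID with one low-privilege account and counts how many the endpoint discloses. All names, tenants, users and URLs are constructed for the example.

```python
"""Added illustration (hypothetical code, not Schemata's) of the authorization
gap described above: a multi-tenant API that trusts a client-supplied
organization ID beside one that scopes every query to the caller's tenant."""
from dataclasses import dataclass
from typing import Callable


class Forbidden(Exception):
    """Raised when a caller is authenticated but not authorized for an object."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str
    role: str  # "admin" or "learner"


# Constructed sample data standing in for the platform's database.
ORGS = {
    "org-1": {"tenant_id": "tenant-a", "name": "Unit Alpha"},
    "org-2": {"tenant_id": "tenant-b", "name": "Unit Bravo"},
}
USERS = [
    {"id": "u1", "org_id": "org-1", "email": "alice@example.mil", "base": "Base One"},
    {"id": "u2", "org_id": "org-2", "email": "bob@example.mil", "base": "Base Two"},
]
DOCS = [
    {"id": "d1", "org_id": "org-1", "url": "https://example-bucket.s3.amazonaws.com/course-1.pdf"},
    {"id": "d2", "org_id": "org-2", "url": "https://example-bucket.s3.amazonaws.com/course-2.pdf"},
]


def list_users_vulnerable(caller: Principal, org_id: str) -> list[dict]:
    """Authentication only: any logged-in account can read any org's users
    simply by changing org_id in the request (the flaw class in the report)."""
    return [u for u in USERS if u["org_id"] == org_id]


def can_access_org(caller: Principal, org_id: str) -> bool:
    """Object-level check: the org must exist and belong to the caller's tenant."""
    org = ORGS.get(org_id)
    return org is not None and org["tenant_id"] == caller.tenant_id


def require_org_access(caller: Principal, org_id: str) -> None:
    # Unknown and foreign org IDs get the same error, so the response does
    # not confirm which IDs exist.
    if not can_access_org(caller, org_id):
        raise Forbidden(f"{caller.user_id} may not access {org_id}")


def list_users(caller: Principal, org_id: str) -> list[dict]:
    """Hardened endpoint: tenant scoping plus a function-level role check."""
    require_org_access(caller, org_id)
    if caller.role != "admin":
        raise Forbidden("listing users requires the admin role")
    return [u for u in USERS if u["org_id"] == org_id]


def document_links(caller: Principal, org_id: str) -> list[str]:
    """Hardened endpoint for document links. A real service would return
    short-lived presigned URLs here instead of permanent bucket URLs."""
    require_org_access(caller, org_id)
    return [d["url"] for d in DOCS if d["org_id"] == org_id]


def count_readable_orgs(caller: Principal, endpoint: Callable[[Principal, str], list]) -> int:
    """Strix-style probe: walk every org ID with one account and count how
    many the endpoint discloses. Anything beyond the caller's own orgs is a
    cross-tenant leak."""
    readable = 0
    for org_id in ORGS:
        try:
            if endpoint(caller, org_id):
                readable += 1
        except Forbidden:
            pass
    return readable


if __name__ == "__main__":
    learner = Principal("u1", "tenant-a", "learner")
    print("vulnerable:", count_readable_orgs(learner, list_users_vulnerable))  # 2
    print("hardened:  ", count_readable_orgs(learner, list_users))             # 0
    print("documents: ", count_readable_orgs(learner, document_links))         # 1
```

The probe is the check worth automating against any multi-tenant API: create one low-privilege account, enumerate object IDs, and compare what comes back against what that account should own. The hardened version makes two separate decisions, object-level (is this org in my tenant?) and function-level (is listing users an action my role may take?), because either check alone still leaks.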

Huge thanks to our sponsor, Vanta

Risk and regulation ramping up—and customers expect proof of security just to do business. Vanta’s automation brings compliance, risk, and customer trust together on one AI-powered platform. So whether you’re prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure—and keeps your deals moving. Learn more at vanta.com/ciso.

PyPI packages deliver ZiChatBot malware via APIs on Windows and Linux

Cybersecurity researchers at Kaspersky have discovered three packages on the Python Package Index (PyPI) repository “that are designed to stealthily deliver a previously unknown malware family called ZiChatBot on Windows and Linux systems.” Unlike traditional malware, “ZiChatBot does not communicate with a dedicated command-and-control (C2) server, but instead uses a series of REST APIs from the public team chat app Zulip as its C2 infrastructure,” the researchers said, adding that the dropper shares a “64% similarity” with another dropper used by the Vietnam-aligned hacking group OceanLotus.

(The Hacker News)
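Using a legitimate SaaS chat service as C2 means the traffic goes to a host that may already be allowed through the proxy, so the path alone is not a usable signal: Zulip's own web client calls the same REST API. What does stand out is who is calling it and how. The following is an added detection example, not Kaspersky's code and not derived from the ZiChatBot sample: it parses a constructed proxy log and flags clients that drive Zulip's REST endpoints from a non-browser User-Agent, or that poll them on a fixed beacon-like cadence. The log format, the `chat.corp.example` allowlist and the thresholds are assumptions to adjust for your environment.

```python
"""Added detection example (not Kaspersky's code) for the Zulip-as-C2 pattern
described above: flag clients that drive Zulip's REST API from a non-browser
User-Agent, or that poll it on a beacon-like fixed interval."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Zulip REST endpoints a bot needs: register an event queue, long-poll it
# for operator commands, and post results as messages.
ZULIP_API = re.compile(r"^/api/v1/(register|events|messages)(?:\?|$)")
BROWSER_UA = re.compile(r"^Mozilla/")
# Zulip Cloud realms live under zulipchat.com; add the self-hosted servers
# your organization actually uses (assumed allowlist for this example).
KNOWN_ZULIP_HOSTS = {"chat.corp.example"}


def is_zulip_host(host: str) -> bool:
    return host.endswith(".zulipchat.com") or host in KNOWN_ZULIP_HOSTS


# Constructed proxy log lines (assumed tab-separated format:
# timestamp, client, method, host, path, user-agent).
SAMPLE_LOG = """\
2025-05-02T10:00:00\t10.0.0.5\tPOST\tacme-dev.zulipchat.com\t/api/v1/register\tpython-requests/2.31.0
2025-05-02T10:00:30\t10.0.0.5\tGET\tacme-dev.zulipchat.com\t/api/v1/events?queue_id=1&last_event_id=-1\tpython-requests/2.31.0
2025-05-02T10:01:00\t10.0.0.5\tGET\tacme-dev.zulipchat.com\t/api/v1/events?queue_id=1&last_event_id=3\tpython-requests/2.31.0
2025-05-02T10:01:30\t10.0.0.5\tGET\tacme-dev.zulipchat.com\t/api/v1/events?queue_id=1&last_event_id=5\tpython-requests/2.31.0
2025-05-02T10:02:00\t10.0.0.5\tPOST\tacme-dev.zulipchat.com\t/api/v1/messages\tpython-requests/2.31.0
2025-05-02T10:00:05\t10.0.0.9\tGET\tchat.corp.example\t/api/v1/messages?anchor=newest&num_before=50\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-05-02T10:03:17\t10.0.0.9\tGET\tchat.corp.example\t/api/v1/events?queue_id=7&last_event_id=12\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-05-02T10:11:42\t10.0.0.9\tGET\tchat.corp.example\t/api/v1/events?queue_id=7&last_event_id=12\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-05-02T10:00:07\t10.0.0.7\tGET\tapi.other.example\t/api/v1/messages\tpython-requests/2.31.0
"""


def parse(log: str):
    """Yield (timestamp, client, host, path, user_agent) per non-empty line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, path, ua = line.split("\t")
        yield datetime.fromisoformat(ts), client, host, path, ua


def detect_zulip_c2(log: str, min_requests: int = 4, max_cv: float = 0.2) -> dict[str, list[str]]:
    """Return {client: [reasons]} for clients whose Zulip API use looks automated.

    The web client uses the same API, so the path alone is not suspicious;
    the signals are a non-browser User-Agent and a fixed polling cadence
    (coefficient of variation of inter-request gaps at or below max_cv)."""
    by_client = defaultdict(list)
    for ts, client, host, path, ua in parse(log):
        if is_zulip_host(host) and ZULIP_API.match(path):
            by_client[client].append((ts, ua))

    findings = {}
    for client, hits in by_client.items():
        reasons = []
        if any(not BROWSER_UA.match(ua) for _, ua in hits):
            reasons.append("non-browser user-agent on Zulip API")
        times = sorted(ts for ts, _ in hits)
        if len(times) >= min_requests:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = sum(gaps) / len(gaps)
            if mean > 0 and pstdev(gaps) / mean <= max_cv:
                reasons.append(f"fixed-interval polling (~{mean:.0f}s)")
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in detect_zulip_c2(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```

In the sample, 10.0.0.5 is flagged on both counts (python-requests User-Agent, 30-second cadence), the interactive user at 10.0.0.9 is not, and 10.0.0.7 is ignored because `api.other.example` is not a Zulip host even though the path matches. A malware author can spoof a browser User-Agent easily, which is why the cadence check is the one to keep; the allowlist of Zulip hosts is what turns "someone uses Zulip" into "someone uses a Zulip realm we never approved".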

Microsoft Edge loads stored passwords in cleartext, says researcher

According to Norwegian security researcher Tom Jøran Sønstebyseter Rønning, Microsoft’s Edge browser “will load saved passwords into memory in plaintext, even when they are not being used.” This happens because “when a user saves passwords in Microsoft Edge, the browser decrypts each credential at startup, storing them in process memory…even when users visit sites that do not require those credentials, yet, the browser will prompt users to re‑authenticate before showing the same passwords in Password Manager UI — even though the process already stores them in cleartext.” Rønning pointed out in a blog post that “if an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes.” When Rønning reported the behavior to Microsoft, he was told it was “by design.”

(Security Magazine)

New PCPJack worm steals credentials, cleans TeamPCP infections

A new malware framework called PCPJack is “stealing credentials from exposed cloud infrastructure while actively removing TeamPCP’s access to the systems.” It targets exposed services such as Docker, Kubernetes, Redis, MongoDB, RayML and vulnerable web applications, and moves laterally across the network once inside. According to SentinelLabs, PCPJack is built for large-scale credential theft that can then be monetized through financial fraud, spam operations, credential resale, or extortion. SentinelLabs also believes PCPJack may have been developed by a former TeamPCP affiliate or member who started their own operation.

(BleepingComputer)
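Every service class on the PCPJack target list ships with a network-facing default port, and the common failure is a daemon bound to 0.0.0.0 on a cloud host with a permissive security group. The following is an added audit example, not SentinelLabs' code: it parses `ss -ltnp` output and reports any of those services listening on a wildcard address rather than on localhost. The port table uses upstream defaults, and the sample `ss` output is constructed; when run on a real host it prefers the live `ss` output.

```python
"""Added audit example (not SentinelLabs' code): parse `ss -ltnp` output and
flag the service classes named above when they listen on a wildcard address,
i.e. are reachable from the network rather than only from localhost."""
import re

# Default ports for the services the report names (upstream defaults).
# 6379 is used by both Redis and Ray's GCS, so the process name settles
# which one it is. A TLS Docker socket is only safe with client-cert auth.
RISKY_PORTS = {
    2375: "Docker API (plaintext)",
    2376: "Docker API (TLS; verify client-cert auth)",
    6443: "Kubernetes API server",
    10250: "kubelet API",
    6379: "Redis / Ray GCS",
    27017: "MongoDB",
    8265: "Ray dashboard",
    10001: "Ray client server",
}
WILDCARD = {"0.0.0.0", "*", "[::]", "::"}
PROC_RE = re.compile(r'users:\(\("([^"]+)"')

# Constructed `ss -ltnp` output standing in for a live host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    0.0.0.0:6379         0.0.0.0:*          users:(("redis-server",pid=812,fd=6))
LISTEN  0       128     127.0.0.1:27017      0.0.0.0:*          users:(("mongod",pid=900,fd=11))
LISTEN  0       4096    *:2375               *:*                users:(("dockerd",pid=700,fd=3))
LISTEN  0       4096    [::]:10250           [::]:*             users:(("kubelet",pid=650,fd=20))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=400,fd=3))
LISTEN  0       4096    127.0.0.1:8265       0.0.0.0:*          users:(("python3",pid=1200,fd=9))
"""


def parse_ss(output: str):
    """Yield (bind_addr, port, process) for each LISTEN line."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        m = PROC_RE.search(line)
        yield addr, int(port), (m.group(1) if m else "?")


def exposed_services(output: str) -> list[dict]:
    """Return one finding per risky port bound to a wildcard address."""
    findings = []
    for addr, port, proc in parse_ss(output):
        if port in RISKY_PORTS and addr in WILDCARD:
            findings.append({"port": port, "service": RISKY_PORTS[port],
                             "bind": addr, "process": proc})
    return sorted(findings, key=lambda f: f["port"])


if __name__ == "__main__":
    import subprocess
    # Use the live host when `ss` is available, otherwise the constructed sample.
    try:
        out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_SS
    for f in exposed_services(out):
        print(f"{f['bind']}:{f['port']}  {f['service']}  ({f['process']})")
```

On the sample this reports the Docker API on 2375, Redis on 6379 and the kubelet on 10250; MongoDB and the Ray dashboard are bound to 127.0.0.1 and are not reported. A wildcard bind is only a finding if the host firewall or cloud security group lets the port through, so the next step is to check those for each reported port rather than assume the worst, but on a host with none of those controls this list is exactly what a scanner like PCPJack's would find.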

World Password Day passes into potential obscurity

Yesterday was World Password Day. An article in Security Magazine argues that it might be the last, and that marking the day may actually signal the beginning of the end for traditional passwords. The cybersecurity leaders interviewed in the piece echo a common refrain: passwords remain one of the weakest points in digital security because people reuse them, share them, or fall victim to increasingly sophisticated AI-driven phishing attacks. Experts from companies such as Orca Security, Appfire, Imprivata, and Ping Identity used the day to argue that the future lies in “passwordless” authentication built on biometrics, passkeys, trusted devices, and cryptographic identity systems.

(Security Magazine)