
Weekly Threat Roundup: Critical PAN-OS Flaw Exploited (May 4-10)

Cybersecurity roundup for 2026-05-04 to 2026-05-10. 10 CVE advisories, 5 breach reports, 4 threat news stories.

This Week at a Glance

This week saw active exploitation of critical vulnerabilities in Palo Alto Networks PAN-OS and the LiteLLM AI gateway, alongside a newly disclosed Ivanti EPMM RCE that is also being exploited. Data breaches hit major brands including Zara and Vimeo, and CISA announced a new initiative to harden critical infrastructure.

Top Vulnerabilities

  • CVE-2026-42208 (CVSS 9.8, Critical, Actively Exploited): SQL injection in the LiteLLM proxy server allowing attackers to call LLM APIs.
  • CVE-2026-0300 (CVSS 9.3, Critical, Actively Exploited): Buffer overflow in Palo Alto Networks PAN-OS Captive Portal enabling unauthenticated RCE.
  • CVE-2026-6973 (CVSS 7.2, High, Actively Exploited): Improper input validation in Ivanti EPMM allowing remote authenticated admin-level RCE.
  • CVE-2026-42298 (CVSS 10.0, Critical): “Pwn Request” vulnerability in the Postiz AI social media scheduler enabling unauthenticated RCE via pull-request CI builds.
  • CVE-2026-41070 (CVSS 10.0, Critical): SSO bypass in the openvpn-auth-oauth2 plugin for OpenVPN.
  • CVE-2026-40281 (CVSS 10.0, Critical): Unauthenticated file overwrite in the Gotenberg PDF API.
  • CVE-2026-33587 (CVSS 10.0, Critical): Server-Side Template Injection (SSTI) leading to RCE in Open Notebook v1.8.3.
  • CVE-2026-42826 (CVSS 10.0, Critical): Unauthorized credential disclosure in Azure DevOps.
  • CVE-2026-42812 (CVSS 9.9, Critical): Apache Polaris writes Iceberg metadata to attacker-chosen paths.
  • CVE-2026-41512 (CVSS 9.9, Critical): JavaScript injection in the NVIDIA garak-based AI scanner leading to RCE.
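The Gotenberg file overwrite and the Apache Polaris metadata write above belong to the same bug class: a service takes a file name or path from the request and writes to it without checking that the result stays inside the directory it owns. The check below is an added example of how such a service should confine the path, written in Python; it is not code from either project, and the exact mechanism of those two CVEs is assumed here rather than taken from the advisories.

```python
"""Confine a caller-supplied file name to one output directory.

Added example: the containment check a service needs before writing to a
path that a request influences. Not code from Gotenberg or Apache Polaris;
the mechanism of those two CVEs is assumed, not taken from the advisories.
"""
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when a requested name would land outside the output directory."""


def resolve_within(base_dir: str, requested: str) -> Path:
    """Return the absolute path for `requested` inside `base_dir`, or raise.

    Both sides are resolved first, so '..' segments and symlinks are
    collapsed before the containment test. Joining an absolute `requested`
    onto a Path discards `base_dir` entirely; the test catches that as well.
    """
    if "\x00" in requested:
        raise UnsafePath("embedded NUL byte in file name")
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    if candidate == base or not candidate.is_relative_to(base):
        raise UnsafePath(f"{requested!r} escapes {base}")
    return candidate


def probe(base_dir: str, names: list[str]) -> dict[str, bool]:
    """Map each requested name to True (accepted) or False (rejected)."""
    verdicts = {}
    for name in names:
        try:
            resolve_within(base_dir, name)
            verdicts[name] = True
        except UnsafePath:
            verdicts[name] = False
    return verdicts


def demo() -> dict[str, bool]:
    """Exercise the check in a scratch directory (constructed test data):
    a subdirectory plus a symlink that points outside the directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "jobs").mkdir()
        (base / "escape").symlink_to(base.parent)  # symlink out of base
        return probe(tmp, [
            "report.pdf",           # plain name: accepted
            "jobs/out.pdf",         # nested name: accepted
            "jobs/../report.pdf",   # '..' that stays inside: accepted
            "../outside.pdf",       # classic traversal: rejected
            "/etc/passwd",          # absolute path: rejected
            "escape/passwd",        # traversal through a symlink: rejected
            "",                     # the directory itself: rejected
        ])


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {name!r}")
```

The point of resolving both sides is that a plain string check for `..` misses symlinks, and a check done before resolution misses `jobs/../../x`; comparing the fully resolved candidate against the fully resolved base catches both. The accepted path is what the service should then open, never the raw request value.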

Data Breaches

  • Woflow: 448,000 accounts exposed, including emails and addresses.
  • Zara: 197,000 accounts compromised, exposing emails and order details.
  • Vimeo: 119,000 accounts leaked, exposing emails and names.
  • LegionProxy: 10,000 accounts exposed, including hashed passwords.
  • Reborn Gaming: 126 accounts exposed.

Threat Intelligence

  • Ivanti EPMM RCE Exploited: Threat actors are actively exploiting CVE-2026-6973 to gain admin-level access.
  • Palo Alto PAN-OS Flaw in the Wild: The critical PAN-OS Captive Portal RCE (CVE-2026-0300) is under active exploitation.
  • CISA Critical Infrastructure Initiative: CISA announced a new program to bolster cybersecurity for America’s critical infrastructure.
  • Dark Web Claims: The Genesis ransomware group claimed a breach of the American Board of Preventive Medicine. ShinyHunters claimed Houghton Mifflin Harcourt. LeakBazaar claimed 9 MB of data from Marlborough Partners.

Key Takeaway

The convergence of AI tooling vulnerabilities with critical infrastructure threats is accelerating. This week brought critical (CVSS 9.8 to 10.0) bugs in an AI scheduling tool (Postiz), an AI model scanner (ai-scanner), and an LLM proxy (LiteLLM), while CISA simultaneously announced new infrastructure hardening efforts. Security teams should patch AI/ML pipeline tools with the same urgency as traditional network infrastructure.
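The Postiz item is an instance of the “Pwn Request” pattern: a GitHub Actions workflow triggered by `pull_request_target` checks out the pull request’s head commit and builds or tests it, so a fork PR runs attacker-controlled code with the base repository’s secrets and GITHUB_TOKEN. The scanner below is an added example of how to find that combination in workflow files; it is not Postiz’s CI configuration or code from the project, and the two workflow texts it checks are constructed for illustration.

```python
"""Scan GitHub Actions workflow text for the "Pwn Request" pattern.

A workflow triggered by `pull_request_target` runs in the base repository's
context: it receives repository secrets and a GITHUB_TOKEN that can be
write-scoped. If that workflow also checks out the pull request's head
commit and builds, installs or tests it, any fork PR can run
attacker-controlled code with those privileges. Added example; not Postiz's
CI configuration. The two workflows below are constructed for illustration.
"""
import re

# Checkout refs that point at code the PR author controls.
PR_HEAD_REF = re.compile(
    r"ref:\s*\$\{\{\s*github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)\s*\}\}"
)
CHECKOUT = re.compile(r"uses:\s*['\"]?actions/checkout")
PRIVILEGED_TRIGGER = re.compile(r"\bpull_request_target\b")


def strip_yaml_comments(text: str) -> str:
    """Drop '# ...' comments so a commented-out trigger is not counted.
    Naive on purpose: it does not understand '#' inside quoted strings."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def pwn_request_findings(workflow_text: str) -> list[str]:
    """Return findings for one workflow file; an empty list means clean."""
    text = strip_yaml_comments(workflow_text)
    findings = []
    if (PRIVILEGED_TRIGGER.search(text)
            and CHECKOUT.search(text)
            and PR_HEAD_REF.search(text)):
        findings.append(
            "pull_request_target trigger plus checkout of the PR head: a fork "
            "PR can execute its own code with this repository's secrets"
        )
    return findings


# Constructed sample: the vulnerable shape.
VULNERABLE_WORKFLOW = """\
name: pr-build
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # PR author's code
      - run: npm ci && npm test                           # runs it with secrets
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample: the hardened shape. `pull_request` gives fork PRs no
# secrets and a read-only token, so running their code is contained.
HARDENED_WORKFLOW = """\
name: pr-build
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW),
                        ("hardened", HARDENED_WORKFLOW)):
        print(label, pwn_request_findings(text) or ["clean"])
```

The fix is the one the hardened sample shows: build untrusted PR code under `pull_request`. If `pull_request_target` is genuinely needed (for example, to label or comment on PRs), the workflow must never check out or execute the PR’s head; a `pull_request_target` workflow that checks out only the base branch is reported clean by this scanner for that reason.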
