ZERO DAY INTEL - May 6, 2026
Sponsorship Spotlight
ZERODAYLABS.TECH
CRACK THE CERT. ADAPT. PASS.
ZeroDay Labs trains you for Security+ and CISSP the smart way: adaptive practice tests that learn your weak spots and drill them until they're strengths. No wasted reps. No generic quizzes. Just targeted prep that levels you up fast.
Start training today at www.zerodaylabs.tech
Study Smarter. Certify Faster.
# Zero Day Intelligence
### Wednesday, May 6, 2026 · Issue: Mid-Week Sweep
[www.zerodayintel.tech](https://www.zerodayintel.tech) · Published Mon / Wed / Fri · By Garett Mattingly
---
Good morning, defenders.
If Monday's issue felt like the calendar was loading up for a fight (Defender 0-days, a fresh Linux KEV, cPanel still on fire), Wednesday is the bell ringing for round two. Three of the five stories in this issue are "drop everything" CVEs, and the one that *isn't* a CVE (the Instructure / Canvas LMS breach) is the kind of identity-adjacent disclosure that probably matters to anyone whose users ever touched a school portal.
This issue: a pre-auth root RCE on Palo Alto firewalls being exploited *before* the patch window opens, the cPanel auth bypass that has now gone multi-actor and started wiping backups, ShinyHunters claiming 280 million records out of Canvas LMS, the Linux "Copy Fail" kernel LPE riding the KEV catalog into in-the-wild exploitation, and Securonix's mapping of a dual-RMM phishing campaign that's quietly chewed through 80+ U.S. orgs. Plus a watch list with the Tuesday CAISI / Big-Tech AI security testing announcement and a fresh CISA critical-infrastructure resilience push.
Let's go.
---
## 1. Palo Alto PAN-OS Captive Portal: pre-auth root RCE under active exploitation, no patch until May 13 (CVE-2026-0300)
If you run PA-Series or VM-Series firewalls with the User-ID Authentication (Captive) Portal enabled, this is your Wednesday. Palo Alto Networks confirmed this week that CVE-2026-0300, an unauthenticated buffer overflow in the Captive Portal service, is being exploited in the wild for "arbitrary code execution as root" on the firewall itself. CVSS sits at 9.3 when the portal is reachable from the internet or untrusted networks, and 8.7 when it's restricted to trusted internal IPs.
The wrinkle that makes this story Wednesday-urgent rather than next-Tuesday-urgent: Palo Alto has stated patches will not begin shipping until May 13. That leaves a hard week of "mitigation only" for a security-vendor product that, by definition, sits at the network edge. Prisma Access, Cloud NGFW, and Panorama appliances are not affected; only PA-Series and VM-Series firewalls configured to use the User-ID Authentication Portal are.
Attribution is open. Reporting to date describes "in-the-wild exploitation" without naming a specific actor or campaign; treat anyone who tells you otherwise with skepticism until a primary source confirms.
### What to do this week
- If you can disable the User-ID Authentication Portal entirely, do. It's the cleanest mitigation.
- If you can't: restrict portal access to trusted zones / known-good IPs only. Pull the portal off any internet-facing interface today.
- Pull a fresh inventory of PA / VM firewalls and confirm which have the Captive Portal enabled. Many shops have it on by default and forget.
- Watch Palo Alto's advisory page for the May 13 patch drop and bake a same-day patch window into your change calendar now, not on the 12th.
- Hunt for anomalous root-level processes or outbound connections from firewall management plane logs over the last 30 days.
**Sources:** Palo Alto Networks advisory ([CVE-2026-0300](https://security.paloaltonetworks.com/CVE-2026-0300)), [SecurityWeek](https://www.securityweek.com/palo-alto-networks-to-patch-zero-day-exploited-to-hack-firewalls/), [The Hacker News](https://thehackernews.com/2026/05/palo-alto-pan-os-flaw-under-active.html).
---
## 2. cPanel/WHM auth bypass goes multi-actor: defacements, ".sorry" wipes, and 7,000+ visibly compromised hosts (CVE-2026-41940)
When we covered CVE-2026-41940 Monday, it was effectively a one-actor event riding a months-long zero-day that predated the patch. Forty-eight hours later it has graduated into something messier: multiple distinct threat-actor clusters now exploiting the same bug, with confirmed destructive impact.
A quick refresher on the vulnerability: it's a CRLF injection in cPanel/WHM's login and session-loading process that lets a remote attacker manipulate the `whostmgrsession` cookie, write an arbitrary session file, and inject `user=root` to bypass authentication entirely. CVSS 9.8. cPanel runs roughly 70 million domains, which is the part of this story that should keep you up at night even if you don't run cPanel yourself: your hosting provider, your clients' hosting providers, and a depressing fraction of the internet's static-content layer probably do.
The new developments since Monday:
- The Hacker News reports targeted exploitation against government and MSP networks, not just the opportunistic mass-scanning attackers seen earlier.
- Help Net Security confirmed multiple threat actors are now exploiting the bug in parallel, with overlapping but distinct tradecraft.
- Censys has counted ~7,135 cPanel/WHM hosts showing the ".sorry" file-extension wipe artifact, strong evidence of large-scale automated exploitation, including in some cases deliberate deletion of backups to prevent recovery.
Patched in cPanel & WHM 11.136.0.5; everything from v11.40 forward is in scope.
### What to do this week
- Patch to 11.136.0.5 or later immediately. If you're an MSP, this needs to go out to every customer fleet you manage with documented sign-off.
- Hunt: scan internet-facing cPanel hosts for files ending in `.sorry` (Censys signature). Also check `whostmgrsession` files for unexpected `user=root` properties.
- Check WHM access logs for anomalous Basic Auth headers containing raw `\r\n`.
- Verify backup integrity. The actor groups are wiping recovery options, so if you have *only* a cPanel-hosted backup target, treat it as untrusted.
- Rotate any credentials that touched cPanel-managed servers in the last 90 days.
**Sources:** [The Hacker News](https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html), [Help Net Security, multiple actors (May 4)](https://www.helpnetsecurity.com/2026/05/04/multiple-threat-actors-actively-exploit-cpanel-vulnerability-cve-2026-41940/), [watchTowr Labs](https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/), [Rapid7 ETR](https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/).
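A hunt script for the three indicators listed above, written here as an added example (it is not cPanel's, Censys's or any vendor's code). It assumes `whostmgrsession` files are simple `key=value` lines and that `Authorization` header values have already been pulled out of whatever request log you keep; the real on-disk session layout and log format are not given on this page, so both are stated assumptions, and every sample value is constructed inline.

```python
"""Hunt helpers for the cPanel/WHM indicators: CR/LF inside Basic Auth
headers, files ending in .sorry, and session files claiming user=root.

Assumptions (not from cPanel docs): session files are key=value lines,
and Authorization header values are handed to us as strings.
"""
import base64
import binascii
import tempfile
from pathlib import Path
from typing import List, Optional

CR_LF = {"\r", "\n"}


def decode_basic_credentials(authz_header: str) -> Optional[str]:
    """Return the decoded 'user:password' of a Basic Authorization header,
    or None if the scheme is not Basic or the token is not valid base64."""
    scheme, _, token = authz_header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    # latin-1 never fails to decode, so control bytes survive for inspection.
    return raw.decode("latin-1")


def basic_auth_has_crlf(authz_header: str) -> bool:
    """True when the header value itself, or the decoded credentials inside
    it, carries a raw CR or LF. No legitimate client sends either."""
    if any(ch in CR_LF for ch in authz_header):
        return True
    creds = decode_basic_credentials(authz_header)
    return creds is not None and any(ch in CR_LF for ch in creds)


def find_sorry_files(root: Path) -> List[Path]:
    """Every regular file under root whose name ends in .sorry (the wipe
    artifact Censys fingerprinted), sorted for stable reporting."""
    return sorted(p for p in root.rglob("*.sorry") if p.is_file())


def sessions_claiming_root(session_dir: Path) -> List[Path]:
    """Session files whose properties assert user=root. Compare the result
    against your known administrator logins; anything left over is a hit."""
    hits = []
    for path in sorted(session_dir.iterdir()):
        if not path.is_file():
            continue
        props = {}
        for line in path.read_text(errors="replace").splitlines():
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
        if props.get("user") == "root":
            hits.append(path)
    return hits


def run_demo() -> dict:
    """Build a constructed sample tree and run all three hunts over it."""
    headers = [
        "Basic " + base64.b64encode(b"admin:correct-horse").decode(),  # benign
        "Basic " + base64.b64encode(b"admin:x\r\nfoo=bar").decode(),  # CR/LF hidden in creds
        "Bearer not-basic-at-all",                                     # not Basic, ignored
        "Basic %%%not-base64",                                         # malformed, ignored
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        web = root / "home" / "site" / "public_html"
        web.mkdir(parents=True)
        (web / "index.html").write_text("<html>ok</html>")
        (web / "index.html.sorry").write_text("")       # constructed wipe artifact
        (root / "backup.tar.gz.sorry").write_text("")   # constructed: backup wiped too
        sessions = root / "sessions"
        sessions.mkdir()
        (sessions / "sess_a").write_text("user=jdoe\nip=203.0.113.5\n")
        (sessions / "sess_b").write_text("user=root\nip=198.51.100.7\n")
        return {
            "crlf_headers": [i for i, h in enumerate(headers) if basic_auth_has_crlf(h)],
            "sorry_files": [str(p.relative_to(root)) for p in find_sorry_files(root)],
            "root_sessions": [p.name for p in sessions_claiming_root(sessions)],
        }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Point `find_sorry_files` at a web root and `sessions_claiming_root` at the real session directory once you have confirmed its format; the Basic Auth check is worth running over a month of headers, not just the last few days, given how long the zero-day predated the patch.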
---
## 3. Instructure / Canvas LMS confirms breach; ShinyHunters lists 280M student & staff records
Instructure, the company behind Canvas, the learning-management system used by a meaningful fraction of K-12 districts and higher-ed institutions worldwide, confirmed a data-theft breach this week. The ShinyHunters extortion crew is claiming responsibility and listing roughly 280 million records spanning approximately 8,800 institutions including colleges, school districts, and online education platforms.
What was taken: names, email addresses, student ID numbers, and internal user-to-user messages. What does not appear to have been taken (per Instructure): passwords, dates of birth, government identifiers, or financial data. That's a meaningful guardrail, but the messaging-content disclosure is its own headache for any institution that used Canvas as a quasi-private comms channel for grading disputes, accommodations conversations, or anything else students and staff assumed was institutional-only.
The IR detail worth flagging is how the data left: the threat actor claims it was exfiltrated using legitimate Canvas data-export features: DAP queries, provisioning reports, and user APIs. Not a zero-day, not an unpatched server: API abuse against features Canvas tenants legitimately turn on every day. Instructure's response so far includes patching, increased monitoring, and forced rotation of application keys, with customers required to re-authorize API access before new keys issue.
Attribution caveat, and this is the second time in two weeks the brand has come up: ShinyHunters has had a messy attribution profile lately. Some actors close to the persona publicly distanced themselves from the recent Vercel claim. Instructure has confirmed the breach itself; the actor identity is self-attributed.
### What to do this week
- If your org integrates with Canvas, inventory every API key issued against your tenant and prepare to re-authorize cleanly.
- Audit which third-party apps had Canvas DAP / provisioning / user-API scopes, and whether they still need them.
- Communications: get ahead of staff and student questions about what messaging content was on Canvas. Treat past Canvas DMs as potentially compromised.
- Watch for downstream phishing. Student email + ID numbers are a classic financial-aid impersonation kit.
**Sources:** [BleepingComputer, Instructure confirms breach](https://www.bleepingcomputer.com/news/security/instructure-confirms-data-breach-shinyhunters-claims-attack/), [BleepingComputer, 8,800 institutions](https://www.bleepingcomputer.com/news/security/instructure-hacker-claims-data-theft-from-8-800-schools-universities/), [TechCrunch (May 5)](https://techcrunch.com/2026/05/05/hackers-steal-students-data-during-breach-at-education-tech-giant-instructure/), [SecurityWeek](https://www.securityweek.com/edtech-firm-instructure-discloses-data-breach/).
---
## 4. Linux "Copy Fail" kernel LPE: PoC-to-KEV in 24 hours, now exploited in the wild (CVE-2026-31431)
We flagged CVE-2026-31431, the Linux kernel `algif_aead` flaw nicknamed "Copy Fail", on Monday as a CISA KEV addition. The development worth a Wednesday update: CISA now confirms in-the-wild exploitation, less than a week after Theori dropped the public proof-of-concept.
Mechanically, Copy Fail is an unprivileged-local-user-to-root LPE built on a four-byte controlled write into the page cache of any readable file. CVSS 7.8 (High), CWE-699. That CVSS feels modest until you remember the attacker profile: any code path that reaches an unprivileged user (a malicious dependency, a captured CI runner, a compromised container's foothold, an SSH'd developer with a poisoned shell history) gets root on the host. Containers and multi-tenant cloud workloads are the obvious blast-radius story.
CISA's KEV deadline for FCEB agencies is May 15 under BOD 22-01. Patches have been pushed by major distributions; the timeline from PoC publication to in-the-wild exploitation was approximately one day.
### What to do this week
- Patch all Linux fleets. Verify kernel versions across servers, containers, and cloud VMs.
- For container-heavy environments, double-check base-image kernel versions in your registry and rebuild downstream images.
- Validate that runtime container security (AppArmor / SELinux profiles, seccomp filters) is actually denying `algif_aead` operations where you don't need them.
- Hunt: review auth logs and process trees for unexpected `setuid` transitions and `algif_aead` socket usage in the last 14 days.
**Sources:** [The Hacker News, KEV addition](https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html), [Cybersecurity News, CISA Linux 0-day](https://cybersecuritynews.com/linux-kernel-0-day-vulnerability-exploited/), [Security Boulevard, Copy Fail explainer](https://securityboulevard.com/2026/05/cisa-says-copy-fail-flaw-now-exploited-to-root-linux-systems/), [CISA KEV catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).
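The third item, confirming that a seccomp or LSM policy really denies `algif_aead`, is easiest to verify by probing from inside the workload you think is locked down. The probe below is an added example, not code from any distribution, CISA or Theori. It assumes Python's `socket.AF_ALG` support (Linux only) and does nothing beyond creating and binding an AF_ALG socket of the requested type, so it answers only "is this interface reachable from here?".

```python
"""Probe whether this process can reach the kernel's AF_ALG user-space
crypto interface for a given algorithm type (default: aead).

Run it inside the container or job you believe is restricted. A policy
that is meant to block algif_aead should make the verdict 'blocked'.
"""
import errno
import socket
from typing import Tuple

# Linux value of AF_ALG; seccomp profiles that filter the socket() syscall
# compare its first argument (the domain) against this number.
AF_ALG_DOMAIN = 38


def probe_af_alg(alg_type: str = "aead", alg_name: str = "gcm(aes)") -> Tuple[str, str]:
    """Return (verdict, detail).

    verdict is one of:
      'reachable'   an AF_ALG socket of alg_type was created and bound
      'blocked'     socket() or bind() was refused; detail is the errno name
                    (EPERM/EACCES point at seccomp or an LSM, EAFNOSUPPORT at
                    a kernel built without CONFIG_CRYPTO_USER_API, ENOENT at a
                    missing algorithm rather than a policy)
      'unsupported' this Python build has no AF_ALG at all (non-Linux host)
    """
    if not hasattr(socket, "AF_ALG"):
        return "unsupported", "socket.AF_ALG not available on this platform"
    try:
        sock = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError as exc:
        return "blocked", errno.errorcode.get(exc.errno, str(exc.errno))
    try:
        # Python's AF_ALG address form is (type, name[, feat, mask]).
        sock.bind((alg_type, alg_name))
    except OSError as exc:
        return "blocked", errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()
    return "reachable", f"{alg_type}/{alg_name}"


def policy_holds(expect_blocked: bool, verdict: str) -> bool:
    """True when the observed verdict matches what the policy should enforce.
    'unsupported' counts as not reachable, since there is nothing to reach."""
    reachable = verdict == "reachable"
    return reachable != expect_blocked


if __name__ == "__main__":
    # Constructed expectation: we assume the workload is supposed to deny aead.
    verdict, detail = probe_af_alg()
    print(f"algif_aead probe: {verdict} ({detail})")
    print("policy holds:", policy_holds(expect_blocked=True, verdict=verdict))
```

If the probe reports `reachable` where you expected a denial, the usual fix is a seccomp rule returning an error from `socket()` when its first argument equals `AF_ALG_DOMAIN` (38); rerun the probe after the change and keep the output alongside the kernel version in your patch evidence.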
---
## Watch List
Items we're tracking but didn't surface to a top slot:
- **CISA "CI Fortify" initiative.** Released Monday, May 5: new guidance pushing critical-infrastructure operators toward isolation and recovery as core resilience objectives, on the assumption that telecom, vendor, and upstream-provider dependencies will fail during a sustained cyber conflict. Worth a read if you're in CI sectors; light on technical specifics. ([Nextgov](https://www.nextgov.com/cybersecurity/2026/05/cisa-unveils-ci-fortify-help-secure-critical-infrastructure-during-conflicts/413333/) · [CISA release](https://www.cisa.gov/news-events/news/cisa-unveils-new-initiative-fortify-americas-critical-infrastructure))
- **UAT-8302 (China-nexus APT) targets governments in South America and southeastern Europe.** Cisco Talos attributes a custom .NET backdoor (`NetDraft` / `NosyDoor`) and shared tooling overlap with other Chinese-speaking actors. Mostly geopolitical; defenders in those regions should review. ([The Hacker News](https://thehackernews.com/2026/05/china-linked-uat-8302-targets.html))
- **Mini Shai-Hulud expands beyond SAP.** The TeamPCP campaign we covered Monday (four poisoned SAP npm packages) has now been seen using identical tradecraft against a `lightning` PyPI package and an Intercom npm package. The supply-chain story is broadening. Re-audit dev credentials and CI tokens. ([Wiz](https://www.wiz.io/blog/mini-shai-hulud-supply-chain-sap-npm) · [The Hacker News](https://thehackernews.com/2026/04/sap-npm-packages-compromised-by-mini.html))
---
## Closing
Three patches, one breach, one campaign, and a quiet through-line that's worth naming. The PAN-OS, cPanel, and Linux Copy Fail stories all share the same fingerprint: public exploitation kicked in within hours-to-days of disclosure, and in two of the three cases the bad guys were already there before the public got the news. That is the new tempo. The window between "we know about it" and "everyone is exploiting it" has effectively closed.
Practical implications:
- Treat any KEV-added CVE with a federal patch deadline as already in-the-wild and prioritize accordingly.
- Bake same-day patch windows for security-vendor products into your change calendar, not next-Tuesday windows.
- Detection-engineering work pays back faster than ever right now: the VENOMOUS#HELPER dual-RMM detection logic is reusable across many IAB campaigns.
Friday's issue will follow up on whether Palo Alto's May 13 patches land cleanly, the Microsoft May Patch Tuesday set (May 12), and any movement on the Mythos / CAISI AI-policy story.
Stay sharp.
---
## About Zero Day Intelligence
Zero Day Intelligence is a thrice-weekly cybersecurity and AI-security briefing for technical defenders, blue/red teamers, IT pros, and cert students. Signal, not summary. Published Monday, Wednesday, Friday at https://www.zerodayintel.tech
Want to advertise with Zero Day Intel? Email us at contact@zerodayintel.tech if you'd like a spot in the newsletter.