Transcript
A (0:00)
From the CISO Series. It's Cybersecurity Headlines.
B (0:06)
These are the cybersecurity headlines for Friday, May 8, 2026. I'm Steve Prentiss.

PAN-OS RCE exploit under active use, enabling root access and espionage. This is a recently disclosed CVE-numbered flaw that researchers at Palo Alto Networks are warning may have been exploited by threat actors, if only successfully for the time being. The bug carries the new dual CVSS score of 9.3 and 8.7 and is a buffer overflow vulnerability in the User-ID authentication portal service of Palo Alto Networks' PAN-OS software. Fixes are expected to be released May 13, and customers are advised to secure access to the PAN-OS User-ID authentication portal by restricting access to trusted zones or by disabling it entirely if it is not used. The company also said it was likely a state-sponsored threat group behind all of this, stopping short of naming a country, but indications tend to point towards Chinese origin.

Polish intelligence says hackers attacked water treatment control systems. The country's internal security agency, ABW, said water treatment stations in six towns were targeted last year, with attackers gaining access in some cases to industrial control systems, posing a direct risk to the continuity of water supply operations. While not identifying any specific groups, the agency acknowledged intensified hostile cyber activity from the Russian Federation.

Ivanti warns of new EPMM flaw exploited in zero-day attacks. Ivanti issued a warning to customers yesterday to patch a high-severity remote code execution vulnerability in Endpoint Manager Mobile, that is EPMM, which is being exploited in zero-day attacks. This CVE-numbered flaw stems from an improper input validation weakness that allows remote attackers with administrative privileges to execute arbitrary code on targeted systems running EPMM 12 and earlier. Ivanti is advising customers to review accounts with admin rights and rotate credentials where necessary. Internet security watchdog Shadowserver currently tracks over 850 IP addresses with Ivanti EPMM fingerprints exposed online, most of them from Europe and North America.

DoD contractor's API flaw exposed military data. User records and military training materials were exposed through API endpoints that lacked meaningful authorization checks, according to a report from Strix, an open source autonomous security testing project. The platform at the center of this is called Schemata, i.e. S-C-H-E-M-A-T-A. It is an AI-powered virtual training platform used in military and defense settings. According to Strix, an ordinary low-privilege account was able to access data across multiple tenants, including user listings, organization records, course information, training metadata and direct links to documents hosted on Schemata's Amazon Web Services instances. The exposed information included names, email addresses, enrollment details and the military bases where US service members were stationed.

Huge thanks to our sponsor Vanta. Risk and regulation are ramping up, and customers expect proof of security just to do business. Vanta's automation brings compliance, risk and customer trust together on one AI-powered platform. So whether you're prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure and keeps your details moving. Learn more at vanta.com/ciso, that is v-a-n-t-a dot com slash CISO.

PyPI packages deliver Zai Chatbot malware via APIs on Windows and Linux. Cybersecurity researchers at Kaspersky have discovered three packages on the Python Package Index, that is the PyPI repository, that are designed to stealthily deliver a previously unknown malware family called Zai Chatbot, i.e. "zi" chatbot, on Windows and Linux systems. Unlike traditional malware, Zai Chatbot does not communicate with a dedicated command and control server, but instead uses a series of REST APIs from the public team chat app Zulip as its C2 infrastructure. The researchers also said that the dropper shares a 64% similarity to another dropper used by a Vietnam-aligned hacking group named Ocean Lotus.

Microsoft Edge loads stored passwords in clear text, says researcher. According to Norwegian security researcher Tom Joran sonstebejsetterrunning, Microsoft's Edge internet browser will load saved passwords into memory in plain text even when they are not being used. This is due to the fact that when a user saves passwords in Microsoft Edge, the browser decrypts each credential at startup, storing them in process memory even when users visit sites that do not require those credentials. Yet the browser will prompt users to re-authenticate before showing the same passwords in the Password Manager UI, even though the process already stores them in clear text. Running pointed out in a blog post that if an attacker gains administrative access on a terminal server, they can access the memory of all logged-on user processes. When Running reported this behavior to Microsoft, he was told this behavior was by design.

New PCP Jack worm steals credentials, cleans Team PCP infections. A new malware framework called PCP Jack is stealing credentials from exposed cloud infrastructure while actively removing Team PCP's access to the systems it targets, services such as Docker, Kubernetes, Redis, MongoDB, RayML and vulnerable web applications, by moving laterally on the network. According to SentinelLabs, PCP Jack is designed for large-scale credential theft in order to leverage financial fraud, spam operations, credential resale or extortion. SentinelLabs also believes that PCP Jack may have been developed by a former Team PCP affiliate or member who started their own operation.

World Password Day passes into potential obscurity. Yesterday was World Password Day. An article from Security magazine argues that it might be the last, and that recognizing the day might actually signal the beginning of the end for traditional passwords. Cybersecurity leaders interviewed in the piece echo a common refrain that passwords remain one of the weakest points in digital security because people often reuse them, share them, or fall victim to increasingly sophisticated AI-driven phishing attacks. Experts from companies such as Orca Security, Appfire, Imprivata and Ping Identity used the day to confirm the future lies in passwordless authentication using biometrics, passkeys, trusted devices and cryptographic identity systems.

Remember to join us later today for Super Cyber Friday. Our topic is "Hacking the End of Compliance," and we're going to be digging into the impacts of continuous monitoring on the compliance landscape. This all starts at 1pm Eastern, so head on over to the events page at cisoseries.com to register, and we want you to share this event. If you share the registration link on LinkedIn and tag the CISO Series, we will put you in a drawing to win some awesome CISO Series swag. We hope to see you Friday at 1, and if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
