Global threats decoded for Indian defenders: a perimeter firewall under live attack, a one-command root flaw in nearly every Linux box, and an extortion crew turning a global SaaS platform against its own users.
1. Palo Alto PAN-OS firewalls under active exploitation — CVE-2026-0300 (CVSS 9.3)
Severity: Critical
An unauthenticated buffer overflow in the PAN-OS User-ID Authentication Portal (Captive Portal) lets a remote attacker run code as root on the firewall itself by sending crafted packets to an internet-facing portal. CISA added it to its Known Exploited Vulnerabilities catalog on 6 May 2026 on evidence of limited, real-world exploitation against publicly accessible portals; Palo Alto's Unit 42 separately attributed observed activity to CL-STA-1132, a likely state-sponsored cluster that ran open-source tunnelling tools and Active Directory enumeration post-compromise.
India exposure: Palo Alto gateways are widely deployed across Indian government, BFSI and large-enterprise perimeters; an internet-reachable Authentication Portal turns the security device into the attacker's foothold.
Action: Inventory PAN-OS appliances, confirm whether the User-ID Authentication Portal is enabled and internet-facing, restrict it to trusted internal IPs immediately, and apply vendor fixes as they ship. Hunt for unexpected tunnelling tools and AD enumeration.
Source: The Hacker News, "Palo Alto PAN-OS Flaw Under Active Exploitation" (6 May 2026); Rapid7 ETR blog on CVE-2026-0300 (6 May 2026).
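The "hunt for unexpected tunnelling tools and AD enumeration" step above can be turned into a repeatable query over process-execution telemetry. The script below is an added example written for this feed, not code from Palo Alto, Unit 42 or any of the cited sources: the log lines are constructed, the tool and command names in the rules are generic indicators (chisel, ngrok, ligolo, reverse SSH, ldapsearch, nltest, net group) rather than anything the reporting attributes to CL-STA-1132, and the log format is an assumed `key=value` layout that you would adapt to your EDR or auditd export. It also correlates findings per host, so a machine showing both a tunnel and directory enumeration is surfaced first.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (one process start per line), assumed key=value format.
LOG_LINES = [
    '2026-05-06T10:12:01Z host=fw-mgmt-jump user=svc_backup cmd="/usr/bin/rsync -a /etc /backup"',
    '2026-05-06T10:13:44Z host=fw-mgmt-jump user=www-data cmd="/tmp/chisel client 203.0.113.10:8080 R:socks"',
    '2026-05-06T10:14:02Z host=fw-mgmt-jump user=www-data cmd="ldapsearch -x -H ldap://dc01.corp.example -b dc=corp,dc=example (objectClass=user)"',
    '2026-05-06T10:15:30Z host=win-ws07 user=CORP\\jdoe cmd="nltest /dclist:corp.example"',
    '2026-05-06T10:16:00Z host=win-ws07 user=CORP\\jdoe cmd="net group \\"Domain Admins\\" /domain"',
    '2026-05-06T10:17:12Z host=app01 user=deploy cmd="ssh -R 9001:localhost:22 ops@198.51.100.7"',
    '2026-05-06T10:18:00Z host=app01 user=deploy cmd="ssh ops@198.51.100.7 uptime"',
]

# Generic post-compromise indicators (illustrative, not a complete rule set).
RULES = [
    ("tunnelling-tool", re.compile(r"\b(chisel|ngrok|ligolo(?:-ng)?|frpc|plink)\b", re.I)),
    ("ssh-reverse-tunnel", re.compile(r"\bssh\b.*\s-R\s", re.I)),
    ("ad-enum-ldap", re.compile(r"\bldapsearch\b.*objectClass=(user|computer|group)", re.I)),
    ("ad-enum-windows", re.compile(r"(nltest\s+/dclist|net\s+group\s+\W*domain admins|\badfind\b|\bdsquery\b)", re.I)),
]
TUNNEL_RULES = {"tunnelling-tool", "ssh-reverse-tunnel"}
AD_RULES = {"ad-enum-ldap", "ad-enum-windows"}

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    command: str


def parse_line(line):
    """Split one telemetry line into its fields; None if it does not match the assumed layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines):
    """Return one Finding per (line, rule) match, in input order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule, pattern in RULES:
            if pattern.search(rec["cmd"]):
                findings.append(Finding(rec["ts"], rec["host"], rec["user"], rule, rec["cmd"]))
    return findings


def correlate(findings):
    """Hosts where both a tunnel and AD enumeration were seen: the highest-priority triage set."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if rules & TUNNEL_RULES and rules & AD_RULES)


if __name__ == "__main__":
    found = hunt(LOG_LINES)
    for f in found:
        print(f"{f.timestamp} {f.host:<14} {f.rule:<20} {f.command}")
    print("Hosts with tunnel + AD enumeration:", correlate(found))
```

Run it over a real export by replacing `LOG_LINES` with the file contents; the value is in the correlation step, since a single reverse SSH tunnel may be legitimate while a tunnel plus domain enumeration from the same host rarely is.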
2. "Dirty Frag" — one-command root on nearly every Linux distro (CVE-2026-43284, CVE-2026-43500)
A chained pair of Linux kernel flaws in the IPsec ESP (xfrm-ESP) and RxRPC subsystems lets any unprivileged local user corrupt the page cache and escalate to root. The research was disclosed early — on 7 May 2026, ahead of patches — after an embargo was broken by a third party, and a public proof-of-concept appeared within a day, raising the risk to any system where an attacker already has a low-privilege foothold.
India exposure: Linux underpins the bulk of Indian data-centre, cloud, government and BFSI server estates; this converts a contained web-app or container compromise into full host takeover.
Action: Track distro advisories (Red Hat, Ubuntu, Debian, AlmaLinux, Rocky and others) and patch as fixes land; where patches lag, apply vendor mitigations and tighten controls on local/container workloads and shared multi-tenant hosts.
Source: AlmaLinux advisory, "Dirty Frag (CVE-2026-43284, CVE-2026-43500) Patches Released" (7 May 2026); Wiz Research disclosure (May 2026).
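Because the two flaws sit in the xfrm-ESP and RxRPC subsystems, a quick way to size your pre-patch exposure is to see which hosts actually have those subsystems loaded or loadable. The script below is an added example for this feed, not code from AlmaLinux, Wiz or any distro: it reads `/proc/modules` and a `modprobe.d` fragment and reports, for the ESP and RxRPC modules (`esp4`, `esp6`, `esp4_offload`, `esp6_offload`, `rxrpc`), whether each is loaded, blocked by an `install <mod> /bin/false` line, only `blacklist`ed (which stops alias autoload but not an explicit load), or absent. Treating "don't load what you don't need" as a stop-gap is the script's own assumption, not a vendor-stated mitigation; the fix remains the kernel update, and the sample inputs are constructed.

```python
# Kernel module names for the affected subsystems (IPsec ESP and RxRPC).
WATCH = ("esp4", "esp6", "esp4_offload", "esp6_offload", "rxrpc")

# Constructed sample of /proc/modules (fields: name size refcount users state address).
PROC_MODULES = """esp4 20480 0 - Live 0xffffffffc0a00000
xfrm_algo 16384 1 esp4, Live 0xffffffffc09f0000
overlay 139264 2 - Live 0xffffffffc0900000
"""

# Constructed sample of an /etc/modprobe.d fragment.
MODPROBE_CONF = """# constructed hardening fragment
install esp6 /bin/false
blacklist rxrpc
"""


def loaded_modules(proc_modules_text):
    """Set of module names currently loaded, from /proc/modules text."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def modprobe_policy(conf_text):
    """Map module -> {'blacklist', 'install-disabled'} from modprobe.d text."""
    policy = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "blacklist" and len(parts) >= 2:
            policy.setdefault(parts[1], set()).add("blacklist")
        elif parts[0] == "install" and len(parts) >= 3 and parts[2] in ("/bin/false", "/bin/true"):
            policy.setdefault(parts[1], set()).add("install-disabled")
    return policy


def audit(proc_modules_text, conf_text):
    """Status per watched module. A loaded module stays loaded regardless of modprobe.d."""
    loaded = loaded_modules(proc_modules_text)
    policy = modprobe_policy(conf_text)
    report = {}
    for mod in WATCH:
        if mod in loaded:
            status = "LOADED"
        elif "install-disabled" in policy.get(mod, set()):
            status = "disabled"
        elif "blacklist" in policy.get(mod, set()):
            status = "blacklisted-only"  # alias autoload blocked; explicit modprobe still works
        else:
            status = "not-loaded"
        report[mod] = status
    return report


def needs_attention(report):
    """Modules that are live now or could still be brought in by an explicit load."""
    return [m for m in WATCH if report[m] in ("LOADED", "blacklisted-only")]


if __name__ == "__main__":
    # On a real host: open("/proc/modules").read() and the concatenated /etc/modprobe.d/*.conf
    rep = audit(PROC_MODULES, MODPROBE_CONF)
    for mod, status in rep.items():
        print(f"{mod:<14} {status}")
    print("needs attention:", needs_attention(rep))
```

"not-loaded" is only a snapshot: an unprivileged user can cause the kernel to request a protocol module by opening a socket of that family, so on hosts that do not need IPsec or RxRPC the `install ... /bin/false` form is the one that actually holds until the patched kernel is booted.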
3. ShinyHunters defaces a global learning platform in an escalating extortion campaign
On 7 May 2026 the ShinyHunters extortion crew defaced Canvas (Instructure) login portals at roughly 330 institutions for about half an hour before the platform was taken offline, displaying ransom-negotiation messaging tied to a claimed earlier data theft and a deadline for affected schools. The campaign illustrates a recurring pattern: compromise a widely used SaaS provider, then leverage that single foothold to pressure thousands of downstream customers.
India exposure: Indian universities, ed-tech firms and enterprises that rely on shared cloud platforms inherit the provider's breach; the lesson generalises to any single-vendor SaaS dependency, not just learning systems.
Action: Identify critical SaaS dependencies, demand breach-notification and incident-response commitments contractually, enforce SSO with phishing-resistant MFA, and rehearse an "our provider was breached" response runbook.
Source: Security Boulevard, "ShinyHunters Defaces Canvas Login Portals at 330 Schools" (7 May 2026); TechRepublic reporting on the Instructure Canvas defacement (May 2026).
4. Edge and end-of-life gear: federal remediation deadline lands this week
A federal remediation deadline of 8 May 2026 falls due this week for already-cataloged in-the-wild abuse of internet-exposed and end-of-life appliances, including a command-injection flaw in end-of-life D-Link DIR-823X routers (CVE-2025-29635) and a Samsung MagicINFO 9 Server path-traversal (CVE-2024-7399), both added to CISA's exploited-vulnerability list in late April 2026. The theme is consistent: attackers are prioritising exposed perimeter and unmaintained kit over hardened internal systems.
India exposure: Unmanaged routers, signage servers and other "set-and-forget" edge devices are common in Indian branch offices, retail and SME networks, and end-of-life hardware will not receive fixes.
Action: Audit internet-exposed devices, retire end-of-life hardware (no patch is coming for EOL routers), and segment remaining edge appliances away from core networks.
Source: The Hacker News, "CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline" (25 April 2026; deadline 8 May 2026); CISA KEV catalog entries (April 2026).
The takeaway: This week's pattern is unambiguous — the soft targets are the perimeter and the unmaintained. A state-grade actor is taking over firewalls through a single exposed portal, a public exploit can root almost any Linux host once an attacker is inside, a SaaS breach radiates to hundreds of customers at once, and end-of-life gear is being swept up for exploitation. For Indian defenders, the priorities write themselves: shrink the internet-facing footprint, patch kernels and gateways on the vendors' timeline, treat every SaaS provider as part of your own attack surface, and decommission what can no longer be patched.
Nirad Bharat Threat Feed | Bharat-first threat intelligence