Palo Alto Exploited, Chrome Zero-Day Patched, and Three Critical CVEs
TL;DR - Multiple high-impact threats landed at once, including active exploitation alerts, critical infrastructure targeting, and several CVSS 9.8-9.9 flaws. - Defenders should prioritize internet-exposed systems, router fleets, Linux and Android assets, and OpenStack deployments. - Urgency is high for exposed edge services and operational technology environments.
Top Stories
1. Chinese-speaking threat actors deploy Atlas RAT in Europe
BleepingComputer reports that a Chinese-speaking cybercrime group expanded operations into Europe and is using previously undocumented malware alongside Atlas RAT in recent campaigns (source).
Why this matters:
New RAT tooling in regional campaigns usually means defenders will have weak signature coverage at first. If your detections lean heavily on known malware families, initial access and post-compromise persistence may be missed.
What to do now: - Review EDR telemetry for unusual child processes spawned from document viewers, scripting hosts, or remote admin tools. - Hunt for outbound connections from user workstations to infrastructure not previously seen in your environment. - Validate whether your email and web security stack is flagging new payload families or just known commodity malware.
Technical Notes
Example host triage on Linux endpoints or servers suspected of staging payloads:
ps auxf
ss -pant
lsof -i -P -n
find /tmp /var/tmp /dev/shm -type f -mtime -7 2>/dev/null
journalctl --since "7 days ago" | grep -Ei "curl|wget|python|bash -c|chmod|base64"
Windows hunting ideas in EDR/SIEM:
process_name IN ("powershell.exe","cmd.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe")
AND parent_process_name IN ("winword.exe","excel.exe","outlook.exe","acrord32.exe","chrome.exe")
2. U.S. sanctions Nobitex over ransomware-linked activity
The U.S. Treasury sanctioned Nobitex, described by BleepingComputer as Iran’s largest cryptocurrency exchange, over activity tied to terrorist financing and ransomware-related payment facilitation (source).
Why this matters:
This is operationally relevant for IR, legal, finance, and compliance teams. If your ransomware playbooks or crypto tracing workflows interact with sanctioned entities, the compliance risk is immediate.
What to do now: - Ensure incident response retainers and ransomware negotiation procedures include sanctions screening. - Update wallet screening and blockchain intelligence watchlists. - Brief legal and executive stakeholders that payment paths may now carry added regulatory exposure.
3. CISA warns of attacks on fuel tank monitoring systems
CISA and U.S. government partners warned that threat actors are targeting internet-exposed automatic tank gauge systems used to monitor fuel and liquid storage tanks across critical infrastructure sectors (source).
Why this matters:
These are operational technology and industrial control environments where compromise can affect availability, safety, and inventory integrity, not just IT confidentiality.
What to do now: - Identify all internet-exposed ATG or tank monitoring systems. - Remove direct internet exposure wherever possible. - Restrict access with VPN, IP allowlisting, and MFA. - Audit vendor default credentials and remote support pathways. - Coordinate between IT, OT, facilities, and physical operations teams.
Technical Notes
Quick exposure validation from an internal asset inventory perspective:
nmap -sV -Pn -p 80,443,502,8080,47808,1911,4911 <subnet_or_host>
Firewall review goals:
- No direct inbound internet access to ATG management interfaces
- Remote vendor access only through controlled jump hosts or VPN
- Logging enabled for authentication attempts and configuration changes
4. HTTP/2 Bomb can crash web servers rapidly
A new denial-of-service technique dubbed “HTTP/2 Bomb” can reportedly take down web servers in under a minute from a single machine, according to BleepingComputer (source).
Why this matters:
This shifts DoS risk for HTTP/2-enabled services, especially where edge rate limiting, request normalization, or reverse proxy protections are weak.
What to do now: - Confirm whether internet-facing applications require HTTP/2. - Review reverse proxy, CDN, WAF, and load balancer protections. - Test graceful degradation and autoscaling behavior. - Tune concurrent stream, header, and request-body limits.
Technical Notes
Useful checks on Linux web infrastructure:
nginx -T 2>/dev/null | grep -Ei "http2|max_conns|limit_req|limit_conn|client_header_buffer_size|large_client_header_buffers"
apachectl -M 2>/dev/null | grep -i http2
Potential log indicators:
- Spikes in HTTP/2 connection counts from a single source
- Elevated 499/502/503/504 responses
- Worker exhaustion or upstream timeout bursts
- Sudden CPU and memory pressure without normal request volume patterns
Example NGINX hardening concepts:
limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
server {
listen 443 ssl http2;
limit_req zone=req_limit burst=20 nodelay;
limit_conn conn_limit 20;
}
5. CISA flags active exploitation of Android and Linux bugs
CISA warned of active attacks exploiting vulnerabilities in Android and the Linux kernel, per BleepingComputer (source).
Why this matters:
Active exploitation changes patch priority. Mobile fleets, developer workstations, exposed Linux servers, and appliance-like systems should move to emergency review status.
What to do now: - Map vulnerable assets by OS version and exposure level. - Prioritize externally exposed Linux systems and privileged mobile users first. - Check for out-of-band vendor advisories and emergency updates. - Watch for post-exploitation behavior, not just exploit indicators.
Technical Notes
Linux patch state checks:
uname -a
cat /etc/os-release
apt list --upgradable 2>/dev/null
yum check-update 2>/dev/null
dnf check-update 2>/dev/null
Linux persistence hunting:
systemctl list-unit-files --state=enabled
crontab -l
ls -la /etc/cron* /var/spool/cron 2>/dev/null
find /etc/systemd /usr/lib/systemd -type f -mtime -14 2>/dev/null
6. Acer works on fixes for two Wave 7 router zero-days
Acer warned of two maximum-severity zero-day vulnerabilities affecting Wave 7 mesh routers and said patches are in progress, according to BleepingComputer (source).
Why this matters:
Edge devices are attractive targets because they are persistent, often under-monitored, and can provide footholds for lateral movement or traffic interception.
What to do now: - Inventory any Acer Wave 7 devices in branch, SMB, and home-office deployments. - Restrict administration interfaces to trusted networks only. - Disable remote management if not strictly required. - Monitor DNS, DHCP, and configuration changes until patches are available.
Technical Notes
Router and edge device audit checklist:
- Remote admin disabled or IP-restricted
- Strong unique admin password applied
- Latest available firmware installed
- Config backups stored securely
- Syslog forwarding enabled where supported
7. CISA adds exploited Magento RCE flaw to KEV
Google News surfaced reporting from The Hacker News that CISA added Magento remote code execution flaw CVE-2026-45247 to the Known Exploited Vulnerabilities catalog (source).
Why this matters:
KEV inclusion is a strong operational prioritization signal. If you run Magento or inherited e-commerce infrastructure, treat this as urgent.
What to do now: - Confirm version exposure and compensating controls. - Review web logs for exploit attempts against admin, API, and deserialization-related paths. - Patch or isolate affected systems immediately. - Rotate credentials accessible from the application if compromise is suspected.
Note: The underlying report indicates KEV inclusion, but defenders should validate vendor-specific remediation guidance directly before making production changes.
8. AI-powered worm discussion gets attention, but focus on present risk
A Fortune article highlighted concerns around AI-powered worm scenarios (source).
Why this matters:
The story is worth watching, but for today, defenders should stay anchored on confirmed exploitation, exposed services, and patchable defects rather than speculative future threats.
What to do now: - Keep AI risk discussions tied to actual threat modeling. - Focus on identity, privilege boundaries, egress control, and monitoring. - Avoid deprioritizing current exploited vulnerabilities for hypothetical scenarios.
Critical Vulnerabilities
CVE-2026-41283 - OpenStack Mistral RCE
- CVSS: 9.9
- Affected: OpenStack Mistral through 22.0.0
- Issue: The API can allow arbitrary remote code execution when exposed, and successful exploitation may lead to service credential exfiltration (Openwall advisory, tags).
Why it matters:
If Mistral API exposure exists, this is a top-tier cloud control-plane risk. Exposure could enable workflow abuse, credential theft, and broader cloud pivoting.
What to do now: - Determine whether Mistral is deployed and whether its API is internet-accessible. - Restrict access to trusted management networks immediately. - Review service accounts and rotate credentials if exposure is confirmed. - Update to a fixed release once available from your distribution or OpenStack packaging source.
Technical Notes
Find likely listeners:
ss -lntp | grep -E "8989|mistral"
Inventory containers/services:
docker ps --format 'table {{.Names}} {{.Image}} {{.Ports}}' | grep -i mistral
podman ps --format 'table {{.Names}} {{.Image}} {{.Ports}}' | grep -i mistral
systemctl | grep -i mistral
Web server or API log review ideas:
- Requests to workflow execution endpoints from unusual IPs
- Spikes in 200 responses for API methods not used in normal operations
- New or unexpected workflow definitions
- Sudden use of service credentials from atypical hosts
CVE-2025-14771 - ABB T-MAC Plus external file or directory access
- CVSS: 9.9
- Affected: ABB T-MAC Plus 4.0-24
- Issue: Files or directories may be accessible to external parties (ABB advisory).
Why it matters:
In industrial and building management contexts, exposed files or directories can leak credentials, configurations, or operational data that materially reduce attacker effort.
What to do now: - Identify ABB T-MAC Plus deployments and verify version. - Restrict access to management interfaces. - Review whether directory listings, backups, logs, or exported configs are publicly reachable. - Segment affected systems from general-purpose networks.
Technical Notes
Basic web exposure checks:
curl -k -I https://<host>/
curl -k https://<host>/robots.txt
curl -k https://<host>/backup/
curl -k https://<host>/logs/
CVE-2026-47065 - Java deserialization filter bypass and static initializer risk
- CVSS: 9.8
- Issue: Advisory text describes issues involving
java.lang.reflect.Proxyhandling and static initializer execution in allow-listed classes during deserialization, both reported as fixed (Apache advisory thread).
Why it matters:
Even where deserialization is “restricted,” filter bypasses and class initialization side effects can undermine assumptions and reopen exploitation paths.
What to do now:
- Identify Java services performing object deserialization on untrusted input.
- Tighten or remove deserialization where possible.
- Apply the relevant upstream fix once the affected component is confirmed in your environment.
- Add detections for unexpected ObjectInputStream usage in internet-facing services.
Technical Notes
Code review grep ideas:
grep -R "ObjectInputStream\|readObject\|resolveClass\|resolveProxyClass" -n ./src
Safer engineering direction:
// Prefer schema-validated formats like JSON with strict typing
// Avoid deserializing attacker-controlled Java objects
CVE-2026-35075 - Hard-coded password recoverable from firmware
- CVSS: 9.8
- Issue: An unauthenticated remote attacker can recover a default hard-coded password from firmware and gain full access to affected devices (CERT@VDE advisory).
Why it matters:
This is especially dangerous in appliances and OT environments where firmware is widely reused and credentials remain unchanged across fleets.
What to do now: - Identify affected device models from the vendor advisory. - Remove internet exposure and restrict management paths. - Change credentials immediately if supported. - Monitor for logins from unknown IP space or unusual admin sessions.
CVE-2026-36576 - Command injection in openlabs docker-wkhtmltopdf-aas
- CVSS: 9.8
- Affected:
openlabs/docker-wkhtmltopdf-aasup to commit9f50579 - Issue:
app.pycontains an OS command injection vulnerability reachable via crafted POST requests (GitHub repo, vulnerable code reference, issue).
Why it matters:
HTML-to-PDF microservices are commonly embedded inside internal business workflows and may be trusted more than they should be. If exposed, they can become a fast path to server-side command execution.
What to do now: - Search container registries and manifests for this image. - Remove public exposure immediately. - Rebuild from a patched commit or disable the service until fixed. - Inspect for suspicious POST requests and unexpected child processes from the container.
Technical Notes
Find deployments:
docker images | grep -i wkhtmltopdf
docker ps --format 'table {{.Names}} {{.Image}} {{.Ports}}' | grep -i wkhtmltopdf
kubectl get pods -A -o wide | grep -i wkhtmltopdf
Container runtime review:
docker logs <container_name> --since 168h
docker exec -it <container_name> ps aux
docker exec -it <container_name> sh -c 'ls -la /tmp && env'
Example suspicious patterns:
- POST requests with shell metacharacters ; && | ` $
- Child processes such as sh, bash, curl, wget, nc spawned by app workers
- Unexpected outbound connections from PDF service containers
What Defenders Should Do Today
1. Prioritize exposed systems over internal-only assets
Start with: - OpenStack APIs - Router and edge management interfaces - Web applications using HTTP/2 - OT and monitoring systems exposed to the internet - Public-facing e-commerce systems
2. Patch based on exploitation status and blast radius
Use this order: 1. Actively exploited or KEV-listed issues 2. Internet-exposed RCEs 3. Edge and appliance flaws with weak monitoring 4. Internal service flaws with lateral movement potential
3. Run focused threat hunts
Hunt for: - New admin sessions on edge devices - Unusual API execution in OpenStack environments - Unexpected child processes in web or container services - OT asset access from non-approved IP ranges - DoS precursors in HTTP/2 traffic
4. Recheck segmentation and remote access
Today is a good day to validate: - No direct internet exposure for OT management - VPN plus MFA for remote admin - IP allowlisting for control planes and dashboards - Logging from appliances, routers, and cloud management nodes
5. Prepare for vendor lag
Some issues, especially zero-days on appliances and routers, may not have immediate patches. In those cases: - Disable remote management - Restrict source IPs - Add temporary WAF or reverse proxy controls - Increase logging retention and alerting - Document compensating controls for audit and incident response
Technical Deep Dive
Technical Notes: Fast asset triage checklist
Use these commands and questions to identify immediate exposure:
# Public listeners
ss -lntp
# External attack surface from known inventories
nmap -Pn -sV <public_ip_range>
# Recent auth and service changes
journalctl --since "72 hours ago"
last -ai
grep -R "PermitRootLogin\|PasswordAuthentication" /etc/ssh/sshd_config /etc/ssh/sshd_config.d 2>/dev/null
Questions to answer: - Which assets are internet-exposed? - Which of those run recently disclosed vulnerable services? - Which have weak logging or no EDR coverage? - Which hold credentials that could enable broad lateral movement?
Technical Notes: SIEM queries worth running
(index=web OR index=proxy)
(
"HTTP/2" OR "h2"
)
| stats count by src_ip, dest, status
(index=edr OR index=sysmon)
(process_name IN ("bash","sh","cmd.exe","powershell.exe","curl","wget","nc"))
AND parent_process_name IN ("python","gunicorn","uwsgi","java","node","php-fpm","httpd","nginx")
(index=auth OR index=vpn OR index=firewall)
(action=success AND user IN ("admin","root","administrator"))
| stats count by user, src_ip, dest
Bottom Line
Today’s cybersecurity threats are not theoretical. The highest-risk items are exposed management planes, appliance and router weaknesses, actively exploited mobile and Linux vulnerabilities, and web infrastructure susceptible to new denial-of-service methods.
If you only have time for a short list today, do these first: 1. Identify and restrict internet-exposed admin and API endpoints. 2. Review CISA-related alerts and KEV-driven priorities. 3. Hunt for suspicious activity in edge devices, containers, and cloud control services. 4. Apply patches or compensating controls on high-severity flaws immediately.
For source reporting, see BleepingComputer coverage on Atlas RAT (link), Nobitex sanctions (link), ATG targeting (link), HTTP/2 Bomb (link), active Android and Linux exploitation (link), and Acer Wave 7 router zero-days (link).
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.