May 8, 2026

From Active Exploitation to State-Aligned Espionage: Threat Actors Intensify Operations Against Critical Infrastructure

Executive Summary

This week’s threat landscape highlighted the continued convergence of active exploitation, large-scale infrastructure targeting, and state-aligned cyber espionage activity. The Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, affecting the Linux kernel, Palo Alto Networks PAN-OS, and WebPros cPanel & WHM, reflecting the growing operational impact of vulnerabilities targeting critical enterprise infrastructure.

Active exploitation also emerged against MetInfo CMS platforms, where attackers leveraged PHP code injection flaws to compromise exposed web applications.  

Threat activity further escalated with likely state-sponsored cluster CL-STA-1132 exploiting PAN-OS Captive Portal vulnerabilities to obtain root-level access on enterprise firewalls, followed by tunneling activity and credential-focused operations. Simultaneously, exploitation of cPanel environments evolved into widespread multi-actor campaigns deploying the “Sorry” ransomware and Mirai nuclear.x86 botnet variants, resulting in website defacement, malware deployment, and destructive post-compromise activity. In parallel, Trend Micro disclosed continued cyber espionage operations conducted by the China-aligned SHADOW-EARTH-053 cluster, which exploited multiple Microsoft Exchange vulnerabilities to deploy ShadowPad and maintain long-term persistence within government and defense networks.

Key points:

  • 3 vulnerabilities added to the CISA KEV catalog
  • Active exploitations observed in MetInfo CMS
  • State-Sponsored Cluster CL-STA-1132 exploits PAN-OS vulnerability
  • Large scale exploitation of cPanel deploying Ransomware and Mirai botnet variant
  • China-Aligned SHADOW-EARTH-053 Exploits Microsoft Exchange Vulnerabilities in Regional Cyber Espionage Campaign

What are the top trending or critical vulnerabilities observed this week?

Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.

CVE-2026-0300 - Out-of-bounds Write vulnerability in Palo Alto Networks PAN-OS

An Out-of-Bounds Write vulnerability affecting the User-ID Authentication Portal (Captive Portal) service in Palo Alto Networks PAN-OS enabled unauthenticated remote attackers to execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls through specially crafted network packets. The flaw originated from improper boundary validation during packet processing, resulting in a buffer overflow condition that required no authentication, user interaction, or special prerequisites, making exploitation highly reliable and fully automatable. Observed limited exploitation activity suggested targeted use by sophisticated threat actors, potentially including state-sponsored groups focused on high-value network infrastructure. Affected versions included PAN-OS 10.2, 11.1, 11.2, and 12.1 releases prior to multiple security hotfix builds. Palo Alto Networks scheduled patches for rollout between May 13 and May 28, 2026, and recommended restricting Captive Portal access to trusted internal IP addresses or disabling the service entirely until remediation was applied; the vulnerability was subsequently added to the CISA KEV catalog due to active exploitation concerns.

CVE-2026-29014 - PHP Code Injection vulnerability in MetInfo

A PHP Code Injection vulnerability affecting MetInfo CMS versions 7.9, 8.0, and 8.1 enabled unauthenticated remote attackers to execute arbitrary code through crafted requests containing malicious PHP payloads, potentially resulting in full compromise of the affected server. MetInfo, widely used in China for enterprise portals, e-commerce platforms, and content-driven web applications, released patches addressing the vulnerability on April 7, 2026. According to Karmainsecurity, the flaw originated from insufficient input neutralization within the /app/system/weixin/include/class/weixinreply.class.php script during Weixin (WeChat) API request handling, where improper sanitization of user-supplied input enabled arbitrary PHP code execution. Egidio Romano identified that successful exploitation on non-Windows systems required the presence of the /cache/weixin/ directory, typically created during installation of the official WeChat plugin. Active exploitation activity was observed beginning April 25, 2026, initially targeting honeypots in the United States and Singapore through automated probing attempts, before significantly increasing on May 1, 2026, with activity largely originating from IP addresses associated with China and Hong Kong, according to Caitlin Condon. Approximately 2,000 internet-accessible MetInfo CMS instances remained exposed online, the majority of which were located in China, increasing the overall risk of exploitation.

CVE-2026-31431 - Incorrect Resource Transfer Between Spheres vulnerability in Linux Kernel

An Incorrect Resource Transfer Between Spheres vulnerability affecting Linux kernel versions 4.14 through 6.19.12 enabled local privilege escalation through a deterministic logic flaw in the kernel’s cryptographic subsystem. This vulnerability, dubbed Copy Fail, resided within the algif_aead module of the AF_ALG userspace crypto API, where improper handling of memory during in-place cryptographic operations allowed reuse of source memory as a destination buffer, resulting in out-of-bounds memory modification. By abusing the interaction between AF_ALG sockets and the splice() system call, attackers achieved a controlled 4-byte write primitive in the kernel page cache of any readable file, enabling modification of in-memory privileged binaries such as /usr/bin/su without altering files on disk and ultimately escalating privileges to UID 0. The flaw, publicly disclosed on April 29, 2026, originated from a faulty optimization introduced in 2017 (commit a664bf3d603d) alongside earlier AEAD-related kernel changes, and was exploitable through a compact proof-of-concept script requiring no race conditions, elevated privileges, or network access. The shared kernel page cache further enabled cross-container compromise and container escape scenarios, significantly increasing risk in multi-tenant and cloud environments. The vulnerability was remediated in upstream Linux kernel stable branches by reverting the flawed optimization and was subsequently added to the CISA KEV catalog following the availability of public proof-of-concept exploitation.
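An exposure check a defender can run against the write-up above, added here as an illustration (not Loginsoft's or the kernel project's code): it parses the running kernel release against the stated affected range and reports whether algif_aead is loaded or built in. The range is taken from the text; a distribution kernel that backported the revert cannot be told apart by version string alone, so a hit means "investigate", not "confirmed vulnerable".

```python
"""Copy Fail (CVE-2026-31431) exposure check for the AF_ALG AEAD path.

Illustration only: the affected range is the one stated in the write-up, and the
modprobe blacklist below is a generic stopgap, not a vendor-issued mitigation.
"""
import platform
import re
from typing import Dict, Tuple

AFFECTED_MIN = (4, 14, 0)
AFFECTED_MAX = (6, 19, 12)   # per the write-up; later stable releases carry the revert
MODULE = "algif_aead"        # module the flaw lives in


def parse_kernel_release(release: str) -> Tuple[int, int, int]:
    """'6.19.12-arch1-1' -> (6, 19, 12); a missing patch level is treated as 0."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def in_affected_range(release: str) -> bool:
    return AFFECTED_MIN <= parse_kernel_release(release) <= AFFECTED_MAX


def module_loaded(proc_modules: str) -> bool:
    """True if the module name is the first field of any /proc/modules line."""
    return any(line.split()[0] == MODULE
               for line in proc_modules.splitlines() if line.strip())


def module_builtin(modules_builtin: str) -> bool:
    """True if modules.builtin lists algif_aead.ko (compiled in: cannot be blacklisted)."""
    return any(line.strip().endswith(f"/{MODULE}.ko")
               for line in modules_builtin.splitlines())


def assess(release: str, proc_modules: str, modules_builtin: str) -> Dict[str, object]:
    in_range = in_affected_range(release)
    builtin = module_builtin(modules_builtin)
    # AF_ALG can request algorithm-type modules on demand, so "not loaded" is not
    # "not reachable": an unpatched kernel in range stays exposed unless the module
    # is blacklisted (install algif_aead /bin/false in /etc/modprobe.d/) or built in,
    # in which case only a kernel update removes the exposure.
    if in_range and builtin:
        action = "update kernel"
    elif in_range:
        action = "update kernel; blacklist algif_aead as a stopgap"
    else:
        action = "none (outside affected range; verify against vendor advisory)"
    return {"kernel_in_range": in_range, "module_loaded": module_loaded(proc_modules),
            "module_builtin": builtin, "action": action}


def assess_this_host() -> Dict[str, object]:
    """Runs the check against the live system (Linux only; missing files read as empty)."""
    release = platform.release()

    def read(path: str) -> str:
        try:
            with open(path) as f:
                return f.read()
        except OSError:
            return ""
    return assess(release, read("/proc/modules"),
                  read(f"/lib/modules/{release}/modules.builtin"))


if __name__ == "__main__":
    for key, value in assess_this_host().items():
        print(f"{key}: {value}")
```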

CVE-2026-32202 - Protection Mechanism Failure vulnerability in Microsoft Windows

A Protection Mechanism Failure vulnerability in Microsoft Windows allows an unauthorized attacker to perform spoofing over a network due to incomplete enforcement of security controls within Windows Shell. The flaw creates gaps in how network-based resources and paths are validated, resulting in limited confidentiality impact through exposure of sensitive information while not affecting integrity or availability. According to Akamai, the issue stems from an incomplete patch for CVE-2026-21510, previously exploited by APT28 alongside CVE-2026-21513 in an LNK-based exploit chain. Although SmartScreen mitigated the initial remote code execution vector, automatic UNC path resolution in Windows Explorer still triggered SMB connections to attacker-controlled servers, exposing Net-NTLMv2 hashes without user interaction. This residual gap enabled a zero-click authentication coercion vector, facilitating credential theft even after partial remediation. Microsoft addressed the vulnerability in its April 2026 Patch Tuesday release, later updating the advisory to confirm active exploitation, and it has now been added to the CISA KEV catalog.

CVE-2026-41940 - Missing Authentication for Critical Function vulnerability in WebPros cPanel & WHM and WP2 (WordPress Squared)

A Missing Authentication for Critical Function vulnerability affecting WebPros cPanel & WHM and WP2 (WordPress Squared) allowed unauthenticated remote attackers to bypass the login flow and gain unauthorized access to the control panel environment. The flaw impacted multiple authentication paths due to weaknesses in authentication logic within cPanel’s multi-tier architecture, which managed access to files, databases, email services, and administrative functionality through WHM integration. Successful exploitation enabled attackers to bypass access controls, compromise hosting management infrastructure, and potentially achieve server-wide control, posing significant risks to data integrity and operational security. According to watchTowr Labs, a public proof-of-concept confirmed active in-the-wild exploitation, indicating that the vulnerability had been weaponized as a zero-day against a broad range of internet-facing systems. Emergency patches were subsequently released for multiple supported versions, including 11.136.0.5, 11.134.0.20, 11.132.0.29, 11.126.0.54, 11.118.0.63, and 11.110.0.97, with administrators advised to immediately apply updates using the /scripts/upcp --force command, while unsupported legacy deployments remained highly exposed. The vulnerability was later added to the CISA KEV catalog following confirmed exploitation activity.

CVE-2026-42208 - Pre-Authentication SQL Injection vulnerability in LiteLLM

A Pre-Authentication SQL Injection vulnerability in BerriAI's LiteLLM allows unauthenticated attackers to read sensitive data from the proxy’s underlying database in versions prior to 1.83.7. The flaw originates from improper handling of the Authorization: Bearer header, where lack of input sanitization enables injection of arbitrary SQL queries into the backend PostgreSQL database. According to Sysdig, attackers leveraged this weakness to execute crafted SELECT statements without valid credentials, performing targeted enumeration of high-value tables containing virtual API keys, provider credentials, and environment configurations. The vulnerability was added to the GitHub Advisory Database on April 24, 2026, with active exploitation observed within 36 hours, demonstrating rapid weaponization and attacker familiarity with LiteLLM’s schema. The availability of a public proof-of-concept further increases the risk of widespread exploitation, making immediate remediation critical. Organizations are strongly advised to upgrade to the patched release, version 1.83.7-stable, to mitigate exposure.
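The weakness described above, shown as a vulnerable lookup beside its hardened form. This is an added illustration for this write-up, not LiteLLM's code: the table, column names and key format are assumed, and sqlite3 stands in for the PostgreSQL database so the example runs offline.

```python
"""Pre-auth SQL injection through an Authorization: Bearer header.

Assumed schema (virtual_keys with token/owner columns) and assumed key format;
neither is taken from LiteLLM.
"""
import re
import sqlite3
from typing import Dict, Optional

TOKEN_RE = re.compile(r"sk-[A-Za-z0-9_-]{8,128}")   # assumed virtual-key format


def make_db() -> sqlite3.Connection:
    """Constructed sample key table with two virtual keys."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, owner TEXT NOT NULL)")
    conn.executemany("INSERT INTO virtual_keys VALUES (?, ?)",
                     [("sk-constructed-key-0001", "team-alpha"),
                      ("sk-constructed-key-0002", "team-beta")])
    return conn


def bearer_token(headers: Dict[str, str]) -> Optional[str]:
    auth = headers.get("Authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else None


def lookup_owner_vulnerable(conn: sqlite3.Connection,
                            headers: Dict[str, str]) -> Optional[str]:
    """The header value is spliced into the SQL text, so SQL inside the token runs
    before any credential is checked: this is the pre-auth injection pattern."""
    token = bearer_token(headers)
    if token is None:
        return None
    row = conn.execute(
        f"SELECT owner FROM virtual_keys WHERE token = '{token}'").fetchone()
    return row[0] if row else None


def lookup_owner_hardened(conn: sqlite3.Connection,
                          headers: Dict[str, str]) -> Optional[str]:
    """Rejects anything that is not a well-formed key, then binds it as a parameter
    so the database never interprets the header value as SQL."""
    token = bearer_token(headers)
    if token is None or not TOKEN_RE.fullmatch(token):
        return None            # malformed header never reaches the database
    row = conn.execute(
        "SELECT owner FROM virtual_keys WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    good = {"Authorization": "Bearer sk-constructed-key-0001"}
    bad = {"Authorization": "Bearer ' OR '1'='1"}   # constructed tautology, not a key
    print(lookup_owner_vulnerable(db, good), lookup_owner_hardened(db, good))
    print(lookup_owner_vulnerable(db, bad), lookup_owner_hardened(db, bad))
```

The vulnerable function returns an owner for the tautology header without any valid key; the hardened one returns nothing for it and still resolves the genuine key.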

What did Cytellite sensors detect this week?

Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.

Vulnerability | Product | Severity | Title | Exploited in the wild | CISA KEV
--- | --- | --- | --- | --- | ---
CVE-2025-5777 | Citrix NetScaler ADC and Gateway | Critical | Out-of-Bounds Read vulnerability in Citrix NetScaler ADC and Gateway | Yes | True
CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader | Critical | Unrestricted Upload of File with Dangerous Type vulnerability in SAP NetWeaver Visual Composer Metadata Uploader | Yes | True
CVE-2025-20281 | Cisco Identity Services Engine | Critical | Injection vulnerability in Cisco Identity Services Engine | Yes | True
CVE-2024-47176 | CUPS | Medium | Improper Input Validation vulnerability in OpenPrinting CUPS browsed through 2.0.1 leads to remote code execution | Yes | False
CVE-2024-4577 | PHP CGI | Critical | OS Command Injection vulnerability in PHP CGI leads to remote code execution | Yes | True
CVE-2024-3721 | TBK DVR-4104 and DVR-4216 | Medium | OS Command Injection vulnerability in TBK DVR-4104 and DVR-4216 | Yes | False
CVE-2024-3400 | Palo Alto Networks PAN-OS | Critical | Command Injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS | Yes | True
CVE-2024-23334 | aiohttp | High | Path Traversal vulnerability in aiohttp leads to unauthorized access to arbitrary files | Yes | False
CVE-2023-38646 | Metabase open source | Critical | Remote code execution vulnerability in Metabase open source | Yes | False
CVE-2023-33831 | FUXA | Critical | Command Injection vulnerability in FUXA | Yes | False

Which vulnerabilities were abused by malware this week?

Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.

State-Sponsored Cluster CL-STA-1132 exploits PAN-OS vulnerability

According to Palo Alto Networks, CVE-2026-0300 is a buffer overflow vulnerability affecting the User-ID™ Authentication Portal (Captive Portal) service in PAN-OS, enabling unauthenticated attackers to achieve remote code execution with root privileges on PA-Series and VM-Series firewalls through specially crafted network packets. Limited exploitation activity was observed in the wild, with CL-STA-1132 identified as a likely state-sponsored threat cluster actively exploiting the vulnerability. Successful exploitation enabled injection of shellcode into an nginx worker process, establishing a foothold within the targeted firewall environment. Post-exploitation operations involved deployment of publicly available tunneling utilities such as EarthWorm and ReverseSocks5 to facilitate covert network access and lateral movement. Additional activity included Active Directory enumeration using credentials likely obtained from compromised firewall systems, followed by systematic deletion of logs and forensic artifacts to obstruct incident response and compromise analysis.

Large scale exploitation of cPanel deploying Ransomware and Mirai botnet variant

According to Censys, exploitation of CVE-2026-41940 evolved from exploratory probing into large-scale multi-actor attacks involving website defacement, ransomware deployment, malware installation, and credential-focused intrusions targeting internet-facing cPanel environments. Attackers leveraged the vulnerability to deploy the “Sorry” ransomware, a Go-based Linux encryptor that appended the .sorry extension to encrypted files, dropped Tox-based ransom notes, and reportedly deleted backups to obstruct recovery efforts. Censys identified 8,859 hosts exposing open directories containing .sorry-encrypted files, with 7,135 systems confirmed to be running cPanel or WHM, indicating widespread automated exploitation activity. Concurrently, Shadowserver Foundation observed more than 44,000 cPanel-related IP addresses conducting scanning, exploitation, and brute-force activity against honeypot infrastructure. A parallel campaign documented by HostMyCode involved deployment of the Mirai botnet variant nuclear.x86, which established persistence by creating administrative accounts, disabling security logging, modifying firewall rules, deploying cryptocurrency miners and DDoS clients, and harvesting credentials from hosted accounts. Scan telemetry confirmed that the exploitation campaign remained active and continued targeting exposed cPanel infrastructure.

China-Aligned SHADOW-EARTH-053 Exploits Microsoft Exchange Vulnerabilities in Regional Cyber Espionage Campaign

According to Trend Micro, the China-aligned threat cluster SHADOW-EARTH-053 conducted a cyber espionage campaign targeting government, defense, telecommunications, and transportation organizations across South, East, and Southeast Asia, along with a European NATO member state. The campaign leveraged vulnerabilities in internet-facing Microsoft Exchange servers, including CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, to obtain initial access and deploy web shells for persistent compromise. Post-exploitation activity involved credential dumping, tunneling utilities, lateral movement frameworks, and deployment of the ShadowPad backdoor to maintain long-term access within enterprise environments. Active since at least late 2024, SHADOW-EARTH-053 demonstrated operational overlap with clusters tracked as CL-STA-0049, Earth Alux, and REF7707, indicating potential shared infrastructure, tooling, or operational tradecraft. The overall campaign focused on compromising enterprise infrastructure to facilitate sustained espionage operations and extended post-exploitation activity.

Vulnerability | Severity | Title | Patch | Abused By Malware | OSS
--- | --- | --- | --- | --- | ---
CVE-2026-0300 | Medium | Out-of-bounds Write vulnerability in Palo Alto Networks PAN-OS | No | CL-STA-1132 | False
CVE-2026-41940 | Critical | Missing Authentication for Critical Function vulnerability in WebPros cPanel & WHM and WP2 (WordPress Squared) | Yes | Sorry Ransomware, Nuclear.x86 botnet | False
CVE-2021-26855 | Critical | Remote Code Execution vulnerability in Microsoft Exchange Server | Yes | SHADOW-EARTH-053, ShadowPad | False
CVE-2021-26857 | High | Remote Code Execution vulnerability in Microsoft Exchange Server | Yes | | False
CVE-2021-26858 | High | Remote Code Execution vulnerability in Microsoft Exchange Server | Yes | | False
CVE-2021-27065 | High | Remote Code Execution vulnerability in Microsoft Exchange Server | Yes | | False

What were the most trending OSS vulnerabilities this week?

Open-Source Software (OSS) vulnerabilities are security weaknesses discovered in publicly available codebases that can be exploited across widely used libraries, frameworks, and tools, often impacting thousands of downstream applications.

CVE-ID | Title | Ecosystem
--- | --- | ---
CVE-2026-0073 | Remote Code Execution vulnerability in Android's adbd Subcomponent | Android
CVE-2026-26956 | WASM Sandbox Escape vulnerability in vm2 | npm
CVE-2026-35029 | Incorrect Authorization vulnerability in LiteLLM | PyPI
CVE-2026-39383 | Unauthenticated Server-Side Request Forgery vulnerability in Gotenberg | Go
CVE-2026-42779 | Deserialization of Untrusted Data vulnerability in Apache MINA | Maven

Were any PRE-NVD vulnerabilities identified this week?

PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.

CVE-ID | Type of vulnerability | Product
--- | --- | ---
CVE-2026-42048 | Path Traversal | Langflow
CVE-2026-42203 | Server-Side Template Injection | LiteLLM
CVE-2026-42613 | Improper Input Validation | Grav
CVE-2026-42856 | Missing Authentication for Critical Function | Network-AI
CVE-2026-43893 | Argument Injection | exiftool-vendored
CVE-2026-43930 | Race Condition | Parse Server

Conclusion

This week’s activity demonstrated how rapidly threat actors transitioned from vulnerability disclosure to active exploitation across firewalls, hosting infrastructure, enterprise applications, and government-facing systems. The combination of ransomware deployment, botnet propagation, and state-aligned espionage operations highlighted the growing need for continuous visibility into emerging threats and exploitation trends. Rapid weaponization of vulnerabilities in PAN-OS, cPanel, Linux kernel, and Microsoft Exchange environments reinforced the importance of proactive monitoring and accelerated remediation workflows. Platforms such as Loginsoft Vulnerability Intelligence (LOVI) play a critical role in helping security teams track actively exploited vulnerabilities, monitor threat actor activity, and prioritize defensive actions against evolving cyber threats targeting enterprise infrastructure.

FAQs:

1) What is Palo Alto Networks User-ID™ Authentication Portal?

The Palo Alto Networks User-ID™ Authentication Portal, also known as the Captive Portal, is a PAN-OS feature that identifies and authenticates users accessing a network. It enables firewalls to map user identities to IP addresses, allowing enforcement of user-based security policies. The portal is commonly used in enterprise environments to control access, monitor activity, and apply granular security rules based on authenticated users.

2) What is MetInfo?

MetInfo is a content management system (CMS) platform used for building and managing websites, particularly enterprise portals, e-commerce platforms, and content-driven web applications. The platform provides website administration features such as template management, content publishing, plugin integration, and multilingual support. MetInfo is widely adopted in China for business and organizational web infrastructure.  

3) Does inclusion in the CISA KEV catalog mean exploitation is widespread?

Not necessarily widespread - but confirmed. KEV inclusion indicates verified in-the-wild exploitation. While the scale may vary, the operational reality is that threat actors possess working exploits, making patch prioritization urgent regardless of observed targeting volume.

4) How does LOVI help organizations manage vulnerabilities effectively?

Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.

5) What is Cytellite?

Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.
