Here are today’s top cybersecurity stories for Wednesday, May 6, 2026.
Palo Alto Networks Warns of Actively Exploited PAN-OS Zero-Day CVE-2026-0300
Palo Alto Networks disclosed a critical buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal, tracked as CVE-2026-0300 (CVSS 9.3). Unauthenticated attackers can execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets to an internet-exposed captive portal. Exploitation is confirmed as active and automatable, and no patch will be available until May 13, 2026 at the earliest. Organizations are advised to restrict captive portal access to trusted zones or disable it immediately. BleepingComputer
DAEMON Tools Supply Chain Attack Delivers Backdoor via Official Installers
Kaspersky researchers identified a supply chain attack targeting Disc Soft Limited’s DAEMON Tools software. Trojanized installers (versions 12.5.0.2421–12.5.0.2434) have been distributed from the legitimate website since April 8, 2026, signed with valid developer certificates. Several thousand infection attempts were recorded across more than 100 countries. Secondary payloads were deployed to a targeted subset of retail, scientific, government, and manufacturing organizations. Attribution points to a Chinese-speaking adversary. Version 12.6.0.2445 removes the malicious code. BleepingComputer
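A defender's first question on the DAEMON Tools item is which hosts carry a build in the trojanized range. The following Python is an added example, not code from Kaspersky, Disc Soft or the cited article; it assumes a software inventory exported as comma-separated host,product,version lines (the sample inventory below is constructed) and uses only the version numbers the report gives: trojanized builds 12.5.0.2421 through 12.5.0.2434 and the clean release 12.6.0.2445.

```python
# Added example: triage DAEMON Tools installs against the version range
# reported as trojanized. Not from the cited report; inventory data is constructed.
from __future__ import annotations

# Boundaries taken from the report (inclusive range of trojanized builds).
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
FIXED = (12, 6, 0, 2445)  # first release stated to remove the malicious code


def parse_version(s: str) -> tuple[int, ...]:
    """Parse a dotted numeric version string into a tuple that compares numerically."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Map one installed version to an action bucket.

    TROJANIZED   -> inside the reported range: isolate host, investigate, reimage
    FIXED        -> at or above the release that removes the malicious code
    PRE-CAMPAIGN -> older than the first trojanized build; not in the reported range
    UNKNOWN      -> between the last trojanized build and the fixed release; the
                    report says nothing about these, so treat as needs-review
    """
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "TROJANIZED"
    if v >= FIXED:
        return "FIXED"
    if v < AFFECTED_MIN:
        return "PRE-CAMPAIGN"
    return "UNKNOWN"


# Constructed sample inventory: host,product,version
SAMPLE_INVENTORY = """\
host01,DAEMON Tools,12.5.0.2430
host02,DAEMON Tools,12.6.0.2445
host03,DAEMON Tools,12.4.0.2100
host04,DAEMON Tools,12.5.0.2440
"""


def triage(inventory_csv: str) -> dict[str, str]:
    """Return {host: bucket} for every DAEMON Tools entry in the inventory."""
    results: dict[str, str] = {}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, product, version = (f.strip() for f in line.split(","))
        if product.lower().startswith("daemon tools"):
            results[host] = classify(version)
    return results


if __name__ == "__main__":
    for host, bucket in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {bucket}")
```

Hosts in the TROJANIZED bucket were exposed to the signed backdoor regardless of whether a secondary payload was delivered, so upgrading alone is not sufficient; the UNKNOWN bucket exists because the report names the range and the fixed release but says nothing about builds in between.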
MuddyWater Runs False Flag Ransomware Attack via Microsoft Teams Social Engineering
Rapid7 attributed a false flag intrusion campaign to Iranian state-sponsored group MuddyWater (Mango Sandstorm), active in early 2026. Attackers used Microsoft Teams to conduct interactive screen-sharing sessions, harvesting credentials and manipulating MFA. Chaos ransomware artifacts were planted as a decoy; no encryption was ever deployed. The operation prioritized persistent access and data exfiltration over extortion. Attribution rests on a code-signing certificate previously used by MuddyWater’s CastleLoader malware family. The Hacker News
CloudZ RAT Uses Pheno Plugin to Steal SMS OTPs via Microsoft Phone Link
Cisco Talos disclosed a novel intrusion active since at least January 2026. Attackers deploy the CloudZ RAT alongside a previously undocumented plugin called Pheno, which abuses the Microsoft Phone Link application to monitor and intercept SMS messages and OTP notifications without touching the victim’s phone. Initial access uses a fake ConnectWise ScreenConnect executable. A scheduled task provides persistence. The attack effectively bypasses SMS-based MFA without requiring mobile device access. The Hacker News
Microsoft Edge Stores All Saved Passwords in Plaintext RAM — By Design
Security researcher @L1v1ng0ffTh3L4N disclosed that Microsoft Edge decrypts every stored password into process memory at startup and retains them in cleartext for the entire session. Microsoft confirmed the behavior is intentional, placing memory-read scenarios outside the browser’s threat model. In enterprise environments with shared devices, VDI, or terminal server deployments, a single foothold can expose credentials for all logged-on users. Recommendations include moving to dedicated managed password solutions, tightening local admin privileges, and strengthening endpoint monitoring. Dark Reading
House Appropriations Sets CISA Budget Cut at $135M — Far Below Trump’s $495M Proposal
The House Appropriations Subcommittee on Homeland Security approved $2.7 billion in FY2026 funding for CISA, a $135 million reduction from FY2025. The figure is substantially lower than the administration’s proposed $495 million cut. Democrats warned the reduction still leaves critical infrastructure security underfunded. The vote follows months of workforce reductions and organizational uncertainty at the agency. CyberScoop
NIST and MITRE Launch $20M AI Research Partnership to Protect Critical Infrastructure
NIST announced a $20 million partnership with MITRE to establish two AI research centers. One center will focus specifically on protecting US critical infrastructure from AI-enabled cyberthreats through real-time threat detection, automated incident response, and predictive analytics. MITRE will operate both centers in partnership with industry and academic participants over a three-year mandate covering water, electricity, and internet infrastructure sectors. CyberScoop
Romanian Cybercriminal Extradited to US After 17 Years for VoIP Hacking and ATM Fraud
Gavril Sandu, 53, a Romanian national originally indicted by a US federal grand jury in 2017, was arrested in Romania in January 2026 and extradited to the United States. Sandu allegedly participated in a vishing scheme from 2009 to 2010, compromising small business VoIP systems to steal debit card credentials from financial institution customers and conduct ATM cash-out fraud. He faces up to 30 years in prison if convicted. SecurityWeek
MetInfo CMS CVE-2026-29014 Exploitation Surges With China-Linked IP Activity
Active exploitation of CVE-2026-29014, a CVSS 9.8 unauthenticated PHP code injection flaw in MetInfo CMS versions 7.9, 8.0, and 8.1, surged after May 1, 2026. Despite a patch issued on April 7, approximately 2,000 instances remain publicly exposed. VulnCheck honeypot data shows concentrated exploitation activity from China and Hong Kong IP addresses. The flaw allows unauthenticated remote code execution through the WeChat plugin handler. The Hacker News
Stay tuned for today’s in-depth analysis posts.