Cybersecurity: Threats and Defences
8 May

CISA's deadline outruns Palo Alto's patch

10:57 UTC, 3 min read

CISA gave federal agencies until 9 May to fix a Palo Alto firewall flaw. The patch ships on 13 May. State-nexus attackers have been inside the same firewalls since 16 April. Trellix, cPanel and Ivanti round out a week in which the perimeter device stopped pretending to hold.

Key takeaway

State and criminal actors have converged on management infrastructure (perimeter devices and the admin planes behind them), not endpoints, as the primary attack surface.


CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities catalogue on 6 May with a 9 May federal deadline. Palo Alto Networks will not ship a patch until 13 May, the first documented instance of a KEV deadline arriving before the vendor fix exists.


The US government's cyber agency added a critical Palo Alto Networks firewall flaw to its federal patch list on 6 May. The deadline was 9 May. Palo Alto will not ship the fix until 13 May, four days after that. This is the first documented case of a federal deadline arriving before the vendor patch exists.

Federal IT teams cannot comply by patching. They can only apply the workaround and document the gap.

Unit 42 confirmed state-sponsored cluster CL-STA-1132 has been inside PAN-OS firewalls since 16 April, running the same service-account enumeration and forensic-log destruction doctrine that CISA and the NCSC named against Cisco two weeks ago.


Unit 42 confirmed a state-sponsored group had been inside Palo Alto Networks firewalls from 16 April, three weeks before the public advisory. The group deleted forensic logs and used the firewall's own user accounts to move through internal networks.

The same log-deletion pattern has now appeared in attacks on three different firewall vendors in two weeks. Security researchers say the technique has spread across multiple state offensive programmes. 
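The log-deletion and service-account-enumeration pattern described above is exactly the kind of activity that survives only if logs are forwarded off the appliance. The following is an added example, not code from the briefing, Unit 42, CISA or any firewall vendor: it runs over a constructed, generic syslog-style sample (the record layout, device name, account names and addresses are all invented) and shows how a collector-side copy still reveals a wipe on the device, via a jump in the forwarded sequence counter and a silence longer than the heartbeat cadence, alongside the preceding burst of attempts against several service accounts.

```python
"""Gap and log-wiping indicators in off-box firewall syslog.

Added example, not code from the briefing, Unit 42, CISA or a firewall vendor.
The record format (ISO timestamp, device name, seq=N, message) is constructed
and generic, not PAN-OS or Cisco syntax. Idea: an intruder who wipes logs on
the appliance cannot wipe the copies already forwarded to a collector, and
those copies still carry the device's per-stream sequence counter and its
heartbeat cadence, so both the deletion and the service-account enumeration
that preceded it stay visible off-box.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. The device heartbeats at least every 60 s and numbers
# every forwarded record; seq 1007..1011 never reach the collector.
SAMPLE_LOG = """\
2026-04-16T02:00:00Z fw-edge-1 seq=1001 system: heartbeat
2026-04-16T02:00:45Z fw-edge-1 seq=1002 auth: login user=svc-backup src=10.0.8.14 result=fail
2026-04-16T02:00:46Z fw-edge-1 seq=1003 auth: login user=svc-monitor src=10.0.8.14 result=fail
2026-04-16T02:00:47Z fw-edge-1 seq=1004 auth: login user=svc-ldap src=10.0.8.14 result=fail
2026-04-16T02:00:48Z fw-edge-1 seq=1005 auth: login user=svc-ldap src=10.0.8.14 result=success
2026-04-16T02:01:00Z fw-edge-1 seq=1006 system: heartbeat
2026-04-16T02:09:00Z fw-edge-1 seq=1012 system: heartbeat
2026-04-16T02:10:00Z fw-edge-1 seq=1013 system: heartbeat
"""


def parse_log(text):
    """Parse the constructed records into dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4 or not parts[2].startswith("seq="):
            continue
        ts, device, seq, msg = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "device": device,
            "seq": int(seq[4:]),
            "msg": msg,
        })
    return records


def _by_device(records):
    groups = defaultdict(list)
    for r in records:
        groups[r["device"]].append(r)
    for recs in groups.values():
        recs.sort(key=lambda r: (r["ts"], r["seq"]))
    return groups


def find_sequence_gaps(records):
    """Runs of sequence numbers that never arrived at the collector."""
    gaps = []
    for device, recs in _by_device(records).items():
        for prev, cur in zip(recs, recs[1:]):
            if cur["seq"] != prev["seq"] + 1:
                gaps.append({"device": device,
                             "missing_from": prev["seq"] + 1,
                             "missing_to": cur["seq"] - 1,
                             "after": prev["ts"], "before": cur["ts"]})
    return gaps


def find_silences(records, max_quiet=timedelta(seconds=60)):
    """Intervals longer than the device's expected heartbeat cadence."""
    silences = []
    for device, recs in _by_device(records).items():
        for prev, cur in zip(recs, recs[1:]):
            quiet = cur["ts"] - prev["ts"]
            if quiet > max_quiet:
                silences.append({"device": device, "start": prev["ts"], "end": cur["ts"],
                                 "seconds": int(quiet.total_seconds())})
    return silences


def find_account_enumeration(records, distinct_users=3, window=timedelta(seconds=60)):
    """Sources that try `distinct_users` or more different accounts within `window`."""
    attempts = defaultdict(list)  # src -> [(ts, user)]
    for r in records:
        if not r["msg"].startswith("auth: login "):
            continue
        fields = dict(kv.split("=", 1) for kv in r["msg"].split()[2:] if "=" in kv)
        if "src" in fields and "user" in fields:
            attempts[fields["src"]].append((r["ts"], fields["user"]))
    flagged = {}
    for src, events in attempts.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= distinct_users:
                flagged[src] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("sequence gaps:", find_sequence_gaps(recs))
    print("silences:", find_silences(recs))
    print("account enumeration:", find_account_enumeration(recs))
```

The three checks are deliberately independent: a sequence gap alone can be a transport drop, a silence alone can be a quiet night, and a burst of distinct accounts from one source alone can be a misconfigured scanner; the same device showing all three in one ten-minute span is what merits an on-appliance integrity check. Both the heartbeat interval and the enumeration threshold are assumptions to tune per device.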

Trellix confirmed on 8 May that ransomware-as-a-service group RansomHouse accessed part of its source-code repository on 17 April. The 21-day disclosure gap is twenty days past the initial-notification window the UK Cyber Security and Resilience Bill proposes.


Trellix is a cybersecurity company formed from the McAfee and FireEye merger. It confirmed on 8 May that ransomware group RansomHouse accessed part of its source code on 17 April. The company took 21 days to disclose. No data has been published.

A UK bill moving through the Lords would require companies to report breaches within 24 hours. Trellix would have missed that window by 20 days. 

WatchTowr Labs confirmed CVE-2026-41940 in cPanel ran as a true zero-day from 23 February until WebPros shipped a patch on 28 April, with roughly 1.5 million internet-exposed instances. A novel actor calling itself 'Sorry' ransomware is deploying a Go-language Linux encryptor on compromised hosts.


A critical flaw in cPanel, which powers most shared web hosting, was exploited from 23 February with no patch until 28 April, a 65-day gap. Roughly 1.5 million cPanel servers are exposed on the internet, each hosting dozens of customer sites and databases.

A ransomware group calling itself 'Sorry' is now encrypting files on compromised cPanel hosts, working through the target list the 65-day window created. 

CISA added CVE-2026-6973 in Ivanti Endpoint Manager Mobile to KEV on 7 May, the fourth zero-day in the same on-premises MDM product to reach the federal catalogue since 2023. Ivanti confirms limited exploitation; on-premises deployments are affected, Ivanti Neurons cloud is not.

Sources: CISA, Ivanti

Google Threat Intelligence Group and Mandiant disclosed on 5 May that North Korea-nexus actor UNC1069 phished an Axios npm package maintainer on 31 March, planting the WAVESHAPER.V2 backdoor in two versions with a combined 183 million weekly downloads.


North Korea-linked hackers tricked an authorised maintainer of the axios JavaScript library into handing over publish access. They slipped a backdoor into two versions during a three-hour window on 31 March. The two versions together see 183 million weekly downloads. Google and Mandiant named the group, UNC1069, on 5 May.

Any software build that ran during those three hours may have installed the backdoor. The attack bypassed security checks because the versions were published from a trusted maintainer's account.
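For a team asking "did any of our builds pin one of those versions?", the first place to look is the committed lockfile. The following is an added example, not code from the axios project, Google, Mandiant or npm: it walks the lockfileVersion 2/3 "packages" map of a package-lock.json and compares each installed copy of a package against the per-version publish timestamps that the npm registry exposes in the "time" object of its package document. The briefing names neither the two affected versions nor the exact hours of the 31 March window, so the registry document, the lockfile, the placeholder versions and the window bounds below are all constructed stand-ins that must be replaced with the advisory's values.

```python
"""Flag lockfile entries whose version was published inside a compromise window.

Added example; not axios project code nor Google/Mandiant/npm tooling. It reads
the lockfileVersion 2/3 "packages" map of package-lock.json and the per-version
publish timestamps the npm registry exposes in the "time" object of
https://registry.npmjs.org/<package>. Registry document, lockfile, versions and
window bounds below are constructed placeholders, not the real advisory values.
"""
import json
from datetime import datetime, timezone

PACKAGE = "axios"

# Constructed stand-in for the registry document's "time" object. Real use:
# json.load(urllib.request.urlopen(f"https://registry.npmjs.org/{PACKAGE}"))["time"]
REGISTRY_TIME = {
    "created": "2026-03-01T00:00:00.000Z",
    "modified": "2026-04-01T09:00:00.000Z",
    "0.0.0-placeholder.0": "2026-03-20T10:00:00.000Z",
    "0.0.0-placeholder.1": "2026-03-31T12:40:00.000Z",
    "0.0.0-placeholder.2": "2026-03-31T13:55:00.000Z",
    "0.0.0-placeholder.3": "2026-04-01T09:00:00.000Z",
}

# Assumed placeholder window: three hours on 31 March. The real bounds must
# come from the vendor or GTIG advisory; the briefing does not give the hours.
WINDOW_START = datetime(2026, 3, 31, 12, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 31, 15, 0, tzinfo=timezone.utc)

# Constructed lockfile with a direct copy and a nested (hoisting-blocked) copy.
LOCKFILE = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"axios": "^0.0.0-placeholder.1"}},
    "node_modules/axios": {
      "version": "0.0.0-placeholder.2",
      "resolved": "https://registry.npmjs.org/axios/-/axios-0.0.0-placeholder.2.tgz"
    },
    "node_modules/legacy-sdk": {"version": "1.0.0", "dependencies": {"axios": "0.0.0-placeholder.0"}},
    "node_modules/legacy-sdk/node_modules/axios": {
      "version": "0.0.0-placeholder.0",
      "resolved": "https://registry.npmjs.org/axios/-/axios-0.0.0-placeholder.0.tgz"
    }
  }
}
""")


def parse_registry_time(value):
    """Registry timestamps are UTC ISO strings with millisecond precision and a Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def versions_published_in(time_obj, start, end):
    """Versions whose publish time falls in [start, end]; the created/modified keys are skipped."""
    out = set()
    for version, published in time_obj.items():
        if version in ("created", "modified"):
            continue
        if start <= parse_registry_time(published) <= end:
            out.add(version)
    return out


def installed_versions(lockfile, package):
    """Every copy of `package` in the lockfile, including nested duplicates."""
    found = {}
    for path, entry in lockfile.get("packages", {}).items():
        if not path or "node_modules/" not in path:
            continue
        # The last path segment after node_modules/ is the package name
        # (scoped names such as @scope/name survive this split intact).
        if path.rsplit("node_modules/", 1)[1] == package and "version" in entry:
            found[path] = entry["version"]
    return found


def find_exposed(lockfile, time_obj, package, start, end):
    """Lockfile paths pinned to a version that was published inside the window."""
    suspect = versions_published_in(time_obj, start, end)
    return sorted((p, v) for p, v in installed_versions(lockfile, package).items() if v in suspect)


if __name__ == "__main__":
    for path, version in find_exposed(LOCKFILE, REGISTRY_TIME, PACKAGE, WINDOW_START, WINDOW_END):
        print(f"{path}: {version} published inside the window; rebuild and rotate secrets")
```

Two caveats on scope. A lockfile only answers for builds that honoured it; a build that ran without a committed lockfile (or with `npm install` rather than `npm ci`) resolved whatever the registry served at that moment, and only the CI job's own logs can say which version that was. And the window check is a screen, not the answer: the authoritative list is the two version numbers in the advisory, which should replace the publish-time heuristic once known.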

Center for Strategic and International Studies published a paper on 7 May arguing the US-ROK cyber relationship must move from communique to operational joint response, six days after the Axios compromise and two days after GTIG named UNC1069.


The Center for Strategic and International Studies, a Washington think tank, published a paper on 7 May. It called for the US and South Korea to build a working joint cyber-response system. The paper appeared two days after Google confirmed North Korea was behind the Axios library backdoor.

The current US-South Korea arrangement requires diplomatic clearance at each incident. The paper calls for pre-authorised joint responses that skip that clearance cycle. 

Sources: CSIS

Microsoft's 19 April emergency KB5091157 fixed LSASS reboot loops on PAM domain controllers. Separately, Check Point Research turned a Gentlemen ransomware SystemBC C2 server into victim intelligence on 1,570 targets, and ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May.


Microsoft issued an emergency patch on 19 April for Windows Server domain controllers crashing in Privileged Access Management environments. Check Point Research infiltrated a server used by The Gentlemen ransomware group and found 1,570 victims. DragonForce confirmed using SimpleHelp remote-access flaws from 2024 to break into targets.

Palo Alto Networks acquired AI-gateway startup Portkey for around $130 million. Europe's cybersecurity agency added four new bodies to its vulnerability-tracking network on 6 May. 

Closing comments

The trajectory is upward on two vectors simultaneously. On infrastructure targeting: CL-STA-1132 running a shared doctrine with UAT-4356 (confirmed against Cisco) and FIRESTARTER means the same playbook is now deployed across PAN-OS, Cisco ASA, and Cisco Firepower concurrently; if a fourth firewall vendor joins that list before the CISA deadline, the advisory from the 16-agency coalition will need to expand its perimeter-device guidance. On supply-chain: four developer-toolchain compromises in five weeks is an escalation from the two-to-three-per-quarter pace of 2025; a fifth event, particularly one targeting a registry at higher privilege (npm registry infrastructure itself rather than individual packages), would indicate the adversary has moved from opportunistic to systematic. The tipping mechanism is concrete: whether the npm Security Response Team or CISA issues supply-chain-specific emergency guidance before a fifth toolchain event would be the clearest indicator of institutional catch-up.

Different Perspectives
US Federal CISO Community
Federal CISOs faced a binary on 9 May: document non-compliance with a CVE-2026-0300 patch that does not exist, or restrict User-ID portals and disable Response Pages as CISA's own mitigation guidance requires. Neither outcome satisfies the BOD 22-01 remediation standard the KEV programme was built on.
UK Parliament House of Lords
Lords debating the CS&R Bill's 24-hour initial-notification provision have a current-quarter worked example: Trellix's 21-day disclosure gap maps precisely onto the gap the bill targets. The debate now has a concrete answer to whether the 24-hour rule is operationally realistic for complex vendor breaches.
WatchTowr Labs
WatchTowr Labs disclosed CVE-2026-41940 after the 28 April patch shipped, providing the 65-day exploitation timeline from KnownHost telemetry. The disclosure is textbook; the open question is why WebPros did not catch the cpsrvd CRLF-class flaw before external researchers found it under active exploitation.
Democratic People's Republic of Korea
UNC1069's Axios operation scales North Korea's supply-chain access from niche Python packages to the most downloaded HTTP client in the JavaScript ecosystem. WAVESHAPER.V2 provides persistent access to development environments where cryptocurrency wallets and API keys are stored, serving the sanctions-evasion funding logic behind earlier DPRK toolchain operations.
Republic of Korea National Intelligence Service
South Korea's NIS tracks UNC1069's tooling evolution; the CSIS paper argues the ROK's intelligence on DPRK cyber operations should feed joint US-ROK situational awareness rather than bilateral channels that move too slowly for real-time supply-chain response.
German Federal Office for Information Security (BSI)
BSI rated CVE-2026-41940 in cPanel 'very high', reflecting Germany's exposure across shared-hosting infrastructure for Mittelstand businesses. The 65-day zero-day window and the amplification effect of cPanel's multi-tenancy model mean the BSI rating applies to thousands of German SME websites hosted on affected servers.