Palo Alto PAN-OS Zero-Day Exploited Amid 30 Breach Claims
Summary
The day's signal split between an exploited firewall zero-day on enterprise edges and an unusually heavy forum cycle of breach claims against household financial, telecoms and consumer brands. Defenders running PAN-OS or relying on free-tool installers should treat both vectors as immediate priorities.
Today's developments
Palo Alto Networks confirmed active exploitation of CVE-2026-0300, an unauthenticated remote code execution flaw in the Captive Portal service of PAN-OS on PA-series and VM-series firewalls, with a CVSS score of 9.3, while the vendor finalises a patch. Industry researchers also disclosed a separate intrusion in which the CloudZ remote access tool weaponised Windows Phone Link to harvest credentials and one-time passcodes, paired with a previously undocumented plugin dubbed Pheno. SecurityWeek and others traced a Daemon Tools supply chain compromise that distributed trojanised installers worldwide while dropping a sophisticated backdoor only on a dozen government and scientific-entity systems. A Quasar Linux RAT campaign was reported as targeting software developers with persistent, evasive credential-exfiltration capabilities. CISA issued isolation-and-recovery guidance for critical infrastructure operators preparing for foreign-actor cyberattacks, and Google announced expanded Binary Transparency for Android via a public ledger to harden first-party apps against supply chain tampering. Oracle moved its critical security patches to a monthly cadence, narrowing the window between disclosure and rollout.
The libaisec event stream logged 106 alleged incidents on the day, including 21 Data Breach and 9 Data Leak listings across consumer, government, education and finance verticals.
- Caradao claims user-lead data tied to Binance (Global, Financial Services); Xyph0rix claims a breach of Western Digital My Cloud customer data (Global, Computer Networking); test_mobi claims a breach against Wolters Kluwer (Netherlands, Information Services).
- Citizen posted four parallel listings -- alleged exposure of the United States Chamber of Commerce; an Indian Education Portal; an Indonesian QRIS payment-rail database; and the Meriah4D online-gaming platform's member set.
- momo78 claims data taken from Punjab National Bank (India, Banking); ant lists a BMW Registry leak (US, Automotive); NormalLeVrai offers data attributed to Burger King Russia; AAB20 lists com23.ru, a Russian delivery service.
- The BlackH4t MD-Ghost claims a breach of Taiwan's Insurance Bureau; S-Root lists Iqraa American School (Kuwait, Education); Mr.ZeroPhx100 claims SMK Nusantara Batang (Indonesia, Education); Theblueanonymouse claims insurance broker ALBROK in Spain; KARAWANG ERROR SYSTEM lists Seahorse Magazine in the United Kingdom.
- bobbyaxelrod99 advertises a French private database; remarose772 lists a Portuguese high-income-individuals dataset; attackercompany offers an unidentified UAE real-estate firm; TheAnonymousShipper claims the social platform TomodachiShare; punk lists two cryptocurrency-related platforms; zixy11 lists a database labelled "DCBANK".
Threat landscape signals
Bavacai dominates the event count with 19 listings, almost entirely DDoS attacks; together with NoName057(16) at 10 and DieNet at 6, the top three actors account for roughly a third of the 106 events on the day, sustaining the hacktivist-DDoS baseline that has pinned the daily curve for weeks. United States (17), Israel (10), Austria (7) and Ukraine (6) lead the targeted-country list, with Thailand (5) and France (4) close behind, reflecting persistent pressure on Western and frontline-state public-sector and telecoms targets. Government Administration leads verticals with 19 mentions and Education trails with 8; the financial breach listings -- Binance, Punjab National Bank, ALBROK and Wolters Kluwer -- push consumer-data risk back to the top of the feed for incident responders. Operationally, the Palo Alto and Daemon Tools events together argue that the immediate exposure window sits at the perimeter and at the supply chain that delivers software to it: patch PAN-OS Captive Portal hosts now, audit recent installer provenance for Daemon Tools and similar free utilities, and watch for outbound activity from any developer endpoint that may have run a Quasar-bearing Linux package.
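The installer-provenance audit recommended above can be scripted. The following is an added example, not code from the digest or from any vendor named in it: it hashes installers found on an endpoint and classifies each against a manifest of digests pinned from the vendor's published checksums. The filenames, manifest and installer bytes are constructed placeholders, and the manifest source is an assumption.

```python
"""Installer-provenance audit: compare SHA-256 digests of installers on hand
against a pinned manifest of known-good digests and classify each file.

Added example; the manifest and installer contents below are constructed."""
import hashlib
import hmac
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the raw file bytes, as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def audit_installers(files: dict[str, bytes], manifest: dict[str, str]) -> dict[str, str]:
    """Classify each installer as 'verified', 'mismatch' or 'unknown'.

    files:    filename -> raw bytes of the installer as found on the endpoint.
    manifest: filename -> expected SHA-256 hex digest, pinned from the vendor's
              published checksums (assumed to be recorded at download time, not
              fetched from the same mirror that served the installer).
    """
    report = {}
    for name, data in files.items():
        actual = sha256_hex(data)
        expected = manifest.get(name)
        if expected is None:
            # No manifest entry: provenance cannot be established for this file.
            report[name] = "unknown"
        elif hmac.compare_digest(actual, expected.lower()):
            report[name] = "verified"
        else:
            # Content differs from the pinned digest: treat as tampered until explained.
            report[name] = "mismatch"
    return report


def audit_directory(directory: str, manifest: dict[str, str]) -> dict[str, str]:
    """Same check over real files: every regular file in `directory` is hashed."""
    files = {p.name: p.read_bytes() for p in Path(directory).iterdir() if p.is_file()}
    return audit_installers(files, manifest)


# Constructed sample data (not real installers): a known-good build, a trojanised
# copy with appended bytes, and a renamed copy that has no manifest entry at all.
GOOD_BUILD = b"hypothetical-vendor-installer-bytes"
TAMPERED_BUILD = GOOD_BUILD + b"\x00injected-stub"
SAMPLE_MANIFEST = {"Setup.exe": sha256_hex(GOOD_BUILD)}  # placeholder filename
SAMPLE_FILES = {
    "Setup.exe": TAMPERED_BUILD,        # same name, altered content -> mismatch
    "Setup-mirror.exe": GOOD_BUILD,     # no manifest entry -> unknown
}


def sample_report() -> dict[str, str]:
    """Run the audit over the constructed sample set."""
    return audit_installers(SAMPLE_FILES, SAMPLE_MANIFEST)


if __name__ == "__main__":
    for name, verdict in sample_report().items():
        print(f"{verdict:9s} {name}")
```

A "mismatch" on a file that was installed is the signal to pull the endpoint for review; an "unknown" means the installer came from a source that was never pinned, which is the same gap a supply chain compromise exploits. Comparing digests with `hmac.compare_digest` avoids short-circuit timing differences, a habit worth keeping even where the comparison is local.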