# Today's Top Stories

Palo Alto Networks confirmed active exploitation of CVE-2026-0257 (CVSS 7.8), an authentication bypass flaw in PAN-OS GlobalProtect portal and gateway components. An unknown threat actor is leveraging the vulnerability to gain unauthorized access to GlobalProtect portals. Security teams running PAN-OS with GlobalProtect enabled should prioritize patching immediately given confirmed in-the-wild exploitation.

Cisco released patches for CVE-2026-20262, a privilege escalation vulnerability in Catalyst SD-WAN Manager that was actively exploited as a zero-day to gain root privileges. The flaw affects a widely deployed enterprise WAN management platform, making this a high-priority patch for network security teams managing SD-WAN infrastructure.

Google's Threat Intelligence Group exposed UNC6508, a China-nexus espionage actor that breached exposed REDCap research servers at North American medical, academic, and military institutions, deploying the InfiniteRed backdoor to steal credentials. The group operated undetected from at least 2023 into 2025, then abused victims' own Google Workspace email forwarding rules to silently exfiltrate sensitive research and defense communications.

Varonis Threat Labs disclosed 'SearchLeak,' a three-bug chain in Microsoft 365 Copilot Enterprise that allowed a single click on a legitimate microsoft.com URL to exfiltrate emails, OneDrive files, SharePoint content, and MFA codes. The attack exploited trusted domain infrastructure, bypassing standard URL filtering and anti-phishing controls; the vulnerability has since been patched by Microsoft.

The FBI and Google jointly dismantled 'Outsider Enterprise,' a phishing-as-a-service platform that operated more than 9,000 phishing sites, harvested nearly 4 million stolen credit cards, and caused approximately $1.9 billion in financial losses. The takedown represents a significant disruption to the cybercriminal ecosystem supplying phishing infrastructure at scale.

Attackers compromised JavaScript files distributed via the CDN of Awesome Motive, affecting WordPress plugins OptinMonster, TrustPulse, and PushEngage in a supply-chain attack. The malicious code triggered only when a logged-in administrator loaded the page, silently creating a rogue admin account and installing a persistent backdoor plugin — a stealthy, privilege-aware infection vector affecting potentially hundreds of thousands of WordPress sites.

A threat actor identified as 'Misere' breached Tchap, the French government's sovereign encrypted messaging platform, compromising approximately 73,000 government accounts and allegedly stealing user messages and account data. The breach of a platform explicitly designed for secure official communications is a significant intelligence and operational security failure for French authorities.

Oleksii Oleksiyovych Lytvynenko, a Ukrainian national, pleaded guilty in the US to charges related to his role developing a malware loader for the Conti ransomware operation. The conviction advances ongoing US law enforcement efforts to prosecute members of the Conti group, which was responsible for hundreds of millions of dollars in ransomware damages globally.

ShinyHunters stole personal data from over 137,000 school staff accounts by exploiting Salesforce infrastructure belonging to Infinite Campus, a K-12 student information system used widely across the US, with the breach occurring in March 2026. The same group also claims to have stolen 297 GB of data from the Council of Europe, threatening to leak employee personal information.

A ransomware group called 'The Gentlemen' attacked Mackay Sugar, Australia's second-largest sugar producer, shutting down mill operations in a disruptive OT/IT incident. The attack demonstrates continued ransomware pressure on critical agricultural and food supply infrastructure, with physical operational consequences extending beyond data theft.