Critical Zero-Day Exploits Hit Palo Alto and Ivanti
Palo Alto Networks and Ivanti have both disclosed critical zero-day vulnerabilities that are currently being exploited in the wild.
Palo Alto Networks has confirmed active exploitation of a critical buffer overflow vulnerability in its PAN-OS software, specifically affecting the User-ID Authentication Portal service. Tracked as CVE-2026-0300, this flaw allows unauthenticated attackers to execute arbitrary code with root privileges on affected PA-Series firewalls. As The Record reported, the vulnerability has been added to the CISA Known Exploited Vulnerabilities catalog due to its use in targeted attacks. Security teams should prioritize patching immediately, as the exploit provides attackers with a foothold for deep network espionage. Further technical analysis from Rapid7 highlights the severity of the root-level access granted by this flaw.
Ivanti has released patches for a critical remote code execution vulnerability in its Endpoint Manager Mobile (EPMM) platform, identified as CVE-2026-6973. The flaw stems from improper input validation, which allows a remotely authenticated administrator to achieve remote code execution on the underlying system. As The Hacker News noted, the vulnerability is already being exploited in the wild, leading CISA to mandate its remediation for federal agencies. Organizations using EPMM versions prior to 12.6.1.1, 12.7.0.1, or 12.8.0.1 must upgrade immediately to mitigate the risk of unauthorized system compromise, as detailed by SecurityWeek.
A significant batch of critical vulnerabilities has been disclosed across various Linux kernel subsystems, necessitating urgent attention for infrastructure security. These include CVE-2026-43208, CVE-2026-43198, CVE-2026-43186, CVE-2026-43185, CVE-2026-43067, CVE-2026-43011, CVE-2026-31463, and CVE-2026-31444. The flaws cover a wide range of issues, including heap buffer overflows in IOAM, signedness bugs in ksmbd, and various race conditions and memory management errors in the networking and file system layers. Given the potential for local privilege escalation or system crashes, administrators should ensure their kernel versions are updated to the latest stable releases provided by their distribution vendors.
Multiple critical vulnerabilities have been identified in specialized industrial and consumer hardware, including Universal Robots PolyScope, Yarbo firmware, and Remote Spark SparkView. CVE-2026-8153 allows unauthenticated OS command injection in the Universal Robots Dashboard Server, while Yarbo firmware is impacted by CVE-2026-7414 and CVE-2026-7415, which involve hardcoded credentials and insecure MQTT broker configurations. Additionally, CVE-2026-6213 in Remote Spark SparkView enables root-level code execution via a local connection bypass. These vulnerabilities highlight the persistent risk posed by insecure configurations and weak authentication mechanisms in embedded and industrial control systems.
Several application-layer vulnerabilities have been disclosed, posing risks that range from remote code execution through command injection and template injection to authentication bypass. LibreNMS is affected by CVE-2024-51092, which allows OS command injection via multiple controllers. Open Notebook is vulnerable to CVE-2026-33587 due to a lack of input sanitization leading to Server-Side Template Injection. Furthermore, the math-codegen library is impacted by CVE-2026-41507, which allows arbitrary code execution via unsafe string literal parsing. Finally, CoreDNS is susceptible to CVE-2026-35579, involving incorrect TSIG authentication handling across multiple transport protocols, and MiCode FileExplorer contains an authentication bypass in its FTP component via CVE-2026-29515.