VYPR
Trend · Published May 11, 2026 · Updated May 18, 2026 · 1 source

Check Point Weekly Threat Report: Canvas, Zara Breaches and Critical MOVEit, Ivanti, PAN-OS Flaws

Check Point's May 11 threat intelligence bulletin details major breaches at Instructure (Canvas) and Zara, alongside critical vulnerabilities in Progress MOVEit Automation, Ivanti EPMM, and Palo Alto PAN-OS under active exploitation.

Check Point Research has released its weekly threat intelligence bulletin for May 11, 2026, covering a wave of high-impact breaches and critical vulnerabilities. The report highlights a confirmed data breach at Instructure, the company behind the Canvas learning platform, which exposed student and staff records and private messages. The threat actor ShinyHunters escalated the attack by defacing hundreds of school login portals with ransom messages, amplifying the disruption across educational institutions.

In the retail sector, Zara, the flagship brand of Inditex, suffered a data breach tied to a third-party technology provider. Inditex confirmed unauthorized access, and experts verified that 197,400 unique email addresses, order IDs, purchase history, and customer support tickets were exposed. The incident underscores the cascading risks of third-party integrations in global supply chains.

On the vulnerability front, Progress has alerted customers to CVE-2026-4670, a critical authentication bypass in MOVEit Automation managed file transfer software that allows unauthorized access, along with CVE-2026-5174, a privilege escalation flaw. Fixes are available in versions 2025.1.5, 2025.0.9, and 2024.1.8. Ivanti has fixed CVE-2026-6973, a high-severity Endpoint Manager Mobile vulnerability exploited as a zero-day, affecting EPMM 12.8.0.0 and earlier. Hundreds of appliances reportedly remain exposed online.

Palo Alto Networks PAN-OS Authentication Portal is affected by CVE-2026-0300, a critical buffer overflow flaw allowing unauthenticated attackers to run code with root privileges on affected firewalls. Palo Alto Networks observed active exploitation against exposed portals, with no fix available at this time. Additionally, an unpatched Linux kernel flaw dubbed Dirty Frag enables local privilege escalation across Ubuntu, RHEL, Fedora, AlmaLinux, and CentOS Stream by chaining bugs in IPsec and RxRPC, with public proof-of-concept code available.

The report also covers AI-related threats, including a critical WebSocket hijacking vulnerability in Cline’s local Kanban server (CVSS 9.7, patched in version 0.1.66) that allowed any website a developer visited to exfiltrate workspace data and inject arbitrary commands into the AI agent. Researchers also found a flaw in Anthropic’s Claude in Chrome extension that allowed other browser extensions to hijack the AI agent, and detailed an InstallFix campaign using fake Claude AI installer pages promoted through Google Ads to infect Windows and macOS users with multi-stage malware.

The threat intelligence sections link Iran’s MuddyWater to the use of Chaos ransomware as cover for espionage and data theft, and detail a Silver Fox campaign targeting organizations in India and Russia with tax-themed phishing emails that deliver the ABCDoor backdoor and ValleyRAT. A multi-stage phishing campaign using fake code-of-conduct emails and adversary-in-the-middle tactics targeted more than 35,000 users at 13,000 organizations across 26 countries. Researchers also profiled UAT-8302, a China-linked espionage group conducting long-term intrusions against government agencies in South America and southeastern Europe, and revealed a software supply chain campaign on NuGet in which five packages impersonating Chinese .NET UI libraries, with nearly 65,000 downloads, install an infostealer.

Synthesized by Vypr AI