Threat Feed

Vendor

Palo Alto Networks

36 briefs
high threat

Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor

Operation FlutterBridge is a malvertising campaign targeting macOS users with the new FlutterShell backdoor, which uses malicious desktop applications for adware distribution and provides backdoor capabilities such as command execution and file system manipulation, with some variants using AI summarization for data exfiltration.

Chrome +5 CL-CRI-1089 malvertising macos backdoor
medium advisory

Detect Large ICMP Traffic

This analytic identifies ICMP traffic to external IP addresses with total bytes greater than 1,000 bytes, leveraging the Network_Traffic data model to detect potential information smuggling, covert communication, or command-and-control (C2) activities.

Palo Alto Network Traffic +4 network command-and-control icmp
high threat

Cyber Extortion Economy Shifting Towards Data Theft

Cyber extortion is increasingly relying on data theft rather than ransomware encryption, with threat actors like Bling Libra and TGR-CRI-1135 leveraging techniques like vishing and software supply chain compromise, fueled by regulatory compliance pressures and the impending weaponization of frontier AI models.

EBS +1 Bling Libra cyber-extortion data-theft ransomware
high advisory

Gremlin Stealer Evolves with Advanced Obfuscation and Session Hijacking

The Gremlin stealer malware has evolved with advanced obfuscation techniques, crypto clipping, and session hijacking capabilities to steal sensitive information from compromised systems.

Advanced WildFire +5 infostealer credential-theft session-hijacking crypto-clipping dotnet
critical threat

Multiple Vulnerabilities in Palo Alto Networks GlobalProtect App

Multiple vulnerabilities in the Palo Alto Networks GlobalProtect App could allow an attacker to gain administrator privileges, execute arbitrary code with administrator privileges, disclose sensitive information, manipulate data, and cause a denial-of-service condition.

GlobalProtect App vulnerability privilege-escalation execution credential-access impact
medium advisory

CVE-2026-0259 Arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire Appliance

CVE-2026-0259 allows a low-privileged user to read sensitive information and delete arbitrary files on Palo Alto Networks WildFire WF-500 and WF-500-B appliances running in the default non-FIPS configuration.

WildFire WF-500 +1 cve arbitrary file read arbitrary file delete wildfire
medium advisory

CVE-2026-0243: Prisma SD-WAN Denial-of-Service via Crafted IPv6 Packet

An unauthenticated, adjacent attacker can disrupt Palo Alto Networks Prisma SD-WAN ION devices by sending a specially crafted IPv6 packet, leading to a denial-of-service condition.

Prisma SD-WAN ION denial-of-service network Prisma SD-WAN
medium advisory

CVE-2026-0245 Prisma Access Agent Information Disclosure Vulnerability

CVE-2026-0245 describes multiple information disclosure vulnerabilities in Palo Alto Networks Prisma Access Agent before version 26.2.1 on macOS and Windows, allowing a local user to access sensitive configuration data and credentials.

Prisma Access Agent cve-2026-0245 information-disclosure prisma-access-agent
medium advisory

CVE-2026-0257 PAN-OS GlobalProtect Authentication Bypass Vulnerability

An authentication bypass vulnerability exists in Palo Alto Networks PAN-OS GlobalProtect portal and gateway (CVE-2026-0257) when authentication override cookies are enabled, allowing an attacker to establish an unauthorized VPN connection.

PAN-OS +1 authentication bypass vpn cve-2026-0257
high threat

CVE-2026-0264 PAN-OS Heap-Based Buffer Overflow in DNS Proxy Allows RCE

CVE-2026-0264 is a heap-based buffer overflow vulnerability in Palo Alto Networks PAN-OS DNS proxy and DNS server features, allowing an unauthenticated attacker with network access to cause denial of service or potentially execute arbitrary code by sending crafted network traffic.

exploited PAN-OS 12.1 +3 cve heap-overflow rce dos network
high advisory

CVE-2026-0265 PAN-OS Authentication Bypass with Cloud Authentication Service (CAS)

CVE-2026-0265 is an authentication bypass vulnerability in Palo Alto Networks PAN-OS when Cloud Authentication Service (CAS) is enabled, allowing an unauthenticated attacker with network access to bypass authentication controls, impacting confidentiality, integrity, and availability.

PAN-OS +3 authentication-bypass cve-2026-0265 network
medium advisory

CVE-2026-0249 GlobalProtect App: Certificate Validation Bypass Vulnerabilities

CVE-2026-0249 describes multiple improper certificate validation vulnerabilities in the Palo Alto Networks GlobalProtect app that could allow an attacker to intercept encrypted communications and potentially compromise the endpoint, especially on macOS, Android, and ChromeOS.

GlobalProtect App cve-2026-0249 certificate validation man-in-the-middle globalprotect vpn
high advisory

CVE-2026-0263 PAN-OS: Remote Code Execution (RCE) in IKEv2 Processing

A buffer overflow vulnerability in Palo Alto Networks PAN-OS IKEv2 processing (CVE-2026-0263) allows unauthenticated network-based attackers to execute arbitrary code with elevated privileges or cause a denial of service, affecting versions 12.1, 11.2, and 11.1 when configured with Post Quantum Cryptography (PQC).

PAN-OS 12.1 +2 rce dos ikev2 palo-alto-networks firewall
medium advisory

CVE-2026-0239 Chronosphere Chronocollector Information Disclosure Vulnerability

CVE-2026-0239 is an information disclosure vulnerability in Chronosphere Chronocollector versions earlier than v0.116.0, allowing an unauthenticated attacker with network access to retrieve sensitive information.

Chronosphere Chronocollector < v0.116.0 information disclosure vulnerability network
medium advisory

CVE-2026-0256 PAN-OS Stored Cross-Site Scripting (XSS) Vulnerability

A stored cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS allows a malicious authenticated administrator to inject a JavaScript payload via the web interface, potentially impacting other administrators.

PAN-OS 12.1 +3 xss cve web-interface
medium advisory

CVE-2026-0244 Prisma SD-WAN ION Improper Certificate Validation Vulnerability

CVE-2026-0244 is an improper certificate validation vulnerability in Palo Alto Networks Prisma SD-WAN ION that allows a man-in-the-middle (MitM) attacker to impersonate the controller.

Prisma SD-WAN ION vulnerability mitm certificate validation
medium advisory

CVE-2026-0261 PAN-OS Authenticated Admin Command Injection Vulnerability

CVE-2026-0261 describes multiple command injection vulnerabilities in Palo Alto Networks PAN-OS software that allow an authenticated administrator to bypass system restrictions and execute arbitrary commands as root.

PAN-OS cve command injection palo alto networks
medium threat

CVE-2026-0242: Trust Protection Foundation SQL Injection Vulnerability

A SQL injection vulnerability in Trust Protection Foundation allows an authenticated attacker to execute arbitrary SQL commands against the product database, potentially leading to sensitive data exposure, data modification, and privilege escalation.

exploited Trust Protection Foundation cve sql-injection palo alto networks
medium threat

CVE-2026-0241: Trust Protection Foundation Authorization Bypass Vulnerabilities

CVE-2026-0241 describes multiple incorrect authorization vulnerabilities in Palo Alto Networks Trust Protection Foundation that allow attackers to bypass access controls and perform unauthorized actions on restricted resources.

exploited Trust Protection Foundation cve authorization bypass palo alto networks
medium advisory

CVE-2026-0258 PAN-OS SSRF vulnerability in IKEv2 certificate URL fetching

CVE-2026-0258 is a medium severity server-side request forgery (SSRF) vulnerability in Palo Alto Networks PAN-OS that allows an unauthenticated attacker to cause the firewall to send network requests to unintended destinations, potentially leading to a denial of service (DoS).

PAN-OS ssrf cve-2026-0258 network palo alto networks
medium advisory

CVE-2026-0250 Palo Alto Networks GlobalProtect App Buffer Overflow Vulnerability

CVE-2026-0250 is a medium severity buffer overflow vulnerability in Palo Alto Networks GlobalProtect App that could allow a man-in-the-middle attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges by intercepting and manipulating requests and responses between the Portal and Gateway.

GlobalProtect App +1 cve-2026-0250 buffer-overflow man-in-the-middle
medium advisory

CVE-2026-0240 Trust Protection Foundation Sensitive Information Disclosure Vulnerability

CVE-2026-0240 is a medium severity information disclosure vulnerability in Palo Alto Networks Trust Protection Foundation, allowing an authenticated attacker to obtain sensitive information from the server's vault, potentially leading to user impersonation and arbitrary modification of configuration settings.

Trust Protection Foundation information-disclosure cve-2026-0240 palo alto networks
medium advisory

CVE-2026-0262 PAN-OS: Denial of Service Vulnerabilities in Network Traffic Parsing

Unauthenticated attackers can cause a denial of service (DoS) condition on Palo Alto Networks PAN-OS firewalls by sending specially crafted network traffic, as described in CVE-2026-0262.

PAN-OS +1 dos denial of service CVE-2026-0262
medium advisory

CVE-2026-0246 Prisma Access Agent Local Privilege Escalation Vulnerability

A local privilege escalation vulnerability exists in Palo Alto Networks Prisma Access Agent versions prior to 26.2.1 on Linux, macOS, and Windows, allowing a locally authenticated non-administrative user to gain root or NT AUTHORITY\SYSTEM privileges and execute arbitrary code.

Prisma Access Agent privilege-escalation cve
medium advisory

CVE-2026-0251: Palo Alto Networks GlobalProtect App Local Privilege Escalation

Multiple local privilege escalation vulnerabilities exist in Palo Alto Networks GlobalProtect App, allowing a local user to escalate privileges to NT AUTHORITY\SYSTEM on Windows and root on macOS and Linux, enabling arbitrary command execution with administrative privileges.

GlobalProtect App privilege-escalation cve-2026-0251 palo alto networks globalprotect
low threat

CVE-2026-0238: Palo Alto Networks Broker VM Improper Input Validation

CVE-2026-0238 is an improper input validation vulnerability in Palo Alto Networks Broker VM that allows an authenticated administrator to inject arbitrary content into certain fields, affecting versions 30.0 prior to 30.0.24.

exploited Broker VM vulnerability input validation
medium advisory

CVE-2026-0248 Prisma Access Agent Improper Certificate Validation Vulnerability

CVE-2026-0248 is an improper certificate validation vulnerability in Prisma Access Agent for Android and Chrome OS, enabling a man-in-the-middle (MitM) attack to intercept VPN traffic and capture sensitive device information by presenting a certificate issued by a trusted Certificate Authority.

Prisma Access Agent cve-2026-0248 mitm vpn certificate-validation
medium advisory

CVE-2026-0247 Prisma Access Agent Endpoint DLP: Authorization Bypass Vulnerabilities

Multiple authorization bypass vulnerabilities exist in the Endpoint DLP component of Prisma Access Agent, allowing a local attacker to bypass authentication controls and execute privileged operations on macOS and Windows systems with Endpoint DLP enabled; versions prior to 26.2.1 are affected.

Prisma Access Agent cve-2026-0247 privilege-escalation authorization-bypass endpoint-dlp
critical advisory

PAN-OS Authentication Portal Remote Code Execution Vulnerability

An unauthenticated remote code execution vulnerability exists in the PAN-OS Authentication Portal (Captive Portal) service, potentially allowing attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending crafted network packets.

PAN-OS +2 vulnerability rce network
critical threat

Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability Added to CISA KEV Catalog

CVE-2026-0300, a Palo Alto Networks PAN-OS out-of-bounds write vulnerability, has been added to CISA's Known Exploited Vulnerabilities Catalog due to evidence of active exploitation.

exploited PAN-OS cve-2026-0300 kev out-of-bounds write active exploitation
high advisory

Expanding Detection Beyond Endpoints to Counter Evolving Threats

Threat actors are rapidly exfiltrating data by exploiting blind spots created by an over-reliance on endpoint data, necessitating a comprehensive security approach that incorporates cloud, identity, and network telemetry for effective threat detection and response.

Cortex XDR +8 cloud-security iam incident-response threat-detection
medium advisory

Hickory DNS Recursor Cache Poisoning via Sibling Zone Delegation

The experimental `hickory-recursor` crate in Hickory DNS is vulnerable to cross-zone cache poisoning due to storing DNS records keyed by record name/type instead of query, enabling an attacker to redirect queries for a victim zone to an attacker-controlled nameserver.

hickory-recursor +1 dns cache-poisoning zone-delegation
medium advisory

Persistence via Windows Installer (Msiexec)

Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.

Windows +21 persistence defense-evasion
high threat

Mac Malware of 2019 Report

The Mac Malware of 2019 report details various Mac malware specimens and variants, including CookieMiner, a cryptominer that steals user cookies and passwords, likely to give attackers access to victims' online accounts and wallets; CookieMiner persists via launch agents and exfiltrates browser cookies to a remote C2 server.

CleanMyMac X +1 Lazarus Group +4 macos malware cryptominer cookie-stealing
medium advisory

Generic Ransomware Detection on macOS

This brief outlines a method for generically detecting ransomware on macOS by monitoring file I/O events and identifying the rapid creation of encrypted files by untrusted processes, as proposed by Objective-See.

Transmission +1 ransomware malware macos
medium advisory

Suspicious Module Loaded by LSASS for Credential Access

This analytic detects unsigned or untrusted DLLs being loaded into the LSASS process, which is indicative of credential access attempts by adversaries aiming to steal sensitive information such as user passwords.

credential-access lsass windows