Threat Analysis: PAN-OS Zero-Day, Storm-1175 Ransomware, and the Supply Chain Problem Nobody Is Fixing
Hello, Mauven here.
This is your Daily Threat Analysis for 7th May 2026.
Three items today. Two of them have direct operational implications for UK SMBs right now. The third is a slow-burn problem that the developer community keeps rediscovering the hard way.
CVE-2026-0300: The PAN-OS Zero-Day That Had a Month's Head Start
Palo Alto Networks published an advisory today for a critical-severity remote code execution vulnerability in PAN-OS, tracked as CVE-2026-0300. The vulnerability affects the firewall management interface and has been under active exploitation since at least 9th April 2026, nearly a month before today's public disclosure.
The attribution points to suspected state-sponsored actors. Palo Alto has not named the group publicly at time of writing.
What the advisory does not say, and what matters operationally, is that a month of exploitation before disclosure means the window for undetected access is substantial. Organisations running vulnerable PAN-OS versions during that period should not simply patch and consider themselves done. They should treat this as a potential breach and investigate accordingly.
For UK SMBs, the direct exposure depends on whether you are running Palo Alto firewalls. Many organisations in professional services and healthcare have Palo Alto kit deployed, often managed through an MSP. If that description fits you, the questions to ask your IT provider today are:
- Which PAN-OS version are we running?
- Has the patch been applied?
- Has anyone reviewed firewall logs for anomalous activity since 9th April?
If the answer to the third question is no, the patch alone is not sufficient. State-sponsored actors who exploited this during the disclosure window will not have left obvious footprints.
What to do: Apply the PAN-OS patch immediately. Do not wait for your scheduled patching window. If you have been running a vulnerable version since early April, log review is not optional; it is the minimum.
Storm-1175 and the Medusa Ransomware Tempo Problem
Microsoft Threat Intelligence published detailed research on Storm-1175 in April, and it deserves more attention than it received. Storm-1175 is a financially motivated actor running Medusa ransomware campaigns at what Microsoft describes as "high velocity." Their method is straightforward and effective: they scan for vulnerable, web-facing systems, exploit known vulnerabilities in the window between public disclosure and widespread patch adoption, and move rapidly from initial access to data exfiltration.
The CVE list associated with Storm-1175 is instructive. It includes vulnerabilities in Exchange, PaperCut, Ivanti Connect Secure, ConnectWise ScreenConnect, and SAP NetWeaver, a roster of products that appear frequently in UK SMB and mid-market environments. Several of these CVEs date back to 2023 and 2024. Storm-1175 is not relying on novel techniques. They are relying on the fact that a significant portion of organisations patch slowly.
The advisory attributes this to a financially motivated criminal actor. What it does not say is that the TTPs (rapid exploitation of N-days, use of PsExec for lateral movement, fast pivot to exfiltration) are well-documented across multiple ransomware families. The actor is Storm-1175 today. The playbook will outlast the label.
For UK SMBs, the relevant question is not whether you have heard of Storm-1175. It is whether your patching cycle creates the window they exploit. If your IT provider patches monthly on a scheduled basis, you are, by definition, in the exposure window for every vulnerability disclosed between patch cycles.
The NCSC has published guidance on vulnerability management that is clear on this point. The fact that organisations are still running unpatched Exchange and PaperCut instances in 2026 tells you how seriously that guidance is being applied.
What to do: Review your patching SLA with your IT provider. Critical and high-severity vulnerabilities affecting internet-facing systems should be patched within days, not weeks. If your provider cannot commit to that, you should understand why.
The npm Supply Chain Problem Is Not Going Away
Two separate incidents in the intelligence today involve malicious packages in the npm ecosystem targeting developer credentials and environment files.
First: a fake "tanstack" package was published to npm on 29th April 2026. Four versions appeared within 27 minutes. Each contained a postinstall hook that automatically exfiltrated .env files (the configuration files that typically contain database credentials, API keys, and authentication tokens) when a developer ran npm install. The attacker exploited name confusion with the legitimate @tanstack organisation, which uses a scoped package name. The unscoped tanstack name was available, and someone took it.
Second: legitimate versions of the axios HTTP client (versions 1.14.1 and 0.30.4) were found to contain a malicious transitive dependency, plain-crypto-js@4.2.1, that executed during installation. The attack deployed cross-platform payloads across Linux, Windows, and macOS, using Node.js to spawn OS-native shells and retrieve remote payloads.
These are not isolated incidents. The pattern (name squatting, typosquatting, or compromise of legitimate packages) has been used repeatedly to target developers. The common thread is that npm install is trusted implicitly, and postinstall hooks execute automatically.
For UK businesses with development teams or agencies working on web applications, this is a supply chain risk that sits in a blind spot. Most endpoint security tools do not inspect what happens during a package installation. Most developers do not audit transitive dependencies.
What to do: If your development environment uses npm, implement the following as a minimum:
- Audit package.json and package-lock.json for unexpected or recently added packages
- Use npm audit and supplement it with a software composition analysis tool
- Treat any unexpected network activity during npm install as an incident
- Check whether .env files are scoped appropriately and whether any credentials in them have been rotated recently
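The lockfile audit in the first bullet can be scripted. The example below is added here and is not code from the original post or from any of the projects named in it: it reads an npm lockfile (v2/v3 format, where packages with install-time scripts carry the `hasInstallScript` flag) and flags packages that run code at install, unscoped names that shadow a scoped organisation you depend on, and tarballs not resolved from the public registry. The lockfile contents and the KNOWN_SCOPES list are constructed for the demo; the package names and versions mirror the incidents above.

```javascript
// Constructed sample lockfile (not a real project's) with entries shaped like npm's v3 format.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app', lockfileVersion: 3, packages: {
    '': { dependencies: { axios: '1.14.1', tanstack: '1.0.0' } },
    'node_modules/axios': { version: '1.14.1',
      resolved: 'https://registry.npmjs.org/axios/-/axios-1.14.1.tgz' },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true,
      resolved: 'https://registry.npmjs.org/plain-crypto-js/-/plain-crypto-js-4.2.1.tgz' },
    'node_modules/tanstack': { version: '1.0.0', hasInstallScript: true,
      resolved: 'https://registry.npmjs.org/tanstack/-/tanstack-1.0.0.tgz' },
    'node_modules/@tanstack/react-query': { version: '5.0.0',
      resolved: 'https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.0.0.tgz' },
  },
});

// Assumption for the demo: scoped organisations this project legitimately uses.
const KNOWN_SCOPES = ['tanstack'];
const REGISTRY = 'https://registry.npmjs.org/';

// Returns one finding per (package, reason); an empty array means nothing to review.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    // Strip everything up to the last "node_modules/" so nested deps get their bare name.
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    // 1. Anything that executes at install time (preinstall/install/postinstall) needs review.
    if (pkg.hasInstallScript) findings.push({ name, version: pkg.version, reason: 'install-script' });
    // 2. Unscoped name identical to a scoped org you use: the tanstack name-confusion pattern.
    if (!name.startsWith('@') && KNOWN_SCOPES.includes(name))
      findings.push({ name, version: pkg.version, reason: 'shadows-scoped-org' });
    // 3. Tarball not pinned to, or not served by, the public registry.
    if (!pkg.resolved || !pkg.resolved.startsWith(REGISTRY))
      findings.push({ name, version: pkg.version, reason: 'unexpected-source' });
  }
  return findings;
}

// Human-readable report lines, one per finding.
function report(lockJson) {
  return auditLockfile(lockJson).map(f => `${f.reason}: ${f.name}@${f.version}`);
}

console.log(report(SAMPLE_LOCK).join('\n'));
```

Run it against your own lockfile by reading the file into `auditLockfile` instead of SAMPLE_LOCK; the install-script findings are the ones to check against the "unexpected network activity during npm install" bullet.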
If you use an external development agency, ask them what supply chain controls they apply to their build environments. If they cannot answer the question, that is your answer.
In Brief
The NCSC advisory on APT28 DNS hijacking via router exploitation (CVE-2023-50224) remains active background noise. If you have consumer-grade or unmanaged routers anywhere in your estate (remote worker locations, satellite offices, older branch infrastructure), the advisory is worth reviewing. APT28 is overwriting DHCP/DNS settings to redirect traffic through attacker-controlled servers, harvesting OAuth tokens and passwords in transit. The NCSC published guidance on this. Most organisations with home-worker infrastructure have not acted on it.
Sources
| Source | Title | URL |
|---|---|---|
| BleepingComputer | Palo Alto Networks firewall zero-day exploited for nearly a month | https://www.bleepingcomputer.com/news/security/pan-os-firewall-rce-zero-day-exploited-in-attacks-since-april-9/ |
| Microsoft Threat Intelligence | Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations | https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/ |
| Aikido Security | Four published versions of a fake tanstack package uploaded in 27 minutes that want to steal your .env files | https://www.aikido.dev/blog/fake-tanstack-packages-steal-env-files |
| Elastic Security Labs | Detections for the Axios supply chain compromise | https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections |
| NCSC | APT28 exploit routers to enable DNS hijacking operations | https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations |