
CISA KEV Flash: Critical PAN-OS Auth Bypass & Linux Kernel Flaws Under Active Attack

Security Arsenal Team
June 2, 2026

CISA has added 8 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog between May 26 and June 2, 2026. This batch indicates a disturbing trend towards supply chain compromises and critical infrastructure perimeter bypasses.

CVE-2026-0257 | Palo Alto Networks PAN-OS | CRITICAL

  • Vulnerability: Authentication Bypass.
  • Exploitation Method: Attackers can bypass security restrictions to establish a foothold on the firewall interface.
  • Threat Actors: Nation-state actors targeting edge devices.
  • CVSS: 9.8 (Critical).
  • Action: Update to fixed releases immediately. Disable management access from untrusted networks.

CVE-2022-0492 | Linux Kernel | HIGH

  • Vulnerability: Improper authentication in the cgroups v1 release_agent feature.
  • Exploitation Method: Privilege Escalation (LPE) and Container Escape.
  • Threat Actors: Ransomware gangs leveraging container breakouts to pivot to host nodes.
  • PoC: Public.
  • Action: Patch kernel or restrict cgroups v1 usage.

CVE-2024-21182 | Oracle WebLogic Server | HIGH

  • Vulnerability: Unspecified RCE via T3/IIOP protocols.
  • Exploitation Method: Remote Code Execution (RCE) over network.
  • Threat Actors: Typical initial access brokers for ransomware operations.
  • Action: Block T3/IIOP at the network perimeter; apply patches.

CVE-2026-48027 (Nx Console) & CVE-2026-45321 (TanStack) | SUPPLY CHAIN

  • Vulnerability: Embedded malicious code in published packages.
  • Exploitation Method: Supply chain poisoning executing code on developer machines.
  • Ransomware: Known association.
  • Action: Audit build environments; verify package hashes immediately.

CVE-2025-48595 | Android Framework

  • Vulnerability: Integer overflow allowing Local Privilege Escalation.
  • Action: Apply Android security updates.

CVE-2026-8398 | Daemon Tools Lite

  • Vulnerability: Unspecified high-impact flaw.
  • Action: Update to latest version.

CVE-2026-48172 | LiteSpeed cPanel Plugin

  • Vulnerability: Privilege Escalation via user-end plugin.
  • Action: Patch cPanel plugins immediately.

Affected Organizations Assessment

  1. Perimeter-Facing Enterprises (PAN-OS): Organizations exposing PAN-OS management interfaces to the internet are at immediate risk of total perimeter compromise. This is a primary target for sophisticated threat actors.
  2. Cloud-Native & SaaS Providers (Linux Kernel): Environments heavily reliant on containerized workloads (Kubernetes, Docker) are susceptible to container escapes using CVE-2022-0492. The prevalence of cgroups v1 in legacy configurations makes this a high-exposure risk.
  3. Financial Services & Legacy Java (WebLogic): Historically the sector in which WebLogic flaws are exploited fastest. Any unpatched WebLogic server facing the internet is likely already compromised.
  4. DevOps Teams (Supply Chain): Engineering teams utilizing Nx Console or TanStack libraries are at risk of lateral movement from developer workstations into production CI/CD pipelines.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential Linux Cgroups v1 Release_agent Container Escape
description: Detects writes to a cgroups v1 release_agent file, indicative of CVE-2022-0492 exploitation. Matches on the file name rather than a fixed path, because a cgroup v1 hierarchy can be mounted at any location, not only under /sys/fs/cgroup.
author: Security Arsenal
status: stable
date: 2026/06/02
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'PATH'
        name|endswith: '/release_agent'
    condition: selection
falsepositives:
    - Legitimate administrative container orchestration
level: critical
---
title: Palo Alto PAN-OS Authentication Bypass Indicator
description: Detects configuration commits by the built-in admin account from client addresses outside the internal 10.0.0.0/8 management range, indicative of a management session obtained via CVE-2026-0257. Adjust the filter to your own management network.
author: Security Arsenal
status: stable
date: 2026/06/02
logsource:
    product: firewall
    service: pan-os
detection:
    selection:
        action|startswith: 'commit'
        admin: 'admin'
    filter:
        # cidr matches the whole 10/8 range; a plain prefix match would also need tuning per site
        client_ip|cidr: '10.0.0.0/8'
    condition: selection and not filter
falsepositives:
    - Legitimate admin commits from internal networks (if filter needs tuning)
level: high
---
title: WebLogic T3 Protocol Exploitation Attempt
description: Detects network traffic indicative of WebLogic deserialization attacks via T3 protocol (CVE-2024-21182). Every T3 connection from an unexpected source is worth reviewing, since T3 should not be reachable from the perimeter at all.
author: Security Arsenal
status: stable
date: 2026/06/01
logsource:
    product: zeek
    service: conn
detection:
    selection:
        # 'oracle-t3' is not a stock Zeek DPD service label; it assumes a local signature
        # that tags connections whose client banner starts with "t3 " (the WebLogic T3
        # handshake). Without such a signature, match id.resp_p: 7001 instead.
        service: 'oracle-t3'
    condition: selection
falsepositives:
    - Legitimate internal Java application communication
level: critical
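The first Sigma rule above fires on any PATH record that names a release_agent file. The Python below is an added example, not one of the Security Arsenal rules: it applies the same detection logic to raw auditd records and tightens it to open/openat calls that actually requested write access, so read-only inspection of the file does not alert. It assumes x86_64 syscall numbers and argument layout (arch=c000003e; open=2 with flags in a1, openat=257 with flags in a2) and an audit rule keyed cgroup_agent that records opens on the cgroup file systems (the exact rule is an assumption); the audit lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not from a real host). Each event is a SYSCALL
# record plus its PATH record(s), tied together by the serial in msg=audit(ts:serial).
# Event 501: release_agent opened for writing (O_WRONLY|O_CREAT|O_TRUNC = 0x241).
# Event 502: release_agent opened read-only (flags 0), benign inspection.
# Event 503: a different cgroup file written, not release_agent.
# Event 504: release_agent written under a hierarchy mounted outside /sys/fs/cgroup, via open(2).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1780000000.101:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c0 a2=241 a3=1b6 pid=4242 uid=0 comm="sh" exe="/usr/bin/dash" key="cgroup_agent"
type=PATH msg=audit(1780000000.101:501): item=1 name="/sys/fs/cgroup/rdma/release_agent" inode=17 nametype=NORMAL
type=SYSCALL msg=audit(1780000000.102:502): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d2c0 a2=0 a3=0 pid=4243 uid=1000 comm="cat" exe="/usr/bin/cat" key="cgroup_agent"
type=PATH msg=audit(1780000000.102:502): item=0 name="/sys/fs/cgroup/memory/release_agent" inode=18 nametype=NORMAL
type=SYSCALL msg=audit(1780000000.103:503): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d3c0 a2=241 a3=1b6 pid=4244 uid=0 comm="sh" exe="/usr/bin/dash" key="cgroup_agent"
type=PATH msg=audit(1780000000.103:503): item=0 name="/sys/fs/cgroup/memory/notify_on_release" inode=19 nametype=NORMAL
type=SYSCALL msg=audit(1780000000.104:504): arch=c000003e syscall=2 success=yes exit=3 a0=55d4c0 a1=241 a2=1b6 a3=0 pid=4245 uid=0 comm="sh" exe="/usr/bin/dash" key="cgroup_agent"
type=PATH msg=audit(1780000000.104:504): item=0 name="/mnt/cg/release_agent" inode=20 nametype=NORMAL
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

X86_64_ARCH = "c000003e"
# x86_64 syscall number -> argument register that carries the open(2) flags (assumption: x86_64 only).
FLAGS_ARG_BY_SYSCALL = {"2": "a1", "257": "a2"}   # open -> a1, openat -> a2
O_WRONLY, O_RDWR = 0x1, 0x2


def parse_audit_events(text):
    """Group raw auditd lines into events keyed by serial; PATH records are kept as a list."""
    events = defaultdict(lambda: {"PATH": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
        event = events[m.group("serial")]
        event["ts"] = m.group("ts")
        if m.group("type") == "PATH":
            event["PATH"].append(fields)
        else:
            event[m.group("type")] = fields
    return dict(events)


def opened_for_write(syscall):
    """True when an x86_64 open/openat SYSCALL record requested O_WRONLY or O_RDWR."""
    if syscall.get("arch") != X86_64_ARCH:
        return False
    arg = FLAGS_ARG_BY_SYSCALL.get(syscall.get("syscall"))
    if arg is None:
        return False
    flags = int(syscall.get(arg, "0"), 16)      # auditd prints syscall arguments in hex
    return bool(flags & (O_WRONLY | O_RDWR))


def detect_release_agent_writes(text):
    """Return one finding per successful write-open of a file named release_agent, in serial order."""
    findings = []
    for serial, event in sorted(parse_audit_events(text).items(), key=lambda kv: int(kv[0])):
        syscall = event.get("SYSCALL")
        if not syscall or syscall.get("success") != "yes" or not opened_for_write(syscall):
            continue
        for path in event["PATH"]:
            if path.get("name", "").endswith("/release_agent"):
                findings.append({"serial": serial, "ts": event["ts"], "path": path["name"],
                                 "pid": syscall.get("pid"), "uid": syscall.get("uid"),
                                 "comm": syscall.get("comm"), "exe": syscall.get("exe")})
    return findings


if __name__ == "__main__":
    for f in detect_release_agent_writes(SAMPLE_AUDIT_LOG):
        print(f"[!] release_agent write: {f['path']} by pid={f['pid']} uid={f['uid']} comm={f['comm']} (event {f['serial']})")
```

On the sample data only events 501 and 504 are reported: the read-only open and the write to notify_on_release are discarded. Correlating on the audit serial is what lets the PATH name and the SYSCALL flags be judged together; a rule that looks at PATH records alone, as the Sigma rule does, will also alert on reads and needs the false-positive tuning noted there.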

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Linux cgroups release_agent modification (CVE-2022-0492)
// Assumes auditd or kernel messages are forwarded into the Syslog table.
// Filter on time first so the string search runs over the smallest slice of data.
Syslog
| where TimeGenerated > ago(7d)
| where ProcessName contains "release_agent" or SyslogMessage contains "release_agent"
// Extract the whole path token that contains release_agent
| extend FileDetail = extract(@'(\S*release_agent\S*)', 1, SyslogMessage)
| project TimeGenerated, HostName, ProcessName, FileDetail, SeverityLevel, SyslogMessage

Remediation Script (Bash)

Bash / Shell
#!/bin/bash
# Security Arsenal - CVE-2022-0492 Linux Kernel Exposure Check
# This script checks if the system is vulnerable to the cgroups release_agent escape.
# Run it on the host, not inside a container. Note that cgroup v1 hierarchies appear in
# /proc/mounts with filesystem type "cgroup" and v2 with "cgroup2"; the string "v1" never
# appears in mount output, so they must be counted by type.
set -u

KERNEL_VERSION=$(uname -r)
# Field 3 of /proc/mounts is the filesystem type.
CGROUPS_V1_MOUNTS=$(awk '$3 == "cgroup"' /proc/mounts | wc -l)
# Count release_agent files under the default mount point that this user could write.
WRITABLE_AGENTS=0
for f in /sys/fs/cgroup/*/release_agent; do
    [ -w "$f" ] && WRITABLE_AGENTS=$((WRITABLE_AGENTS + 1))
done

echo "[+] Checking Linux Kernel Version: $KERNEL_VERSION"
echo "[+] Checking for cgroups v1 mounts..."

if [ "$CGROUPS_V1_MOUNTS" -gt 0 ]; then
    echo "[!] WARNING: $CGROUPS_V1_MOUNTS cgroups v1 hierarchies mounted ($WRITABLE_AGENTS release_agent files writable by this user)."
    echo "[!] This system may be vulnerable to CVE-2022-0492 unless the running kernel carries the fix;"
    echo "[!] distribution backports vary, so confirm against your vendor advisory rather than the version string."
    echo "[!] Action: Patch kernel or disable/migrate to cgroups v2."
    exit 1
else
    echo "[+] No cgroups v1 mounts detected."
    exit 0
fi


---

Patch & Remediation Priorities

  1. CVE-2026-0257 (Palo Alto PAN-OS)

    • Priority: 1 (Immediate).
    • Action: Upgrade to PAN-OS 10.2.9-h1, 11.0.5-h1, 11.1.3-h1, or later.
    • Deadline: 2026-06-23 (CISA BOD 22-01).
  2. CVE-2024-21182 (Oracle WebLogic)

    • Priority: 2.
    • Action: Apply patches for October 2024 CPU or later.
    • Workaround: Disable T3 and IIOP protocols if not required.
    • Deadline: 2026-06-22.
  3. CVE-2022-0492 (Linux Kernel)

    • Priority: 3.
    • Action: Update kernel to versions where cgroup v1 release_agent is restricted or disabled.
    • Deadline: 2026-06-23.
  4. CVE-2026-48027 & CVE-2026-45321 (Supply Chain)

    • Priority: 4.
    • Action: Force re-installation of Nx Console and TanStack from verified sources. Check npm/yarn lockfiles for specific malicious hashes (refer to vendor advisories).
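The supply-chain entries above call for verifying package hashes and checking npm/yarn lockfiles for the malicious hashes named in the vendor advisories. The Python below is an added example, not Security Arsenal tooling: it walks a package-lock.json (lockfileVersion 1, 2 or 3), flags entries whose integrity string is on a block list or whose (name, version) pair is listed as compromised, entries with no integrity field or a weak hash algorithm, and entries resolved outside the expected registry, and it recomputes an SRI hash for a tarball so a downloaded package can be checked against the lockfile. The block-list values, package versions and the lockfile itself are constructed placeholders; substitute the hashes and versions from the advisories. Yarn lockfiles use a different format and are not parsed here.

```python
import base64
import hashlib
import json

# PLACEHOLDER block lists: replace with the integrity strings and versions published in the
# vendor advisories for CVE-2026-48027 / CVE-2026-45321. These values are made up.
KNOWN_BAD_INTEGRITY = {"sha512-PLACEHOLDERNOTAREALHASH=="}
KNOWN_BAD_VERSIONS = {("@example/compromised-pkg", "9.9.9")}   # (name, version) placeholder
TRUSTED_REGISTRY = "https://registry.npmjs.org/"

# Constructed sample lockfile (lockfileVersion 3 layout). Names reuse the ecosystems named
# in the advisory section, but every version, URL and hash here is invented.
SAMPLE_LOCKFILE = json.dumps({
    "name": "sample-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app"},
        "node_modules/@tanstack/query-core": {
            "version": "5.0.0",
            "resolved": "https://registry.npmjs.org/@tanstack/query-core/-/query-core-5.0.0.tgz",
            "integrity": "sha512-" + "A" * 86 + "=="},           # clean entry
        "node_modules/nx": {
            "version": "19.0.0",
            "resolved": "https://registry.npmjs.org/nx/-/nx-19.0.0.tgz",
            "integrity": "sha512-PLACEHOLDERNOTAREALHASH=="},    # on the block list
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://mirror.example.internal/left-pad-1.3.0.tgz",
            "integrity": "sha1-" + "B" * 27 + "="},              # weak hash, off-registry
        "node_modules/no-integrity": {
            "version": "0.1.0",
            "resolved": "https://registry.npmjs.org/no-integrity/-/no-integrity-0.1.0.tgz"},
    },
})


def iter_lock_entries(lock):
    """Yield (name, entry) for lockfileVersion 2/3 ("packages") and v1 ("dependencies") layouts."""
    packages = lock.get("packages")
    if packages is not None:
        for path, entry in packages.items():
            if path == "":                      # the root project itself
                continue
            yield entry.get("name") or path.rsplit("node_modules/", 1)[-1], entry
        return

    def walk(deps):
        for name, entry in (deps or {}).items():
            yield name, entry
            yield from walk(entry.get("dependencies"))
    yield from walk(lock.get("dependencies"))


def audit_lockfile(lock_text, bad_integrity=KNOWN_BAD_INTEGRITY,
                   bad_versions=KNOWN_BAD_VERSIONS, registry=TRUSTED_REGISTRY):
    """Return (name, version, reason) findings for every suspicious lockfile entry."""
    findings = []
    for name, entry in iter_lock_entries(json.loads(lock_text)):
        version = entry.get("version", "")
        integrity = entry.get("integrity", "")
        resolved = entry.get("resolved", "")
        # An integrity field may hold several space-separated hashes; any match is a hit.
        if any(h in bad_integrity for h in integrity.split()):
            findings.append((name, version, "integrity matches known-malicious hash"))
        if (name, version) in bad_versions:
            findings.append((name, version, "version listed as compromised"))
        if not integrity:
            findings.append((name, version, "no integrity field: tarball cannot be verified"))
        elif not integrity.startswith("sha512-"):
            findings.append((name, version, "weak integrity algorithm: " + integrity.split("-", 1)[0]))
        if resolved and not resolved.startswith(registry):
            findings.append((name, version, "resolved outside trusted registry: " + resolved))
    return findings


def ssri_of_bytes(data):
    """SRI string (sha512, base64) in the form npm writes into package-lock.json."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def verify_integrity(data, integrity):
    """Check tarball bytes against one SRI string; False for unknown algorithms or mismatch."""
    algo, _, expected = integrity.partition("-")
    if algo not in hashlib.algorithms_available:
        return False
    return base64.b64encode(hashlib.new(algo, data).digest()).decode() == expected


if __name__ == "__main__":
    for name, version, reason in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"[!] {name}@{version}: {reason}")
```

To use it on a real project, pass the contents of package-lock.json to audit_lockfile and, for any package you re-download, compare ssri_of_bytes(tarball_bytes) with the integrity string the lockfile records. A missing integrity field is itself a finding, because `npm ci` cannot verify such an entry.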
