Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools
Unit 42 11 May 2026 SEV 8/10
vulnerability identity_threat APT28 Fancy Bear
By: Stav Setty, Tom Fakterman, Shachar Roitman
Published: May 11, 2026
Categories: Malware, Threat Research
Tags: Active Directory, AD CS attacks, Certificate template, Certipy, ESC1, Fighting Ursa, Microsoft PKI, Shadow credentials

Executive Summary
Active Directory Certificate Services (AD CS) is a foundational component of Windows enterprise infrastructure, responsible for managing public key infrastructure (PKI) and issuing certificates that enable authentication and encryption across networks. Despite its critical role in the enterprise identity infrastructure, AD CS is often undermined by insecure default configurations and design complexities, resulting in exploitable attack surfaces. Due to misconfigured templates and overly permissive enrollment rights, AD CS has emerged as a high-impact, under-monitored vector for privilege escalation and unauthorized identity impersonation in modern environments.
Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
Unit 42 07 May 2026 SEV 9/10
vulnerability malware APT41 Volt Typhoon
By: Justin Moore, Unit 42
Published: May 6, 2026
Categories: High Profile Threats, Vulnerabilities
Tags: CVE-2026-0300, EarthWorm, PAN-OS, Remote Code Execution, ReverseSocks5, Vulnerability, Zero-day

Executive Summary
On May 6, 2026, Palo Alto Networks released a security advisory for CVE-2026-0300, identifying a buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software. Vulnerable systems allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. We are aware of only limited exploitation of CVE-2026-0300 at this time.
Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years
Unit 42 05 May 2026 SEV 8/10
vulnerability cloud_security Conti
By: Justin Moore
Published: May 5, 2026
Categories: High Profile Threats, Vulnerabilities
Tags: Containers, CVE-2026-31431, Kubernetes, Linux, Local privilege escalation, Page cache, Vulnerability

Executive Summary
On April 29, 2026, researchers publicly disclosed a highly reliable local privilege escalation (LPE) vulnerability tracked as CVE-2026-31431. This vulnerability is commonly referred to as Copy Fail. Discovered in about an hour through an AI-assisted process, this logic flaw allows an unprivileged local attacker to consistently escalate their access to root across virtually all major Linux distributions released since 2017.
A Deep Dive Into Attempted Exploitation of CVE-2023-33538
Unit 42 16 Apr 2026 SEV 9/10
vulnerability iot_ot_security Conti Play
By: Asher Davila, Malav Vyas, Chris Navarrete
Published: April 16, 2026
Categories: Threat Research, Vulnerabilities
Tags: Botnet, Command injection, CVE-2023-33538, Mirai, WiFi routers

Executive Summary
We identified active, automated scans and probes attempting to exploit CVE-2023-33538, a vulnerability in several end-of-life TP-Link Wi-Fi router models:
TL-WR940N v2 and v4
TL-WR740N v1 and v2
TL-WR841N v8 and v10
The observed payloads are malicious binaries characteristic of Mirai-like botnet malware, which the exploits attempt to download and execute on vulnerable devices. We observed this activity after the Cybersecurity and Infrastructure Security Agency’s (CISA) June 2025 addition of this CVE (Common Vulnerabilities and Exposures) to its Known Exploited Vulnerabilities (KEV) Catalog. There has been some discussion of how impactful (or not) these active campaigns might have been.