Welcome to Threat Thursday, Galactic’s weekly threat intelligence roundup.
Every Thursday, we cover the cybersecurity stories that matter most for protecting organizations from emerging threats. Each item is broken down into what happened, what it could mean for your organization, and what to do about it.
Whether you’re overseeing risk management decisions, running security operations, or just trying to stay current, this update is designed to provide the information you need to keep yourself and your organization cyber safe.
This Cycle's Stories
1. Progress MOVEit Automation Pre-Authentication Bypass — CVE-2026-4670
Progress disclosed a critical flaw in MOVEit Automation, a system many businesses use to move sensitive files between their own systems and outside partners. The flaw lets an attacker bypass the login screen, copy or delete files, and take administrator-level control of the server. About 1,400 of these systems are reachable online today. Severity is critical: 9.8 out of 10. There’s no confirmed exploitation in the wild yet, but this is the same family of products at the center of the 2023 Cl0p ransomware campaign that affected thousands of businesses.
Potential impact: An attacker who exploits this flaw can quietly access whatever files are moving through your file-transfer system. For most organizations, that means contracts, invoices, financial reports, and customer records. The 2023 version of this story drove regulatory disclosures, customer notifications, and significant incident-response costs at affected organizations. Treat the lack of confirmed exploitation as a window, not a reason to wait.
What to do: Inventory MOVEit Automation deployments and patch to version 2025.1.5, 2025.0.9, or 2024.1.8. While patching is in progress, restrict administrator access to internal IP addresses. Review login activity from the past two weeks for anything unexplained.
Source: Bleeping Computer
2. Microsoft Defender Flagged DigiCert Root Certificates as Malware
A faulty Microsoft Defender update on April 30 began incorrectly flagging two DigiCert root certificates as malicious. Root certificates are the trust anchors Windows uses to decide whether an HTTPS connection is genuine, so systems that acted on the false positive and removed them from the trusted root store broke secure connections to every website and application whose certificate chained to them. Microsoft and DigiCert (the certificate authority that issues them) confirmed the mistake within days, and a corrected update has shipped. Most systems recover automatically; systems where the certificates were removed by company policy may need them restored manually.
Potential impact: This wasn’t a cyberattack, but the operational hit was real. Organizations affected by the false positive saw payment processors, business apps, and internal tools throw security errors and stop working. The deeper risk is the bad habit it creates. Incidents like this train staff to click through “this site isn’t secure” warnings, which is exactly what real phishing attackers count on later.
What to do: Confirm the corrected Defender update is installed across managed endpoints. Audit the Windows certificate store for both affected DigiCert root certificates and restore them where company policy removed them. Pull error logs from the April 30 to May 3 window to identify any business application that broke and may need re-validation.
Source: Bleeping Computer
3. Bluekit Phishing-as-a-Service Ships With AI Assistant
Researchers at Varonis surfaced a new phishing toolkit, “Bluekit”, sold as a service to attackers. It ships with an AI assistant that helps craft convincing fake login pages for common business apps (Microsoft 365, Google Workspace, payroll systems, and others). The kit captures the user’s full active login session, not just their password, which lets the attacker walk past multi-factor authentication. Bluekit hasn’t been seen in active attacks yet, but toolkits with this much built-in evasion typically reach the wild within weeks of being publicized.
Potential impact: A successful Bluekit-style attack gives an outsider the same access to your business systems that the legitimate user has, including email, file shares, and connected tools. The most expensive breaches we see start with a single user being convinced to log in to a fake page that looked exactly like the real one. AI-generated variants make those fake pages almost impossible to spot visually, which means the long-standing “does this look right?” check no longer protects your team on its own.
What to do: Move toward phishing-resistant multi-factor authentication (FIDO2 keys, passkeys) for accounts that handle sensitive data. These credentials are bound to the real site's web origin, so a lookalike page relaying the login in real time never completes the sign-in and has no session to steal. They do not help once a session token has already been issued and is taken some other way (for example by malware on the endpoint), which is why the next controls matter too. Use conditional access policies to require company-managed devices for high-value applications, and keep session lifetimes short for them. Tune email gateways to flag newly-registered lookalike domains. Update user training to address the AI-generated variant reality directly.
Source: Security Week
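The lookalike-domain check in item 3 is usually described as a gateway feature without saying what it does. As an added example (not code from the roundup, from Varonis, or from any gateway product), the Python below scores a sender or link domain against a small constructed list of protected brand domains in three ways: homoglyph folding (digits and Cyrillic or Greek letters that render like Latin ones, with punycode decoded first), a one-character typo, and the brand name embedded in some other registrable domain. The protected list, confusable table and sample domains are constructed for illustration; the "newly registered" part of the signal needs a WHOIS or RDAP lookup and is out of scope here.

```python
"""Lookalike-domain scorer (added example, not from the roundup or Varonis).

Verdicts: legitimate, homoglyph, typosquat, brand-in-domain, no-match.
"""
from __future__ import annotations

# Constructed protected list: the apps named in the Bluekit write-up plus the
# real Microsoft 365 login host. A deployment would load this from config.
PROTECTED = ("microsoft.com", "microsoftonline.com", "office.com", "google.com")

# Multi-character confusables are folded first, then single characters:
# ASCII digits and Cyrillic/Greek letters that look like Latin ones. Hyphens
# are dropped so "micro-soft" folds to "microsoft". Deliberately aggressive:
# "rn" -> "m" also folds ordinary words, acceptable for flagging, not blocking.
_MULTI = (("rn", "m"), ("vv", "w"))
_SINGLE = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "-": "",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",   # Cyrillic с х у і
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                  # Greek ο α ν
})


def fold(label: str) -> str:
    """Collapse visually confusable characters onto their Latin lookalikes."""
    s = label.lower()
    for src, dst in _MULTI:
        s = s.replace(src, dst)
    return s.translate(_SINGLE)


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so Cyrillic lookalikes are visible to fold()."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid punycode: use as-is


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a transposition counts as 2, so it is not a typo hit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, protected=PROTECTED) -> tuple[str, str | None]:
    """Return (verdict, imitated_protected_domain_or_None)."""
    dom = to_unicode(domain.strip().rstrip(".")).lower()
    labels = dom.split(".")
    if len(labels) < 2:
        return ("no-match", None)
    # The protected domain itself, or any subdomain of it, is legitimate.
    for p in protected:
        if dom == p or dom.endswith("." + p):
            return ("legitimate", p)
    # Simplification: no public-suffix list, so the second-to-last label is
    # treated as the registrable name ("brand.co.uk" style names are misjudged).
    sld = fold(labels[-2])
    best = None  # (rank, verdict, protected); lower rank is more severe
    for p in protected:
        brand = fold(p.split(".")[0])
        if sld == brand:
            hit = (0, "homoglyph", p)
        elif len(brand) >= 5 and levenshtein(sld, brand) == 1:
            hit = (1, "typosquat", p)
        elif any(brand in fold(lbl) for lbl in labels[:-1]):
            hit = (2, "brand-in-domain", p)
        else:
            continue
        if best is None or hit < best:
            best = hit
    return (best[1], best[2]) if best else ("no-match", None)


if __name__ == "__main__":
    # Constructed sample of domains as a gateway might see them in links or senders.
    for d in ("login.microsoftonline.com", "micros0ft.com", "rnicrosoft.com",
              "micosoft.com", "microsoft-login.com", "login.microsoft.com.evil.net",
              "example.org"):
        print(f"{d:32} -> {classify(d)}")
```

In a gateway the verdict would be one input among several (domain age, sender reputation, whether the link is the only one in the message), not a block decision by itself; the folding table in particular trades false positives for recall.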
4. Palo Alto Networks PAN-OS Zero-Day Under Active Exploitation — CVE-2026-0300
Palo Alto Networks confirmed that attackers are actively exploiting a new flaw in PAN-OS, the operating system that runs its firewalls (specifically PA-Series and VM-Series models). The flaw is in the User-ID Authentication Portal, the interface used to log in to certain firewall services from outside the network. By sending a specially crafted request, an attacker can take complete control of the firewall without needing a password. Patches are scheduled to start rolling out May 13. The flaw is currently unpatched.
Potential impact: A firewall is the front door to your entire network. If an attacker controls it, they can read traffic flowing in and out, redirect connections, and reach anything sitting behind it. Detection is also difficult, because the firewall's own logs are written by the system the attacker now controls; logs forwarded off the device to a SIEM or syslog collector are the only copy you can fully trust. Recovery costs for an undetected firewall compromise tend to be substantial once data theft, incident response, and downstream customer notifications are accounted for.
What to do: Identify any PA-Series or VM-Series firewalls running the User-ID Authentication Portal and check whether the portal is reachable from the public internet. The interim mitigation is to restrict portal access to trusted internal IP addresses. Apply this now, even though it may temporarily inconvenience users who normally access the portal from outside. Apply the official patch as soon as it ships on or after May 13. Treat any internet-exposed portal as potentially already compromised until firewall logs from the affected window have been reviewed.
Source: The Hacker News
5. cPanel/WHM Authentication Bypass Exploited as Zero-Day — CVE-2026-41940
Researchers at watchTowr Labs disclosed a flaw in cPanel and WHM, software widely used to manage web hosting servers. By manipulating how cPanel handles login sessions, an attacker can gain full administrative control of a cPanel server without any credentials. Severity: 9.8 out of 10. WebPros (cPanel's parent company) released patches on April 28. The notable detail: multiple hosting providers confirmed the flaw had been exploited as a zero-day since late February, meaning some servers were compromised for about two months before a fix was available.
Potential impact: For any organization running websites on cPanel, this is the kind of incident that demands more than just patching. If the system was compromised before the fix shipped, an attacker could have planted malware on customer-facing pages, stolen visitor data, or used the server as a launching point for further attacks. Compliance reporting often kicks in if regulated data was affected. Hosting customers in the Philippines and Laos, including government and military networks, have already been confirmed targets.
What to do: Apply the WebPros patch on every cPanel and WHM server. Separately, pull session logs from late February forward and look for evidence of unauthorized administrator access. The patch closes the door, but it doesn’t tell you whether anyone walked through it first. watchTowr has published a detection tool on GitHub that can help.
Source: Hackread
6. Instructure / Canvas Breach — ShinyHunters Claims 275M Records
Instructure, the company behind the Canvas learning platform used by many schools and training organizations, disclosed a data breach on April 30. Service was restored by May 3. The cybercriminal group ShinyHunters publicly claimed responsibility and says it stole 3.65 terabytes covering 275 million records from roughly 9,000 institutions. Instructure has confirmed the breach but not those numbers. The data reportedly includes names, email addresses, student identifiers, and user messages. Passwords and financial data are not (so far) confirmed to be in scope. This is the second confirmed Canvas breach in eight months. Both incidents trace back to a compromised Salesforce account at Instructure that an attacker obtained through social engineering of an administrator.
Potential impact: For organizations using Canvas, the realistic worst case is that personal information about students, parents, employees, or other platform users has been published and is now circulating among other criminal groups. That triggers parent and student notifications, regulatory reporting in many jurisdictions, and reputational damage that’s difficult to undo. The bigger pattern matters more than this one breach. Attackers are systematically targeting administrators of major SaaS platforms (especially Salesforce) and stealing customer data through them. Any organization that depends on a major SaaS vendor is on the same risk surface.
What to do: For Canvas users, rotate the platform password as a precaution and watch for phishing emails that reference Canvas or this breach. More broadly, audit the SaaS vendors your organization depends on, especially those that store customer data. For any Salesforce-integrated tools, require phishing-resistant multi-factor authentication for administrators and review session-token lifetimes and revocation policies. The recurring vector is social engineering of SaaS administrators; that is where the durable hardening work needs to happen.
Source: Bleeping Computer
The Through Line
Two themes tie this cycle together. The first is the gap between vulnerability disclosure and active exploitation, and how quickly that gap is closing. MOVEit Automation still has a gap, with no exploitation seen yet; use it. cPanel had no gap at all, with exploitation dating back to February. Palo Alto Networks sits in the middle, with limited exploitation already observed before patches ship. Organizations working from the same advisory data face very different decisions depending on which side of the gap they sit on.
The second theme is SaaS supplier risk. The Instructure/Canvas breach, and the recurring Salesforce social-engineering pattern behind it, show that customer data increasingly lives with vendors rather than in-house. Patching faster matters. So does knowing which vendors hold the data that would matter most if they fell, and what the controls around those vendors actually do under pressure.
Make sure to check back here each week for another Threat Thursday update. See you then.