Cisco SD-WAN CVSS 10.0 Zero-Day, Palo Alto PAN-OS KEV, Claude Code GitHub Actions Hijacked:
Week of June 4, 2026 — 13 Incidents

This Week’s Pattern: AI Agents Are Now Both Attack Surface and Attack Tool.

Two converging trends defined this week. First, a critical flaw in Claude Code’s GitHub Actions integration showed that AI coding agents embedded in CI/CD pipelines can be weaponized via prompt injection — a single malicious GitHub issue was enough to hijack the entire workflow and steal repository secrets. The AI agent becomes the supply chain attack vector.

Second, attackers are now deploying LLM agents as post-exploitation tools. After CVE-2026-39987 in Marimo (the Python notebook platform) was exploited to gain initial access, researchers observed threat actors running an LLM agent inside the victim environment to automate lateral movement, enumerate credentials, and generate plausible-looking cover traffic. The AI is no longer just helping write the attack. It is running the attack.

Behind those two: Red Hat’s official @redhat-cloud-services npm namespace compromised with a credential-stealing worm targeting Kubernetes and Vault tokens — 32 packages, official namespace, code review bypassed. The HTTP/2 Continuation Flood DoS hitting NGINX, Apache, IIS, Envoy, and Cloudflare simultaneously. Cisco Catalyst SD-WAN with a CVSS 10.0 zero-day under active exploitation. Windows Netlogon RCE on domain controllers confirmed exploited. Frost Bank + Citizens Bank via Everest ransomware. Slim CD 1.7 million credit cards. Zara’s 197,000-customer breach via an Anodot analytics token. DentaQuest 2.6 million healthcare records. And the Cloud Security Alliance’s warning that the enterprise patch gap has reached a structural inflection point. Thirteen incidents. Here are the ones that matter and what stops them.

AI Agent Vulnerability

1 — Claude Code GitHub Actions Flaw Let a Single Malicious Issue Hijack Repositories

This is the CI/CD supply chain attack surface that has been theorized for two years, now concretely demonstrated. Every enterprise that deploys AI coding agents in their CI/CD pipelines is exposed to some variant of this class of attack — because every AI coding agent that reads issues, PRs, commit messages, or external content is operating on data that can be adversarially crafted. The AI coding agent is not a tool. It is a privileged process with repository write access, operating on attacker-controlled input.

Anthropic patched this specific flaw. But the underlying architectural issue — AI agents conflating trusted workflow context with untrusted user input — is not patched by a single fix. It is endemic to how AI coding agents are being deployed today.

Most Advanced AI Security How RuntimeAI Stops This

• Discovery — AI agent CI/CD inventory: RuntimeAI’s KYA module inventories every AI agent with CI/CD pipeline access, the repos it operates on, and the token scopes it holds. Before this flaw was disclosed, every Claude Code deployment in customer CI/CD pipelines was visible and scoped — not a shadow agent with implicit broad permissions.
• Behavioural enforcement — input trust classification: Flow Enforcer enforces a trust boundary between workflow-context inputs (CI configuration, approved tooling) and externally-sourced inputs (issues, PRs, external content). Instructions arriving through untrusted channels cannot modify workflow execution scope — prompt injection has nothing to act on.
• Flow / egress control — agent action scope pinning: Every action an AI coding agent is permitted to take is declared at registration time. A Claude Code agent authorized to run tests cannot push commits, exfiltrate secrets, or call non-allowlisted external endpoints — even if prompt injection convinces the model it should.
• Immutable audit trail — every workflow action logged: Every action taken by an AI agent in CI/CD — file reads, credential accesses, outbound calls, git operations — is recorded in the Audit Black Box with the triggering context. The injected instruction sequence is reconstructed immediately for any affected repository.

AI coding agents are privileged processes. Treat them as such — scoped credentials, input trust enforcement, runtime action constraints, and immutable audit logs for every operation they execute.

AI-Powered Offense

2 — Attackers Use LLM Agent for Post-Exploitation Automation After Marimo CVE-2026-39987

The Marimo CVE is a conventional RCE — the kind patched within the normal vulnerability management cycle. What is not conventional is what happened after exploitation. An LLM agent running inside a compromised environment changes the post-exploitation economics fundamentally: it is consistent, fast, generates cover traffic indistinguishable from legitimate workloads, and can be tasked with complex multi-step objectives that previously required skilled operator time. The window between initial compromise and complete environment enumeration is no longer measured in hours. It is measured in minutes.

Enterprise detection tooling built on behavioral signatures for human attacker patterns will not reliably catch LLM-assisted post-exploitation. The LLM generates novel, contextually-appropriate lateral movement sequences each time.

Most Advanced AI Security How RuntimeAI Stops This

• Discovery — unregistered AI process detection: KYA requires every AI agent operating in the enterprise environment to hold a declared identity with a registered purpose and scope. An LLM agent spawned post-exploitation has no KYA identity — its first credential request or tool call is flagged as an unregistered agent attempting operation, not as a legitimate workload.
• Behavioural enforcement — process-level scope enforcement: Flow Enforcer enforces what each registered process can call and access. A Marimo notebook process has a declared scope; any execution that attempts to enumerate credentials, probe internal APIs beyond its scope, or make calls inconsistent with its registered purpose hits the enforcement boundary — regardless of whether the deviation was generated by a human or an LLM.
• Flow / egress control — lateral movement prevention: Every workload credential is scoped to its declared purpose. Post-exploitation lateral movement requires presenting valid credentials for each new system accessed. An LLM agent operating on stolen or impersonated credentials cannot escalate beyond the scope of whatever it compromised — each hop requires a separately valid KYA identity.
• Immutable audit trail — novel sequence detection: Audit Black Box records every API call, credential use, and process execution. LLM-generated lateral movement produces novel execution sequences that stand out against the established behavioral baseline for the compromised workload — flagged by anomaly detection even without a matching signature for the specific LLM agent variant used.

Post-exploitation is where AI-assisted attacks gain their advantage. RuntimeAI’s enforcement operates at the credential and scope layer — where that advantage disappears.

Infrastructure

3 — HTTP/2 Continuation Flood “Bomb” Enables Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

When the same class of vulnerability hits five different platforms from three different vendors simultaneously, the root cause is the protocol specification itself — not a bug in any particular implementation. Patching NGINX does not fix Apache. Patching Envoy does not fix IIS. An enterprise running heterogeneous infrastructure at its edge — which includes every organization using cloud-native architectures with multiple proxy layers — has multiple unpatched surfaces simultaneously. Protocol-class vulnerabilities require a different response strategy than CVE-by-CVE patching.

Most Advanced AI Security Zero Trust · Defence in Depth

• Discovery — HTTP/2 surface enumeration: RuntimeAI’s Cloud Security module inventories every internet-facing service using HTTP/2 across the enterprise, including which specific server implementations and proxy layers are in the path. When the HTTP/2 Bomb disclosure landed, affected organizations had an immediate impact assessment — not a multi-day infrastructure audit.
• Behavioural enforcement — connection-level anomaly detection: Flow Enforcer monitors inbound connection patterns to HTTP/2 endpoints. A Continuation Flood attack produces a distinctive pattern: single connection, abnormal frame sequence, rapid memory growth. The attack is detectable at the network layer before any single server is taken offline.
• Flow / egress control — HTTP/2 frame budget enforcement: WAF policy enforces maximum CONTINUATION frame sequences per connection before hard reset. An attacker attempting the bomb attack hits the frame budget limit and gets a connection reset — no memory exhaustion, no service disruption.
• Immutable audit trail — protocol-level attack logging: Every unusual protocol sequence is logged with connection context. When a Continuation Flood attempt is detected, the full attack sequence — source, frame count, timing — is captured for threat intelligence enrichment and pattern correlation across the fleet.

Protocol-class vulnerabilities do not have a single patch. They have a compensating control window that may last months across heterogeneous fleets. RuntimeAI ensures that window does not become an open door.

Supply Chain & Third-Party Risk

4 — Zara: 197,000 Customers Exposed via Anodot Analytics Platform Token Compromise

The Anodot vector is the third-party analytics risk pattern that every enterprise with marketing or behavioral analytics tooling carries: a token issued to an analytics provider to read customer data has the same access as your own internal systems — but it is governed by the analytics vendor’s security controls, not yours. When ShinyHunters compromises the analytics vendor, they inherit every customer’s data from every client that granted the token. A third-party analytics token with production database read access is a data breach pre-positioned at a vendor the customer cannot audit.

The same campaign hitting four companies simultaneously via one compromised platform shows how analytics and data integration tokens have become a high-leverage attack vector: compromise one platform, access many.

Most Advanced AI Security Zero Trust · Defence in Depth

• Discovery — third-party token inventory: RuntimeAI’s NHI Security maintains a continuous map of every authentication token issued to third-party platforms — including analytics tools, data integrations, and former technology providers — with the data scope each token can access. Anodot-style tokens are visible, not assumed-expired.
• Behavioural enforcement — analytics access scope minimization: PII Shield enforces that analytics platform tokens can access only aggregated or masked customer data fields — not raw PII, support ticket content, or order history. The specific fields ShinyHunters exfiltrated would not be accessible to an analytics token operating under RuntimeAI policy.
• Flow / egress control — third-party platform egress monitoring: Flow Enforcer monitors outbound data flows to every analytics and third-party integration endpoint. Bulk customer record access via a third-party token triggers anomaly detection regardless of whether the token itself is valid — because the access pattern is anomalous.
• Immutable audit trail — third-party data access logging: Every customer record accessed via third-party tokens is logged with the token identity, scope, and timestamp. When a vendor breach is disclosed, the blast radius — what records were accessed, through which token, during what time window — is immediately determinable.

Your analytics vendor holds a key to your customer data. RuntimeAI ensures that key is scoped, monitored, and revocable — and that it never opens more than you explicitly authorized.

Data Breaches

5 — DentaQuest Data Breach: 2.6 Million Dental Plan Member Records Exposed

Healthcare breaches affecting government program beneficiaries combine the worst aspects of PII breach exposure: high sensitivity data (SSNs, health records), a vulnerable population with limited identity protection resources, complex regulatory notification obligations spanning multiple jurisdictions, and long-term identity theft risk that extends well beyond the breach disclosure date. For Medicaid and Medicare populations, the breach consequence is not inconvenience. It is identity fraud against people with limited means to detect or respond to it.

Most Advanced AI Security Why RuntimeAI Customers Are Protected

• Discovery — PHI and PII data flow mapping: RuntimeAI’s NHI Security and PII Shield maintain a continuous map of where Protected Health Information and Sensitive PII flows within the organization — which systems hold it, which processes access it, which third-party integrations touch it. The “where is the data” question is answered before the breach, not after.
• Behavioural enforcement — bulk health record access controls: Flow Enforcer enforces per-session limits on bulk access to health record fields (SSNs, treatment records, benefit information). Anomalous bulk extraction of member data — whether by a compromised credential or insider — is detected and suspended before 2.6 million records can be exfiltrated.
• Flow / egress control — PHI export tokenization: PII Shield enforces that SSNs and health record identifiers are tokenized at the data layer. Internal processes work with tokens; untokenized values cannot be exported in bulk regardless of the credential or access path used.
• Immutable audit trail — HIPAA-compliant breach evidence: Every access to PHI is logged with the requesting identity, data scope, and timestamp in the Audit Black Box. HIPAA breach notification timelines require demonstrating the scope of what was accessed — RuntimeAI makes that demonstration immediate and cryptographically provable rather than reconstructed from incomplete logs.

Government program beneficiaries deserve the same data protection as enterprise customers. RuntimeAI enforces that protection at the data layer — regardless of how the credential that accessed the data was obtained.

Industry

6 — Cloud Security Alliance: Growing Patch Gap Is Now a Structural Enterprise Risk

The HTTP/2 Bomb and Marimo CVE in this same week’s digest illustrate the CSA finding exactly: multi-platform protocol vulnerability disclosures and AI-assisted post-exploitation are both playing out in the same time window that enterprise patch cycles operate in. The CSA conclusion — that compensating controls independent of patch status are now required, not optional — reflects what attack velocity data has been showing for twelve months. The question is not whether to patch. It is what happens to the systems that are not patched yet, between now and when the patch deploys.

Most Advanced AI Security Zero Trust · Defence in Depth

• Discovery — exploitability-enriched CVE inventory: RuntimeAI’s Cloud Security module maps every CVE against the enterprise’s actual deployed surface — is the vulnerable service internet-facing, what data can it reach, does it hold credentials with lateral movement potential? Patch prioritization reflects actual exploitability, not raw CVSS score, so the highest-risk surface gets patched in hours even when the full fleet takes weeks.
• Behavioural enforcement — assume-breach containment: KYA-issued scoped credentials for every workload mean that exploiting a vulnerability grants access to a bounded execution environment, not the full enterprise. AI-assisted post-exploitation that moves at machine speed hits the KYA credential boundary on every lateral movement attempt.
• Flow / egress control — per-workload egress restriction: An attacker exploiting an unpatched vulnerability cannot pivot to internal systems without presenting a valid scoped credential for each hop. The unpatched window narrows to just the compromised workload’s declared scope — not the enterprise.
• Immutable audit trail — exploitation detection before patch: Behavioral anomalies triggered by exploitation are detected and logged from the first unusual action — before a CVE signature exists for the specific exploit variant. RuntimeAI’s detection does not depend on knowing what the exploit looks like.

The patch gap is structural. The compensating controls exist today. RuntimeAI ensures that “unpatched” does not mean “unprotected.”

Ransomware & Extortion

7 — Frost Bank & Citizens Bank: Everest Ransomware Claims Sensitive Financial Data in Dual Breach

Third-party vendor compromise is now the dominant initial access vector in financial sector breaches. The bank’s own security controls are increasingly irrelevant when a vendor with database access holds a weaker credential posture. Every vendor with authenticated access to customer financial data is an extension of your attack surface — governed by their security controls, not yours.

Everest’s dual-victim posting is a deliberate tactic: two simultaneous disclosures maximize pressure on both institutions to pay before either can assess whether the other will comply, creating a prisoner’s dilemma dynamic that ransomware groups have increasingly weaponized in the financial sector.

Most Advanced AI Security Zero Trust · Defence in Depth

• Discovery — third-party vendor access inventory: RuntimeAI’s NHI Security maps every vendor with authenticated access to banking systems, including the specific data scopes accessible via each vendor credential. Everest-style attacks exploit vendors with broad access; RuntimeAI makes “which vendor has access to what” continuously visible, not discovered post-breach.
• Behavioural enforcement — vendor session anomaly detection: A vendor compromise produces an authenticated session behaving anomalously — accessing record volumes, data types, or system combinations inconsistent with the vendor’s declared purpose. KYA detects the deviation and triggers isolation before exfiltration completes.
• Flow / egress control — financial data export restrictions: PII Shield enforces bulk export restrictions on customer financial data regardless of the credential used. A ransomware group operating through a legitimate vendor token cannot exfiltrate bulk account records — the data layer enforcement is independent of vendor identity.
• Immutable audit trail — vendor access forensics: Every vendor access to customer financial data is logged with the credential identity, data scope, and timestamp. When Everest lists a bank on its leak portal, the specific exfiltrated data set is immediately determinable without waiting for the group’s own disclosure.

The financial sector’s vendor ecosystem is its largest uncontrolled attack surface. RuntimeAI makes it visible and governable.

8 — Slim CD: 1.7 Million Credit Card Holders Exposed in Payment Processor Breach

Payment processor breaches are structurally different from merchant breaches: a single compromised processor carries transaction data from hundreds of merchants and millions of cardholders who have never directly interacted with Slim CD. The attack surface for cardholder data is not just the merchant the customer paid — it is every processing intermediary in the payment chain. Cardholders have no visibility into which payment processors handle their data — and no ability to choose processors with stronger security postures.

Most Advanced AI Security Zero Trust · Defence in Depth

• Discovery — payment data flow mapping: RuntimeAI’s NHI Security maps every system in the payment processing chain that touches card data — including processing intermediaries, tokenization services, and settlement systems. Every system that holds or passes full card numbers is visible as a high-priority attack surface.
• Behavioural enforcement — payment system access controls: KYA enforces that only authorized payment processing workflows can access full card data, with each workflow issued a scoped credential for its specific processing stage. No credential can access bulk card data outside its declared processing purpose.
• Flow / egress control — card data tokenization enforcement: PII Shield enforces PCI DSS tokenization at the data layer: full card numbers are replaced with tokens at ingestion and only detokenized within the authorized processing boundary. Exfiltrating “card numbers” from outside that boundary yields tokens, not usable card data.
• Immutable audit trail — PCI DSS evidence chain: Every access to card data is logged with the processing context, credential identity, and transaction scope in the Audit Black Box. PCI DSS forensic investigation requirements — the specific data accessed, by which system, during what window — are answered immediately from the audit record.

Payment processing intermediaries are an invisible part of every merchant’s attack surface. RuntimeAI ensures that card data in transit through any processing system is tokenized, scoped, and auditable.

Critical CVEs Under Active Exploitation

9 — CVE-2026-41089: Windows Netlogon RCE Now Actively Exploited — Domain Controllers at Risk

Unauthenticated RCE on domain controllers is the category of vulnerability where patch velocity is measured in hours, not weeks. A compromised domain controller means the attacker becomes the identity authority for the entire Windows environment — they can issue credentials, modify group policy, and access every system that trusts Active Directory. There is no compensating control that neutralizes a compromised domain controller. The only defensible position is to have the patch deployed before exploitation or to have zero-trust architecture that limits what domain controller compromise actually yields.

Most Advanced AI Security Zero Trust · Defence in Depth

• Discovery — Netlogon exposure surface mapping: RuntimeAI’s Cloud Security module maps every domain controller with Netlogon exposed to network-adjacent systems, enriched with the specific data and credential scope accessible if the DC is compromised. When CVE-2026-41089 disclosed, affected organizations had an immediate prioritized patch list — not a multi-day infrastructure audit.
• Behavioural enforcement — assume-breach DC containment: KYA-issued scoped credentials for every workload mean that even a compromised domain controller cannot directly grant access to production data or AI systems. Post-exploitation credential issuance from a compromised DC hits the KYA scope boundary — lateral movement to high-value targets requires separately-valid scoped credentials.
• Flow / egress control — Netlogon network restriction: Flow Enforcer can restrict Netlogon traffic to authorized management paths, reducing the attack surface for network-adjacent exploitation. Unauthenticated Netlogon from non-management systems is blocked before it reaches the domain controller.
• Immutable audit trail — credential issuance anomaly detection: Audit Black Box monitors domain controller credential issuance patterns. A compromised DC issuing credentials for systems or users outside the baseline pattern triggers immediate forensic capture — the attack sequence is preserved from the first anomalous issuance.

Domain controller compromise is not a recoverable position without zero-trust architecture beneath it. RuntimeAI ensures it is the beginning of the incident, not the end of your defenses.

10 — CVE-2026-20182 (Cisco SD-WAN CVSS 10.0) + CVE-2026-34926 (Trend Micro Apex One CISA KEV): Zero-Day Week for Enterprise Security Tools

There is a particular operational irony when zero-days land in security tooling: the Cisco SD-WAN Controller managing your network security posture and the Trend Micro Apex One protecting your endpoints are both now the attack vector. The enterprise deployed these products to reduce risk. This week they increased it. Security tool vendors are not a trusted perimeter. They are vendors with privileged network and endpoint access whose own software supply chain and code quality require the same zero-trust treatment as any other vendor.

CISA’s June 4 patch deadline for Apex One reflects the Known Exploited Vulnerabilities catalog’s role as a minimum patch threshold, not a safety guarantee. Organizations that hit the deadline are patched; organizations that miss it are exposed to an exploit that CISA has confirmed is being actively used.

Most Advanced AI Security Zero Trust · Defence in Depth

• Discovery — security tooling attack surface enumeration: RuntimeAI’s Cloud Security module inventories security platforms themselves as attack surfaces — including SD-WAN controllers, endpoint agents, SIEM collectors, and vulnerability scanners. When CVE-2026-20182 and CVE-2026-34926 disclosed, affected deployments were immediately surfaced with their administrative access scope and network exposure.
• Behavioural enforcement — security tool privilege containment: KYA scopes the credentials of security platform management consoles to their declared administrative functions. A compromised SD-WAN controller operating under KYA scope cannot pivot to credential stores or production systems outside its declared management boundary — even with full admin privileges on the platform itself.
• Flow / egress control — security tooling network isolation: Flow Enforcer isolates security platform management traffic to authorized management paths. An attacker exploiting CVE-2026-20182 through the SD-WAN controller management interface hits the egress policy before pivoting to production workloads.
• Immutable audit trail — security platform access logging: Every action taken through security management platforms — policy changes, credential accesses, configuration modifications — is logged in the Audit Black Box. Compromise of the security platform itself is visible through its behavioral deviation from baseline — the attacker’s actions through the compromised platform stand out from legitimate administrative activity.

Your security tools are not exempt from zero-trust architecture. RuntimeAI governs them the same way it governs everything else — because this week proved they need it.

11 — CVE-2025-48595: Android Zero-Day Actively Exploited — Local Privilege Escalation in Framework Layer

The Android update fragmentation problem makes “Google patched it” meaningfully different from “enterprise devices are patched.” Google’s bulletin triggers a patch chain that must flow through OEM customization, carrier certification, and MDM deployment — a process that stretches weeks in large enterprise fleets. The “limited, targeted exploitation” disclosure language signals intelligence community or nation-state use: spyware frameworks that target specific individuals rather than mass exploitation campaigns. AI agents running on corporate mobile devices inherit whatever access those devices have been granted — a compromised device becomes a compromised agent endpoint.

Most Advanced AI Security Zero Trust · Defence in Depth

• Discovery — mobile device security posture inventory: RuntimeAI’s Cloud Security and KYA modules track the patch status and privilege level of every mobile device running AI agents with enterprise system access. When CVE-2025-48595 disclosed, the specific devices in the enterprise fleet running unpatched Android with AI agent access were immediately identifiable.
• Behavioural enforcement — mobile agent access scope restriction: AI agents running on mobile devices are issued KYA credentials with the minimum scope required for their mobile use case. A device compromised via CVE-2025-48595 yields access only to the mobile agent’s declared scope — not the full enterprise access available from a workstation credential.
• Flow / egress control — unpatched device quarantine policy: Flow Enforcer can enforce patch-level-based access policies: devices with confirmed unpatched critical CVEs in the Framework layer are restricted to read-only or low-privilege agent operations until patched, without manual MDM intervention.
• Immutable audit trail — mobile agent activity logging: Every action taken by AI agents on mobile devices is logged in the Audit Black Box. Post-compromise forensics on a device affected by CVE-2025-48595 includes the full agent activity timeline, making the scope of any data access through the compromised device immediately clear.

Mobile devices are AI agent endpoints. RuntimeAI ensures that a compromised mobile device yields bounded agent access — not enterprise-wide lateral movement.

Supply Chain

12 — Red Hat npm Supply Chain: Miasma Worm Backdoors 32 Official Packages, Targets Cloud & Kubernetes Credentials

Red Hat is one of the most trusted names in enterprise infrastructure tooling. The @redhat-cloud-services namespace is not a niche package; it is infrastructure code used in production Kubernetes and OpenShift deployments across the enterprise world. When an official namespace publishes malicious code, the trust chain is not just broken for that package — it is broken for every developer assumption about “official vendor packages are safe to install.” Supply chain attacks against trusted namespaces are the highest-leverage attack vector in the developer toolchain ecosystem because they exploit the trust that makes software ecosystems function.

The Miasma credential target list is instructive: cloud credentials, Kubernetes tokens, Vault tokens. Not browser cookies or local files — infrastructure access credentials that convert a developer machine compromise into a production environment compromise. The attacker’s goal was infrastructure access, not data theft from individual machines.

Most Advanced AI Security Zero Trust · Defence in Depth

• Discovery — npm package provenance tracking: RuntimeAI’s NHI Security tracks every npm package in the enterprise dependency graph with source, hash, and publish timestamp. When the Miasma backdoor was identified, affected organizations immediately determined which of their services or CI/CD pipelines had installed the compromised packages — not days of manual inventory.
• Behavioural enforcement — postinstall script restrictions: KYA enforces that npm postinstall scripts cannot access cloud credential files, Kubernetes config directories, or Vault token paths. The Miasma payload’s credential harvesting step executes inside a KYA-enforced sandbox where the credential files it was built to read are inaccessible.
• Flow / egress control — developer tool outbound restriction: Flow Enforcer blocks outbound calls from package installer processes to non-allowlisted endpoints. Miasma’s exfiltration step — sending harvested credentials to the attacker’s server — is blocked at the network layer before any credential reaches the attacker.
• Immutable audit trail — package install timeline reconstruction: The Audit Black Box records every package installation, postinstall execution, and resulting file access across the fleet. The blast radius of the Miasma campaign — which machines installed it, what credential files were accessed, which CI/CD pipelines were affected — is determinable in minutes.

Trusted vendor namespaces are not a safe harbor. RuntimeAI applies zero-trust controls to package installation regardless of publisher — because this week confirmed that official namespaces are now an active attack vector.

13 — Palo Alto PAN-OS: Two CISA KEV CVEs in One Week — Auth Bypass and Unauthenticated RCE

The operational irony of both Cisco SD-WAN (incident #10) and Palo Alto PAN-OS appearing in the same week’s KEV catalog is not subtle: the two vendors that together account for a majority of enterprise network security spend both had zero-days under active exploitation simultaneously. The CISA KEV catalog is not a warning list — it is a confirmed-exploitation list. Organizations running either product have confirmed exploits in the wild targeting them right now. Perimeter security products are perimeter attack surfaces. Zero-trust architecture built on top of a product with an authentication bypass is not zero-trust.

CVE-2026-0300’s unauthenticated RCE with root privileges on firewalls is categorically the worst-case vulnerability profile: no credentials required, full system access, on the device sitting between the internet and your internal network. The blast radius is complete network access for any attacker who exploits it before the patch is deployed.

Most Advanced AI Security Why RuntimeAI Customers Are Protected

• Discovery — firewall and network security inventory: RuntimeAI’s Cloud Security module inventories every network security appliance in the enterprise, including PAN-OS versions and patch status. When CVE-2026-0257 and CVE-2026-0300 were added to CISA KEV, affected organizations immediately had a prioritized list of unpatched PAN-OS deployments with their network exposure scope.
• Behavioural enforcement — assume-breach perimeter containment: RuntimeAI’s zero-trust architecture does not depend on the perimeter firewall remaining uncompromised. KYA-issued scoped credentials for every workload mean that an attacker who exploits CVE-2026-0300 to compromise the PAN-OS firewall cannot use that position to directly access production data — each lateral movement hop requires a separately valid KYA credential.
• Flow / egress control — post-exploitation movement prevention: An attacker with root on a compromised PAN-OS firewall has visibility into network traffic but cannot reach internal systems without presenting valid scoped credentials for each target. Flow Enforcer’s per-workload policy enforcement operates independent of the network perimeter layer — perimeter compromise does not yield workload access.
• Immutable audit trail — perimeter compromise detection: Anomalous traffic patterns, unauthorized VPN connections (CVE-2026-0257), and unusual root-level process execution (CVE-2026-0300) are logged in the Audit Black Box from the first deviation. The attack sequence through the compromised firewall is preserved for forensic reconstruction regardless of what the attacker does to clean up on the PAN-OS device itself.

Two vendors. Two CVSS 10-class vulnerabilities. One week. The perimeter is not the defense — it is the attack surface. RuntimeAI’s enforcement operates at the workload and data layer, where perimeter compromise becomes the beginning of the investigation, not the end of the defense.