ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories

The recent confirmation that PAN‑OS CVE‑2026‑0300 is being weaponized underscores how quickly high‑severity flaws can transition from discovery to exploitation. Attackers leveraged crafted packets to gain root access on firewalls, a scenario that can compromise entire network perimeters. Coupled with the FCC's decision to postpone mandatory updates for banned consumer routers until 2029, enterprises face a prolonged exposure window for legacy hardware. Organizations must prioritize rapid patch deployment, conduct thorough inventory of network appliances, and implement compensating controls such as micro‑segmentation to limit lateral movement.

Artificial intelligence is becoming both a target and a vector for new threats. Meta's Incognito Chat promises end‑to‑end privacy by confining inference to a Trusted Execution Environment, yet the broader industry must still grapple with model‑level vulnerabilities. HiddenLayer's demonstration of tokenizer.json tampering shows that attackers can manipulate AI outputs without altering model weights, opening pathways for data exfiltration or misinformation. Meanwhile, the cURL community’s experience with false positives from AI‑driven code scanners highlights the need for balanced validation processes. Firms deploying generative AI should enforce strict supply‑chain checks, sandbox model loading, and continuous monitoring of inference pipelines.

Beyond sophisticated exploits, low‑tech techniques are gaining traction. The GhostLock proof‑of‑concept illustrates how a standard domain user can lock SMB shares, effectively denying access to critical files and mimicking ransomware behavior without elevated privileges. Simultaneously, threat actors are experimenting with unconventional command‑and‑control channels, such as NATS servers, and even staging supply‑chain attack contests that incentivize mass package compromise. These trends demand a shift toward zero‑trust principles, rigorous privilege‑access management, and comprehensive telemetry that can detect anomalous file‑share activity and atypical network protocols. Proactive threat hunting and regular red‑team exercises remain essential to stay ahead of evolving adversary tactics.