Main Menu
Guillermo SánchezEthan Grammer / / 5 minutes of reading

Recent Breaches/Incidents

1. Ransomware Attack on ChipSoft Disrupts Dutch Hospitals 


https://therecord.media/chipsoft-ransomware-attack-disrupts-dutch-hospitals

Description:

A ransomware attack targeting Dutch healthcare software provider ChipSoft has disrupted hospital operations across the Netherlands, highlighting the growing cybersecurity risks facing the healthcare sector. ChipSoft, whose HiX electronic health record (EHR) platform is used by approximately 80% of Dutch hospitals, confirmed the incident after systems and digital services were taken offline. 

Following the attack, at least 11 hospitals temporarily disconnected ChipSoft systems from their networks as a precautionary measure. Several healthcare institutions reported outages affecting patient portals, scheduling systems, and other digital services, while communication shifted to manual processes and telephone coordination. Despite the disruption, Dutch healthcare cybersecurity agency Z-CERT stated that no critical patient care services had completely stopped. 

The incident began on April 7, 2026, when ChipSoft detected unauthorized access within its environment. In response, the company disabled connections to key services including Zorgportaal, HiX Mobile, and Zorgplatform to contain the threat. The ransomware group responsible has not yet been publicly identified. 

Cybersecurity experts say the attack demonstrates the significant supply chain risks associated with centralized healthcare technology providers. Because ChipSoft supports a large portion of the country’s medical infrastructure, the compromise created a ripple effect across multiple hospitals simultaneously. 

The event serves as another reminder that healthcare organizations remain prime ransomware targets due to the critical nature of medical operations and the pressure to restore services quickly. Security teams are encouraged to review third-party risk management practices, validate business continuity plans, segment critical systems, and ensure incident response procedures are regularly tested. 

Advisories/ Vulnerabilities/Alerts

1. Critical PAN-OS Vulnerability Under Active Exploitation – CVE-2026-0300 

Source Advisory URL: https://security.paloaltonetworks.com/CVE-2026-0300

Description:

A newly disclosed critical vulnerability, CVE-2026-0300, is affecting Palo Alto Networks PAN-OS firewalls and is already being actively exploited in the wild. Organizations using PA-Series or VM-Series firewalls should immediately assess exposure and implement mitigations while applying vendor-recommended patches. 

CVE-2026-0300 is a critical buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal (Captive Portal) service. Successful exploitation allows an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets to vulnerable devices. 

The vulnerability carries a CVSS severity score of 9.3 and has been added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog due to confirmed active exploitation. 

The issue impacts: 

  • PAN-OS 10.2  
  • PAN-OS 11.1  
  • PAN-OS 11.2  
  • PAN-OS 12.1  

Specifically, the vulnerability affects PA-Series and VM-Series firewalls running vulnerable PAN-OS versions with the User-ID Authentication Portal enabled. 

Palo Alto Networks has begun releasing fixes across affected PAN-OS branches, with some updates becoming available starting May 13, 2026, and additional maintenance releases scheduled later in the month. 

Recommended Actions:

  • Restrict User-ID Authentication Portal access to trusted internal networks only  
  • Disable Response Pages on internet-facing interfaces  
  • Disable the Authentication Portal entirely if not required  
  • Upgrade to fixed PAN-OS versions as soon as patches become available  
  • Review firewall logs for suspicious portal activity or exploitation attempts 

2. Critical cPanel & WHM Authentication Bypass Under Active Exploitation 

Source Advisory URL: https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/

Description:

Security researchers are warning organizations about a critical vulnerability affecting cPanel & WHM and WP Squared, identified as CVE-2026-41940. The flaw allows unauthenticated remote attackers to bypass authentication and gain administrative access to vulnerable systems, potentially leading to full server compromise. 

The vulnerability has received a CVSS score of 9.8 and is already being actively exploited in the wild. Reports indicate attackers may have been abusing the flaw since February 2026, before patches became publicly available. 

According to technical analysis published by researchers, the issue stems from a flaw in session handling involving a CRLF injection vulnerability in cPanel’s login and session-loading process. Successful exploitation can allow attackers to gain root-level administrative access without valid credentials. 

The vulnerability affects cPanel & WHM versions after 11.40, including multiple supported release branches and WP Squared installations. Because cPanel is widely used by hosting providers and enterprises to manage websites, databases, email, and DNS services, exploitation could impact millions of internet-facing systems globally. Rapid7 estimates that approximately 1.5 million cPanel instances may be exposed online. 

Affected Software: The vendor states that all versions after 11.40 are affected, prior to the following available fixed versions. 

Recommended Actions: 

  • Immediately upgrade all affected cPanel & WHM systems to the latest patched versions released by cPanel.  
  • Temporarily restrict or block external access to ports 2083 and 2087 if patching cannot be performed immediately.  
  • Review authentication and access logs for suspicious login attempts, unauthorized administrative access, or unusual session activity.  
  • Identify and validate all internet-facing cPanel services to minimize unnecessary external exposure.  
  • Update vulnerability scanners, detection signatures, and security monitoring tools to identify vulnerable or potentially compromised systems.  
  • Ensure firewall rules and access controls limit administrative access to trusted IP addresses whenever possible.  
  • Conduct a compromise assessment on exposed servers to verify no unauthorized changes, accounts, or persistence mechanisms were introduced.  
  • Reinforce incident response and backup procedures to support rapid recovery if exploitation is detected. 

3. Critical Critical Nginx UI Vulnerability Under Active Exploitation  

Source Advisory URL: https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/

Description:

Security researchers are warning that a critical vulnerability affecting Nginx UI, tracked as CVE-2026-33032, is now being actively exploited in the wild. The flaw allows unauthenticated attackers to fully compromise vulnerable Nginx servers through an exposed Model Context Protocol (MCP) endpoint. 

According to reports, the vulnerability exists because the /mcp_message endpoint in Nginx UI does not properly enforce authentication. Attackers can exploit this weakness to execute privileged administrative actions, including modifying Nginx configuration files, restarting services, and triggering automatic configuration reloads, effectively allowing complete server takeover without valid credentials. 

The issue impacts Nginx UI versions prior to 2.3.6 and carries a CVSS severity score of 9.8. Researchers estimate that more than 2,600 internet-facing Nginx UI instances may currently be exposed worldwide. Public proof-of-concept (PoC) exploit code is also available, increasing the likelihood of widespread attacks. 

Cybersecurity experts warn that successful exploitation could allow attackers to intercept web traffic, deploy malicious configurations, establish persistence, or disrupt critical web services. Organizations using Nginx UI are strongly advised to immediately upgrade to the latest patched version, restrict access to administrative interfaces, and monitor logs for suspicious requests targeting the /mcp_message endpoint. 

Recommended Actions: 

  • Immediately upgrade all Nginx UI installations to the latest patched version to remediate CVE-2026-33032.  
  • Identify and inventory all systems running Nginx UI, especially internet-facing instances.  
  • Restrict access to the Nginx UI management interface to authorized administrators only.  
  • Limit management interface exposure using firewall rules, VPN access, IP allowlists, or network segmentation.  
  • Disable direct public internet access to administrative interfaces whenever possible.  
  • Monitor web server and application logs for suspicious requests, particularly attempts targeting the /mcp_message endpoint.  
  • Review Nginx configuration files and system changes for signs of unauthorized modifications or persistence mechanisms.  
  • Regularly apply security updates and vulnerability patches to reduce exposure to newly disclosed threats.  
  • Implement continuous vulnerability scanning and configuration audits for externally accessible services.  
  • Enforce strong authentication and least-privilege administrative access controls across all management platforms.