Threat Brief: May 8, 2026
Three GTI-verified campaigns are reported this week, sourced from Google Threat Intelligence (GTI), CISA, and Palo Alto Networks Unit 42.

The most critical is CVE-2026-0300, a zero-day out-of-bounds write (CWE-787) in the Palo Alto Networks PAN-OS User-ID Authentication Portal (Captive Portal). CISA added it to the KEV catalog on May 6 with a federal deadline of May 9, and no patch is yet available. GTI rates this P0 with a CVSS base score of 9.8.

Also new this week: two linked campaigns directly targeting US healthcare organizations. CAMP.26.055 is a ClickFix social engineering access-broker campaign active as recently as May 7, and CAMP.26.053 is a heavily obfuscated PowerShell intrusion operation flagged by GTI as consistent with pre-ransomware activity, last observed May 1.

The dominant theme this week: a no-patch critical network infrastructure zero-day under active state-sponsored exploitation, and a live access-broker-to-pre-ransomware chain actively targeting healthcare.