
Four Edge Appliances, One Weekend: PAN-OS, Check Point, Serv-U, and PeopleSoft Are All 0-Day'd Right Now

  • Writer: Patrick Duggan
  • 6h
  • 3 min read

Run down this weekend's actively-exploited zero-day list and notice what every entry has in common. Palo Alto Networks PAN-OS — CVE-2026-0257, an authentication bypass on GlobalProtect portals, exploited in the wild. Check Point VPN — CVE-2026-50751, exploited since early May, now linked to a Qilin ransomware affiliate. SolarWinds Serv-U — CVE-2026-28318, being used to crash servers. Oracle PeopleSoft — CVE-2026-35273, a 9.8 remote code execution gadget chain that ShinyHunters and Cl0p rode into a hundred-plus organizations before Oracle could publish an advisory.


Four products. One weekend. And every single one of them is the box that sits at the edge of the network, facing the internet, holding the front door open by design. That is not a coincidence. That is the strategy.



The perimeter became the target because the perimeter is the only thing left facing out


For two decades the security industry told everyone to put their valuable stuff behind a VPN, a firewall, a secure file-transfer gateway, an authentication portal. So that's where the valuable stuff went — and that's where the adversaries went, because those appliances are now the highest-value, most-exposed, least-inspectable surface on the internet. They terminate encrypted tunnels, so your network sensors can't see inside them. They run vendor firmware you can't patch on your own schedule. They authenticate everyone, so an auth bypass in one is a skeleton key. And they are, definitionally, reachable from anywhere.


A GlobalProtect auth bypass means the thing guarding the VPN waves the attacker through. A Check Point VPN zero-day means the encrypted tunnel everyone trusts is the entry. A Serv-U flaw means the box you use to move files securely moves the attacker's payload instead. A PeopleSoft RCE means the HR and student-records system that has to be reachable for staff is reachable for everyone. The security appliance and the security exposure are now the same device.



Different adversaries, identical doorway


Here's the part that turns four product advisories into a single story. The actors behind these have nothing to do with each other. Qilin is a ransomware-as-a-service affiliate operation. ShinyHunters is a data-theft extortion crew. Cl0p is a mass-exploitation ransomware brand. Whoever's burning the PAN-OS and Serv-U bugs may be different again. They share no infrastructure, no motive, no playbook beyond this: they all converged on the internet-facing appliance because that's where the cheap, scalable, pre-authentication access lives.


This is the thesis we keep returning to, and the edge keeps proving it: the adversary's motive matters far less than the door they share. You cannot defend against "Qilin" and "ShinyHunters" and "Cl0p" as separate problems when they're all walking through the same four doorframes. You defend the doorframe. The convergence is the signal — when unrelated crews independently decide the perimeter appliance is the play, that's the market telling you where the soft, scalable access is.



What actually moves the needle


The honest answer is unglamorous and it is mostly not a threat feed. It is exposure management: knowing which of your PAN-OS, Check Point, Serv-U, and PeopleSoft instances are internet-facing before an adversary's mass-scanner finds them, and getting them off the public internet or behind something that fails closed. The window that mattered for PeopleSoft was the two weeks of zero-day exploitation before Oracle's out-of-band patch existed — and in that window the only defense was not being reachable.


Where threat intelligence does earn its keep is the cross-reference and the lead time. All four of these CVEs flow into the CISA Known Exploited Vulnerabilities catalog, which we carry in our feed — so the question "is this the one being exploited right now" has an answer before your scanner finishes its sweep. And the edge layer cuts both ways: the same internet-facing posture that exposes these appliances is exactly what an edge-blocking layer is built to filter, dropping the mass-scanning traffic that finds them in the first place. The scanners hunting these four products are loud, repetitive, and shared — block the scanner population and you raise the cost of the whole campaign.
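The inventory-to-KEV cross-reference described above, as an added example that is not code from the post or its feed. The KEV field names follow the layout of CISA's public JSON feed, but the entries, hostnames and inventory rows are constructed sample data built around the four CVE ids named in the post; the priority tiers are an assumed triage scheme, not CISA's required actions.

```python
import json

# Constructed KEV-style feed (field names as in CISA's known_exploited_vulnerabilities.json;
# records are sample data around the post's CVE ids, not CISA's own entries).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-0257", "vendorProject": "Palo Alto Networks",
     "product": "PAN-OS", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-50751", "vendorProject": "Check Point",
     "product": "VPN", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-28318", "vendorProject": "SolarWinds",
     "product": "Serv-U", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-35273", "vendorProject": "Oracle",
     "product": "PeopleSoft", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed asset inventory: one row per instance, carrying the exposure flag
# the post says matters most. Hostnames are placeholders.
INVENTORY = [
    {"host": "vpn-gw-01", "vendor": "Palo Alto Networks", "product": "PAN-OS", "internet_facing": True},
    {"host": "cp-vpn-02", "vendor": "Check Point", "product": "VPN", "internet_facing": True},
    {"host": "sftp-int-01", "vendor": "SolarWinds", "product": "Serv-U", "internet_facing": False},
    {"host": "hr-psft-01", "vendor": "Oracle", "product": "PeopleSoft", "internet_facing": True},
    {"host": "wiki-01", "vendor": "Wikimedia", "product": "MediaWiki", "internet_facing": True},
]


def load_kev(raw):
    """Index KEV entries by (vendor, product), case-insensitively."""
    index = {}
    for entry in json.loads(raw)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)
    return index


def triage(inventory, kev_index):
    """One finding per (asset, KEV CVE) match, most urgent first.

    P1: internet-facing and in KEV -> patch or pull off the internet today.
    P2: in KEV but not reachable from outside -> patch on the normal cycle.
    Assets with no KEV match produce no finding.
    """
    findings = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for entry in kev_index.get(key, []):
            findings.append({
                "host": asset["host"], "cve": entry["cveID"],
                "priority": "P1" if asset["internet_facing"] else "P2",
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    # P1 before P2; within a tier, CVEs with known ransomware use first.
    return sorted(findings, key=lambda f: (f["priority"], not f["ransomware"]))
```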


We cap confidence at 95 percent: exploitation details are still firming up on a couple of these, attribution on the PAN-OS and Serv-U activity is incomplete, and patch availability is moving daily. But the pattern is not subtle and it is not going to reverse. The industry spent twenty years concentrating value behind a handful of internet-facing appliance brands, and the adversaries spent this weekend proving that concentration is a target list. The perimeter is no longer the wall. The perimeter is the payload.


If you run any of the four, the action is the same and it's today: confirm CVE-2026-0257, CVE-2026-50751, CVE-2026-28318, and CVE-2026-35273 against your inventory, patch or pull from the internet, and assume the two weeks before you read this were someone else's opportunity window.




The threat feed this post is built on

1.14M+ IOCs, STIX 2.1, precursor signals, supply-chain detection. Free API key in 30 seconds.

