Cleartext daily briefing

Cleartext – May 06, 2026

Wednesday, May 6, 2026·8:21


show notes


Daily cybersecurity briefing for CISOs and security leaders.


Episode Summary

Today's episode covers 8 stories across 5 topic areas, including: CISA wants critical infrastructure to operate ‘weeks to months’ in isolation during conflict; Middle East Cyber Battle Field Broadens — Especially in UAE; Hackers compromise Daemon Tools in global supply-chain attack, researchers say.

Stories Covered

🌍 Geopolitical

CISA wants critical infrastructure to operate ‘weeks to months’ in isolation during conflict

CyberScoop · May 05 · Relevance: █████████░ 9/10

Why it matters to CISOs: CISA's CI Fortify initiative signals the US government is preparing for scenarios where nation-state cyber operations sever OT from IT — CISOs in critical infrastructure must now plan for sustained isolated operations and will face targeted assessments.

  • CISA launched CI Fortify urging critical infrastructure operators to build isolation and rapid recovery capabilities
  • Guidance calls for operating 'weeks to months' disconnected from IT networks and third-party vendors
  • Driven by warnings that nation-state actors (notably Chinese) are already embedded in operational systems


Middle East Cyber Battle Field Broadens — Especially in UAE

Dark Reading · May 06 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A tripling of breach attempts targeting UAE critical infrastructure amid the Iran conflict is a direct signal for CISOs at organizations with Middle East operations to elevate threat levels and review regional exposure.

  • Breach attempts targeting the UAE tripled in recent weeks amid ongoing tensions with Iran
  • Many attacks target critical infrastructure sectors
  • Represents a significant broadening of the Middle East cyber battlefield


🔓 Data Breach

Hackers compromise Daemon Tools in global supply-chain attack, researchers say

The Record (Recorded Future) · May 06 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A supply-chain compromise of legitimate, signed software distributed from the vendor's official website is a nightmare scenario — CISOs need to audit whether DAEMON Tools is in their environment and review software provenance controls.

  • Kaspersky discovered attackers tampered with DAEMON Tools installers distributed via the official website since April 8
  • Trojanized installers were signed with legitimate developer certificates
  • Kaspersky suspects Chinese-linked threat actors; thousands of infection attempts observed with at least a dozen confirmed compromises
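
The audit called for above is the first thing a practitioner will be asked to run. The PowerShell below is an added example written for this page; it is not code from Kaspersky, from DAEMON Tools, or from the briefing's sources. It assumes the product registers in the Windows uninstall hives under a display name containing "DAEMON Tools" and takes April 8, 2026 (the date given above) as the cutoff; both are assumptions drawn from the page's wording rather than a published IOC list. It is triage, not an indicator-of-compromise check.

```powershell
# Added example (not from the Cleartext page, Kaspersky, or DAEMON Tools):
# inventory DAEMON Tools installs on a Windows host and flag anything installed
# on or after 2026-04-08, the date the page gives for the first tampered
# installers. The display-name pattern and the cutoff are assumptions.

$Cutoff  = [datetime]'2026-04-08'
$Pattern = 'DAEMON Tools'

# Native and WOW6432Node machine hives, plus HKCU for per-user installs.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Findings = foreach ($entry in Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue) {
    if ($entry.DisplayName -notlike "*$Pattern*") { continue }

    # InstallDate is a yyyyMMdd string and is often absent.
    $installed = $null
    if ($entry.InstallDate -match '^\d{8}$') {
        $installed = [datetime]::ParseExact($entry.InstallDate, 'yyyyMMdd', $null)
    }
    # Fall back to the install directory's creation time when the registry has no date.
    if (-not $installed -and $entry.InstallLocation -and (Test-Path $entry.InstallLocation)) {
        $installed = (Get-Item $entry.InstallLocation).CreationTime
    }

    # Record the Authenticode state and hash of the first executable found.
    # A 'Valid' status is NOT exculpatory: the page states the trojanized
    # installers were signed with legitimate developer certificates.
    $sig = $null
    if ($entry.InstallLocation -and (Test-Path $entry.InstallLocation)) {
        $exe = Get-ChildItem -Path $entry.InstallLocation -Filter '*.exe' -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($exe) {
            $s = Get-AuthenticodeSignature -FilePath $exe.FullName
            $sig = [pscustomobject]@{
                File   = $exe.FullName
                Status = $s.Status
                Signer = $s.SignerCertificate.Subject
                SHA256 = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash
            }
        }
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        DisplayName    = $entry.DisplayName
        Version        = $entry.DisplayVersion
        Publisher      = $entry.Publisher
        Installed      = $installed
        InWindow       = if ($installed) { $installed -ge $Cutoff } else { 'unknown' }
        SignatureState = $sig.Status
        Signer         = $sig.Signer
        SHA256         = $sig.SHA256
        File           = $sig.File
    }
}

$Findings | Format-List
```

Treat every row with InWindow set to True or unknown as a potential compromise and hand it to incident response rather than to desktop support. The SHA256 column exists so the result can be compared against vendor-published checksums or Kaspersky's indicators once they are available; the signature columns exist to document that a valid signature was present, not to clear the host. For a fleet, wrap the script in Invoke-Command and pipe the combined output to Export-Csv.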


Trellix Source Code Breach Highlights Growing Supply Chain Threats

Dark Reading · May 05 · Relevance: ████████░░ 8/10

Why it matters to CISOs: When a security vendor's source code is breached, attackers can study detection logic and control mechanisms — CISOs using Trellix products should assess exposure and monitor for downstream exploitation of revealed internals.

  • Trellix is investigating a breach of its source code repository
  • No immediate evidence of code being exploited or publicly released
  • Source code breaches of security vendors can reveal detection logic and control locations to attackers


⚖️ Governance & Policy

Australia launches cyber review board modeled on version disbanded in US

The Record (Recorded Future) · May 05 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Australia's new Cyber Incident Review Board establishes a no-fault post-incident review model — CISOs at multinationals with Australian operations should prepare for potential scrutiny and leverage systemic findings to improve resilience.

  • Australia established a Cyber Incident Review Board modeled on the US CSRB that was recently disbanded
  • Board will conduct no-fault, post-incident reviews of significant cyberattacks on government and industry
  • Focus is on systemic lessons rather than individual or corporate culpability


Skills Gap Top CISO Concern, Says New SANS Survey

BankInfoSecurity · May 06 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: For the first time, skills and capabilities have overtaken headcount as the top CISO concern — this data point is directly useful for board-level workforce investment discussions and training budget justification.

  • SANS survey finds skills/capabilities gaps have overtaken unfilled vacancies as CISOs' top concern for the first time
  • Shift indicates the problem is no longer just hiring but upskilling existing teams
  • Directly relevant to security program maturity and budget allocation discussions


🚀 Startup Ecosystem

Why Cisco Is Eyeing Buy of Non-Human Identity Startup Astrix

BankInfoSecurity · May 06 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A reported $250-350M Cisco bid for Astrix Security would validate non-human identity as a critical security category — CISOs evaluating NHI governance should consider how this consolidation may affect their vendor strategy and identity architecture.

  • Cisco reportedly in talks to acquire Astrix Security for $250M-$350M, a 25%+ premium over its last valuation
  • Deal would expand Cisco's identity security footprint beyond authentication into non-human identity management
  • Signals market maturation of NHI as a distinct security category alongside ITDR and ISPM


🚨 Critical Vulnerability

Palo Alto Networks warns of firewall RCE zero-day exploited in attacks

BleepingComputer · May 06 · Relevance: ██████████ 10/10

Why it matters to CISOs: An actively exploited, unauthenticated RCE zero-day (CVSS 9.3) in PAN-OS firewalls is an emergency-level event — CISOs running Palo Alto infrastructure must assess exposure of User-ID Authentication Portals and apply mitigations immediately.

  • CVE-2026-0300 is a critical buffer overflow in PAN-OS with CVSS 9.3, enabling unauthenticated remote code execution
  • Exploitation is confirmed in the wild; no patch available at time of disclosure
  • Devices are exposed only where the User-ID Authentication Portal is reachable from the internet; restricting that access is the interim mitigation until a patch ships




Full Transcript


Jordan: If you're running Palo Alto firewalls with an internet-facing authentication portal, stop what you're doing. There is an actively exploited zero-day in PAN-OS right now. No patch. CVSS 9.3. Unauthenticated remote code execution. We'll tell you exactly what to do in the next sixty seconds.

Alex: Welcome to Cleartext. It's Wednesday, May 6th, 2026. I'm Alex Chen.

Jordan: And I'm Jordan Reeves.

Alex: Today we have a full slate. That PAN-OS zero-day is our lead. We've also got CISA's new CI Fortify initiative, which is one of the most significant posture shifts from the agency in years. Two supply chain compromises — one of them hits a security vendor's source code. The Middle East cyber battlefield is expanding fast. And we'll get into non-human identity, Australia's new cyber review board, and what the latest SANS survey tells us about where CISO priorities are actually shifting. Let's get into it.

Jordan: CVE-2026-0300. Buffer overflow in the PAN-OS User-ID Authentication Portal. CVSS 9.3. Unauthenticated RCE, confirmed exploitation in the wild, no patch available as of this morning. If your authentication portal is internet-facing, you are exposed right now. Palo Alto has published mitigation guidance — the immediate action is to disable or restrict access to the User-ID Authentication Portal from the internet if you haven't already. That is not optional at this point. Get your network team on the phone, confirm exposure status, and if you're using a managed service provider for your firewall ops, they should already be calling you. If they're not, that's a different conversation you need to have.

Alex: The board implication here is straightforward. Firewalls are perimeter. When perimeter becomes the attack surface, everything behind it is in scope. Document your exposure assessment and your mitigation steps today. If you're breached through this before a patch drops, you want a clear record that you acted on vendor guidance as soon as it was published. Watch for the patch. When it comes, treat it as emergency change control.

Jordan: Moving to the story I think has the longest strategic tail this week. CISA launched CI Fortify. The guidance is asking critical infrastructure operators to build the capability to operate in complete isolation — disconnected from IT networks and third-party vendors — for weeks to months. Not hours. Not days. Weeks to months. And they're backing this up with targeted assessments.

Alex: Let me translate that for anyone who needs to take this to their board. CISA is telling you, in writing, that the U.S. government believes nation-state actors — and the guidance specifically points to Chinese threat actors — are already embedded in operational systems. Not hypothetically. Already there. The agency is now asking operators to prove they can sustain operations if those IT and OT connections get severed in a conflict scenario. That is a fundamental shift in what resilience means for critical infrastructure.

Jordan: The OT-IT convergence trend of the last decade was about efficiency. CI Fortify is essentially asking you to architect for the opposite scenario — intentional, sustained segmentation under adversarial conditions. If your OT environment can't run for 30 days without calling home to a cloud vendor or a third-party patch server, you have a gap that CISA is now actively looking for. And with these targeted assessments coming, this isn't a future compliance problem. It's a current one.

Alex: Budget framing for this: the question you should be asking is what it costs to maintain isolated operational capability versus what it costs to go dark during a conflict. For most critical infrastructure operators, the latter is existential. This is a capital planning conversation, not a security team conversation.

Jordan: And tying directly to this theme — the Middle East. Breach attempts targeting UAE critical infrastructure tripled in recent weeks. As the Iran conflict has escalated, so has the cyber dimension, and the UAE is catching a significant share of that activity. If you have operations in the Gulf region — financial services, energy, logistics — your threat level needs to be elevated right now. This isn't ambient noise. Tripling of attempts in a few weeks against critical infrastructure sectors is a deliberate campaign pivot.

Alex: Review your regional exposure. Check your third-party relationships in that geography. And make sure your SOC team has the regional threat context they need to prioritize correctly.

Jordan: Two supply chain stories this week, and both deserve attention for different reasons. First, DAEMON Tools. Kaspersky found that attackers compromised the official DAEMON Tools website and swapped in trojanized installers — signed with legitimate developer certificates — starting April 8th. Thousands of infection attempts, at least a dozen confirmed compromises. Kaspersky attributes this to a Chinese-linked threat actor.

Alex: The signed certificate piece is what makes this operationally difficult. Your endpoint controls that validate signatures would have seen a clean bill of health. This is the supply chain problem in its purest form — the trust signal you rely on was weaponized at the source. Immediate action: audit your environment for DAEMON Tools installations, particularly anything installed after April 8th. If you find it, treat it as a potential compromise, not just a software issue.

Jordan: Second supply chain story hits closer to home for a lot of listeners. Trellix is investigating a breach of its source code repository. No confirmed exploitation yet, no code publicly released as of this morning, but that's almost beside the point.

Alex: Right. When a security vendor's source code is breached, the value to an attacker isn't necessarily releasing it publicly. It's studying it privately. Understanding where the detections are, how the logic works, where the blind spots are. If you're running Trellix products, you should be monitoring for any vendor communications, watching for anomalous behavior in those tools, and frankly thinking about detection diversity — whether you have enough independent visibility that a single vendor's logic being reverse-engineered doesn't create a coverage gap across your entire environment.

Jordan: Quick one on market structure. Cisco is reportedly in talks to acquire Astrix Security, a non-human identity startup, for somewhere between $250 and $350 million. That's a 25-plus percent premium over their last valuation.

Alex: Non-human identity is no longer an emerging category — it's arrived. Service accounts, API keys, OAuth tokens, machine credentials. The attack surface here has been growing for years while most organizations' governance hasn't kept pace. A Cisco acquisition at this price signals that NHI is being treated as core infrastructure-level security, not a specialty tool. If you don't have a current inventory of your non-human identities and a governance model around them, that gap is increasingly hard to justify.

Jordan: Two governance items to close out. Australia launched a Cyber Incident Review Board this week, explicitly modeled on the U.S. CSRB — which was, notably, recently disbanded here. The Australian board will conduct no-fault, post-incident reviews focused on systemic lessons rather than corporate culpability.

Alex: If you have Australian operations, get familiar with this body and its scope. The no-fault framing is designed to encourage honest participation, but participation in a government review of your incident is still a significant event. From a global governance standpoint, it's also worth noting: Australia is standing up the institutional infrastructure the U.S. just walked away from. That's a data point worth tracking.

Jordan: And the SANS survey finding that's useful for your next board conversation: skills and capability gaps have overtaken headcount as CISOs' top concern for the first time. Not vacancies — skills. The problem has shifted from not having enough people to not having people with the right capabilities.

Alex: This is a budget argument and a strategy argument simultaneously. Hiring your way out of a skills gap doesn't work if the talent pool doesn't have the skills you need. Training investment, capability development, retention of senior practitioners — these need to be line items that you can defend with data. That SANS finding is your data point.

Jordan: So what's the theme of this week?

Alex: Dependency. Every major story this week is fundamentally about what happens when something you trust fails or gets turned against you. Your firewall vendor's software. Your disk image utility's installer. Your security vendor's source code. Your OT network's IT connectivity. The thread running through all of it is that trusted dependencies — software, networks, vendors — are where the most sophisticated attackers are operating.

Jordan: The defense posture that follows from that is uncomfortable for a lot of organizations because it requires acknowledging that your control environment has assumptions baked into it that adversaries are actively testing. CI Fortify is the government making that explicit for critical infrastructure. The supply chain compromises are making it explicit for everyone else.

Alex: Next week, watch for a PAN-OS patch and whether exploitation has expanded beyond the initial targeting. Watch for any public release of the Trellix source code and how the vendor responds. And watch whether CISA's CI Fortify guidance triggers any mandatory compliance language — right now it's guidance, but the assessment program suggests that may not stay voluntary for long.

Jordan: That's Cleartext for Wednesday, May 6th. Show notes and links to every story we covered today are at cleartext.fm. If this was useful, share it with a peer. We'll be back tomorrow.

Alex: Stay sharp.


Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-05-06.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.