Palo Alto firewall RCE, Canvas LMS data breach affecting 275 million users, and a nine-year Linux kernel privilege escalation bug.


Welcome to this week's Risk Radar. Robert Kehoe, CTO at Smarttech247, covers three significant disclosures from the past seven days that security teams should be acting on now.
More than 5,800 Palo Alto firewall deployments are currently exposed to a critical vulnerability that allows an unauthenticated attacker with access to the authentication portal to execute arbitrary remote code on the device. No credentials are required to exploit this.
The key takeaway for security teams is straightforward: access to the Palo Alto authentication platform must be restricted to known internal IP ranges. Any exposure to the internet or untrusted network zones should be blocked immediately. If your organisation cannot confirm that restriction is in place, treat this as an urgent remediation task.
Organisations running Palo Alto Cortex managed by Smarttech247 have continuous monitoring in place to detect exploitation attempts against this class of vulnerability. If you are managing Palo Alto independently, this warrants immediate attention.
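One concrete way to verify the restriction the post calls for is to audit the allow rules that reach the authentication portal and flag any whose source is not an approved internal range. The following is an added example written for this page, not code from the Risk Radar post, from Smarttech247 or from Palo Alto's own tooling; it assumes the rules have been exported into a simple list of (rule name, source CIDR, destination service) tuples, and the rule data and the approved ranges below are constructed for illustration.

```python
"""Audit firewall allow-rules that reach an authentication portal.

Added example (not from the Risk Radar post or from Palo Alto). It assumes a
rule export shaped as (rule name, source CIDR, destination service) and flags
any rule that lets traffic reach the portal from outside a set of approved
internal ranges. All rule data and ranges here are constructed.
"""
import ipaddress

# Constructed: ranges a hypothetical organisation treats as internal.
APPROVED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample export: (rule name, source CIDR, destination service).
SAMPLE_RULES = [
    ("mgmt-from-corp", "10.20.0.0/16", "auth-portal"),
    ("legacy-any", "0.0.0.0/0", "auth-portal"),          # exposes the portal to anyone
    ("partner-office", "203.0.113.0/24", "auth-portal"),  # public range, not approved
    ("web-public", "0.0.0.0/0", "https-public-site"),     # different service, out of scope
    ("vpn-pool", "192.168.100.0/24", "auth-portal"),
]


def source_is_approved(source, approved=APPROVED_SOURCES):
    """True only if every address in `source` lies inside one approved range.

    A bare address such as "10.1.2.3" is treated as a /32 host network, so a
    single-host rule is checked the same way as a subnet rule.
    """
    net = ipaddress.ip_network(source, strict=False)
    return any(net.subnet_of(rng) for rng in approved if rng.version == net.version)


def find_exposures(rules, service="auth-portal", approved=APPROVED_SOURCES):
    """Return the names of rules that expose `service` to unapproved sources.

    Rules for other services are ignored; 0.0.0.0/0 and any public range
    fail the check because they are not a subnet of an approved range.
    """
    exposed = []
    for name, source, dest in rules:
        if dest != service:
            continue
        if not source_is_approved(source, approved):
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for rule_name in find_exposures(SAMPLE_RULES):
        print(f"EXPOSED: {rule_name} reaches the auth portal from an unapproved source")
```

Run against a real export, the output is the list of rules to remove or tighten before anything else; an empty list for the portal service is the state the post says every organisation should be able to confirm. The same function can be pointed at any other management service by changing the `service` argument.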
Over 275 million individuals across 8,800 higher education institutions have had personal data exposed following a breach of the Canvas learning management system. Canvas is used by more than 41 percent of all higher education institutions in North America.
The extortion group ShinyHunters breached Canvas LMS infrastructure and accessed names, email addresses, student IDs, and billions of internal messages. The scale of message exposure is particularly significant — this is not simply a credentials breach but a disclosure of private communications at an extraordinary volume.
The CISO takeaway here is a question of data minimisation: does your learning management system actually need to retain the volume of data it currently holds? Organisations should audit what their LMS stores, how long it retains it, and whether that data is necessary to deliver the service. ShinyHunters has a well-documented track record of high-impact intrusions — see our earlier coverage of ShinyHunters' targeted intrusion activity for context on how this group operates.
For institutions in the education sector, this reinforces a pattern of systemic underinvestment in security relative to the volume of sensitive data held. Read more on the top security challenges facing education.
A privilege escalation vulnerability has been disclosed in the Linux kernel that has been present for over nine years. The flaw allows a local user to elevate their privileges to root level using just 732 bytes of exploit code. Exploitation does require local access, which limits the immediate scope, but that mitigation is narrower than it sounds.
The CISO question here is: who has local access to your Linux systems, and is any of that access reachable from the internet without a VPN? If external users or contractors can connect directly to affected systems, the local-access requirement does not adequately contain the risk. Any account that can reach the system remotely and execute code effectively has a path to root.
This is a strong reminder that patching remains one of the most effective and most neglected controls in enterprise security. Nine years of exposure across a widely deployed operating system is not unusual — but it should be.
Stay safe and share this with your team.