
On Tuesday, 2026-05-06, CISA added Palo Alto's PAN-OS captive portal flaw to its Known Exploited Vulnerabilities catalog.
Federal agencies got three days to remediate.
Two days later, Fortinet pushed an emergency hotfix for FortiClient EMS, with researchers at Defused confirming the bug had been a zero-day in the wild.
Cisco followed with a Crosswork DoS that requires a manual reboot to clear.
Three perimeter vendors. One week.
The fix lands Wednesday for PAN-OS. We publish on Thursday.
That gives you about 24 hours of head start on the patch order, and another 72 before attackers shift from limited targeting to mass exploitation.
Your firewall isn't a wall.
It's an attack surface.
But first, some catch-up on infra this week.
🚨 The Perimeter Becomes the Threat
Most BFSI and manufacturing networks in India run on three vendors at the edge.
Palo Alto. Fortinet. Cisco.
This week, all three shipped advisories for products that sit at the trust boundary.

CVE-2026-0300, PAN-OS captive portal. Buffer overflow in the User-ID Authentication Portal service. Unauthenticated. Remote. Root.
CVSS 9.3 if the portal is reachable from the internet. CVSS 8.7 if you've restricted it to trusted IPs.
Affected: PAN-OS 12.1, 11.2, 11.1, 10.2 across multiple hotfix branches.
Palo Alto's fixes start landing 2026-05-13.
Limited exploitation observed already against publicly exposed portals.
👉 If you run guest Wi-Fi, partner-access portals, or any branch site with PAN-OS captive portal exposed to the public internet, that interface is the door.
CVE-2026-35616, FortiClient EMS. Pre-auth API access bypass. Affects 7.4.5 and 7.4.6. (7.2 is unaffected.)
Fortinet's words: "Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6."
Shadowserver counted over 2,000 exposed FortiClient EMS instances online when the disclosure dropped.
EMS is the management plane. Compromise here means an attacker controls the policy push for every endpoint that customer manages.
👉 If your MSP runs your endpoint stack on FortiClient EMS, the hotfix isn't optional. Ask them to confirm the version and the patch window in writing.
CVE-2026-20188, Cisco Crosswork NC and NSO. Inadequate rate limiting on incoming network connections. Unauthenticated DoS. Low complexity.
Successful exploitation exhausts connection resources and wedges the platform.
Manual reboot required to recover. Automated recovery is not possible.
Affected: CNC 7.1 and earlier, NSO 6.3 and earlier. Fixed: CNC 7.2, NSO 6.4.1.3, NSO 6.5.
For the network architect reading this, that one stings differently. CNC and NSO are the change-window control planes. If an attacker can DoS them, they can wedge your team's ability to respond to anything else.
Stack this with the Apache HTTP/2 flaw CVE-2026-23918 (DoS, possible RCE, patches in MINA and HTTP Server) and you have four products under active scrutiny in seven days.
The captive portal is the door. The management plane is the keys.
What to do before Monday:
✔ Inventory every internet-facing PAN-OS captive portal. Note the OS branch.
✔ Schedule the PAN-OS upgrade window for the night of 2026-05-13 onward.
✔ Confirm FortiClient EMS version with your endpoint operator. If 7.4.5 or 7.4.6, install the hotfix this week.
✔ Patch CNC to 7.2 and NSO to 6.4.1.3 or 6.5. Even with no active exploitation, the DoS-and-manual-reboot combo is a gift to a motivated attacker.
✔ Add the four advisories to the next change-advisory-board pack so a paper trail exists for the auditor.
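As an added example that is not from the newsletter or any of the vendors: a small Python triage that checks a device inventory against the four advisories above, using only the affected and fixed versions quoted in this issue. Hostnames, build numbers and the field names of the inventory rows are constructed assumptions.

```python
from typing import Optional

# Affected/fixed versions are as stated in this issue; hosts below are constructed.

def parse_version(v: str) -> tuple:
    """'6.4.1.3' -> (6, 4, 1, 3); shorter tuples compare as older."""
    return tuple(int(p) for p in v.split("."))

# PAN-OS: the advisory names affected branches but no hotfix numbers, so every
# build on these branches counts as affected until the 2026-05-13 fix ships.
PANOS_BRANCHES = {"12.1", "11.2", "11.1", "10.2"}
EMS_AFFECTED = {"7.4.5", "7.4.6"}        # 7.2 is unaffected
CNC_FIXED = parse_version("7.2")        # affected: 7.1 and earlier
NSO_FIXED = parse_version("6.4.1.3")    # affected: 6.3 and earlier; 6.5 fixed

def triage(host: dict) -> Optional[str]:
    """Return the action for one inventory row, or None if nothing applies."""
    product, ver = host["product"], host["version"]
    if product == "PAN-OS":
        branch = ".".join(ver.split(".")[:2])
        if branch in PANOS_BRANCHES and host.get("captive_portal"):
            sev = "CVSS 9.3" if host.get("internet_facing") else "CVSS 8.7"
            return f"CVE-2026-0300 {sev}: upgrade window from 2026-05-13"
    elif product == "FortiClient EMS" and ver in EMS_AFFECTED:
        return "CVE-2026-35616 exploited in the wild: install hotfix this week"
    elif product == "Cisco CNC" and parse_version(ver) < CNC_FIXED:
        return "CVE-2026-20188 DoS: patch to CNC 7.2"
    elif product == "Cisco NSO" and parse_version(ver) < NSO_FIXED:
        # Assumption: any build below the first fixed build is treated as exposed.
        return "CVE-2026-20188 DoS: patch to NSO 6.4.1.3 or 6.5"
    return None

def triage_inventory(rows: list) -> list:
    """(hostname, action) pairs, internet-facing PAN-OS portals listed first."""
    hits = [(r["host"], triage(r)) for r in rows if triage(r)]
    return sorted(hits, key=lambda h: "9.3" not in h[1])

# Constructed sample inventory: hostnames and build numbers are made up.
SAMPLE = [
    {"host": "fw-guest-wifi", "product": "PAN-OS", "version": "11.2.4",
     "captive_portal": True, "internet_facing": True},
    {"host": "fw-dc-core", "product": "PAN-OS", "version": "10.2.9",
     "captive_portal": True, "internet_facing": False},
    {"host": "ems-msp", "product": "FortiClient EMS", "version": "7.4.6"},
    {"host": "ems-lab", "product": "FortiClient EMS", "version": "7.2.1"},
    {"host": "cnc-prod", "product": "Cisco CNC", "version": "7.1"},
    {"host": "nso-prod", "product": "Cisco NSO", "version": "6.5"},
]
```

Feed it the real inventory export in place of SAMPLE and the output is the patch order for the change-advisory-board pack.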
The vendor isn't the problem.
The vendor's management plane on the wrong side of the firewall is.
How we plug in: Our Cyberdefense practice runs the patch-cadence work for Indian BFSI and manufacturing clients on these exact vendor stacks. We triage advisories on the same business day, map exposed surface against the customer's actual deployment, and stage the fix windows so your branch sites do not all reboot at once. If your current provider is still emailing you the CISA KEV list as if that were the deliverable, that is the gap.
📋 CERT-In Said Urgent. They Almost Never Do.
Two days after the PAN-OS advisory, CERT-In published an urgent warning that AI-powered cyberattacks are rapidly reshaping India's digital threat landscape.
CERT-In rarely uses the word "urgent."
When they do, the Indian admin reads carefully.
The advisory names five threat categories operating at scale: automated phishing, AI-assisted ransomware, zero-day exploitation, credential theft, and network intrusion automation.
It also names the primary target.
MSMEs are the target.

That is the line worth re-reading. Not Fortune-500 CISOs. Not regulated-bank security teams with seven-figure SOC budgets. The micro, small, and medium enterprises that run a fraction of the headcount and a fraction of the monitoring.
The CERT-In recommendations read like an operational checklist:
✔ Move from reactive to proactive posture
✔ Faster threat detection
✔ Stronger patch management
✔ Continuous network monitoring for real-time anomaly detection
✔ Detailed system logs
If that list looks familiar, it should. It is a managed-services scope of work.
The regulator is signalling that the gap between "we have a firewall" and "we run the firewall" has closed. The Indian MSME running on a single-pair-of-eyes IT setup, with patches deferred because there is no one to test them, is exactly who the CERT-In advisory describes as exposed.
Now layer the DPDP Act consultation MeitY opened earlier this year.
The proposal is to compress the Significant Data Fiduciary compliance window from 18 months to 12.
The full operational compliance deadline is still 13 May 2027. Penalties run from ₹10,000 for minor procedural lapses up to ₹250 crore per instance for serious breaches.
Those breaches now include the AI-driven attack patterns CERT-In just named.
If you run an SDF and your security operations cannot answer "show me the logs from last quarter, by user, by event type" inside 72 hours, the DPDP timeline compression is the operational risk.
Every other line on the CERT-In advisory rolls into the DPDP audit log.
The bolded thesis for this section is short.
Regulator pressure is now operational pressure.
How we plug in: Our Complete IT Infrastructure Solution practice maps CERT-In and DPDP requirements onto a buyer's actual managed-services contract. Specifically: which provider is responsible for the patch SLA, the log retention, the breach-reporting window. We have done this work for Indian BFSI, manufacturing, pharma, and textile clients across thirty-five years. The procurement decision usually moves the needle more than the technology one.
🔍 Airtel Just Built India's First Managed ZTNA. Here's What to Ask.
For a decade, the "fully managed Zero Trust" story belonged to global SASE vendors. Zscaler. Netskope. Cato. Palo Alto Prisma.
This week, Airtel launched Secure Workforce, described by the company as India's first fully managed, unified Zero Trust enterprise platform.
The launch landed on 2026-05-07.

What is included, per Airtel: an end-to-end compliance-ready security stack. Centralised protection across users, devices, networks, applications, and data. A unified visibility dashboard. Audit-grade logs. Endpoint detection and response. Structured incident response workflows. All hosted on Airtel Cloud, monitored 24x7 from Airtel's nationwide network.
The pitch is built on two specific promises.
First managed ZTNA from an Indian carrier, hosted on Indian infrastructure, designed against DPDP requirements out of the gate.
And a cost claim: enterprises can reduce security-related spending by up to 30 percent.
Sharat Sinha, CEO of Airtel Business, says enterprises face "increasing pressure to protect users and devices against targeted, AI-enabled attacks."
That language tracks the CERT-In advisory two sections up almost word for word.
For the buyer, the change is structural. Until this launch, an Indian BFSI or manufacturing IT lead evaluating ZTNA was choosing among providers whose decision plane sat outside India, whose data went through hyperscaler regions, and whose audit logs lived under foreign jurisdiction. The procurement conversation always included a cross-border-data-flow paragraph and a legal-review escalation.
Airtel offers a domestically hosted alternative. That changes the RFP shortlist.
It does not, automatically, change the answer.
Four questions to put on the evaluation form before you pilot Airtel Secure Workforce against an incumbent:
👉 What does the policy plane actually enforce? End-to-end ZTNA needs identity context, device posture, and per-application policy. Confirm Airtel's offering covers all three at the depth your applications need.
👉 What does the visibility dashboard surface, and what does it suppress? "Unified dashboard" is a marketing term until you see the field list. Ask for a demo against a real workload, not the sandbox.
👉 What is the incident-response SLA, and who triages? "24x7 monitoring" is shift coverage. Triage time is the operational metric. Ask for a sample incident timeline from a comparable customer.
👉 How does the platform integrate with the EDR you already run? Most Indian enterprises are not greenfield. The "EDR included" line in the launch is useful only if it co-exists with your existing endpoint stack, not replaces it on day one.
Airtel built a Centre of Excellence on Airtel Cloud where enterprises can evaluate the platform live before deployment. Use it.
The Indian buyer who has been quietly waiting for a domestic ZTNA option just got one.
The shortlist changed. The evaluation discipline did not.
How we plug in: Our Enterprise Connectivity practice runs underlay assessments for organisations rolling out SD-WAN, SASE, or ZTNA across Indian branch sites. We sit on the buyer side of these RFPs, not the vendor side. If you are about to pilot Airtel Secure Workforce against a global incumbent, we will help you define the evaluation criteria, run the side-by-side, and read the contract clauses that change the day-2 economics.
💡 HPE Says Self-Driving Networks Are Done Being Aspirational
While the patch week ran in the foreground, HPE moved its self-driving network actions out of preview and into production across Mist and Aruba Central.
This is the first production roll-out since the Aruba and Juniper Mist platforms came under the same roof.

Rami Rahim, the HPE executive who led the announcement, used a line worth quoting: "The self-driving network is no longer aspirational. It's operational."
What ships, today, in production:
✔ Automated RF tuning during capacity spikes
✔ VLAN misconfiguration fixes
✔ Rogue DHCP server detection and mitigation
✔ Wireless congestion management
✔ Interference detection and remediation
The architecture is microservices spanning both Mist AI and Aruba Central. Dual-platform access points can operate on either system. Configurable autonomy ships as a setting: full automation if you want it, human-in-the-loop if you don't. Post-execution validation explains what the system changed and why. Sandbox testing for access-control policies. Expanded OpenRoaming integration.
For the Indian campus refresh buyer who chose Aruba or Juniper in the last five years, this is the "what does my vendor's roadmap mean for me" anchor.
The honest read: the actions on the list are the high-frequency, contained problems. RF tuning, VLAN typos, rogue DHCP. The 2 a.m. pages that previously needed a human are increasingly going to a model.
The actions not on the list are the ones that still need a human. Cross-domain incidents. Identity-context ambiguity. Anything where the explanation needs to satisfy a CERT-In advisory or a DPDP audit trail.
This pairs with the EMA research on the SD-WAN to SASE shift released this week. The data point: 60 percent of SD-WAN deployments will be SASE-integrated by end of 2026, up from 35 percent in 2024. 67 percent of enterprises plan SASE integration by year-end, driven by cloud-app traffic patterns.
The autonomous-actions list above is what the SASE underlay needs to be running by then.
Self-driving in the AP. Identity-aware policy in the SASE plane. Telemetry observable across both.
If your campus is on the Aruba or Juniper side of HPE's portfolio, the next twelve months are about turning on what shipped this week, validating what it does and doesn't remediate, and deciding which class of incident still routes to your NOC.
Autonomous networking is not the absence of operators.
It's a higher bar for what an operator does.
How we plug in: Our VEMIO™ practice sits exactly where this matters. When the AP self-tunes RF, the audit trail is in the controller. When the SASE underlay re-routes traffic, the telemetry is in the gateway. VEMIO™ unifies both into a single observability plane so the human operator running the NOC sees what the autonomous layer just did, in context, instead of stitching three vendor consoles together at 2 a.m. We have built this for managed-services books across BFSI, manufacturing, and pharma in India.
🔍 Links We Liked This Week
Two India ransomware claims in a week: Sinobi against Positiwise Infotech and "thegentlemen" against NRT India
DeXpose, 2026-05-05.
Both are leak-site claims, not forensically confirmed breaches. The pattern worth noting: Sinobi's known method is access to Hyper-V, then virtual machines, then customer backups. Audit your hypervisor exposure and your backup isolation regardless of whether either claim turns out to hold.
Microsoft takes Agent 365 GA; "shadow AI" becomes a named enterprise category
VentureBeat, 2026-05-01.
The interesting bit isn't the GA. It's the public preview of registry sync to AWS Bedrock and Google Cloud agent registries. Microsoft is positioning Agent 365 as the cross-cloud agent governance plane. The Gravitee figure cited in the same week: of an estimated three million AI agents already running inside enterprises, only 47.1 percent are actively monitored or secured.
Gartner identifies six steps to manage AI agent sprawl
Gartner, 2026-04-28.
Worth pairing with the Microsoft piece above. Same problem, framed from the IT-leadership side.
Cognizant sets aside $270M for layoffs under "Project Leap"; up to 15,000 jobs
CRN, 2026-05-08.
The Indian-IT-services workforce is restructuring under your feet. If your managed-services contract is with a firm running this kind of program, ask what the bench looks like for your account in Q3.
Lumen acquires Alkira for $475M
Data Center Dynamics, 2026-05.
Telco buying a network-as-a-service startup to chase multi-cloud. Belden bought Ruckus last week. The transport-and-fabric supplier split is collapsing.
💡 My Take
If you only do one thing with this issue, it should be this.
Patch the products that watch the products.
The PAN-OS captive portal, the FortiClient EMS console, the Cisco Crosswork orchestrator. Those are not endpoints. They are the management planes that decide what the rest of the network does. When they fall, everything else they manage falls with them.
That is the thread running through the week's CVEs, through the CERT-In urgent advisory, through the DPDP timeline compression, and through the Airtel and HPE launches. Each one is, in its own way, an argument that the management plane has become the most valuable target on the network.
Watch the watchers first.
The reactive read of this week is: patch order. Inventory the four advisories, line them up against your deployment, schedule the windows, document for the auditor.
The proactive read is harder. It is the discipline of asking, every quarter, "what new control plane did we add to the network in the last 90 days, and what is its blast radius if it gets compromised at 3 a.m. on a Saturday?"
Most Indian enterprises do the reactive read in week one and never get to the proactive read.
If your managed services provider is delivering the reactive read for you, that is the floor of the contract. If they are running the proactive read with you, that is the ceiling.
The gap between those two readings is the entire reason a managed services contract exists.
VEMIO™ is the place we put the proactive read into a single observability plane. Patch coverage. Management-plane reachability. Vendor-advisory tracking. Runbook timestamps. The artefacts the auditor and the CIO and the night-shift NOC operator all need from different angles.
This week's CVE list will be patched by next Friday.
The next week's CVE list is already in someone's draft folder.
You either run a system that sees both, or you keep running incident-response on whatever made it to the news.
Reply to this email with the one piece of management-plane infrastructure you have not patched in the last 90 days, and we will feature the most operationally interesting reply (anonymised, with consent) next issue.
Until next time,
Ajay Salvi & the Vinay Enterprises team.
