# [CRIT] Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now

**Source:** The Hacker News, Unit 42 (Palo Alto)
**Published:** 2026-06-09
**Article:** https://thehackernews.com/2026/06/chrome-v8-zero-day-cve-2026-11645.html

## Threat Profile

Threat Research Center 
High Profile Threats 
Vulnerabilities 
Vulnerabilities 
Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 
2 min read 
Related Products Advanced URL Filtering Cortex Cortex Xpanse GlobalProtect Next-Generation Firewall 
By: Andy Piazza 
Unit 42 
Published: June 5, 2026 
Categories: High Profile Threats 
Vulnerabilities 
Tags: CVE-2026-0257 
Vulnerability 
Palo Alto Networks Unit 42 has observed active exploitation of PAN-OS vulnerability CVE-2026-0257 by an uniden…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-0257`
- **IPv4 (defanged):** `23.128.228.6`
- **IPv4 (defanged):** `104.207.144.154`
- **IPv4 (defanged):** `146.19.216.119`
- **IPv4 (defanged):** `146.19.216.120`
- **IPv4 (defanged):** `146.19.216.125`
- **IPv4 (defanged):** `179.43.172.213`
- **IPv4 (defanged):** `185.195.232.139`
- **IPv4 (defanged):** `198.12.106.60`
- **IPv4 (defanged):** `202.144.192.47`
- **IPv4 (defanged):** `209.99.191.137`
- **IPv4 (defanged):** `79.130.26.202`

## MITRE ATT&CK Techniques

- **T1071.001** — Web Protocols
- **T1071.004** — DNS
- **T1071** — Application Layer Protocol
- **T1190** — Exploit Public-Facing Application
- **T1021.002** — SMB/Windows Admin Shares
- **T1569.002** — Service Execution
- **T1059.001** — PowerShell
- **T1027** — Obfuscated Files or Information
- **T1219** — Remote Access Software
- **T1189** — Drive-by Compromise
- **T1203** — Exploitation for Client Execution

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Unpatched Chrome vulnerable to CVE-2026-11645 and 2026 in-the-wild zero-days

`UC_84_6` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstSeen max(_time) as lastSeen from datamodel=Vulnerabilities.Vulnerabilities where Vulnerabilities.cve IN ("CVE-2026-11645","CVE-2026-2441","CVE-2026-3909","CVE-2026-3910","CVE-2026-5281") by Vulnerabilities.dest Vulnerabilities.signature Vulnerabilities.cve Vulnerabilities.severity Vulnerabilities.cvss | `drop_dm_object_name(Vulnerabilities)` | `security_content_ctime(firstSeen)` | `security_content_ctime(lastSeen)` | sort - cvss
```

**Defender KQL:**
```kql
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2026-11645","CVE-2026-2441","CVE-2026-3909","CVE-2026-3910","CVE-2026-5281")
| where SoftwareName has "chrome" or SoftwareVendor has "google"
| join kind=leftouter (
    DeviceTvmSoftwareInventory
    | where SoftwareName has "chrome"
    | summarize arg_max(Timestamp, SoftwareVersion, EndOfSupportStatus) by DeviceId, SoftwareName
  ) on DeviceId
| project Timestamp, DeviceName, OSPlatform, SoftwareVendor, SoftwareName, InstalledVersion=SoftwareVersion, CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate
| order by VulnerabilitySeverityLevel asc, Timestamp desc
```

### Chrome process executing with pre-fix V8 version (149.0.7827.<102) post-disclosure

`UC_84_7` · phase: **exploit** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstSeen max(_time) as lastSeen values(Processes.process_version) as process_version from datamodel=Endpoint.Processes where Processes.process_name=chrome.exe by Processes.dest Processes.user Processes.process_version | `drop_dm_object_name(Processes)` | where match(process_version, "^\d+\.\d+\.\d+\.\d+$") | rex field=process_version "^(?<major>\d+)\.(?<minor>\d+)\.(?<build>\d+)\.(?<patch>\d+)$" | eval major=tonumber(major), minor=tonumber(minor), build=tonumber(build), patch=tonumber(patch) | where (major<149) OR (major=149 AND minor=0 AND build<7827) OR (major=149 AND minor=0 AND build=7827 AND patch<102) | `security_content_ctime(firstSeen)` | `security_content_ctime(lastSeen)` | sort - lastSeen
```

**Defender KQL:**
```kql
let FixedMajor = 149;
let FixedBuild = 7827;
let FixedPatch = 102;
DeviceProcessEvents
| where Timestamp > datetime(2026-06-09)
| where FileName =~ "chrome.exe"
| where ProcessVersionInfoCompanyName has "Google"
| where isnotempty(ProcessVersionInfoProductVersion)
| extend Parts = split(ProcessVersionInfoProductVersion, ".")
| extend Major = toint(Parts[0]), Minor = toint(Parts[1]), Build = toint(Parts[2]), Patch = toint(Parts[3])
| where isnotnull(Major) and isnotnull(Build) and isnotnull(Patch)
| where (Major < FixedMajor)
     or (Major == FixedMajor and Minor == 0 and Build < FixedBuild)
     or (Major == FixedMajor and Minor == 0 and Build == FixedBuild and Patch < FixedPatch)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), ExecCount=count(), AnyCmd=any(ProcessCommandLine) by DeviceName, AccountName, ProcessVersionInfoProductVersion, FolderPath
| order by LastSeen desc
```

### Beaconing — periodic outbound to small set of destinations

`UC_BEACONING` · phase: **c2** · confidence: **Medium**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count, values(All_Traffic.dest_port) AS ports
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.action="allowed" AND All_Traffic.dest_category!="internal"
    by _time span=10s, All_Traffic.src, All_Traffic.dest
| `drop_dm_object_name(All_Traffic)`
| streamstats current=f last(_time) AS prev_time by src, dest
| eval delta = _time - prev_time
| stats avg(delta) AS avg_delta stdev(delta) AS sd_delta count by src, dest
| where count > 30 AND sd_delta < 5 AND avg_delta>=30 AND avg_delta<=600
| sort - count
```

**Defender KQL:**
```kql
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteIPType == "Public" and ActionType == "ConnectionSuccess"
| project DeviceName, RemoteIP, RemotePort, Timestamp
| sort by DeviceName asc, RemoteIP asc, RemotePort asc, Timestamp asc
| extend prev_dev = prev(DeviceName, 1), prev_ip = prev(RemoteIP, 1),
         prev_port = prev(RemotePort, 1), prev_ts = prev(Timestamp, 1)
| where DeviceName == prev_dev and RemoteIP == prev_ip and RemotePort == prev_port
| extend delta_sec = datetime_diff('second', Timestamp, prev_ts)
| summarize conn_count = count(), avg_delta = avg(delta_sec), stdev_delta = stdev(delta_sec)
    by DeviceName, RemoteIP, RemotePort
| where conn_count > 30 and avg_delta between (30.0 .. 600.0) and stdev_delta < 5.0
| order by conn_count desc
```

### Remote service execution — PsExec / SMB lateral movement

`UC_LATERAL_PSEXEC` · phase: **actions** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name IN ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py")
       OR (Processes.process_name="wmic.exe" AND Processes.process="*/node:*")
    by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name
| `drop_dm_object_name(Processes)`
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where AccountName !endswith "$"
| where FileName in~ ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py")
   or (FileName =~ "wmic.exe" and ProcessCommandLine has "/node:")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
```

### PowerShell encoded / obfuscated command

`UC_PS_OBFUSCATED` · phase: **exploit** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name IN ("powershell.exe","pwsh.exe")
      AND (Processes.process="*-enc *" OR Processes.process="*EncodedCommand*"
        OR Processes.process="*FromBase64String*" OR Processes.process="*-nop*"
        OR Processes.process="*-w hidden*" OR Processes.process="*Invoke-Expression*"
        OR Processes.process="*IEX(*" OR Processes.process="*DownloadString*"
        OR Processes.process="*Net.WebClient*")
    by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name
| `drop_dm_object_name(Processes)`
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where AccountName !endswith "$"
| where FileName in~ ("powershell.exe","pwsh.exe")
| where ProcessCommandLine matches regex @"(?i)(-enc|encodedcommand|frombase64string|-nop|-w\s+hidden|invoke-expression|iex\s*\(|downloadstring|net\.webclient)"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
```

### RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard

`UC_RMM_TOOLS` · phase: **install** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name IN ("AnyDesk.exe","TeamViewer.exe","TeamViewer_Service.exe",
        "ScreenConnect.ClientService.exe","ConnectWiseControl.ClientService.exe",
        "atera_agent.exe","SplashtopStreamer.exe","RustDesk.exe","NinjaOne.exe","kaseya*.exe")
    by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name
| `drop_dm_object_name(Processes)`
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where AccountName !endswith "$"
| where FileName in~ ("AnyDesk.exe","TeamViewer.exe","TeamViewer_Service.exe",
        "ScreenConnect.ClientService.exe","ConnectWiseControl.ClientService.exe",
        "atera_agent.exe","SplashtopStreamer.exe","RustDesk.exe","NinjaOne.exe")
   or FileName matches regex @"(?i)kaseya.*\.exe"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Network connections to article IPs / domains** ([template](../_TEMPLATES.md#network-ioc)) — phase: **c2**, confidence: **High**
  - IP / domain IOC(s): `23.128.228.6`, `104.207.144.154`, `146.19.216.119`, `146.19.216.120`, `146.19.216.125`, `179.43.172.213`, `185.195.232.139`, `198.12.106.60` _(+3 more)_

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-0257`


## Why this matters

Severity classified as **CRIT** based on: CVE present, IOCs present, 8 use case(s) fired, 11 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.