PAN-OS VPN Bypass and Gogs RCE Exploited Amid AI Phishing

CVE-2026-0257 in PAN-OS is being used to create VPN sessions; Rapid7 disclosed a Gogs RCE zero-day that enables repository takeovers amid rising AI-assisted phishing and supply-chain abuse.

A PAN-OS authentication-bypass flaw and an unpatched Gogs remote code execution vulnerability are being exploited as AI-assisted phishing and supply-chain attacks increase. Palo Alto Networks and Rapid7 published separate advisories outlining active abuse and exploitation risks.

Palo Alto Networks reported that CVE-2026-0257, assigned a CVSS score of 7.8, affects firewalls running GlobalProtect portals or gateways when authentication override cookies are enabled and a specific certificate configuration is present. The vulnerability can allow an attacker to bypass authentication and establish VPN sessions. The vendor reported active exploitation in the wild and advised operators to review configurations and follow its mitigation guidance.

Rapid7 disclosed a critical zero-day in the self-hosted Git service Gogs. The flaw can be triggered by malicious branch names in pull requests and allows authenticated attackers to execute arbitrary commands as the Gogs server process user. Rapid7 noted that default Gogs instances ship with open registration and no repository-creation limits, which lets unauthenticated actors create accounts and push repositories. Rebase merging, a single setting a repository owner can enable, allows the exploit chain to run without interaction from other users. Rapid7 outlined that a successful attack can expose all repositories on an instance, dump credentials and secrets, pivot to other systems, and modify hosted code. No patch was available at the time of disclosure. Affected deployments include Windows, Linux and macOS installations running default settings.

On May 26, CrowdStrike, working with Google and the Shadowserver Foundation, took down four command-and-control servers used by the GlassWorm operation. GlassWorm distributed malware through trojanized Visual Studio Code extensions and compromised npm and Python packages. The coordinated takedown severed the operators’ access to infected hosts; affected endpoints were instructed to beacon to the IP address 164.92.88.210 to help identify infections.
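The takedown leaves one concrete thing for defenders to search for: any host on the network that has tried to reach the address above has a good chance of running a GlassWorm payload. The following Python script is an added example (not code from CrowdStrike, Google or Shadowserver); it parses constructed firewall egress log lines, counts beacon attempts per source host, and deliberately requires an exact match on the address so that a neighbouring IP such as 164.92.88.21 is not flagged. The log format is assumed for illustration.

```python
import re
from collections import defaultdict

# Address to which infected hosts were redirected after the takedown (from the article).
GLASSWORM_SINKHOLE = "164.92.88.210"

# Constructed sample egress log (syslog-style); not real telemetry.
SAMPLE_EGRESS_LOG = """\
May 27 10:01:12 fw01 conn: src=10.0.4.17 dst=164.92.88.210 dport=443 proto=tcp action=allow
May 27 10:01:15 fw01 conn: src=10.0.4.18 dst=93.184.216.34 dport=443 proto=tcp action=allow
May 27 10:02:40 fw01 conn: src=10.0.4.17 dst=164.92.88.210 dport=443 proto=tcp action=allow
May 27 10:03:05 fw01 conn: src=10.0.9.2 dst=164.92.88.210 dport=80 proto=tcp action=deny
May 27 10:03:50 fw01 conn: src=10.0.4.18 dst=164.92.88.21 dport=443 proto=tcp action=allow
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(rf"src=(?P<src>{IPV4}) dst=(?P<dst>{IPV4}) dport=(?P<dport>\d+)")


def parse_line(line):
    """Extract (src, dst, dport) from one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def find_sinkhole_contacts(log_text, sinkhole=GLASSWORM_SINKHOLE):
    """Return {source_ip: attempt_count} for hosts that tried to reach the sinkhole.

    Denied connections still count: the attempt itself indicates an infected host,
    whether or not the firewall let the beacon through.
    """
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, _dport = parsed
        if dst == sinkhole:  # exact string match, so 164.92.88.21 is not a hit
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, count in sorted(find_sinkhole_contacts(SAMPLE_EGRESS_LOG).items()):
        print(f"{host}: {count} beacon attempt(s) to {GLASSWORM_SINKHOLE}")
```

Hosts returned by `find_sinkhole_contacts` are candidates for triage (check installed VS Code extensions and recently installed npm or Python packages), not confirmed infections on their own.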

India’s CERT-In urged organizations to speed remediation, recommending that actively exploited, internet-facing or crown-jewel systems be patched within 12 hours where feasible. The agency provided indicative timelines for other cases: one day for critical externally exposed flaws, three days for critical internal vulnerabilities on high-value systems, and five days for high-severity issues, to be applied according to operational criticality.

Researchers reported multiple campaigns that combine AI tools and supply-chain tactics. Attackers used AI chatbots to redirect searches for popular tools to malicious sites that drop cryptomining malware and install persistent remote-access tools. A phishing-as-a-service kit named EvilTokens automates OAuth device-code phishing at scale. A group tracked as GREYVIBE has been observed integrating large language models into reconnaissance and social-engineering workflows in attacks targeting Ukraine. Security researchers also recorded increased scanning of SonicWall management interfaces and continued probing of recently disclosed vulnerabilities.
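Device-code phishing of the kind EvilTokens automates has a detectable shape on the identity provider side: the code is requested by the attacker's tooling from one network, and the victim approves it from their own browser on another. The Python script below is an added example (not EvilTokens, and not any vendor's detection rule) that correlates constructed device-code issuance and authorization events by code identifier and raises an alert when the requesting IP differs from the approving IP or the request came from outside trusted networks. The event schema, field names and the trusted range are all assumptions made for this example.

```python
import ipaddress

# Constructed identity-provider events; the schema and field names are assumed
# for illustration and do not correspond to any specific product's log format.
SAMPLE_EVENTS = [
    {"ts": "2026-05-27T08:00:01Z", "event": "device_code_issued",
     "code_id": "dc-001", "client_ip": "198.51.100.23"},
    {"ts": "2026-05-27T08:03:44Z", "event": "device_code_authorized",
     "code_id": "dc-001", "user": "alice@example.test", "client_ip": "203.0.113.8"},
    {"ts": "2026-05-27T08:10:00Z", "event": "device_code_issued",
     "code_id": "dc-002", "client_ip": "10.20.0.5"},
    {"ts": "2026-05-27T08:10:30Z", "event": "device_code_authorized",
     "code_id": "dc-002", "user": "bob@example.test", "client_ip": "10.20.0.5"},
    {"ts": "2026-05-27T09:00:00Z", "event": "device_code_issued",
     "code_id": "dc-003", "client_ip": "10.20.0.9"},
    {"ts": "2026-05-27T09:01:10Z", "event": "device_code_authorized",
     "code_id": "dc-003", "user": "carol@example.test", "client_ip": "203.0.113.44"},
]

# Assumed corporate address space for this example.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def in_trusted_network(ip, networks=TRUSTED_NETWORKS):
    """True if the address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_suspicious_device_code_grants(events, networks=TRUSTED_NETWORKS):
    """Pair each authorization with the issuance of the same code and score it.

    Two signals are combined: the code was requested from a different IP than
    the one that approved it, and the request came from outside trusted networks.
    Both together is the classic phishing pattern; one alone merits a look.
    """
    issued = {e["code_id"]: e for e in events if e["event"] == "device_code_issued"}
    alerts = []
    for e in events:
        if e["event"] != "device_code_authorized":
            continue
        issuer = issued.get(e["code_id"])
        if issuer is None:
            continue  # no issuance seen in this window; nothing to correlate
        reasons = []
        if issuer["client_ip"] != e["client_ip"]:
            reasons.append("code requested from a different IP than the one that approved it")
        if not in_trusted_network(issuer["client_ip"], networks):
            reasons.append("code requested from outside trusted networks")
        if reasons:
            alerts.append({
                "user": e["user"],
                "code_id": e["code_id"],
                "issuer_ip": issuer["client_ip"],
                "approver_ip": e["client_ip"],
                "severity": "high" if len(reasons) == 2 else "medium",
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_device_code_grants(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['user']} {a['code_id']} "
              f"issued={a['issuer_ip']} approved={a['approver_ip']}: {'; '.join(a['reasons'])}")
```

The medium-severity case (dc-003) is the legitimate-looking variant where a device on the corporate network requests a code and the user approves it from a phone on a mobile network; it is kept in the output so an analyst can tune the trusted ranges rather than silently dropping it.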

Rapid7 and Palo Alto Networks published checks and mitigation steps for affected systems. Rapid7 emphasized exposure on default-configured Gogs instances across operating systems. Palo Alto Networks recommended that administrators verify whether authentication override cookies are enabled on GlobalProtect portals or gateways and implement the vendor’s recommended mitigations.
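Both advisories reduce to configuration questions an administrator can answer from an exported config: is registration open on the Gogs instance, and which GlobalProtect client configurations have authentication override cookies enabled. The Python script below is an added example (not Rapid7's check and not Palo Alto Networks' tooling) that audits constructed fragments of each. For Gogs it reads the `[service]` keys `DISABLE_REGISTRATION` and `REQUIRE_SIGNIN_VIEW` from `app.ini`, which are Gogs settings, shown here with the weak defaults beside a hardened version; for PAN-OS the XML layout around `<authentication-override>`, `<generate-cookie>` and `<accept-cookie>` is assumed for this example and should be checked against a real export. The PAN-OS audit only surfaces where cookies are enabled; whether the certificate condition described in the advisory also applies, and which mitigation to apply, is a decision for the administrator following the vendor's guidance.

```python
import configparser
import xml.etree.ElementTree as ET

# --- Gogs: constructed app.ini fragments (not from any real deployment) ---
GOGS_DEFAULT_INI = """\
[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false
"""

GOGS_HARDENED_INI = """\
[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = true
"""


def audit_gogs_ini(ini_text):
    """Return findings for the [service] section of a Gogs app.ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Gogs' upper-case key names as written
    cp.read_string(ini_text)
    findings = []

    def expect(key, wanted, why):
        # Gogs defaults both keys to false when absent, so missing == weak.
        val = cp.get("service", key, fallback="false").strip().lower()
        if val != wanted:
            findings.append(f"[service] {key}={val}: {why}")

    expect("DISABLE_REGISTRATION", "true",
           "open registration lets anyone create an account and push repositories")
    expect("REQUIRE_SIGNIN_VIEW", "true",
           "anonymous users can browse hosted code")
    return findings


# --- PAN-OS: constructed GlobalProtect portal fragment; XML paths assumed ---
PANOS_TEMPLATE = """\
<config>
  <global-protect>
    <global-protect-portal>
      <entry name="gp-portal">
        <client-config>
          <configs>
            <entry name="default">
              <authentication-override>
                <generate-cookie>{flag}</generate-cookie>
                <accept-cookie>{flag}</accept-cookie>
              </authentication-override>
            </entry>
          </configs>
        </client-config>
      </entry>
    </global-protect-portal>
  </global-protect>
</config>
"""
PANOS_COOKIES_ON_XML = PANOS_TEMPLATE.format(flag="yes")
PANOS_COOKIES_OFF_XML = PANOS_TEMPLATE.format(flag="no")


def audit_panos_gp(xml_text):
    """List every authentication-override block with cookie generation/acceptance on."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for ao in root.iter("authentication-override"):
        # Name the location by the chain of enclosing <entry name="..."> elements.
        names, node = [], ao
        while node in parents:
            node = parents[node]
            if node.tag == "entry" and node.get("name"):
                names.append(node.get("name"))
        where = "/".join(reversed(names)) or "(unnamed)"
        for setting in ("generate-cookie", "accept-cookie"):
            el = ao.find(setting)
            if el is not None and (el.text or "").strip().lower() == "yes":
                findings.append(f"{where}: {setting}=yes")
    return findings


if __name__ == "__main__":
    for label, text in (("gogs default", GOGS_DEFAULT_INI), ("gogs hardened", GOGS_HARDENED_INI)):
        print(label, audit_gogs_ini(text) or "no findings")
    for label, text in (("panos cookies on", PANOS_COOKIES_ON_XML), ("panos cookies off", PANOS_COOKIES_OFF_XML)):
        print(label, audit_panos_gp(text) or "no findings")
```

On a live Gogs instance the INI text comes from the deployment's `custom/conf/app.ini`; on a firewall, from a running-config export. Closing registration addresses only the unauthenticated-account-creation step Rapid7 described; with no patch available, existing accounts and repository settings such as rebase merging still warrant review.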

Security teams and vendors reported that repository-based distribution and automated phishing tools can allow threat actors to relaunch campaigns using new accounts or package names.
