Weekly Recap: PAN-OS Exploit, Gogs Zero-Day, GlassWorm Takedown, and AI-Driven Threats
This week's cybersecurity roundup covers active exploitation of a PAN-OS flaw, a critical unpatched Gogs RCE, the takedown of the GlassWorm C2 operation, and AI-powered attacks against Ukraine.

The past week in cybersecurity was marked by a flurry of activity, from active exploitation of a Palo Alto Networks firewall vulnerability to the takedown of a sophisticated malware operation. A critical unpatched zero-day in the open-source Git service Gogs also emerged, while threat actors continued to leverage artificial intelligence to enhance their attacks. Here's a breakdown of the key stories.
Palo Alto Networks warned that CVE-2026-0257, a medium-severity authentication bypass in PAN-OS and Prisma Access GlobalProtect, is now under active exploitation. The flaw, carrying a CVSS score of 7.8, allows attackers to set up VPN connections when authentication override cookies are enabled with a specific certificate configuration. Rapid7 MDR reported observing exploitation in the wild, with attackers using cookie-based authentication to access internal networks. Organizations using affected firewalls are urged to apply patches immediately.
A critical unpatched zero-day vulnerability in Gogs, the popular self-hosted Git service, exposes servers to remote code execution (RCE). Discovered by Rapid7, the injection flaw can be exploited by authenticated attackers via pull requests with malicious branch names. Since Gogs ships with open registration enabled by default, an unauthenticated attacker can simply create an account and repository on any default-configured instance. The exploit chain requires no interaction from other users and can lead to full server compromise, including access to all repositories and credentials. No patch has been released as of publication.
In a coordinated takedown, CrowdStrike, Google, and the Shadowserver Foundation dismantled the GlassWorm malware operation on May 26, 2026, by simultaneously taking down all four of its command-and-control (C2) channels. GlassWorm, which emerged last year, conducted a multi-pronged campaign using trojanized VS Code extensions published on the Microsoft VS Code Marketplace and Open VSX, as well as compromised npm and Python packages. Evidence suggests the operators are of Russian origin. The takedown severed the operators' access to infected hosts, but experts warn that the broader economics of repository abuse mean the operators could resurface under new accounts.
India's CERT-In issued new guidelines urging organizations to patch actively exploited vulnerabilities in internet-facing or crown-jewel systems within 12 hours, citing the speed that AI now brings to cyberattacks. The agency warned that AI-assisted attacks are dramatically compressing the time between vulnerability disclosure and exploitation. The framework also recommends one-day remediation for critical externally exposed vulnerabilities and three days for critical internal vulnerabilities affecting high-value systems.
A previously undocumented Russian group codenamed GREYVIBE has been found to make extensive use of large language models (LLMs) in attacks against private, government, and military organizations in Ukraine. WithSecure reported that the group, active since August 2025, uses AI in an operationally integrated manner to gather intelligence for the ongoing war. The group's ties to the broader cybercrime ecosystem suggest it may involve current or former cybercriminal actors.
Finally, a new campaign is using AI chatbot recommendations to redirect users to sketchy sites that trick them into downloading cryptojacking malware. The campaign leverages searches for popular tools in AI chatbots to drive traffic to malicious sites. This highlights the growing trend of attackers using AI to lower the barrier for social engineering and malware distribution.