The cybersecurity landscape continued its rapid evolution this past week, with a significant focus on rapidly exploited vulnerabilities and the increasing role of artificial intelligence in both hacking and defense. A critical flaw in the Gogs self-hosted Git service emerged as a major concern, enabling remote code execution for authenticated attackers. Meanwhile, the speed at which vulnerabilities are being weaponized has prompted urgent calls for faster patching, particularly in India. The week also saw the dismantling of the GlassWorm command-and-control infrastructure, though concerns remain about the broader ecosystem of repository abuse. As attackers increasingly leverage AI, defenders are urged to adapt their strategies to counter these evolving threats.
A notable trend this week is the speed at which vulnerabilities are being actively exploited following their disclosure. The Palo Alto Networks PAN-OS GlobalProtect authentication bypass (CVE-2026-0257) serves as a prime example, with attackers already leveraging the medium-severity flaw to establish unauthorized VPN connections. This trend underscores the shrinking window between a patch being released and its exploitation in the wild, a phenomenon exacerbated by AI-powered attack tools that lower the barrier to entry for malicious actors.
⚡ Threat of the Week: PAN-OS Authentication Bypass Under Exploitation
Palo Alto Networks issued a warning that a recently disclosed authentication bypass vulnerability in PAN-OS, tracked as CVE-2026-0257, is currently being exploited by threat actors. This medium-severity flaw carries a CVSS score of 7.8 and could allow attackers to establish unauthorized VPN connections. The vulnerability specifically impacts firewalls configured with GlobalProtect portal or gateway functionality, especially when authentication override cookies are enabled alongside a particular certificate configuration.
🔔 Top Cybersecurity News and Trends
The week’s top news highlights the critical vulnerabilities and evolving tactics employed by cybercriminals. A critical zero-day flaw in the popular Gogs self-hosted Git service represents a significant risk, allowing for remote code execution and potential compromise of sensitive data. In contrast, a coordinated effort led by CrowdStrike successfully dismantled the GlassWorm command-and-control infrastructure, a testament to collaborative cybersecurity efforts. However, the underlying issues of open-source ecosystem abuse persist, suggesting that such campaigns may resurface in different forms.
Compounding these concerns, CERT-In in India has issued urgent advisories recommending that organizations patch actively exploited vulnerabilities within 12 hours. This accelerated timeline is a direct response to the increased speed of cyberattacks, largely attributed to the influence of artificial intelligence. The agency noted that AI-assisted attacks are dramatically compressing the time between vulnerability disclosure and exploitation, necessitating a more proactive and rapid patching strategy.
Furthermore, the emergence of the GREYVIBE group, which extensively utilizes large language models (LLMs) for intelligence gathering against Ukraine, demonstrates the growing integration of AI in state-sponsored operations. This trend is mirrored in phishing campaigns where AI chatbot recommendations are being manipulated to redirect users toward cryptojacking malware, underscoring the multifaceted ways AI is lowering the bar for sophisticated cybercrime.
Critical Unpatched Flaw in Gogs Exposes Servers
Rapid7 has reported a critical zero-day vulnerability in Gogs, an open-source self-hosted Git service, which enables remote code execution (RCE). The injection flaw can be exploited by authenticated attackers via pull requests containing malicious branch names. Due to Gogs’ default open registration and repository creation settings, unauthenticated attackers can also gain entry by creating an account. Once in, an attacker with write access to repositories configured with rebase merging can execute arbitrary commands as the Gogs server process, leading to potential compromise of the entire server, access to private repositories, and exfiltration of credentials.
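The Gogs item above describes an injection in which attacker-controlled branch names reach a git command. As an added example (not Gogs code, and not a description of the actual Gogs code path), the Python below shows the two controls that close this bug class in any service that shells out to git: validate ref names against git's own rules and reject a leading '-', then hand the name to git as a single argv element under refs/heads/ with no shell in between. The function names and the repository path are hypothetical.

```python
import subprocess

# Characters git forbids anywhere in a ref name, plus ASCII control characters.
_FORBIDDEN_CHARS = set(" ~^:?*[\\") | {chr(c) for c in range(0x20)} | {"\x7f"}


def validate_branch_name(name: str) -> None:
    """Raise ValueError unless `name` follows git's ref-name rules
    (the checks behind `git check-ref-format --branch`).

    A leading '-' is rejected as well, so a name can never be parsed as
    a command-line option by git.
    """
    if not name or name == "@":
        raise ValueError("empty or reserved branch name")
    if name.startswith("-"):
        raise ValueError("branch name must not begin with '-'")
    if any(ch in _FORBIDDEN_CHARS for ch in name):
        raise ValueError("branch name contains a forbidden character")
    if ".." in name or "@{" in name or "//" in name:
        raise ValueError("branch name contains a forbidden sequence")
    if name.endswith("/") or name.endswith("."):
        raise ValueError("branch name must not end with '/' or '.'")
    for component in name.split("/"):
        if component.startswith(".") or component.endswith(".lock"):
            raise ValueError("branch name has a forbidden path component")


def is_valid_branch_name(name: str) -> bool:
    """Boolean wrapper around validate_branch_name."""
    try:
        validate_branch_name(name)
    except ValueError:
        return False
    return True


def git_argv(branch: str) -> list[str]:
    """Build the argv that resolves a branch to a commit id.

    Two properties make this safe regardless of the branch name:
    - the name is one argv element, never part of a shell command string;
    - it is fully qualified under refs/heads/, so it cannot be read as an
      option even if the validation above were relaxed.
    """
    validate_branch_name(branch)
    return ["git", "rev-parse", "--verify", f"refs/heads/{branch}"]


def resolve_branch(repo_dir: str, branch: str) -> str:
    """Return the commit id of `branch` in the repository at `repo_dir`.

    subprocess.run with a list and without shell=True passes each element
    to git directly; no shell ever sees or interprets the branch name.
    """
    result = subprocess.run(
        git_argv(branch), cwd=repo_dir, capture_output=True, text=True, check=True
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # git's own rules are not a shell-safety filter: "main;id" is a legal ref
    # name and is harmless here only because it never reaches a shell.
    for candidate in ["feature/login-42", "main;id", "-oProxyCommand=x", "a..b", "hot fix"]:
        try:
            print("accepted:", git_argv(candidate))
        except ValueError as exc:
            print(f"rejected {candidate!r}: {exc}")
```

The point worth taking from the sample run is that validation and argv separation are independent controls: git's ref rules permit characters such as ';' and '$', so a service that builds a command string would still be injectable after "validating" the name. Passing a list to subprocess (or the equivalent exec call in Go, which Gogs is written in) is the control that removes the shell from the path.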
GlassWorm C2 Infrastructure Dismantled
CrowdStrike, Google, and the Shadowserver Foundation announced the successful takedown of all four command-and-control (C2) channels for the GlassWorm malware operation. This malware, active since last year, used trojanized VS Code extensions and compromised npm and Python packages. The coordinated action has severed the operators’ access to infected hosts. Evidence suggests the operators are Russian, based on the malware’s locale checks and Russian-language comments in its code. While this disrupts the operation, the broader issue of repository abuse and the potential for operators to resurface remains a significant concern.
CERT-In Urges Rapid Patching Amidst AI-Driven Attacks
India’s CERT-In has advised organizations to patch actively exploited vulnerabilities on internet-facing systems within 12 hours, where feasible. This recommendation acknowledges the accelerated pace of cyberattacks due to artificial intelligence. The agency also suggests one-day remediation for critical externally exposed vulnerabilities and three to five days for other high-severity flaws, emphasizing risk prioritization and the reduced timeframes between vulnerability disclosure and exploitation.
GREYVIBE Group Leverages AI for Intelligence Gathering
A previously undocumented Russian group, codenamed GREYVIBE, has been observed extensively using large language models (LLMs) in its attacks against Ukrainian organizations. The group, active since August 2025, aims to gather intelligence for the ongoing war, with indications of ties to the cybercrime ecosystem. Their use of AI is described as “operationally integrated rather than isolated or experimental,” highlighting the pervasive nature of AI in modern cyber operations.
AI Chatbot Recommendations Lead to Cryptojacking Malware
A new campaign is abusing AI chatbots as a distribution channel: when users ask for popular tools, the chatbot's recommendations point them to malicious websites. These sites trick users into downloading executables that install cryptocurrency miners and establish persistent remote access. This tactic, leveraging AI chatbots as an entry point, demonstrates how threat actors are adapting to new technologies for malicious purposes, including financial gain and broader network compromise.
🔥 Trending CVEs Highlight Active Exploitation
The rapid exploitation of vulnerabilities remains a critical concern, with the gap between patch release and active exploitation continuing to shrink. Key vulnerabilities this week include CVE-2026-8732 in the WP Maps Pro plugin, CVE-2026-0257 in Palo Alto Networks PAN-OS and Prisma Access, and CVE-2026-27771 in Gitea. Other notable CVEs span a wide range of software, including Microsoft SharePoint, Casdoor, Notepad++, Veeam Backup & Replication, and BIND 9, underscoring the pervasive nature of security weaknesses across diverse platforms.
The list of trending CVEs also includes issues in Oracle, Samba, Microsoft Windows 11, OpenVPN Connect for macOS, and GitLab. Additionally, specific vulnerabilities were noted in Gogs, Microsoft Visual Studio Code Remote-SSH extension, and Roundcube Webmail. The sheer volume and variety of these vulnerabilities necessitate a consistent and vigilant patching strategy for all organizations.
The ongoing exploitation of vulnerabilities in widely used software like WordPress plugins and remote access tools signifies a persistent threat landscape. Organizations are strongly advised to prioritize patching based on severity and active exploitation status, focusing on CVEs that pose the most immediate risk to their operations. The emergence of issues like CVE-2025-59199, dubbed “Click Or Trick,” in Microsoft Windows 11 further emphasizes the need for timely updates from major software vendors.
Around the Cyber World
New Windows Flaw Under Attack: Belgium’s Centre for Cybersecurity (CCB) has alerted organizations to the active exploitation of CVE-2026-41089, a recently patched Windows flaw involving a stack-based buffer overflow in Netlogon that allows for remote code execution. Microsoft addressed this vulnerability in its May 2026 Patch Tuesday update.
Anthropic Confirms Mythos Release Plans: Anthropic has announced its intention to release Mythos-class models to all customers in the coming weeks, stating that it is actively developing stronger cyber safeguards in preparation for the rollout.
New Linux Flaw CIFSwitch Uncovered: A local privilege escalation (LPE) vulnerability on Linux, dubbed CIFSwitch, has been discovered. It allows low-privileged users to gain root access by exploiting a logic flaw in the Linux kernel CIFS client and the cifs-utils package. A patch for this kernel-side bug, which has existed since 2007, has been merged into mainline Linux.
Dashlane Warns of Brute-Force Attack: Password manager Dashlane reported that user accounts were targeted in a brute-force attack, leading to the suspension of affected accounts as a security measure. The company stated there is no evidence of its own systems being compromised.
Global Smishing Operation Impacts 19 Countries: Hunt.io identified a large-scale smishing operation spanning 19 countries, utilizing over 1,600 malicious URLs across various sectors. These campaigns aim to trick users into making payments or divulging personal information through fabricated emergencies.
Microsoft Teams and Google Drive Abused to Deliver Java RAT: In one observed incident targeting the legal industry, attackers used Microsoft Teams for voice phishing to gain remote access via Quick Assist, subsequently deploying the Nimbus RAT. This Java-based implant utilizes Google Drive and Google Sheets for command-and-control (C2) communications.
Tracking Site Visitors Via FROST: New research details a side-channel attack named FROST that uses tiny changes in SSD access times measured via JavaScript to track user activity on both Linux and macOS systems. This attack, exploiting the Origin Private File System (OPFS), can fingerprint user activity and even infer application usage without further user interaction.
Instagram Exploit Allegedly Enabled Account Takeover: Reports suggest an exploit targeting Meta AI allowed for password resets on Instagram accounts without multi-factor authentication (MFA) enabled, though the vulnerability has since been patched.
EvilTokens Abuses OAuth Flow, RatPressto Kit Surfaces: The phishing-as-a-service (PhaaS) platform EvilTokens is being used for large-scale device code phishing attacks by abusing the OAuth 2.0 device authorization flow and employing AI for infrastructure generation. Concurrently, a new phishing toolkit called RatPressto has emerged, hosted on compromised WordPress sites and used to deliver ScreenConnect for remote access.
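Device code phishing leaves a distinctive trace in identity logs: the sign-in completes through the device authorization flow rather than the interactive flow the user normally uses. As an added example (constructed data, not telemetry from the EvilTokens campaign), the Python below flags successful device-code sign-ins, either outright for a tenant that has no legitimate use of the flow, or only when they come from a country outside the user's ordinary sign-in baseline. Field names follow the Microsoft Graph signIn resource (authenticationProtocol, location.countryOrRegion, status.errorCode); the records, users and addresses are invented.

```python
import json

# Constructed sample sign-in records in JSON Lines form (not real telemetry).
# Field names follow the Microsoft Graph signIn resource; values are invented.
SAMPLE_SIGNINS_JSONL = """\
{"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-18T08:02:11Z", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}, "appDisplayName": "Microsoft Teams"}
{"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-18T13:40:05Z", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}, "appDisplayName": "Outlook"}
{"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-18T14:12:49Z", "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}, "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}, "appDisplayName": "Microsoft Office"}
{"userPrincipalName": "bob@example.com", "createdDateTime": "2026-05-18T09:15:00Z", "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "DE"}, "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}, "appDisplayName": "Microsoft Teams"}
{"userPrincipalName": "bob@example.com", "createdDateTime": "2026-05-18T09:30:00Z", "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "DE"}, "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}, "appDisplayName": "Azure CLI"}
{"userPrincipalName": "carol@example.com", "createdDateTime": "2026-05-18T10:00:00Z", "ipAddress": "198.51.100.78", "location": {"countryOrRegion": "FR"}, "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}, "appDisplayName": "Microsoft Office"}
"""


def parse_signins(jsonl: str) -> list[dict]:
    """Parse JSON Lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def baseline_countries(signins: list[dict]) -> dict[str, set[str]]:
    """Countries each user has signed in from through ordinary (non-device-code) flows."""
    baseline: dict[str, set[str]] = {}
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" and s["status"]["errorCode"] == 0:
            baseline.setdefault(s["userPrincipalName"], set()).add(s["location"]["countryOrRegion"])
    return baseline


def find_suspicious_device_code_signins(signins: list[dict], device_code_expected: bool = False) -> list[dict]:
    """Flag successful device-code sign-ins.

    device_code_expected=False: the tenant has no legitimate device-code use,
    so every successful device-code sign-in is an alert.
    device_code_expected=True: only device-code sign-ins from a country outside
    the user's ordinary-flow baseline are flagged.
    Failed attempts (non-zero errorCode) are not treated as compromise here.
    """
    baseline = baseline_countries(signins)
    alerts = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        user = s["userPrincipalName"]
        country = s["location"]["countryOrRegion"]
        known = baseline.get(user, set())
        if not device_code_expected:
            reason = "device code flow is not expected in this tenant"
        elif country not in known:
            reason = f"device code sign-in from {country}; user's baseline is {sorted(known) or 'none'}"
        else:
            continue
        alerts.append({"user": user, "time": s["createdDateTime"], "ip": s["ipAddress"],
                       "app": s["appDisplayName"], "reason": reason})
    return alerts


if __name__ == "__main__":
    records = parse_signins(SAMPLE_SIGNINS_JSONL)
    for mode in (False, True):
        print(f"device_code_expected={mode}:")
        for a in find_suspicious_device_code_signins(records, device_code_expected=mode):
            print("  ", a["user"], a["time"], a["ip"], a["app"], "->", a["reason"])
```

The baseline is deliberately built only from non-device-code sign-ins, so a phished session cannot launder its own location into the baseline. Where the flow is not needed at all, blocking it at the identity provider (Entra ID Conditional Access has an authentication-flows condition covering device code flow) removes the alert class rather than detecting it after the fact.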
Solo Russian-Speaking Threat Actor Linked to Patriot Bait Campaign: A single threat actor, tracked as “bandcampro,” ran a MAGA-themed Telegram channel and pivoted to AI-automated content, fraud, and credential theft. A jailbroken Google Gemini AI was used to generate Q-styled posts, deploy infrastructure, and run a QAnon-styled chatbot, demonstrating how AI safety controls can be circumvented.
SonicWall Scanning Spike Recorded: GreyNoise observed a significant increase in scanning activity targeting SonicWall SonicOS management interfaces between May 9 and May 18, 2026, with a majority of sessions originating from networks in the Netherlands and Ukraine.
New Payload Ransomware Emerges: Cybersecurity researchers have analyzed new ransomware families, including Payload, which has already victimized 50 entities since its emergence in February 2026. The group’s operations quickly expanded globally.
Conclusion
The past week has been characterized by a relentless pace of threat activity and a growing reliance on artificial intelligence by malicious actors. The recurring themes of exploited legacy vulnerabilities, default configurations, and the increasing sophistication of AI-driven attacks demand a heightened level of vigilance from organizations. The consistent exploitation of readily available attack vectors, often for minimal cost to the attacker, highlights that fundamental security practices remain critical. Organizations must prioritize patching well-known vulnerabilities, auditing their systems for unusual activity, and addressing even seemingly minor security gaps, as these often represent the initial point of compromise.