Critical Gogs Zero-Day RCE; PAN-OS Flaw Under Active Exploitation
Palo Alto Networks has issued a critical warning regarding CVE-2026-0257, a medium-severity authentication bypass vulnerability affecting PAN-OS and Prisma Access with a CVSS score of 7.8. The flaw specifically targets firewalls running GlobalProtect portal or gateway configurations where authentication override cookies are enabled alongside a specific certificate setup. Attackers can exploit this vulnerability to establish unauthorized VPN connections. Organizations should immediately verify their firewall configurations and consider running a port scanner to identify exposed GlobalProtect interfaces. The vulnerability is currently under active exploitation in the wild, marking yet another instance of threat actors rapidly weaponizing newly disclosed flaws.
In a separate development, Rapid7 researchers have identified a critical zero-day remote code execution vulnerability in Gogs, the popular open-source self-hosted Git service. The injection flaw allows authenticated attackers to achieve RCE through pull requests containing malicious branch names. Given that Gogs ships with open registration enabled by default and imposes no repository creation limits, unauthenticated attackers can simply register an account and exploit the vulnerability on any default-configured instance. The attack chain leverages repository rebase merging—a single toggle available to repository owners—to execute arbitrary commands as the Gogs server process user. This grants attackers full compromise of the server, access to all repositories including private repos, credential harvesting (password hashes, API tokens, SSH keys, 2FA secrets), and lateral movement capabilities. The vulnerability affects Gogs installations across Windows, Linux, and macOS, and no patch has been released. Admins should audit their instances immediately and review privacy checkup procedures for exposed credentials.
In law enforcement news, a coordinated effort by CrowdStrike, Google, and the Shadowserver Foundation has resulted in the successful takedown of the GlassWorm command-and-control infrastructure. All four of GlassWorm's C2 servers were seized, disrupting a malware operation that had been actively targeting organizations. This operation demonstrates the ongoing collaboration between private cybersecurity firms and non-profit organizations in combating threat actors. Security teams should review their logs for any indicators of compromise associated with GlassWorm and ensure their SSL/TLS checker configurations are properly validated to prevent similar infections.
These developments underscore the current threat landscape's emphasis on rapid exploitation of disclosed vulnerabilities and the importance of proactive security measures. Organizations running Gogs instances should consider temporary mitigations such as disabling rebase merging and restricting repository creation, while Palo Alto Networks customers must prioritize patching their GlobalProtect configurations to prevent authentication bypass attacks.
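As an added, defender-side example (not code from the article, Rapid7, or the Gogs project), the script below performs two of the audit steps suggested above for a Gogs instance: it enumerates branch names in a repository and flags any containing shell metacharacters or whitespace, which have no legitimate place in a branch name and are the kind of input an injection through branch names would rely on, and it parses a Gogs `app.ini` to report whether self-registration is still open. The branch-name list and the `app.ini` fragment are constructed sample inputs; the `[service] DISABLE_REGISTRATION` key is a real Gogs setting, while the repository path and the thresholds for what counts as suspicious are assumptions of this example.

```python
"""Audit helpers for a self-hosted Gogs instance (added example, not Gogs code).

Usage:  python gogs_audit.py /path/to/gogs-repositories/user/repo.git /path/to/app.ini
"""
import configparser
import subprocess
import sys
from typing import Iterable, List

# Characters a shell would interpret if a branch name were ever interpolated
# into a command line. Legitimate branch names use letters, digits, '/', '-',
# '_' and '.', so anything in this set is worth a human look.
SHELL_METACHARS = set(";|&$`<>(){}\n\r\t '\"\\")


def is_suspicious_branch_name(name: str) -> bool:
    """True if the branch name contains shell metacharacters or whitespace."""
    return any(ch in SHELL_METACHARS for ch in name)


def flag_branches(names: Iterable[str]) -> List[str]:
    """Return the sorted, de-duplicated subset of names that look suspicious."""
    return sorted({n for n in names if is_suspicious_branch_name(n)})


def list_branch_names(repo_path: str) -> List[str]:
    """Enumerate local branch names of a (bare or working) git repository.

    Uses `git for-each-ref`, which prints one ref per line and does not itself
    interpret the names, so odd characters come through verbatim.
    """
    result = subprocess.run(
        ["git", "-C", repo_path, "for-each-ref",
         "--format=%(refname:short)", "refs/heads/"],
        check=True, capture_output=True, text=True,
    )
    return [line for line in result.stdout.splitlines() if line]


def registration_is_open(app_ini_text: str) -> bool:
    """Gogs accepts new sign-ups unless [service] DISABLE_REGISTRATION = true.

    The article notes that open registration is the default, which is what
    lets an unauthenticated party become an authenticated one.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(app_ini_text)
    return not cp.getboolean("service", "DISABLE_REGISTRATION", fallback=False)


# Constructed sample inputs for stand-alone runs; the three odd names are
# deliberately harmless but contain characters a branch name should never hold.
SAMPLE_BRANCHES = ["main", "feature/login-form", "release-1.2",
                   "fix;x", "topic|y", "a b", "main"]
SAMPLE_APP_INI = """\
; constructed fragment in the layout Gogs uses for custom/conf/app.ini
[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false
"""


def audit(repo_path: str = None, app_ini_path: str = None) -> dict:
    """Run both checks; falls back to the constructed samples when no paths are given."""
    names = list_branch_names(repo_path) if repo_path else SAMPLE_BRANCHES
    ini_text = open(app_ini_path, encoding="utf-8").read() if app_ini_path else SAMPLE_APP_INI
    return {
        "suspicious_branches": flag_branches(names),
        "registration_open": registration_is_open(ini_text),
    }


if __name__ == "__main__":
    args = sys.argv[1:]
    report = audit(*(args[:2]))
    for branch in report["suspicious_branches"]:
        print(f"suspicious branch name: {branch!r}")
    if report["registration_open"]:
        print("self-registration is OPEN: set [service] DISABLE_REGISTRATION = true "
              "until a fixed Gogs release is available")
```

Run it over each bare repository under the Gogs repository root (a `find ... -name '*.git'` loop is enough) and treat any flagged name as a reason to inspect that repository's pull requests and the server's process history. The registration check is a one-line read of `app.ini`, but it is the setting that decides whether "authenticated attacker" in the advisory effectively means "anyone on the internet".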