top of page
ALL POSTS
Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Bypass Flaw (CVE-2026-0257)
Key Findings CVE-2026-0257 is an authentication bypass vulnerability in Palo Alto Networks PAN-OS affecting GlobalProtect portals and gateways Active exploitation confirmed by Rapid7 starting May 17, 2026, with two distinct attack waves originating from different hosting providers Vulnerability allows attackers to forge authentication cookies and bypass VPN access controls without credentials CISA added the flaw to its Known Exploited Vulnerabilities catalog in early June, re
Jun 153 min read
PAN-OS GlobalProtect Authentication Bypass Vulnerability Under Active Exploitation in the Wild
Key Findings CVE-2026-0257 is an authentication bypass vulnerability actively exploited in the wild against Palo Alto Networks PAN-OS appliances Threat actors can forge valid VPN authentication cookies without credentials if specific certificate configurations exist CISA added this flaw to the Known Exploited Vulnerabilities catalog due to active exploitation campaigns A single threat actor orchestrated at least two waves of attacks starting May 17, 2026, successfully obtaini
May 303 min read
Global Law Enforcement Dismantles First VPN Used by 25 Ransomware Groups in Historic Takedown
Key Findings First VPN Service, a criminal VPN operating since 2014, was dismantled in a coordinated international operation led by France and the Netherlands At least 25 ransomware groups used the service to conduct attacks, including network reconnaissance, data theft, fraud, and denial-of-service operations The takedown involved 16 countries and resulted in the seizure of 33 servers across 27 countries and the shutdown of associated domains First VPN marketed itself specif
May 223 min read
Attackers Bypass MFA on SonicWall VPNs Due to Flawed Prior Patch
Key Findings SonicWall Gen6 SSL-VPN devices remain vulnerable to MFA bypass despite firmware patches because administrators are missing six required manual remediation steps CVE-2024-12802 exploitation observed in-the-wild between February and March 2026, leading to ransomware-related intrusions across multiple organizations Attackers successfully brute-forced VPN credentials and bypassed MFA, reaching internal file servers in some cases within 30 minutes Gen6 devices reached
May 222 min read
Fortinet Warns of Active FortiCloud SSO Bypass Impacting Patched Devices
Key Findings Fortinet confirmed attacks are bypassing FortiCloud SSO authentication, affecting even fully patched devices, similar to recent SSO flaws. Threat actors automate firewall changes, add users, enable VPNs, and steal configs, in campaigns resembling December 2025 exploits of critical FortiCloud SSO flaws. Arctic Wolf researchers reported a new automated attack cluster observed since January 15, 2026, targeting FortiGate devices. Attackers created generic accounts fo
Jan 231 min read
bottom of page
