top of page

Cybersecurity Weekly Update: 25 May - 1 June 2026

  • Writer: SOC Team
    SOC Team
  • 5 hours ago
  • 4 min read

1. PAN-OS GlobalProtect Authentication Bypass Comes Under Active Escalated Exploitation


On May 30, 2026, threat researchers confirmed that a critical authentication bypass vulnerability (CVE-2026-0257) affecting the GlobalProtect portal and gateway modules within Palo Alto Networks PAN-OS software has entered widespread active exploitation. Rapid7 incident response teams detected two distinct waves of successful external exploitation in the wild.


The attacks abuse cookie validation mechanics without integrity checks, allowing unauthenticated threat actors to assign themselves corporate VPN IP addresses and establish persistent, authenticated tunnels into internal networks without valid enterprise credentials.


Why it matters: Firewalls running PAN-OS serve as a primary border defense for critical banking networks, defense manufacturing suppliers, and healthcare infrastructures throughout Europe and South Africa. Because this exploit targets edge-facing enterprise appliances, a successful compromise completely circumvents external perimeter defenses, placing attackers instantly within the internal network where they can intercept unencrypted data and compromise directory systems.


Action: Immediately apply the official vendor hotfixes to affected PAN-OS appliances (targeting safe updates beyond 12.1.4-h6, 11.2.4-h17, and 10.2.7-h34). If patching cannot be executed immediately out-of-band, disable the "Authentication Override" feature in the GlobalProtect portal and gateway configuration panels to mitigate the unvalidated cookie flaw.


2. Threat Actors Weaponize FortiClient EMS Flaw to Mass-Deploy EKZ Infostealer


On May 28, 2026, threat analysts published an urgent technical advisory revealing that an actively weaponized security flaw impacting Fortinet FortiClient Endpoint Management Server (EMS) deployments (CVE-2026-35616) is being used in a global campaign to drop a highly evasive payload known as the EKZ Infostealer. The vulnerability allows an unauthenticated remote actor to bypass certificate-based authentication through HTTP header spoofing, achieving administrative command execution on the management server.


Once inside, the threat actors use the trusted administrative pathways of the Fortinet infrastructure to masquerade as an endpoint update, silently pushing malicious PowerShell commands to thousands of managed corporate workstations.


Why it matters: FortiClient EMS platforms are heavily utilized across distributed educational campus networks, healthcare facilities, and financial branches to monitor and secure employee workstations. By hijacking the central management server, attackers turn a core security appliance into a malware distribution hub, allowing them to extract stored browser credentials, session cookies, and VPN tokens from across the entire organization without needing a separate intrusion path to each device.


Action: Immediately audit FortiClient EMS logs for unauthorized configuration changes, unexpected administrative system commands, or modifications to remote access profiles. Upgrade to the latest patched software versions (FortiClient EMS 7.4.7 or later) as outlined by the vendor, and ensure that management interfaces are isolated behind an internal network layer unreachable by public internet traffic.


3. NCSC Issues Urgent Structural Warning Targeting Flawed Zero Trust Implementations


The UK's National Cyber Security Centre (NCSC) issued revised nationwide architecture framework guidance on May 28, 2026, targeting systemic security vulnerabilities introduced by flawed Zero Trust Network Access (ZTNA) deployments. The NCSC warned that many enterprise organizations are implementing modern ZTNA tools but are making a catastrophic mistake: carrying legacy "walled garden" trust models forward. Specifically, organizations continue to treat an employee’s physical office branch or VPN connection state as a primary indicator of network trust.

(Source: dig.watch)


Why it matters: Organizations across Europe and South Africa frequently rely on basic ZTNA configurations to secure remote access for distributed workforces in banking and healthcare. If your ZTNA deployment grants broad network-level access simply because a device is on a recognized network location, an attacker who compromises a single laptop or physical workstation can pivot laterally through your entire corporate backend.


Action: Redesign corporate access control architectures to ensure that access to private applications is determined strictly on a per-session, least-privilege basis. Identity and device health validation must happen continuously, independent of whether an employee is logging on from home or a trusted corporate office.


4. GitLab Issues Urgent Fixes for Duo AI Workflow Access Failures


GitLab published emergency patch releases 19.0.1, 18.11.4, and 18.10.7 for its Community Edition (CE) and Enterprise Edition (EE) platforms to resolve multiple critical infrastructure vulnerabilities. Chief among the disclosures is CVE-2026-4868, an Improper Access Control flaw within the integrated GitLab Duo AI workflow runners.


The bug allows an authenticated user, under specific environment conditions, to bypass user identity resolution protocols, forcing specialized Duo AI workflows to execute commands under the identity profile of an entirely different, higher-privileged user.

(Source: gitlab.com)


Why it matters: Software development pipelines within fintech organizations and defense contractors utilize GitLab to manage proprietary software codebases. An identity resolution exploit within an AI workflow runner allows an internal developer or compromised account to run unauthorized tasks with administrative privileges, risking supply-chain injection or proprietary source-code data theft.


Action: Upgrade self-managed GitLab instances to the designated patch releases immediately. Audit all automated pipeline actions and logs tied to active GitLab Duo AI workflows to ensure no unauthorized administrative identity switches occurred prior to patching.


Key Recommendations:


  • Isolate and Patch Edge Firewalls: Block PAN-OS management interfaces from the public internet and immediately apply emergency vendor updates to neutralize the actively exploited GlobalProtect authentication bypass (CVE-2026-0257).

  • Harden Endpoint Management Infrastructures: Audit FortiClient EMS logs for malicious PowerShell triggers, upgrade to version 7.4.7 or later to patch CVE-2026-35616, and isolate management nodes from external traffic.

  • Dismantle Network Location-Based Trust: Restructure your ZTNA deployment according to NCSC frameworks to mandate continuous, per-session, context-aware identity validation rather than trusting physical branch or VPN parameters.

  • Secure DevSecOps AI Integrations: Immediately upgrade self-managed GitLab environments to versions 19.0.1, 18.11.4, or 18.10.7 to remediate the critical GitLab Duo AI privilege escalation flaw (CVE-2026-4868).



 
 
bottom of page