PAN VPN Bug Exploited; US Troops' Phones Leaking Location Data; CT Data Privacy Law Enhancements

The US Cybersecurity and Infrastructure Security Agency (CISA) added an authentication bypass in Palo Alto Networks (PAN) GlobalProtect portal and gateway to its Known exploited Vulnerabilities (KEV) catalog with a mitigation deadline of Monday, June 1 for Federal Civilian Executive Branch (FCEB) agencies. On May 13 PAN released an advisory and updates for the vulnerability, which affects PAN-OS as well as Prisma Access versions 10.2 and 11.2. The advisory states, "issue affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists." Researchers at Rapid7 detected exploitation of the vulnerability within days of its disclosure; they write that "Successful exploitation of this vulnerability allows a remote unauthenticated attacker to successfully establish a VPN connection through the GlobalProtect gateway of an affected appliance." At the time of the first advisory the vulnerability was rated medium severity, but as reports of exploitation emerged, PAN raised its rating to high severity with highest urgency.

Fourteen US legislators have signed a letter to Defense Department (DoD) CIO Kirsten Davies, asking that the agency take steps "to protect US military personnel from the serious counterintelligence and force protection threat posed by the collection and sale of personal information, including cell phone location data, by data brokers." Specifically, the legislators are concerned that the phones used by military personnel are known to be leaking location data; they write that "DoD has now confirmed to Congress that foreign adversaries are exploiting commercially available location data to target U.S. military personnel in war zones." They urge DoD to "disable the advertising ID on all DoD issued smartphones and issue a policy mandating that DoD personnel disable the advertising ID on all personal phones brought onto DoD facilities or taken to overseas deployments; remove web browsers that are designed to facilitate data collection by Google and other advertising companies, such as Google Chrome, from DoD unclassified computers and smartphones ... [and] pre-install on DoD devices and require the use by DoD personnel of privacy-focused web browsers that protect users with anti-tracking cyber defenses, such as ad blocking and the Global Privacy Control (GPC)...; and coordinate with the California Privacy Protection Agency to enroll all DoD personnel who are California residents in the state’s universal data broker Delete Request and Opt-out Platform, and coordinate with other states that create similar systems."

Two updates to Connecticut Data Privacy Act (CTDPA) are set to take effect on July 1, 2026, and Connecticut Governor Ned Lamont has also now signed into law Senate Bill 4 (SB4), which includes several provisions intended to provide residents with greater personal data protection, including additional amendments to the CTDPA. The initial updates passed in May lower the threshold of the law’s applicability based on the number of state residents whose data a company processes, from 100,000 to 35,000. The updates also expand the scope of the law to include businesses that process sensitive data or sell personal data. There are additional protections for minors and for certain AI practices. SB4, which takes effect October 1, 2026, includes provisions requiring the Commissioner of Consumer Protection to establish an accessible deletion mechanism program, requiring data brokers to register with the state, redefining "facial recognition technology" and "publicly available information," and prohibiting the sale, sharing, transfer or allowance of access to precise geolocation data.

Gogs, an open-source project allowing developers to run their own self-hosted Git services, has a critical vulnerability affecting all supported platforms, which as of this writing has not been fixed by Gogs maintainers and has not been assigned a CVE. Rapid7 reports that any authenticated user can achieve remote code execution on the server by using a malicious branch name when creating a pull request, exploiting the "rebase before merging" merge operation to inject the '—exec' flag into 'git rebase.' The researchers rated this flaw with a CVSS score of 9.4, noting that while rebase merging is not on by default, Gogs default settings permit an attacker to create and become the owner of an account and a repository, then enable rebase merging with a settings toggle. At least four other argument injection flaws in Gogs have been patched since 2024, but this attack bypasses the measures that hardened other vulnerable functions. Rapid7 recommends that defenders search for a specific error as an indicator of compromise (IoC) in the Gogs server logs, as well as possible artifacts, tokens, or payload files. While Gogs acknowledged Rapid7's report of this flaw on March 28, 2026, maintainers have not released a patch or communicated further. Users can mitigate by disabling open registration, preventing users from creating repositories, and continually auditing the "rebase before merging" setting, as "there is no global or organization-level setting to restrict this."

Centre for Cybersecurity Belgium (CCB) has updated its advisory for Microsoft's May 2026 Patch Tuesday to include a warning that the Windows Netlogon vulnerability (CVE-2026-41089) is being actively exploited. The critical remote code execution vulnerability can be exploited without "any prior privileges or user interaction and can be executed remotely." The flaw is due to a stack-based buffer overflow issue and can be exploited by "send[ing] a specially crafted network request to a Windows server that is acting as a domain controller." CCB urges users to apply patches as soon as possible. Microsoft released fixes for the vulnerability on Tuesday, May 13, and updates are available for Windows Server versions 2012 and newer. "The Netlogon Remote Protocol, [is] an RPC interface that is used for user and machine authentication on domain-based networks; to replicate the user account database for operating systems earlier than Windows 2000 backup domain controllers; to discover, manage, and maintain domain relationships of domain members and domain controllers across domains."

The US Department of Commerce's Office of the Inspector General (DOC OIG) performed an audit of the US National Institute for Standards and Technology (NIST), evaluating to what extent NIST's management of the National Vulnerability Database (NVD) is timely, effective, and sustainable. The OIG states that while enriched NVD records are a vital resource for cybersecurity professionals, NIST has failed to meet this standard. The report cites four main problems, the first of which is a growing backlog of unprocessed vulnerabilities due to unrealistic plans, inadequate actions, ineffective prioritization, and siloed enrichment sources. The OIG urges a comprehensive strategic plan for the NVD's overall role and a plan for managing the backlog with specific analysis of capacity, target dates and milestones, and prioritization processes. The second problem is several inefficiencies in the enrichment process. The OIG believes that shifting analysts' time away from severity score calculation could save NIST approximately $800,000, and suggests that the NVD make use of external enrichment for Common Platform Enumeration (CPE) applicability statements. The third problem is unnecessary duplication of parallel enrichment work by NIST and by the CVE program run by the US Cybersecurity and Infrastructure Security Agency (CISA). The OIG believes that lack of coordination with CISA has already led to $200,000 in waste. The fourth problem is a lack of transparent communication about the state of the backlog, which frustrates stakeholders and degrades confidence in the program, and should be resolved with a clear communication strategy. NIST responded to a draft of the report, concurring with all recommendations and outlining efforts to enact them, while taking issue with the report's characterization of NIST through subjective language, lack of context, and lack of acknowledgment for NIST's obligations under US law to perform certain NVD functions.

Google has updated the Chrome stable channel to version 148. The newest version of the browser includes fixes for 151 security issues, 22 of which are rated critical. The majority of the critical vulnerabilities are use-after-free issues. Google detected 134 of the vulnerabilities internally. Two of the critical flaws were awarded $43,000 bug bounty payments: an out-of-bounds write issue in GPU (CVE-2026-9872) and a use-after-free issue in network (CVE-2026-9873). Three additional vulnerabilities were found by external researchers: a use-after-free vulnerability in Dawn (CVE-2026-9874), an out-of-bounds read in WebGL (CVE-2026-9875), and a use-after-free issue in WebGL (CVE-2026-9876).

Dutch Police in collaboration with the National Cyber Security Centre of the Netherlands (NCSC-NL) announced on May 28, 2026 that they had taken down the infrastructure of a large botnet located in the Netherlands. Following a report from a security researcher, the authorities discovered 200 servers hosting a botnet that controlled at least 17 million devices, seized several of these servers, and directed the hosting provider to take the botnet offline due to "criminal activities." The press release did not include specific details on known attacks from this botnet, nor what type of devices were involved, but the NCSC-NL links to a recent article they published on residential proxy networks, explaining that these can range from legitimate voluntary proxy services, to other services that make the user's device part of a proxy network without their knowledge, to malware that infects a device and establishes a proxy connection. The residential IP addresses of devices in these networks make malicious traffic routed through them more difficult to detect and block. The NL Times alleges that the botnet taken down by this action was related to a Russian residential proxy service called ASOCKS, but this has not been independently confirmed. This law enforcement action follows closely on arrests and seizures by the Netherlands Fiscal Information and Investigation Service (FIOD) in connection with a Russian web hosting company under sanctions by the EU.

The FBI's Internet Crime Complaint Center (IC3) has published a public service announcement warning that cybercriminals are spoofing the Fédération Internationale de Football Association (FIFA) websites in attempts to steal sensitive information. The June issue of the SANS OUCH! newsletter also addresses FIFA scams, which prey on fans eager for tickets, streaming opportunities, and merchandise. FIFA 2026 World Cup matches will be played in Canada, Mexico, and the US between June 11 and July 19, 2026.

Charter Communications, a Fortune 100 US telecom and media corporation, confirmed in a May 26 statement to news sources that it experienced a data breach. Charter stated, "We are aware of the situation, following our security protocols and are in the process of alerting appropriate authorities. No sensitive personal information (PI) or customer proprietary network information (CPNI) data was exfiltrated by the threat actor as a result of recent activity," but the company has offered no further information about the timing, nature, or scope of the breach, and has not verified any threat actor claims. CPNI is a type of data regulated by US law, designating information about a telecom customer's phone usage data, call patterns, charges, services, and other details, in order to limit how this information may be controlled and shared. On May 28, the Charter breach was added to Troy Hunt's HIBP, connected with a dataset published online that included 4.9 million unique email addresses along with names, physical addresses, and phone numbers, plus a subset including Charter employees' job titles.