The Lyceum: Cyber Intelligence Daily — May 31, 2026
Sunday, May 31, 2026
The Big Picture
The gap between "researcher publishes" and "attacker exploits" has compressed to something you can measure with a stopwatch. Palo Alto's GlobalProtect VPN is under active exploitation, with CISA's federal patch deadline expiring Monday evening. Ukraine's national cyber agency is being impersonated to deliver malware to the very government workers it's supposed to protect. A working zero-day exploit for Gogs is circulating with no patch in sight. It's the kind of Sunday where every story is about the perimeter falling first.
What Just Dropped
- CVE-2026-0257 — Palo Alto Networks PAN-OS GlobalProtect: actively exploited, KEV-listed with a federal remediation deadline of Monday, June 1. Authentication bypass; attackers forge auth cookies to walk past the VPN.
- Gogs RCE zero-day — Self-hosted Git server: no patch available, working exploit module circulating. Remote code execution on internal developer infrastructure.
- CVE-2026-10120 — TRENDnet TEW-432BRP router: end-of-life since 2009, public exploit, no fix coming. Vendor has formally declined to patch.
- CIFSwitch Linux kernel flaw — Local privilege escalation with public PoC; default installs of Linux Mint, CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, Kali, and SLES 15 SP7 are vulnerable.
- DriveSurge threat actor — New actor using ClickFix and fake-update drive-by lures; surfaced in threat intel channels overnight.
- CERT-UA UAC-0252 campaign — Phishing wave using SHADOWSNIFF and SALATSTEALER while impersonating CERT-UA itself.
Today's Stories
Palo Alto's GlobalProtect VPN Is Under Active Attack — Federal Deadline Expires Monday Evening
Someone may already be trying to walk through your front door without a key.
Palo Alto Networks updated its advisory Saturday to confirm that CVE-2026-0257 is now being actively exploited. According to BleepingComputer, the flaw lets attackers forge authentication cookies to trick vulnerable GlobalProtect gateways into treating them like legitimate users. In plain English: instead of stealing a password, attackers fake the digital hall pass. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog with a federal remediation deadline of Monday, June 1 — federal agencies are legally required to patch by then, and everyone else should treat that deadline as a signal about urgency.
If a patch can't go in immediately, Palo Alto's mitigations meaningfully reduce exposure: restrict User-ID Authentication Portal access to trusted zones, disable authentication override, or use a separate certificate for that feature. The thing to watch is whether a second exploitation wave materializes after Monday evening's deadline. If it does, that means the hosting-infrastructure pattern observed in earlier PAN-OS campaigns has resurfaced, and the bug gets folded into ransomware initial-access toolkits within days. If patching cadence holds and scanning telemetry drops, the worst case stays contained to the unlucky few who slept on the alert.
Ukraine's Cyber Agency Is Being Impersonated to Deliver Malware — And It's Working
Using a country's own cybersecurity agency as the lure to compromise that country's government workers takes a particular kind of audacity. That's exactly what's happening in Ukraine right now.
CERT-UA, operating under Ukraine's State Service for Special Communications, reports that attackers are sending emails to government agencies, military personnel, and workers at critical infrastructure facilities that impersonate CERT-UA and SSSCIP. The subject line translates roughly to: "URGENT! CERT-UA Order No. 102/5-4092-IS dated May 26, 2026. Threat UAC-0252. Mandatory compliance." The message claims an "unprecedented cyberattack on government information systems" using DEAFTICKv2 malware, and instructs recipients to follow attached instructions to inspect their workstations. The genius of this approach is that it weaponizes exactly what defenders are trained to do: respond urgently to official security alerts.
CERT-UA's separate technical advisory ties the campaign to the stealers SHADOWSNIFF and SALATSTEALER — tools built to harvest credentials and browser data rather than smash systems. If this tactic stays Ukraine-only, it's a regional problem. If it spreads — if CERT-DE or CISA start fielding "fake official emergency guidance" reports next week — impersonating-the-responder has graduated into a portable playbook, and every national CERT becomes a phishing brand to spoof. The observable signal will be a CERT-UA advisory upgrade or a Western CERT echoing the IOCs within days.
A Gogs Zero-Day Is Circulating With a Working Exploit — And No Patch
A self-hosted Git service is supposed to make developers feel independent. Instead, it can become a neat little doorway into source code, secrets, and deployment pipelines.
Russian-language outlet Xakep reports that a zero-day vulnerability in Gogs — a lightweight, self-hosted alternative to GitHub used by teams that want control without a cloud dependency — has a working exploit module circulating. The flaw enables remote code execution, meaning an attacker who can reach a Gogs instance over the network can run commands on the underlying server. There is no patch yet.
This matters out of proportion to its visibility: internal developer infrastructure is routinely over-trusted and under-monitored. A compromised Gogs server is rarely just a Gogs server — it's repository contents, CI/CD tokens, deploy keys, and often a credential pivot into production. The thing to watch is GreyNoise scanning telemetry against Gogs default ports over the next 72 hours. A scanning spike before a patch arrives means mass exploitation has begun, and shared-hosting providers running Gogs as a managed service will spend their week in the same position GitLab admins occupied during the 2021 zero-day waves. If scanning stays flat and a maintainer patch lands first, this stays a near-miss.
A New Linux Kernel Flaw Hands Out Root on Most Default Distributions
If you run Linux servers — and if you're in IT, you almost certainly do — this one landed in the past 48 hours and needs attention before Monday morning.
A newly disclosed local privilege escalation vulnerability dubbed CIFSwitch in the Linux kernel lets attackers forge CIFS authentication key descriptions, abuse the kernel's key-request mechanism, and gain root, according to BleepingComputer. CIFS — the protocol Linux uses to connect to Windows file shares — sits in virtually every enterprise Linux deployment. The attack path is local privilege escalation: an attacker who already has any foothold — a compromised web app, a low-privilege user account, a container escape — can use this flaw to become root. The disclosure came with a public proof-of-concept and a list of vulnerable default installs that includes Linux Mint, CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, Kali, and SLES 15 SP7.
Broad distribution coverage combined with a clear escalation path makes this high-priority even without remote code execution. Attackers chain LPE bugs with initial access vectors constantly — it's how a compromised web server becomes a fully owned host. The signal to watch is how fast Red Hat, Ubuntu, Debian, and SUSE ship coordinated kernel updates. Patches in the next 24–72 hours mean maintainers are treating the PoC as justification for fast-track. If patching drags into next week, expect CIFSwitch bundled into commodity post-exploitation toolkits by July.
⚡ What Most People Missed
- CISA orders agencies to patch Cisco FMC flaw exploited by Interlock: The anchor flaw is CVE-2026-20131, an insecure deserialization bug in Cisco Secure Firewall Management Center allowing unauthenticated remote code execution as root. Amazon's MadPot research found Interlock ransomware was exploiting it 36 days before public disclosure, beginning January 26. Incident responders should be hunting retroactively from that date, not just patching forward.
- The Nightmare-Eclipse tooling has shown up in a live intrusion: The GitHub ban on the researcher is trending, but the operationally important detail is in Huntress's blog: BlueHammer, RedSun, and UnDefend were observed in a live FortiGate VPN intrusion. The exploit code has graduated from proof-of-concept to active attack chain, and the GitHub ban has almost certainly accelerated distribution through Telegram and underground mirrors.
- Microsoft confirmed active exploitation of GoAnywhere MFT: CVE-2025-10035 is now under active attack, according to Microsoft's advisory. Managed file transfer systems sit on privileged data paths to partners and customers — this is MOVEit territory, and the affected version scope is still being characterized.
- Langflow 1.3.0 has a working unauthenticated RCE exploit: Langflow is an open-source orchestrator for LLM and agent workflows, typically self-hosted by small teams who treat it like a dev tool. It usually sits wired into API keys, vector databases, and internal services — meaning compromise is a shortcut to your entire AI stack. AI-agent backends are now formal RCE targets.
- DriveSurge surfaced as a new ClickFix operator: A new threat actor using ClickFix and fake-update drive-by lures appeared in threat intel channels Sunday morning. ClickFix bypasses endpoint defenses by making the user voluntarily paste the malicious command — the technique that powered the Ghost CMS campaign against 700+ publisher sites is now in a fresh operator's hands.
From the Foreign Press
CERT-UA: APT28 is exploiting CVE-2026-21509 against Ukraine and EU targets
CERT-UA's "Danger Bulletin" CERT-UA#19542 documents that the cluster Ukraine tracks as UAC-0001 — known in the West as APT28 or Fancy Bear — is actively weaponizing CVE-2026-21509 against Ukrainian and EU targets. The advisory matters for two reasons. First, it's a reminder that patching doesn't buy you much time when a well-resourced espionage group decides it likes a bug. Second, the target geography is broader than "just Ukraine," which is how these campaigns often get filed away in Western SOCs — a mistake, because Ukrainian infrastructure is the proving ground, not the boundary. Watch for CISA or major European CERTs to publish matching guidance; if they do, this has crossed from regional warning into broader operational concern.
Source: CERT-UA Advisory #19542 — Ukrainian. No English-language coverage confirmed at time of publication.
Xakep: A Gogs zero-day with a working remote code execution exploit
Russian-language outlet Xakep published technical detail on a Gogs zero-day that allows remote code execution, with a working exploit already in circulation and no vendor patch yet available. Gogs is widely deployed as a lightweight self-hosted Git service inside small and mid-sized engineering teams — the kind of internal infrastructure that rarely sits behind a WAF and almost never makes it onto the patching priority list until something breaks. Xakep's writeup arrived ahead of major English-language coverage, which is the part to take seriously: in the prior GitLab zero-day waves, the gap between Russian-language disclosure and mass scanning was measured in days.
Source: Xakep.ru (Хакер) — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If Palo Alto exploitation telemetry shifts from targeted attacks to opportunistic scanning Monday after the federal deadline expires, ransomware affiliates have already folded CVE-2026-0257 into their initial-access toolkits and the bulk-compromise wave is on a 7–14 day fuse.
- If the UAC-0252 impersonation tactic surfaces in non-Ukrainian phishing within two weeks, every national CERT becomes a phishing brand to spoof, and security awareness training quietly needs a new module on verifying official guidance.
- If a third independent victim is named in the Cisco FMC Interlock campaign before mid-June, the 36-day pre-disclosure exploitation window means the historical incident count is materially understated and incident response retainers will get repriced.
- If major Linux distributions don't ship coordinated CIFSwitch patches within 72 hours, expect the PoC to be bundled into commodity post-exploitation kits by July, with EDR signature lag visible in IR reports through August.
- If Microsoft's GoAnywhere MFT confirmation produces a named bulk-data-theft incident in the next 10 days, the managed file transfer category re-enters MOVEit territory — and downstream insurance consequences will hit thousands of organizations who didn't know their partners were running it.
- If GreyNoise reports a Gogs scanning spike before a maintainer patch lands, internal developer infrastructure has become the next category of internet-exposed crisis surface.
The Closer
A Russian researcher publishes a Git server exploit while Microsoft's lawyers polish their ban notices, Ukrainian government workers click "URGENT compliance" emails from people pretending to be the agency that warns them about clicking compliance emails, and somewhere a 2009-vintage TRENDnet router is still online and still accepting connections from anyone who wants them. The perimeter isn't falling — it's already on the ground, and we're just naming the pieces. See you tomorrow. Forward this to the friend who still runs Gogs and tells everyone it's fine.