// #exploitation

2 articles

Rapid7 MDR confirmed on 21 May that a second, larger exploitation wave of CVE-2026-0257, an authentication bypass in Palo Alto Networks GlobalProtect VPN, began on 21 May targeting enterprise sectors not covered in the initial wave. CISA added the CVE to the Known Exploited Vulnerabilities catalogue with a 1 June remediation deadline. The vulnerability affects PAN-OS 10.2, 11.1, 11.2, and 12.1 as well as Prisma Access.

May 21, 2026 #palo-alto +7

🛡️ SecOps

Google GTIG Confirms First AI-Developed Zero-Day Used in Active Exploitation — 2FA Bypass via Automated Vulnerability Discovery

Google's Threat Intelligence Group has confirmed the first documented case of a threat actor using AI tools to discover and develop a working zero-day exploit deployed in a live attack campaign. The target was a 2FA bypass in a widely-used open-source web administration tool. A separate China-aligned actor was also found using AI platforms for automated offensive reconnaissance.

May 11, 2026 #ai-security +5

Commentary tagged #exploitation

Opinion

The Risk Calculus Changed Today

Google's confirmation of the first AI-developed zero-day used in live exploitation is not a warning about the future. It is a statement about the present. The security industry's habit of treating AI-assisted exploitation as a 'horizon threat' just ran out of runway.

CipherWatch Editorial

Security Intelligence Platform

May 11, 2026

PAN-OS GlobalProtect CVE-2026-0257: Rapid7 Confirms Second Exploitation Wave — CISA Adds to KEV

Google GTIG Confirms First AI-Developed Zero-Day Used in Active Exploitation — 2FA Bypass via Automated Vulnerability Discovery

Commentary tagged #exploitation

The Risk Calculus Changed Today