Aviatrix Threat Research Center

In May 2026, a critical zero-day vulnerability was discovered in Gogs, a self-hosted Git service. This argument injection flaw allows authenticated users to execute arbitrary code on servers running Gogs versions 0.14.2 and 0.15.0+dev. Exploitation involves creating a pull request with a malicious branch name that injects the --exec flag into git rebase during the 'Rebase before merging' operation. This vulnerability enables attackers to compromise the server, access all repositories, extract credentials, and potentially pivot to other systems. The incident underscores the persistent risks associated with self-hosted code repositories, especially those with default configurations that permit open registration. Organizations relying on Gogs should assess their exposure, apply available patches promptly, and consider implementing stricter access controls to mitigate similar threats.

In May 2026, threat actors exploited a critical authentication bypass vulnerability (CVE-2026-35616) in Fortinet's FortiClient Enterprise Management Server (EMS) versions 7.4.5 and 7.4.6. This flaw allowed unauthenticated remote attackers to execute arbitrary code via specially crafted requests. Leveraging this vulnerability, attackers delivered the EKZ infostealer malware, disguised as a legitimate Fortinet endpoint update, through FortiClient-managed VPN scripting workflows. The malware targeted credentials and sensitive data stored in web browsers, exfiltrating them to attacker-controlled servers. Fortinet released emergency patches to address this issue, and organizations were urged to apply them promptly to mitigate the risk of compromise. This incident underscores the critical importance of timely patch management and vigilance against sophisticated social engineering tactics. The exploitation of trusted security infrastructure highlights the evolving strategies of threat actors, emphasizing the need for organizations to adopt a proactive and layered security approach to protect against such vulnerabilities.

In May 2026, the FBI issued a warning about the Silent Ransom Group (SRG), a Russia-linked extortion gang targeting U.S. law firms. SRG employs sophisticated social engineering tactics, including impersonating IT support staff via phone calls and phishing emails to gain remote access. When these methods fail, they escalate to in-person visits, where operatives physically infiltrate offices, connect external storage devices to computers, and exfiltrate sensitive client data. This data is then used to extort firms, with threats to publish or sell the information if ransoms are not paid. ([techtimes.com](https://www.techtimes.com/articles/317293/20260527/silent-ransom-group-sends-operatives-law-firm-offices-38-firms-already-leaked.htm?utm_source=openai)) This incident underscores a concerning evolution in cybercriminal tactics, blending traditional cyber attacks with physical intrusion. The legal sector's sensitive data makes it a prime target, highlighting the urgent need for robust security protocols, employee training, and vigilance against both digital and physical social engineering threats.

In May 2026, a mid-sized organization fell victim to an Akira ransomware attack. The intrusion began with the exploitation of a forgotten local VPN account lacking multi-factor authentication, allowing attackers to gain initial access. Subsequently, they conducted network reconnaissance, escalated privileges, and moved laterally across systems. The attackers exfiltrated sensitive data before deploying ransomware to encrypt files, culminating in a ransom demand. This incident underscores the critical need for robust access controls and vigilant monitoring of network activities to prevent such breaches. The Akira ransomware group has demonstrated a rapid escalation in attack sophistication and frequency, particularly targeting organizations with vulnerable VPN configurations. Their ability to swiftly transition from initial access to full data encryption within hours highlights the urgency for organizations to implement comprehensive cybersecurity measures, including timely patching, multi-factor authentication, and continuous network monitoring.

In April 2026, Anodot, a business monitoring software provider, experienced a significant data breach when attackers exploited authentication tokens to access customer cloud data. The cybercriminal group ShinyHunters claimed responsibility, leading to data theft from at least a dozen companies, including Rockstar Games. This incident underscores the vulnerabilities in third-party service providers and the cascading risks to their clients. The breach highlights a growing trend where threat actors target software vendors to gain access to multiple organizations simultaneously. Such supply chain attacks necessitate enhanced security measures and vigilance among businesses relying on external service providers.