Cyber Roundup — Week of May 25

Here are the main stories you missed last week.

1. ChatGPhish: any web page can now inject phishing into ChatGPT

What happened: Permiso Security researcher Andi Ahmeti disclosed ChatGPhish on May 29, 2026, a browser-based prompt injection technique that transforms any web page into a phishing delivery surface by exploiting ChatGPT’s implicit trust in Markdown rendering. When a user asks ChatGPT to summarize a page, hidden instructions embedded in that page render as live phishing links, fake security alerts, and QR codes inside the trusted chatgpt.com interface. The Register independently reproduced the behavior on the day of disclosure. As of publication, OpenAI had not confirmed a fix was applied.

What’s actually happening: The chatgpt.com response renderer trusts Markdown links and image URLs originating from third-party pages. It auto-fetches those images and surfaces those links as live, clickable elements inside the assistant UI, with no origin label distinguishing attacker-controlled content from genuine assistant output. Both share identical visual formatting.

Passive reconnaissance runs through the same mechanism. Embedded image URLs in the malicious page automatically leak the user’s IP address, User-Agent string, Referer header, and high-resolution timing data to attacker-controlled infrastructure during what appears to be normal AI usage.

What changes here is the delivery surface. Traditional phishing requires a suspicious domain, a convincing email, and social engineering skill. ChatGPhish requires none of that. All it needs is a page the user might legitimately want summarized. The attack surface is the entire web. For a broader look at how API-level trust relationships create similar injection risks, see our post on API security risks.

The CISO question: If your employees use ChatGPT to summarize vendor documentation, research papers, or competitor sites, do you have controls to detect when that workflow is being used to deliver phishing or exfiltrate reconnaissance data?

2. CVE-2026-0257: GlobalProtect authentication bypass exploited across multiple customers

What happened: Active exploitation of CVE-2026-0257, an authentication bypass in Palo Alto Networks PAN-OS GlobalProtect (CVSS 7.8), began May 17. Rapid7 MDR identified successful compromises across numerous customers through two distinct attack waves. The first originated from Vultr-hosted infrastructure on May 18, and the second from Dromatics Systems on May 21. Consistent MAC addresses across both waves indicate the same threat actor. CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on May 29 with a federal remediation deadline of June 1. Rapid7 did not observe lateral movement from compromised devices in the cases they analyzed, though attackers achieved VPN-level network access equivalent to any authenticated user.

What’s actually happening: The vulnerability affects GlobalProtect deployments where authentication override cookies are enabled and the encryption certificate is shared with another service, a configuration that reduces authentication friction and exists widely in enterprise environments. That shared certificate lets attackers discover the public key and forge valid session cookies, establishing unauthorized VPN connections without credentials.

The attack pattern was systematic, not opportunistic. Both waves targeted the local administrator account specifically. Organizations affected did not detect the unauthorized access through their own monitoring. External notification from Rapid7 identified the compromises. VPN authentication logs, session anomalies, and network access patterns were not generating alerts despite VPNs being critical access controls.

Temporary mitigations: disable the authentication override feature, or generate a dedicated certificate used exclusively for authentication override cookies.

The CISO question: Would your organization detect an unauthorized VPN connection through internal monitoring, or would you need an external vendor to identify it?

3. Three Linux CVEs form a root access chain security teams are treating as separate tickets

What happened: Security Boulevard reported three Linux CVEs from May 2026 that form a reliable exploit chain from public internet access to root privileges on systems running nginx in front of critical applications: CVE-2026-42945 (NGINX Rift), CVE-2026-31431 (Copy Fail), and CVE-2026-43284/43500 (Dirty Frag). The chain produces no disk writes, no race conditions, and no detectable system state changes.

Important technical note: CVE-2026-42945 enables reliable remote code execution only on systems where Address Space Layout Randomization (ASLR) is disabled. On systems with ASLR enabled, the default on modern Linux, the exploit produces denial-of-service through nginx worker crashes rather than code execution. The privilege escalation steps apply once a foothold exists by either path.

What’s actually happening: NGINX Rift (CVE-2026-42945) is a heap buffer overflow in ngx_http_rewrite_module that has existed in every nginx build since 2008. A single crafted HTTP request triggers it with no authentication, no prior session, and no prerequisites beyond a network path to port 80 or 443. On ASLR-disabled systems, this produces code execution in the nginx worker process.

Copy Fail (CVE-2026-31431) and Dirty Frag (CVE-2026-43284/43500) escalate that worker process foothold to root through different kernel paths. Dirty Frag routes through xfrm-ESP or rxrpc specifically to bypass Copy Fail’s mitigation, which means blacklisting one path leaves the other open.

The forensic profile is what makes this chain operationally serious. Page cache corruption means file integrity checks pass because underlying files on disk are never modified. The privilege escalation leaves no forensic evidence visible to standard host-based detection.

The CISO question: Is your patch management tracking these three CVEs as a coordinated chain, or as three independent tickets competing against 200 other criticals?

4. CVE-2026-35616: FortiClient EMS exploited to deliver a credential stealer disguised as a Fortinet patch

What happened: Arctic Wolf documented active exploitation of CVE-2026-35616 (CVSS 9.1), a critical improper access control flaw in FortiClient Endpoint Management Server, in May 2026. Attackers bypassed API authentication without credentials and used FortiClient’s own management infrastructure to push a credential stealer, named EKZ Infostealer by Arctic Wolf and delivered as FortiEndpoint_Patch.exe, to managed endpoints via PowerShell. The vulnerability was first patched by Fortinet in early April 2026 after being observed as a zero-day in the wild. The May campaign represents continued exploitation of that same flaw against unpatched deployments.

What’s actually happening: CVE-2026-35616 is an improper access control flaw. When specially crafted HTTP requests reach certain FortiClient EMS endpoints without valid credentials, the system processes them as legitimate administrative actions. From that position, attackers can interact with EMS functionality that would normally require administrative access, including pushing software to every managed endpoint simultaneously.

EKZ Infostealer targets Chrome, Firefox, and Chromium-based browsers. It extracts session cookies, saved credentials, and autofill data including credit card details and addresses, stores results in a SQLite-backed local log, and exfiltrates to attacker-controlled infrastructure over HTTP. Understanding how stolen credentials get used after exfiltration is covered in detail in our post on credential intelligence and account takeover prevention.

Execution context is what defeats detection here. The malicious PowerShell runs with the same administrative privileges as a legitimate FortiClient EMS update. Process monitoring sees what looks like a routine security operation.

The CISO question: Can your endpoint monitoring distinguish between a legitimate EMS administrative action and a malicious payload that inherited the same execution context?

5. YellowKey: BitLocker bypass requires physical access, standard hardware, and public tools

What happened: Microsoft released mitigation guidance on May 20, 2026 for CVE-2026-45585, a BitLocker security feature bypass named YellowKey (CVSS 6.8), after researcher Nightmare Eclipse published a working proof-of-concept without coordinated disclosure. The vulnerability exploits trusted behavior in the Windows Recovery Environment (WinRE) to give an attacker with physical access an unrestricted shell and access to the encrypted volume during pre-boot recovery. As of publication, no full security patch had been released, only workarounds. Affected versions: Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025.

What’s actually happening: The attack targets WinRE, the recovery tool built into virtually all Windows installations. It requires only brief physical access, no specialized forensic hardware, and no persistent hardware artifacts, only tools available publicly on GitHub. Capabilities previously limited to law enforcement and nation-state actors are now accessible to ordinary criminals, and that shift is the point.

The default enterprise BitLocker configuration, TPM-only mode, is enabled because it allows silent PIN-free boot. That is exactly what YellowKey defeats. Organizations that have not enforced TPM+PIN via policy face the greatest exposure.

Microsoft’s available mitigations: remove the vulnerable autofstx.exe value from the WinRE image hive and reestablish BitLocker trust for WinRE, or switch from TPM-only to TPM+PIN mode via PowerShell, command line, or Group Policy.

The CISO question: For devices assigned to executives, field staff, and frequent travelers, have you audited whether TPM+PIN is actually enforced by policy, or assumed?

Trusted systems became attack delivery mechanisms this week.

ChatGPT’s summarization feature delivered phishing through an interface users trust completely. GlobalProtect VPN authentication granted unauthorized network access to multiple organizations simultaneously. Nginx web servers provided the entry point for a forensically silent privilege escalation chain. FortiClient EMS pushed credential stealers disguised as security updates. BitLocker full disk encryption failed to protect against physical access using publicly available tools.

Every compromise succeeded because attackers weaponized infrastructure organizations depend on for legitimate operations. The threat model most security teams carry, external attacker versus defended perimeter, does not account for the case where the perimeter’s own tools are the payload.

CybelAngel identifies exposed credentials, misconfigured services, and compromised infrastructure across the digital ecosystem before attackers establish those footholds.