Rapid responses
runZero’s Rapid Response program provides immediate detection and notification of emerging threats. Older entries are migrated to standalone queries or templates.
PAN-OS is the proprietary operating system that powers all Palo Alto Networks Next-Generation Firewalls (NGFW) across physical, virtual, and cloud environments. It uses a Single-Pass Parallel Processing (SP3) architecture to provide deep visibility and control over network traffic by identifying applications, users, and content simultaneously.
Certain versions of Palo Alto Networks PAN-OS are affected by an authentication bypass vulnerability in the GlobalProtect portal and gateway. Successful exploitation allows a remote, unauthenticated attacker to bypass security restrictions, establish an unauthorized VPN connection, and gain access to restricted networks.
There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected:
- PAN-OS 12.1: Versions 12.1.5 through 12.1.6, and 12.1.2 through 12.1.4-h*.
- PAN-OS 11.2: Versions 11.2.11 or later, 11.2.8 through 11.2.10-h*, 11.2.5 through 11.2.7-h*, and 11.2.0 through 11.2.4-h*.
- PAN-OS 11.1: Versions 11.1.14 or later, 11.1.11 through 11.1.13-h*, 11.1.8 through 11.1.10-h*, 11.1.7 through 11.1.7-h*, 11.1.5 through 11.1.6-h*, and 11.1.0 through 11.1.4-h*.
- PAN-OS 10.2: Versions 10.2.17 through 10.2.18-h*, 10.2.14 through 10.2.16-h*, 10.2.11 through 10.2.13-h*, 10.2.8 through 10.2.10-h*, and 10.2.0 through 10.2.7-h*.
Note: It is possible that older, unsupported PAN-OS versions are also vulnerable, but this has not been confirmed.
Severity & Risk Assessment
- Severity: High – Successful exploitation allows an attacker to establish an unauthorized VPN connection and gain access to protected networks.
- Risk: High – This vulnerability can be exploited by a remote, unauthenticated attacker, meaning the barrier to entry for an attacker is low. This significantly increases the likelihood of widespread exploitation.
hw:="Palo Alto Networks" AND os:="Palo Alto Networks PAN-OS%" AND os_version:>0 AND ((os_version:>="12.1.5" AND os_version:<"12.1.7") OR (os_version:>="12.1.2" AND os_version:<"12.1.4-h6") OR (os_version:>="11.2.11" AND os_version:<"11.2.12") OR (os_version:>="11.2.8" AND os_version:<"11.2.10-h7") OR (os_version:>="11.2.5" AND os_version:<"11.2.7-h14") OR (os_version:>="11.2.0" AND os_version:<"11.2.4-h17") OR (os_version:>="11.1.14" AND os_version:<"11.1.15") OR (os_version:>="11.1.11" AND os_version:<"11.1.13-h5") OR (os_version:>="11.1.8" AND os_version:<"11.1.10-h25") OR (os_version:>="11.1.7" AND os_version:<"11.1.7-h6") OR (os_version:>="11.1.5" AND os_version:<"11.1.6-h32") OR (os_version:>="11.1.0" AND os_version:<"11.1.4-h33") OR (os_version:>="10.2.17" AND os_version:<"10.2.18-h6") OR (os_version:>="10.2.14" AND os_version:<"10.2.16-h7") OR (os_version:>="10.2.11" AND os_version:<"10.2.13-h21") OR (os_version:>="10.2.8" AND os_version:<"10.2.10-h36") OR (os_version:>="10.2.0" AND os_version:<"10.2.7-h34"))
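As an added example (not part of runZero's page or its query language), the Python below applies the same affected ranges as the query above to an exported inventory. It parses PAN-OS versions as major.minor.patch with an optional -hN hotfix and compares the hotfix number numerically, so that 11.1.7-h10 sorts after 11.1.7-h6 rather than before it as a plain string comparison would; the hostnames and versions in the sample inventory are constructed data.

```python
import re
from typing import List, Tuple

# A PAN-OS version is major.minor.patch, optionally followed by a hotfix -hN.
# A base release gets hotfix 0, so 12.1.4 < 12.1.4-h1 < 12.1.4-h6 < 12.1.5.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '11.1.4-h33' into a comparable tuple (11, 1, 4, 33)."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


# Affected ranges copied from the query above, as half-open intervals
# [lower, upper): the upper bound is the first fixed release of each train.
AFFECTED_RANGES = [
    ("12.1.5", "12.1.7"), ("12.1.2", "12.1.4-h6"),
    ("11.2.11", "11.2.12"), ("11.2.8", "11.2.10-h7"),
    ("11.2.5", "11.2.7-h14"), ("11.2.0", "11.2.4-h17"),
    ("11.1.14", "11.1.15"), ("11.1.11", "11.1.13-h5"),
    ("11.1.8", "11.1.10-h25"), ("11.1.7", "11.1.7-h6"),
    ("11.1.5", "11.1.6-h32"), ("11.1.0", "11.1.4-h33"),
    ("10.2.17", "10.2.18-h6"), ("10.2.14", "10.2.16-h7"),
    ("10.2.11", "10.2.13-h21"), ("10.2.8", "10.2.10-h36"),
    ("10.2.0", "10.2.7-h34"),
]


def is_affected(version: str) -> bool:
    """True when the version falls inside any affected [lower, upper) range."""
    v = parse_panos_version(version)
    return any(parse_panos_version(lo) <= v < parse_panos_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (hostname, version) pairs that still need patching."""
    return [(host, ver) for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory, not real assets.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "11.1.4-h32"),  # affected: one hotfix short of 11.1.4-h33
    ("fw-edge-02", "11.1.4-h33"),  # fixed
    ("fw-dc-01", "10.2.18-h6"),    # fixed
    ("fw-dc-02", "12.1.6"),        # affected
    ("fw-lab-01", "11.2.4"),       # affected: base release below 11.2.4-h17
    ("fw-lab-02", "11.1.7-h10"),   # fixed: h10 > h6 numerically, not as text
]
```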
Gogs is an open-source, self-hosted Git repository management system written in Go that provides a web-based interface for version control with minimal hardware resource requirements.
Certain versions of Gogs are affected by an argument injection vulnerability within the pull request “Rebase before merging” style merge handling. The flaw is caused by a malicious pull request branch name being passed directly to the git rebase command without a -- delimiter to indicate the end of options. As a result, the branch name is interpreted as the --exec flag. Successful exploitation allows a remote, authenticated attacker to achieve remote code execution (RCE) as the Gogs server process user via a crafted pull request. Because Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false), the authentication requirement poses less of a barrier in default configurations.
This vulnerability does not currently have a CVE ID assigned, and the vendor has not released a patch.
The following versions are affected:
- Gogs: Versions 0.14.2 and 0.15.0+dev (commit b53d3162)
Note: Prior versions supporting the “Rebase before merging” merge style are likely to be vulnerable as well.
vendor:=Gogs AND product:=Gogs
Drupal core is the blank-slate version of the PHP-based content management system (CMS) and web application framework that includes only the essential tools needed to build, log into, and run a basic website.
Certain versions of Drupal core are affected by a SQL injection vulnerability in the database abstraction API due to the improper neutralization of special elements. This flaw allows a remote, unauthenticated attacker to send specially crafted requests that result in arbitrary SQL execution on sites configured to use a PostgreSQL database. Successful exploitation allows an attacker to achieve information disclosure and, in select cases, privilege escalation, remote code execution (RCE), or other attacks.
There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected:
- Drupal: Versions 8.9.0 to before 10.4.10
- Drupal: Versions 10.5.0 to before 10.5.10
- Drupal: Versions 10.6.0 to before 10.6.9
- Drupal: Versions 11.0.0 to before 11.1.10
- Drupal: Versions 11.2.0 to before 11.2.12
- Drupal: Versions 11.3.0 to before 11.3.10
vendor:=Drupal AND product:=Drupal
Next.js, an open-source React framework developed by Vercel, provides structure, routing, and rendering solutions for building full-stack web applications.
Self-hosted Next.js applications using the built-in Node.js server are vulnerable to server-side request forgery (SSRF) within the WebSocket upgrade handling mechanism. A remote, unauthenticated attacker can exploit this flaw by sending crafted WebSocket upgrade requests. Successful exploitation allows the server to proxy requests to arbitrary internal or external destinations. This can expose sensitive internal services or cloud infrastructure endpoints, such as the Instance Metadata Service (IMDS), a local HTTP endpoint used by virtual machines to retrieve configurations, IP addresses, and IAM roles via a link-local address.
The following versions are affected:
- Next.js 13, 14, and 15: Versions 13.4.13 through 15.5.15
- Next.js 16: Versions 16.0.0 through 16.2.4
vendor:=Vercel AND product:="Next.js"
Each Rapid Response includes a query to find matching assets, a trigger to analyze all inventories for exposure, and a corresponding blog post with the details of the issue. This program focuses on helping customers mitigate exposures before compromise.