← All threat briefs
Threat Brief

Weekly Situation Report — 6/15/26

Key takeaways

  • A newly discovered Cisco SD-WAN zero-day vulnerability is actively exploited against enterprise networks
  • Verdant Panda (UNC5221) deploys multiple backdoors for sustained persistence in targeted intrusions
  • Nightmare Eclipse researchers unveiled RoguePlanet and greatXML exploits targeting fully patched Windows systems
  • ServiceNow breach exposed customer data through an unauthenticated API endpoint
  • Attackers exploit Ivanti Sentry pre-authentication OS command injection vulnerability CVE-2026-10520
  • ShinyHunters group leaked staging infrastructure details, exposing operational components
  • Credential spraying attacks targeting Palo Alto GlobalProtect VPN hosts are increasing

1. New Cisco SD-WAN Zero-Day Exploited in Attacks

Summary

Cisco warned of an actively exploited high-severity zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager allowing low-privilege attackers to escalate to root through insufficient input validation. The vulnerability affects multiple deployment types with no patch currently available.

Category: Zero-day

Industry: Multiple

Analyst comments

The vulnerability stems from a command injection flaw resulting from insufficient input sanitation for uploaded files. Malicious commands are likely embedded in uploaded files, executed when processed with the -cli flag. This vulnerability could potentially chain with CVE-2026-20182 (disclosed May 2026), which has a public proof-of-concept and known wild exploitation.

Actionable guidance

No patch currently exists. Organizations should:

  • Restrict device access through ACLs
  • Apply patches for previously disclosed vulnerabilities that could enable netadmin access
  • Review /var/log/scripts.log for exploitation indicators
Fixed Versions:
20.18.3.1
26.1.1.2

Affected versions:
20.9.9.1 and earlier
20.12.7.1 and earlier
20.15.4.4 and earlier
20.15.5.2 and earlier
20.18.3
26.1.1.1 and earlier

2. Verdant Panda (UNC5221) Uses Multiple Backdoors for Longterm Intrusions

Summary

Researchers discovered Chinese threat actor VerdantBamboo (WARP PANDA, UNC5221) compromised victims using malware including BRICKSTORM, AGENTPSD, and PLENET. The actor employed custom persistence mechanisms and living-off-the-land techniques for sustained network access.

Category: State-Sponsored Espionage

Industry: Technology, Government and Public Administration, Aerospace, Finance

Analyst comments

VerdantBamboo maintained access for over 18 months after compromising a storage appliance using stolen credentials and local privilege escalation flaws. The group deployed BRICKSTORM and Python fallback shell AGENTPSD, later adding PLENET compiled in .NET Native AOT. They deliberately targeted devices unlikely to have endpoint detection and response software installed and bypassed Microsoft 365 Conditional Access policies through VPN proxying.

Actionable guidance

Organizations should:

  • Rotate credentials and audit firewall/VPN appliance configurations
  • Review unknown cron jobs and network callouts from EDR-unprotected devices
  • Keep appliances and internet-exposed edge devices updated
  • Hunt for suspicious activity on devices without EDR agents

3. NIGHTMARE Eclipse Unveils RoguePlanet & greatXML Exploits Targeting Fully Patched Windows

Summary

Security researcher Nightmare Eclipse released proof-of-concept exploits for RoguePlanet (Microsoft Defender zero-day) and GreatXML (BitLocker bypass), both affecting fully patched Windows systems. RoguePlanet grants SYSTEM privileges through race condition exploitation.

Category: Zero-day

Industry: Multiple

Analyst comments

RoguePlanet exploits a local privilege escalation vulnerability in Defender, successfully tested against fully patched Windows 10 and 11 systems. Windows 11 systems proved more susceptible with higher exploitation success rates. The researcher claims additional undisclosed memory corruption vulnerabilities in Defender and other Windows components. GreatXML provides BitLocker security control bypass capabilities.

Actionable guidance

Organizations should:

  • Monitor for VSS and Defender core process forensic artifacts
  • Alert on stopped or disabled security processes indicating potential exploitation
  • Apply current patches while recognizing future weaponized variants may bypass defenses
  • Hunt for indicators associated with privilege escalation attempts

4. ServiceNow Breach Exposed Customer Data

Summary

ServiceNow disclosed a security incident where an unauthenticated API endpoint flaw allowed attackers to query sensitive customer data. Initial malicious attribution was later reconsidered as likely security research or bug bounty activity.

Category: Critical Vulnerabilities

Industry: Technology, Multiple

Analyst comments

The vulnerability existed in the /api/now/related_list_edit/create endpoint configured with requires_authentication=false. Attackers accessed sensitive enterprise data including IT support tickets and employee records. ServiceNow applied security updates June 5, 2026, restricting endpoint access to authenticated users. Activity originated from a single IP address.

51.159.98.241 - AS12876 Scaleway SAS France

Actionable guidance

Affected organizations should:

  • Audit exposed tickets and records for sensitive data
  • Rotate credentials and tokens passing through support workflows
  • Verify API logging is enabled
  • Alert on increased request volume to vulnerable endpoint from unknown IPs

5. Ivanti Sentry Pre-Auth OS Command Injection CVE-2026-10520 Exploited in Attacks

Summary

Ivanti published an advisory for two critical Sentry vulnerabilities: pre-authenticated OS Command Injection (CVE-2026-10520) and Authentication Bypass (CVE-2026-10523). Both enable unauthenticated attackers to achieve root-level access and create arbitrary administrative accounts.

Category: Critical Vulnerabilities

Industry: Multiple

Analyst comments

CVE-2026-10520 stems from lack of authentication on the vulnerable endpoint and failure to validate user input via user-supplied messages. The vulnerability has public proof-of-concept code enabling full weaponization. Confirmed exploitation occurs with backdoor deployment on vulnerable instances shortly after PoC disclosure.

Actionable guidance

Organizations should:

  • Immediately segregate hosts from the public internet
  • Apply the most recent vendor patches
  • Hunt for signs of prior exploitation or backdoor deployment
  • Monitor for requests to affected endpoint and “execute system…” strings
Affected Versions:
10.5.1, 10.6.1, 10.7.0 and prior

Fixed Versions:
10.5.2, 10.6.2 and 10.7.1

6. ShinyHunters Leaked Staging Infrastructure

Summary

ShinyHunters attacks Oracle PeopleSoft servers, claiming theft of data from over 100 organizations across 300 instances, primarily in education. The group published data from Nottingham University on their leak site and deploys ransom notes post-breach.

Category: Threat Actor Activities

Industry: Business Services, Education, Retail, Technology

Analyst comments

ShinyHunters leverages a “gadget chain” of vulnerabilities, with CVE-2026-35273 reportedly being used to breach universities. The group deploys ransom note scripts targeting PeopleSoft with common administrative credentials like ‘psoft’ and ‘oracle’. CVE-2026-35273 affects the HTTP interface and lacks a public proof-of-concept but reportedly involves simple exploitation methods.

Actionable guidance

Organizations should:

  • Apply recently issued patches for CVE-2026-35273 (PeopleSoft 8.61/8.62 users at risk)
  • Hunt for files matching signatures of unknown RMM software (MeshCentral commonly observed)
  • Monitor for large volumes of failed login attempts from unknown addresses
  • Add stale network indicators to blocklists for threat hunting

Get the Complete Report

The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec’s original threat research. Delivered weekly to partners and clients. REQUEST ACCESS

More briefs
Weekly Situation Report — 6/8/26Jun 11, 2026Weekly Situation Report — 6/1/26Jun 4, 2026Weekly Situation Report — 5/25/26May 28, 2026
Talk to an expert