Key takeaways
- A newly discovered Cisco SD-WAN zero-day vulnerability is actively exploited against enterprise networks
- Verdant Panda (UNC5221) deploys multiple backdoors for sustained persistence in targeted intrusions
- Nightmare Eclipse researchers unveiled RoguePlanet and greatXML exploits targeting fully patched Windows systems
- ServiceNow breach exposed customer data through an unauthenticated API endpoint
- Attackers exploit Ivanti Sentry pre-authentication OS command injection vulnerability CVE-2026-10520
- ShinyHunters group leaked staging infrastructure details, exposing operational components
- Credential spraying attacks targeting Palo Alto GlobalProtect VPN hosts are increasing
1. New Cisco SD-WAN Zero-Day Exploited in Attacks
Summary
Cisco warned of an actively exploited high-severity zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager allowing low-privilege attackers to escalate to root through insufficient input validation. The vulnerability affects multiple deployment types with no patch currently available.
Category: Zero-day
Industry: Multiple
Analyst comments
The vulnerability stems from a command injection flaw resulting from insufficient input sanitation for uploaded files. Malicious commands are likely embedded in uploaded files, executed when processed with the -cli flag. This vulnerability could potentially chain with CVE-2026-20182 (disclosed May 2026), which has a public proof-of-concept and known wild exploitation.
Actionable guidance
No patch currently exists. Organizations should:
- Restrict device access through ACLs
- Apply patches for previously disclosed vulnerabilities that could enable netadmin access
- Review
/var/log/scripts.logfor exploitation indicators
Fixed Versions:
20.18.3.1
26.1.1.2
Affected versions:
20.9.9.1 and earlier
20.12.7.1 and earlier
20.15.4.4 and earlier
20.15.5.2 and earlier
20.18.3
26.1.1.1 and earlier
2. Verdant Panda (UNC5221) Uses Multiple Backdoors for Longterm Intrusions
Summary
Researchers discovered Chinese threat actor VerdantBamboo (WARP PANDA, UNC5221) compromised victims using malware including BRICKSTORM, AGENTPSD, and PLENET. The actor employed custom persistence mechanisms and living-off-the-land techniques for sustained network access.
Category: State-Sponsored Espionage
Industry: Technology, Government and Public Administration, Aerospace, Finance
Analyst comments
VerdantBamboo maintained access for over 18 months after compromising a storage appliance using stolen credentials and local privilege escalation flaws. The group deployed BRICKSTORM and Python fallback shell AGENTPSD, later adding PLENET compiled in .NET Native AOT. They deliberately targeted devices unlikely to have endpoint detection and response software installed and bypassed Microsoft 365 Conditional Access policies through VPN proxying.
Actionable guidance
Organizations should:
- Rotate credentials and audit firewall/VPN appliance configurations
- Review unknown cron jobs and network callouts from EDR-unprotected devices
- Keep appliances and internet-exposed edge devices updated
- Hunt for suspicious activity on devices without EDR agents
3. NIGHTMARE Eclipse Unveils RoguePlanet & greatXML Exploits Targeting Fully Patched Windows
Summary
Security researcher Nightmare Eclipse released proof-of-concept exploits for RoguePlanet (Microsoft Defender zero-day) and GreatXML (BitLocker bypass), both affecting fully patched Windows systems. RoguePlanet grants SYSTEM privileges through race condition exploitation.
Category: Zero-day
Industry: Multiple
Analyst comments
RoguePlanet exploits a local privilege escalation vulnerability in Defender, successfully tested against fully patched Windows 10 and 11 systems. Windows 11 systems proved more susceptible with higher exploitation success rates. The researcher claims additional undisclosed memory corruption vulnerabilities in Defender and other Windows components. GreatXML provides BitLocker security control bypass capabilities.
Actionable guidance
Organizations should:
- Monitor for VSS and Defender core process forensic artifacts
- Alert on stopped or disabled security processes indicating potential exploitation
- Apply current patches while recognizing future weaponized variants may bypass defenses
- Hunt for indicators associated with privilege escalation attempts
4. ServiceNow Breach Exposed Customer Data
Summary
ServiceNow disclosed a security incident where an unauthenticated API endpoint flaw allowed attackers to query sensitive customer data. Initial malicious attribution was later reconsidered as likely security research or bug bounty activity.
Category: Critical Vulnerabilities
Industry: Technology, Multiple
Analyst comments
The vulnerability existed in the /api/now/related_list_edit/create endpoint configured with requires_authentication=false. Attackers accessed sensitive enterprise data including IT support tickets and employee records. ServiceNow applied security updates June 5, 2026, restricting endpoint access to authenticated users. Activity originated from a single IP address.
51.159.98.241 - AS12876 Scaleway SAS France
Actionable guidance
Affected organizations should:
- Audit exposed tickets and records for sensitive data
- Rotate credentials and tokens passing through support workflows
- Verify API logging is enabled
- Alert on increased request volume to vulnerable endpoint from unknown IPs
5. Ivanti Sentry Pre-Auth OS Command Injection CVE-2026-10520 Exploited in Attacks
Summary
Ivanti published an advisory for two critical Sentry vulnerabilities: pre-authenticated OS Command Injection (CVE-2026-10520) and Authentication Bypass (CVE-2026-10523). Both enable unauthenticated attackers to achieve root-level access and create arbitrary administrative accounts.
Category: Critical Vulnerabilities
Industry: Multiple
Analyst comments
CVE-2026-10520 stems from lack of authentication on the vulnerable endpoint and failure to validate user input via user-supplied messages. The vulnerability has public proof-of-concept code enabling full weaponization. Confirmed exploitation occurs with backdoor deployment on vulnerable instances shortly after PoC disclosure.
Actionable guidance
Organizations should:
- Immediately segregate hosts from the public internet
- Apply the most recent vendor patches
- Hunt for signs of prior exploitation or backdoor deployment
- Monitor for requests to affected endpoint and “execute system…” strings
Affected Versions:
10.5.1, 10.6.1, 10.7.0 and prior
Fixed Versions:
10.5.2, 10.6.2 and 10.7.1
6. ShinyHunters Leaked Staging Infrastructure
Summary
ShinyHunters attacks Oracle PeopleSoft servers, claiming theft of data from over 100 organizations across 300 instances, primarily in education. The group published data from Nottingham University on their leak site and deploys ransom notes post-breach.
Category: Threat Actor Activities
Industry: Business Services, Education, Retail, Technology
Analyst comments
ShinyHunters leverages a “gadget chain” of vulnerabilities, with CVE-2026-35273 reportedly being used to breach universities. The group deploys ransom note scripts targeting PeopleSoft with common administrative credentials like ‘psoft’ and ‘oracle’. CVE-2026-35273 affects the HTTP interface and lacks a public proof-of-concept but reportedly involves simple exploitation methods.
Actionable guidance
Organizations should:
- Apply recently issued patches for CVE-2026-35273 (PeopleSoft 8.61/8.62 users at risk)
- Hunt for files matching signatures of unknown RMM software (MeshCentral commonly observed)
- Monitor for large volumes of failed login attempts from unknown addresses
- Add stale network indicators to blocklists for threat hunting
Get the Complete Report
The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec’s original threat research. Delivered weekly to partners and clients. REQUEST ACCESS