EXECUTIVE SUMMARY
This article is to inform our partners and clients on the various happenings within the cybersecurity space. That includes items such as relevant breaches, emerging vulnerabilities, research, threat actor movement, and what you need to do as an organization to mitigate a future threat.
KEY TAKEAWAYS
SUMMARY
Cisco has warned of an actively exploited high-severity zero-day vulnerability (CVE-2026-20245) in the Cisco Catalyst SD-WAN Manager that allows attackers with low privileges to escalate to root through insufficient input validation. The vulnerability affects multiple deployment types, and no patch is currently available.
Category
Zero-day
Industry
Multiple
Sources
https://www.reddit.com/r/networking/comments/1u0xug8/another_cisco_sdwan_manager_bug_is_being/
https://thehackernews.com/2026/06/cisco-catalyst-sd-wan-manager-cve-2026.html
https://www.cybersecuritydive.com/news/cisa-zero-day-cisco-catalyst-vulnerabilities/822494/
ANALYST COMMENTS
Cisco warned of a high-severity, unpatched zero-day vulnerability (CVE-2026-20245) in the Cisco Catalyst SD-WAN Manager that allows root privilege escalation through insufficient validation of user-supplied input. This vulnerability impacts all deployment types of the SD-WAN Manager and requires attackers to have netadmin privileges to exploit it, typically obtained via valid credentials or other vulnerabilities.
While the vulnerability requires netadmin privileges on, there is the possibility that this vulnerability could be chained with CVE-2026-20182 (disclosed in May), largely bypassing the user access requirements altogether. CVE-2026-20182 has a publicly available PoC and is known to have been exploited in the wild. Chaining vulnerabilities in this manner aligns with previous exploitation of similar Cisco SD-WAN appliance issues and is likely applicable in this as well.
In regards to CVE-2026-20245, the vulnerability is due to a command injection flaw resulting from insufficient input sanitation for uploaded files. Based on the log samples provided by Cisco, malicious commands are likely embedded in uploaded files. When the files are uploaded with the -cli flag, command orchestration is initiated, causing the system to read and interpret the uploaded file contents as commands or code before executing them. This vulnerability is currently known to be actively exploited in the wild.
ACTIONABLE GUIDANCE
There is currently no patch available for this vulnerability. Compensating controls should focus on restricting access to affected devices, including the use of ACLs to prevent unauthorized access to Cisco SD WAN Manager. Organizations should also apply patches for previously disclosed vulnerabilities, as those issues may be used to gain the netadmin access required to exploit this vulnerability.
Detection efforts should include reviewing /var/log/scripts.log for known indicators or events associated with exploitation.
# Fixed Versions
20.18.3.1
26.1.1.2
# Affected versions
20.9.9.1 and earlier
20.12.7.1 and earlier
20.15.4.4 and earlier
20.15.5.2 and earlier
20.18.3
26.1.1.1 and earlier
SUMMARY
Researchers discovered that a Chinese threat actor, VerdantBamboo (aka WARP PANDA, UNC5221), had compromised a victim using malware like BRICKSTORM, AGENTPSD, and PLENET. The actor used custom persistence mechanisms and living-off-the-land techniques to maintain long-term access to the network.
Category
State-Sponsored Espionage
Industry
Technology, Government and Public Administration, Aerospace, Finance
Sources
https://www.volexity.com/blog/2026/06/04/verdantbamboo-just-another-brickstorm-in-the-firewall/
ANALYST COMMENTS
In September 2025, researchers discovered that Chinese threat actor VerdantBamboo (UNC5521, WAP PANDA) had spent over 18 months silently inside a victim's network after compromising a storage appliance. Using stolen credentials and a local privilege escalation flaw, they deployed BRICKSTORM and a Python fallback shell called AGENTPSD. They also proxied traffic through the victim's own VPN to bypass Microsoft 365 Conditional Access policies undetected. A second backdoor, PLENET, compiled in .NET Native AOT to hinder analysis, was later deployed to a Network Attached Storage (NAS) device. Throughout the intrusions, the threat actor made deliberate attempts to target devices that are unlikely to have EDR installed. Further activity has only recently been identified through recent sample submissions. The malware in use, including BRICKSTORM and SLAYSTYLE, overlaps with recent activity attributed to China-nexus actor UNC6201.
The group initially exploits edge devices, such as VPNs, NAS, and Firewalls exposed to the internet. They also gain access via stolen credentials used to access these devices and Microsoft 365 tenants.
ACTIONABLE GUIDANCE
Operationally, recent malware samples show little change, making detection and blocking based on malware hashes more reliable than network indicators, especially as the actor shifts towards legitimate services. Credential rotation and auditing of firewall and VPN appliance configurations are also warranted, as the actor has previously made configuration changes after establishing access within the environment.
If compromise is suspected, organizations should review unknown cron jobs and network callouts from devices that may not have EDR agents installed, as these have been common locations for persistence in past activity. Appliances and hosts should also be kept up to date, especially internet exposed edge devices, as these remain high value targets and are likely initial entry points based on previous attacks.
SUMMARY
Security researcher Nightmare Eclipse released a proof-of-concept exploit for a Microsoft Defender zero-day vulnerability called RoguePlanet, which can grant SYSTEM privileges on fully patched Windows systems. The release also highlights an ongoing dispute between the researcher and Microsoft over vulnerability disclosure practices. Hours later, the researcher published another PoC affecting BitLocker, dubbed GreatXML.
Category
Zero-day
Industry
Multiple
Sources
Internal OSec Research
ANALYST COMMENTS
Security researcher Nightmare Eclipse released a proof-of-concept exploit for the RoguePlanet zero-day, a local privilege escalation vulnerability in Defender, which exploits a race condition to grant attackers SYSTEM-level privileges on fully patched Windows 10 and 11 systems. Nightmare Eclipse also claims to have found additional memory corruption vulnerabilities and other security issues in Defender and other Windows components not disclosed. Hours later, the researcher also released another PoC dubbed GreatXML, which affects BitLocker and can result in a bypass of the security control.
We have tested both vulnerabilities in our lab environment. RoguePlanet was tested against fully patched Windows 10 and 11 hosts, and the PoC executed successfully in both cases. Execution against Windows 10 was less reliable and failed more frequently. Windows 11 systems appeared more susceptible, with most executions successfully gaining SYSTEM level privileges.
ACTIONABLE GUIDANCE
Applying the current patch is still recommended, as it appears to protect against the unaltered PoC. However, there is a high likelihood that the code will be modified during weaponization, which may render the current defensive package ineffective.
Organizations should monitor for forensic artifacts associated with exploitation, especially events involving VSS and Defender’s core process. Since this vulnerability may be used to disable Defender or other security controls, alerts for stopped or disabled security processes may indicate use of this PoC or similar activity on a vulnerable host.
SUMMARY
ServiceNow addressed a security incident where an unauthenticated access flaw in an API endpoint allowed attackers to query sensitive data from customer instances. While the activity was initially believed to be malicious, ServiceNow now suggests it was likely due to security research or bug bounty submissions.
Category
Critical Vulnerabilities
Industry
Technology, Multiple
Sources
https://www.reddit.com/r/servicenow/comments/1u0c45c/potential_servicenow_breach/
https://trust.servicenow.com/notifications/1205429e-fea3-4cbf-b37b-8cd3a4e07aef
ANALYST COMMENTS
ServiceNow addressed a security incident where attackers exploited an unauthenticated access flaw via a vulnerable API endpoint, enabling unauthorized data queries from customer instances. The company informed affected customers via support bulletins after detecting anomalous activity. ServiceNow applied a security update to hosted instances on June 5, 2026, changing the API endpoint configuration to limit access to authenticated users only.
Affected data included sensitive enterprise information like IT support tickets and employee records, with attackers potentially accessing this data through the '/api/now/related_list_edit/create' endpoint configured with 'requires_authentication=false'. ServiceNow later clarified that the activity was likely from security researchers or customer-led research associated with bug bounty submissions, not malicious actors, and disclosed a delayed deployment of the security update due to receiving a confidential bug bounty submission on April 22, 2026.
Multiple customer records were exposed, which suggests the actor likely targeted more than one customer instance. Based on the root cause, the actor likely interacted with the endpoint directly by sending crafted requests to an API endpoint that did not require authentication. External reporting indicates the activity originated from a single IP address.
51.159.98.241 - AS12876 Scaleway SAS FranceACTIONABLE GUIDANCE
While major downstream effects are unlikely for affected organizations, the following actions are still recommended. Organizations should audit exposed tickets and records for sensitive data, rotate any credentials or tokens that passed through support workflows, and verify that API logging is enabled.
Organizations should also alert on increased request volume to the vulnerable endpoint or communication from unknown IP addresses that only interact with that endpoint. This activity should be treated as more suspicious if the associated IP address is not observed during authentication, is not associated with other ServiceNow API activity, or matches the IP address noted above.
SUMMARY
Ivanti published an advisory outlining two critical vulnerabilities in its Sentry product; a pre-authenticated OS Command Injection (CVE-2026-10520) and an Authentication Bypass (CVE-2026-10523). Both issues can be exploited by unauthenticated attackers to achieve root-level access and create arbitrary administrative accounts, respectively.
Category
Critical Vulnerabilities
Industry
Multiple
Sources
https://thehackernews.com/2025/09/unc5221-uses-brickstorm-backdoor-to.html
ANALYST COMMENTS
Ivanti published an advisory detailing two critical vulnerabilities in its Sentry product, which manages and secures traffic between mobile devices and enterprise systems. The first vulnerability, CVE-2026-10520, is an OS Command Injection that allows remote unauthenticated users to achieve root-level remote code execution. The second, CVE-2026-10523, is an Authentication Bypass vulnerability that permits attackers to create arbitrary administrative accounts and gain full administrative access.
This vulnerability has a publicly available PoC, associated research, and confirmed exploitation in the wild. The PoC and research released allows full weaponization of the vulnerability. The issue stems from a lack of authentication on the vulnerable endpoint and failure to validate user input via a user supplied message.
This is currently being weaponized to plant backdoors on vulnerable instances of Ivanti Sentry with exploitation observed shortly after the PoC was disclosed.
ACTIONABLE GUIDANCE
Organizations should immediately segregate these hosts from the public internet and then ensure that the most recent vendor patches have been applied. If the patch cannot be applied at this time, segregation of the host is still recommended. Monitoring should be configured to detect activity targeting the vulnerable endpoint and the malicious string observed in exploitation. Threat hunting should also be performed to identify any signs of prior exploitation or backdoor deployment. Monitoring priorities should look for requests to the affected endpoint in device logs and detect on “execute system…” strings. The following strings below can be used to detect and hunt for past or active compromise abusing this vulnerability.
Affected Versions
10.5.1, 10.6.1, 10.7.0 and prior
Fixed Versions
10.5.2, 10.6.2 and 10.7.1 SUMMARY
ShinyHunters is attacking Oracle PeopleSoft servers, claiming to have stolen data from over 100 organizations across 300 instances, primarily in the education sector. The threat actor has published data from Nottingham University on their leak site and is known to deploy ransom notes after breaching systems.
Category
Threat Actor Activities
Industry
Business Services, Education, Retail, Technology
Sources
https://www.oracle.com/security-alerts/alert-cve-2026-35273.html
https://x.com/nahamike01/status/2064529246178210220
Internal OSec Research
ANALYST COMMENTS
ShinyHunters is attacking Oracle PeopleSoft servers, claiming to have stolen data from over 100 organizations across 300 instances, primarily in the education sector.
The threat actor uses a "gadget chain" of vulnerabilities and has recently published data from Nottingham University on their leak site. They deploy a ransom note script targeting PeopleSoft systems with common administrative credentials like 'psoft' and 'oracle' after breaches. The group appears to leverage CVE-2026-35273 to breach universities, based on leaked information from Shinyhunters staging infrastructure.
CVE-2026-35273 is among the vulnerabilities reportedly being used. The vulnerability affects the HTTP interface for affected PeopleSoft servers and is not currently known to have a public PoC. Further details of the vulnerability are unavailable, however it is noted as being simple to exploit. This is likely one of the vulnerabilities that ShinyHunters have developed and has only recently been patched by Oracle.
ACTIONABLE GUIDANCE
Organizations using PeopleSoft versions 8.61 and 8.62 are at risk of exploitation by this threat actor and should apply the recently issued patch for CVE-2026-35273. The group makes heavy use of RMM software in their tactics, with most recent examples using MeshCentral. Organizations should hunt for files that match signatures of unknown RMM software, as this may indicate abuse. While the network indicators are all stale aside from the IP associated with the leak site, they can be added to a blocklist or used for threat hunting if a previous compromise is suspected. The group will also use brute-force and credential spray tactics in their behavior, so seeing large volumes of failed login attempts from unknown addresses may also indicate abuse.
The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec's original threat research. Delivered weekly to our partners and clients. REQUEST ACCESS