🚨 Top Signals
PAN-OS GlobalProtect authentication bypass moved from patching issue to active-exploitation hunt
Unit 42 reported active exploitation of CVE-2026-0257, a PAN-OS GlobalProtect portal and gateway authentication-bypass issue that can let unauthorized attackers initiate VPN connections. The flaw was added to CISA KEV on May 29, and Unit 42 published indicators for successful gateway-connected events.
Sources: Unit 42 · Palo Alto advisory · Rapid7
💡 Key Takeaway: Do not stop at version checks. Patch or mitigate affected GlobalProtect portals and gateways, then hunt for suspicious gateway-connected events, unusual host IDs, unexpected device names, and successful VPN sessions from known suspicious infrastructure.
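One way to turn that hunt into a repeatable check, as an added example that is not part of the original digest or any Palo Alto tooling: it filters successful gateway-connected events and flags sessions whose host ID is not in the endpoint inventory, whose device name breaks the corporate naming convention, or whose public IP falls in a watch-listed range. The record field names and every sample value are constructed assumptions; map your own GlobalProtect log export onto them.

```python
import ipaddress

# Constructed sample records loosely modelled on GlobalProtect log columns
# (Source User, Public IP, Machine Name, Host ID); the schema is an assumption.
SAMPLE_EVENTS = [
    {"event_id": "gateway-connected", "status": "success", "srcuser": "acme\\jdoe",
     "public_ip": "203.0.113.10", "machinename": "ACME-LT-0412", "hostid": "hid-0412"},
    {"event_id": "gateway-connected", "status": "success", "srcuser": "acme\\jdoe",
     "public_ip": "198.51.100.7", "machinename": "DESKTOP-9K2L", "hostid": "hid-unknown-1"},
    {"event_id": "portal-auth", "status": "success", "srcuser": "acme\\asmith",
     "public_ip": "203.0.113.20", "machinename": "ACME-LT-0555", "hostid": "hid-0555"},
    {"event_id": "gateway-connected", "status": "failure", "srcuser": "acme\\bwong",
     "public_ip": "203.0.113.55", "machinename": "ACME-LT-0777", "hostid": "hid-9999"},
    {"event_id": "gateway-connected", "status": "success", "srcuser": "acme\\bwong",
     "public_ip": "203.0.113.55", "machinename": "ACME-LT-0777", "hostid": "hid-9999"},
]
KNOWN_HOSTIDS = {"hid-0412", "hid-0555"}                      # from endpoint/MDM inventory
SUSPICIOUS_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # constructed watch list
NAMING_PREFIX = "ACME-"                                       # corporate device-name rule

def hunt_gateway_connections(events, known_hostids, suspicious_nets, prefix):
    """Return successful gateway-connected sessions that fail any check:
    unknown host ID, device name outside convention, or watch-listed source IP."""
    findings = []
    for e in events:
        if e.get("event_id") != "gateway-connected" or e.get("status") != "success":
            continue  # only established tunnels matter for this hunt
        reasons = []
        if e["hostid"] not in known_hostids:
            reasons.append("unknown hostid")
        if not e["machinename"].startswith(prefix):
            reasons.append("device name outside naming convention")
        ip = ipaddress.ip_address(e["public_ip"])
        if any(ip in net for net in suspicious_nets):
            reasons.append("source in suspicious infrastructure")
        if reasons:
            findings.append({"user": e["srcuser"], "ip": e["public_ip"],
                             "host": e["machinename"], "reasons": reasons})
    return findings

def run_hunt():
    return hunt_gateway_connections(SAMPLE_EVENTS, KNOWN_HOSTIDS, SUSPICIOUS_NETS, NAMING_PREFIX)

if __name__ == "__main__":
    for f in run_hunt():
        print(f"{f['user']} from {f['ip']} on {f['host']}: {', '.join(f['reasons'])}")
```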
Cisco SD-WAN exploitation shows the risk of chained control-plane access
Cisco warned that CVE-2026-20245 in Catalyst SD-WAN Manager has been exploited in limited cases, with activity resulting in configuration changes pushed to edge devices. The issue requires netadmin privileges or prior exploitation of related SD-WAN flaws, making it a control-plane chaining problem rather than a standalone web bug.
Sources: Cisco advisory · BleepingComputer
💡 Key Takeaway: Preserve admin-tech files before upgrades, review SD-WAN scripts logs for tenant-list upload activity, validate edge-device configuration changes, and treat compromised SD-WAN management access as a possible network-wide incident.
AI-assisted ransomware tooling is moving toward automation of post-access work
BleepingComputer reported that a threat actor used AI-assisted tooling to automate Active Directory discovery and support EDR evasion work, with development aided by AI agents during coding, analysis, and revision stages.
Sources: BleepingComputer · SC Media
💡 Key Takeaway: Assume post-access workflows will accelerate. Reduce standing privileges, alert on AD discovery commands, monitor for unusual security-tool tampering, and rehearse isolation steps that do not depend on slow manual triage.
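Because scripted tooling compresses hours of manual enumeration into seconds, the density of discovery commands per host is a useful signal on top of the individual commands. The following added example (not from the original digest or any vendor product) classifies constructed process-creation events against a few well-known AD discovery patterns and alerts when several distinct techniques run on one host within a short window; the event schema, window size and thresholds are assumptions to tune against your own EDR or Sysmon data.

```python
import re
from collections import defaultdict

# Constructed process-creation events; ts is epoch seconds. Map your EDR or
# Sysmon Event ID 1 fields onto ts/host/user/cmdline before use (assumed schema).
SAMPLE_PROCS = [
    {"ts": 1000, "host": "WS-17", "user": "acme\\jdoe", "cmdline": "whoami /groups"},
    {"ts": 1002, "host": "WS-17", "user": "acme\\jdoe", "cmdline": "nltest /dclist:acme"},
    {"ts": 1003, "host": "WS-17", "user": "acme\\jdoe", "cmdline": 'net group "Domain Admins" /domain'},
    {"ts": 1004, "host": "WS-17", "user": "acme\\jdoe", "cmdline": "dsquery user -limit 0"},
    {"ts": 1005, "host": "WS-17", "user": "acme\\jdoe", "cmdline": "nltest /domain_trusts"},
    {"ts": 1010, "host": "WS-03", "user": "acme\\helpdesk", "cmdline": "nltest /dclist:acme"},
    {"ts": 5000, "host": "WS-03", "user": "acme\\helpdesk", "cmdline": 'net group "Domain Admins" /domain'},
    {"ts": 1020, "host": "WS-17", "user": "acme\\jdoe", "cmdline": "notepad.exe notes.txt"},
]

# Technique name -> command-line pattern (a small, illustrative subset).
DISCOVERY_PATTERNS = {
    "dc_enum": re.compile(r"\bnltest(\.exe)?\b.*/dclist", re.I),
    "trust_enum": re.compile(r"\bnltest(\.exe)?\b.*/domain_trusts", re.I),
    "priv_group_enum": re.compile(r"\bnet1?(\.exe)?\s+group\b.*/domain", re.I),
    "ad_query": re.compile(r"\b(dsquery|adfind)(\.exe)?\b", re.I),
    "token_groups": re.compile(r"\bwhoami(\.exe)?\s+/groups", re.I),
}

def classify(cmdline):
    """Return the discovery techniques a command line matches (may be empty)."""
    return [name for name, rx in DISCOVERY_PATTERNS.items() if rx.search(cmdline)]

def detect_discovery_bursts(events, window=60, min_distinct=3):
    """Alert on hosts where >= min_distinct distinct techniques ran within
    `window` seconds; one alert per host, anchored at the burst's first hit."""
    per_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        for tech in classify(e["cmdline"]):
            per_host[e["host"]].append((e["ts"], tech, e["user"]))
    alerts = []
    for host, hits in per_host.items():
        for i, (t0, _, user) in enumerate(hits):
            seen = {tech for t, tech, _ in hits[i:] if t - t0 <= window}
            if len(seen) >= min_distinct:
                alerts.append({"host": host, "user": user, "start": t0,
                               "techniques": sorted(seen)})
                break
    return alerts

if __name__ == "__main__":
    for a in detect_discovery_bursts(SAMPLE_PROCS):
        print(f"{a['host']} ({a['user']}) at {a['start']}: {', '.join(a['techniques'])}")
```

The helpdesk host runs two of the same commands hours apart and stays quiet, while the burst of five techniques in six seconds on WS-17 is what the automated workflow looks like.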
🛡️ Exploited & High-Priority Vulnerabilities
Windows Netlogon RCE exploitation warning raises domain-controller urgency
Belgium’s Centre for Cybersecurity warned that CVE-2026-41089, a critical Windows Netlogon remote-code-execution flaw patched in May, is being exploited in the wild. Microsoft’s guidance remains to install current security updates on affected Windows Server domain controllers.
Sources: BleepingComputer · Microsoft MSRC · SecurityWeek
💡 Key Takeaway: Prioritize domain controllers as Tier 0. Confirm patch status, restrict exposed RPC paths, review DC logs for abnormal authentication and service activity, and avoid assuming internal-only vulnerabilities are low risk.
Android June patches fixed an actively exploited Framework flaw
Google’s June Android security bulletin says CVE-2025-48595 may be under limited, targeted exploitation. The issue affects Android Framework and is addressed in the June 2026 patch levels.
Sources: Android Security Bulletin · BleepingComputer
💡 Key Takeaway: Push June Android updates through MDM, prioritize executives and high-risk users, and verify unmanaged or BYOD devices that access corporate email, collaboration, or identity apps.
Everest Forms Pro WordPress RCE exploitation targets site takeover paths
The Hacker News reported active exploitation of CVE-2026-3300, a critical remote-code-execution vulnerability in the Everest Forms Pro WordPress plugin that can allow attackers to take over affected sites.
Source: The Hacker News
💡 Key Takeaway: Inventory WordPress plugins, patch or disable Everest Forms Pro immediately, review admin-user creation and plugin/theme file changes, and scan web roots for new PHP files or injected loaders.
📈 Defender Trend
Control planes are becoming the shortest path from exposure to impact
This week’s pattern is not just more vulnerabilities. It is attackers focusing on the systems that steer access: VPN gateways, SD-WAN managers, domain controllers, mobile token brokers, package registries, and operational monitoring devices. Once these systems are touched, the blast radius is rarely limited to the first host.
💡 Key Takeaway: Build and maintain a control-plane inventory that includes network management, identity, CI/CD, device management, SaaS admin consoles, domain controllers, and OT monitoring systems. For each one, document owner, patch path, log source, emergency isolation step, and token or credential rotation procedure.
🔎 Other Signals
IronWorm hit npm packages in another developer-supply-chain reminder
BleepingComputer reported that 36 npm packages were infected with IronWorm infostealer malware, continuing the pattern of package ecosystems being used to harvest developer and cloud secrets.
Source: BleepingComputer
💡 Key Takeaway: Lock dependency updates behind review, scan build environments for secrets, restrict package-token scopes, and monitor for suspicious install scripts or credential access during CI runs.
Federal agencies warned about attacks on automatic tank gauge systems
CISA, FBI, NSA, DOE, and partners warned critical-infrastructure operators to secure internet-exposed automatic tank gauge systems used to monitor fuel and chemical storage. BleepingComputer separately reported more than 900 U.S. ATG systems exposed online.
Sources: BleepingComputer · TechRepublic
💡 Key Takeaway: Remove ATG systems from public internet exposure, change default credentials, segment them from business networks, and verify alerting for configuration changes that could affect fuel inventory or safety monitoring.
DentaQuest breach claim affected millions of dental-benefits accounts
BleepingComputer reported that DentaQuest disclosed a breach affecting 2.6 million accounts after ShinyHunters claimed to have stolen more than 234 GB of data.
Source: BleepingComputer
💡 Key Takeaway: Healthcare-adjacent benefit providers should review vendor-data access, data-export controls, and breach-response playbooks for extortion claims involving large personal-data stores.
Microsoft 365 Android token bug exposed mobile SSO assumptions
Researchers disclosed that a leftover debug flag in several Microsoft 365 Android apps disabled a token-sharing trust check, allowing a malicious local app to request signed-in account tokens. Microsoft patched the issue in May updates.
Sources: The Hacker News · Dark Reading
💡 Key Takeaway: Push Microsoft 365 Android app updates through MDM, verify managed devices are on fixed builds, and consider token revocation for high-risk users who ran vulnerable apps alongside untrusted mobile software.
✅ This Week’s Defensive Check
Run a Control-Plane Exposure Review
Pick the systems that can move access, configuration, code, identity, or data at scale, then validate whether you can contain each one quickly.
Action: For VPNs, SD-WAN managers, domain controllers, CI/CD systems, package registries, MDM, SaaS admin consoles, and OT monitoring systems, confirm owner, patch level, public exposure, admin MFA, logging source, emergency isolation path, and credential or token rotation plan.
Evidence you’re done: A one-page list of control-plane systems with owners, current exposure status, last patch date, log location, and a named containment action that can be executed in under 30 minutes.
💡 Key Takeaway: The goal is to know which systems create the widest blast radius before attackers test them for you.
🧠 Final Word
The week’s lesson is that the most important systems are not always the most visible ones. VPN gateways, SD-WAN managers, mobile tokens, domain controllers, and build pipelines often sit behind the scenes, but they decide who can reach what. Defenders should patch the urgent flaws, then shrink the access paths that turn one foothold into enterprise-wide leverage.