🚨 Top Signals
Check Point VPN zero-day exploitation linked to Qilin ransomware activity
Check Point disclosed active exploitation of CVE-2026-50751, a critical authentication-bypass flaw in Remote Access VPN and Mobile Access deployments using deprecated IKEv1. Reporting linked at least one incident to Qilin ransomware activity, and CISA added the flaw to KEV with a shortened federal remediation window.
Sources: Check Point · SecurityWeek · BleepingComputer
💡 Key Takeaway: Treat VPN appliances as breach-entry infrastructure, not routine network gear. Apply hotfixes or mitigations, disable deprecated IKEv1 exposure where possible, review successful VPN session logs, rotate exposed credentials, and hunt for post-auth lateral movement.
Oracle PeopleSoft zero-day exploitation put ERP data theft back in focus
Google and Mandiant confirmed exploitation of CVE-2026-35273, a critical unauthenticated PeopleSoft Enterprise PeopleTools RCE issue, in ShinyHunters-linked data-theft activity. Oracle released mitigations, while reporting indicated education-sector targeting and possible exposure through Environment Management Hub endpoints.
Sources: SecurityWeek · The Hacker News · Oracle
💡 Key Takeaway: ERP systems hold HR, payroll, finance, and campus or business data in one place. Restrict PeopleSoft management endpoints, apply Oracle guidance, inspect web and application logs for unusual PSEMHUB access, and prepare data-exposure review before extortion contact arrives.
ServiceNow incident shows SaaS API bugs can become customer-data events
ServiceNow warned impacted customers after attackers exploited an unauthenticated access flaw through a vulnerable API endpoint, allowing them to query customer instance data. The company updated API endpoint configuration to restrict access to authenticated users.
Source: BleepingComputer
💡 Key Takeaway: SaaS trust does not remove the need for logging and data-access monitoring. Review ServiceNow notices, confirm endpoint updates, identify queried tables where possible, and tighten integrations that allow high-volume access to tickets, assets, HR, or security workflows.
🛡️ Exploited & High-Priority Vulnerabilities
Google patched another exploited Chrome zero-day
Google released Chrome updates for CVE-2026-11645, a V8 issue exploited in the wild. SecurityWeek reported that Chrome 149 patched 74 vulnerabilities, including this zero-day.
Sources: Google Chrome Releases · SecurityWeek · BleepingComputer
💡 Key Takeaway: Force browser updates through endpoint management and verify restart compliance. Browser zero-days are often only the first stage, so prioritize high-risk users, unmanaged endpoints, and systems that stay open for weeks without relaunching.
Splunk Enterprise critical flaw enables unauthenticated file operations and possible RCE
Splunk disclosed CVE-2026-20253, a CVSS 9.8 issue involving unauthenticated arbitrary file creation and truncation in a PostgreSQL sidecar service endpoint. Fixed versions are available for the affected Splunk Enterprise 10.0 and 10.2 release lines, while Splunk Cloud is not affected.
Sources: Splunk advisory · The Hacker News
💡 Key Takeaway: Patch affected Splunk Enterprise systems quickly, especially where management or sidecar endpoints are reachable. Review network exposure, preserve splunkd and OS logs, and verify whether unexpected file creation or truncation occurred before patching.
Veeam Backup & Replication RCE risk targets the recovery layer
Veeam released updates for CVE-2026-44963, a critical flaw that can allow remote code execution on a Backup & Replication server by an authenticated domain user. Backup infrastructure remains a high-impact target because it often has broad access to production systems and recovery data.
Sources: Veeam · BleepingComputer · The Hacker News
💡 Key Takeaway: Patch Veeam, restrict who can authenticate to backup servers, separate backup admin roles from ordinary domain users, and validate immutable or offline recovery paths. A compromised backup server can turn an incident into a failed recovery.
📈 Defender Trend
Incident response is moving closer to the exposed business system
This week was less about one malware family and more about how quickly business-facing platforms became security events. Check Point VPN appliances, Oracle PeopleSoft, ServiceNow APIs, Splunk Enterprise, Veeam Backup & Replication, LiteLLM, and Ivanti Sentry all sit close to identity, data, operations, or recovery. When one of them is exposed or exploited, defenders need application owners, infrastructure, identity, and incident response moving from the same ticket instead of waiting for handoffs.
💡 Key Takeaway: For the systems that hold business data or grant operational reach, build incident-response hooks into the patch process. Every exploited advisory should trigger three parallel actions: patch or mitigate, check for compromise, and identify what data, credentials, logs, or recovery paths the system could affect.
🔎 Other Signals
LiteLLM flaw added to KEV after active exploitation evidence
CISA added CVE-2026-42271, a LiteLLM command-injection vulnerability, to KEV after evidence of active exploitation. Researchers also described a chain using a Starlette host-header validation bypass to reach unauthenticated RCE against vulnerable deployments.
Sources: GitHub Security Advisory · The Hacker News
💡 Key Takeaway: AI gateway and proxy services belong in vulnerability management. Patch LiteLLM, restrict admin exposure, review container and host command execution logs, and inventory experimental AI services that quietly became production dependencies.
Ivanti Sentry exploitation followed quickly after patch disclosure
Attackers began targeting CVE-2026-10520 in Ivanti Sentry, a maximum-severity flaw that can lead to root-level code execution on internet-exposed secure mobile gateway appliances. CISA added the vulnerability to KEV and ordered federal remediation under its new accelerated directive.
Sources: BleepingComputer · BleepingComputer · Help Net Security
💡 Key Takeaway: Mobile access gateways should be patched and checked for compromise immediately after exploit news. Limit internet exposure, review appliance logs, and plan replacement or segmentation for systems that cannot be updated quickly.
CISA’s BOD 26-04 formalizes faster risk-based patching for federal agencies
CISA issued Binding Operational Directive 26-04, requiring federal civilian agencies to prioritize security updates based on risk. The highest-risk categories can require action in as little as three days, and guidance emphasizes public exposure, KEV status, automation potential, and exploit access level.
💡 Key Takeaway: Private-sector teams should borrow the model even if they are not bound by it. A single patch SLA is too slow; remediation speed should change when a flaw is exploited, internet-facing, automatable, or grants privileged access.
AudiA6 crypto-laundering service disruption hit ransomware financial infrastructure
Europol announced the disruption of AudiA6, a cryptocurrency laundering pipeline trusted by ransomware gangs and cybercriminal networks and tied to hundreds of millions of euros in illicit funds. The operation involved international law enforcement cooperation and infrastructure seizure.
Sources: Europol · The Hacker News · Help Net Security
💡 Key Takeaway: Law-enforcement disruption can change attacker economics, but it does not remove the operational risk. Continue hardening backup, identity, VPN, and data-egress controls while monitoring for ransomware groups shifting payment and laundering channels.
✅ This Week’s Defensive Check
Open a 72-Hour Exposed-System Response Ticket
Action: Open one response ticket covering this week’s highest-risk exposed systems and attach it to the normal vulnerability workflow.
Who runs it: Vulnerability management owns the ticket. System owners for VPN, ERP, SaaS, SIEM, backup, AI gateway, MDM, mobile gateway, and remote-access infrastructure provide status. Incident response reviews compromise evidence. Identity reviews credential or token exposure.
Check these specifically: Check Point VPN, Oracle PeopleSoft, ServiceNow APIs, Splunk Enterprise, Veeam Backup & Replication, LiteLLM, Ivanti Sentry, Chrome enterprise update compliance, and any internet-facing system that appears in KEV or active-exploitation reporting.
Evidence you’re done: The ticket includes owner, exposure status, current version, mitigation or patch status, log source, compromise-review result, credential or token rotation decision, and emergency isolation method for each affected system.
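As an added example that is not part of the newsletter (and not CISA's or any vendor's code), the Python sketch below turns an advisory record into the response-ticket fields listed above, attaches the three parallel actions from the Defender Trend section, and assigns a risk-based remediation window in the spirit of BOD 26-04. The only window taken from the page is the three-day figure for the highest-risk category; the 14-day and 30-day tiers, the factor names, and the exposure flags on the sample advisories are assumptions chosen for illustration.

```python
"""Added example: exploited-advisory triage ticket with BOD 26-04-style windows.
Not from the newsletter or from CISA; tier thresholds other than 3 days are assumed."""
from dataclasses import dataclass

# Evidence fields the Defensive Check says a finished ticket must carry.
TICKET_FIELDS = (
    "owner", "exposure_status", "current_version", "patch_or_mitigation_status",
    "log_source", "compromise_review_result", "credential_rotation_decision",
    "emergency_isolation_method",
)

# The three parallel actions every exploited advisory should trigger.
PARALLEL_ACTIONS = (
    "patch or mitigate",
    "check for compromise",
    "identify affected data, credentials, logs, and recovery paths",
)


@dataclass
class Advisory:
    system: str
    cve: str
    internet_facing: bool
    in_kev: bool
    exploited: bool
    automatable: bool       # assumed factor: can the exploit run without user interaction?
    privileged_impact: bool  # assumed factor: does success grant admin/root/domain reach?


def risk_factors(adv: Advisory) -> list:
    """Return the names of the risk drivers present on this advisory."""
    names = ("internet_facing", "in_kev", "exploited", "automatable", "privileged_impact")
    return [n for n in names if getattr(adv, n)]


def remediation_window_days(adv: Advisory) -> int:
    """Risk-based SLA instead of one flat patch window.
    3 days matches the page's 'as little as three days' top tier; 14 and 30 are assumed."""
    if (adv.exploited or adv.in_kev) and adv.internet_facing:
        return 3
    if risk_factors(adv):
        return 14  # assumed: exposed, automatable, or privileged but not yet exploited
    return 30      # assumed: routine window


def open_ticket(advisories: list) -> dict:
    """Build one ticket covering every advisory, keyed by system name."""
    ticket = {}
    for adv in advisories:
        ticket[adv.system] = {
            "cve": adv.cve,
            "remediation_window_days": remediation_window_days(adv),
            "risk_factors": risk_factors(adv),
            "actions": {a: "open" for a in PARALLEL_ACTIONS},
            "evidence": {f: None for f in TICKET_FIELDS},
        }
    return ticket


def record_evidence(ticket: dict, system: str, **fields) -> None:
    """Fill evidence fields; reject anything outside the agreed field list."""
    unknown = set(fields) - set(TICKET_FIELDS)
    if unknown:
        raise KeyError(f"not a ticket field: {sorted(unknown)}")
    ticket[system]["evidence"].update(fields)


def missing_evidence(entry: dict) -> list:
    """Fields still empty; a ticket cannot close while any remain."""
    return [f for f, v in entry["evidence"].items() if v is None]


def can_close(entry: dict) -> bool:
    """Patched is not done: compromise review and ownership must also be recorded."""
    actions_done = all(s == "done" for s in entry["actions"].values())
    return actions_done and not missing_evidence(entry)


# Constructed sample records based on this week's items; exposure flags are assumed.
SAMPLE_ADVISORIES = [
    Advisory("Check Point Remote Access VPN", "CVE-2026-50751", True, True, True, True, True),
    Advisory("Veeam Backup & Replication", "CVE-2026-44963", False, False, False, False, True),
    Advisory("Splunk Enterprise", "CVE-2026-20253", False, False, False, True, True),
]

if __name__ == "__main__":
    t = open_ticket(SAMPLE_ADVISORIES)
    record_evidence(t, "Check Point Remote Access VPN",
                    owner="network-team", compromise_review_result="no indicators found")
    for system, entry in t.items():
        print(f"{system}: {entry['remediation_window_days']}d window, "
              f"missing {len(missing_evidence(entry))} evidence fields")
```

The design point is that the window shrinks only when the page's risk drivers are present, and `can_close` refuses a ticket that has a patch status but no compromise-review result or owner, which is the gap the Defensive Check is meant to close.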
💡 Key Takeaway: A fast patch is only half the job. For exposed systems tied to access, data, logs, or recovery, the ticket must also prove whether compromise was checked and who owns the next action.
🧠 Final Word
This was a high-leverage systems week. VPN access, PeopleSoft management endpoints, ServiceNow APIs, Splunk infrastructure, Veeam backup servers, AI gateways, and mobile access appliances all showed up in the same news cycle. That is the shape of modern enterprise risk: the most valuable targets are the systems that quietly connect everything else.
Patch the urgent items, but also update the operating model. Internet exposure, KEV status, exploit automation, and privilege impact should decide how fast the organization moves.