پارتیان ابتکار پایدار

Oracle PeopleSoft Zero-Day

What is the Attack?	Google Threat Intelligence Group (GTIG) and Mandiant have identified an active compromise and extortion campaign attributed to ShinyHunters (tracked as UNC6240) targeting Oracle PeopleSoft environments. The attackers exploited a previously unknown remote code execution vulnerability, CVE-2026-35273, before Oracle released an advisory and patches, making this a true zero-day attack. The campaign primarily targeted higher education institutions, with approximately 68% of identified victims belonging to the education sector. Organizations running internet-accessible Oracle PeopleSoft Environment Management components are at highest risk. Successful exploitation enables unauthenticated remote code execution, deployment of remote management tooling, data theft, and extortion activities. An attacker who successfully exploits CVE-2026-35273 can: • Execute arbitrary code on vulnerable Oracle PeopleSoft servers. • Establish persistent remote access using legitimate administration tools. • Conduct reconnaissance of enterprise infrastructure and configurations. • Move laterally within the environment. • Steal sensitive employee, student, financial, and operational data. • Conduct extortion or ransomware-style operations using stolen data.
What is the recommended Mitigation?	Potentially exposed systems include: Internet-facing Oracle PeopleSoft deployments. • Immediately apply Oracle's security updates for CVE-2026-35273. • Restrict external access to PeopleSoft Environment Management services. • Review logs for suspicious activity between May 27 and June 9, 2026. • Hunt for unauthorized MeshCentral agents and remote management tools. • Monitor for unusual administrative activity, data access, and large outbound transfers. • Conduct compromise assessments on exposed PeopleSoft systems.
What FortiGuard Coverage is available?	• FortiGuard IPS: Detects and blocks exploitation attempts targeting Oracle PeopleSoft vulnerabilities. Intrusion Prevention \| FortiGuard Labs • FortiGuard Web Filtering: Blocks access to known malicious infrastructure and command-and-control domains. • FortiGuard AntiVirus and Behavior-Based Detection: Detects Mesh-Central-based payloads and malicious post-exploitation activity. • FortiEDR and FortiXDR: Identify suspicious remote administration activity, persistence mechanisms, and lateral movement behavior. • FortiSIEM and FortiAnalyzer: Provide visibility into exploitation attempts and post-compromise activity across the environment.

Cisco Catalyst SD-WAN Manager Privilege Escalation Vulnerability

What is the Vulnerability?	Cisco has disclosed a critical security vulnerability, CVE-2026-20245, affecting Cisco Catalyst SD-WAN Manager and confirmed that it is being actively exploited in the wild. The vulnerability resides in the platform's command-line interface (CLI) and allows an authenticated attacker with netadmin privileges to execute arbitrary commands as root on the underlying operating system. According to Cisco, successful exploitation has been observed in real-world attacks and has resulted in unauthorized configuration changes being pushed to managed SD-WAN edge devices. At the time of disclosure, Cisco had not released a software fix or workaround and instead provided indicators of compromise and investigation guidance to assist affected organizations.
What is the recommended Mitigation?	• Restrict access to SD-WAN Manager administrative interfaces to trusted management networks. • Review Cisco-provided indicators of compromise and audit logs for evidence of suspicious file uploads, root-level activity, or unauthorized configuration changes. • Verify the integrity of SD-WAN edge device configurations and policies. • Rotate privileged SD-WAN credentials and investigate potential credential exposure. • Monitor Cisco security advisories and apply updates immediately once a fix becomes available. • Engage incident response procedures if signs of compromise are identified, as patching alone may not remediate an already compromised environment.
What FortiGuard Coverage is available?	• FortiGuard Antivirus & Behavior Detection: Detects and blocks malicious payloads and abnormal process execution that may result from successful exploitation. • FortiGuard Incident Response Service: Assists organizations in investigating potential compromise, identifying attacker activity, and supporting remediation efforts. • FortiGuard Managed Detection and Response (MDR): Provides continuous monitoring and detection of post-exploitation activity, privilege escalation attempts, and unauthorized configuration changes within affected environments.

npm Supply Chain Cryptocurrency Malware

What is the Attack?	Researchers have identified a large-scale software supply chain campaign targeting the npm ecosystem, leveraging malicious JavaScript packages to distribute a multi-stage cryptocurrency-focused malware framework. The campaign affected numerous npm packages that collectively accumulated more than 2.7 million downloads, significantly increasing the potential victim pool among developers, software organizations, and CI/CD environments. The malware is designed to steal cryptocurrency wallet data, harvest credentials, exfiltrate sensitive information, and deploy additional payloads on compromised systems. The campaign highlights the growing risk posed by software supply chain attacks, where trusted open-source repositories are abused to distribute malware through legitimate development workflows. Successful infection may allow attackers to: • Steal cryptocurrency wallet credentials and digital assets. • Harvest developer credentials, API keys, and authentication tokens. • Obtain access to cloud environments and CI/CD platforms. • Exfiltrate source code and sensitive project data. • Compromise software build pipelines and downstream software consumers. • Deploy additional malware or persistence mechanisms on infected systems. • Facilitate further supply chain compromises through stolen publishing credentials.
What is the recommended Mitigation?	• Audit all recently installed npm dependencies for unauthorized or suspicious packages. • Implement software composition analysis (SCA) and dependency monitoring solutions. • Enforce package integrity verification and package provenance validation. • Rotate npm, GitHub, cloud, and CI/CD credentials if compromise is suspected. • Restrict the use of long-lived access tokens and enforce least-privilege permissions. • Monitor developer endpoints and build systems for unusual network activity. • Implement continuous monitoring for unauthorized package publishing activity. • Review software supply chain security controls and dependency approval processes.
What FortiGuard Coverage is available?	• FortiGuard Antivirus & Behavior Detection: Detects and blocks malware components, credential theft modules, and suspicious behaviors associated with malicious npm packages and multi-stage payload delivery. • FortiGuard IOC Service: Added coverage for all publicly disclosed malicious infrastructure and indicators of compromise associated with this campaign at the time of publication. • FortiGuard IPS Service: Provides protection against known command-and-control communications, malware delivery infrastructure, and exploitation techniques used by follow-on payloads. • FortiGuard Attack Surface Security Service: Helps identify exposed developer assets, CI/CD infrastructure, and internet-facing systems that may be leveraged following a credential compromise. • FortiGuard Incident Response Service: Assists organizations in investigating software supply chain compromises, identifying affected systems, assessing credential exposure, and supporting remediation efforts. • FortiGuard Managed Detection and Response (MDR) Service: Provides continuous monitoring and threat hunting to identify suspicious package activity, credential abuse, unauthorized cloud access, and post-compromise attacker activity.

Palo Alto Networks PAN-OS GlobalProtect Authentication Bypass

What is the Vulnerability?	CVE-2026-0257 is a high-severity authentication bypass vulnerability affecting the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS and certain Prisma Access deployments. Successful exploitation allows an unauthenticated remote attacker to bypass security controls and establish unauthorized VPN connections without valid credentials. Palo Alto Networks, Unit 42, Rapid7, and other security researchers have confirmed active exploitation in the wild, prompting inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog. The vulnerability impacts deployments that use GlobalProtect authentication override cookies in combination with specific certificate configurations. Threat actors can forge or manipulate authentication cookies to circumvent normal authentication requirements and gain network access.
What is the recommended Mitigation?	Affected products include vulnerable versions of: Palo Alto Networks PAN-OS with GlobalProtect enabled. Prisma Access deployments running vulnerable releases. According to Palo Alto Networks, Panorama and Cloud NGFW are not affected by this vulnerability. Recommended Actions • Upgrade PAN-OS and Prisma Access deployments to fixed versions identified by Palo Alto Networks. • Disable authentication override cookies if operationally feasible. • Review GlobalProtect configurations for affected authentication settings. • Monitor VPN authentication logs for anomalous or unauthorized access. • Investigate successful VPN connections originating from unexpected users, geographies, or devices. • Validate that all externally exposed GlobalProtect gateways are fully patched.
What FortiGuard Coverage is available?	• FortiGuard Intrusion Prevention System (IPS) Service: Provides protection against exploitation attempts targeting CVE-2026-0257 and related GlobalProtect authentication bypass activity. • FortiGuard Antivirus & Behavior Detection: Detects and blocks malware or post-compromise activity that may be delivered following unauthorized VPN access. • FortiGuard Attack Surface Security Service: Helps identify externally exposed PAN-OS GlobalProtect services and vulnerable internet-facing assets. • FortiGuard Incident Response Service: Assists organizations in investigating unauthorized VPN access, determining the scope of compromise, and supporting remediation efforts following exploitation.

Check Point VPN Authentication Bypass Vulnerability

What is the Vulnerability?	A critical authentication bypass vulnerability, CVE-2026-50751 (CVSS 9.3), is being actively exploited against vulnerable Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol. The flaw allows unauthenticated attackers to bypass user authentication through a certificate validation logic weakness and establish a VPN session without valid credentials. Check Point has confirmed in-the-wild exploitation and released emergency hot fixes for affected products. Check Point's investigation identified exploitation activity affecting multiple organizations globally. Public reporting indicates that affiliates of the ransomware operation Qilin have leveraged the vulnerability to gain initial access to targeted environments. Exploitation has reportedly been observed since early May 2026, prior to public disclosure and patch availability.
What is the recommended Mitigation?	Affected products include Check Point Remote Access VPN, Mobile Access, and Spark Firewall deployments utilizing IKEv1. Organizations running legacy VPN configurations should immediately apply the vendor hotfixes and assess exposed VPN gateways for signs of unauthorized access. • Check Point Remote Access VPN • Check Point Mobile Access • Check Point Spark Firewall • Deployments configured to use the deprecated IKEv1 key exchange protocol Recommended Actions • Apply the latest Check Point hotfixes and security updates immediately. • Disable IKEv1 where operationally feasible and migrate to supported VPN configurations. • Review VPN logs for suspicious authentication activity and unexpected remote access sessions. • Investigate any unauthorized VPN connections originating from unknown users or devices. • Conduct threat hunting activities to identify potential post-compromise activity following successful VPN access. • Reset credentials and review privileged account activity if compromise is suspected.
What FortiGuard Coverage is available?	• FortiGuard Antivirus & Behavior Detection: Detects malware and suspicious behaviors associated with ransomware operators and threat actors leveraging compromised VPN access for lateral movement and payload deployment. • FortiGuard Managed Detection and Response (MDR): Provides continuous monitoring and detection of post-exploitation activity, privilege escalation attempts, and unauthorized configuration changes within affected environments. • FortiGuard Incident Response Services: Organizations that suspect exposure or compromise resulting from exploitation of CVE-2026-50751 should engage FortiGuard Incident Response for investigation, containment, and remediation assistance.

Windows Netlogon Remote Code Execution Vulnerability

What is the Vulnerability?	A critical vulnerability, CVE-2026-41089, affecting the Windows Netlogon service is now being actively exploited in the wild. The vulnerability was patched by Microsoft during the May 2026 Patch Tuesday release and was recently highlighted by the Centre for Cybersecurity Belgium (CCB) after observing active exploitation attempts targeting unpatched systems. Netlogon is a core Windows service responsible for authentication and secure communication between domain controllers and domain-joined systems. The vulnerability stems from a stack-based buffer overflow within the Netlogon Remote Procedure Call (RPC) interface and allows an unauthenticated attacker to achieve remote code execution against a vulnerable domain controller. Successful exploitation could provide attackers with complete control of an Active Directory environment, making this vulnerability particularly dangerous for enterprise networks.
What is the recommended Mitigation?	• Immediately apply Microsoft's May 2026 security updates addressing CVE-2026-41089. • Prioritize patching all internet-facing or externally accessible domain controllers. • Restrict RPC access to domain controllers wherever operationally feasible. • Review domain controller logs for unusual Netlogon, RPC, or authentication-related activity. • Monitor for unexpected account creation, privilege escalation, or Group Policy modifications. • Validate that domain controller backups are current and recoverable. • Conduct threat hunting activities to identify signs of post-exploitation activity in Active Directory environments.
What FortiGuard Coverage is available?	• FortiGuard Intrusion Prevention System (IPS) Service: Provides protection against known exploitation techniques and suspicious activity targeting the Windows Netlogon Remote Code Execution Vulnerability. Intrusion Prevention \| FortiGuard Labs • FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching applications on an endpoint, eliminating manual processes while reducing the attack surface. Endpoint Vulnerability \| FortiGuard Labs • FortiGuard Antivirus & Behavior Detection: Protects against malicious payloads and post-exploitation activity associated with compromised Windows domain controllers, including privilege escalation, unauthorized account creation, credential theft, lateral movement, suspicious process execution, and attempts to establish persistence within Active Directory environments. • FortiGuard Incident Response: Organizations that suspect exposure or compromise involving vulnerable Windows domain controllers should engage FortiGuard Incident Response for rapid investigation, compromise assessment, containment, forensic analysis, Active Directory recovery support, and remediation. • FortiGuard Web Filtering: Prevents access to known malicious infrastructure, attacker-controlled domains, and command-and-control servers leveraged in campaigns targeting vulnerable Windows environments and domain services. • FortiGuard Labs Threat Intelligence: FortiGuard Labs continues to monitor active exploitation activity, emerging attacker techniques, and infrastructure associated with CVE-2026-41089 to provide timely protection updates, threat intelligence, and actionable guidance for defenders.

cPanel & WHM Authentication Bypass

What is the Vulnerability?	CVE-2026-41940 is a critical authentication bypass vulnerability affecting WebPros cPanel & WHM, DNSOnly, and WP Squared installations. The vulnerability stems from improper handling of CRLF injection during the login and session-loading process, enabling attackers to forge authenticated sessions and gain unauthorized administrative access. Successful exploitation may allow remote unauthenticated attackers to obtain full administrative control of vulnerable hosting environments, potentially leading to website compromise, credential theft, web shell deployment, malicious configuration changes, and persistent access. CISA added CVE-2026-41940 to the Known Exploited Vulnerabilities (KEV) Catalog on April 30, 2026 due to evidence of active exploitation in the wild, with public proof-of-concept exploit code already available.
What is the recommended Mitigation?	• Affected versions include cPanel & WHM releases prior to: 11.110.0.97 11.118.0.63 11.126.0.54 11.132.0.29 11.134.0.20 11.136.0.5 Organizations should immediately: • Upgrade to vendor-fixed releases • Restrict exposure of WHM administrative interfaces • Review session directories and authentication logs • Rotate administrative credentials • Hunt for suspicious session creation activity
What FortiGuard Coverage is available?	• FortiGuard Intrusion Prevention System (IPS) Service: FortiGuard IPS Service provides coverage to detect and block exploitation attempts targeting CVE-2026-41940, including malicious authentication bypass attempts against vulnerable cPanel & WHM deployments. • FortiGuard Antivirus & Behavior Detection: Protects against malicious payloads and post-exploitation activity associated with compromised cPanel environments, including detection of suspicious administrative session creation, web shell deployment, unauthorized privilege escalation, and abnormal process execution originating from exploited hosting infrastructure. • FortiGuard Web Application Firewall (WAF): FortiGuard WAF provides protection against authentication bypass attempts, malicious HTTP requests, CRLF injection abuse, and suspicious session manipulation targeting vulnerable cPanel & WHM services. • FortiGuard Web Filtering: Blocks access to known malicious domains, attacker-controlled infrastructure, and command-and-control servers associated with exploitation campaigns targeting exposed cPanel administrative interfaces. • FortiGuard Incident Response: Organizations that suspect compromise or unauthorized administrative access involving CVE-2026-41940 should engage FortiGuard Incident Response for rapid investigation, persistence analysis, credential exposure assessment, containment, and remediation. • FortiGuard Labs Threat Intelligence: FortiGuard Labs continues to monitor active exploitation activity, emerging indicators of compromise, attacker infrastructure, and evolving tactics associated with CVE-2026-41940 to provide timely protections and actionable intelligence updates.

Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

What is the Attack?	CVE-2026-20182 is a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager deployments, including on-premises and cloud-managed environments. Cisco confirmed active exploitation in the wild. Attackers can impersonate trusted SD-WAN peers and establish authenticated control connections, ultimately obtaining high-privileged administrative access. Researchers note similarities to the previously exploited CVE-2026-20127 vulnerability, though Cisco states this is a distinct flaw. The vulnerability allows unauthenticated remote attackers to bypass device authentication and gain administrative privileges on vulnerable systems. CISA added the flaw to the KEV catalog and directed federal agencies to remediate affected systems by May 17, 2026.
What is the recommended Mitigation?	• Impacted platforms include: Cisco Catalyst SD-WAN Controller (formerly vSmart) Cisco Catalyst SD-WAN Manager (formerly vManage) Cisco SD-WAN Cloud deployments Cisco SD-WAN Government/FedRAMP environments • Cisco states there are currently no workarounds for this vulnerability. Organizations should: • Immediately upgrade to fixed Cisco releases • Audit exposed SD-WAN control infrastructure • Restrict public exposure of SD-WAN management interfaces • Review peering and authentication logs • Open TAC cases if compromise is suspected • Collect and preserve admin-tech bundles for forensic review
What FortiGuard Coverage is available?	• FortiGuard Antivirus & Behavior Detection: Protects against malicious payloads and post-exploitation activity associated with compromised SD-WAN infrastructure, including suspicious administrative access, abnormal process execution, unauthorized configuration changes, and attacker persistence mechanisms. • FortiGuard Incident Response: Organizations that suspect exposure or compromise involving vulnerable Cisco Catalyst SD-WAN Controller or SD-WAN Manager instances should engage FortiGuard Incident Response for rapid investigation, compromise assessment, containment, forensic analysis, and remediation. • FortiGuard Web Filtering: Prevents access to known malicious infrastructure, attacker-controlled domains, and command-and-control servers associated with exploitation campaigns targeting exposed SD-WAN environments. • FortiGuard Labs Threat Intelligence: FortiGuard Labs continues to monitor active exploitation activity, attacker infrastructure, and evolving tactics associated with CVE-2026-20182 to provide timely protection updates and actionable threat intelligence.

Microsoft Shell Spoofing Zero-day Vulnerability

What is the Attack?

A newly disclosed vulnerability, CVE-2026-32202, has emerged due to an incomplete patch by Microsoft for a previously exploited remote code execution flaw (CVE-2026-21510). While the original update addressed both RCE and SmartScreen bypass, it failed to eliminate a residual zero-click NTLM authentication coercion issue. This allows attackers to silently force a victim system to authenticate against a malicious server without user interaction.

The threat activity has been linked to APT28 (also known as Fancy Bear / UAC-0001), which began exploiting the original vulnerability chain in December 2025, targeting organizations across Ukraine and the EU. Evidence confirms exploitation in the wild as early as January 2026, prior to Microsoft’s February Patch Tuesday release.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued remediation directives to federal agencies, citing confirmed zero-day exploitation involving CVE-2026-32202.

Vulnerability Chain Overview
The attack chain combines multiple flaws within crafted LNK files:
CVE-2026-21510 – Remote Code Execution (pre-patch)
CVE-2026-21513 – Malicious LNK file handling flaw
CVE-2026-32202 – Residual zero-click NTLM authentication coercion (post-patch)

What is the recommended Mitigation?

Mitigation & Recommendations

Apply the latest Microsoft patches addressing CVE-2026-32202 and related vulnerabilities
Disable or restrict NTLM authentication where possible
Implement SMB signing and enforce Extended Protection for Authentication (EPA)
Monitor for anomalous outbound authentication attempts (e.g., SMB/HTTP to untrusted hosts)
Block or inspect suspicious LNK file delivery vectors

Detection Opportunities

Outbound NTLM authentication attempts to unknown or external IPs
Suspicious LNK file execution or delivery patterns
Indicators tied to known APT28 infrastructure or tactics

What FortiGuard Coverage is available?

• FortiGuard Intrusion Prevention System (IPS) Service: FortiGuard IPS provides coverage to detect and block exploitation attempts targeting CVE-2026-32202. Intrusion Prevention | FortiGuard Labs

• FortiGuard Antivirus & Behavior Detection: Protects against malicious payloads and post-exploitation activity, including detection of suspicious LNK file execution, abnormal authentication behavior, and attempts to coerce outbound NTLM authentication to attacker-controlled infrastructure.

• FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching, eliminating manual processes while reducing the attack surface for CVE-2026-21510, CVE-2026-21513, and CVE-2026-32202 .
Endpoint Vulnerability | FortiGuard Labs
Endpoint Vulnerability | FortiGuard Labs
Endpoint Vulnerability | FortiGuard Labs

• FortiGuard Incident Response: Organizations that suspect exposure to exploitation activity linked to APT28 or these vulnerabilities should engage FortiGuard Incident Response for rapid investigation, credential exposure assessment, containment, and remediation.

• FortiGuard Web Filtering: Blocks access to known malicious domains and attacker-controlled servers used for NTLM hash capture, payload delivery, and command-and-control communication

Apache ActiveMQ RCE

What is the Vulnerability?

CVE-2026-34197 is a high-severity remote code execution (RCE) vulnerability affecting Apache ActiveMQ Classic. The flaw resides in the exposed Jolokia JMX-HTTP interface and allows attackers to execute arbitrary commands on the underlying system via crafted broker management requests.

Recent reporting indicates that this vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild and elevating its priority for remediation.

What is the recommended Mitigation?

• Immediate Actions: Upgrade to:
ActiveMQ 5.19.4+
ActiveMQ 6.2.3+

• Restrict access to ActiveMQ web console (port 8161)
• Disable or tightly restrict Jolokia API
• Enforce strong authentication; remove default credentials
• Limit MBean execution permissions
• Place management interfaces behind VPN or internal networks
• Monitor for abnormal Jolokia API usage
• Inspect logs for MBean exec calls
• Track outbound connections to untrusted hosts
• Use EDR to detect suspicious Java child processes

What FortiGuard Coverage is available?

• FortiGuard Intrusion Prevention System (IPS) Service: FortiGuard IPS Service is available to detect and block exploit attempts targeting CVE-2026-34197.

• FortiGuard Antivirus & Behavior Detection: Protects against known malware and leverages advanced behavioral analysis to detect suspicious activity, including abnormal process execution originating from exploited ActiveMQ services.

• FortiGuard Incident Response: Organizations that suspect exposure or compromise involving vulnerable Apache ActiveMQ instances should engage FortiGuard Incident Response for rapid investigation, containment, and remediation.

• FortiGuard Web Filtering: Prevent access to malicious payload hosting.

FortiGuard Labs | FortiGuard Center - Threat Signal Report