The Threat Signal created by the FortiGuard Labs is intended to provide you with insight on emerging issues that are trending within the cyber threat landscape. The Threat Signal will provide concise technical details about the issue, mitigation recommendations and a perspective from the FortiGuard Labs team in an FAQ style format.
|
What is the Vulnerability? |
Multiple critical vulnerabilities affecting Ubiquiti UniFi OS can be chained together to achieve unauthenticated remote code execution (RCE) with root privileges. The vulnerabilities include CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, which together bypass authentication, access protected resources, and execute arbitrary operating system commands.
|
|
What is the recommended Mitigation? |
Organizations should:
|
|
What FortiGuard Coverage is available? |
• FortiGuard Intrusion Prevention System (IPS) protects against exploit attempts.
Intrusion Prevention | FortiGuard Labs
|
|
What is the Vulnerability? |
FortiGuard Labs continues to observe exploitation attempts targeting CVE-2026-10520 following the public release of technical details and proof-of-concept (PoC) exploit code.
|
|
What is the recommended Mitigation? |
Affected:
|
|
What FortiGuard Coverage is available? |
• FortiGuard IPS protects against exploit attempts targeting vulnerable Ivanti Sentry appliances.
Intrusion Prevention | FortiGuard Labs
|
|
What is the Attack? |
A critical authentication bypass vulnerability, CVE-2026-20253 (CVSS 9.8), affects Splunk Enterprise versions 10.0.x and 10.2.x. The flaw stems from missing authentication on a PostgreSQL sidecar service endpoint, allowing an unauthenticated attacker to create or truncate arbitrary files on a vulnerable server.
|
|
What is the recommended Mitigation? |
Affected:
|
|
What FortiGuard Coverage is available? |
• FortiGuard IPS provides protection against exploit attempts targeting vulnerable services.
|
|
What is the Attack? |
Google Threat Intelligence Group (GTIG) and Mandiant have identified an active compromise and extortion campaign attributed to ShinyHunters (tracked as UNC6240) targeting Oracle PeopleSoft environments. The attackers exploited a previously unknown remote code execution vulnerability, CVE-2026-35273, before Oracle released an advisory and patches, making this a true zero-day attack. The campaign primarily targeted higher education institutions, with approximately 68% of identified victims belonging to the education sector.
|
|
What is the recommended Mitigation? |
Potentially exposed systems include:
|
|
What FortiGuard Coverage is available? |
• FortiGuard IPS: Detects and blocks exploitation attempts targeting Oracle PeopleSoft vulnerabilities.
Intrusion Prevention | FortiGuard Labs
|
|
What is the Vulnerability? |
Cisco has disclosed a critical security vulnerability, CVE-2026-20245, affecting Cisco Catalyst SD-WAN Manager and confirmed that it is being actively exploited in the wild. The vulnerability resides in the platform's command-line interface (CLI) and allows an authenticated attacker with netadmin privileges to execute arbitrary commands as root on the underlying operating system.
|
|
What is the recommended Mitigation? |
• Restrict access to SD-WAN Manager administrative interfaces to trusted management networks.
|
|
What FortiGuard Coverage is available? |
• FortiGuard Antivirus & Behavior Detection: Detects and blocks malicious payloads and abnormal process execution that may result from successful exploitation.
|
|
What is the Attack? |
Researchers have identified a large-scale software supply chain campaign targeting the npm ecosystem, leveraging malicious JavaScript packages to distribute a multi-stage cryptocurrency-focused malware framework. The campaign affected numerous npm packages that collectively accumulated more than 2.7 million downloads, significantly increasing the potential victim pool among developers, software organizations, and CI/CD environments. The malware is designed to steal cryptocurrency wallet data, harvest credentials, exfiltrate sensitive information, and deploy additional payloads on compromised systems.
|
|
What is the recommended Mitigation? |
• Audit all recently installed npm dependencies for unauthorized or suspicious packages.
|
|
What FortiGuard Coverage is available? |
• FortiGuard Antivirus & Behavior Detection: Detects and blocks malware components, credential theft modules, and suspicious behaviors associated with malicious npm packages and multi-stage payload delivery.
|
|
What is the Vulnerability? |
CVE-2026-0257 is a high-severity authentication bypass vulnerability affecting the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS and certain Prisma Access deployments. Successful exploitation allows an unauthenticated remote attacker to bypass security controls and establish unauthorized VPN connections without valid credentials. Palo Alto Networks, Unit 42, Rapid7, and other security researchers have confirmed active exploitation in the wild, prompting inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog.
|
|
What is the recommended Mitigation? |
Affected products include vulnerable versions of:
|
|
What FortiGuard Coverage is available? |
• FortiGuard Intrusion Prevention System (IPS) Service: Provides protection against exploitation attempts targeting CVE-2026-0257 and related GlobalProtect authentication bypass activity.
|
|
What is the Vulnerability? |
A critical authentication bypass vulnerability, CVE-2026-50751 (CVSS 9.3), is being actively exploited against vulnerable Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol. The flaw allows unauthenticated attackers to bypass user authentication through a certificate validation logic weakness and establish a VPN session without valid credentials. Check Point has confirmed in-the-wild exploitation and released emergency hot fixes for affected products.
|
|
What is the recommended Mitigation? |
Affected products include Check Point Remote Access VPN, Mobile Access, and Spark Firewall deployments utilizing IKEv1. Organizations running legacy VPN configurations should immediately apply the vendor hotfixes and assess exposed VPN gateways for signs of unauthorized access.
|
|
What FortiGuard Coverage is available? |
• FortiGuard Antivirus & Behavior Detection: Detects malware and suspicious behaviors associated with ransomware operators and threat actors leveraging compromised VPN access for lateral movement and payload deployment.
|
|
What is the Vulnerability? |
A critical vulnerability, CVE-2026-41089, affecting the Windows Netlogon service is now being actively exploited in the wild. The vulnerability was patched by Microsoft during the May 2026 Patch Tuesday release and was recently highlighted by the Centre for Cybersecurity Belgium (CCB) after observing active exploitation attempts targeting unpatched systems.
|
|
What is the recommended Mitigation? |
• Immediately apply Microsoft's May 2026 security updates addressing CVE-2026-41089.
|
|
What FortiGuard Coverage is available? |
• FortiGuard Intrusion Prevention System (IPS) Service: Provides protection against known exploitation techniques and suspicious activity targeting the Windows Netlogon Remote Code Execution Vulnerability.
Intrusion Prevention | FortiGuard Labs
|
|
What is the Vulnerability? |
CVE-2026-41940 is a critical authentication bypass vulnerability affecting WebPros cPanel & WHM, DNSOnly, and WP Squared installations. The vulnerability stems from improper handling of CRLF injection during the login and session-loading process, enabling attackers to forge authenticated sessions and gain unauthorized administrative access.
|
|
What is the recommended Mitigation? |
• Affected versions include cPanel & WHM releases prior to:
|
|
What FortiGuard Coverage is available? |
• FortiGuard Intrusion Prevention System (IPS) Service: FortiGuard IPS Service provides coverage to detect and block exploitation attempts targeting CVE-2026-41940, including malicious authentication bypass attempts against vulnerable cPanel & WHM deployments.
|