Weekly Threat Awareness ReportCritical Fortinet Auth Bypass · Cisco SD-WAN CVSS 10.0 · GitHub Breach
Three CVEs affecting common enterprise assets, two active exploitation campaigns demanding immediate attention, and this week's additional intelligence from Vaughn Thomas and the SOClogix threat research team.
Vaughn Thomas
Compliance Engineer & Threat Researcher · SOClogix Cyber Group
About the Analyst
Vaughn Thomas is SOClogix's Compliance Engineer and principal threat researcher, operating at the intersection of regulatory compliance and active adversary tradecraft. Each week, Vaughn synthesizes intelligence from dark web forums, vendor security advisories, CISA KEV updates, Shodan/Censys exposure data, and real-time telemetry from SOClogix's managed client network - spanning healthcare, financial services, defense industrial base, manufacturing, and local government - to produce actionable threat awareness briefings written for security teams and executive stakeholders at every level. Vaughn actively tracks over 200 threat actor groups and contributes threat sharing intelligence to multiple ISAC communities. His analysis deliberately bridges raw technical findings and business risk so compliance teams and CISOs can act, not just read.
200+
Threat groups tracked
50+
Intel feeds monitored
3 yrs
Threat research tenure
CVEs Affecting Client Assets
Vulnerabilities identified this week with direct relevance to common enterprise environments.
CVE-2026-35616Fortinet FortiClientEMS - Unauthenticated Remote Code Execution
Affected: FortiClientEMS 7.4.5 - 7.4.6 · CWE-284 (Improper Access Control) · Actively exploited in the wild
A critical security flaw in Fortinet FortiClientEMS versions 7.4.5 and 7.4.6 allows attackers to remotely take full control of affected systems without any credentials. Classified as Improper Access Control (CWE-284), the software fails to adequately verify user permissions, allowing an unauthenticated attacker to bypass all security measures and execute arbitrary code remotely. With a CVSS of 9.8 and SVRS of 96, and active in-the-wild exploitation confirmed, this demands immediate action.
Recommended Actions
- Upgrade to FortiClientEMS 7.4.7 or later immediately
- Audit all FortiClientEMS instances for indicators of compromise
- Review network logs for unexpected outbound connections from EMS servers
- Temporarily restrict internet-facing access to EMS management interfaces
CVE-2026-45659Microsoft SharePoint - Authenticated Remote Code Execution
Disclosed: May 22, 2026 · Deserialization of Untrusted Data · Requires authenticated user
An authenticated attacker with standard user permissions can exploit a deserialization flaw in Microsoft Office SharePoint to execute malicious code remotely, potentially seizing full control of the server. The flaw lies in how SharePoint processes specially crafted data - it improperly handles untrusted input during deserialization, opening a path to code execution. Given SharePoint's role as a core document management and collaboration platform in most enterprise environments, the blast radius of successful exploitation is significant.
Recommended Actions
- Apply May 2026 Patch Tuesday updates immediately
- Audit SharePoint access logs for unusual deserialization activity
- Review and restrict external sharing permissions where not required
- Enable SharePoint audit logging if not already active
CVE-2026-42897Microsoft Exchange Server - Cross-Site Scripting (XSS)
Disclosed: May 14, 2026 · Cross-site Scripting (XSS) · Actively exploited in the wild
Despite its Medium CVSS rating, this Exchange Server XSS is actively being exploited - which elevates the effective risk considerably. The server fails to properly filter dangerous input when generating web pages, allowing attackers to inject malicious scripts that execute in the browser of any user who visits an affected Exchange web interface. Common attack paths include credential harvesting, session hijacking, and phishing via trusted Exchange URLs. Organizations running on-premises Exchange should treat this as a higher priority than the CVSS score alone suggests.
Recommended Actions
- Apply Exchange May 2026 security update
- Review Exchange web interface access logs for script injection patterns
- Evaluate migration timeline to Exchange Online if still on-premises
Active Threats & Campaigns
Threat actor campaigns with available detection rules or indicators of compromise.
UAT-8616 Cisco Catalyst SD-WAN Authentication Bypass Campaign
A highly sophisticated threat actor tracked by Cisco Talos as UAT-8616 - active against Cisco SD-WAN infrastructure since at least 2023 and operating through Operational Relay Box (ORB) networks - has been observed actively exploiting CVE-2026-20182, a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Controller (vSmart) and Manager (vManage) via the vdaemon DTLS peering service on UDP/12346.
CISA added this CVE to the Known Exploited Vulnerabilities catalog and tied remediation to Emergency Directive 26-03, requiring all Federal Civilian Executive Branch agencies to patch by May 17, 2026. Rapid7 researchers Stephen Fewer and Jonah Burgess published a full root-cause analysis and a Metasploit module on disclosure date, meaning exploitation tooling is broadly available. UAT-8616 is the same cluster previously attributed to CVE-2026-20127 against the same component, indicating a sustained campaign targeting SD-WAN infrastructure.
Immediate Actions
- Patch Cisco Catalyst SD-WAN Controller and Manager immediately
- Block UDP/12346 from untrusted network segments
- Check for indicators of UAT-8616 activity in SD-WAN logs
Threat Actor Profile
Group: UAT-8616
Attribution: Cisco Talos (high confidence)
Active since: At least 2023
Infrastructure: ORB networks
TeamPCP GitHub Internal Breach via Poisoned VS Code Extension
TeamPCP, a financially motivated threat actor, compromised a GitHub employee device via a poisoned Visual Studio Code extension, exfiltrating approximately 3,800 private internal repositories. The stolen data includes GitHub's core platform source code, billing logic, enterprise authentication systems, and security tooling internals. The group listed the data for sale on the Breached dark web forum at a minimum price of $50,000 and has threatened public release if no buyer is found.
GitHub confirmed the breach on May 19-20, 2026, isolated the affected device, removed the malicious extension, and rotated critical secrets. No customer repository impact has been confirmed as of this report date. However, organizations dependent on GitHub Actions workflows, GitHub Apps, or OAuth tokens should review their dependency posture for any abnormal behavior.
Recommended Actions
- Audit installed VS Code extensions across developer workstations - remove unverified publishers
- Review GitHub OAuth app permissions and revoke unused tokens
- Enable GitHub Advanced Security and secret scanning if on GitHub Enterprise
- Monitor for unusual GitHub Actions workflow behavior or unexpected CI/CD triggers
- Check Breached forum IoCs via SOCRadar for exposure indicators
Additional Intelligence
Industry resources and context relevant this week.
2025 CWE Top 25 Most Dangerous Software Weaknesses
MITRE has published the updated 2025 CWE Top 25 list. Security teams should use this as a reference when evaluating software vendor security posture, conducting code reviews, and prioritizing remediation in vulnerability management programs. Compliance teams should ensure their security controls documentation addresses the most prevalent weakness categories in their technology stack.
View the 2025 CWE Top 25Related from SOClogix
Vaughn Thomas
Compliance Engineer
SOClogix Cyber Group
200+
Threat groups tracked
50+
Intel feeds monitored
52×
Reports per year
Get Weekly Briefings Free
This Week at a Glance
Get Vaughn's Briefing Every Week
Free weekly threat awareness reports delivered to your inbox every Wednesday. CVEs, active campaigns, and actionable guidance - written for security teams, compliance managers, and executive stakeholders.
Prefer a conversation? Talk to our team about managed security monitoring.