Skip to main content
All Threat Briefings
Weekly Threat AwarenessJune 4, 2026|Vol. 1 · Issue 1

Weekly Threat Awareness ReportCritical Fortinet Auth Bypass · Cisco SD-WAN CVSS 10.0 · GitHub Breach

Three CVEs affecting common enterprise assets, two active exploitation campaigns demanding immediate attention, and this week's additional intelligence from Vaughn Thomas and the SOClogix threat research team.

VT

Vaughn Thomas

Compliance Engineer & Threat Researcher · SOClogix Cyber Group

About the Analyst

Vaughn Thomas is SOClogix's Compliance Engineer and principal threat researcher, operating at the intersection of regulatory compliance and active adversary tradecraft. Each week, Vaughn synthesizes intelligence from dark web forums, vendor security advisories, CISA KEV updates, Shodan/Censys exposure data, and real-time telemetry from SOClogix's managed client network - spanning healthcare, financial services, defense industrial base, manufacturing, and local government - to produce actionable threat awareness briefings written for security teams and executive stakeholders at every level. Vaughn actively tracks over 200 threat actor groups and contributes threat sharing intelligence to multiple ISAC communities. His analysis deliberately bridges raw technical findings and business risk so compliance teams and CISOs can act, not just read.

200+

Threat groups tracked

50+

Intel feeds monitored

3 yrs

Threat research tenure

CVEs Affecting Client Assets

Vulnerabilities identified this week with direct relevance to common enterprise environments.

CriticalCVE-2026-35616
9.8CVSS
96SVRS

Fortinet FortiClientEMS - Unauthenticated Remote Code Execution

Affected: FortiClientEMS 7.4.5 - 7.4.6  ·  CWE-284 (Improper Access Control)  ·  Actively exploited in the wild

A critical security flaw in Fortinet FortiClientEMS versions 7.4.5 and 7.4.6 allows attackers to remotely take full control of affected systems without any credentials. Classified as Improper Access Control (CWE-284), the software fails to adequately verify user permissions, allowing an unauthenticated attacker to bypass all security measures and execute arbitrary code remotely. With a CVSS of 9.8 and SVRS of 96, and active in-the-wild exploitation confirmed, this demands immediate action.

Recommended Actions

  • Upgrade to FortiClientEMS 7.4.7 or later immediately
  • Audit all FortiClientEMS instances for indicators of compromise
  • Review network logs for unexpected outbound connections from EMS servers
  • Temporarily restrict internet-facing access to EMS management interfaces
HighCVE-2026-45659
8.8CVSS
85SVRS

Microsoft SharePoint - Authenticated Remote Code Execution

Disclosed: May 22, 2026  ·  Deserialization of Untrusted Data  ·  Requires authenticated user

An authenticated attacker with standard user permissions can exploit a deserialization flaw in Microsoft Office SharePoint to execute malicious code remotely, potentially seizing full control of the server. The flaw lies in how SharePoint processes specially crafted data - it improperly handles untrusted input during deserialization, opening a path to code execution. Given SharePoint's role as a core document management and collaboration platform in most enterprise environments, the blast radius of successful exploitation is significant.

Recommended Actions

  • Apply May 2026 Patch Tuesday updates immediately
  • Audit SharePoint access logs for unusual deserialization activity
  • Review and restrict external sharing permissions where not required
  • Enable SharePoint audit logging if not already active
MediumCVE-2026-42897
6.1CVSS
65SVRS

Microsoft Exchange Server - Cross-Site Scripting (XSS)

Disclosed: May 14, 2026  ·  Cross-site Scripting (XSS)  ·  Actively exploited in the wild

Despite its Medium CVSS rating, this Exchange Server XSS is actively being exploited - which elevates the effective risk considerably. The server fails to properly filter dangerous input when generating web pages, allowing attackers to inject malicious scripts that execute in the browser of any user who visits an affected Exchange web interface. Common attack paths include credential harvesting, session hijacking, and phishing via trusted Exchange URLs. Organizations running on-premises Exchange should treat this as a higher priority than the CVSS score alone suggests.

Recommended Actions

  • Apply Exchange May 2026 security update
  • Review Exchange web interface access logs for script injection patterns
  • Evaluate migration timeline to Exchange Online if still on-premises

Active Threats & Campaigns

Threat actor campaigns with available detection rules or indicators of compromise.

CVSS 10.0CVE-2026-20182CISA KEV · Emergency Directive 26-03

UAT-8616 Cisco Catalyst SD-WAN Authentication Bypass Campaign

A highly sophisticated threat actor tracked by Cisco Talos as UAT-8616 - active against Cisco SD-WAN infrastructure since at least 2023 and operating through Operational Relay Box (ORB) networks - has been observed actively exploiting CVE-2026-20182, a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Controller (vSmart) and Manager (vManage) via the vdaemon DTLS peering service on UDP/12346.

CISA added this CVE to the Known Exploited Vulnerabilities catalog and tied remediation to Emergency Directive 26-03, requiring all Federal Civilian Executive Branch agencies to patch by May 17, 2026. Rapid7 researchers Stephen Fewer and Jonah Burgess published a full root-cause analysis and a Metasploit module on disclosure date, meaning exploitation tooling is broadly available. UAT-8616 is the same cluster previously attributed to CVE-2026-20127 against the same component, indicating a sustained campaign targeting SD-WAN infrastructure.

Immediate Actions

  • Patch Cisco Catalyst SD-WAN Controller and Manager immediately
  • Block UDP/12346 from untrusted network segments
  • Check for indicators of UAT-8616 activity in SD-WAN logs

Threat Actor Profile

Group: UAT-8616

Attribution: Cisco Talos (high confidence)

Active since: At least 2023

Infrastructure: ORB networks

Supply Chain RiskConfirmed breach · May 19-20, 2026

TeamPCP GitHub Internal Breach via Poisoned VS Code Extension

TeamPCP, a financially motivated threat actor, compromised a GitHub employee device via a poisoned Visual Studio Code extension, exfiltrating approximately 3,800 private internal repositories. The stolen data includes GitHub's core platform source code, billing logic, enterprise authentication systems, and security tooling internals. The group listed the data for sale on the Breached dark web forum at a minimum price of $50,000 and has threatened public release if no buyer is found.

GitHub confirmed the breach on May 19-20, 2026, isolated the affected device, removed the malicious extension, and rotated critical secrets. No customer repository impact has been confirmed as of this report date. However, organizations dependent on GitHub Actions workflows, GitHub Apps, or OAuth tokens should review their dependency posture for any abnormal behavior.

Recommended Actions

  • Audit installed VS Code extensions across developer workstations - remove unverified publishers
  • Review GitHub OAuth app permissions and revoke unused tokens
  • Enable GitHub Advanced Security and secret scanning if on GitHub Enterprise
  • Monitor for unusual GitHub Actions workflow behavior or unexpected CI/CD triggers
  • Check Breached forum IoCs via SOCRadar for exposure indicators

Additional Intelligence

Industry resources and context relevant this week.

2025 CWE Top 25 Most Dangerous Software Weaknesses

MITRE has published the updated 2025 CWE Top 25 list. Security teams should use this as a reference when evaluating software vendor security posture, conducting code reviews, and prioritizing remediation in vulnerability management programs. Compliance teams should ensure their security controls documentation addresses the most prevalent weakness categories in their technology stack.

View the 2025 CWE Top 25
VT

Vaughn Thomas

Compliance Engineer & Threat Researcher, SOClogix

All reports →
VT

Vaughn Thomas

Compliance Engineer

SOClogix Cyber Group

200+

Threat groups tracked

50+

Intel feeds monitored

52×

Reports per year

Global dark web & forum monitoring
Live CISA KEV & NVD tracking
Adversary TTP analysis
Compliance-threat intersection

Get Weekly Briefings Free

Confirmed via email. No spam. Unsubscribe anytime.

This Week at a Glance

CVEs covered3
Critical severity1
High severity1
Actively exploited2
Active campaigns2
CISA KEV additions1

Get Vaughn's Briefing Every Week

Free weekly threat awareness reports delivered to your inbox every Wednesday. CVEs, active campaigns, and actionable guidance - written for security teams, compliance managers, and executive stakeholders.

Confirmed via email. No spam. Unsubscribe anytime.

Prefer a conversation? Talk to our team about managed security monitoring.