Weekly Threat Awareness ReportSharePoint RCE · Windows 'YellowKey' Bypass · Cisco SD-WAN CVSS 10.0
This is our second consecutive weekly briefing. One new CVE lands this week - the Windows 'YellowKey' security feature bypass - while four items first reported on June 4 remain active enough to keep tracking. Each carried-over item includes a short status note on what should already be in place if you acted on last week's guidance.
Vaughn Thomas
Compliance Engineer & Threat Researcher · SOClogix Cyber Group
About the Analyst
Vaughn Thomas is SOClogix's Compliance Engineer and principal threat researcher, operating at the intersection of regulatory compliance and active adversary tradecraft. Each week, Vaughn synthesizes intelligence from dark web forums, vendor security advisories, CISA KEV updates, Shodan/Censys exposure data, and real-time telemetry from SOClogix's managed client network - spanning healthcare, financial services, defense industrial base, manufacturing, and local government - to produce actionable threat awareness briefings written for security teams and executive stakeholders at every level. Vaughn actively tracks over 200 threat actor groups and contributes threat sharing intelligence to multiple ISAC communities. His analysis deliberately bridges raw technical findings and business risk so compliance teams and CISOs can act, not just read.
200+
Threat groups tracked
50+
Intel feeds monitored
3 yrs
Threat research tenure
CVEs Affecting Client Assets
Vulnerabilities identified this week with direct relevance to common enterprise environments.
CVE-2026-45659 Tracked since Jun 4Microsoft Office SharePoint - Authenticated Remote Code Execution
Disclosed: May 22, 2026 · Deserialization of Untrusted Data · Requires authorized user
Microsoft Office SharePoint is grappling with a severe vulnerability that poses a critical risk to organizations. An authorized attacker can exploit this flaw to execute malicious code remotely over a network, potentially seizing full control of vulnerable systems. The flaw is rooted in deserialization of untrusted data - SharePoint improperly processes specially crafted information it receives, inadvertently opening a door for attackers. Given SharePoint's role as a core collaboration and document management platform, the blast radius of successful exploitation is significant.
Recommended Actions
- Apply the latest SharePoint security updates immediately
- Audit SharePoint logs for anomalous deserialization or unexpected server-side process execution
- Restrict content authoring and elevated permissions to least-required users
- Enable SharePoint audit logging and alert on unusual activity if not already active
CVE-2026-45585 New this weekMicrosoft Windows - "YellowKey" Security Feature Bypass
Command Injection (CWE-77) · SOCRadar Risk Score 81 (High) · Elevated risk for remote and traveling devices
A significant security feature bypass vulnerability, dubbed 'YellowKey', has been discovered in Microsoft Windows. It is categorized as Improper Neutralization of Special Elements used in a Command (Command Injection), meaning an attacker could trick the system into executing unauthorized commands and bypass intended security protections. If exploited, this could allow unauthorized individuals to bypass Windows security features and gain access to a device's protected data. The risk is particularly high for organizations whose employees use work devices remotely or while traveling - if a device falls into the wrong hands, sensitive information could be accessed without proper authorization.
Recommended Actions
- Apply the latest Windows security updates across all endpoints
- Prioritize mobile, remote, and traveling-employee devices for patching
- Enforce full-disk encryption with strong pre-boot authentication (TPM+PIN)
- Verify lost and stolen device reporting and remote-wipe capability is in place
CVE-2026-42897 Tracked since Jun 4Microsoft Exchange Server - Cross-Site Scripting (XSS)
Disclosed: May 14, 2026 · Cross-site Scripting (XSS) · Actively exploited in the wild
A newly identified flaw in Microsoft Exchange Server allows attackers to spoof users by injecting malicious code onto web pages. Despite its Medium CVSS rating, it carries an elevated SVRS of 65 and is actively being exploited in the wild, which raises the effective risk considerably. Classified as Cross-site Scripting, the server fails to properly filter or neutralize dangerous input when it generates web pages, so an attacker can trick the system into displaying harmful code to legitimate users, often without their knowledge. Organizations running on-premises Exchange should treat this as a higher priority than the CVSS score alone suggests.
Recommended Actions
- Apply the latest Exchange Server security update
- Review Exchange web interface (OWA/ECP) logs for script injection patterns
- Restrict and monitor external access to Exchange web interfaces
- Evaluate migration timeline to Exchange Online if still on-premises
Active Threats & Campaigns
Threat actor campaigns with available detection rules or indicators of compromise.
UAT-8616 Cisco Catalyst SD-WAN Authentication Bypass Campaign
A highly sophisticated threat actor tracked by Cisco Talos as UAT-8616 - active against Cisco SD-WAN infrastructure since at least 2023 and operating through Operational Relay Box (ORB) networks - has been observed actively exploiting CVE-2026-20182, a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Controller (vSmart) and Manager (vManage) via the vdaemon DTLS peering service on UDP/12346.
Cisco published advisory cisco-sa-sdwan-rpa2-v69WY2SW and CISA added the CVE to the Known Exploited Vulnerabilities catalog, tying remediation to Emergency Directive 26-03 and requiring all Federal Civilian Executive Branch agencies to patch by May 17, 2026. Rapid7 researchers Stephen Fewer and Jonah Burgess, who discovered the flaw while studying CVE-2026-20127, published a full root-cause analysis and a Metasploit module on disclosure date, so exploitation tooling is broadly available. The vulnerability sits in the same vdaemon DTLS service as CVE-2026-20127 but is a distinct logic flaw, not a patch bypass.
Immediate Actions
- Patch Cisco Catalyst SD-WAN Controller and Manager immediately
- Block UDP/12346 from untrusted network segments
- Check for indicators of UAT-8616 activity in SD-WAN logs
Threat Actor Profile
Group: UAT-8616
Attribution: Cisco Talos (high confidence)
Active since: At least 2023
Infrastructure: ORB networks
TeamPCP GitHub Internal Breach via Poisoned VS Code Extension
TeamPCP, a financially motivated threat actor, compromised a GitHub employee device via a poisoned Visual Studio Code extension, exfiltrating approximately 3,800 private internal repositories. The stolen data includes GitHub's core platform source code, billing logic, enterprise authentication systems, and security tooling internals. The group listed the data for sale on the Breached dark web forum at a minimum price of $50,000 and has threatened public release if no buyer is found.
GitHub confirmed the breach on May 19-20, 2026, isolated the affected device, removed the malicious extension, and rotated critical secrets. No customer repository impact has been confirmed as of this report date. However, organizations dependent on GitHub Actions workflows, GitHub Apps, or OAuth tokens should review their dependency posture for any abnormal behavior.
Recommended Actions
- Audit installed VS Code extensions across developer workstations - remove unverified publishers
- Review GitHub OAuth app permissions and revoke unused tokens
- Enable GitHub Advanced Security and secret scanning if on GitHub Enterprise
- Monitor for unusual GitHub Actions workflow behavior or unexpected CI/CD triggers
- Check Breached forum IoCs via SOCRadar for exposure indicators
Additional Intelligence
Industry resources and context relevant this week.
2025 CWE Top 25 Most Dangerous Software Weaknesses
MITRE has published the updated 2025 CWE Top 25 list. Security teams should use this as a reference when evaluating software vendor security posture, conducting code reviews, and prioritizing remediation in vulnerability management programs. SOClogix can build LimaCharlie detection rules mapped to these weakness categories - organizations enrolled in our managed SOC will receive these detections as they are deployed.
View the 2025 CWE Top 25Related from SOClogix
Vaughn Thomas
Compliance Engineer
SOClogix Cyber Group
200+
Threat groups tracked
50+
Intel feeds monitored
52×
Reports per year
Get Weekly Briefings Free
This Week at a Glance
Get Vaughn's Briefing Every Week
Free weekly threat awareness reports delivered to your inbox every Wednesday. CVEs, active campaigns, and actionable guidance - written for security teams, compliance managers, and executive stakeholders.
Prefer a conversation? Talk to our team about managed security monitoring.