Skip to main content
All Threat Briefings
Weekly Threat AwarenessJune 11, 2026|Vol. 1 · Issue 2

Weekly Threat Awareness ReportSharePoint RCE · Windows 'YellowKey' Bypass · Cisco SD-WAN CVSS 10.0

This is our second consecutive weekly briefing. One new CVE lands this week - the Windows 'YellowKey' security feature bypass - while four items first reported on June 4 remain active enough to keep tracking. Each carried-over item includes a short status note on what should already be in place if you acted on last week's guidance.

VT

Vaughn Thomas

Compliance Engineer & Threat Researcher · SOClogix Cyber Group

About the Analyst

Vaughn Thomas is SOClogix's Compliance Engineer and principal threat researcher, operating at the intersection of regulatory compliance and active adversary tradecraft. Each week, Vaughn synthesizes intelligence from dark web forums, vendor security advisories, CISA KEV updates, Shodan/Censys exposure data, and real-time telemetry from SOClogix's managed client network - spanning healthcare, financial services, defense industrial base, manufacturing, and local government - to produce actionable threat awareness briefings written for security teams and executive stakeholders at every level. Vaughn actively tracks over 200 threat actor groups and contributes threat sharing intelligence to multiple ISAC communities. His analysis deliberately bridges raw technical findings and business risk so compliance teams and CISOs can act, not just read.

200+

Threat groups tracked

50+

Intel feeds monitored

3 yrs

Threat research tenure

CVEs Affecting Client Assets

Vulnerabilities identified this week with direct relevance to common enterprise environments.

HighCVE-2026-45659 Tracked since Jun 4
8.8CVSS
85SVRS

Microsoft Office SharePoint - Authenticated Remote Code Execution

Disclosed: May 22, 2026  ·  Deserialization of Untrusted Data  ·  Requires authorized user

Week 2 follow-up: First flagged in our June 4 briefing. If you applied the SharePoint updates last week, you are covered - it stays on the list because unpatched on-prem farms remain a high-value target and scanning continues. Confirm the patch reached every farm, not just the primary.

Microsoft Office SharePoint is grappling with a severe vulnerability that poses a critical risk to organizations. An authorized attacker can exploit this flaw to execute malicious code remotely over a network, potentially seizing full control of vulnerable systems. The flaw is rooted in deserialization of untrusted data - SharePoint improperly processes specially crafted information it receives, inadvertently opening a door for attackers. Given SharePoint's role as a core collaboration and document management platform, the blast radius of successful exploitation is significant.

Recommended Actions

  • Apply the latest SharePoint security updates immediately
  • Audit SharePoint logs for anomalous deserialization or unexpected server-side process execution
  • Restrict content authoring and elevated permissions to least-required users
  • Enable SharePoint audit logging and alert on unusual activity if not already active
MediumCVE-2026-45585 New this week
6.8CVSS
81SVRS

Microsoft Windows - "YellowKey" Security Feature Bypass

Command Injection (CWE-77)  ·  SOCRadar Risk Score 81 (High)  ·  Elevated risk for remote and traveling devices

A significant security feature bypass vulnerability, dubbed 'YellowKey', has been discovered in Microsoft Windows. It is categorized as Improper Neutralization of Special Elements used in a Command (Command Injection), meaning an attacker could trick the system into executing unauthorized commands and bypass intended security protections. If exploited, this could allow unauthorized individuals to bypass Windows security features and gain access to a device's protected data. The risk is particularly high for organizations whose employees use work devices remotely or while traveling - if a device falls into the wrong hands, sensitive information could be accessed without proper authorization.

Recommended Actions

  • Apply the latest Windows security updates across all endpoints
  • Prioritize mobile, remote, and traveling-employee devices for patching
  • Enforce full-disk encryption with strong pre-boot authentication (TPM+PIN)
  • Verify lost and stolen device reporting and remote-wipe capability is in place
MediumCVE-2026-42897 Tracked since Jun 4
6.1CVSS
65SVRS

Microsoft Exchange Server - Cross-Site Scripting (XSS)

Disclosed: May 14, 2026  ·  Cross-site Scripting (XSS)  ·  Actively exploited in the wild

Week 2 follow-up: Carried over from June 4. This one stays elevated because it is still being actively exploited. If the Exchange update is already applied, verify it across all on-prem servers and review OWA and ECP logs for injection attempts during the exposure window.

A newly identified flaw in Microsoft Exchange Server allows attackers to spoof users by injecting malicious code onto web pages. Despite its Medium CVSS rating, it carries an elevated SVRS of 65 and is actively being exploited in the wild, which raises the effective risk considerably. Classified as Cross-site Scripting, the server fails to properly filter or neutralize dangerous input when it generates web pages, so an attacker can trick the system into displaying harmful code to legitimate users, often without their knowledge. Organizations running on-premises Exchange should treat this as a higher priority than the CVSS score alone suggests.

Recommended Actions

  • Apply the latest Exchange Server security update
  • Review Exchange web interface (OWA/ECP) logs for script injection patterns
  • Restrict and monitor external access to Exchange web interfaces
  • Evaluate migration timeline to Exchange Online if still on-premises

Active Threats & Campaigns

Threat actor campaigns with available detection rules or indicators of compromise.

CVSS 10.0CVE-2026-20182CISA KEV · Emergency Directive 26-03 Tracked since Jun 4

UAT-8616 Cisco Catalyst SD-WAN Authentication Bypass Campaign

A highly sophisticated threat actor tracked by Cisco Talos as UAT-8616 - active against Cisco SD-WAN infrastructure since at least 2023 and operating through Operational Relay Box (ORB) networks - has been observed actively exploiting CVE-2026-20182, a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Controller (vSmart) and Manager (vManage) via the vdaemon DTLS peering service on UDP/12346.

Cisco published advisory cisco-sa-sdwan-rpa2-v69WY2SW and CISA added the CVE to the Known Exploited Vulnerabilities catalog, tying remediation to Emergency Directive 26-03 and requiring all Federal Civilian Executive Branch agencies to patch by May 17, 2026. Rapid7 researchers Stephen Fewer and Jonah Burgess, who discovered the flaw while studying CVE-2026-20127, published a full root-cause analysis and a Metasploit module on disclosure date, so exploitation tooling is broadly available. The vulnerability sits in the same vdaemon DTLS service as CVE-2026-20127 but is a distinct logic flaw, not a patch bypass.

Week 2 follow-up: First reported June 4. The CISA Emergency Directive 26-03 deadline of May 17, 2026 has now passed - any Catalyst SD-WAN Controller or Manager still unpatched should be treated as presumed-compromised and investigated, not simply patched. The Metasploit module remains public.

Immediate Actions

  • Patch Cisco Catalyst SD-WAN Controller and Manager immediately
  • Block UDP/12346 from untrusted network segments
  • Check for indicators of UAT-8616 activity in SD-WAN logs

Threat Actor Profile

Group: UAT-8616

Attribution: Cisco Talos (high confidence)

Active since: At least 2023

Infrastructure: ORB networks

Supply Chain RiskConfirmed breach · May 19-20, 2026 Tracked since Jun 4

TeamPCP GitHub Internal Breach via Poisoned VS Code Extension

TeamPCP, a financially motivated threat actor, compromised a GitHub employee device via a poisoned Visual Studio Code extension, exfiltrating approximately 3,800 private internal repositories. The stolen data includes GitHub's core platform source code, billing logic, enterprise authentication systems, and security tooling internals. The group listed the data for sale on the Breached dark web forum at a minimum price of $50,000 and has threatened public release if no buyer is found.

GitHub confirmed the breach on May 19-20, 2026, isolated the affected device, removed the malicious extension, and rotated critical secrets. No customer repository impact has been confirmed as of this report date. However, organizations dependent on GitHub Actions workflows, GitHub Apps, or OAuth tokens should review their dependency posture for any abnormal behavior.

Week 2 follow-up: First reported June 4. GitHub's assessment is unchanged, with no confirmed customer repository impact, but the stolen data may now be circulating on the Breached forum. If last week's VS Code extension audit and token review are complete, no further action is needed; if not, prioritize them this week.

Recommended Actions

  • Audit installed VS Code extensions across developer workstations - remove unverified publishers
  • Review GitHub OAuth app permissions and revoke unused tokens
  • Enable GitHub Advanced Security and secret scanning if on GitHub Enterprise
  • Monitor for unusual GitHub Actions workflow behavior or unexpected CI/CD triggers
  • Check Breached forum IoCs via SOCRadar for exposure indicators

Additional Intelligence

Industry resources and context relevant this week.

2025 CWE Top 25 Most Dangerous Software Weaknesses

Week 2 follow-up: Included in our June 4 briefing as well and carried forward as a standing reference - no change this week.

MITRE has published the updated 2025 CWE Top 25 list. Security teams should use this as a reference when evaluating software vendor security posture, conducting code reviews, and prioritizing remediation in vulnerability management programs. SOClogix can build LimaCharlie detection rules mapped to these weakness categories - organizations enrolled in our managed SOC will receive these detections as they are deployed.

View the 2025 CWE Top 25
VT

Vaughn Thomas

Compliance Engineer & Threat Researcher, SOClogix

All reports →
VT

Vaughn Thomas

Compliance Engineer

SOClogix Cyber Group

200+

Threat groups tracked

50+

Intel feeds monitored

52×

Reports per year

Global dark web & forum monitoring
Live CISA KEV & NVD tracking
Adversary TTP analysis
Compliance-threat intersection

Get Weekly Briefings Free

Confirmed via email. No spam. Unsubscribe anytime.

This Week at a Glance

CVEs covered3
New this week1
Tracked since Jun 44
Actively exploited1
Active campaigns2
CISA KEV additions1

Get Vaughn's Briefing Every Week

Free weekly threat awareness reports delivered to your inbox every Wednesday. CVEs, active campaigns, and actionable guidance - written for security teams, compliance managers, and executive stakeholders.

Confirmed via email. No spam. Unsubscribe anytime.

Prefer a conversation? Talk to our team about managed security monitoring.