Weekly Threat Awareness Report'RoguePlanet' Defender Zero-Day · PAN-OS Auth Bypass · Cisco SD-WAN CVSS 10.0
Edge and identity infrastructure is the throughline this week. Two authentication-bypass flaws in perimeter gear - Cisco Catalyst SD-WAN at CVSS 10.0 and PAN-OS GlobalProtect at CVSS 9.1 - can hand attackers the network itself, while a new Microsoft Defender privilege-escalation flaw named 'RoguePlanet' has no patch available yet. The Fortinet 'Fortibleed' credential campaign rounds out the list.
Vaughn Thomas
Compliance Engineer & Threat Researcher · SOClogix Cyber Group
About the Analyst
Vaughn Thomas is SOClogix's Compliance Engineer and principal threat researcher, operating at the intersection of regulatory compliance and active adversary tradecraft. Each week, Vaughn synthesizes intelligence from dark web forums, vendor security advisories, CISA KEV updates, Shodan/Censys exposure data, and real-time telemetry from SOClogix's managed client network - spanning healthcare, financial services, defense industrial base, manufacturing, and local government - to produce actionable threat awareness briefings written for security teams and executive stakeholders at every level. Vaughn actively tracks over 200 threat actor groups and contributes threat sharing intelligence to multiple ISAC communities. His analysis deliberately bridges raw technical findings and business risk so compliance teams and CISOs can act, not just read.
200+
Threat groups tracked
50+
Intel feeds monitored
3 yrs
Threat research tenure
CVEs Affecting Client Assets
Vulnerabilities identified this week with direct relevance to common enterprise environments.
CVE-2026-20127 New this weekCisco Catalyst SD-WAN - Unauthenticated Authentication Bypass
Disclosed: Feb 25, 2026 · Improper Authentication (CWE-287) · Unauthenticated & remote
A severe flaw in Cisco Catalyst SD-WAN lets unauthenticated, remote attackers bypass security and gain full administrative privileges over the core of an enterprise network. It affects the Catalyst SD-WAN Controller (formerly vSmart), Manager (formerly vManage), and Validator (formerly vBond), and stems from an improper authentication flaw in the peering-authentication mechanism that secures device-to-device communication. An attacker can send specially crafted requests to log in as a high-privileged internal user, reach NETCONF, and completely manipulate the SD-WAN fabric - redirecting traffic, shutting down services, creating backdoors, or spying on communications.
Recommended Actions
- Patch Cisco Catalyst SD-WAN Controller, Manager, and Validator to a fixed release immediately
- Restrict management and peering interfaces to trusted segments only
- Audit SD-WAN and NETCONF logs for unexpected high-privilege logins or configuration changes
- Treat any internet-reachable, unpatched controller as presumed-compromised and investigate
CVE-2026-0257 New this weekPalo Alto PAN-OS GlobalProtect - Authentication Bypass
Disclosed: May 13, 2026 · Reliance on cookies without validation (CWE-565) · GlobalProtect portal & gateway
A severe authentication-bypass vulnerability in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS lets attackers get past security checks without valid credentials and establish unauthorized VPN connections. The underlying issue is a reliance on cookies without proper validation or integrity checking, making them vulnerable to manipulation. Successful exploitation can grant an attacker full access to your internal network through a compromised VPN session, opening the door to data theft, malware installation, system compromise, and operational disruption.
Recommended Actions
- Update PAN-OS to a fixed release across all GlobalProtect portals and gateways
- If the authentication override feature is in use, use a dedicated certificate separate from the HTTPS service certificate
- Disable the authentication override feature where it is not operationally required
- Review GlobalProtect logs for forged-cookie sessions and unexpected VPN connections
CVE-2026-50656 New this week No patch yetMicrosoft Defender 'RoguePlanet' - Elevation of Privilege
Identified: Jun 16, 2026 · Improper Link Resolution Before File Access (CWE-59) · Patch pending
A privilege-escalation flaw dubbed 'RoguePlanet' was found in the Microsoft Malware Protection Engine that powers Microsoft Defender, the built-in antivirus for Windows. Categorized as improper link resolution before file access, the engine mishandles file shortcuts and links, so malicious files can be accessed with elevated permissions. An attacker who already has a standard user foothold could escalate to administrative or SYSTEM-level control - installing malware, modifying or deleting critical data, or creating new accounts. Because Defender is near-ubiquitous, the exposure spans individual endpoints to large corporate fleets. Microsoft is actively working on a security update.
Recommended Actions
- Apply the Microsoft security update as soon as it is released, then confirm the Malware Protection Engine version fleet-wide
- Keep Defender engine and signature auto-updates enabled so the fix lands automatically
- Enforce least privilege and monitor for unexpected escalation to admin or SYSTEM context
- Alert on suspicious symlink and junction creation near Defender-scanned paths
Active Threats & Campaigns
Threat actor campaigns with available detection rules or indicators of compromise.
Fortinet "Fortibleed" Campaign - Mass Firewall & VPN Credential Compromise
Security researchers discovered the operational server of a threat group that has been systematically breaking into internet-facing Fortinet firewalls and VPN gateways worldwide. The server held the group's tooling, automation, and a database of verified, working login credentials. Victims span banks, telecoms, hospitals, universities, energy, government, and large multinationals. Telecom was the most-hit sector, and 591 entries belong to government domains.
The attackers run fully automated tooling that scans the internet for Fortinet devices and tests a curated list of previously leaked Fortinet passwords against them. Once inside a device, they monitor passing traffic to harvest additional credentials, which are fed back into the scanner. Many victims were exposed simply because passwords were never rotated after earlier breaches, or because default and built-in accounts (generic admin and Fortinet system accounts) were never renamed.
Immediate Actions
- Rotate ALL FortiGate admin and VPN credentials - do not assume earlier rotation is sufficient
- Rename or disable default and built-in accounts (generic admin, Fortinet system accounts)
- Enforce MFA on all VPN and administrative access
- Restrict management interface exposure to the public internet
- Review FortiGate logs for unauthorized logins and traffic-harvesting indicators
Campaign Profile
Scale: ~73,000 firewalls / VPNs
Top sector: Telecommunications
Gov domains: 591 verified entries
Method: Automated scanning + credential replay
Persistence: Passive traffic credential harvesting
Protect your environment
Vaughn Thomas
Compliance Engineer
SOClogix Cyber Group
200+
Threat groups tracked
50+
Intel feeds monitored
52×
Reports per year
Get Weekly Briefings Free
This Week at a Glance
Get Vaughn's Briefing Every Week
Free weekly threat awareness reports delivered to your inbox. CVEs, active campaigns, and actionable guidance - written for security teams, compliance managers, and executive stakeholders.
Prefer a conversation? Talk to our team about managed security monitoring.