Skip to main content
All Threat Briefings
Weekly Threat AwarenessJune 18, 2026|Vol. 1 · Issue 3|Covers June 8-14, 2026

Weekly Threat Awareness Report'RoguePlanet' Defender Zero-Day · PAN-OS Auth Bypass · Cisco SD-WAN CVSS 10.0

Edge and identity infrastructure is the throughline this week. Two authentication-bypass flaws in perimeter gear - Cisco Catalyst SD-WAN at CVSS 10.0 and PAN-OS GlobalProtect at CVSS 9.1 - can hand attackers the network itself, while a new Microsoft Defender privilege-escalation flaw named 'RoguePlanet' has no patch available yet. The Fortinet 'Fortibleed' credential campaign rounds out the list.

VT

Vaughn Thomas

Compliance Engineer & Threat Researcher · SOClogix Cyber Group

About the Analyst

Vaughn Thomas is SOClogix's Compliance Engineer and principal threat researcher, operating at the intersection of regulatory compliance and active adversary tradecraft. Each week, Vaughn synthesizes intelligence from dark web forums, vendor security advisories, CISA KEV updates, Shodan/Censys exposure data, and real-time telemetry from SOClogix's managed client network - spanning healthcare, financial services, defense industrial base, manufacturing, and local government - to produce actionable threat awareness briefings written for security teams and executive stakeholders at every level. Vaughn actively tracks over 200 threat actor groups and contributes threat sharing intelligence to multiple ISAC communities. His analysis deliberately bridges raw technical findings and business risk so compliance teams and CISOs can act, not just read.

200+

Threat groups tracked

50+

Intel feeds monitored

3 yrs

Threat research tenure

CVEs Affecting Client Assets

Vulnerabilities identified this week with direct relevance to common enterprise environments.

CriticalCVE-2026-20127 New this week
10.0CVSS
90SVRS

Cisco Catalyst SD-WAN - Unauthenticated Authentication Bypass

Disclosed: Feb 25, 2026  ·  Improper Authentication (CWE-287)  ·  Unauthenticated & remote

Series context: This is the same vdaemon peering-authentication weakness family behind the UAT-8616 SD-WAN campaign (CVE-2026-20182) we tracked on June 4 and June 11. If you already patched for that campaign, confirm this distinct CVE is also covered - they are separate logic flaws in the same service.

A severe flaw in Cisco Catalyst SD-WAN lets unauthenticated, remote attackers bypass security and gain full administrative privileges over the core of an enterprise network. It affects the Catalyst SD-WAN Controller (formerly vSmart), Manager (formerly vManage), and Validator (formerly vBond), and stems from an improper authentication flaw in the peering-authentication mechanism that secures device-to-device communication. An attacker can send specially crafted requests to log in as a high-privileged internal user, reach NETCONF, and completely manipulate the SD-WAN fabric - redirecting traffic, shutting down services, creating backdoors, or spying on communications.

Recommended Actions

  • Patch Cisco Catalyst SD-WAN Controller, Manager, and Validator to a fixed release immediately
  • Restrict management and peering interfaces to trusted segments only
  • Audit SD-WAN and NETCONF logs for unexpected high-privilege logins or configuration changes
  • Treat any internet-reachable, unpatched controller as presumed-compromised and investigate
CriticalCVE-2026-0257 New this week
9.1CVSS
91SVRS

Palo Alto PAN-OS GlobalProtect - Authentication Bypass

Disclosed: May 13, 2026  ·  Reliance on cookies without validation (CWE-565)  ·  GlobalProtect portal & gateway

A severe authentication-bypass vulnerability in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS lets attackers get past security checks without valid credentials and establish unauthorized VPN connections. The underlying issue is a reliance on cookies without proper validation or integrity checking, making them vulnerable to manipulation. Successful exploitation can grant an attacker full access to your internal network through a compromised VPN session, opening the door to data theft, malware installation, system compromise, and operational disruption.

Recommended Actions

  • Update PAN-OS to a fixed release across all GlobalProtect portals and gateways
  • If the authentication override feature is in use, use a dedicated certificate separate from the HTTPS service certificate
  • Disable the authentication override feature where it is not operationally required
  • Review GlobalProtect logs for forged-cookie sessions and unexpected VPN connections
HighCVE-2026-50656 New this week No patch yet
7.8CVSS
77SVRS

Microsoft Defender 'RoguePlanet' - Elevation of Privilege

Identified: Jun 16, 2026  ·  Improper Link Resolution Before File Access (CWE-59)  ·  Patch pending

Series context: This is the RoguePlanet flaw we flagged in our June 10 Patch Tuesday analysis as a Defender weakness with no fix in sight. Microsoft is still working on a security update, so detection and least-privilege controls are your primary mitigations this week.

A privilege-escalation flaw dubbed 'RoguePlanet' was found in the Microsoft Malware Protection Engine that powers Microsoft Defender, the built-in antivirus for Windows. Categorized as improper link resolution before file access, the engine mishandles file shortcuts and links, so malicious files can be accessed with elevated permissions. An attacker who already has a standard user foothold could escalate to administrative or SYSTEM-level control - installing malware, modifying or deleting critical data, or creating new accounts. Because Defender is near-ubiquitous, the exposure spans individual endpoints to large corporate fleets. Microsoft is actively working on a security update.

Recommended Actions

  • Apply the Microsoft security update as soon as it is released, then confirm the Malware Protection Engine version fleet-wide
  • Keep Defender engine and signature auto-updates enabled so the fix lands automatically
  • Enforce least privilege and monitor for unexpected escalation to admin or SYSTEM context
  • Alert on suspicious symlink and junction creation near Defender-scanned paths
Read our RoguePlanet analysis from June Patch Tuesday

Active Threats & Campaigns

Threat actor campaigns with available detection rules or indicators of compromise.

Credential Exposure73,000+ devices worldwide New this week

Fortinet "Fortibleed" Campaign - Mass Firewall & VPN Credential Compromise

Security researchers discovered the operational server of a threat group that has been systematically breaking into internet-facing Fortinet firewalls and VPN gateways worldwide. The server held the group's tooling, automation, and a database of verified, working login credentials. Victims span banks, telecoms, hospitals, universities, energy, government, and large multinationals. Telecom was the most-hit sector, and 591 entries belong to government domains.

The attackers run fully automated tooling that scans the internet for Fortinet devices and tests a curated list of previously leaked Fortinet passwords against them. Once inside a device, they monitor passing traffic to harvest additional credentials, which are fed back into the scanner. Many victims were exposed simply because passwords were never rotated after earlier breaches, or because default and built-in accounts (generic admin and Fortinet system accounts) were never renamed.

Series context: This is the concrete campaign behind the Fortinet authentication-bypass theme we first raised on June 4. It carries into next week's briefing as well - assume any FortiGate whose passwords were never rotated is already in the leaked dataset.

Immediate Actions

  • Rotate ALL FortiGate admin and VPN credentials - do not assume earlier rotation is sufficient
  • Rename or disable default and built-in accounts (generic admin, Fortinet system accounts)
  • Enforce MFA on all VPN and administrative access
  • Restrict management interface exposure to the public internet
  • Review FortiGate logs for unauthorized logins and traffic-harvesting indicators

Campaign Profile

Scale: ~73,000 firewalls / VPNs

Top sector: Telecommunications

Gov domains: 591 verified entries

Method: Automated scanning + credential replay

Persistence: Passive traffic credential harvesting

VT

Vaughn Thomas

Compliance Engineer & Threat Researcher, SOClogix

All reports →
VT

Vaughn Thomas

Compliance Engineer

SOClogix Cyber Group

200+

Threat groups tracked

50+

Intel feeds monitored

52×

Reports per year

Global dark web & forum monitoring
Live CISA KEV & NVD tracking
Adversary TTP analysis
Compliance-threat intersection

Get Weekly Briefings Free

Confirmed via email. No spam. Unsubscribe anytime.

This Week at a Glance

CVEs covered3
Critical severity2
CVSS 10.01
Awaiting patch1
Active campaigns1
Fortinet devices exposed73K

Get Vaughn's Briefing Every Week

Free weekly threat awareness reports delivered to your inbox. CVEs, active campaigns, and actionable guidance - written for security teams, compliance managers, and executive stakeholders.

Confirmed via email. No spam. Unsubscribe anytime.

Prefer a conversation? Talk to our team about managed security monitoring.