Cyber Roundup: Week of June 15
Table of contents
- 1. Palo Alto Networks: CVE-2026-0257 GlobalProtect VPN authentication bypass under active exploitation
- 2. Cisco: CVE-2026-20262 marks the second exploited SD-WAN flaw in two weeks
- 3. CISA: Joomla Content Editor CVE-2026-48907 added to KEV at maximum CVSS 10.0
- 4. Microsoft: CVE-2026-50656 "RoguePlanet" Defender zero-day confirmed unpatched with public PoC
- 5. Splunk: CVE-2026-20253 unauthenticated RCE added to CISA KEV with three-day federal deadline
- The pattern across all five stories
Here are the main stories you missed last week.
1. Palo Alto Networks: CVE-2026-0257 GlobalProtect VPN authentication bypass under active exploitation
The headline: On June 15, 2026, Palo Alto Networks confirmed active exploitation of CVE-2026-0257, a CVSS 7.8 authentication bypass affecting the portal and gateway components of PAN-OS GlobalProtect deployments. An unknown threat actor is using the flaw to obtain unauthorized access to GlobalProtect portals. The vulnerability was originally disclosed earlier this month. Palo Alto’s update on Monday escalated the advisory from “disclosed” to “exploited.”
What we’re actually watching: Two consecutive weeks, two different vendors, the same target category. Check Point’s IKEv1 authentication bypass last week and now Palo Alto’s GlobalProtect bypass this week confirm that VPN appliances are the active perimeter target of the quarter.
The authentication bypass produces the same operational outcome as the Check Point IKEv1 flaw from the prior week: an attacker obtains access to GlobalProtect portals without valid credentials. Both vendors hold significant enterprise market share in remote access, and both flaws skip the credential layer entirely. The pattern across the two disclosures matters more than either individual vulnerability. Threat actors are no longer trying to crack VPN authentication. They are looking for ways to skip it.
For SOC teams, the operational guidance for Palo Alto is the same as last week's for Check Point, applied to a different vendor. Inventory which VPN portals are internet-exposed, confirm whether they sit on the patched PAN-OS version, and treat any authentication event from a known PAN-OS appliance as a candidate for forensic review against the IOCs Palo Alto has published.
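As an added illustration of the inventory step above (example code written for this page, not from the roundup or from Palo Alto Networks), the script below parses PAN-OS version strings, including the -hN hotfix suffix, and flags internet-exposed GlobalProtect portals that sit below an assumed fixed release for their train. The host inventory and the fixed-version table are constructed placeholders; the advisory's actual fixed versions are not given on this page.

```python
import re
from typing import Dict, List, Tuple

# Constructed placeholder: the real fixed PAN-OS versions come from the vendor advisory.
ASSUMED_FIXED = {"10.2": "10.2.9-h1", "11.0": "11.0.4", "11.1": "11.1.2"}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(v: str) -> Tuple[int, int, int, int]:
    """Turn 'major.minor.patch[-hN]' into a comparable tuple; hotfix defaults to 0."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {v!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_patched(version: str) -> bool:
    """True if the version is at or above the assumed fixed release of its train.
    Trains with no fixed release listed are reported as unpatched (fail closed)."""
    parsed = parse_panos_version(version)
    fixed = ASSUMED_FIXED.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return False
    return parsed >= parse_panos_version(fixed)


def find_exposed_unpatched(inventory: List[Dict]) -> List[str]:
    """Return hostnames of internet-exposed GlobalProtect portals still needing the fix."""
    return sorted(
        h["host"] for h in inventory
        if h["internet_exposed"] and h["globalprotect"] and not is_patched(h["panos"])
    )


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    {"host": "gp-portal-1", "panos": "10.2.9-h1", "internet_exposed": True, "globalprotect": True},
    {"host": "gp-portal-2", "panos": "10.2.9", "internet_exposed": True, "globalprotect": True},
    {"host": "gp-gw-dc", "panos": "11.0.3", "internet_exposed": True, "globalprotect": True},
    {"host": "fw-internal", "panos": "11.0.3", "internet_exposed": False, "globalprotect": True},
    {"host": "gp-portal-3", "panos": "11.1.2", "internet_exposed": True, "globalprotect": True},
    {"host": "fw-legacy", "panos": "9.1.14", "internet_exposed": True, "globalprotect": True},
]

if __name__ == "__main__":
    for host in find_exposed_unpatched(SAMPLE_INVENTORY):
        print(f"REVIEW: {host}")
```

Note that a release without the hotfix suffix (10.2.9) sorts below the hotfixed one (10.2.9-h1), so the parser must treat a missing hotfix as 0 rather than ignoring the suffix.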
2. Cisco: CVE-2026-20262 marks the second exploited SD-WAN flaw in two weeks
The headline: On June 16, 2026, Cisco disclosed CVE-2026-20262, an authenticated file upload vulnerability in Catalyst SD-WAN Manager that allows an attacker with valid credentials to create or overwrite arbitrary files on the underlying operating system. The CVSS score is 6.5. CISA added the flaw to the Known Exploited Vulnerabilities catalog the same week. It is the second exploited SD-WAN bug Cisco has disclosed in fourteen days.
What we’re actually watching: Threat actors are working through the Cisco SD-WAN stack methodically. Two exploited vulnerabilities in two weeks against a single product family suggests focused vulnerability research, not opportunistic discovery.
The vulnerability requires valid credentials with at least write access, which would normally lower the urgency. In practice, credential-stealing campaigns make “authenticated” a soft constraint. UNC3753, the OnyxC2 stealer, and the broader infostealer market that prior roundups covered steal and sell exactly the kind of credentials that turn an authenticated RCE into an unauthenticated compromise across two attacker-controlled hops.
The targeting pattern matters more than the individual CVE. When the same product family attracts two CVE disclosures with active exploitation inside two weeks, the right inference is that more disclosures are coming. SD-WAN management consoles are now in the same vulnerability cycle that perimeter VPN appliances entered last quarter.
The CISO question: If you operate Cisco SD-WAN, how many user accounts hold write access to the management console, and do all of them still need it, or has access creep extended that list beyond what your incident response plan assumes?
3. CISA: Joomla Content Editor CVE-2026-48907 added to KEV at maximum CVSS 10.0
What we’re actually watching: A CVSS 10.0 score with active exploitation in a long-standing CMS plugin is rare enough to deserve attention on its own. The deeper signal is that attackers continue to find maximum-severity paths in older, widely deployed web infrastructure that organizations stopped tracking years ago.
Joomla deployments rarely sit on the security team’s daily inventory. They live in marketing sites, partner portals, conference microsites, and customer-facing forms built years ago and never decommissioned. The Widget Factory JCE plugin runs on a meaningful fraction of those sites. A CVSS 10.0 unauthenticated code execution flaw in a plugin of that age and reach is exactly the kind of vulnerability that produces five-year-old backdoors discovered during unrelated incident response.
For SOC teams, the immediate action is asset discovery rather than patch deployment. Many of the affected sites are not on a patching schedule because nobody remembers they exist. CybelAngel’s external attack surface monitoring routinely surfaces these forgotten Joomla and WordPress deployments before attackers do.
The CISO question: How many Joomla, WordPress, and other CMS instances does your organization actually operate, and is that number based on a current inventory or on a list someone last updated three years ago?
4. Microsoft: CVE-2026-50656 “RoguePlanet” Defender zero-day confirmed unpatched with public PoC
The headline: On June 17, 2026, Microsoft confirmed CVE-2026-50656, a privilege escalation vulnerability in the Microsoft Malware Protection Engine publicly referred to as “RoguePlanet.” The flaw is a race condition that grants attackers a shell with SYSTEM-level privileges. Researcher Chaotic Eclipse (Nightmare-Eclipse) published a working exploit nearly a week before Microsoft’s confirmation. No patch is available. Microsoft has said only that it is “working to provide a high-quality security update.”
What we’re actually watching: The Nightmare Eclipse disclosure dispute that last week’s Patch Tuesday roundup flagged produced the predicted unpatched zero-day. Researchers who lose trust in vendor disclosure processes now drop working exploits publicly, and Microsoft’s response timeline is measured in weeks rather than days.
RoguePlanet is a local privilege escalation, which limits the initial attack scope. An attacker needs a foothold on the endpoint before the exploit becomes useful. That foothold is exactly what OnyxC2 stealers, phishing campaigns, and UNC3753-style social engineering produce in volume. Local-to-SYSTEM elevation through Defender itself is a particularly clean attack chain because the security agent is rarely the asset defenders monitor for compromise.
The disclosure-process angle deserves separate attention. Chaotic Eclipse has now published three exploits in three weeks against Microsoft products, after publicly stating that the MSRC handling of their submissions had broken down. When researcher relationships fail, the failure mode is unpatched zero-days circulating with working exploit code attached.
The CISO question: Your endpoint detection product is also an unpatched attack vector this week. Is your detection strategy resilient to its primary tool being the compromise, or does the SOC assume Defender’s signal is a trustworthy ground truth that doesn’t itself need monitoring?
5. Splunk: CVE-2026-20253 unauthenticated RCE added to CISA KEV with three-day federal deadline
The headline: On June 19, 2026, CISA added Splunk Enterprise CVE-2026-20253 to the Known Exploited Vulnerabilities catalog with a federal patching deadline of June 22. The CVSS score is 9.8. The flaw enables unauthenticated file operations and remote code execution against Splunk Enterprise deployments. Splunk released a fix the preceding week. The KEV addition followed evidence of in-the-wild exploitation.
What we’re actually watching: The SIEM platform that thousands of SOC teams use to detect threats is itself the threat this week. CISA’s three-day deadline is reserved for the highest-confidence active exploitation evidence and signals federal targeting.
Splunk Enterprise typically sits in privileged network positions with read access to log sources across the environment. Compromise of a Splunk deployment provides attackers with the same operational view defenders rely on: which detections fired, which alerts the SOC missed, which credentials passed through authentication systems, and which assets log what to where. The intelligence value of a compromised SIEM exceeds the intelligence value of most application servers.
The irony for SOC readers is structural, not rhetorical. The platform many teams use to detect compromise is exactly the platform that, this week, is the compromise. Detection rules built to alert on this CVE will be running on the same product the rule is trying to protect.
The CISO question: If your SIEM was the initial access point this week, would your detection program notice before attackers exfiltrate the credential map your Splunk holds, or does your monitoring strategy assume the SIEM is the one system that doesn’t itself need monitoring?
The pattern across all five stories
Every story this week involves a control that defenders count on to see attackers. VPN authentication, SD-WAN segmentation, CMS protection, endpoint detection, and SIEM correlation are the layers between the security team and the threat. This week, every one of them was the threat.
The unifying pattern is detection infrastructure as attack surface. Attackers have read the same architecture diagrams as defenders. They know which platforms produce the most detection signal, which sit at network chokepoints, which hold the privileged access maps. Those are the platforms under active exploitation right now. CybelAngel monitors what attackers see from outside those defenses: the exposed VPN portals, the forgotten CMS sites, the leaked credentials that turn authenticated CVEs into unauthenticated compromises. The view from outside is the view that matters when the inside is also under attack.
