Skip to content
Auto-CTI

Weekly dossier · 2026-W28

Joel Traber AG

06.07.2026 – 12.07.2026

Strategic overview

CRITICAL

In CW 28, critical vulnerabilities in core components of Joel Traber AG's infrastructure dominate the threat picture: Microsoft Edge alone contains three directly relevant flaws, including remote code execution, privilege escalation, and access control bypass, while a 15-year-old Linux kernel vulnerability (GhostLock) leaves the deployed Ubuntu 24.04 LTS systems exploitable without elevated permissions. A privilege escalation flaw in Microsoft Defender additionally threatens the Windows Server infrastructure, and an authentication weakness in Bitwarden creates potential for full account takeovers.

Alerts
119
CVEs
430
KEV
2
Critical
34

Top news

  • TAKTISCH ZDI: Published Advisories
    ZDI-26-331: (Pwn2Own) Microsoft Edge Feedback Log File Handling Directory Traversal Remote Code Execution Vulnerability

    A directory-traversal vulnerability in Edge feedback logging enables remote code execution when a user visits a malicious page or opens a malicious file.

    → Microsoft Edge is actively used in the company's tech stack; a directory traversal RCE vulnerability with CVSS 7.5 requiring user interaction represents a direct operational risk to endpoint security.

  • TAKTISCH ZDI: Published Advisories
    ZDI-26-355: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability

    A use-after-free vulnerability in Adobe Acrobat Reader DC enables remote code execution upon user interaction with CVSS 7.8; no public exploitation known, but timely patching required.

    → Adobe Acrobat Reader DC is explicitly listed in the company's tech stack; a use-after-free RCE with CVSS 7.8 requiring user interaction represents a direct operational risk.

  • TAKTISCH The Hacker News
    Microsoft Patches RoguePlanet Defender Flaw That Can Grant SYSTEM Privileges

    The RoguePlanet vulnerability is a race condition in mpengine.dll that can be exploited regardless of whether real-time protection is enabled, and has already been publicly documented with PoC exploits.

    → CVE-2026-50656 is a privilege escalation vulnerability in Microsoft Defender (mpengine.dll) that could be exploited on Windows Server 2022 and Windows Server 2019 in the company's infrastructure to obtain SYSTEM-level access.

  • TAKTISCH The Hacker News
    15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros

    GhostLock is a 15-year-old Linux kernel flaw now publicly disclosed with working exploit code offering 97% reliability for local privilege escalation and container escape.

    → CVE-2026-43499 is a critical 15-year-old Linux kernel privilege escalation flaw affecting Ubuntu 24.04 LTS, which is in the company's tech stack; it requires no special permissions and enables local privilege escalation and container escape, making it directly applicable to manufacturing environments running Ubuntu.

  • OPERATIV darkreading
    'Djinn' Stealer Targets Cloud, AI Credentials

    The campaign demonstrates that attackers leverage RMM tools as entry points to steal cloud and AI credentials using admin privileges, enabling broad network compromise.

    → RMM tools like SimpleHelp are widely deployed in enterprise environments and are actively targeted by attackers for lateral movement and credential theft; the Djinn stealer campaign demonstrates practical exploitation of this attack vector.

  • TAKTISCH The Hacker News
    BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA

    Prior BeyondTrust flaws have been actively exploited for web shell and backdoor deployment, justifying urgent patch prioritization for these critical authentication bypass vulnerabilities.

    → BeyondTrust Remote Support and Privileged Remote Access are not mentioned in the company's specific tech stack, but critical auth bypass flaws (CVSS 9.2) affecting remote access and privilege management products are commonly deployed in similar manufacturing environments.

  • TAKTISCH The Hacker News
    16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems

    A 16-year-old use-after-free vulnerability in the Linux KVM hypervisor enables the first reliable guest-to-host escape with full code execution on both Intel and AMD x86 systems.

    → CVE-2026-53359 is a critical KVM hypervisor escape vulnerability affecting Linux KVM on Intel and AMD x86 systems; the company operates VMware vSphere 8 / ESXi environments which use different hypervisor architecture (not Linux KVM), but the vulnerability is relevant to any organization managing virtualized infrastructure and guest isolation.

  • TAKTISCH Malwarebytes
    Microsoft fixes RoguePlanet zero-day in Defender

    A critical elevation of privilege vulnerability in Microsoft Defender allows attackers to escalate from standard user account to full system control (NT AUTHORITY\SYSTEM).

    → Microsoft Defender elevation of privilege zero-day (RoguePlanet/CVE-2026-50656) directly affects the company's Windows Server and endpoint security infrastructure.

  • TAKTISCH Malwarebytes
    This new Windows malware can take over your PC and wipe it clean

    GigaWiper is a modular Golang backdoor observed in intrusions since October 2025, combining multiple wiper functions with C2 and remote access capabilities in a single operational framework.

    → GigaWiper is a destructive Windows backdoor combining remote access and data destruction capabilities, directly relevant to Windows Server environments and endpoints in the company's tech stack; however, no nation-state attribution or DACH-specific targeting has been disclosed.

Research Deep Dives

View all →
  • MALWAREBYTES 09/07/2026
    Microsoft fixes RoguePlanet zero-day in Defender

    Microsoft has fixed the RoguePlanet zero-day vulnerability (CVE-2026-50656) in Microsoft Defender. This elevation of privilege flaw allowed attackers to escalate from a standard user account to NT AUTHORITY\SYSTEM, gaining full control of the system. The fix is included in Malware Protection Engine version 1.1.26060.3008, which is distributed automatically. Organizations using alternative antivirus solutions with Defender disabled are not affected.

  • MALWAREBYTES 10/07/2026
    This new Windows malware can take over your PC and wipe it clean

    The research report describes 'GigaWiper', a modular Windows backdoor written in Golang that combines remote access, espionage, and multiple data destruction methods. The malware leverages components from earlier tools like Crucio ransomware and FlockWiper, and can, among other things, overwrite raw disks, irreversibly encrypt files, and record the desktop. It establishes persistence via a scheduled task named 'OneDrive Update'. The best defense is preventing initial compromise and detecting malicious activity early.

  • MICROSOFT SECURITY BLOG 25/06/2026
    Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access

    The report details an active multi-stage intrusion campaign targeting the hospitality and hotel industry since April 2026. The attackers use photo-themed ZIP archives with fake image shortcuts to initiate a chain involving obfuscated PowerShell, a Node.js implant, and dual registry persistence. The campaign evolved in two waves, with the second wave adding dynamic .NET DLL compilation and new domain infrastructure. While the ultimate objective is unclear, the emphasis on obfuscation and persistence indicates preparation for further malicious activities.

Top vendors

  • Microsoft 35
  • Google 23
  • Adobe 12
  • Linux 10
  • Mozilla Firefox 3
  • Mozilla Thunderbird 3

Top CVEs

  • CVE-2026-48558 'Djinn' Stealer Targets Cloud, AI Credentials 10.0
  • CVE-2026-58281 CVE-2026-58281: Deserialization of Untrusted Data in Microsoft Edge Allows Remote Code Execution 8.3
  • CVE-2026-58596 CVE-2026-58596 8.3
  • CVE-2026-58525 CVE-2026-58525 8.2
  • CVE-2026-32201 The April 2026 Security Update Review 6.5
  • CVE-2026-60104 CVE-2026-60104: Bitwarden Server Authentication Request Vulnerability Allows Account Takeover 7.3
ESC