Skip to content
Auto-CTI

Weekly dossier · 2026-W25

Joel Traber AG

15.06.2026 – 21.06.2026

Strategic overview

CRITICAL

In calendar week 25, several critical vulnerabilities were disclosed affecting core components of Joel Traber AG, including actively exploited flaws in Fortinet FortiSandbox, an unpatched zero-day in Microsoft Defender, and multiple remote code execution and sandbox escape vulnerabilities in Google Chrome requiring immediate action. Of particular concern is the combination of active exploitation in the wild and missing patches for Defender and Fortinet, which significantly increases the risk of a successful compromise of production and endpoint environments.

Alerts
126
CVEs
38
KEV
2
Critical
62

Top news

  • TAKTISCH The Hacker News
    Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw

    Unknown threat actors are actively exploiting an authentication bypass in Palo Alto VPN gateways to gain unauthorized access , a critical risk for networked manufacturing organizations in the DACH region whose partners or suppliers operate such systems.

    → CVE-2026-0257 is an active VPN authentication bypass affecting Palo Alto PAN-OS GlobalProtect; while the company does not operate Palo Alto firewalls in their stated tech stack, GlobalProtect VPN solutions are commonly deployed in manufacturing and DACH regions, and active exploitation by unknown threat actors presents supply-chain and geopolitical risk for adjacent organizations.

  • TAKTISCH The Hacker News
    Attackers Exploit Three Fortinet FortiSandbox Flaws, One Patched Last Week

    All three critical flaws (CVE-2026-39813, CVE-2026-39808, CVE-2026-25089) are being actively exploited; working exploits exist for at least two vulnerabilities, making immediate patching a priority for organizations running FortiSandbox.

    → Fortinet FortiGate and FortiClient are core security appliances in the stack, and are actively targeted by attackers; three critical RCE flaws in FortiSandbox with active exploitation.

  • TAKTISCH ZDI: Published Advisories
    ZDI-26-331: (Pwn2Own) Microsoft Edge Feedback Log File Handling Directory Traversal Remote Code Execution Vulnerability

    A Pwn2Own winning vulnerability in Microsoft Edge enables remote code execution via feedback log file handling when users visit malicious web pages.

    → Microsoft Edge is part of the company's technology stack, and a directory traversal RCE with CVSS 7.5 presents direct risk if users visit malicious pages.

  • TAKTISCH ZDI: Published Advisories
    ZDI-26-266: Fortinet FortiWeb cat_cgi_paths Out-Of-Bounds Write Remote Code Execution Vulnerability

    A critical vulnerability in Fortinet FortiWeb enables authenticated remote code execution with high CVSS score; the company uses FortiGate rather than FortiWeb, so direct impact is limited, but Fortinet dependencies should be verified.

    → Fortinet FortiWeb is not listed in the company's tech stack, but Fortinet FortiGate is a critical component of the network infrastructure; however, this CVE affects a different Fortinet product line.

  • TAKTISCH The Hacker News
    Microsoft Confirms RoguePlanet Defender Zero-Day, Says Patch is in Development

    The vulnerability is a race condition in the Malware Protection Engine that grants SYSTEM-level privileges regardless of real-time protection status and has already been publicly exploited by a security researcher.

    → Microsoft Defender is a core component of the company's endpoint security strategy (Microsoft Defender for Endpoint), and a privilege escalation zero-day in the Malware Protection Engine directly affects Windows Server environments (2022, 2019) and client systems.

  • OPERATIV ZDI: Published Advisories
    ZDI-26-252: Mozilla Firefox IonMonkey Switch Statement Optimization Type Confusion Remote Code Execution Vulnerability

    A critical type confusion vulnerability in the IonMonkey JIT engine enables remote code execution through visiting a malicious webpage without elevated user interaction via plugins.

    → Mozilla Firefox is widely deployed in the company's Windows and Linux environments; a remote code execution vulnerability with CVSS 8.8 affecting the browser requires prompt patching.

  • OPERATIV ZDI: Published Advisories
    ZDI-26-276: Microsoft Windows Secure Kernel Double Free Local Privilege Escalation Vulnerability

    Local privilege escalation in Windows Secure Kernel requires pre-existing high-privileged code execution capability; threat is limited to scenarios with local system access.

    → CVE-2026-26179 is a local privilege escalation in Windows Secure Kernel affecting Microsoft Windows Server 2022 and 2019, both in the company's tech stack.

  • TAKTISCH Unit 42
    Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257

    Unidentified threat actor actively exploiting PAN-OS authentication bypass to access GlobalProtect VPN,organizations must hunt for indicators and review mitigations immediately.

    → CVE-2026-0257 is an authentication bypass in PAN-OS GlobalProtect affecting VPN access,a critical control for organizations using Fortinet FortiGate and similar security appliances, though Palo Alto Networks products are not listed in the company's tech stack.

  • TAKTISCH Malwarebytes
    Microsoft working on a fix for RoguePlanet, a flaw that grants full PC control

    A publicly available exploit for a critical privilege escalation in Microsoft Defender enables full system takeover with SYSTEM privileges; the same researcher has submitted at least four additional Windows zero-days that have since been patched by Microsoft.

    → Microsoft Defender Elevation of Privilege vulnerability with publicly available exploit directly affects Windows deployments and Microsoft Defender for Endpoint in the company's tech stack.

Research Deep Dives

View all →
  • UNIT 42 09/06/2026
    Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257

    The PAN-OS vulnerability CVE-2026-0257 is being actively exploited by an unknown threat actor attempting to access GlobalProtect through an authentication bypass. The vulnerability was added to the Known Exploited Vulnerabilities catalog on May 29. So far, no lateral movement or post-access activity has been identified, and only a small portion of probed devices established VPN connections. Organizations are strongly advised to hunt for the provided indicators and apply available patches or workarounds.

  • MALWAREBYTES 18/06/2026
    Microsoft working on a fix for RoguePlanet, a flaw that grants full PC control

    A publicly available vulnerability called RoguePlanet (CVE-2026-50656) allows attackers to gain full control of Windows systems by escalating privileges to SYSTEM level. Microsoft has confirmed the flaw in Microsoft Defender and is working on a security update. Exploitation depends on a race condition but can work even with active protection enabled. Recommended measures include installing the patch, regular backups, caution with downloads, and using additional anti-malware solutions.

  • MICROSOFT SECURITY BLOG 03/06/2026
    Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign

    Microsoft Threat Intelligence identified a large-scale npm supply chain attack involving 32 malicious packages under the @redhat-cloud-services scope. The attackers compromised the CI/CD pipeline and leveraged legitimate GitHub Actions OIDC workflows to publish trojanized packages with forged provenance signatures. The malware executed via a preinstall hook, downloaded the Bun runtime, and harvested credentials from cloud services, developer systems, and CI/CD environments. It also propagated in a worm-like fashion by compromising additional maintainer packages.

Top vendors

  • Microsoft 38
  • Google 21
  • Fortinet 20
  • Adobe 5
  • Mozilla 4
  • Ubiquiti 3

Top CVEs

  • CVE-2026-0257 Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw 7.8
  • CVE-2026-12440 CVE-2026-12440: Use-After-Free in DigitalCredentials in Google Chrome on Windows Prior to 149.0.7827.155 Allows Sandbox Escape 9.6
  • CVE-2026-12441 CVE-2026-12441: Use After Free in File Input in Google Chrome on Linux prior to 149.0.7827.155 8.8
  • CVE-2026-12443 CVE-2026-12443: Use-After-Free in Web Authentication in Google Chrome Prior to 149.0.7827.155 Allows Remote Code Execution 8.8
  • CVE-2026-12466 CVE-2026-12466: Heap Buffer Overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 8.8
  • CVE-2026-12451 CVE-2026-12451: Use-after-free in DigitalCredentials in Google Chrome prior to 149.0.7827.155 allows sandbox escape 8.3
ESC