Weekly dossier · 2026-W27
Joel Traber AG
29.06.2026 – 05.07.2026
Strategic overview
CRITICALIn CW 27, two critical areas require immediate attention: the actively exploited SimpleHelp vulnerability allows attackers to execute malicious code on affected systems, posing a direct operational risk to the production environment. In addition, multiple sandbox escape vulnerabilities in Google Chrome and a deserialization flaw in the company's Microsoft SharePoint Server have been disclosed, increasing the risk of targeted attacks against employee endpoints and collaboration infrastructure.
- Alerts
- 200
- CVEs
- 123
- KEV
- 3
- Critical
- 52
Top news
- TAKTISCH ZDI: Published AdvisoriesZDI-26-331: (Pwn2Own) Microsoft Edge Feedback Log File Handling Directory Traversal Remote Code Execution Vulnerability
A directory-traversal vulnerability in Microsoft Edge enables remote code execution through visiting a malicious web page, was demonstrated at Pwn2Own, and has been assigned CVSS 7.5.
→ Microsoft Edge is widely deployed in the company's tech stack and this CVE represents a direct remote code execution vulnerability affecting the browser with moderate CVSS severity.
- TAKTISCH ZDI: Published AdvisoriesZDI-26-349: Adobe Acrobat Pro DC Annots.api Use-After-Free Remote Code Execution Vulnerability
Use-After-Free vulnerability in Adobe Acrobat Pro DC enables remote code execution when a user interacts with a malicious file or webpage.
→ Adobe Acrobat Pro DC is deployed in the company tech stack and this RCE vulnerability requires user interaction but poses a direct threat to document handling workflows.
- TAKTISCH ZDI: Published AdvisoriesZDI-26-266: Fortinet FortiWeb cat_cgi_paths Out-Of-Bounds Write Remote Code Execution Vulnerability
An authenticated RCE vulnerability in Fortinet FortiWeb with high CVSS score enables arbitrary code execution and requires prompt patch prioritization in network security infrastructure.
→ Although FortiWeb is not explicitly listed in the tech stack, Fortinet FortiGate is central to the company's network security; an RCE vulnerability in a Fortinet product with CVSS 8.8 and authentication requirement is operationally relevant.
- TAKTISCH ZDI: Published AdvisoriesZDI-26-346: Adobe Acrobat Reader DC Annotation Use-After-Free Information Disclosure Vulnerability
The vulnerability requires user interaction (opening malicious files) and has low-to-medium risk with CVSS 3.3, but affects widely deployed software in manufacturing enterprises.
→ Adobe Acrobat Reader DC is deployed in the company's tech stack and used for PDF processing; the use-after-free vulnerability enables information disclosure upon file opening.
- TAKTISCH darkreading'Djinn' Stealer Targets Cloud, AI Credentials
Active attack campaign exploits authentication bypass in RMM tools to gain admin access and deploy credential-stealing malware in enterprise environments , an attack pattern enabling widespread compromise.
→ SimpleHelp is an RMM tool used for enterprise environment management; exploitation of CVE-2026-48558 demonstrates how attackers abuse trusted admin access to deploy malware such as 'Djinn' , a relevant threat for organizations using RMM solutions.
- TAKTISCH BleepingComputerCritical SimpleHelp flaw exploited to deploy new stealer malware
A critical remote-access vulnerability in SimpleHelp is being actively exploited to deploy a new information stealer , a risk for organizations using this tool for technical support.
→ SimpleHelp is a remote support tool that may be used in manufacturing environments; active exploitation of a critical RCE flaw with malware deployment represents direct operational risk.
- OPERATIV CERT Recently Published Vulnerability NotesVU#980487: Local privilege escalation in Linux Kernel (Dirty Frag)
Chaining of two previously known kernel vulnerabilities enables memory corruption and local privilege escalation on Linux 4.10+; public PoC available since May 2026.
→ Linux kernel privilege escalation affects Ubuntu 24.04 LTS systems in the company's infrastructure; requires patching but no active exploitation or geopolitical implication reported.
- OPERATIV ZDI: Published AdvisoriesZDI-26-339: Microsoft Windows Narrator Braille Support brlapi Exposed Dangerous Function Local Privilege Escalation Vulnerability
Local escalation in optional Narrator Braille feature requires already having low-privilege code execution on the target system.
→ Local privilege escalation in Windows Narrator Braille support affects Windows Server 2022 and 2019 deployments; requires low-privileged code execution and optional Braille feature installation.
- TAKTISCH Unit 42Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
An unidentified threat actor is actively exploiting CVE-2026-0257 to bypass authentication on PAN-OS GlobalProtect gateways and establish unauthorized VPN connections.
→ CVE-2026-0257 is an authentication bypass in PAN-OS GlobalProtect affecting VPN access, a critical control for remote access management; Joel Traber AG uses Fortinet FortiGate and Remote Desktop Gateway but not Palo Alto Networks PAN-OS, limiting direct operational impact but warranting monitoring for similar VPN/gateway vulnerabilities in deployed stack.
- OPERATIV SecurelistThe SOC Files: ScreenConnect masked as freeware. An inside look at a large-scale campaign
Threat actors distribute manipulated ScreenConnect archives disguised as legitimate freeware utilities (OBS Studio, DS4Windows, DNS Jumper, Glary Utilities) to gain access to enterprise-wide systems.
→ ScreenConnect is a commonly deployed remote-access tool in enterprise IT; the campaign demonstrates a tactic targeting organizations with Windows-based infrastructure and examines abuse patterns of legitimate tools.
Research Deep Dives
View all →- UNIT 42 09/06/2026Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
Unit 42 observed active exploitation of the PAN-OS vulnerability CVE-2026-0257, which allows an authentication bypass in GlobalProtect. The vulnerability has been added to the Known Exploited Vulnerabilities catalog, but no lateral movement or post-access activity has been detected so far. Organizations should hunt for provided indicators, activate incident response for successful connections, and apply available patches or workarounds.
- SECURELIST 01/07/2026The SOC Files: ScreenConnect masked as freeware. An inside look at a large-scale campaign
The report reveals a large-scale campaign where attackers abuse the legitimate remote access tool ScreenConnect to distribute AsyncRAT malware. Malicious installers are disguised as popular freeware applications like OBS Studio and Bandicam, hosted on over 90 spoofed websites across 10 languages. These installers bundle a signed Microsoft executable to bypass security and deploy the remote access trojan. The campaign highlights how trusted tools can be weaponized for stealthy system compromise and data theft.
- MALWAREBYTES 01/07/2026Chrome needs another whopper update to fix 382 security bugs
Google has released a critical Chrome update to fix 382 security vulnerabilities, 15 of which are rated critical. These flaws could allow attackers to execute arbitrary code outside the browser's sandbox. Notably, CVE-2026-13789 is a use-after-free vulnerability in the GPU process that enables sandbox escape via specially crafted HTML pages. Users should update Chrome and other Chromium-based browsers immediately.
Top vendors
- Google 104
- Microsoft 31
- Adobe 14
- Fortinet 5
- Linux 5
- 7-Zip 4
Top CVEs
- CVE-2026-45659 CVE-2026-45659 , Microsoft SharePoint Server Deserialization of Untrusted Data Vulnerability 8.8
- CVE-2026-0257 Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 9.1
- CVE-2026-14382 CVE-2026-14382: Sandbox Escape Vulnerability in ANGLE in Google Chrome Prior to 150.0.7871.46 9.6
- CVE-2026-14390 CVE-2026-14390: Use After Free in ANGLE in Google Chrome Prior to 150.0.7871.46 9.6
- CVE-2026-14411 CVE-2026-14411: Sandbox Escape in Google Chrome ANGLE Prior to 150.0.7871.46 9.6
- CVE-2026-14417 CVE-2026-14417 Use After Free in Dawn in Google Chrome Prior to 150.0.7871.46 Allows Remote Sandbox Escape 9.6