Cyber Threat Intelligence Report

 

This week, we briefed our clients on the new Ghost-Sender email spoofing research from InfoGuard Labs. Be sure to test your domain for the vulnerability.


KEY TAKEAWAYS

  • Ghost-Sender email spoofing misconfiguration for Microsoft Exchange Online allows emails to appear to be from any sender.

  • Critical and high-severity vulnerabilities in Microsoft, Oracle, Check Point, Cisco, Splunk, SAP, and Veeam, plus updates to CISA KEV, patch now!




 

Ghost-Sender Email Spoofing

Security researchers at InfoGuard Labs recently published detailed research on a newly discovered configuration issue in Microsoft Exchange Online that allows "Universal Email Spoofing". Dubbed Ghost-Sender, the issue allows an attacker to send emails that appear to originate from any internal or external sender, even when the spoofed domain has valid SPF, DKIM, and DMARC protections. It arises when an organization uses Microsoft Exchange Online (or hybrid Exchange) with an external MX record, such as a third-party email server or spam protection solution. If the MX record points somewhere other than directly to Exchange Online Protection, the spoofed email will make it through. This effectively allows an attacker to impersonate any sender, including internal addresses.

 

How to Tell if You Are Vulnerable

The researchers at InfoGuard Labs created a Ghost-Sender testing tool that can be found here. Users have the ability to scan their domain to see if it is vulnerable, and also send a proof-of-concept email as validation.

If the MX record points directly to Exchange Online Protection (example-com.mail.protection.outlook.com), then your organization is not vulnerable to Ghost-Sender.

If an external MX record is used and no further configurations are made, then your organization is vulnerable to Ghost-Sender. Any emails sent directly to Exchange Online are delivered straight to the inbox, regardless of SPF, DKIM, and DMARC protections.

 

Mitigations

As of this writing, Microsoft states this is not a product vulnerability and is instead a "known architectural limitation." No patch can be applied to fix it, so administrators must take one of the following actions if they are vulnerable:

    • Point the MX record directly to Exchange Online Protection. Additionally, harden the DMARC configuration and disable DirectSend. The resulting DMARC record should look similar to: v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; sp=reject; adkim=s; aspf=s; pct=100. This scenario largely applies if your organization does not use a third-party email gateway or spam filter.
    • Set up a partner organization connector that applies to emails sent from any domain (wildcard entry) and rejects emails based on either IP or certificate-based validation.
    • Configure a mail flow rule that quarantines all inbound messages that do not match an approved sender IP range or carry the X-MS-Exchange-Organization-AuthAs: Internal header.

As the disclosure timeline in the InfoGuard report shows Microsoft acknowledging active spoofing campaigns as of at least April 21, administrators are urged to check if their email configurations are vulnerable and apply appropriate mitigations as soon as possible.
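The exposure check and the quarantine rule described above can be expressed as a small script. The following is an added example, not InfoGuard Labs' testing tool or Microsoft code: it classifies a domain's MX hosts against the Exchange Online Protection suffix named in the report, lists the gaps between a DMARC record and the hardened record recommended above, and implements the decision logic of the mail flow rule (approved sender IP range or X-MS-Exchange-Organization-AuthAs: Internal). The approved gateway range and all sample inputs are constructed; MX and TXT lookups are left to whatever resolver you already use, so the script runs offline on the data you pass in.

```python
"""Ghost-Sender exposure checks derived from the report's text.

Added example; this is not InfoGuard Labs' testing tool or Microsoft code.
The EOP host suffix, the DMARC target values and the header name come from
the report; the approved gateway range and the sample inputs are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List

# Exchange Online Protection MX endpoints end with this suffix
# (report example: example-com.mail.protection.outlook.com).
EOP_SUFFIX = ".mail.protection.outlook.com"

# Header Exchange stamps on mail it authenticated as internal.
INTERNAL_AUTH_HEADER = "X-MS-Exchange-Organization-AuthAs"

# Tag values in the hardened DMARC record recommended by the report.
DMARC_TARGET = {"p": "reject", "sp": "reject", "adkim": "s", "aspf": "s", "pct": "100"}


def classify_mx(mx_hosts: Iterable[str]) -> str:
    """'eop' if every MX host is an EOP endpoint, 'external' if none is,
    'mixed' otherwise. Only 'eop' is clear of Ghost-Sender without further
    configuration; 'external' needs one of the mitigations above and
    'mixed' needs manual review of the non-EOP path."""
    hosts = [h.strip().rstrip(".").lower() for h in mx_hosts]
    hosts = [h for h in hosts if h]
    if not hosts:
        return "none"
    eop_count = sum(h.endswith(EOP_SUFFIX) for h in hosts)
    if eop_count == len(hosts):
        return "eop"
    if eop_count == 0:
        return "external"
    return "mixed"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary (keys lowercased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_gaps(record: str) -> List[str]:
    """Return the tags that fall short of the report's hardened record.
    A missing sp inherits p and a missing pct means 100 (DMARC defaults);
    missing adkim/aspf mean relaxed alignment and are reported as gaps."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC1 record"]
    gaps: List[str] = []
    for tag, want in DMARC_TARGET.items():
        have = tags.get(tag)
        if have is None and tag == "sp":
            have = tags.get("p")
        if have is None and tag == "pct":
            have = "100"
        if (have or "").lower() != want:
            gaps.append(f"{tag}={have!r} (want {want})")
    return gaps


def should_quarantine(headers: Dict[str, str], connecting_ip: str,
                      approved_ranges: Iterable[str]) -> bool:
    """Decision logic of the mail flow rule in the report: quarantine any
    inbound message that neither arrives from an approved gateway IP range
    nor carries X-MS-Exchange-Organization-AuthAs: Internal."""
    ip = ipaddress.ip_address(connecting_ip)
    from_gateway = any(ip in ipaddress.ip_network(r, strict=False) for r in approved_ranges)
    auth_as = ""
    for name, value in headers.items():
        if name.lower() == INTERNAL_AUTH_HEADER.lower():
            auth_as = value.strip().lower()
    return not (from_gateway or auth_as == "internal")


if __name__ == "__main__":
    # Constructed sample data (documentation addresses, not real hosts).
    print(classify_mx(["example-com.mail.protection.outlook.com."]))           # eop
    print(classify_mx(["mx1.gateway.example.net", "mx2.gateway.example.net"]))  # external
    print(dmarc_gaps("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"))
    print(should_quarantine({"From": "ceo@example.com"}, "198.51.100.5", ["192.0.2.0/24"]))  # True
```

Feed classify_mx the MX hosts your resolver returns for the domain and dmarc_gaps the _dmarc TXT record; the functions deliberately take plain strings so the check can be run from a saved DNS dump during an assessment.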

 

[Figure 1]

Fig. 1: Visual representation of how the attack works | Source: InfoGuard Labs

 


Vulnerability Roundup

 

Microsoft Patch Tuesday

As with every second Tuesday of the month, Microsoft released its monthly security updates for Patch Tuesday. This month saw a record 206 security vulnerabilities fixed, including 39 rated critical and six 0-days. Notable fixes include the following:

    • CVE-2026-47291 - An integer overflow or wraparound in Windows HTTP.sys that allows an unauthorized attacker to execute code over a network.
    • CVE-2026-44815 - A stack-based buffer overflow in Windows DHCP Client that allows an unauthorized attacker to execute code over a network.
    • CVE-2026-45586 - A local privilege escalation vulnerability in Windows Collaborative Translation Framework (CTFMON).
    • CVE-2026-49160 - "HTTP/2 Bomb" - A denial-of-service flaw in HTTP/2.
    • CVE-2026-45585 - "YellowKey" - Windows BitLocker Security Feature Bypass Vulnerability.
    • CVE-2026-50507 - "bitskrieg" - Windows BitLocker Security Feature Bypass Vulnerability.
    • CVE-2020-17103 - "Mini-Plasma" - A local privilege escalation vulnerability affecting the 'cldflt.sys' Cloud Filter driver.
    • CVE-2026-42897 - Microsoft Exchange Server spoofing vulnerability that allows arbitrary JavaScript to be executed if a user opens a specially crafted email.

Due to the criticality and active exploitation of many of these vulnerabilities, administrators are urged to apply the update as soon as possible.

 

ShinyHunters Exploits Oracle PeopleSoft

Last week, Oracle released a security advisory detailing a critical 0-day vulnerability in the PeopleSoft application that the ShinyHunters threat group has exploited since at least May 27, 2026. Tracked as CVE-2026-35273, the flaw is a critical remote code execution vulnerability in the Environment Management component, affecting PeopleSoft versions 8.61 and 8.62. The Google Threat Intelligence Group published a detailed rundown of the campaign, including remediation and hardening steps as well as network IOCs. As this vulnerability is under active exploitation, administrators are urged to apply the fixes as soon as possible and to review the application for signs of compromise.

PacketWatch query for the network IOCs:

*.host:(azurenetfiles.net) OR *.ip:(142.11.200.186 OR 142.11.200.187 OR 142.11.200.188 OR 142.11.200.189 OR 142.11.200.190)


 

Check Point VPN 0-Day Exploited by Qilin

On June 8, Check Point published an advisory detailing an actively exploited 0-day of their Remote Access VPN and Mobile Access deployments. The vulnerability, tracked as CVE-2026-50751, is a critical authentication bypass flaw in VPN and Mobile Access deployments that are configured to use the deprecated IKEv1 key exchange protocol. The advisory attributes at least one intrusion to the Qilin ransomware group. The following versions and device configurations are affected:

    • Security Gateways:
      • R82.10 Jumbo Hotfix Take 19 or below
      • R82 Jumbo Hotfix Take 103 or below
      • R81.20 Jumbo Hotfix Take 141 or below
      • R81.10 (EOS)
      • R81 (EOS)
      • R80.40 (EOS)
    • Spark Firewalls: R80.20.X (EOS), R81.10.X, R82.00.X
    • Affected only when:
      • VPN Remote Access or Mobile Access is enabled
      • IKEv1 is enabled for remote access
      • Gateways accept legacy Remote Access clients
      • Gateways do not demand a machine certificate for connections

Per the advisory, administrators are urged to install the "Jumbo Hotfix Accumulator". If patching is not possible, there are three potential mitigations: remove support for legacy remote access clients, configure the Global Properties for Remote Access VPN Authentication to IKEv2 only, or make Machine Certificate Authentication mandatory.

Below is a PacketWatch query to check for any traffic associated with the known IOCs from this campaign:

*.ip:(45.77.149.152 OR 209.182.225.136 OR 38.60.157.139 OR 162.33.177.101 OR 45.76.26.42 OR 144.208.127.155 OR 38.54.88.201 OR 38.54.107.167 OR 66.42.99.200 OR 45.63.104.106 OR 45.61.136.173 OR 146.71.81.184 OR 208.123.119.167 OR 64.176.228.109 OR 158.247.195.147 OR 144.208.127.134)
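When IOC lists like the two queries in this report (PeopleSoft and Check Point) are pasted between tools, duplicate and malformed entries creep in, and the same indicators are often needed both as a query and as a set to sweep exported flow logs with. The following is an added example, not PacketWatch tooling: it deduplicates and validates the IP indicators printed in this report, assembles a query in the *.host:(...) / *.ip:(...) form shown above (the syntax is taken from the report's queries and is an assumption about the tool), and matches the same set against a few constructed flow records.

```python
"""Tidy an IOC list and sweep flow records for it.

Added example, not PacketWatch tooling. The IP and host indicators are the
ones printed in this report (Check Point and PeopleSoft sections); the
query shape mirrors the form shown in the report and is an assumption about
that syntax. The flow records are constructed (TEST-NET and RFC 1918 space).
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Check Point campaign IPs exactly as listed in the report, duplicates included.
CHECKPOINT_IPS = [
    "45.77.149.152", "45.77.149.152", "209.182.225.136", "209.182.225.136",
    "38.60.157.139", "38.60.157.139", "162.33.177.101", "162.33.177.101",
    "45.76.26.42", "45.76.26.42", "144.208.127.155", "144.208.127.155",
    "38.54.88.201", "38.54.88.201", "38.54.107.167", "66.42.99.200",
    "45.63.104.106", "45.61.136.173", "146.71.81.184", "208.123.119.167",
    "64.176.228.109", "158.247.195.147", "144.208.127.134",
]

# PeopleSoft campaign indicators from the report.
PEOPLESOFT_HOSTS = ["azurenetfiles.net"]
PEOPLESOFT_IPS = ["142.11.200.186", "142.11.200.187", "142.11.200.188",
                  "142.11.200.189", "142.11.200.190"]


def dedupe_ips(ips: Iterable[str]) -> List[str]:
    """Return unique, syntactically valid IP addresses in first-seen order."""
    seen, out = set(), []
    for raw in ips:
        ip = raw.strip()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # drop malformed entries rather than poisoning the query
        if ip not in seen:
            seen.add(ip)
            out.append(ip)
    return out


def build_query(hosts: Iterable[str] = (), ips: Iterable[str] = ()) -> str:
    """Assemble a query in the report's form, one clause per indicator type."""
    clauses = []
    host_list = [h.strip().lower() for h in hosts if h.strip()]
    ip_list = dedupe_ips(ips)
    if host_list:
        clauses.append("*.host:(" + " OR ".join(host_list) + ")")
    if ip_list:
        clauses.append("*.ip:(" + " OR ".join(ip_list) + ")")
    return " OR ".join(clauses)


# Constructed flow records in a simple key=value style.
SAMPLE_FLOWS = [
    "2026-06-10T08:12:01Z src=10.0.0.5 dst=45.77.149.152 dport=443 proto=tcp",
    "2026-06-10T08:12:07Z src=10.0.0.9 dst=203.0.113.10 dport=443 proto=tcp",
    "2026-06-10T08:13:44Z src=38.54.88.201 dst=10.0.0.20 dport=500 proto=udp",
    "2026-06-10T08:14:02Z src=10.0.0.7 dst=10.0.0.1 dport=53 proto=udp",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_flow(line: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dictionary; the leading timestamp is ignored."""
    return dict(_KV.findall(line))


def match_flows(lines: Iterable[str], ips: Iterable[str]) -> List[Dict[str, str]]:
    """Return parsed records whose src or dst address is in the IOC set."""
    ioc = set(dedupe_ips(ips))
    hits = []
    for line in lines:
        rec = parse_flow(line)
        if rec.get("src") in ioc or rec.get("dst") in ioc:
            rec["line"] = line
            hits.append(rec)
    return hits


if __name__ == "__main__":
    print(build_query(PEOPLESOFT_HOSTS, PEOPLESOFT_IPS))
    print(build_query(ips=CHECKPOINT_IPS))
    for hit in match_flows(SAMPLE_FLOWS, CHECKPOINT_IPS):
        print("HIT:", hit["line"])
```

Deduplicating first keeps the query short and makes the indicator count easy to reconcile against the source advisory (the list above collapses to 16 unique addresses); the flow matcher is a stand-in for whatever log store you export from when the search tool is not available.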

 

Cisco Catalyst SD-WAN Flaw Under Active Exploitation

Cisco recently published an advisory for a high-severity flaw in its Catalyst SD-WAN Manager, stating that the vulnerability is currently under active exploitation. The flaw, tracked as CVE-2026-20245, allows a local authenticated attacker to "execute arbitrary commands as root by supplying a crafted file to the affected system." To exploit this vulnerability, the attacker must have netadmin privileges on the system, which require either valid credentials or the exploitation of an authentication bypass vulnerability such as CVE-2026-20182 or CVE-2026-20127. As this vulnerability is under active exploitation, administrators are urged to apply the security update as soon as possible.



Critical Vulnerability in Splunk

On June 12, Splunk released a security advisory detailing a new critical Unauthenticated Arbitrary File Creation vulnerability in Splunk Enterprise. Tracked as CVE-2026-20253, the flaw affects Splunk Enterprise versions below 10.2.4 and 10.0.7. Per the advisory, "an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials." Administrators are urged to upgrade to versions 10.4.0, 10.2.4, and 10.0.7 or higher.

 

Multiple Critical Vulnerabilities in SAP Products

SAP's June 2026 Security Patch updates fix 15 flaws in total, four of them critical vulnerabilities affecting SAP NetWeaver and SAP Commerce Cloud. The critical vulnerabilities are as follows:

    • CVE-2026-44748 - XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform, potentially allowing authentication bypass in SAML-based environments.
    • CVE-2026-27671 - Memory corruption flaw in SAP NetWeaver/ABAP Platform Application Server ABAP.
    • CVE-2026-22732 - Spring Security-related vulnerability affecting SAP Commerce Cloud and SAP Data Hub.
    • CVE-2026-40128 - Directory traversal vulnerability in SAP NetWeaver Application Server Java's Web Container.

Administrators are urged to apply the security updates as soon as possible.

 

Critical Vulnerability in Veeam Backup & Replication

On June 9, Veeam released a security update for a new critical remote code execution vulnerability in the Veeam Backup & Replication product. The vulnerability, tracked as CVE-2026-44963, allows for remote code execution on the Backup Server by an authenticated domain user. The flaw affects versions 12.3.2.4465 and earlier version 12 builds. It does not affect any 13.x version. Administrators are urged to apply the update as soon as possible.

 

Nightmare-Eclipse Releases More 0-Days

Last week, the security researcher known as Nightmare-Eclipse (aka MSNightmare) released two new zero-days for Microsoft Windows. The first is a privilege escalation flaw in Windows Defender called "RoguePlanet"; successful exploitation gives the attacker SYSTEM-level permissions. This vulnerability is alleged to work on fully patched Windows 10 and 11 machines. The following day, they released a new Windows BitLocker bypass they call "GreatXML". The bypass only works if a Windows Defender Offline Scan was ever run on the host; however, triggering that scan requires administrative credentials, which would allow an attacker to disable BitLocker anyway. It remains to be seen if and when Microsoft will address these vulnerabilities. Third-party EDR tools on the endpoint will help detect and prevent exploitation of these vulnerabilities.

 

CISA KEV Additions

The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last two weeks:

    • CVE-2026-35273 - Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability
    • CVE-2026-10520 - Ivanti Sentry OS Command Injection Vulnerability
    • CVE-2026-20245 - Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability
    • CVE-2026-7473 - Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
    • CVE-2026-11645 - Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
    • CVE-2026-50751 - Check Point Security Gateway Improper Authentication Vulnerability
    • CVE-2026-42271 - BerriAI LiteLLM Command Injection Vulnerability
    • CVE-2026-28318 - SolarWinds Serv-U Uncontrolled Resource Consumption Vulnerability
    • CVE-2026-45247 - Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability
    • CVE-2025-48595 - Android Framework Integer Overflow Vulnerability
    • CVE-2022-0492 - Linux Kernel Improper Authentication Vulnerability
    • CVE-2024-21182 - Oracle WebLogic Server Unspecified Vulnerability

 


 

This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.

Visit our Cyber Threat Profile Blog for detailed intelligence profiles.

 


NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
