Digital Forensics & Incident Response
Weekly Threat Watch
June 15, 2026
Defender and BitLocker Zero-Days, Cisco Critical Bypasses, and Kernel-Level Escalations



This week's intelligence highlights severe vulnerabilities at the core of enterprise environments. Foundational platforms for network management, identity, and data carry critical authentication and input-validation flaws that let remote attackers take control of networks and databases without any credentials. In parallel, zero-day research continues to expose weaknesses in local operating system security, showing that full-disk encryption and antimalware engines themselves can be turned into a path to full system compromise.

SISA Weekly Threat Watch is our weekly feature that brings you a quick snapshot of the major security vulnerabilities that threatened organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.

Enterprise Edge and Orchestration Flaws

Critical unauthenticated flaws in network management, identity authentication, and data platforms are exposing enterprise backbones to immediate takeover.

  • Cisco Catalyst SD-WAN Manager Auth Bypass (CVE-2026-20182) — A critical authentication bypass lets an unauthenticated remote attacker gain full administrative control over the Manager (formerly vManage) REST API. With forged requests the attacker can orchestrate the entire SD-WAN fabric, modify VPNs, and intercept traffic.
  • Active Zero-Day in Cisco Catalyst SD-WAN (CVE-2026-20245) — A high-severity command injection flaw in the Manager CLI lets an authenticated attacker holding the netadmin role execute arbitrary commands as root. Attackers are chaining it with existing authentication bypasses (such as CVE-2026-20182), so an unauthenticated attacker ends up with root on the controller and can push unauthorized routing rules and rogue network peers downstream.
  • Fortinet FortiAuthenticator RCE (CVE-2026-44277) — A critical improper access control flaw (CVSS 9.8) allows unauthenticated remote attackers to execute arbitrary code or commands on the IAM appliance, potentially compromising an organization's MFA and identity databases.
  • ChromaDB Pre-Auth RCE (CVE-2026-45829) — A critical CVSS 10.0 flaw in the Python implementation of the ChromaDB vector database allows unauthenticated attackers to execute arbitrary code. By passing malicious model configurations before authentication checks occur, attackers achieve full host takeover.
  • Microsoft Exchange Server XSS Zero-Day (CVE-2026-42897) — Microsoft warned of an actively exploited cross-site scripting flaw in on-premises Exchange Server. A crafted email lets an attacker execute malicious JavaScript inside the victim's authenticated Outlook Web Access (OWA) session. Microsoft is deploying emergency mitigations through the Exchange Emergency Mitigation Service (EEMS).

OS Level: Kernel Exploits and Security Feature Bypasses

This week's local vulnerabilities let an attacker who already holds a low-privilege foothold escalate to root/SYSTEM privileges or bypass disk encryption entirely.

  • "RoguePlanet" Defender Zero-Day — A critical zero-day exploit targets the Microsoft Defender Antimalware Engine (MsMpEng.exe). By manipulating directory paths (symlink/junction abuse), a local low-privilege attacker redirects the file operations of the SYSTEM-level antimalware service so that it grants the attacker write access to system binaries or loads an attacker-controlled DLL, resulting in NT AUTHORITY\SYSTEM access.
  • "GreatXML" BitLocker Zero-Day — This zero-day bypasses BitLocker on "TPM-only" deployments, where no PIN or startup key is required at boot. With physical access to the disk, the attacker plants a malicious unattend.xml on the (unencrypted) recovery partition and reboots into the Windows Recovery Environment (WinRE). Because the TPM unseals the Volume Master Key automatically whenever the measured boot path, which includes WinRE, matches the sealed PCR values, the OS volume is unlocked without any user secret; the XML file then interrupts the recovery process and drops the attacker into a SYSTEM-level command shell with the volume unlocked.
  • MiniPlasma Windows Kernel Zero-Day (CVE-2026-40899) — A critical Use-After-Free (UAF) race condition in the Windows Cloud Files Mini Filter Driver (cldflt.sys) remains unpatched. Exploitable on fully updated Windows 11 systems, it allows local attackers to overwrite process tokens and achieve SYSTEM privileges.
  • DirtyDecrypt Linux Kernel LPE (CVE-2026-31635) — A missing Copy-on-Write (COW) guard in the Linux kernel’s rxgk module allows local, unprivileged users to overwrite the page cache during decryption operations, granting full root access. Functional proof-of-concept exploits are already public.
  • Fragnesia Linux Kernel LPE (CVE-2026-46300) — A critical local privilege escalation flaw in the Linux networking stack (ESP-in-TCP) allows an unprivileged user to achieve root access by triggering a heap buffer overflow via malformed packet fragments.

Advanced Phishing and Supply Chain Attacks

Adversaries are exploiting trusted notification systems and open-source infrastructure to bypass email gateways and developer controls.

  • Microsoft Internal Account Infrastructure Phishing — Scammers are abusing unvalidated input fields in the Microsoft tenant enrollment flow to trigger fully authenticated, automated emails sent directly from msonlineservicesteam@microsoftonline.com. Because the messages genuinely originate from core Microsoft infrastructure, they pass SPF, DKIM, and DMARC checks and sail through Secure Email Gateways (SEGs); sender authentication cannot flag them, so detection has to rely on message content and user reporting.

Proactive steps for the week

  • Secure BitLocker Configurations: Move enterprise Windows endpoints from "TPM-only" to TPM + PIN (or TPM + startup key) pre-boot authentication so that the Volume Master Key is not unsealed without the user present. This mitigates the "GreatXML" and "YellowKey/GreenPlasma" physical bypass attacks.
  • Harden Local Windows Defenses: To limit the impact of the "RoguePlanet" and "MiniPlasma" zero-days, strictly enforce the principle of least privilege. Use AppLocker/WDAC to block unapproved scripts and executables, keep Driver Signature Enforcement enabled, and monitor C:\ProgramData\Microsoft\Windows Defender\ for anomalous junction or symlink creation.
  • Patch Core Network Assets: Prioritize updates for FortiAuthenticator (8.0.3 / 6.6.9 or later) and Cisco Catalyst SD-WAN Manager (20.12.3 or later for the authentication bypass). For the actively exploited Cisco SD-WAN zero-day (CVE-2026-20245), capture forensic diagnostics (for example an admin-tech bundle and the controller logs) before any upgrade, and isolate the management plane by restricting the Manager's administrative interfaces to trusted networks until the hotfix is available.
  • Isolate AI Infrastructure: Ensure ChromaDB instances are not internet-facing (bind them to localhost or a private interface) and terminate authentication at a reverse proxy in front of them. Move to the native Rust server architecture if possible, since the pre-auth RCE lies in the Python implementation.
  • Address Kernel Flaws: Deploy Linux distribution kernel patches for DirtyDecrypt and Fragnesia immediately. If patching Fragnesia is delayed, disable unprivileged user namespaces: sysctl -w kernel.unprivileged_userns_clone=0 on Debian and Ubuntu kernels, which carry that distribution-specific sysctl, or sysctl -w user.max_user_namespaces=0 on kernels without it. Persist the setting under /etc/sysctl.d/ so it survives a reboot, and expect workloads that depend on unprivileged namespaces (rootless containers, some browser sandboxes) to break.
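The following PowerShell script is an added example for the BitLocker step above; it is not code from the original advisory or from Microsoft. It finds OS volumes protected only by a plain TPM protector and migrates one of them to TPM + PIN, escrowing a recovery password first so a failed migration never strands the machine at the recovery screen. It assumes Windows 10/11 with the built-in BitLocker module, an AD DS escrow target (swap in BackupToAAD-BitLockerKeyProtector for Entra-joined devices), and that the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE are acceptable as a stand-in for the "Require additional authentication at startup" policy; in a managed estate, set that policy through GPO or Intune instead.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory or Microsoft): audit TPM-only BitLocker
# volumes and migrate to TPM + PIN. Assumes Windows 10/11 with the BitLocker module.

$TpmBasedTypes = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

function Get-TpmOnlyVolumes {
    # OS volumes whose only TPM-based protector is plain "Tpm": the TPM unseals the
    # VMK with no user interaction, which is exactly what a WinRE-based bypass relies on.
    Get-BitLockerVolume | Where-Object {
        $types = @($_.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
        $_.VolumeType -eq 'OperatingSystem' -and
        $_.ProtectionStatus -eq 'On' -and
        ($types -contains 'Tpm') -and
        -not ($types | Where-Object { $_ -in @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey') })
    }
}

function Set-TpmPinPolicy {
    # Mirrors the "Require additional authentication at startup" policy:
    # 0 = do not allow, 1 = require, 2 = allow. Assumption: local policy is authoritative here.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 0 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPM             -Value 0 -Type DWord   # TPM-only not allowed
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord   # TPM + PIN required
    Set-ItemProperty -Path $fve -Name UseTPMKey          -Value 2 -Type DWord   # TPM + startup key allowed
    Set-ItemProperty -Path $fve -Name UseTPMKeyPIN       -Value 2 -Type DWord
}

function Convert-ToTpmAndPin {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Pin
    )
    if ($Pin.Length -lt 6) { throw 'PIN must be at least 6 characters (default MinimumPIN policy).' }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # 1. Ensure a recovery password exists and is escrowed before touching protectors.
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    foreach ($rp in $recovery) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        } catch {
            throw "Recovery password escrow failed for $MountPoint; aborting before changing protectors. $_"
        }
    }

    # 2. Add the TPM + PIN protector; Windows replaces the existing plain TPM protector with it.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    # 3. Defensive cleanup: remove any plain TPM protector that survived step 2.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }

    # Return the final protector set so the caller can verify TpmPin is present and Tpm is gone.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}

# Audit only (safe to run anywhere):
Get-TpmOnlyVolumes |
    Select-Object MountPoint, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType | ForEach-Object { "$_" }) -join ',' } }

# Migration (uncomment to run; the PIN is required from the next boot onward):
# Set-TpmPinPolicy
# Convert-ToTpmAndPin -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'New startup PIN')
```

Run the audit part across the fleet first; the migration function is deliberately per-volume and interactive because the PIN must be communicated to the user, and the escrow check throws rather than continuing if the recovery password cannot be backed up.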

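The following PowerShell script is an added example for the "monitor the Defender data directory for anomalous junction creations" step; it is not code from the original advisory or from Microsoft. It enumerates reparse points (junctions, symbolic links, mount points) under the Defender ProgramData tree and flags those whose target lies outside that tree or whose owner is not a privileged account, then diffs the result against a saved baseline so that newly created links stand out. The root path, the trusted-owner list, and the baseline file location are assumptions for this example; PowerShell 5.1 or 7 on Windows 10/11 is assumed.

```powershell
# Added example (not from the advisory or Microsoft): find suspicious reparse
# points under the Defender data directory and diff them against a baseline.

function Find-SuspiciousReparsePoints {
    param(
        [string]$Root = 'C:\ProgramData\Microsoft\Windows Defender',          # assumption: path from the advisory
        [string[]]$TrustedOwners = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    )
    if (-not (Test-Path -LiteralPath $Root)) { return @() }
    $normRoot = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')

    # -Attributes ReparsePoint matches junctions, symlinks and mount points; -Recurse does
    # not follow them, so a link pointing back into the tree cannot loop the scan.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        # Target is a string on PS 7 and an array on 5.1; some builds prefix it with \\?\
        $targets = @($item.Target) | Where-Object { $_ } | ForEach-Object { $_ -replace '^\\\\\?\\', '' }
        $outside = @($targets | Where-Object {
            -not $_.StartsWith($normRoot, [System.StringComparison]::OrdinalIgnoreCase)
        })
        $owner = try { (Get-Acl -LiteralPath $item.FullName).Owner } catch { 'UNKNOWN' }
        [pscustomobject]@{
            Path       = $item.FullName
            LinkType   = $item.LinkType
            Target     = ($targets -join ';')
            Owner      = $owner
            CreatedUtc = $item.CreationTimeUtc
            # A link escaping the Defender tree, or one created by an ordinary user,
            # is the footprint a symlink/junction privilege-escalation leaves behind.
            Suspicious = ($outside.Count -gt 0) -or ($TrustedOwners -notcontains $owner)
        }
    }
}

function Compare-ReparseBaseline {
    # First run records the current set; later runs report anything suspicious or new.
    param([string]$BaselinePath = "$env:ProgramData\DefenderReparseBaseline.json")  # assumption
    $now = @(Find-SuspiciousReparsePoints)
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        ConvertTo-Json -InputObject $now -Depth 3 | Set-Content -LiteralPath $BaselinePath
        return @($now | Where-Object Suspicious)
    }
    $raw   = Get-Content -LiteralPath $BaselinePath -Raw
    $known = @(foreach ($entry in @(ConvertFrom-Json -InputObject $raw)) { $entry.Path })
    @($now | Where-Object { $_.Suspicious -or ($known -notcontains $_.Path) })
}

# Report: every row here deserves a look; an empty result means nothing new or escaping the tree.
Compare-ReparseBaseline | Format-Table Path, LinkType, Target, Owner, CreatedUtc, Suspicious -AutoSize
```

Schedule the script as SYSTEM so it can read ACLs on every entry, and forward the returned rows to your SIEM; refresh the baseline only after a reviewer has confirmed that the links it contains belong to a Defender platform update and not to an attacker's staging.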