Cyber Threat Brief — June 29 2026
1. Exchange Server SSRF → EoP/File Read — CVE-2026-45504 / CVE-2026-45502
TL;DR: Public PoCs now available for two Exchange Server SSRF bugs patched June 9. CVE-2026-45504 chains WOPI URL scheme manipulation for arbitrary file read as SYSTEM; CVE-2026-45502 forces outbound HTTP from Exchange to attacker-controlled hosts. Verify June SU applied immediately.
What’s New:
- CVE-2026-45504 (CVSS 8.0): authenticated EoP via WOPI WebApplicationUrl scheme injection. Exchange builds WAC preview URLs without validating the scheme, enabling arbitrary local file reads.
- CVE-2026-45502 (CVSS 6.5): authenticated SSRF via the EWS InstallApp SOAP ManifestUrl, which forces Exchange to make an outbound HTTP GET to an attacker listener.
- Aretiq AI published poc_CVE-2026-45502.py on June 22; a CVE-2026-45504 PoC has been circulating since June 27.
- Both require authenticated mailbox access; WebDialer is not required.
- Patched in the June 9 2026 SU (KB5094139 for SE, KB5094142 for 2019 CU14, KB5094140 for 2019 CU15).
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| ManifestUrl in EWS InstallApp SOAP pointing to external host | SSRF trigger | T1190 | IIS W3SVC logs (EWS vdir) | Alert on InstallApp requests with external ManifestUrl |
| Outbound HTTP GET from Exchange to non-Microsoft hosts on unusual ports | SSRF callback | T1071.001 | Firewall / proxy egress logs | Baseline Exchange outbound; alert on anomalous destinations |
| WOPI token requests with non-HTTP scheme in WAC URL | File read exploit | T1005 | IIS W3SVC logs (OWA vdir) | Hunt for unusual scheme prefixes in WAC-related requests |
| ReferenceAttachment with crafted ProviderEndpointUrl | SSRF primitive | T1190 | Exchange message tracking | Monitor attachment creation with external provider URLs |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for EWS InstallApp SSRF or WOPI scheme abuse |
| Elastic | None | No rule for Exchange WOPI token manipulation |
| Sigma | None | Need rules for anomalous Exchange outbound HTTP and WOPI scheme validation bypass |
Sources: CybersecurityNews PoC, GBHackers PoC, MSRC CVE-2026-45504, MSRC CVE-2026-45502
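The Actionable Intel table above asks defenders to baseline Exchange outbound traffic and alert on anomalous destinations, which is the one signal that catches both SSRF bugs regardless of the inbound request shape. The following is an added example of that baseline check, not code from the brief, MSRC, or any vendor: it runs over a few constructed proxy-egress log lines (host list, baseline suffixes, IPs and the log format are all assumptions) and flags Exchange-originated requests to bare IP literals, non-baseline domains, or unusual ports, then groups hits by destination so repeated callbacks to one host stand out.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed egress log lines (proxy/firewall style): timestamp, source IP,
# method, destination URL, status.  Invented for this example, not real telemetry.
SAMPLE_EGRESS_LOG = """\
2026-06-29T08:01:12Z 10.20.0.15 GET https://outlook.office365.com/autodiscover/autodiscover.svc 200
2026-06-29T08:02:40Z 10.20.0.15 GET https://officecdn.microsoft.com/pr/config.xml 200
2026-06-29T08:03:05Z 10.20.0.15 GET http://203.0.113.77:8443/manifest.xml 200
2026-06-29T08:04:19Z 10.20.0.15 GET https://login.microsoftonline.com/common/oauth2/token 200
2026-06-29T08:05:51Z 10.20.0.15 GET http://203.0.113.77/collect 404
2026-06-29T08:06:02Z 10.20.0.31 GET https://update.example.org/feed 200
"""

# Hosts running Exchange (assumption for the example).
EXCHANGE_HOSTS = {"10.20.0.15"}

# Baseline of destinations Exchange is expected to reach.  In production this is
# derived from historical egress data; here it is a constructed allowlist.
BASELINE_SUFFIXES = (".office365.com", ".microsoft.com", ".microsoftonline.com", ".office.com")
EXPECTED_PORTS = {80, 443}


def parse_line(line):
    """Split one constructed egress log line into a dict of its fields."""
    ts, src, method, url, status = line.split()
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return {"ts": ts, "src": src, "method": method, "host": host, "port": port, "status": int(status)}


def is_ip_literal(host):
    """True when the destination host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(rec):
    """Return the reasons a record deviates from the Exchange baseline, or [] if it fits."""
    reasons = []
    if rec["src"] not in EXCHANGE_HOSTS:
        return reasons  # only Exchange-originated traffic is in scope
    host = rec["host"]
    if is_ip_literal(host):
        reasons.append("destination is a bare IP literal")
    elif not host.endswith(BASELINE_SUFFIXES):
        reasons.append("destination outside Exchange baseline")
    if rec["port"] not in EXPECTED_PORTS:
        reasons.append(f"unusual destination port {rec['port']}")
    return reasons


def find_anomalous_egress(log_text):
    """Return one alert dict per Exchange-originated request that breaks the baseline."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            alerts.append({
                "ts": rec["ts"],
                "src": rec["src"],
                "dest": f"{rec['host']}:{rec['port']}",
                "reasons": reasons,
            })
    return alerts


def callback_clusters(alerts):
    """Count alerts per destination host so repeated callbacks to one host are obvious."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["dest"].rsplit(":", 1)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_anomalous_egress(SAMPLE_EGRESS_LOG)
    for h in hits:
        print(h["ts"], h["src"], "->", h["dest"], "|", "; ".join(h["reasons"]))
    print("per-destination counts:", callback_clusters(hits))
```

On the constructed sample the two requests to 203.0.113.77 are flagged (IP literal, and one on port 8443) while traffic from the non-Exchange host and to Microsoft domains is ignored. Tune the suffix allowlist from real historical egress before relying on it; a too-short baseline produces noise, a too-broad one hides the callback.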
2. Exploitarium Mass PoC Dump — CVE-2026-20896 (Gitea Docker Auth Bypass)
TL;DR: Anonymous researcher “bikini” dropped 130+ PoCs across 22 projects on June 28 without vendor notification. Most are noise, but CVE-2026-20896 is a trivial Gitea auth bypass affecting all Docker Hub official images — single header grants admin. Audit Gitea Docker deployments now.
What’s New:
- bikini/exploitarium GitHub repo hit #5 on Hacker News June 28 (726 points)
- CVE-2026-20896: Gitea official Docker images ship with REVERSE_PROXY_TRUSTED_PROXIES = *, allowing any IP to send X-WEBAUTH-USER: admin for full admin access
- Zero exploit chain needed — single HTTP header grants full admin on any Docker-deployed Gitea without manual config changes
- Fixed in Gitea 1.26.3/1.26.4; reverse-proxy auth now opt-in
- Bulk of other “exploitarium” claims assessed as AI-generated noise by security community, but individual PoCs should be validated
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| X-WEBAUTH-USER header in HTTP requests to Gitea | Auth bypass | T1078.001 | Reverse proxy / WAF logs | Alert on X-WEBAUTH-USER header from non-proxy sources |
| REVERSE_PROXY_TRUSTED_PROXIES = * in Gitea config | Misconfiguration | T1078.001 | Docker config audit | Audit all Gitea Docker deployments for default trust config |
| New admin accounts created without UI interaction | Persistence | T1136.001 | Gitea admin audit log | Monitor for admin account creation outside normal workflow |
| docker.io/gitea/gitea images < 1.26.3 | Vulnerable version | T1195.002 | Container inventory | Inventory and upgrade all Gitea Docker instances |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Gitea-specific detection rules |
| Elastic | None | No Gitea-specific detection rules |
| Sigma | None | Need rule for X-WEBAUTH-USER header injection from untrusted sources |
Sources: byteiota Exploitarium, Gitea 1.26.3/1.26.4 Release, GitHub bikini/exploitarium
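Two of the actions above (audit the Gitea config for the wildcard trusted-proxy setting, and alert on the X-WEBAUTH-USER header arriving from anything other than the real proxy) are straightforward to automate. Here is an added example covering both, written for this brief rather than taken from Gitea or the exploitarium repo. The app.ini key names (ENABLE_REVERSE_PROXY_AUTHENTICATION, REVERSE_PROXY_AUTHENTICATION_USER, REVERSE_PROXY_TRUSTED_PROXIES) are Gitea's documented settings; the config fragments, trusted-proxy CIDR, request records and IPs are constructed for the example.

```python
import configparser
import ipaddress

# Constructed app.ini fragments: the risky default the brief describes, beside a
# hardened one that only trusts the proxy network.  Values are invented.
VULNERABLE_APP_INI = """\
[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = true

[security]
REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
REVERSE_PROXY_TRUSTED_PROXIES = *
"""

HARDENED_APP_INI = """\
[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = true

[security]
REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
REVERSE_PROXY_TRUSTED_PROXIES = 10.0.0.0/8
"""

# Networks the real reverse proxy lives in (assumption for the example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed reverse-proxy / WAF request records: who sent what, with headers.
SAMPLE_REQUEST_LOG = [
    {"ts": "2026-06-28T22:10:01Z", "src_ip": "10.0.0.5", "path": "/",
     "headers": {"X-WEBAUTH-USER": "alice"}},
    {"ts": "2026-06-28T22:11:44Z", "src_ip": "198.51.100.23", "path": "/admin",
     "headers": {"x-webauth-user": "admin"}},
    {"ts": "2026-06-28T22:12:09Z", "src_ip": "198.51.100.24", "path": "/api/v1/user",
     "headers": {"Authorization": "token REDACTED"}},
]


def audit_gitea_config(ini_text):
    """Return (severity, message) findings for reverse-proxy auth settings in app.ini.

    Defaults used for missing keys mirror Gitea's documented defaults
    (auth disabled; loopback-only trusted proxies)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    enabled = cp.get("service", "ENABLE_REVERSE_PROXY_AUTHENTICATION",
                     fallback="false").strip().lower() == "true"
    header = cp.get("security", "REVERSE_PROXY_AUTHENTICATION_USER",
                    fallback="X-WEBAUTH-USER").strip()
    trusted = cp.get("security", "REVERSE_PROXY_TRUSTED_PROXIES",
                     fallback="127.0.0.0/8,::1/128").strip()
    if not enabled:
        return [("info", "reverse-proxy authentication disabled")]
    if trusted == "*":
        return [("critical",
                 f"reverse-proxy auth enabled and REVERSE_PROXY_TRUSTED_PROXIES = * : "
                 f"any client can set {header} and be trusted")]
    return [("info", f"reverse-proxy auth enabled; trusted proxies limited to {trusted}")]


def header_from_untrusted_source(event, trusted=TRUSTED_PROXIES, header_name="X-WEBAUTH-USER"):
    """True when the request carries the proxy-auth header but did not come from a trusted proxy.

    Header names are compared case-insensitively, as HTTP header names are."""
    hdrs = {k.lower(): v for k, v in event["headers"].items()}
    if header_name.lower() not in hdrs:
        return False
    src = ipaddress.ip_address(event["src_ip"])
    return not any(src in net for net in trusted)


def detect_header_injection(events, trusted=TRUSTED_PROXIES, header_name="X-WEBAUTH-USER"):
    """Return one alert per request that presents the auth header from outside the proxy network."""
    alerts = []
    for e in events:
        if header_from_untrusted_source(e, trusted, header_name):
            hdrs = {k.lower(): v for k, v in e["headers"].items()}
            alerts.append({"ts": e["ts"], "src_ip": e["src_ip"], "path": e["path"],
                           "user": hdrs[header_name.lower()]})
    return alerts


if __name__ == "__main__":
    for label, ini in (("vulnerable", VULNERABLE_APP_INI), ("hardened", HARDENED_APP_INI)):
        print(label, audit_gitea_config(ini))
    for a in detect_header_injection(SAMPLE_REQUEST_LOG):
        print("ALERT", a)
```

The header check only works if the proxy strips any client-supplied X-WEBAUTH-USER before adding its own; if the log shows the header on requests from trusted proxy IPs that were not authenticated by the proxy, the proxy configuration itself needs fixing, not just the Gitea trust list.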
Status Updates
- CVE-2026-20262 (Cisco SD-WAN Manager): CISA KEV federal deadline TODAY June 29. Zero-day file write via web UI. 8th SD-WAN CVE of 2026. Original brief.
- CVE-2026-12569 (PTC Windchill/FlexPLM): CISA KEV federal deadline passed June 28. Active webshell deployment ongoing. JSP shells with 16-hex-char filenames under /Windchill/codebase/login/. Original brief.
- CVE-2026-50656 (Windows Defender RoguePlanet): Still UNPATCHED — 7th Defender zero-day in 10 weeks. Cyderes confirms behavioral chain survives recompilation. WDAC/AppLocker remains only mitigation. Original brief.
- CVE-2026-20253 (Splunk Enterprise PostgreSQL Sidecar): Active ITW exploitation ongoing per Splunk PSIRT. Federal deadline passed June 21. No ESCU rule yet — monitor sidecar endpoints. Original brief.