Securityweek:

BLUF: A zero-day authentication bypass vulnerability in Check Point VPN products is being actively exploited by the Qilin ransomware group, allowing attackers to establish VPN connections without valid credentials. All organizations running affected Check Point VPN infrastructure should treat this as an emergency and apply available mitigations immediately. DETAILS Vulnerability type: Authentication bypass in Check Point VPN; confirmed to allow unauthenticated actors to establish VPN sessions without a valid password Threat actor: Qilin ransomware group — a known ransomware-as-a-service (RaaS) operation with a history of double-extortion tactics (data theft + encryption) Exploitation status: Actively exploited in the wild; this is not a theoretical or proof-of-concept threat Patch/fix status: Not fully confirmed in available reporting — organizations should consult Check Point’s official security advisories immediately for current remediation guidance Attribution confidence: Attributed to Qilin per SecurityWeek reporting; independent verification of full attack chain details is pending IMPACT Who is affected: Any organization using Check Point VPN products for remote access or network perimeter security Scope: Successful exploitation grants attackers authenticated VPN access to internal networks — effectively bypassing the perimeter entirely Downstream risk: Once inside, Qilin actors are known to conduct lateral movement, data exfiltration, and ransomware deployment; dwell time before encryption can be significant Sector targeting: No specific sector targeting confirmed at this time — assume broad opportunistic exploitation is underway RECOMMENDED ACTIONS Audit immediately — Review VPN authentication logs for anomalous or unexpected connection attempts, particularly from unfamiliar IPs or geolocations Apply patches/mitigations — Check Point’s official advisory should be treated as the authoritative source; apply any available hotfix or workaround without delay Consider temporary access restrictions — If patching is not immediately possible, evaluate restricting VPN access to known IP ranges or implementing additional authentication layers Hunt for indicators — Engage threat hunting for Qilin TTPs including lateral movement, credential harvesting, and staging activity consistent with pre-ransomware behavior Isolate suspicious sessions — Terminate and investigate any active VPN sessions that cannot be positively attributed to known users ⚠️ UNCERTAINTY FLAGS Full list of affected Check Point product versions not confirmed in available reporting Patch availability and CVE identifier not confirmed — verify directly with Check Point Scope of confirmed victim organizations unknown at this time SOURCES SecurityWeek: Check Point VPN Zero-Day Exploited in Qilin Ransomware Attacks Additional context: Check Point official security portal (check.point.com/support) — consult directly for authoritative technical guidance

Google has patched a fifth actively exploited Chrome zero-day vulnerability in 2026 — CVE-2026-11645. All Chrome users and enterprise administrators should update to the latest stable release immediately. DETAILS CVE-2026-11645 is a zero-day vulnerability in Google Chrome confirmed to have been exploited in the wild prior to patching. Google released a fix following a report submitted in late April 2026 by an anonymous researcher; attribution of active exploitation to a specific threat actor is not yet confirmed in available reporting. This marks the fifth Chrome zero-day exploited in 2026, indicating a sustained and elevated targeting tempo against the Chrome browser this year. Technical details of the vulnerability type (e.g., memory corruption, use-after-free, type confusion) have not been confirmed in available source material at this time — Google typically withholds specifics until a majority of users have patched. The vulnerability was reported to Google in late April 2026; the patch timeline between report and public release is not specified in current reporting. IMPACT Scope: All users and organizations running unpatched versions of Google Chrome across desktop platforms (Windows, macOS, Linux). Mobile impact is unconfirmed at this time. Context: The 2026 Verizon DBIR and concurrent BleepingComputer analysis confirm browser-based attacks are a dominant intrusion vector this year, elevating the risk profile of this vulnerability. Enterprise environments with managed Chrome deployments or Chromium-based browsers (Edge, Brave, Opera) should assess exposure — patch applicability to Chromium derivatives is not yet confirmed in available reporting. Given active exploitation prior to patch release, some organizations may already be compromised. RECOMMENDED ACTIONS Update Chrome immediately — navigate to chrome://settings/help or deploy via enterprise management tooling. Verify version reflects the patched release once Google publishes the specific version number. Prioritize patch deployment in environments where Chrome is used for sensitive workflows, financial systems, or privileged access. Review browser-based endpoint telemetry for anomalous activity, particularly given confirmed pre-patch exploitation window. Monitor Chromium-based browser vendor advisories (Microsoft Edge, Brave, etc.) for downstream patch releases. Do not wait for scheduled patch cycles — active exploitation is confirmed. SOURCES SecurityWeek: Google Patches 5th Chrome Zero-Day Exploited in 2026 (primary) BleepingComputer: What 2026 DBIR Confirms: Attacks Are Living in the Browser (contextual) Qualys / Verizon DBIR 2026 (contextual threat landscape) ⚠ NOTE: Vulnerability type, affected Chrome version range, and threat actor attribution remain unconfirmed pending full Google advisory publication. This alert will require update as additional technical details are released.

BLUF: Cisco has disclosed a seventh actively exploited zero-day vulnerability in its SD-WAN software in 2026. CVE-2026-20245 enables arbitrary command execution as root on affected devices. No patch is currently available. Organizations running Cisco SD-WAN should treat this as an active threat and implement mitigations immediately. DETAILS CVE-2026-20245 has been publicly disclosed by Cisco and is confirmed under active exploitation in the wild as of this reporting. The vulnerability permits arbitrary command execution at root-level privilege, representing full system compromise of affected SD-WAN nodes. This is the seventh Cisco SD-WAN zero-day confirmed exploited in 2026, indicating a sustained and targeted focus on this product line by threat actors — the pattern and actor attribution are not confirmed in available reporting. No patch has been released by Cisco at time of publication. Cisco has issued an advisory; specific affected software versions and workaround guidance should be confirmed directly via Cisco’s Security Advisory portal. Scope of exploitation — including whether attacks are targeted or opportunistic — is not confirmed in current reporting. IMPACT Directly affected: Organizations deploying Cisco SD-WAN solutions, including enterprise, government, and critical infrastructure environments. Severity: Critical. Root-level command execution on network infrastructure devices can enable lateral movement, traffic interception, persistent access, and full network compromise. Broader context: The 2026 Verizon DBIR and ongoing Patch Tuesday cycles reflect an elevated vulnerability exploitation tempo this year; Cisco SD-WAN has been a recurring target throughout 2026. RECOMMENDED ACTIONS Check Cisco’s official Security Advisory for CVE-2026-20245 immediately — confirm whether your specific SD-WAN software version and deployment model are affected. Apply any available workarounds or mitigations published by Cisco in lieu of a patch. Do not wait for a patch before acting. Restrict management-plane access to SD-WAN controllers and edge devices — limit to trusted IPs, enforce MFA, disable unnecessary remote access interfaces. Increase monitoring on SD-WAN infrastructure for anomalous command execution, unexpected process spawning, or unusual outbound connections. Prioritize patching the moment Cisco releases a fix — given the active exploitation status, patch deployment windows should be treated as emergency, not routine. SOURCES SecurityWeek — Cisco Warns of 7th SD-WAN Zero-Day Exploited in 2026 (primary source) Cisco Security Advisory portal — verify CVE-2026-20245 details directly at cisco.com/security ⚠️ UNCERTAINTY FLAG: Specific affected product versions, exploitation scale, and threat actor attribution are not confirmed in available reporting. Consult Cisco’s official advisory for authoritative scope and mitigation details before taking action. ...