Executive Summary

The 1–2 June window is dominated by three continuing high-severity developments. The Belgium Centre for Cybersecurity confirmed active exploitation of CVE-2026-41089 (Windows Netlogon RCE, CVSS 9.8) on 1 June, elevating this vulnerability from theoretical to confirmed-exploited-in-the-wild. PAN-OS GlobalProtect CVE-2026-0257 exploitation continues despite the CISA deadline passing yesterday — Rapid7 MDR reports 8 of 10 monitored environments accepted forged authentication cookies. The TrapDoor AI framework supply chain campaign continues with no confirmed actor takedown. No new first-seen IOCs in this window; the threat landscape is one of persistent, ongoing exploitation across known vulnerabilities.

Top priorities for today:

  • CVE-2026-41089 (Windows Netlogon RCE) — Belgium CCB confirmed exploitation in the wild on 1 June. This is a pre-authentication stack overflow in the Netlogon BuildSamLogonResponse function allowing unauthenticated domain controller RCE → SYSTEM. If your Windows Server environment has not applied the May 2026 cumulative update, do so immediately. Half-patched forests (domain controllers running mixed patch levels) are not a defensible posture.
  • CVE-2026-0257 (PAN-OS GlobalProtect) — CISA deadline passed yesterday. Exploitation is ongoing. Any GlobalProtect deployment not yet patched must be treated as actively targeted. Apply the PAN-OS patch and retroactively audit logs for forged MAC/machine name indicators from 17 May onwards.
  • TrapDoor supply chain — Still active. AI/ML development environments should complete dependency audits and API key rotation as a matter of urgency.

Threat Landscape Overview

# | Threat Cluster | Severity | Status | Timestamp
--|----------------|----------|--------|----------
1 | CVE-2026-41089 — Windows Netlogon RCE (CVSS 9.8) — exploitation confirmed | CRITICAL | [UPDATED] Belgium CCB confirmed 2026-06-01 | 2026-06-01
2 | CVE-2026-0257 — PAN-OS GlobalProtect — CISA deadline passed, ongoing | CRITICAL | [UPDATED] Post-deadline, ongoing | 2026-06-02
3 | TrapDoor supply chain — AI framework targeting still active | HIGH | [UPDATED] Active, no takedown | 2026-06-02

Updated Intelligence

1. CVE-2026-41089 — Windows Netlogon RCE — Exploitation Confirmed in the Wild CRITICAL [UPDATED]

CVE: CVE-2026-41089 • CVSS: 9.8 • Belgium CCB confirmed exploitation: 2026-06-01 • Source: Belgium Centre for Cybersecurity (CCB), Acros Security, BleepingComputer

The Belgium Centre for Cybersecurity published a security advisory on 1 June confirming active exploitation of CVE-2026-41089 in the wild in Belgium and the broader EU. This elevates the vulnerability from “patch as soon as practicable” to “emergency remediation required.”

Technical background: CVE-2026-41089 is a stack-based buffer overflow in the Windows Netlogon Remote Protocol (netlogon.dll) service, specifically in the BuildSamLogonResponse function that handles authentication requests from domain-joined workstations. An unauthenticated attacker on a network with access to a domain controller’s Netlogon port (TCP 445 or UDP 138) can send a crafted authentication request that overflows the stack buffer, ultimately leading to arbitrary code execution in the context of the Netlogon service, which runs as SYSTEM. No credentials or prior access to the domain are required.

The vulnerability affects all currently-supported Windows Server versions when operating as a domain controller. The May 2026 cumulative update addresses the vulnerability. Microsoft patched it on Patch Tuesday (13 May 2026) but it was not added to CISA KEV until exploitation was confirmed; Belgium CCB’s advisory triggered the KEV addition.

Acros Security micropatches: Acros Security (0patch) published micropatches on 2 June for legacy Windows Server versions no longer receiving standard updates: Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. Organisations running these EOL versions should apply the 0patch micropatches as an interim measure while planning migration. Standard-support versions (2016, 2019, 2022, 2025) are addressed by the May 2026 cumulative update.

Critical advisory on mixed-patch environments: Active Directory forests where some domain controllers are patched and others are not create a dangerous exposure window. An attacker targeting a single unpatched domain controller in a forest can compromise it and use the resulting SYSTEM-level access to enumerate and attack the broader domain, including extracting the KRBTGT hash to forge Kerberos tickets valid across the entire forest. Half-patched forests are not a defensible state.

IOCs: Anomalous Netlogon authentication requests to domain controllers from non-domain-joined sources • Unusual spikes in Netlogon event log entries (Event ID 5723, 5805) • LSASS memory access following Netlogon authentication anomalies

TTPs: T1210 Exploitation of Remote Services • T1558.001 Kerberos: Golden Ticket (post-exploitation) • T1003.001 OS Credential Dumping: LSASS Memory


2. PAN-OS GlobalProtect CVE-2026-0257 — CISA Deadline Passed, Exploitation Continues CRITICAL [UPDATED]

CISA deadline passed: 2026-06-01 • Updated: 2026-06-02 • Source: Rapid7 MDR

Despite the CISA federal remediation deadline passing on 1 June, exploitation of PAN-OS GlobalProtect CVE-2026-0257 continues. Rapid7 MDR’s updated telemetry as of 2 June shows that 8 of 10 monitored environments with GlobalProtect deployments have accepted at least one forged authentication cookie since Wave 1 exploitation began on approximately 17 May.

The exploitation pattern remains consistent: attackers use the forged MAC address aa:bb:cc:dd:ee:ff and machine names GP-CLIENT or DESKTOP-GP01 to bypass MFA and obtain a valid GlobalProtect session. Post-exploitation activity in confirmed compromises has included credential harvesting from VPN session tokens, lateral movement to internal network segments, and reconnaissance of Active Directory environments. In two confirmed cases, attackers remained dwell-silent for 5–7 days before active lateral movement was detected.

Organisations that have already patched should still retroactively audit GlobalProtect authentication logs from 17 May onwards for the forged identifiers. A patched deployment does not retroactively secure sessions that may have been established before patching.

Immediate action: Apply PAN-OS patch. Audit GlobalProtect logs from 17 May for MAC aa:bb:cc:dd:ee:ff and machine names GP-CLIENT/DESKTOP-GP01. Revoke all sessions established from matching identifiers. Review internal network traffic logs for lateral movement originating from VPN-assigned IP ranges.


3. TrapDoor Supply Chain — AI Framework Targeting Continues HIGH [UPDATED]

Updated: 2026-06-02 • Actor: GitHub account ddjidd564

The TrapDoor supply chain campaign continues as of 2 June with no confirmed law enforcement action or actor takedown. The ddjidd564 GitHub account continues to submit pull requests against LangChain, LlamaIndex, LangFlow, MetaGPT, and OpenHands repositories. GitHub Security has blocked several recent PR submissions, but the actor is creating new issue threads and comment threads to maintain visibility on target repositories.

SlowMist’s updated estimate places downstream affected projects at approximately 14,000, up from 12,000 in the 31 May estimate. The incremental increase reflects newly identified transitive dependencies rather than new direct compromises. Affected projects that have already cleaned their dependencies should still audit for secondary transitive infections where the malicious package was included as a subdependency of a cleaned direct dependency.

Action required: Complete API key rotation for all LLM providers (OpenAI, Anthropic, Cohere, HuggingFace) in any Python environment using the affected frameworks. Audit pip freeze output and poetry.lock/requirements.txt lockfiles for unexpected version changes. Block the ddjidd564 GitHub account from contributing to your repositories.
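One way to run the lockfile audit described above, as an added example (not code from this briefing or from any vendor): it diffs a known-good `pip freeze` snapshot against the current one and marks each change as a direct or transitive dependency. The function names are hypothetical, and the `example-*` packages, all version numbers and the URL are constructed sample data, not TrapDoor indicators.

```python
import re

NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*(\S+)")

def normalize(name):
    # PEP 503: "Llama_Index" and "llama-index" name the same project.
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_freeze(text):
    """Parse `pip freeze` / pinned requirements lines into {name: pin}."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-e "):            # editable VCS install
            egg = re.search(r"[#&]egg=([A-Za-z0-9._-]+)", line)
            pins[normalize(egg.group(1) if egg else line)] = "url:" + line[3:].strip()
        elif line.startswith("-"):            # e.g. an added --extra-index-url
            pins[line] = "option"
        elif " @ " in line:                   # direct reference: name @ url
            name, url = line.split(" @ ", 1)
            pins[normalize(name.strip())] = "url:" + url.strip()
        else:
            pin = PIN.match(line)
            key = pin.group(1) if pin else line
            pins[normalize(key)] = pin.group(2) if pin else "unpinned"
    return pins

def direct_names(requirements_text):
    """Names the project asks for itself; everything else is transitive."""
    names = set()
    for raw in requirements_text.splitlines():
        m = NAME.match(raw.strip())
        if m:
            names.add(normalize(m.group(1)))
    return names

def audit(baseline_text, current_text, requirements_text):
    """Return every package whose pin differs between the two snapshots."""
    base, cur = parse_freeze(baseline_text), parse_freeze(current_text)
    direct = direct_names(requirements_text)
    findings = []
    for name in sorted(set(base) | set(cur)):
        old, new = base.get(name), cur.get(name)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "changed"
        findings.append({
            "package": name, "kind": kind, "old": old, "new": new,
            "scope": "direct" if name in direct else "transitive",
            # True when the package no longer comes from the package index
            "non_index_source": bool(new and new.startswith("url:")),
        })
    return findings

# Constructed sample snapshots (names, versions and URL are illustrative only).
REQUIREMENTS = "langchain>=0.0.1\nllama-index\n"
BASELINE = "langchain==0.0.1\nllama-index==0.0.1\nrequests==2.0.0\nexample-helper==1.0.0\n"
CURRENT = ("langchain==0.0.2\nLlama_Index==0.0.1\nrequests==2.0.1\n"
           "example-helper @ git+https://git.example.invalid/fork/example-helper@0000000\n"
           "example-newdep==0.3.0\n")

if __name__ == "__main__":
    for f in audit(BASELINE, CURRENT, REQUIREMENTS):
        flag = "  <-- not from the package index" if f["non_index_source"] else ""
        print(f'{f["scope"]:10} {f["kind"]:8} {f["package"]}: {f["old"]} -> {f["new"]}{flag}')
```

Transitive entries marked `added`, or any entry whose source moved off the package index, are the ones to review first, since they never appear in the project's own requirements file.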


KQL Hunting Queries

HUNT-01: Netlogon CVE-2026-41089 — Anomalous Authentication Requests to Domain Controllers

Covers CVE-2026-41089 exploitation — anomalous Netlogon authentication attempts from non-standard sources. MITRE: T1210.

// HUNT-01: CVE-2026-41089 — anomalous Netlogon authentication to domain controllers
// Covers: Windows Netlogon RCE pre-auth exploitation
// MITRE: T1210
DeviceLogonEvents
| where Timestamp > ago(24h)
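| where LogonType == "Network"   // LogonType is a string column in DeviceLogonEvents (type 3 = "Network")
| where ActionType == "LogonFailed"
// DeviceLogonEvents records the logon target in DeviceName; adjust the name patterns to your DC naming convention
| where DeviceName has_any ("DC", "DOMCON", "-DC-", "-AD-")
| extend TargetDeviceName = DeviceName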
| summarize FailureCount = count(), DistinctAccounts = dcount(AccountName), FirstAttempt = min(Timestamp), LastAttempt = max(Timestamp)
    by RemoteDeviceName, RemoteIP, TargetDeviceName, bin(Timestamp, 5m)
| where FailureCount > 20 or DistinctAccounts > 5
| extend AlertNote = "High-volume Netlogon failures — possible CVE-2026-41089 exploitation attempt"
| project FirstAttempt, LastAttempt, TargetDeviceName, RemoteIP, FailureCount, DistinctAccounts, AlertNote
| order by FirstAttempt desc

HUNT-02: Netlogon Post-Exploitation — LSASS Memory Access After Netlogon Anomaly

Covers LSASS credential dumping following successful CVE-2026-41089 exploitation on a domain controller. MITRE: T1003.001.

// HUNT-02: CVE-2026-41089 post-exploitation — LSASS dump on domain controller
// Covers: Credential harvesting following Netlogon RCE
// MITRE: T1003.001
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "LsassProcessAccess"
| where DeviceName has_any ("DC", "DOMCON", "-DC-", "-AD-")   // DeviceEvents has no TargetDeviceName column
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "SentinelAgent.exe", "csagent.exe", "lsm.exe", "svchost.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields
| order by Timestamp desc

HUNT-03: GlobalProtect CVE-2026-0257 — Lateral Movement from VPN IP Range

Covers post-exploitation lateral movement from sessions established via the forged GlobalProtect authentication. MITRE: T1021.

// HUNT-03: CVE-2026-0257 post-exploitation — lateral movement from VPN IP range
// Covers: Attacker pivoting from forged GlobalProtect session
// MITRE: T1021
DeviceLogonEvents
| where Timestamp > ago(168h)
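| where LogonType in ("Network", "RemoteInteractive")   // string values for logon types 3 and 10
// Replace these prefixes with the address pool your GlobalProtect gateway assigns
| where RemoteIP startswith "10.8." or RemoteIP startswith "172.16." or RemoteIP startswith "192.168.100."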
| join kind=inner (
    CommonSecurityLog
    | where TimeGenerated > ago(168h)
    | where DeviceVendor == "Palo Alto Networks"
    | where Message has_any ("GP-CLIENT", "DESKTOP-GP01", "aa:bb:cc:dd:ee:ff")
    | project ForgedAuthTime = TimeGenerated, ForgedIP = SourceIP
) on $left.RemoteIP == $right.ForgedIP
| where Timestamp > ForgedAuthTime
| project Timestamp, DeviceName, AccountName, RemoteIP, LogonType, ForgedAuthTime
| order by Timestamp desc

HUNT-04: Netlogon Stack Overflow — Windows Event Log Anomalies on DCs

Covers Windows Security Event Log indicators of CVE-2026-41089 exploitation attempts. MITRE: T1210.

// HUNT-04: CVE-2026-41089 — Netlogon event log anomalies on domain controllers
// Covers: Windows Netlogon service event IDs indicating exploitation
// MITRE: T1210
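// Event IDs 5723 and 5805 are written by the NETLOGON source to the System log (Event table);
// 4625 is a Security log event (SecurityEvent table)
union
    (Event
    | where EventLog == "System" and Source =~ "NETLOGON" and EventID in (5723, 5805)
    | project TimeGenerated, Computer, EventID, IpAddress = ""),
    (SecurityEvent
    | where EventID == 4625
    | project TimeGenerated, Computer, EventID, IpAddress)
| where TimeGenerated > ago(24h)
| where Computer has_any ("DC", "DOMCON", "-DC-")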
| summarize EventCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Computer, IpAddress, EventID, bin(TimeGenerated, 5m)
| where EventCount > 10
| extend AlertNote = strcat("Event ID ", tostring(EventID), " spike on DC — possible Netlogon CVE-2026-41089 exploitation")
| project FirstSeen, LastSeen, Computer, IpAddress, EventID, EventCount, AlertNote
| order by FirstSeen desc

HUNT-05: TrapDoor Exfil — Python Process Contacting Unknown Endpoints After AI Framework Import

Covers TrapDoor payload contacting C2 after AI framework import in development environment. MITRE: T1041.

// HUNT-05: TrapDoor — Python outbound connection after AI framework import
// Covers: TrapDoor supply chain C2 exfiltration
// MITRE: T1041
DeviceNetworkEvents
| where Timestamp > ago(72h)
| where InitiatingProcessFileName in~ ("python.exe", "python", "python3")
| where RemoteIPType != "Private"
| where RemoteUrl !has "openai.com" and RemoteUrl !has "anthropic.com" and RemoteUrl !has "huggingface.co"
| where RemoteUrl !has "pypi.org" and RemoteUrl !has "github.com" and RemoteUrl !has "githubusercontent.com"
| where InitiatingProcessCommandLine has_any ("langchain", "llama_index", "langflow", "metagpt", "openhands")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessCommandLine
| order by Timestamp desc

HUNT-06: Golden Ticket Forgery Following Netlogon Compromise

Covers Kerberos Golden Ticket creation following CVE-2026-41089 exploitation and KRBTGT hash extraction. MITRE: T1558.001.

// HUNT-06: Post-CVE-2026-41089 — Kerberos Golden Ticket forgery indicators
// Covers: KRBTGT abuse following Netlogon DC compromise
// MITRE: T1558.001
SecurityEvent
| where TimeGenerated > ago(72h)
| where EventID == 4769
| where TicketEncryptionType == "0x17"
| where ServiceName != "krbtgt"
| where IpAddress !in ("::1", "127.0.0.1")
| summarize TicketCount = count(), DistinctServices = dcount(ServiceName)
    by IpAddress, Account, bin(TimeGenerated, 1h)
| where TicketCount > 30 or DistinctServices > 10
| extend AlertNote = "High-volume RC4 Kerberos service ticket requests — possible Golden Ticket usage post-Netlogon RCE"
| project TimeGenerated, IpAddress, Account, TicketCount, DistinctServices, AlertNote
| order by TimeGenerated desc

HUNT-07: Acros 0patch Micropatch Not Applied — Legacy DC Exposure Check

Identifies legacy domain controllers running EOL Windows Server versions that require Acros Security micropatches for CVE-2026-41089. MITRE: T1210.

// HUNT-07: Legacy DC running EOL Windows Server — CVE-2026-41089 micropatch check
// Covers: Windows Server 2008R2/2012/2012R2 DCs needing Acros 0patch
// MITRE: T1210
DeviceInfo
| where Timestamp > ago(24h)
| where OSVersionInfo has_any ("2008 R2", "2012", "2012 R2")
| where DeviceName has_any ("DC", "DOMCON", "-DC-", "-AD-")
| join kind=leftouter (
    DeviceTvmSoftwareInventory
    | where SoftwareName has "0patch" or SoftwareName has "0Patch"
    | project DeviceName, MicropatchInstalled = SoftwareName
) on DeviceName
| where isempty(MicropatchInstalled)
| project DeviceName, OSVersionInfo, MicropatchInstalled
| extend AlertNote = "Legacy domain controller without Acros 0patch micropatch — high risk for CVE-2026-41089"
| order by DeviceName asc

HUNT-08: GlobalProtect Forged Session Retroactive Audit (17 May – Present)

Retroactive audit of GlobalProtect logs for CVE-2026-0257 forged authentication indicators since Wave 1 exploitation began. MITRE: T1078, T1550.004.

// HUNT-08: CVE-2026-0257 retroactive audit — forged GP sessions from 2026-05-17
// Covers: All GlobalProtect auth bypass sessions since Wave 1 exploitation
// MITRE: T1078, T1550.004
CommonSecurityLog
| where TimeGenerated >= datetime(2026-05-17)
| where DeviceVendor == "Palo Alto Networks"
| where Message has_any ("aa:bb:cc:dd:ee:ff", "GP-CLIENT", "DESKTOP-GP01")
| summarize SessionCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), SourceIPs = make_set(SourceIP)
    by bin(TimeGenerated, 1d)
| extend AlertNote = "Retroactive GlobalProtect CVE-2026-0257 forged auth sessions — review all source IPs for post-auth activity"
| project FirstSeen, LastSeen, SessionCount, SourceIPs, AlertNote
| order by FirstSeen asc

KQL Detection Rules (High Fidelity)

DET-01: Windows Netlogon RCE — Unauthenticated Stack Overflow Pattern CRITICAL

Rationale: CVE-2026-41089 exploitation manifests as a burst of anomalous Netlogon authentication failures from a single non-domain-joined source IP against a domain controller, followed by successful authentication or process execution. High failure count plus LSASS access from the same source within minutes is a near-definitive exploitation indicator.

// DET-01: CVE-2026-41089 — Netlogon RCE exploitation pattern
// MITRE: T1210 | Severity: CRITICAL
let LogonFailures = DeviceLogonEvents
| where Timestamp > ago(24h)
| where ActionType == "LogonFailed"
| where DeviceName has_any ("DC", "DOMCON", "-DC-")   // DeviceLogonEvents records the logon target in DeviceName
// Rename the key columns so they do not collide with DeviceEvents columns after the join
| summarize FailureCount = count() by FailureSourceIP = RemoteIP, TargetDeviceName = DeviceName, FailureWindow = bin(Timestamp, 5m)
| where FailureCount > 15;
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "LsassProcessAccess"
| where DeviceName has_any ("DC", "DOMCON", "-DC-")
| join kind=inner LogonFailures on $left.DeviceName == $right.TargetDeviceName
| where Timestamp >= FailureWindow   // keep only LSASS access that follows the failure burst
| extend AlertTitle = "CVE-2026-41089 Windows Netlogon RCE — Possible Exploitation Followed by LSASS Access"
| extend Severity = "CRITICAL"
| extend MITRETechnique = "T1210 — Exploitation of Remote Services"
| extend RecommendedAction = "CRITICAL: Domain controller may be fully compromised. Immediately isolate DC from network. Take memory dump before any remediation. Assume KRBTGT hash is compromised — begin Golden Ticket response procedure (double KRBTGT password reset). Apply May 2026 CU to all DCs immediately. Engage IR."
| project Timestamp, AlertTitle, Severity, MITRETechnique, RecommendedAction, DeviceName, RemoteIP = FailureSourceIP, FailureCount, InitiatingProcessFileName
| order by Timestamp desc

DET-02: GlobalProtect Post-Auth Lateral Movement from Forged Session CRITICAL

Rationale: An authenticated VPN session established with forged identifiers (MAC aa:bb:cc:dd:ee:ff or machine names GP-CLIENT/DESKTOP-GP01) followed by lateral movement from the assigned VPN IP is a confirmed attacker pivot. The combination of forged auth plus internal SMB/RDP is high-confidence hostile activity.

// DET-02: CVE-2026-0257 post-auth lateral movement from forged GlobalProtect session
// MITRE: T1133, T1021 | Severity: CRITICAL
let ForgedSessions = CommonSecurityLog
| where TimeGenerated > ago(168h)
| where DeviceVendor == "Palo Alto Networks"
| where Message has_any ("GP-CLIENT", "DESKTOP-GP01", "aa:bb:cc:dd:ee:ff")
| project ForgedIP = SourceIP, AuthTime = TimeGenerated;
DeviceLogonEvents
| where Timestamp > ago(168h)
| where LogonType in ("Network", "RemoteInteractive")   // string values for logon types 3 and 10
| join kind=inner ForgedSessions on $left.RemoteIP == $right.ForgedIP
| where Timestamp > AuthTime
| extend AlertTitle = "GlobalProtect CVE-2026-0257 — Lateral Movement from Forged VPN Session"
| extend Severity = "CRITICAL"
| extend MITRETechnique = "T1021 — Remote Services (lateral movement from compromised VPN)"
| extend RecommendedAction = "Immediately terminate the VPN session and block the source IP. Audit all logon events from this IP since the auth time. Revoke credentials for any accounts authenticated from this source. Determine scope of internal network access before remediation."
| project Timestamp, AlertTitle, Severity, MITRETechnique, RecommendedAction, DeviceName, AccountName, RemoteIP, LogonType, AuthTime
| order by Timestamp desc

DET-03: Golden Ticket — RC4 Kerberos Tickets at Scale Post-DC Compromise CRITICAL

Rationale: A Golden Ticket attack using the KRBTGT hash harvested from a compromised domain controller produces high volumes of RC4-encrypted Kerberos service tickets (encryption type 0x17) from a single source IP requesting access to many services. This is a known post-exploitation pattern following Netlogon RCE. AES-only environments will see anomalous downgrade attempts instead.

// DET-03: Post-CVE-2026-41089 — Golden Ticket usage at scale
// MITRE: T1558.001 | Severity: CRITICAL
SecurityEvent
| where TimeGenerated > ago(72h)
| where EventID == 4769
| where TicketEncryptionType == "0x17"
| summarize TicketCount = count(), DistinctTargets = dcount(ServiceName), TargetList = make_set(ServiceName, 20)
    by IpAddress, Account, bin(TimeGenerated, 30m)
| where TicketCount > 25 and DistinctTargets > 8
| extend AlertTitle = "Possible Kerberos Golden Ticket — RC4 Service Tickets at Scale"
| extend Severity = "CRITICAL"
| extend MITRETechnique = "T1558.001 — Steal or Forge Kerberos Tickets: Golden Ticket"
| extend RecommendedAction = "CRITICAL: Initiate Golden Ticket response. Perform double KRBTGT password reset (two resets, 10+ hours apart). Audit all service access from this account/IP. Identify and isolate compromised domain controllers. Engage IR immediately."
| project TimeGenerated, AlertTitle, Severity, MITRETechnique, RecommendedAction, IpAddress, Account, TicketCount, DistinctTargets, TargetList
| order by TimeGenerated desc

DET-04: TrapDoor — Python Making Unexpected Outbound Connection During AI Framework Execution HIGH

Rationale: TrapDoor payload exfiltrates LLM API keys and developer secrets to an unknown C2 endpoint when the affected AI framework is imported. Legitimate AI framework imports do not establish outbound connections to arbitrary IPs. Any Python process importing a known-affected framework and connecting to a non-whitelisted endpoint is a direct indicator of the TrapDoor payload executing.

// DET-04: TrapDoor supply chain — unexpected outbound during AI framework execution
// MITRE: T1041 | Severity: HIGH
DeviceNetworkEvents
| where Timestamp > ago(72h)
| where InitiatingProcessFileName in~ ("python.exe", "python", "python3")
| where RemoteIPType != "Private"
| where not(RemoteUrl has_any ("openai.com", "anthropic.com", "huggingface.co", "cohere.com",
    "pypi.org", "github.com", "githubusercontent.com", "conda.io", "anaconda.com"))   // KQL has no !has_any operator
| where InitiatingProcessCommandLine has_any ("langchain", "llama_index", "llamaindex", "langflow", "metagpt", "openhands")
| extend AlertTitle = "TrapDoor Supply Chain — Python AI Framework Making Unexpected Outbound Connection"
| extend Severity = "HIGH"
| extend MITRETechnique = "T1041 — Exfiltration Over C2 Channel"
| extend RecommendedAction = "Immediately quarantine the development environment. Rotate all LLM API keys for OpenAI, Anthropic, Cohere, and HuggingFace. Audit all Python packages in this environment against known TrapDoor indicators. Review ddjidd564 GitHub account activity against installed package sources."
| project Timestamp, AlertTitle, Severity, MITRETechnique, RecommendedAction, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, InitiatingProcessCommandLine
| order by Timestamp desc

Mitigation Priorities

Emergency remediation (act now)

  • CVE-2026-41089 (Windows Netlogon RCE) — Apply the May 2026 cumulative update to ALL domain controllers immediately. Mixed-patch forests are not secure. For EOL Windows Server 2008 R2/2012/2012 R2 DCs, apply Acros Security 0patch micropatches as an interim measure while planning migration.
  • If domain controllers show Netlogon authentication anomalies or LSASS access events consistent with exploitation, initiate Golden Ticket response: double KRBTGT password reset (two separate resets, at least 10 hours apart to invalidate all existing Kerberos tickets).

Post-deadline remediation (continued urgency)

  • CVE-2026-0257 (PAN-OS GlobalProtect) — Apply PAN-OS patch if not yet applied. Retroactively audit GlobalProtect logs from 17 May for MAC aa:bb:cc:dd:ee:ff and machine names GP-CLIENT/DESKTOP-GP01. Revoke all affected sessions and associated credentials.

AI / ML development (continued)

  • Complete TrapDoor dependency audits and LLM API key rotation. The campaign is still active with no takedown. Block ddjidd564 as a GitHub contributor across all AI/ML repositories in your organisation.
  • Verify that transitive dependencies have been audited — not just direct dependencies. Use pip-audit or safety to scan the full dependency graph.

Sources

  • Belgium CCB Security Advisory: CVE-2026-41089 Windows Netlogon RCE Exploitation Confirmed — Centre for Cybersecurity Belgium, 2026-06-01
  • Acros Security (0patch) Micropatches for CVE-2026-41089 on Windows Server 2008R2/2012/2012R2 — Acros Security Blog, 2026-06-02
  • Half-Patched Forests: Why Mixed-Patch AD Environments Amplify Netlogon RCE Risk — BleepingComputer, 2026-06-02
  • Rapid7 MDR Update: GlobalProtect CVE-2026-0257 Still Active Post-CISA Deadline — Rapid7, 2026-06-02
  • TrapDoor Supply Chain Update: 14,000 Downstream Projects Affected, No Takedown — SlowMist, 2026-06-02