Threat Alerts

A multi-stage campaign uses fake AI-themed documents to deliver AsyncRAT, enabling remote access and persistence. Social engineering via enticing document lures increases the risk of initial compromise across organizations and users.

The attack chain begins with weaponized documents that conceal and invoke hidden PowerShell routines. Those scripts drop and launch an AutoHotkey-based loader which in turn loads a.NET Remote Access Trojan. The payload uses process injection and persistence mechanisms to maintain long-term access and evade basic detection. Obfuscation and staged loaders make identification by simple signature checks difficult.

Investigations note the presence of network command-and-control activity and filesystem artifacts consistent with remote administration tools. The campaign demonstrates how themed lures, script-based loaders, and in-memory injection combine to bypass controls and establish stealthy remote access.

An actively exploited zero-day in the V8 JavaScript/WebAssembly engine permits out-of-bounds memory access, leading to heap corruption with potential arbitrary code execution or system crashes in Chrome. The flaw is tracked as CVE-2026-11645 (CVSS 8.8) and represents an immediate browser security risk.

A maliciously crafted HTML page can trigger the out-of-bounds condition in V8, corrupting the heap and enabling remote attackers to execute code within the browser sandbox or bypass protections like ASLR to cause crashes. The issue is addressed in Chrome 149.0.7827.102/.103 for desktop and 149.0.7827.102 for Linux, alongside numerous other fixes, and evidence indicates active exploitation in the wild.

Authorities have added CVE-2026-11645 to a catalog of known exploited vulnerabilities, underscoring its priority for remediation. This exposure affects environments running the V8 engine; organizations should validate update deployment and monitor for exploitation indicators while treating this as a high-priority patching event. Note: a numeric CVSS score was not provided in the sourced material.

A security incident affecting ServiceNow resulted in unauthorized access to customer data through exploitation of an exposed API endpoint. The activity enabled unauthenticated access to information stored within affected customer environments, creating a risk of sensitive data exposure. Given ServiceNow’s role in managing business processes, IT operations, and organizational workflows, unauthorized access to platform data could provide threat actors with information that may be leveraged in subsequent malicious activity.

According to available information, threat actors identified and abused a ServiceNow API endpoint that did not properly enforce authentication requirements under certain conditions. By sending specially crafted requests, attackers were able to query and retrieve data from affected instances without valid credentials. Following the discovery of the activity, ServiceNow implemented security updates to restrict access to authenticated users and began notifying organizations believed to have been impacted by the exposure.

While publicly available information indicates the activity was limited to unauthorized data access rather than broader system compromise, the incident demonstrates the risks associated with externally accessible APIs that are not adequately protected. Depending on the nature of the exposed information, affected organizations may face an increased risk of phishing, social engineering, reconnaissance, or other follow-on attacks.

A critical zero-day vulnerability, CVE-2026-35273 (CVSS 9.8), in Oracle PeopleSoft is being actively exploited in the wild by a known threat actor, significantly increasing the risk to organizations running affected environments. The flaw resides within the PeopleSoft Environment Management component and allows unauthenticated remote code execution, enabling attackers to compromise vulnerable systems without requiring valid credentials or prior access. Given PeopleSoft’s widespread use in enterprise environments for managing business-critical functions, successful exploitation could provide attackers with direct access to sensitive corporate systems and data.

The activity was identified through a joint threat intelligence investigation, indicating the involvement of a capable and well-resourced adversary actively weaponizing the vulnerability. Because exploitation requires no authentication, attackers can use the flaw as an initial access vector to execute arbitrary code remotely, potentially leading to full system compromise, data theft, credential harvesting, and lateral movement across connected enterprise networks. The active exploitation of a critical remote code execution vulnerability in widely deployed enterprise software highlights the continued trend of threat actors rapidly operationalizing newly disclosed flaws, often before organizations can complete remediation efforts, making immediate patching and exposure assessment essential for affected deployments.

SAP’s June 2026 Security Patch package addresses multiple vulnerabilities across SAP products, including four critical-severity flaws affecting SAP NetWeaver and SAP Commerce Cloud. The release includes fixes for critical vulnerabilities that could enable authentication bypass, memory corruption, directory traversal, and Spring Security exploitation, creating significant risk for enterprise environments if remediation is delayed.
CVE-2026-44748 (CVSS Score 9.9) is an XML Signature Wrapping vulnerability in SAP NetWeaver AS ABAP and ABAP Platform, potentially allowing authentication bypass in SAML-based environments. Specifically, an authenticated attacker with normal privileges can obtain a valid signed message and send modified signed XML documents to the verifier, potentially resulting in acceptance of tampered identity information, unauthorized access to sensitive user data, and disruption of normal system usage. CVE-2026-27671 (CVSS Score 9.8) is a memory corruption flaw in SAP NetWeaver/ABAP Platform Application Server ABAP. An attacker can exploit it without authentication by sending crafted RFC requests to vulnerable endpoints, leveraging improper kernel validation to cause memory corruption. CVE-2026-22732 (CVSS Score 9.1) is a Spring Security-related vulnerability affecting SAP Commerce Cloud and SAP Data Hub. CVE-2026-40128 (CVSS Score 9.0) is a directory traversal vulnerability in SAP NetWeaver Application Server Java’s Web Container. Organizations using the impacted products should prioritize patching, particularly the SAML authentication flaw (CVE-2026-44748) and the memory corruption issue (CVE-2026-27671), which were rated very high in severity and could have a serious impact on enterprise environments.