Weekly dossier · 2026-W28
Joel Traber AG
06.07.2026 – 12.07.2026
Strategic overview
CRITICALIn CW 28, critical vulnerabilities in core components of Joel Traber AG's infrastructure dominate the threat picture: Microsoft Edge alone contains three directly relevant flaws, including remote code execution, privilege escalation, and access control bypass, while a 15-year-old Linux kernel vulnerability (GhostLock) leaves the deployed Ubuntu 24.04 LTS systems exploitable without elevated permissions. A privilege escalation flaw in Microsoft Defender additionally threatens the Windows Server infrastructure, and an authentication weakness in Bitwarden creates potential for full account takeovers.
- Alerts
- 119
- CVEs
- 430
- KEV
- 2
- Critical
- 34
Top news
- TAKTISCH ZDI: Published AdvisoriesZDI-26-331: (Pwn2Own) Microsoft Edge Feedback Log File Handling Directory Traversal Remote Code Execution Vulnerability
A directory-traversal vulnerability in Edge feedback logging enables remote code execution when a user visits a malicious page or opens a malicious file.
→ Microsoft Edge is actively used in the company's tech stack; a directory traversal RCE vulnerability with CVSS 7.5 requiring user interaction represents a direct operational risk to endpoint security.
- TAKTISCH ZDI: Published AdvisoriesZDI-26-355: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability
A use-after-free vulnerability in Adobe Acrobat Reader DC enables remote code execution upon user interaction with CVSS 7.8; no public exploitation known, but timely patching required.
→ Adobe Acrobat Reader DC is explicitly listed in the company's tech stack; a use-after-free RCE with CVSS 7.8 requiring user interaction represents a direct operational risk.
- TAKTISCH The Hacker NewsMicrosoft Patches RoguePlanet Defender Flaw That Can Grant SYSTEM Privileges
The RoguePlanet vulnerability is a race condition in mpengine.dll that can be exploited regardless of whether real-time protection is enabled, and has already been publicly documented with PoC exploits.
→ CVE-2026-50656 is a privilege escalation vulnerability in Microsoft Defender (mpengine.dll) that could be exploited on Windows Server 2022 and Windows Server 2019 in the company's infrastructure to obtain SYSTEM-level access.
- TAKTISCH The Hacker News15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros
GhostLock is a 15-year-old Linux kernel flaw now publicly disclosed with working exploit code offering 97% reliability for local privilege escalation and container escape.
→ CVE-2026-43499 is a critical 15-year-old Linux kernel privilege escalation flaw affecting Ubuntu 24.04 LTS, which is in the company's tech stack; it requires no special permissions and enables local privilege escalation and container escape, making it directly applicable to manufacturing environments running Ubuntu.
- OPERATIV darkreading'Djinn' Stealer Targets Cloud, AI Credentials
The campaign demonstrates that attackers leverage RMM tools as entry points to steal cloud and AI credentials using admin privileges, enabling broad network compromise.
→ RMM tools like SimpleHelp are widely deployed in enterprise environments and are actively targeted by attackers for lateral movement and credential theft; the Djinn stealer campaign demonstrates practical exploitation of this attack vector.
- TAKTISCH The Hacker NewsBeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA
Prior BeyondTrust flaws have been actively exploited for web shell and backdoor deployment, justifying urgent patch prioritization for these critical authentication bypass vulnerabilities.
→ BeyondTrust Remote Support and Privileged Remote Access are not mentioned in the company's specific tech stack, but critical auth bypass flaws (CVSS 9.2) affecting remote access and privilege management products are commonly deployed in similar manufacturing environments.
- TAKTISCH The Hacker News16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems
A 16-year-old use-after-free vulnerability in the Linux KVM hypervisor enables the first reliable guest-to-host escape with full code execution on both Intel and AMD x86 systems.
→ CVE-2026-53359 is a critical KVM hypervisor escape vulnerability affecting Linux KVM on Intel and AMD x86 systems; the company operates VMware vSphere 8 / ESXi environments which use different hypervisor architecture (not Linux KVM), but the vulnerability is relevant to any organization managing virtualized infrastructure and guest isolation.
- TAKTISCH MalwarebytesMicrosoft fixes RoguePlanet zero-day in Defender
A critical elevation of privilege vulnerability in Microsoft Defender allows attackers to escalate from standard user account to full system control (NT AUTHORITY\SYSTEM).
→ Microsoft Defender elevation of privilege zero-day (RoguePlanet/CVE-2026-50656) directly affects the company's Windows Server and endpoint security infrastructure.
- TAKTISCH MalwarebytesThis new Windows malware can take over your PC and wipe it clean
GigaWiper is a modular Golang backdoor observed in intrusions since October 2025, combining multiple wiper functions with C2 and remote access capabilities in a single operational framework.
→ GigaWiper is a destructive Windows backdoor combining remote access and data destruction capabilities, directly relevant to Windows Server environments and endpoints in the company's tech stack; however, no nation-state attribution or DACH-specific targeting has been disclosed.
Research Deep Dives
View all →- MALWAREBYTES 09/07/2026Microsoft fixes RoguePlanet zero-day in Defender
Microsoft has fixed the RoguePlanet zero-day vulnerability (CVE-2026-50656) in Microsoft Defender. This elevation of privilege flaw allowed attackers to escalate from a standard user account to NT AUTHORITY\SYSTEM, gaining full control of the system. The fix is included in Malware Protection Engine version 1.1.26060.3008, which is distributed automatically. Organizations using alternative antivirus solutions with Defender disabled are not affected.
- MALWAREBYTES 10/07/2026This new Windows malware can take over your PC and wipe it clean
The research report describes 'GigaWiper', a modular Windows backdoor written in Golang that combines remote access, espionage, and multiple data destruction methods. The malware leverages components from earlier tools like Crucio ransomware and FlockWiper, and can, among other things, overwrite raw disks, irreversibly encrypt files, and record the desktop. It establishes persistence via a scheduled task named 'OneDrive Update'. The best defense is preventing initial compromise and detecting malicious activity early.
- MICROSOFT SECURITY BLOG 25/06/2026Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access
The report details an active multi-stage intrusion campaign targeting the hospitality and hotel industry since April 2026. The attackers use photo-themed ZIP archives with fake image shortcuts to initiate a chain involving obfuscated PowerShell, a Node.js implant, and dual registry persistence. The campaign evolved in two waves, with the second wave adding dynamic .NET DLL compilation and new domain infrastructure. While the ultimate objective is unclear, the emphasis on obfuscation and persistence indicates preparation for further malicious activities.
Top vendors
- Microsoft 35
- Google 23
- Adobe 12
- Linux 10
- Mozilla Firefox 3
- Mozilla Thunderbird 3
Top CVEs
- CVE-2026-48558 'Djinn' Stealer Targets Cloud, AI Credentials 10.0
- CVE-2026-58281 CVE-2026-58281: Deserialization of Untrusted Data in Microsoft Edge Allows Remote Code Execution 8.3
- CVE-2026-58596 CVE-2026-58596 8.3
- CVE-2026-58525 CVE-2026-58525 8.2
- CVE-2026-32201 The April 2026 Security Update Review 6.5
- CVE-2026-60104 CVE-2026-60104: Bitwarden Server Authentication Request Vulnerability Allows Account Takeover 7.3