Microsoft Working on Defender Patch for RoguePlanet Zero-Day
Microsoft has confirmed it is actively developing a patch for a new zero-day vulnerability in Microsoft Defender, currently tracked as CVE-2026-50656 and dubbed “RoguePlanet.” The vulnerability, caused by a race condition flaw, affects fully patched Windows 10 and 11 systems and allows attackers to spawn command prompts with complete SYSTEM-level privileges.
A proof-of-concept exploit was publicly released by a disgruntled security researcher amid an ongoing dispute with Microsoft over their bug bounty practices.
Privilege escalation flaws in ubiquitous security tools like Defender are highly dangerous. They allow attackers who have gained an initial foothold to seize total administrative control over compromised endpoints. The fact that this flaw exists in fully patched systems is particularly concerning—it means organizations can’t simply patch their way to safety until Microsoft releases the fix.
In the meantime, organizations should assume that an attacker with local access to a Windows 10 or 11 machine can potentially escalate to SYSTEM privileges. Layered defenses—endpoint detection and response, privileged access management, and behavioral monitoring—become even more critical.
Microsoft Fixes Windows Server 2016 Security Update Failures
Microsoft has officially resolved a known bug that was causing the June 2026 security updates to fail on Windows Server 2016 systems. The issue primarily impacted servers that had skipped the previous month’s updates, triggering a “FILE_NOT_FOUND” error code during the installation process.
Microsoft confirmed the issue in an admin portal service alert and has now fixed the deployment path, allowing administrators to successfully install the latest updates.
Consistent patching is fundamental to enterprise security. Resolving update failures ensures that critical infrastructure is no longer left vulnerable to newly disclosed exploits due to stalled deployments. For organizations running Windows Server 2016, this fix removes a major barrier to staying current. If your servers were stuck in update limbo, this is your window to get back on track.
CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices
The Cybersecurity and Infrastructure Security Agency has issued an urgent warning following a massive credential leak known as “FortiBleed.” This breach has exposed the VPN credentials of over 86,000 Fortinet FortiGate devices worldwide.
Because these devices are frequently used to secure network perimeters, the leaked credentials provide cybercriminals with direct access to corporate networks. This isn’t a theoretical risk. With tens of thousands of corporate networks instantly exposed, organizations utilizing Fortinet infrastructure must urgently audit their devices and reset credentials to prevent widespread unauthorized access.
For any organization running FortiGate firewalls or VPN appliances, this is a critical incident. Assume your credentials may be compromised and act accordingly.
Read more: https://thehackernews.com/2026/06/cisa-warns-fortinet-customers-as.html
FBI, Google Dismantle ‘Outsider Enterprise’ Phishing Service
The FBI, in coordination with Google, has successfully taken down “Outsider Enterprise,” a massive phishing-as-a-service platform. Operating out of China and coordinated via Telegram, the service enabled threat actors to impersonate major brands through automated SMS phishing campaigns.
Over the past three years, the platform facilitated the theft of 3.8 million credit cards and caused an estimated $1.9 billion in financial losses. During the takedown, law enforcement seized domains, cryptocurrency assets, and testing infrastructure.
Dismantling major “cybercrime-as-a-service” platforms significantly disrupts the underground supply chain and protects global consumers and enterprises from highly scalable, automated financial fraud. This takedown is a rare win in the ongoing effort to disrupt organized cybercrime operations. However, it also signals that attackers will simply move to the next platform. The infrastructure of cybercrime is resilient. Defense requires constant vigilance on the victim side.
Read more: https://www.securityweek.com/fbi-google-dismantle-outsider-enterprise-phishing-service/
Cybercriminals Mask Malicious Communications Through Microsoft Teams Relays
Threat actors associated with the DragonForce ransomware group have been observed using a custom malware called “Backdoor.Turn” to abuse legitimate Microsoft Teams relay infrastructure. During a recent intrusion, attackers routed their command-and-control traffic through Microsoft’s TURN relays, making it appear as normal outbound Teams communication to security monitoring tools.
This sophisticated evasion tactic allowed the attackers to remain undetected for months before eventually deploying their ransomware payloads.
This novel abuse of trusted cloud infrastructure highlights how threat actors are continuously evolving their defense evasion techniques. Security teams can no longer rely on basic network filtering or even blocking specific domains. Attackers are weaponizing the legitimate infrastructure that organizations depend on—in this case, Microsoft’s own relay servers—to hide in plain sight.
Read more: https://www.helpnetsecurity.com/2026/06/16/dragonforce-microsoft-teams-malware-backdoor-turn/
Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication
A critical vulnerability has been disclosed in Splunk Enterprise that allows malicious actors to execute arbitrary code without requiring any authentication. If exploited, this remote code execution flaw enables threat actors to run unauthorized code directly on the affected Splunk infrastructure.
Given that Splunk serves as a central data logging and monitoring platform for many enterprises, a compromised server could expose sensitive network telemetry, user activity logs, and security event data.
Unauthenticated RCE vulnerabilities in core enterprise logging and security systems are severe risks that must be prioritized for patching to prevent attackers from accessing highly sensitive internal operations data. For organizations running Splunk, this is a critical issue. Your logging infrastructure may be the target, not just a system to monitor other targets.
Read more: https://thehackernews.com/2026/06/critical-splunk-enterprise-flaw-lets.html
