RoguePlanet, GreatXML, and Check Point VPN zero-days in the wild
LevelBlue SpiderLabs revealed RoguePlanet, a local privilege escalation that hijacks Microsoft Defender to run attacker code as SYSTEM without kernel exploits, and GreatXML, which manipulates the Windows Recovery Environment to maintain access to BitLocker‑protected data. Both rely on legitimate component interactions, highlighting the need for behavior‑based detections.
Check Point’s IKEv1 Remote Access VPN contains a critical authentication bypass (CVE‑2026‑50751, CVSS 9.3) that attackers have been exploiting since early May 2026, with dozens of organizations targeted and a ransomware affiliate among the actors involved. The flaw allows a client to skip certificate validation, so an unauthenticated remote user can obtain network access. Patch the affected Gaia versions immediately.
An exposed Spring Boot Actuator /heapdump endpoint in TeleMessage SGNL, the Signal‑like app used by U.S. agencies, served 150 MB JVM heap dumps containing usernames, passwords and session tokens to anyone who requested them. Researchers saw at least 11 IPs actively pulling these dumps, and CISA added CVE‑2025‑48927 to its KEV list. The flaw was patched in early May, but the incident underscores the danger of outdated Spring Boot defaults, which served actuator endpoints such as /heapdump from the application root; current releases expose only the health endpoint over HTTP unless the operator opts in to more.
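The check below is an added example, not code from the TeleMessage report, from Spring, or from this newsletter. It parses an application.properties file and applies the Spring Boot 2.x/3.x actuator exposure rules (and a narrower check for the legacy 1.x property names) to report whether a heap dump would be served over HTTP; the defaults it assumes are stated in the comments, and the property sets are constructed for illustration.

```python
"""Audit Spring Boot actuator settings for an exposed heap dump endpoint.

Added example, not code from the TeleMessage report, from Spring, or from the
newsletter. It applies the actuator exposure rules of Spring Boot 2.x/3.x (and a
narrower check for the legacy 1.x properties) to a parsed application.properties
file. The defaults encoded here are assumptions about those releases.
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal application.properties parser: key=value or key: value lines,
    '#' and '!' comment lines skipped, surrounding whitespace trimmed."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def _csv(value: str) -> set[str]:
    return {v.strip() for v in value.split(",") if v.strip()}


def _flag(props: dict[str, str], key: str, default: bool) -> bool:
    return props.get(key, str(default)).strip().lower() == "true"


def heapdump_exposure(props: dict[str, str], endpoint: str = "heapdump") -> dict:
    """Spring Boot 2.x/3.x rules (assumed defaults):
      - an endpoint is enabled unless management.endpoint.<id>.enabled=false, or
        management.endpoints.enabled-by-default=false with no per-endpoint override;
      - only ids in management.endpoints.web.exposure.include (default 'health')
        are served over HTTP; '*' matches all; exclude takes precedence;
      - the web base path defaults to /actuator.
    Returns {'exposed': bool, 'path': str, 'reason': str}."""
    enabled = _flag(
        props, f"management.endpoint.{endpoint}.enabled",
        _flag(props, "management.endpoints.enabled-by-default", True),
    )
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    base = props.get("management.endpoints.web.base-path", "/actuator").rstrip("/")
    path = f"{base}/{endpoint}"
    if not enabled:
        return {"exposed": False, "path": path, "reason": "endpoint disabled"}
    if endpoint in exclude or "*" in exclude:
        return {"exposed": False, "path": path, "reason": "excluded from web exposure"}
    if endpoint in include or "*" in include:
        return {"exposed": True, "path": path, "reason": "included in web exposure"}
    return {"exposed": False, "path": path, "reason": "not in web exposure include list"}


def legacy_heapdump_unauthenticated(props: dict[str, str]) -> bool:
    """Spring Boot 1.x check (assumed 1.x property names): heapdump is enabled by
    default and served at <management.context-path>/heapdump; it is reachable
    without credentials when management.security.enabled=false."""
    enabled = _flag(props, "endpoints.heapdump.enabled", _flag(props, "endpoints.enabled", True))
    security_off = not _flag(props, "management.security.enabled", True)
    return enabled and security_off


# Constructed sample: the shape of config that turns every actuator endpoint on
# and puts it at the application root, i.e. a reachable /heapdump.
WEAK = parse_properties("""
management.endpoints.web.exposure.include=*
management.endpoints.web.base-path=/
""")

# Constructed sample: hardened form. Heap dumps off entirely, only health exposed.
HARDENED = parse_properties("""
management.endpoints.web.exposure.include=health
management.endpoint.heapdump.enabled=false
""")

# Constructed sample in the legacy 1.x style with management security switched off.
LEGACY = parse_properties("""
management.security.enabled=false
""")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, heapdump_exposure(cfg))
    print("legacy unauthenticated heapdump:", legacy_heapdump_unauthenticated(LEGACY))
```

Run it against a real application.properties (or a flattened application.yml) from a build artifact; a result of exposed=True for heapdump, or a legacy config with management.security.enabled=false, is the setting to fix before the service faces a network.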
Google’s Threat Intelligence Group uncovered a campaign in which UNC6148 used hijacked admin credentials to log in to fully patched but end‑of‑life SonicWall SMA‑100 appliances and install the custom OVERSTEP rootkit. The malware hides its files, deletes log entries, and persists across reboots, giving the actor ongoing credential theft and a foothold for further exploitation.
Co-op Group confirmed that hackers exfiltrated the personal details of all 6.5 million members in an April breach. No ransomware was deployed, but the network shutdown taken in response crippled UK stores and exposed the retailer's lack of cyber‑insurance. It underscores the rising threat from the Scattered Spider collective targeting retail data.
A ransomware attack on Episource, UnitedHealth’s billing subsidiary, allowed attackers to copy health and insurance data for 5.4 million patients between Jan 27 and Feb 6, 2025. The breach underscores how cyber‑criminals are shifting focus to third‑party providers, jeopardizing patient privacy across the health‑care ecosystem.
The Trump administration earmarked $1 billion for offensive cyber ops, funneling funds into private‑sector hack‑back programs even as it slashed defensive cyber budgets. The move raises legal risks for companies and signals a shift toward aggressive, militarized cyber strategy that could reshape U.S. cyber conflict posture.