Threat Advisories

Top Middle East Cyber Threats – February 24th, 2026 

By Help AG

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.   


Pulse Secure VPN Backdoor Poses Risk of Unauthorized Access 

Recent reports indicate that certain versions of Pulse Secure VPN software were found to include an embedded backdoor that may have been exploited to gain unauthorized access to enterprise networks. The issue impacts multiple organizations and highlights the persistent risks associated with VPN infrastructure and third-party supply chains, particularly given the high level of access these systems provide. 

As VPN appliances enable privileged remote connectivity, any hidden access mechanism could facilitate lateral movement, credential abuse, and potential data compromise. It is therefore critical for organizations to review vendor guidance, apply necessary updates or mitigations, rotate administrative credentials, and closely monitor remote access activity for signs of suspicious behavior. 

RECOMMENDATIONS     

  • Organizations utilizing Ivanti VPN solutions should immediately investigate for signs of compromise. 
  • Implement robust network segmentation to limit the potential impact of attacks. 
  • Regularly patch and update VPN software to address known vulnerabilities. 
  • Enhance monitoring and logging to detect suspicious activity. 
  • Implement multi-factor authentication (MFA) for VPN access. 
  • Conduct thorough security audits and penetration testing to identify and remediate vulnerabilities. 


VMware Fixes Spring Data Vulnerability Allowing Path Traversal 

VMware has released one security fix, rated High in severity. The update addresses CVE-2026-2818 affecting Spring Data Geode and Spring Data GemFire. This vulnerability involves a zip-slip path traversal issue in Spring Data Geode's import snapshot functionality, which may allow attackers to write files outside the intended extraction directory. The vulnerability appears to affect Windows operating systems only. 
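Zip-slip works because an archive entry name such as `../../x` is joined onto the extraction directory without checking where the joined path actually resolves. The following is an added illustration of the defensive check, written in Python for this advisory; it is not Spring Data Geode's code, and the archive entries and the destination path are constructed for the example. Backslashes are treated as path separators on every platform so that a Windows-style traversal entry is caught even when the check runs on Linux.

```python
import io
import os
import zipfile


def build_sample_archive() -> bytes:
    """Constructed archive (not a real Spring Data snapshot): one benign
    entry plus two entries that try to escape the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("snapshot/region.gfd", b"benign entry")
        zf.writestr("../../outside.txt", b"relative traversal")
        zf.writestr("/abs/outside.txt", b"absolute path")
    return buf.getvalue()


def classify_entries(zip_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Split archive entry names into (safe, rejected).

    An entry is safe only if its fully resolved target lies under the
    resolved destination directory. Backslashes are normalised to '/'
    first, so Windows-style separators cannot hide a traversal."""
    dest_real = os.path.realpath(dest)
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            normalized = name.replace("\\", "/")
            target = os.path.realpath(os.path.join(dest_real, normalized))
            if os.path.commonpath([dest_real, target]) == dest_real:
                safe.append(name)
            else:
                rejected.append(name)
    return safe, rejected


def extract_safely(zip_bytes: bytes, dest: str) -> list[str]:
    """Refuse the whole archive if any entry escapes dest; otherwise extract
    every entry and return the extracted names."""
    safe, rejected = classify_entries(zip_bytes, dest)
    if rejected:
        raise ValueError(f"zip-slip entries rejected: {rejected}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in safe:
            zf.extract(name, dest)
    return safe


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        safe, rejected = classify_entries(build_sample_archive(), tmp)
        print("safe:", safe)
        print("rejected:", rejected)
```

Rejecting the whole archive rather than silently skipping bad entries is deliberate: a snapshot that contains traversal entries is either corrupt or hostile, and neither case should leave a partially imported state behind.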

RECOMMENDATIONS     

  • Ensure all systems are patched and updated.  


Active Exploitation of BeyondTrust Flaw Enables Remote System Compromise 

Researchers have detected active exploitation of the critical vulnerability CVE-2026-1731 in BeyondTrust remote support software. This flaw, found in the thin-scc-wrapper component, allows unauthenticated attackers to execute operating system commands via command injection. The exploit occurs during the WebSocket handshake, where attackers inject malicious input into the remoteVersion parameter, resulting in remote code execution and full control of the appliance. 

After gaining access, attackers performed reconnaissance, created administrative accounts, deployed web shells, installed remote access tools such as SparkRAT and VShell, and established command-and-control communications. This activity has impacted multiple sectors globally – including financial services, healthcare, education, legal, technology, and retail – highlighting the vulnerability’s severity and its potential for sustained compromise and data exfiltration. 
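The defensive counterpart to a command injection in a version parameter is a strict allowlist: a version string should contain nothing but digits and dots, so any other value is either a bug or an attack. The block below is an added example for this advisory, not BeyondTrust's code or an indicator from the referenced research. It applies that allowlist to constructed handshake log lines; the endpoint path `/ws/handshake`, the log layout (method, target, status) and the assumption that remoteVersion arrives as a query-string parameter are all assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for a version string: one to four dot-separated numeric fields.
VERSION_RE = re.compile(r"\d+(\.\d+){0,3}")

# Constructed sample log lines (not real BeyondTrust logs). Format assumed:
# "<method> <request-target> <status>". Line 2 carries a shell metacharacter,
# line 3 carries whitespace; both fail the allowlist.
SAMPLE_LOG = """\
GET /ws/handshake?remoteVersion=25.1.3 101
GET /ws/handshake?remoteVersion=25.1.3%3Bx 101
GET /ws/handshake?remoteVersion=25.1.3%20x 400
GET /ws/handshake?remoteVersion=25.1 101
GET /ws/handshake 101
"""


def is_valid_version(value: str) -> bool:
    """True only if the whole value is a dotted numeric version."""
    return VERSION_RE.fullmatch(value) is not None


def scan_handshake_log(log_text: str) -> list[dict]:
    """Return one finding per request whose remoteVersion fails the allowlist.

    Each finding records the line number, the decoded value and the response
    status, so a reviewer can tell a rejected request (4xx) from one the
    server accepted (101 Switching Protocols)."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; not a handshake record
        target, status = parts[1], parts[2]
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in query.get("remoteVersion", []):
            if not is_valid_version(value):
                findings.append({"line": lineno, "value": value, "status": status})
    return findings


if __name__ == "__main__":
    for finding in scan_handshake_log(SAMPLE_LOG):
        print(finding)
```

On the server side the same `is_valid_version` check belongs in front of any code that passes the parameter to a shell; on the monitoring side, a flagged request that received a 101 response deserves more attention than one the server already rejected with a 4xx.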

RECOMMENDATIONS 

  • Immediately apply any available patches or mitigations provided by BeyondTrust for CVE-2026-1731. 
  • Implement robust network segmentation to limit the potential impact of a compromise. 
  • Monitor network traffic for indicators of compromise (IOC) associated with VShell and SparkRAT. 
  • Review and strengthen system hardening practices, including least-privilege access controls and regular security audits. 
  • Ensure comprehensive logging and alerting are in place to detect and respond to suspicious activity. 


Microsoft Releases Fix for Teams Vulnerability Allowing Data Exposure 

Microsoft has released one security fix with a severity rating of high.  

The update addresses CVE-2026-21535 in Microsoft Teams, where improper access control allows an unauthorized attacker to disclose information over a network. 

RECOMMENDATIONS     

  • Ensure all systems are patched and updated.  


Splunk Releases Security Fixes Addressing Critical Vulnerabilities 

Splunk has released six security fixes—five Medium and one Low—addressing vulnerabilities in Splunk Enterprise and Splunk Cloud Platform. These include unauthorized access to sensitive keys, such as RSA accessKey, Duo Two-Factor Authentication (2FA) keys, and Security Assertion Markup Language (SAML) configurations; bypass of Search Processing Language (SPL) safeguards in Data Models; and client-side Denial of Service (DoS) via the REST API. The vulnerabilities primarily affect users of Splunk Search Head Cluster (SHC) deployments with access to the _internal index or low-privileged accounts. Organizations are strongly advised to apply these updates promptly to prevent data exposure, system disruption, and potential misuse of administrative functions. 

RECOMMENDATIONS     

  • Ensure all systems are patched and updated.  


References 

https://cyberwarzone.com/2026/02/21/pulse-secure-network-hacked-via-backdoor-embedded-in-its-vpn-software/ 

https://www.herodevs.com/vulnerability-directory/cve-2026-2818

https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/ 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21535 

https://advisory.splunk.com/advisories/SVD-2026-0207

https://advisory.splunk.com/advisories/SVD-2026-0202

https://advisory.splunk.com/advisories/SVD-2026-0204

https://advisory.splunk.com/advisories/SVD-2026-0206

https://advisory.splunk.com/advisories/SVD-2026-0203

https://advisory.splunk.com/advisories/SVD-2026-0209 
