End-of-Day report
Timeframe: Wednesday 17-06-2026 18:00 - Thursday 18-06-2026 18:00
Handler: Alexander Riepl
Co-Handler: n/a
News
Rogueplanet exploit: Microsoft promises a "high-quality security update"
Microsoft intends to block exploitation of the Rogueplanet exploit on Windows devices with an update. When that will happen, however, remains a mystery.
https://www.golem.de/news/rogueplanet-exploit-microsoft-verspricht-ein-high-quality-sicherheitsupdate-2606-209904.html
Patch now: Nginx web servers vulnerable through critical flaws
Because of security vulnerabilities in three Nginx modules, attackers can bring web servers down or inject malicious code. Patches prevent this.
https://www.golem.de/news/jetzt-patchen-nginx-webserver-durch-kritische-luecken-angreifbar-2606-209926.html
Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline
A French-speaking attacker broke into a small French automotive business, planted a keylogger, and stole banking and email credentials. Ordinary stuff, until one move near the end. Before his command-and-control server went dark, he installed OpenSSH and Tailscale on a victim's machine, building a way back in that did not run through the C2 at all. When the Havoc server went ..
https://thehackernews.com/2026/06/junior-hacker-used-tailscale-and.html
Crypto Clipper Campaign Abuses Fake Reviews, AI Narrators, and VirusTotal Comments
An unknown threat actor has been observed leveraging paid or promoted posts on legitimate news websites to drum up buzz for their warez, according to new findings from Check Point Research. The threat actor also has at their disposal a dedicated WordPress ..
https://thehackernews.com/2026/06/crypto-clipper-campaign-abuses-fake.html
Operation Endgame: Investigators clean thousands of blogs of SocGholish
Law enforcement from four countries took down a botnet and WordPress blogs that criminals had misused as distribution points for malware.
https://www.heise.de/news/Operation-Endgame-Ermittler-saeubern-tausende-Blogs-von-SocGholish-11337399.html
Expiring Secure Boot certificates - what was, what is, what is coming
Two completely different technologies, one very similar problem - DNS and Secure Boot are both technologies that (ideally) run trouble-free in the background .. until they suddenly become an issue. Exactly that could happen with Secure Boot in the course of this year - the cryptographic trust anchors on which UEFI Secure Boot rests largely date from 2011. And the end of fifteen years of ..
https://www.cert.at/de/blog/2026/6/auslaufende-secure-boot-zertifikate-was-ist-was-kommt
Current status of "FortiBleed"
Last weekend, a security researcher discovered in the course of his work an unusually structured collection of stolen data which, after further analysis, turned out to be compromised credentials for tens of thousands of Fortinet systems worldwide. The authenticity of the data was subsequently confirmed both by independent security experts and by the security company Hudson Rock. The roughly 75,000 affected Fortinet systems ..
https://www.cert.at/de/blog/2026/6/aktueller-stand-rund-um-fortibleed
EU grants Ukraine access to cybersecurity reserve for major attacks
As Kyiv takes steps toward formal accession to the EU, the bloc is integrating Ukraine with its pool of pre-approved cybersecurity incident response companies.
https://therecord.media/ukraine-access-eu-cybersecurity-reserve
From Blaster to BlueHammer: Is history repeating itself at Microsoft?
For some weeks now there has been quite a dispute between a security researcher using the alias Nightmare Eclipse and the Microsoft Security Response Center team (MSRC team). It is about the way security vulnerabilities are reported, ..
https://borncity.com/blog/2026/06/18/von-blaster-bis-bluehammer-wiederholt-sich-die-geschichte-bei-microsoft/
The Road to Post-Quantum Readiness Part 1 of 2: Understanding the Risk
Post-Quantum Cryptography is no longer a future-only concern. Standards are final, major providers have already deployed hybrid protection, and the real risk now is data captured today and decrypted later. Part 1 explains the fundamentals, the threat, and why organizations can no longer afford to wait.
https://blog.nviso.eu/2026/06/18/the-road-to-post-quantum-readiness-part-1/
Threat Actors Abuse claude.ai Shared Chat for ClickFix Malvertising Campaign
Cybercriminals hijacked Google Ads searches for popular AI developer tools to funnel over 2,000 victims toward malicious download pages before quietly moving their operation onto claude.ai's own platform, turning the trusted domain into a delivery mechanism for credential-stealing malware.
https://www.trendmicro.com/en_us/research/26/f/claudeai-shared-chat-abused-in-malvertising.html
Vulnerabilities
Drupal core - Critical - PHP object injection - SA-CORE-2026-005
Project: Drupal core | Date: 2026-June-05 | Security risk: Critical 18 - 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon | Vulnerability: PHP object injection | Affected versions: =10.6.0 =11.2.0 =11.3.0 | CVE IDs: CVE-2026-55803 | Description: SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web ..
https://www.drupal.org/sa-core-2026-005
Plotly.js Graphing - Critical - PHP object injection - SA-CONTRIB-2026-050
Project: Plotly.js Graphing | Date: 2026-June-17 | Security risk: Critical 19 - 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Default | Vulnerability: PHP object injection | Affected versions: | CVE IDs: ..
https://www.drupal.org/sa-contrib-2026-050
Flag attendance field - Critical - PHP object injection - SA-CONTRIB-2026-049
Project: Flag attendance field | Date: 2026-June-17 | Security risk: Critical 19 - 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Default | Vulnerability: PHP object injection | Affected versions: | CVE IDs: CVE-2026-55809 | Description: The Flag attendance field module gives you the ability to add attendance by depending on the Flag module. flag_attendance_field stores ..
https://www.drupal.org/sa-contrib-2026-049
Formatter Field - Critical - PHP object injection - SA-CONTRIB-2026-048
Project: Formatter Field | Date: 2026-June-17 | Security risk: Critical 19 - 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Default | Vulnerability: PHP object injection | Affected versions: | CVE IDs: CVE-2026-12535 | Description: The Formatter Field module provides a mechanism for specifying a formatter and formatter settings to be used for displaying a ..
https://www.drupal.org/sa-contrib-2026-048
SVD-2026-0614: OS Command Injection in the btool Configuration Helper in Splunk AI Toolkit
In Splunk AI Toolkit versions below 5.7.4, a user who holds the "admin" Splunk role could execute arbitrary OS commands on the host running the Splunk Enterprise instance. The vulnerability is possible because of an unsafe shell execution pattern in the btool configuration helper, which constructs OS command strings from dynamic parameters without disabling shell interpretation.
https://advisory.splunk.com//advisories/SVD-2026-0614
Cisco Identity Services Engine Remote Code Execution and Information Disclosure Vulnerabilities
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multi-G5WP8vv
Cisco Crosswork Network Controller Server-Side Template Injection Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cnc-inj-QNMeEmxk
Cisco Webex App Open Redirect Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-app-redirect-KOyxhffH
Cisco Umbrella Virtual Appliance Privilege Escalation Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-umbrella-priv-esc-F4wJB7AU
Hardcoded Root Cloud Credentials in Application Binaries in Silver Leaf Technologies Worksnaps
https://sec-consult.com/vulnerability-lab/advisory/hardcoded-root-cloud-credentials-in-application-binaries-in-silver-leaf-technologies-worksnaps/