<h1>This Week's Cyber Pulse: Check Point VPN Exploited, Cisco SD-WAN Unpatched, Miasma Supply Chain Attack</h1>
<p>This week's Pulse has one clear theme: <strong>the infrastructure you trust to connect your business is the infrastructure under attack.</strong> A critical Check Point VPN flaw is actively exploited. An unpatched Cisco SD-WAN vulnerability has active exploitation with no patch available. And the Miasma supply chain worm hit Microsoft's own GitHub repositories β 73 of them. If you manage any of these systems, this is your action list for the week.</p>
<h2>1. Check Point VPN β IKEv1 Authentication Bypass (CVE-2026-50751, CVSS 9.3)</h2>
<p>Check Point released an urgent hotfix for a logic flaw in certificate validation that allows unauthenticated remote attackers to bypass user authentication and establish Remote Access VPN connections without a valid password. The flaw specifically affects deployments using the deprecated IKEv1 key exchange protocol. CISA confirmed active exploitation in the wild.</p>
<p><strong>SMB impact:</strong> If you have a Check Point VPN for remote access, an attacker who finds your public IP can attempt to bypass credentials entirely. CVSS 9.3 is as severe as it gets for a network device. This is your top priority this week.</p>
<ul>
<li><strong>Action:</strong> Apply Check Point hotfix SK185033 immediately.</li>
<li><strong>Action:</strong> Disable IKEv1 if patching is delayed β switch to IKEv2 only.</li>
<li><strong>Action:</strong> Audit VPN connection logs for entries from unexpected geographies or unusual hours.</li>
<li><strong>Action:</strong> Restrict VPN management interface to known IP ranges.</li>
</ul>
<h2>2. Cisco Catalyst SD-WAN Manager β Active Exploitation, No Patch Available (CVE-2026-20245)</h2>
<p>Cisco has confirmed active exploitation of CVE-2026-20245, a high-severity flaw in Cisco Catalyst SD-WAN Manager that allows unauthenticated remote attackers to run arbitrary commands as root. Unlike the Check Point flaw, there is no patch for this one yet β Cisco's mitigation guidance is the only protection available.</p>
<p><strong>SMB impact:</strong> SD-WAN is increasingly common in SMBs as a replacement for traditional MPLS. If you run SD-WAN Manager exposed to the internet, assume active targeting. The attack chain is complete and weaponized.</p>
<ul>
<li><strong>Action:</strong> Isolate SD-WAN Manager from the public internet immediately β no exceptions.</li>
<li><strong>Action:</strong> Restrict the management interface to a whitelisted IP list (VPN-only or on-premises access).</li>
<li><strong>Action:</strong> Review SD-WAN admin logs for suspicious commands or session anomalies.</li>
<li><strong>Action:</strong> Subscribe to Cisco PSIRT advisories for patch availability updates.</li>
<li><strong>Action:</strong> Run our <a href="/tools/vulnerability-scanner">Vulnerability Scanner β</a> to check your external attack surface.</li>
</ul>
<h2>3. Miasma Supply Chain Worm β 73 Microsoft GitHub Repositories Compromised</h2>
<p>The ongoing Miasma self-replicating supply chain campaign hit 73 Microsoft repositories across four GitHub organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs. GitHub disabled the affected repositories while remediation is underway. The Miasma campaign is a self-propagating supply chain attack that injects malicious code into open-source packages.</p>
<p><strong>SMB impact:</strong> If your development or CI/CD pipelines depend on Microsoft-hosted open-source libraries, SDKs, or samples from these organizations, you may be pulling compromised dependencies. Supply chain attacks can sit dormant for months before activating.</p>
<ul>
<li><strong>Action:</strong> Audit your dependency tree for any packages from Azure, Azure-Samples, Microsoft, or MicrosoftDocs GitHub orgs.</li>
<li><strong>Action:</strong> Pin specific versions of open-source packages β avoid floating version ranges that could pull a compromised version.</li>
<li><strong>Action:</strong> Review CI/CD pipeline build steps for unauthorized script injection.</li>
<li><strong>Action:</strong> Run <code>npm audit</code> or your language's equivalent on all production dependencies.</li>
</ul>
<h2>4. Microsoft June Patch Tuesday β 200 Vulnerabilities, SharePoint Zero-Day Active (CVE-2026-32201)</h2>
<p>Microsoft's June Patch Tuesday addressed 200 vulnerabilities across its product line. CVE-2026-32201 is a SharePoint Server RCE that attackers are already targeting β the window between disclosure and active exploitation is measured in days, not weeks. CVE-2026-33825 ("BlueHammer") is a Windows Defender privilege escalation with public exploit code. Three vulnerabilities were publicly disclosed before patches were released, a pattern that significantly raises exploitation risk.</p>
<p><strong>SMB impact:</strong> Any SMB running SharePoint Server (on-premises or hosted) needs to patch CVE-2026-32201 before the weekend. BlueHammer affects Windows Defender endpoints across the organization. The 200-CVE month means your patch management process needs to prioritize, not batch.</p>
<ul>
<li><strong>Action:</strong> Patch SharePoint Server first β CVE-2026-32201 has active targeting.</li>
<li><strong>Action:</strong> Patch Windows endpoints to close BlueHammer (CVE-2026-33825).</li>
<li><strong>Action:</strong> Run our free <a href="/tools/vulnerability-scanner">Vulnerability Scanner β</a> to prioritize this month's patches by exposure.</li>
</ul>
<h2>5. SolarWinds Serv-U DoS Added to CISA KEV β Active Exploitation Confirmed (CVE-2026-28318)</h2>
<p>CISA added CVE-2026-28318 (SolarWinds Serv-U uncontrolled resource consumption) to the Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. The flaw allows unauthenticated attackers to crash the Serv-U file server via specially crafted POST requests using the Content-Encoding: deflate header. It's a DoS, not an RCE β but a file server going down during a transaction is a real business impact.</p>
<p><strong>SMB impact:</strong> If you run SolarWinds Serv-U as your file transfer server, verify it's patched to version 15.2.5 HF2 or later. If patching is not immediate, isolate Serv-U from direct external access.</p>
<ul>
<li><strong>Action:</strong> Upgrade SolarWinds Serv-U to 15.2.5 HF2 or newer.</li>
<li><strong>Action:</strong> Audit firewall rules for port 22/TCP and 443/TCP access to Serv-U from external IPs.</li>
</ul>
<h2>Your Action Items This Week</h2>
<ol>
<li><strong>Patch Check Point VPN</strong> β Apply SK185033 hotfix. Disable IKEv1 as interim mitigation. Highest priority.</li>
<li><strong>Isolate Cisco SD-WAN Manager from public internet</strong> β No patch yet, active exploitation confirmed.</li>
<li><strong>Audit Microsoft open-source dependencies</strong> β Check for Azure/Microsoft GitHub packages in your dependency tree.</li>
<li><strong>Patch SharePoint Server</strong> β CVE-2026-32201 has active targeting, patch before the weekend.</li>
<li><strong>Patch Windows Defender</strong> β Close BlueHammer (CVE-2026-33825), exploit code is public.</li>
<li><strong>Upgrade SolarWinds Serv-U</strong> β CVE-2026-28318 added to CISA KEV.</li>
</ol>
<h2>Run Your Free Assessment</h2>
<p>If you don't know your exposure across these vulnerabilities, run our free Security Audit. It checks your external attack surface and gives you a concrete risk score β no credit card required.</p>
<p><em>Cyber Pulse is published weekly. Subscribe to get the briefing delivered to your inbox every Monday morning.</em></p>
β‘ Run The Cyber Pulse Stack
Get a personalized security brief covering your specific threats, compliance gaps, and insurance readiness β emailed, texted, or as a PDF.