AI Weakly #06 - Ten years undetected. How long have you been counting?
AI Weakly is the weekly newsletter for those who make decisions on AI and security without time to waste. Every Tuesday: the facts that matter without the noise.
Issue #6
Top Story —
This week exposed a cascading authentication crisis: Chinese APTs maintained a decade-long auth compromise, Linux PAM backdoors evaded detection for nearly 10 years, and Microsoft Defender itself became a privilege escalation vector to SYSTEM access. Meanwhile, CISA accelerated federal patching timelines to 3 days for critical flaws, and active exploits of Ivanti, Splunk, and LiteLLM hit production within hours of disclosure. The message is unambiguous: if your identity and access management layer is compromised, your entire security posture is theater.
Weakly Digest —
01 —
Chinese APT Maintained Decade-Long Auth Compromise with Full Administrative Access
🔴 Critical / APT / Active Persistence
Chinese threat actors compromised an organization's authentication infrastructure and maintained undetected access for a decade with full administrative visibility. The incident demonstrates that critical IAM vulnerabilities give an attacker complete insider-threat capability, enable data exfiltration, and create regulatory breach liability across all dependent systems.
EDITOR’S NOTE
Audit your entire authentication stack immediately—PAM, LDAP, Kerberos, SSO providers, MFA implementations. If you haven't implemented real-time anomaly detection on auth events and admin account access, you're operating blind. Assume compromise and conduct authentication forensics across your environment dating back 2+ years.
02 —
CISA Issues 3-Day Patch Mandate for Critical Ivanti Flaw Under Active Exploitation
🔴 Critical / CISA BOD / Active Exploit
CISA issued Binding Operational Directive 26-04 requiring federal agencies to patch an actively exploited Ivanti Sentry vulnerability within 72 hours. The directive reflects critical infrastructure risk and signals elevated threat severity warranting immediate enterprise attention.
EDITOR’S NOTE
This is not advisory—this is enforcement. Treat CISA BODs as mandatory operational requirements. Activate your incident response team now if you run Ivanti products. The 3-day window is your reality; if you can't patch in that timeframe, implement network segmentation and enhanced monitoring immediately. This will cascade to private sector expectations.
03 —
Critical Splunk Enterprise RCE (CVE-2026-20253) Allows Unauthenticated Code Execution
🔴 Critical / RCE / CVSS 9.8
Splunk patched CVE-2026-20253, a CVSS 9.8 RCE vulnerability in Splunk Enterprise allowing unauthenticated attackers to execute arbitrary code and perform unauthorized file operations. Affected versions below 10.2.4 and 10.0.7 require immediate patching.
EDITOR’S NOTE
Splunk is your security backbone—compromise it and your entire detection infrastructure is compromised. Patch 10.2.4+ and 10.0.7+ immediately across all instances. Simultaneously deploy network-level access controls restricting Splunk API exposure. Assume attacker reconnaissance of your Splunk endpoints and conduct forensic analysis of API logs for the past 90 days.
04 —
Microsoft Defender Zero-Day (RoguePlanet) Grants SYSTEM Access on Updated Windows
🔴 Critical / Zero-Day / Privilege Escalation
RoguePlanet, a zero-day in Microsoft Defender, enables attackers to achieve SYSTEM-level access on fully updated Windows systems by exploiting a race condition. Public proof-of-concept code with a 100% success rate has been released.
EDITOR’S NOTE
Your endpoint security is the attack surface. Treat this as critical: deploy the emergency Windows update immediately when available. Implement behavior monitoring for Defender processes spawning child processes with elevated privileges. Conduct threat hunting for RoguePlanet exploitation indicators across your Windows fleet. Consider interim EDR supplementation until patch deployment is verified.
05 —
China-Linked Velvet Ant APT Backdoored Linux PAM for Nearly a Decade
🔴 Critical / APT / Linux Authentication Backdoor
The Velvet Ant threat group maintained nearly 10 years of undetected access in enterprise Linux systems by backdooring PAM and OpenSSH authentication components, evading standard remediation efforts. This sophisticated persistence technique demonstrates advanced targeting of critical authentication layers.
EDITOR’S NOTE
Linux authentication compromise is invisible to most security stacks. Audit PAM configurations, SSH key management, and sudoers files across all Linux infrastructure immediately. Deploy file integrity monitoring (AIDE, Samhain) on authentication binaries (/bin/login, /usr/sbin/sshd, PAM modules). Implement centralized logging of all authentication events with anomaly detection. This is as critical as the Windows Defender finding.
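To make the file integrity monitoring advice above concrete, here is an added example (not from the newsletter, AIDE or Samhain) of the baseline-and-compare check such tools perform on authentication files. The watch list beyond /bin/login and /usr/sbin/sshd and the function names fingerprint, snapshot and diff are assumptions chosen for illustration.

```python
import hashlib
import os
import stat
from pathlib import Path

# Assumed watch list: the two binaries named in the note plus common PAM config
# and module directories; adjust for your distribution.
WATCH = ["/bin/login", "/usr/sbin/sshd", "/etc/pam.d", "/lib/security",
         "/lib64/security", "/usr/lib/x86_64-linux-gnu/security"]

def fingerprint(path):
    """Hash the content and record the metadata a file swap would disturb."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # Record the link target: repointing a symlink changes what gets
        # loaded without touching the file it used to reference.
        return {"link": os.readlink(path)}
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid}

def snapshot(roots):
    """Fingerprint every file under the given files/directories."""
    snap = {}
    for root in map(Path, roots):
        if root.is_dir() and not root.is_symlink():
            files = [p for p in root.rglob("*") if p.is_symlink() or p.is_file()]
        else:
            files = [root] if os.path.lexists(root) else []  # skip absent paths
        for p in files:
            snap[str(p)] = fingerprint(p)
    return snap

def diff(baseline, current):
    """Return (kind, path) findings: 'modified', 'added' or 'removed'."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append(("removed", path))
        elif path not in baseline:
            findings.append(("added", path))
        elif baseline[path] != current[path]:
            findings.append(("modified", path))
    return findings
```

Take the baseline with snapshot(WATCH) on a host you trust and store it off the host, since anyone with root on the monitored machine can rewrite a local baseline. Any finding that does not line up with a package update you performed warrants investigation.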
Also worth reading —
LiteLLM RCE (CVE-2026-42271) Added to CISA KEV Catalog—Active Exploitation Confirmed — If you use LiteLLM as an LLM proxy layer, patch immediately and audit your LLM integration architecture for other supply chain risks.
US Government Orders Anthropic to Suspend Claude Model Access for Foreign Nationals — Evaluate your AI vendor compliance and export control posture—government enforcement actions will accelerate and cascade across vendor ecosystems.
Microsoft Exchange Email Spoofing Flaw (Ghost-Sender) Exploited in Wild — Implement DMARC/SPF/DKIM enforcement and audit mail flow rules for anomalies indicating spoofing infrastructure.
Miasma Supply Chain Worm Injected Malicious Code Into 73 Microsoft Repositories — Conduct dependency audit across your software supply chain—if you consume Microsoft packages, verify integrity and audit build pipelines for compromise.
