ServiceNow tells customers a bug left some of their data exposed to the internet
Cloud platform giant ServiceNow has notified enterprise customers that a software bug allowed unauthenticated users to read data stored in customer instances. The flaw, patched on June 5, was an API endpoint configured with authentication disabled, so anyone on the internet could query sensitive customer data, including IT support tickets, employee records, and credentials embedded in ticket descriptions. ServiceNow says the exposure primarily affected Australian instances, but customers outside Australia have reported finding evidence of external access in their logs and have shared an IP address (51.159.98.241) as a potential indicator of compromise. The company later clarified that the activity it observed came from security researchers probing for bug bounty submissions rather than malicious actors, though the scope of any genuine attacker access remains unclear.
New Windows Zero-Day Exploit ‘RoguePlanet’ Released
A security researcher known as Nightmare Eclipse has dropped yet another Windows zero-day just hours after Microsoft shipped its June 2026 Patch Tuesday updates. This one is a proof-of-concept exploit dubbed RoguePlanet that abuses a race condition in Microsoft Defender to escalate privileges to SYSTEM on fully patched Windows 10 and 11 machines. Multiple security researchers have independently confirmed that the exploit can spawn a SYSTEM-level command prompt, though its reliability varies across hardware configurations. RoguePlanet is the latest in a series of public zero-days from the same researcher, following BlueHammer, RedSun, GreenPlasma, and YellowKey, released as part of an ongoing dispute with Microsoft over its vulnerability disclosure and bug bounty practices. Microsoft fixed the vulnerabilities behind two of the earlier exploits (GreenPlasma and YellowKey, tracked as CVE-2026-45586 and CVE-2026-50507) in this month's Patch Tuesday, but the new exploit has already been published to GitHub under a fresh account after Microsoft suspended the researcher's original account.
SAP fixes critical flaws in NetWeaver and Commerce Cloud
SAP's June 2026 Security Patch Day addressed 15 vulnerabilities across its product portfolio, including four critical flaws in its core enterprise platforms. The most severe, CVE-2026-44748 (CVSS 9.9), is an XML Signature Wrapping flaw in SAP NetWeaver AS ABAP and ABAP Platform that lets an authenticated attacker with normal privileges bypass SAML authentication by forging identity information in signed XML documents; in this class of bug, a validly signed element is left intact while the identity data the consumer actually reads is supplied in an unsigned element. CVE-2026-27671 (CVSS 9.8) is an unauthenticated memory corruption issue in the SAP Kernel that can be triggered via crafted RFC requests. The two remaining critical flaws are a Spring Security vulnerability affecting Commerce Cloud and Data Hub, and a directory traversal issue in NetWeaver's Java Web Container. SAP says details and workarounds are only available to customers with a security portal account, but strongly advises prioritizing the SAML bypass and memory corruption patches given their potential for unauthorized access in enterprise environments.
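The XML Signature Wrapping class that CVE-2026-44748 falls into is easiest to see in code. The following is an added example written for this digest; it is not SAP's code and does not reproduce the NetWeaver flaw itself. It stands in HMAC-SHA256 over the referenced element for real XML-DSig so that it runs offline on the Python standard library, and the signing key, assertion IDs and NameID values are all constructed. The vulnerable consumer verifies a signature and then reads the identity from the first Assertion in document order; the hardened one reads identity only from the element the signature was verified over.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed key standing in for the IdP's signing key. HMAC-SHA256 replaces
# XML-DSig here (an assumption so the example runs offline on the stdlib).
IDP_KEY = b"constructed-idp-signing-key"

def _q(prefix, local):
    return f"{{{NS[prefix]}}}{local}"  # Clark notation for ElementTree

def _canon(elem):
    """Stand-in for C14N: deterministic serialization of one element subtree."""
    return ET.tostring(elem, encoding="unicode").encode()

def _digest(assertion):
    """Toy signature over an Assertion with its own ds:Signature removed,
    as the enveloped-signature transform does in real XML-DSig."""
    a = copy.deepcopy(assertion)
    for sig in a.findall("ds:Signature", NS):
        a.remove(sig)
    return hmac.new(IDP_KEY, _canon(a), hashlib.sha256).hexdigest()

def build_signed_response(assertion_id, name_id):
    """What the IdP issues: one signed Assertion, Reference URI pointing at its ID."""
    resp = ET.Element(_q("samlp", "Response"))
    a = ET.SubElement(resp, _q("saml", "Assertion"), {"ID": assertion_id})
    subj = ET.SubElement(a, _q("saml", "Subject"))
    ET.SubElement(subj, _q("saml", "NameID")).text = name_id
    sig = ET.SubElement(a, _q("ds", "Signature"))
    ET.SubElement(sig, _q("ds", "Reference"), {"URI": "#" + assertion_id})
    ET.SubElement(sig, _q("ds", "SignatureValue")).text = _digest(a)
    return ET.tostring(resp, encoding="unicode")

def wrap_attack(signed_response, attacker_name_id):
    """XSW: leave the validly signed Assertion intact, prepend an unsigned one."""
    root = ET.fromstring(signed_response)
    evil = ET.Element(_q("saml", "Assertion"), {"ID": "_evil"})
    subj = ET.SubElement(evil, _q("saml", "Subject"))
    ET.SubElement(subj, _q("saml", "NameID")).text = attacker_name_id
    root.insert(0, evil)
    return ET.tostring(root, encoding="unicode")

def _resolve_reference(root, sig):
    """Resolve ds:Reference URI="#id" to exactly one element of this document."""
    uri = sig.find("ds:Reference", NS).get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are accepted")
    targets = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(targets) != 1:
        raise ValueError("referenced ID must exist exactly once")
    return targets[0]

def _verify(assertion, sig):
    expected = sig.find("ds:SignatureValue", NS).text or ""
    if not hmac.compare_digest(expected, _digest(assertion)):
        raise ValueError("signature does not verify")

def naive_consume(response_xml):
    """Vulnerable: verifies *a* signature, then trusts the first Assertion found."""
    root = ET.fromstring(response_xml)
    sig = root.find(".//ds:Signature", NS)
    _verify(_resolve_reference(root, sig), sig)  # passes: signed element untouched
    return root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS).text

def hardened_consume(response_xml):
    """Reads identity only from the element the signature was verified over."""
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    sig = a.find("ds:Signature", NS)  # Signature must be a direct child
    if sig is None or _resolve_reference(root, sig) is not a:
        raise ValueError("Assertion is not the element the signature covers")
    _verify(a, sig)
    return a.find("saml:Subject/saml:NameID", NS).text

if __name__ == "__main__":
    legit = build_signed_response("_legit", "alice@example.com")
    forged = wrap_attack(legit, "admin@example.com")
    print("naive, legit    :", naive_consume(legit))
    print("naive, forged   :", naive_consume(forged))  # attacker's identity accepted
    print("hardened, legit :", hardened_consume(legit))
    try:
        hardened_consume(forged)
    except ValueError as exc:
        print("hardened, forged: rejected,", exc)
```

The signature check in the naive consumer is not wrong in itself: the signed Assertion is untouched, so its digest still matches. The bypass lives entirely in the gap between the element that was verified and the element that was read. The hardened consumer closes that gap by requiring exactly one Assertion, requiring the Signature to be a direct child of it, requiring the Reference URI to resolve to that same element and to no other, and taking the NameID from that element only. With a real XML-DSig library the same four checks apply; the library verifies bytes, and the application still has to make sure it consumes the bytes that were verified.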
Google Releases Patch for Chrome Vulnerability Exploited in the Wild
Google has pushed an emergency update patching 74 Chrome vulnerabilities, including CVE-2026-11645, a high-severity out-of-bounds read and write flaw in the V8 JavaScript engine that Google confirms is being actively exploited in the wild. It is the fifth Chrome zero-day exploited in 2026 so far; the vulnerability carries a CVSS score of 8.8 and allows a remote attacker to execute arbitrary code inside the browser sandbox via a crafted HTML page. The fix ships in Chrome 149.0.7827.102/103 for Windows and macOS and will roll out to users over the coming days. Google awarded the reporting researcher, identified only as "303f06e3," a $55,000 bug bounty for the April 27 disclosure; as is standard practice, technical details of the exploitation are being withheld until the majority of users have applied the patch.
Qilin ransomware affiliate exploited Check Point VPN zero-day (CVE-2026-50751)
Check Point has disclosed that a Qilin ransomware affiliate exploited CVE-2026-50751, an authentication bypass zero-day in its VPN Remote Access and Mobile Access solutions, to establish remote access VPN connections without valid credentials. The vulnerability affects Security Gateways configured to use the deprecated IKEv1 key exchange protocol and allows an unauthenticated remote attacker to bypass user authentication entirely. Check Point says it first observed suspicious activity on June 4, 2026, though the earliest known attacks date to early May; exploitation attempts increased sharply in early June and have so far targeted a few dozen organizations globally. The threat actor used dedicated VPS infrastructure hosted across Kaupo Cloud HK, Shock Hosting, and Vultr and relied on Rclone for data exfiltration; it is also suspected of exploiting related VPN vulnerabilities in Palo Alto, Fortinet, and F5 products. Customers are urged to upgrade immediately or, as a workaround, disable IKEv1 and enforce machine certificate requirements on their gateways.