
This is not a “patch one thing and relax” week. This is a “prove what is exposed and fix what matters first” week.

Let’s dive in.

Veeam Backup RCE Exposes Domain-Joined Backup Servers

Risk Level: Critical

Business Impact: Backup server compromise can become ransomware acceleration, credential theft, backup destruction, and full recovery failure.

What You Need to Know

Veeam released fixes for CVE-2026-44963, a critical Backup & Replication flaw that allows remote code execution on the backup server by an authenticated domain user. The vendor confirms the issue affects version 12 builds when the backup server is domain-joined, with details in the official Veeam advisory and the NHS Digital cyber alert.

Why This Matters

  • Backup systems are recovery infrastructure, not normal servers.

  • Domain-joined backup servers are a gift to ransomware crews.

  • If backup infrastructure falls, your recovery plan becomes a theory.

Executive Actions

🩹 Patch Veeam immediately and verify the running build is fixed.

🔒 Remove Veeam servers from the domain where feasible, following backup security best practices.

🔐 Restrict access to backup consoles, repositories, and service accounts.

🧯 Validate immutable/offline backups and test restore paths now, not during the incident.

Check Point VPN Zero-Day Exploited by Ransomware Affiliates

Risk Level: Critical

Business Impact: VPN authentication bypass can give attackers remote access into internal networks and create a direct path to ransomware staging.

What You Need to Know

Check Point confirmed active exploitation of CVE-2026-50751, an authentication bypass affecting Remote Access VPN and Mobile Access deployments using deprecated IKEv1. The flaw allows attackers to establish VPN sessions without a valid password, with Check Point documenting the issue in its security advisory, Rapid7 outlining the exposure conditions in its technical analysis, and SecurityWeek reporting the Qilin ransomware connection in its incident coverage.

Why This Matters

  • VPN compromise is still one of the cleanest paths into an enterprise.

  • Deprecated protocols are not “legacy support,” they are exposure debt.

  • Ransomware crews move quickly once remote access is established.

Executive Actions

🧯 Patch Check Point gateways immediately and validate configuration status.

🔒 Disable IKEv1 and require modern VPN authentication controls.

🔐 Enforce machine certificates and MFA for remote access.

🕵️ Hunt for anomalous VPN sessions, new source geos, and unusual post-login activity.
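One way to run the hunt described in the last action, as an added example that is not part of the newsletter or of any Check Point tooling: it walks gateway session logs and flags sessions negotiated with deprecated IKEv1, sessions without MFA, and logins from a source country outside the user's baseline. The log format, the sample lines and the baseline table are all constructed for this example; a real gateway exports different field names.

```python
"""Hunt over VPN gateway session logs for the signals named above:
sessions negotiated with deprecated IKEv1, logins without MFA, and
logins from a source country not in the user's baseline.
The log format and every line below are constructed for this example."""
from collections import defaultdict

# Constructed sample log: one session per line, key=value fields after the timestamp.
SAMPLE_LOG = """\
2026-06-09T08:01:10Z user=alice src=203.0.113.10 geo=US ike=IKEv2 mfa=yes
2026-06-09T08:05:42Z user=bob src=198.51.100.7 geo=US ike=IKEv2 mfa=yes
2026-06-09T22:14:03Z user=alice src=192.0.2.55 geo=RU ike=IKEv1 mfa=no
2026-06-10T03:30:00Z user=svc-backup src=192.0.2.99 geo=DE ike=IKEv1 mfa=no
2026-06-10T09:00:00Z user=bob src=198.51.100.7 geo=US ike=IKEv2 mfa=yes
"""

# Constructed 30-day baseline of source countries per user.
BASELINE_GEOS = {"alice": {"US"}, "bob": {"US"}}


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict; raises on a malformed field."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def hunt_vpn_sessions(log_text, baseline):
    """Return (timestamp, user, [reasons]) for every session that trips a rule."""
    seen = defaultdict(set, {u: set(g) for u, g in baseline.items()})
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = []
        if ev.get("ike") == "IKEv1":
            reasons.append("deprecated IKEv1 negotiation")
        if ev.get("mfa") != "yes":
            reasons.append("session without MFA")
        geo = ev.get("geo", "?")
        if geo not in seen[ev["user"]]:
            reasons.append(f"new source geo {geo}")
        seen[ev["user"]].add(geo)  # later sessions from the same geo are no longer "new"
        if reasons:
            findings.append((ev["ts"], ev["user"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, reasons in hunt_vpn_sessions(SAMPLE_LOG, BASELINE_GEOS):
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

A user absent from the baseline (the service account above) has every geo treated as new, which is the right default for accounts that should not be dialing in at all.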

Chrome V8 Zero-Day Exploited in the Wild

Risk Level: Critical

Business Impact: Browser exploitation can lead to arbitrary code execution, session theft, and credential exposure across high-value users.

What You Need to Know

Google released emergency Chrome updates for CVE-2026-11645, an actively exploited V8 out-of-bounds memory access issue. Google confirms exploitation exists in the wild in the official Chrome release notes, while Help Net Security summarizes the operational impact and update urgency in its Chrome zero-day report.

Why This Matters

  • The browser is where business happens now.

  • Session theft often beats password controls and MFA friction.

  • Exploited Chrome zero-days punish “auto-update will handle it eventually” thinking.

Executive Actions

🧩 Force Chrome updates and verify actual installed versions.

🔐 Tighten browser extension allowlisting and restrict risky downloads.

🕵️ Monitor for browser-spawned child processes and unusual credential access.

👑 Prioritize executives, admins, finance, HR, and developers for compliance checks.

Leadership Insight:

This week is not about one category of technology. It is about systems that multiply impact.

Backup servers determine recovery. VPN gateways determine access. Browsers hold sessions. Python packages touch build pipelines. Archive tools execute user-driven payloads. Microsoft patch cycles define endpoint exposure.

The executive priority is simple: patch what is exposed, verify what is fixed, rotate what may be stolen, and stop treating support systems like second-class security assets.


Microsoft June Patch Tuesday Hits Record Volume

Risk Level: High

Business Impact: Large patch bundles create triage pressure across Windows, Office, SharePoint, Exchange, Azure, and endpoint fleets.

What You Need to Know

Microsoft’s June Patch Tuesday landed with a record-breaking patch load, including more than 200 CVEs and multiple publicly disclosed zero-days. Dark Reading’s Patch Tuesday analysis highlights priority issues including Windows CTFMON privilege escalation, Windows HTTP.sys remote code execution, Windows DHCP Client exposure, and BitLocker bypass concerns.

Why This Matters

  • Big patch months create missed-asset risk.

  • Public disclosure compresses the attacker timeline.

  • Patch volume is increasing, and organizations need prioritization discipline.

Executive Actions

🩹 Patch priority fleets first: execs, admins, finance, developers, and internet-facing servers.

📊 Require a 48-hour compliance snapshot for high-risk systems.

🔎 Hunt for exploitation on systems delayed by compatibility or maintenance windows.

🧱 Reduce blast radius with least privilege, segmentation, and stronger endpoint hardening.

Hades PyPI Campaign Pushes Shai-Hulud Style Credential Theft

Risk Level: High

Business Impact: Poisoned Python packages can steal cloud credentials, developer tokens, CI/CD secrets, and package publishing access.

What You Need to Know

The Hades campaign is a PyPI-focused branch of the Mini Shai-Hulud and Miasma supply chain lineage, using malicious Python wheels and startup hooks to execute credential-stealing payloads before normal package use. Dark Reading covers the campaign in its Hades PyPI report, Orca details how the packages harvest cloud credentials in its supply chain analysis, and Endor Labs breaks down the bioinformatics package impact in its Hades wave write-up.

Why This Matters

  • Package installation can become code execution before anyone imports the library.

  • Developer and CI/CD environments are credential-rich by design.

  • One compromised token can become many poisoned packages.

Executive Actions

📦 Audit PyPI dependencies installed in the last week, especially developer and CI environments.

🔑 Rotate cloud, GitHub, PyPI, and CI/CD tokens exposed to affected systems.

🧱 Restrict CI runner egress and limit what secrets each job can access.

🧪 Enforce dependency allowlists, package pinning, and publisher verification.
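As an added example, not code from the newsletter or from any of the vendors it cites, the audit below covers the first action in this list: it lists packages installed within the last week and scans a site-packages directory for startup hooks. Python executes any line beginning with `import` in a `.pth` file at every interpreter start, so a package can run code before anything imports it; treating that as the "startup hook" mechanism is an assumption here, as the newsletter does not say which hook the campaign uses. The directory layout, package names and file contents are constructed in a temporary directory.

```python
"""Audit a site-packages directory for recent installs and startup hooks.
Python runs any 'import ...' line in a .pth file at interpreter startup,
so a package can execute code before it is ever imported (assumed hook
mechanism). The directory tree and file contents are constructed."""
import os
import re
import tempfile
import time
from pathlib import Path

# Keywords that make an import-line hook worth treating as high severity.
RISKY = re.compile(r"\b(exec|eval|compile|base64|subprocess|socket|urllib|requests|os\.system)\b")


def scan_pth_hooks(site_packages):
    """Return one finding per .pth line that executes code at interpreter startup."""
    findings = []
    for pth in sorted(Path(site_packages).glob("*.pth")):
        for lineno, line in enumerate(pth.read_text(errors="replace").splitlines(), 1):
            if line.startswith("import"):
                severity = "high" if RISKY.search(line) else "review"
                findings.append({"file": pth.name, "line": lineno,
                                 "severity": severity, "text": line.strip()})
    return findings


def recent_installs(site_packages, days=7, now=None):
    """Names of dist-info directories modified within the last `days` days.
    Directory mtime is a heuristic for install time, not pip's own record."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    return sorted(d.name[:-len(".dist-info")]
                  for d in Path(site_packages).glob("*.dist-info")
                  if d.stat().st_mtime >= cutoff)


def build_sample_site_packages():
    """Constructed site-packages tree: one fresh install, one month-old install,
    a benign path-only .pth, and a .pth whose import line decodes and runs data."""
    root = Path(tempfile.mkdtemp(prefix="audit_sp_"))
    (root / "fresh-lib-1.0.dist-info").mkdir()
    old = root / "old-lib-2.3.dist-info"
    old.mkdir()
    month_ago = time.time() - 30 * 86400
    os.utime(old, (month_ago, month_ago))
    (root / "fresh-lib.pth").write_text("/opt/fresh-lib/src\n")
    # Constructed indicator only; the payload is a placeholder and is never executed here.
    (root / "zzz_hook.pth").write_text(
        "import base64, subprocess; exec(base64.b64decode(b'PLACEHOLDER'))\n")
    return root


if __name__ == "__main__":
    root = build_sample_site_packages()
    print("installed in last 7 days:", recent_installs(root))
    for hit in scan_pth_hooks(root):
        print(f"[{hit['severity']}] {hit['file']}:{hit['line']} {hit['text']}")
```

Legitimate tooling (editable installs, some packaging shims) also ships import-line `.pth` files, which is why the scan reports those as "review" rather than suppressing them; the severity bump comes only from decode-and-execute or network keywords on the same line.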

Russia-Aligned Campaigns Keep Exploiting Old WinRAR Flaw

Risk Level: High

Business Impact: Malicious archives can enable code execution, credential theft, persistence, and espionage activity through files users are trained to open.

What You Need to Know

Trend Micro reports that two Russia-aligned campaigns are still exploiting CVE-2025-8088, a WinRAR path traversal flaw patched last year, to target Ukrainian organizations with data theft and espionage tooling. Trend Micro explains the unmanaged software risk in its WinRAR campaign report, while Dark Reading covers the renewed exploitation against military and government targets in its Ukraine-focused analysis.

Why This Matters

  • Archive files remain a reliable delivery method because they look routine.

  • Unmanaged desktop software creates long-lived exposure after patches exist.

  • Espionage actors prioritize persistence and quiet data collection.

Executive Actions

🧩 Patch WinRAR and archive tools across managed endpoints.

📎 Block or sandbox high-risk archive attachments.

🕵️ Hunt for suspicious extraction behavior, Startup folder writes, and new persistence.

🔐 Prioritize users handling legal, government, defense, finance, or operational data.
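The two endpoint hunts called out in this week's actions (browser-spawned child processes under the Chrome item, and extraction behaviour writing into the Startup folder under the WinRAR item) share the same shape, so one added example serves both. It is not code from the newsletter or from any vendor named in it; the event schema, hostnames, paths and command lines are constructed, and the rule sets are assumptions about what a first-pass hunt should match.

```python
"""Two endpoint hunts over constructed telemetry: a browser process spawning a
shell or script interpreter, and an archive tool writing into a Startup folder.
The event schema, hosts and paths are constructed for this example."""
import re
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7z.exe", "unrar.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def hunt_endpoint_events(events):
    """Return (host, rule, detail) for every event that matches a hunt rule."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            parent, child = image_name(ev["parent"]), image_name(ev["image"])
            if parent in BROWSERS and child in INTERPRETERS:
                findings.append((ev["host"], "browser_spawned_interpreter",
                                 f"{parent} -> {child}: {ev['cmdline']}"))
        elif ev["type"] == "file_write":
            writer = image_name(ev["image"])
            if writer in ARCHIVERS and STARTUP_DIR.search(ev["path"]):
                findings.append((ev["host"], "archiver_wrote_startup_folder",
                                 f"{writer} wrote {ev['path']}"))
    return findings


# Constructed sample events in the style of process-create and file-create records.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-finance-07",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command <constructed placeholder>"},
    {"type": "process", "host": "ws-finance-07",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --type=renderer"},
    {"type": "file_write", "host": "ws-legal-02",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "path": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"type": "file_write", "host": "ws-legal-02",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "path": r"C:\Users\jdoe\Downloads\contract\contract.pdf"},
]

if __name__ == "__main__":
    for host, rule, detail in hunt_endpoint_events(SAMPLE_EVENTS):
        print(f"{host} [{rule}] {detail}")
```

The renderer spawn and the ordinary PDF extraction fall through both rules, which is the point of keying on parent/child image pairs and on the Startup path rather than on the browser or archiver alone.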

⚙️ Immediate Leadership Checklist ⚙️

🧯 Patch Veeam, Check Point VPN, Chrome, Microsoft June updates, PyPI dependencies, and WinRAR based on exposure

🔒 Remove deprecated VPN protocols and harden remote access paths

🔐 Rotate credentials tied to backup servers, VPNs, CI/CD systems, and developer environments

🧩 Verify browser patching for execs, admins, finance, HR, and developers

📦 Audit package installs and enforce dependency controls in build pipelines

🧪 Test backup recovery paths after Veeam patching and credential review

💡 If your backup server, VPN, browser, package manager, and archive tool all need attention in the same week, that is not chaos. That is the threat model introducing itself. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)
