Five items require action from Indian defenders this week: an on-premises SharePoint flaw under active exploitation with a 4 July patch deadline, APT36 escalating its Linux campaign against Indian government systems, Cisco ASA and Firepower backdoors that survive firmware updates and software reboots, a GlobalProtect authentication bypass enabling unauthorised VPN sessions, and a DPRK-linked macOS backdoor that injects false error data to degrade AI-assisted malware analysis.
1HighCVSS 8.8
Microsoft SharePoint Server Remote Code Execution — CVE-2026-45659
A deserialization flaw in Microsoft SharePoint Server allows an authenticated attacker with Site Member permissions — a low access threshold — to execute arbitrary code on the server without requiring administrative privileges. CISA added CVE-2026-45659 (CVSS 8.8) to its Known Exploited Vulnerabilities catalog on 1 July 2026, with a federal remediation deadline of 4 July 2026. Active exploitation is confirmed; SharePoint Online is not affected. Only on-premises installations are at risk: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.
India exposureOn-premises SharePoint deployments are common across Indian BFSI institutions, central and state government departments, public sector undertakings, and large enterprises. Organisations that delayed May 2026 patching should treat this as an emergency item.
ActionApply Microsoft's May 2026 out-of-band update immediately. Review active Site Member accounts for unexpected additions, scan for web shells and anomalous child processes from SharePoint and IIS worker processes, and validate clean backups before patching. Restrict internet-facing SharePoint farms to known IP ranges where feasible.
SourceCISA Known Exploited Vulnerabilities catalog, 1 July 2026; The Hacker News, 1–2 July 2026; The Register, 2 July 2026.
2
APT36 Expands to BOSS Linux — Indian Government Endpoints Directly Targeted
Pakistan-linked APT36 (Transparent Tribe), historically focused on Windows environments, has extended its operations to India's Bharat Operating System Solutions (BOSS) — the Debian-based national Linux distribution deployed across Indian government offices. The campaign delivers phishing emails with ZIP archives containing weaponised .desktop shortcut files. When opened, these files execute a hidden ELF payload while displaying a decoy security advisory document to the user. The malware deploys Geta RAT, which supports credential collection, screenshot capture, file operations, clipboard manipulation, and remote shell command execution. The campaign reflects convergence with SideCopy tradecraft documented by Seqrite Labs and has intensified in the geopolitical context following Operation Sindoor.
India exposureCentral and state government entities running BOSS Linux. Defence-adjacent organisations, academic institutions, and policy research bodies are consistent secondary targets for this threat cluster.
ActionBlock execution of .desktop files delivered via email and internet-sourced archives. Alert on ELF binaries spawned from within freshly extracted ZIP directories. Ensure EDR coverage extends to BOSS Linux endpoints — Linux coverage gaps in government networks are a documented risk. Brief government Linux administrators on this specific lure format.
FIRESTARTER Backdoor on Cisco ASA and Firepower — Patched Devices May Still Be Compromised
CISA and the UK NCSC jointly published Analysis Report AR26-113A (23 April 2026) confirming that a nation-state APT actor implanted FIRESTARTER, a persistent Linux ELF backdoor, on Cisco Firepower and ASA devices at a U.S. federal civilian agency. Initial access exploited CVE-2025-20333 (CVSS 9.9), an improper input validation vulnerability enabling authenticated remote code execution as root, and CVE-2025-20362. The critical risk for organisations that have already patched: FIRESTARTER hooks into LINA, Cisco's core network processing engine, reinstates itself when signalled to terminate, and survives both firmware updates and software reboots. Only a hard power cycle — physically disconnecting power — removes the implant. Issuing shutdown, reboot, or reload CLI commands does not clear it.
India exposureCisco ASA and Firepower appliances are widely used as perimeter firewalls in Indian BFSI, IT services, government, and critical infrastructure sectors. Organisations that applied patches without performing a hard power cycle may believe themselves remediated when persistence may remain.
ActionVerify whether affected Cisco ASA/FTD hardware was hard power-cycled after patching — not merely rebooted. Run Cisco's FIRESTARTER detection tooling. Where power cycle completion cannot be confirmed, plan device reimaging. Review management access logs, AAA authentication events, and outbound C2 patterns described in CISA AR26-113A.
SourceCISA/NCSC Advisory AR26-113A, 23 April 2026; Help Net Security, 24 April 2026; BleepingComputer, April 2026.
CVE-2026-0257 (CVSS 9.1) is an authentication bypass in the GlobalProtect portal and gateway of PAN-OS. When the same TLS certificate is used for both HTTPS service and authentication override cookies, an attacker can extract the certificate's public key and use it to forge valid session cookies, obtaining an unauthenticated VPN session without credentials. Rapid7 MDR observed exploitation beginning 17 May 2026. CISA added the vulnerability to the KEV catalog on 29 May 2026. Unit 42 notes that while exploitation is confirmed, post-access lateral movement in observed incidents has not yet been definitively attributed; however, the access pathway is open.
India exposurePalo Alto GlobalProtect is a common remote-access VPN platform across Indian IT services, BFSI, and large enterprise environments. Any deployment using a shared certificate for HTTPS service and authentication override cookies is at risk.
ActionApply available PAN-OS patches for GlobalProtect portal and gateway. Either disable the authentication override feature or generate a certificate used exclusively for authentication override, separate from the HTTPS service certificate. Rotate certificate keys. Review VPN session logs from mid-May onwards for sessions from unknown hosts or with atypical access patterns; require MFA revalidation for privileged remote access.
SourcePalo Alto Networks Unit 42, May 2026; Rapid7 MDR, 17 May 2026; CISA KEV, 29 May 2026.
SentinelLABS disclosed macOS.Gaslight on 23 June 2026, attributing the Rust-written backdoor with high confidence to North Korean threat actors. The malware harvests browser credentials from Chrome, Brave, Firefox, and Safari, extracts macOS Keychain data, and routes command-and-control through the Telegram Bot API. Its distinguishing technical characteristic: a 3.5 KB prompt injection payload containing 38 fabricated diagnostic error messages — disk exhaustion alerts, token expiry notices, out-of-memory warnings — designed to push AI-assisted malware analysis tools into aborting or truncating their output. SentinelLABS found the technique did not bypass current production analysis platforms in testing. Earlier North Korean macOS samples carried a single injected message block; Gaslight stacks 38, indicating the operators are actively iterating against real analysis tools.
India exposureDPRK threat actors routinely target cryptocurrency exchanges, fintech companies, IT outsourcing firms, and defence-adjacent technology organisations — all significant sectors in India. Indian security operations teams using AI-assisted triage tools should note that prompt injection techniques targeting analysts, not just sandboxes, are now in active development.
ActionEnforce macOS application signing and notarisation controls. Monitor for Telegram Bot API outbound connections from non-authorised processes. Cross-validate AI-assisted analysis output against traditional static and dynamic methods for any macOS samples containing anomalous text blocks resembling diagnostic output. Prioritise credential rotation following any suspected developer workstation compromise.
SourceSentinelLABS, 23 June 2026; Security Affairs, 23 June 2026; The Hacker News, 26 June 2026.
This week's edge and network security sweep covered Fortinet, Cisco, Palo Alto Networks, Check Point, Juniper, SonicWall, Sophos, Barracuda, WatchGuard, Zscaler, Citrix NetScaler/ADC, Ivanti Connect Secure, F5 BIG-IP, Versa, VMware VeloCloud, Aruba/HPE EdgeConnect, and Seqrite/Quick Heal UTM. Cisco and Palo Alto carry the active exploitation action items this week; the Citrix NetScaler memory overread (CVE-2026-3055, KEV March 2026) remains relevant for any organisation that has not yet applied that patch. The SharePoint KEV deadline and the Cisco FIRESTARTER persistence question are the two items that require immediate verification — not just patch confirmation, but confirmation that the correct remediation steps were completed.