Issuer: Adverse Trace Date issued: 2026-06-08 Version: 1.0
1. Executive summary
Active exploitation of CVE-2026-41089 (Microsoft Windows Netlogon) and CVE-2026-20230 (Cisco Unified Communications Manager) poses an immediate critical risk to EMEA financial services infrastructure, potentially enabling unauthenticated remote code execution and domain controller compromise. Concurrently, supply chain compromises affecting software distributors (Hola) and credential theft campaigns targeting password managers (Dashlane) highlight persistent threats to third-party risk management frameworks. While specific IOCs for the Netlogon exploitation are not yet public, the presence of proof-of-concept code and confirmed active exploitation necessitates immediate patching and network segmentation. Financial institutions must prioritize these vulnerabilities under DORA Article 17 due to their potential to disrupt critical operations and compromise sensitive client data.
2. Regulatory framing
| Regulation | Article | Practical Impact for EMEA Financial Services |
|---|---|---|
| DORA | Art. 17 | Vulnerability Management: Immediate patching of CVE-2026-41089 and CVE-2026-20230 is required to address "known vulnerabilities" in critical ICT systems. |
| DORA | Art. 19 | Incident Reporting: Successful exploitation leading to data exfiltration (e.g., Netlogon RCE) or service disruption triggers major incident reporting thresholds. |
| DORA | Art. 28-30 | ICT Third-Party Risk: Breaches at vendors (e.g., Dashlane, Hola, Sun Life/DentaQuest) require assessment of concentration risk and contractual notification obligations. |
| NIS2 | Art. 21(2)(d) | Supply Chain Security: Mandates verification of security practices among suppliers and service providers, relevant to the Hola supply chain compromise. |
| NIS2 | Art. 23 | Vulnerability Handling: Requires entities to take measures to prevent, detect, and remediate vulnerabilities, specifically addressing the active exploitation of critical flaws. |
3. Attack chain
Confirmed Steps (Based on Source Material): 1. Reconnaissance/Initial Access: Attackers identify targets running vulnerable versions of Microsoft Windows Server (Netlogon) or Cisco Unified Communications Manager (WebDialer enabled). 2. Exploitation (Netlogon): Attackers send crafted network requests exploiting the stack-based buffer overflow in CVE-2026-41089 to achieve remote code execution. 3. Exploitation (Cisco): Attackers leverage CVE-2026-20230 to write files and escalate privileges to root on unauthenticated network-accessible systems. 4. Privilege Escalation: Successful exploitation of Netlogon grants SYSTEM-level control over Active Directory domain controllers. 5. Supply Chain Injection (Hola): Unauthorized executables were pushed via a compromised update mechanism, installed as Windows services, and configured to exclude themselves from Microsoft Defender.
Unconfirmed/Alleged Steps (Explicit Caveat): * Attribution Uncertainty: While Russia's FSB claims foreign intelligence agencies hacked senior officials' mobile devices, specific attribution and technical TTPs for this specific claim remain unverified by independent researchers. * AI-Assisted Evasion: Reports describe an "AI-enabled EDR evasion lab" where LLM-driven agents automate malware testing against EDR vendors; while demonstrated in a lab setting, widespread operational use of this specific automated workflow in the wild is currently assessed as emerging rather than confirmed in active financial sector breaches.
4. Mitigation & containment
P1: Within 24 Hours (Critical) * Patch Microsoft Windows: Apply the June 2026 security updates immediately to all Domain Controllers and member servers to remediate CVE-2026-41089. * Action: Deploy via WSUS or SCCM; verify installation of KB corresponding to June 2026 Cumulative Update. * Patch Cisco UCM: Upgrade Cisco Unified Communications Manager and Session Management Edition to version 14SU6 or interim 15.x COP to fix CVE-2026-20230. * Constraint: If patching is impossible immediately, disable the "WebDialer" service via Cisco Unified Serviceability to mitigate unauthenticated access. * Network Segmentation: Isolate Domain Controllers from untrusted network segments. Restrict SMB (TCP 445) and Netlogon (TCP 135, dynamic RPC) traffic to strictly necessary management subnets.
P2: Within 72 Hours (High) * Audit Third-Party Software: Scan endpoints for the Hola browser. If present, verify version integrity or uninstall if not business-critical. * Check: Look for unauthorized Windows Services created by non-standard installers. * Credential Reset: Force password resets for any accounts associated with Dashlane if brute-force attempts are detected in logs. Review MFA logs for unauthorized device registrations. * EDR Rule Deployment: Deploy detection rules (see Section 6) to identify potential exploitation attempts or post-exploitation behavior.
P3: Within 7 Days (Medium) * Supply Chain Review: Conduct a review of software supply chain risks per DORA Article 28, focusing on vendors with recent disclosed breaches (e.g., password managers, browser vendors). * AI Policy Review: Audit configurations for AI assistants (e.g., Meta AI, Google Gemini) within the corporate environment to ensure they do not have authority to perform account recovery or sensitive data access without strict identity verification.
5. Indicators of compromise
No specific file hashes, IP addresses, or domains for the active Netlogon or Cisco exploits were provided in the source material. The sources describe the nature of the vulnerability and the type of malicious activity (e.g., "crafted HTTP POST requests using a deflate header" for SolarWinds, "unauthorized executable" for Hola) but do not list specific static IOCs for the active campaigns.
No indicators of compromise available in the source material.
6. Detection
While specific hashes are unavailable, the sources provide distinctive behavioral patterns and vulnerability signatures that can be detected.
YARA Rule: Detects potential Hola supply chain miner characteristics (Based on source description: "operated as a cryptominer, installed as a Windows service, and excluded itself from Defender") Note: This rule targets the behavioral description provided; specific strings like "Defender" exclusion logic are generic but highly relevant in this context.
rule AdverseTrace_Hola_SupplyChain_Miner {
meta:
author = "Adverse Trace"
date = "2026-06-08"
reference = "https://research.checkpoint.com/2026/8th-june-threat-intelligence-report/"
description = "Detects characteristics of the Hola supply chain compromise: service installation and Defender exclusion attempts."
strings:
$svc_install = "CreateServiceW" ascii wide
$defender_exclude = "Add-MpPreference" ascii wide
$exclusion_flag = "-ExclusionPath" ascii wide
$miner_behavior = "stratum+tcp://" ascii wide
condition:
(svc_install and (defender_exclude or exclusion_flag)) or miner_behavior
}
Sigma Rule: Detects exploitation attempts of CVE-2026-41089 (Netlogon) (Based on source description: "crafted network requests" targeting Netlogon service) Note: As specific packet payloads are not public, this rule focuses on the service interaction anomaly and potential crash indicators.
title: Potential CVE-2026-41089 Netlogon Exploitation Attempt
id: 8a2b3c4d-5e6f-7g8h-9i0j-k1l2m3n4o5p6
status: experimental
description: Detects anomalous activity targeting the Netlogon service indicative of CVE-2026-41089 exploitation attempts.
author: Adverse Trace
date: 2026/06/08
references:
- https://research.checkpoint.com/2026/8th-june-threat-intelligence-report/
- https://www.securityweek.com/critical-windows-netlogon-vulnerability-in-attackers-crosshairs/
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\lsass.exe'
ParentImage|endswith: '\services.exe'
filter_crash:
EventID: 1001 # Application Error / Crash
TargetImage|endswith: '\lsass.exe'
condition: selection or filter_crash
level: critical
tags:
- attack.initial_access
- attack.t1210
- cve.2026-41089
7. Sources
- Check Point Research, "8th June – Threat Intelligence Report", https://research.checkpoint.com/2026/8th-june-threat-intelligence-report/, 2026-06-08.
- SecurityWeek, "Critical Windows Netlogon Vulnerability in Attackers' Crosshairs", https://www.securityweek.com/critical-windows-netlogon-vulnerability-in-attackers-crosshairs/, 2026-06-08.
- Check Point Research, "25th May – Threat Intelligence Report", https://research.checkpoint.com/2026/25th-may-threat-intelligence-report/, 2026-05-25.
8. Adverse Trace position
We assess the severity of CVE-2026-41089 and CVE-2026-20230 as Critical due to confirmed active exploitation and the potential for full domain compromise without authentication. The impact on EMEA financial services is high, given the ubiquity of Active Directory and Cisco UCM in this sector. The lack of public IOCs for the Netlogon exploit increases the reliance on patching and behavioral detection. Adverse Trace will continue to monitor for the release of specific exploit hashes and network signatures, updating this advisory immediately upon verification of new technical artefacts. Clients are advised to treat the absence of specific IOCs as a temporary window of opportunity for attackers and to prioritize patch deployment over signature-based detection alone.
Published via PulseTrace — Adverse Trace threat intelligence.