Threat Intelligence Brief - Monday, June 1, 2026

Operational threat reporting for defenders who need signal, not noise.

By DevSecOpsDad

Executive Signal

  • CVE-2020-1472 (Zerologon) is under active exploitation — Belgium’s national cybersecurity authority has confirmed in-the-wild attacks. Any unpatched Windows domain controller is at immediate risk of unauthenticated remote code execution and full domain compromise.
  • A 19-year-old Linux kernel flaw (CIFSwitch) now has public PoC code enabling local privilege escalation to root. Working exploit code is public; exploitation timelines are compressing now.
  • PAN-OS is seeing active exploitation this week, adding to concurrent pressure on vulnerability management teams already working Windows and Linux exposure.
  • China-aligned actors (Operation Dragon Weave) are running an active espionage campaign against government, technology, financial, and research sectors using the AdaptixC2 implant. Targeting spans the Czech Republic and Taiwan with sector patterns consistent with broader expansion.
  • AI-assisted phishing and OAuth abuse are active delivery mechanisms this week, with phishing kits impersonating productivity tools and poisoned developer tooling observed in the wild.

Immediate Action Required

1. Patch CVE-2020-1472 (Zerologon) — Windows Netlogon RCE

Active exploitation confirmed. This vulnerability allows unauthenticated remote code execution against Windows domain controllers. Unpatched environments should treat this as a P1 incident response scenario, not a patch cycle item.

  • Affected: Windows domain controllers running unpatched Netlogon
  • Action: Verify patch status across all DCs immediately. Confirm enforcement mode is enabled — compatibility mode is not sufficient.

2. Patch Linux Kernel CIFSwitch Privilege Escalation Flaw

Public PoC is available. Any low-privileged user or process on a vulnerable Linux system can escalate to root. Exposure is highest in multi-tenant environments, container hosts, and shared Linux infrastructure.

  • Affected: Linux Kernel (CIFSwitch component)
  • Action: Identify vulnerable kernel versions across your Linux fleet. Prioritize internet-facing and shared-access systems for immediate patching.

High-Impact Developments

Active Exploitation of Windows Netlogon RCE (CVE-2020-1472)

  • What happened: The Centre for Cybersecurity Belgium confirmed threat actors are actively exploiting CVE-2020-1472, a critical Netlogon vulnerability enabling unauthenticated remote code execution against domain controllers.
  • Why it matters: Zerologon allows full domain controller takeover without credentials. Active exploitation means both opportunistic and targeted actors are scanning for and hitting exposed systems now.
  • Who should care: Security leadership, vulnerability management, IT operations, SOC teams monitoring authentication and DC activity.
  • Recommended action: Confirm patch deployment and Netlogon enforcement mode across all Windows domain controllers. Escalate any unpatched DCs to emergency remediation. Review DC event logs for anomalous Netlogon activity.
  • Confidence: High
  • Search metadata: CVE-2020-1472, T1190, Windows, Microsoft, RCE
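The two checks recommended above (confirm enforcement mode, review DC logs for Netlogon activity) can be scripted against exported data. The following is an added example written for this brief, not code from the author or from Microsoft. It interprets the FullSecureChannelProtection registry value that the Zerologon patch reads (the value is passed in rather than read from a live DC), and it summarizes the System-log event IDs 5827 to 5831 that the patch introduced, using a constructed CSV export whose column layout is an assumption of this example. Which accounts appear in denied events matters: a denied vulnerable connection that claims a DC's own machine account is the shape of an exploitation attempt, while an allowed one (5829) shows the DC is still in compatibility mode.

```python
import csv
import io
import re
from collections import Counter

# Event IDs the CVE-2020-1472 patch added to the System log on domain controllers
# (Microsoft guidance KB4557222). 5829 is the one to hunt for: it means the DC
# let a vulnerable connection through, i.e. it is not in enforcement mode.
NETLOGON_EVENTS = {
    5827: "denied vulnerable connection (machine account)",
    5828: "denied vulnerable connection (trust account)",
    5829: "ALLOWED vulnerable connection (DC not enforcing)",
    5830: "allowed vulnerable connection (machine account, group policy exception)",
    5831: "allowed vulnerable connection (trust account, group policy exception)",
}

ACCOUNT_RE = re.compile(r"(?:SamAccountName|Trust Account): (\S+)")

# Constructed sample export in the CSV shape this example assumes
# (TimeCreated,Id,Computer,Message). Not a real log; hostnames are invented.
SAMPLE_EVENTS = """TimeCreated,Id,Computer,Message
2026-06-01T08:01:11,5829,DC01,The Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: WS-HR-17$ Domain: CORP
2026-06-01T08:01:12,5827,DC02,The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account. Machine SamAccountName: DC01$ Domain: CORP
2026-06-01T08:01:13,5827,DC02,The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account. Machine SamAccountName: DC01$ Domain: CORP
2026-06-01T08:02:00,5831,DC02,The Netlogon service allowed a vulnerable Netlogon secure channel connection because the trust account is allowed by group policy. Trust Account: PARTNER$
2026-06-01T08:03:00,4624,DC01,An account was successfully logged on.
"""


def classify_enforcement(reg_value):
    """Interpret the FullSecureChannelProtection DWORD under
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters.
    The value is read on the DC (reg query / Get-ItemProperty) and passed in;
    this function never touches a registry itself."""
    if reg_value == 1:
        return "enforced"
    if reg_value == 0:
        return "compatibility mode: vulnerable connections allowed, not sufficient"
    return "not set: effective mode depends on patch level, treat as unverified"


def summarize_netlogon_events(csv_text):
    """Count Zerologon-related events per ID, and per account for denied/allowed."""
    counts, allowed, denied = Counter(), Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id = int(row["Id"])
        if event_id not in NETLOGON_EVENTS:
            continue  # unrelated System-log event
        counts[event_id] += 1
        match = ACCOUNT_RE.search(row["Message"])
        account = match.group(1) if match else "<unknown>"
        (denied if event_id in (5827, 5828) else allowed)[account] += 1
    return {"counts": dict(counts), "denied": dict(denied), "allowed": dict(allowed)}


def dc_findings(summary, dc_names):
    """Turn a summary into findings an analyst would escalate."""
    findings = []
    if 5829 in summary["counts"]:
        findings.append("5829 seen: DC is still allowing vulnerable connections; enforcement mode is off")
    dcs = {name.upper().rstrip("$") for name in dc_names}
    for account, n in summary["denied"].items():
        if account.upper().rstrip("$") in dcs:
            # A legacy client shows up under its own name; a denied connection that
            # claims a DC's machine account is what an exploitation attempt looks like.
            findings.append(f"{n} denied attempt(s) claiming DC account {account}: investigate the source")
    for account in summary["allowed"]:
        findings.append(f"vulnerable connection allowed for {account}: fix or retire the client, do not keep the exception")
    return findings


if __name__ == "__main__":
    print(classify_enforcement(0))
    report = summarize_netlogon_events(SAMPLE_EVENTS)
    for finding in dc_findings(report, ["DC01", "DC02"]):
        print("-", finding)
```

On a real DC, export the System log filtered to these IDs (for example with wevtutil or Get-WinEvent) into the CSV layout above, or adapt the reader to your SIEM's export format; the logic does not depend on the transport.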

Linux Kernel CIFSwitch Privilege Escalation — PoC Released

  • What happened: A 19-year-old vulnerability in the Linux kernel’s CIFSwitch component now has public proof-of-concept exploit code, allowing low-privileged users to escalate to root on vulnerable systems.
  • Why it matters: PoC availability compresses exploitation timelines. Linux underpins cloud workloads, containers, CI/CD pipelines, and critical servers. Root access on these systems enables lateral movement, data exfiltration, and persistent implant deployment.
  • Who should care: Vulnerability management, SOC, cloud and infrastructure teams, security architects managing Linux-based environments.
  • Recommended action: Audit Linux kernel versions across your environment. Prioritize patching on internet-facing systems, shared compute, and container hosts. Where immediate patching is not possible, assess whether kernel module restrictions or access controls reduce exposure in the interim.
  • Confidence: High
  • Search metadata: T1068, Linux Kernel, CIFSwitch, Linux, privilege escalation
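The recommended action (audit kernel versions, prioritize internet-facing, shared and container hosts) is an inventory-triage problem. The following is an added example written for this brief, not code from the author or from any kernel project. It parses `uname -r` strings from a constructed inventory, compares the upstream version against a fixed version that is a placeholder (the brief gives none; take the real value from the kernel advisory or your distro's errata), and orders the hosts by exposure. The caveat it encodes: enterprise distros backport fixes without bumping the upstream version number, so a release below the fixed version means "confirm against errata", not "vulnerable".

```python
import re

# Leading upstream version in a `uname -r` string, e.g. 5.15.0-91-generic -> (5, 15, 0).
KERNEL_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

# Exposure weights follow the brief's ordering: internet-facing first,
# then shared compute and container hosts, then everything else.
EXPOSURE_WEIGHT = {"internet-facing": 3, "container-host": 2, "shared": 2}

# Constructed inventory of (host, `uname -r` output, exposure tags). Not real hosts.
INVENTORY = [
    ("web-edge-01", "5.15.0-91-generic", ["internet-facing"]),
    ("k8s-node-07", "6.1.0-18-amd64", ["container-host"]),
    ("build-shared-02", "4.18.0-553.el8_10.x86_64", ["shared"]),
    ("lab-vm-11", "6.8.0-35-generic", []),
    ("legacy-app-03", "garbage", ["internet-facing"]),
]

# PLACEHOLDER: the brief does not state which upstream release carries the fix.
PLACEHOLDER_FIXED_VERSION = (6, 5, 0)


def parse_kernel(release):
    """Return (major, minor, patch) or None when the string is not a kernel release."""
    match = KERNEL_RE.match(release)
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def audit_fleet(inventory, fixed_version):
    """Return the hosts that still need attention, highest exposure first.

    fixed_version is the upstream (major, minor, patch) carrying the fix. A host
    at or above it drops out; a host below it is listed with a verdict that
    tells the operator to patch or to confirm a distro backport, because
    distro kernels (e.g. the .el8 release above) fix bugs without changing
    the upstream version number."""
    results = []
    for host, release, tags in inventory:
        version = parse_kernel(release)
        if version is not None and version >= fixed_version:
            continue  # upstream fix present
        verdict = ("unparseable release string: inspect manually" if version is None
                   else "below fixed upstream version: patch, or confirm distro backport in errata")
        score = max([EXPOSURE_WEIGHT.get(tag, 1) for tag in tags], default=0)
        results.append({"host": host, "release": release, "score": score, "verdict": verdict})
    results.sort(key=lambda r: (-r["score"], r["host"]))
    return results


if __name__ == "__main__":
    for row in audit_fleet(INVENTORY, PLACEHOLDER_FIXED_VERSION):
        print(f"[{row['score']}] {row['host']:16} {row['release']:28} {row['verdict']}")
```

Feed it the output of a fleet-wide `uname -r` collection (from your configuration management or EDR inventory) and the exposure tags from your CMDB; the unparseable bucket is deliberate, since a host that cannot report a kernel version is itself a finding.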

Operation Dragon Weave — China-Aligned Espionage Targeting Government and Strategic Sectors

  • What happened: Seqrite Labs identified an active espionage campaign, Operation Dragon Weave, attributed to China-aligned threat actors. The campaign targets government, research, academic, technology, and financial sector organizations in the Czech Republic and Taiwan, deploying the AdaptixC2 command-and-control implant.
  • Why it matters: The sector profile — government, finance, technology, research — is consistent with campaigns that expand beyond initial geographic targets. AdaptixC2 indicates established C2 infrastructure and a persistent, capable actor. Organizations in allied nations or with exposure to these sectors should assess their relevance to this targeting aperture.
  • Who should care: Security leadership, threat intelligence, SOC teams, organizations with government contracts or operations in Europe and Asia-Pacific.
  • Recommended action: Review threat intelligence feeds for AdaptixC2 indicators. Assess whether your sector profile or geopolitical relationships place you within likely targeting scope. Verify network egress monitoring is tuned for C2 communication patterns (T1071).
  • Confidence: Medium
  • Search metadata: T1071, Dragon Weave, AdaptixC2, cyber espionage, nation-state, Czech Republic, Taiwan
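"Verify network egress monitoring is tuned for C2 communication patterns (T1071)" is about behaviour, not indicators, since the brief lists no AdaptixC2 IoCs. The following added example, written for this brief and not code from the author, Seqrite Labs, or any C2 project, shows the generic check: periodic outbound connections with near-constant timing and near-constant request size. It runs over constructed proxy log lines whose four-column layout is an assumption of this example, groups them by source and destination, and scores each pair by the coefficient of variation of inter-connection intervals and request sizes. Jittered implants raise the interval CV and legitimate updaters also beacon, so the output is a triage list for the SOC, not a verdict.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<ISO time> <src ip> <destination host> <bytes out>".
# Not real traffic; hosts and addresses are invented. The first client checks in
# every ~60 s with a ~412-byte request; the second browses a site normally.
PROXY_LOG = """2026-06-01T09:00:00 10.1.4.22 cdn.example-updates.net 412
2026-06-01T09:01:00 10.1.4.22 cdn.example-updates.net 415
2026-06-01T09:02:01 10.1.4.22 cdn.example-updates.net 411
2026-06-01T09:03:00 10.1.4.22 cdn.example-updates.net 413
2026-06-01T09:04:00 10.1.4.22 cdn.example-updates.net 412
2026-06-01T09:05:01 10.1.4.22 cdn.example-updates.net 414
2026-06-01T09:00:07 10.1.4.31 docs.example.com 3200
2026-06-01T09:00:19 10.1.4.31 docs.example.com 18000
2026-06-01T09:03:45 10.1.4.31 docs.example.com 900
2026-06-01T09:09:02 10.1.4.31 docs.example.com 22000
2026-06-01T09:14:50 10.1.4.31 docs.example.com 1200
2026-06-01T09:15:00 10.1.4.31 docs.example.com 700
"""


def parse_log(text):
    """Group (timestamp, bytes) events by (src, dst) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        pairs[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return pairs


def _cv(values):
    """Coefficient of variation: population stdev / mean (inf when mean is 0)."""
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def beacon_score(events):
    """Return (interval_cv, size_cv) for a list of (time, bytes) events.
    Low values mean regular timing and uniform request size."""
    events = sorted(events)
    intervals = [(later[0] - earlier[0]).total_seconds()
                 for earlier, later in zip(events, events[1:])]
    sizes = [size for _, size in events]
    return _cv(intervals), _cv(sizes)


def find_beacons(pairs, min_events=5, max_interval_cv=0.1, max_size_cv=0.2):
    """Flag pairs whose traffic is regular enough to look like a check-in loop.
    Thresholds are starting points for tuning against your own baseline."""
    hits = []
    for (src, dst), events in pairs.items():
        if len(events) < min_events:
            continue  # too few samples to judge periodicity
        interval_cv, size_cv = beacon_score(events)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits.append({"src": src, "dst": dst, "count": len(events),
                         "interval_cv": round(interval_cv, 3), "size_cv": round(size_cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(PROXY_LOG)):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} "
              f"({hit['count']} connections, interval CV {hit['interval_cv']}, size CV {hit['size_cv']})")
```

In production, run it over a sliding window (hours, not minutes) per source, and whitelist known updaters by destination only after confirming the destination, not the hostname pattern; the size CV check is there because many benign periodic jobs vary in payload while a check-in loop does not.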

Monitor Only

  • PAN-OS active exploitation is referenced in this week’s threat reporting. Organizations running Palo Alto Networks firewalls should verify patch status and review vendor advisories. Specific CVE details were not disclosed in available reporting.
  • OAuth phishing campaigns using productivity tool impersonation are active. Security awareness teams should issue a targeted reminder, particularly for organizations using OAuth-integrated SaaS platforms.
  • Poisoned developer tools and supply chain activity were flagged in the weekly recap. Development and DevSecOps teams should review dependency integrity controls and recent toolchain changes.
  • AI-assisted attack tooling continues to lower the barrier for phishing and social engineering at scale. No specific new capability was disclosed this week; treat as a persistent background trend.

Analyst Observation

CVE-2020-1472 is not a new vulnerability — it is a known, critical, previously-patched flaw that is now being actively exploited. If it remains unpatched in your environment, the question is why, and that answer matters more than the patch itself. The Linux CIFSwitch PoC release is a separate but equally urgent forcing function for teams managing Linux infrastructure at scale. On Dragon Weave: the sector targeting — government, finance, technology, research — is broad enough that many enterprises should be asking whether their threat model accounts for China-aligned espionage actors, not just ransomware groups. The aggregate signal this week is straightforward: patch velocity and threat intelligence operationalization are the two variables that separate prepared organizations from exposed ones right now.

Generated by DevSecOpsDadAttack cyber threat intelligence.