Threat Analysis: Netlogon RCE and Palo Alto Auth Bypass Now Actively Exploited, What UK SMBs Need to Do Today
Hello, Mauven here.
This is your Daily Threat Analysis for 1st June 2026.
Two vulnerabilities graduated from ‘patch available’ to ‘actively exploited’ today, and both deserve your immediate attention. One targets the authentication backbone of most Windows environments. The other targets the remote access solution that thousands of UK organisations use to connect their workforce. Neither requires a particularly sophisticated attacker to weaponise once exploitation is confirmed in the wild. And exploitation is now confirmed.
Story One: Windows Netlogon RCE, Your Domain Controller Is Being Targeted
The Centre for Cybersecurity Belgium issued a warning this morning confirming that threat actors are now actively exploiting a recently patched critical remote code execution vulnerability in Windows Netlogon.
For those unfamiliar: Netlogon is the protocol Windows uses to authenticate users and computers against a domain controller. A remote code execution flaw in Netlogon means an attacker who can reach your domain controller over the network can potentially execute arbitrary code on it, without valid credentials.
Your domain controller is not just another server. It holds your Active Directory, your user accounts, your group policies, your authentication infrastructure. An attacker with RCE on your domain controller does not need to spend much time pivoting. They are already everywhere.
What the advisory says: the fix shipped in a recent Microsoft update cycle; apply it.
What the advisory does not say: a meaningful proportion of UK SMB Windows Server environments are not current on patches. Patching domain controllers requires care (you cannot simply reboot a DC during business hours), so many IT providers schedule this work on a monthly or quarterly cycle. If your last scheduled maintenance window was before this patch dropped, you are exposed. The fact that Belgium’s national cybersecurity authority felt the need to issue an active exploitation warning on a Sunday should tell you how quickly this moved.
If you are on a managed service, call your provider today and ask specifically: has the Netlogon RCE patch been applied to our domain controllers? Do not accept ‘we are on top of it.’ Ask for confirmation.
Story Two: Palo Alto GlobalProtect Authentication Bypass, Your VPN Is the Door
Rapid7 confirmed this morning that a Palo Alto GlobalProtect authentication bypass vulnerability has moved from advisory to active in-the-wild exploitation on PAN-OS.
GlobalProtect is Palo Alto’s VPN and remote access solution. An authentication bypass means an attacker can access the VPN gateway without valid credentials. In practical terms: they walk in through the front door as though they belong there.
Palo Alto issued an advisory on this previously. The fact that it is now being actively exploited means the patch window has closed. Organisations that have not applied the fix are no longer in a ‘should patch soon’ situation. They are in an ‘actively being targeted’ situation.
The UK relevance here is straightforward. GlobalProtect has significant deployment across UK professional services, legal, accountancy, and financial services firms, sectors that use it as their primary remote access mechanism. These are also sectors with high-value data and, in many cases, IT environments managed by third-party providers who may not have emergency patching processes.
If your organisation uses Palo Alto GlobalProtect, the questions to ask your IT provider right now are:
- What PAN-OS version are we running?
- Has the authentication bypass patch been applied?
- Are there any anomalous authentication attempts in our GlobalProtect logs from the past 72 hours?
That third question matters. If exploitation began before your patch was applied, you need to know whether any unauthorised access occurred.
The Wider Pattern: ClickFix Campaigns Are Accelerating
Separately from the two critical vulnerabilities above, two pieces of threat intelligence published today describe accelerating ClickFix-based social engineering campaigns that are directly relevant to UK SMB staff.
DriveSurge, newly identified by Silent Push, is operating as an initial access broker using a pay-per-install model. The actor has compromised thousands of websites and is injecting code that redirects visitors to either fake browser update prompts or ClickFix-style human-verification lures. Both deliver malware to whoever clicks.
Huntress published analysis of BackgroundFix, a fake image-editing tool that uses a ClickFix lure to deliver CastleLoader, which subsequently drops NetSupport RAT and a credential stealer.
The pattern across both: legitimate-looking websites, plausible prompts, and a single user action that hands an attacker a foothold. Neither requires a phishing email. Compromised legitimate websites are the delivery mechanism, which means standard email filtering provides no protection against this.
If your staff browse the internet as part of their work, and they do, this is a live risk. Web filtering that blocks known malicious domains, browser isolation, and endpoint detection that catches in-memory execution are the relevant controls. If you do not have them, this is worth a conversation with your provider.
What To Do Today
If you run Windows Server with Active Directory:
- Confirm with your IT provider or MSP that the Netlogon RCE patch has been applied to all domain controllers
- If you manage your own infrastructure, check Windows Update and prioritise this
- Review event logs for unusual Netlogon authentication attempts
If you use Palo Alto GlobalProtect:
- Confirm PAN-OS patch status with your provider
- Review GlobalProtect authentication logs for anomalies from the past 72 hours
- If you cannot confirm patch status, consider restricting GlobalProtect access until you can
For all organisations:
- Brief staff on ClickFix-style lures: fake browser updates and human-verification prompts that ask them to copy and run commands are not legitimate
- If your endpoint protection is signature-based only, ask your provider whether it would detect in-memory payload delivery
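To illustrate the 72-hour GlobalProtect log review above, here is an added example (not code from this post or from Palo Alto) of a small triage pass over authentication records. The CSV layout and the sample records are constructed assumptions, not the real PAN-OS export format; map the fields to whatever your firewall actually emits, and use a far longer baseline than the few days shown here.

```python
from datetime import datetime, timedelta

# Constructed sample records (assumed layout: timestamp,user,source_ip,result).
SAMPLE_LOG = """\
2026-05-28 09:02:11,alice,81.2.69.142,success
2026-05-30 22:41:05,bob,203.0.113.7,failure
2026-05-30 22:41:09,bob,203.0.113.7,failure
2026-05-30 22:41:14,bob,203.0.113.7,success
2026-05-31 08:15:30,alice,81.2.69.142,success
2026-05-31 23:59:59,alice,198.51.100.23,success
2026-06-01 07:30:00,carol,192.0.2.44,success
"""

NOW = datetime(2026, 6, 1, 9, 0, 0)   # constructed time of the review
WINDOW = timedelta(hours=72)          # the 72-hour window the post recommends


def parse(text):
    """Turn the CSV text into (timestamp, user, ip, result) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, ip, result))
    return rows


def triage(rows, now=NOW, window=WINDOW, burst=timedelta(minutes=5)):
    """Flag successful logins in the window that deserve a human look."""
    cutoff = now - window
    # Baseline: source IPs each user successfully used BEFORE the window.
    baseline = {}
    for ts, user, ip, result in rows:
        if ts < cutoff and result == "success":
            baseline.setdefault(user, set()).add(ip)
    recent = [r for r in rows if r[0] >= cutoff]
    findings = []
    for i, (ts, user, ip, result) in enumerate(recent):
        if result != "success":
            continue
        if user not in baseline:
            findings.append(("no-prior-history", user, ip, ts))
        elif ip not in baseline[user]:
            findings.append(("new-source-ip", user, ip, ts))
        # Several failures for the same user shortly before a success.
        fails = [r for r in recent[:i]
                 if r[1] == user and r[3] == "failure" and ts - r[0] <= burst]
        if len(fails) >= 2:
            findings.append(("success-after-failures", user, ip, ts))
    return findings
```

Each finding is a lead to verify against the user, not proof of compromise; a success that follows a burst of failures from a source the user has never used before is the case to escalate first.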
Two actively exploited critical vulnerabilities and an accelerating social engineering campaign on the same day make for a busy Sunday. The NCSC published guidance on patching cadence for critical infrastructure years ago. The fact that organisations are still being caught with unpatched domain controllers and VPN gateways when active exploitation is confirmed tells you everything about the gap between published guidance and operational reality.
Check your patch status. Today.
Sources
| Source | Title | URL |
|---|---|---|
| BleepingComputer | Critical Windows Netlogon RCE flaw now exploited in attacks | https://www.bleepingcomputer.com/news/microsoft/critical-windows-netlogon-remote-code-execution-flaw-now-exploited-in-attacks/ |
| The Register | Palo Alto VPN bug graduates from advisory to active exploitation | https://www.theregister.com/cyber-crime/2026/06/01/palo-alto-vpn-bug-graduates-from-advisory-to-active-exploitation/5249114 |
| Centre for Cybersecurity Belgium (CCB) | Active exploitation warning, Netlogon RCE | https://ccb.belgium.be |
| Rapid7 | Palo Alto GlobalProtect authentication bypass, in-the-wild exploitation confirmed | https://www.rapid7.com |
| Silent Push | DriveSurge: New Threat Actor Using ClickFix and Fake Update Drive-By Attacks | https://www.silentpush.com/blog/drivesurge/ |
| Huntress | ClickFix Removes Your Background but Leaves the Malware | https://www.huntress.com/blog/clickfix-castleloader-backgroundfix |