Threat Analysis: SearchLeak and Cisco SD-WAN Auth Bypass, What UK SMBs Need to Know Today


Hello, Mauven here.

This is your Daily Threat Analysis for 15th June 2026.

Two items today. Both are relevant to organisations that use Microsoft 365, which is most of you, and to anyone running Cisco Catalyst SD-WAN infrastructure. I will cover them in order of immediate exploitability for the average UK SMB.

SearchLeak: Microsoft 365 Copilot as a Data Exfiltration Tool

Researchers have disclosed a vulnerability chain in Microsoft 365 Copilot Enterprise, now being referred to as SearchLeak. The mechanics are straightforward and that is what makes this one uncomfortable: a single specially crafted URL, delivered via a phishing email or a link in a document, is sufficient for an attacker to instruct Copilot to search and exfiltrate data from a target’s mailbox, OneDrive, or SharePoint.

The attack works because Copilot, in certain configurations, can be manipulated through prompt injection via external content: a document or email that the victim opens contains instructions that Copilot then acts on. The crafted URL then routes the results of that search to an attacker-controlled location. One click. That is the entire attack chain.

Microsoft has patched this. What the reporting does not dwell on, but what I will, is the operational implication for UK SMBs. Most smaller organisations running M365 Enterprise are not managing their own patching cycles. They are relying on a managed service provider or on Microsoft’s automatic update process. In most cases, tenant-level patches for Copilot features do roll out automatically. But that assumption needs verification, not faith.

There is a second issue. If you are using Copilot Enterprise and your staff have broad access to sensitive data, contracts, HR files, financial records held in SharePoint, then the blast radius of this vulnerability is considerable. An attacker does not need to compromise credentials. They need a victim to open a link.

The NCSC has published guidance on prompt injection risks in AI systems. The fact that we are still seeing critical vulnerabilities of this exact type tells you that the guidance is being read and filed rather than acted on.

What to do:

  • Confirm with your IT provider or MSP that your M365 tenant is fully current as of today’s date
  • Review which staff have Copilot Enterprise licences and what SharePoint and OneDrive content those accounts can access
  • Apply the principle of least privilege: if someone does not need access to sensitive SharePoint libraries, remove it, regardless of this vulnerability
  • Be sceptical of any link in email that, when clicked, triggers a Copilot interaction
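The second and third points above, reviewing which Copilot-licensed accounts can reach which SharePoint and OneDrive content and trimming that access, are easy to get wrong because most access is inherited through nested groups rather than granted to people directly. The script below is an added example, not code from the briefing or from Microsoft: it works over a constructed tenant export (users, licence labels, group nesting, site grants and a sensitivity flag are all assumed sample data, and `COPILOT` is an assumed SKU label, not Microsoft's real SKU identifier) and resolves each Copilot-licensed user's effective access through the group hierarchy before reporting the sensitive sites they can reach.

```python
"""Least-privilege review: which Copilot-licensed accounts can reach sensitive
SharePoint/OneDrive sites, resolving access through nested groups.
All data below is a constructed tenant export, not a Microsoft API call."""

# Constructed sample: each user's licence labels (assumed) and direct groups.
USERS = {
    "alice@example.co.uk": {"skus": ["M365_E3", "COPILOT"], "groups": ["Finance"]},
    "bob@example.co.uk":   {"skus": ["M365_E3"],            "groups": ["Finance"]},
    "carol@example.co.uk": {"skus": ["M365_E3", "COPILOT"], "groups": ["AllStaff"]},
    "dan@example.co.uk":   {"skus": ["M365_E3", "COPILOT"], "groups": ["Contractors"]},
}

# Constructed sample: group -> groups nested inside it (Finance is a member of AllStaff).
GROUP_MEMBERS = {"AllStaff": ["Finance", "HR"], "Finance": [], "HR": [], "Contractors": []}

# Constructed sample: site -> principals granted access, plus a sensitivity flag.
SITES = {
    "/sites/Contracts": {"sensitive": True,  "granted": ["Finance", "dan@example.co.uk"]},
    "/sites/HR-Files":  {"sensitive": True,  "granted": ["HR"]},
    "/sites/Intranet":  {"sensitive": False, "granted": ["AllStaff", "Contractors"]},
}

COPILOT_SKU = "COPILOT"  # assumed label in the constructed export


def parent_map(group_members):
    """Invert the nesting: child group -> groups that contain it."""
    parents = {}
    for parent, children in group_members.items():
        for child in children:
            parents.setdefault(child, []).append(parent)
    return parents


def effective_groups(user, users, group_members):
    """Direct groups plus every group that transitively contains them (cycle-safe)."""
    parents = parent_map(group_members)
    seen, stack = set(), list(users[user]["groups"])
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(parents.get(group, []))
    return seen


def accessible_sites(user, users, group_members, sites):
    """Sites reachable by the user directly or through any effective group."""
    principals = effective_groups(user, users, group_members) | {user}
    return sorted(site for site, info in sites.items()
                  if principals & set(info["granted"]))


def review(users=USERS, group_members=GROUP_MEMBERS, sites=SITES):
    """Copilot-licensed user -> sensitive sites they can reach (empty list = fine)."""
    report = {}
    for user, info in users.items():
        if COPILOT_SKU not in info["skus"]:
            continue  # no Copilot licence: outside the scope of this review
        reachable = accessible_sites(user, users, group_members, sites)
        report[user] = [s for s in reachable if sites[s]["sensitive"]]
    return report


if __name__ == "__main__":
    for user, hits in review().items():
        print(f"{user}: {', '.join(hits) if hits else 'no sensitive sites'}")
```

The report lists each Copilot-licensed account against the sensitive libraries it can actually reach; an account with a non-empty list is one where either the Copilot licence or the site access should be justified or removed. In a real tenant the three dictionaries would be populated from your directory and site-permission exports rather than hard-coded.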

Cisco Catalyst SD-WAN: Active Exploitation by UAT-8616

Cisco Talos is tracking active exploitation of multiple vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager. The headline CVE here is CVE-2026-20182, an authentication bypass that allows a remote, unauthenticated attacker to obtain administrative privileges on the SD-WAN management infrastructure. This is not a low-hanging-fruit vulnerability. Gaining admin on your SD-WAN controller means the attacker can see and manipulate your entire network routing, your VPN configuration, and your connected branch sites.

The exploitation is attributed to a threat cluster Talos designates as UAT-8616. This actor has been observed deploying Sliver (a post-exploitation C2 framework), Godzilla (a web shell), AdaptixC2, and Behinder. This is not opportunistic scanning. The post-exploitation tooling indicates deliberate, sustained access with an intent to persist and move laterally.

Additionally, other threat clusters are exploiting CVE-2026-20133 and related CVEs in the same product family. This is a product line under active, coordinated attack from multiple directions simultaneously.

The SMB relevance here is worth spelling out carefully. Most small businesses do not run Cisco Catalyst SD-WAN directly. But many operate through managed network service providers who do. If your connectivity, your site-to-site VPN, or your cloud network routing is managed by a third party running Cisco Catalyst SD-WAN infrastructure, you have indirect exposure. An attacker who compromises the MSP’s SD-WAN controller has visibility into every customer network routed through it.

The advisory describes UAT-8616 as a sophisticated actor. It does not say nation-state. What it also does not say, and what I will, is that the simultaneous use of multiple C2 frameworks (Sliver, Godzilla, AdaptixC2) is consistent with tradecraft observed in campaigns where the priority is durable access rather than quick monetisation. That inference is mine, not Talos's, and I am flagging it as such.

What to do:

  • If you run Cisco Catalyst SD-WAN directly: patch immediately. CVE-2026-20182 is your priority. Check Cisco’s Security Advisory portal for the specific affected versions and update paths
  • If your network is managed by an MSP: ask them today whether they run Cisco Catalyst SD-WAN in their infrastructure, and if so, what their patching status is against this advisory
  • Review your MSP’s security incident disclosure obligations in your contract: if their infrastructure is compromised, you need to know about it promptly
  • Check your network monitoring for anomalous routing changes or unexpected administrative access events
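The last point, watching for unexpected administrative access and routing changes on the SD-WAN management plane, is something a small team can start doing with a handful of rules over the controller's audit trail. The script below is an added example and is not from Talos, Cisco or the briefing: the audit line format and the sample events are constructed for illustration (not Cisco's real log format), and the management network, privileged role names and change window are assumed policy values to replace with your own. It flags successful administrative logins from outside the management network, creation of privileged accounts, and configuration changes made outside the change window or without a change ticket.

```python
"""Detection checks over SD-WAN controller/manager audit events.
Log format and sample lines are constructed for this example; they are
not Cisco's real log format. Policy values below are assumptions."""
import ipaddress
from datetime import datetime, time

# Constructed sample audit lines: ISO-8601 timestamp followed by key=value fields.
SAMPLE_LOG = """\
2026-06-15T02:14:07Z host=sdwan-mgr01 event=login user=admin src=203.0.113.77 result=success
2026-06-15T02:15:30Z host=sdwan-mgr01 event=user_create user=admin target=svc_backup role=netadmin
2026-06-15T02:16:02Z host=sdwan-mgr01 event=config_change user=svc_backup object=policy/centralized/route action=update
2026-06-15T09:30:11Z host=sdwan-mgr01 event=login user=jsmith src=10.20.0.15 result=success
2026-06-15T10:05:44Z host=sdwan-mgr01 event=config_change user=jsmith object=template/device/branch-07 action=update ticket=CHG-4412
"""

# Assumed policy: where admins are allowed to log in from, which roles count as
# privileged, and the approved change window (UTC).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
PRIVILEGED_ROLES = {"netadmin", "admin"}
CHANGE_WINDOW = (time(8, 0), time(18, 0))


def parse_line(line):
    """Turn one audit line into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    event = {"time": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def in_mgmt_net(ip):
    """True if the source address falls inside an allowed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def in_change_window(when):
    """True if the event time-of-day is inside the approved change window."""
    return CHANGE_WINDOW[0] <= when.time() <= CHANGE_WINDOW[1]


def detect(log_text):
    """Apply the three checks to every audit line and return a list of alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        kind = ev.get("event")
        when = ev["time"].isoformat()
        if kind == "login" and ev.get("result") == "success" and not in_mgmt_net(ev["src"]):
            alerts.append({"rule": "login_outside_mgmt_net", "time": when,
                           "user": ev["user"], "src": ev["src"]})
        elif kind == "user_create" and ev.get("role") in PRIVILEGED_ROLES:
            alerts.append({"rule": "privileged_account_created", "time": when,
                           "user": ev["user"], "target": ev["target"]})
        elif kind == "config_change":
            reasons = []
            if not in_change_window(ev["time"]):
                reasons.append("outside change window")
            if "ticket" not in ev:
                reasons.append("no change ticket")
            if reasons:
                alerts.append({"rule": "unapproved_config_change", "time": when,
                               "user": ev["user"], "object": ev["object"],
                               "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the three early-morning events (an admin login from a non-management address, a new `netadmin` account, and a routing policy change by that account with no ticket) each produce an alert, while the ticketed daytime change by a known user does not. The sequence of the three alerts is itself the signal to escalate: in the active campaign described above the objective is durable administrative access, and a freshly created privileged account changing routing policy is exactly the pattern a compromised controller would show.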

On the Periphery: Software Supply Chain Pressure Continues

Also worth noting today, though lower priority for most UK SMBs: Arch Linux has locked down new account signups to its AUR community repository after a wave of malicious commits attempted to poison package updates. This follows a familiar pattern: attackers targeting community-maintained software repositories to insert malicious code into widely used packages. The AUR is used primarily by developers and technical users, but if your organisation has developers building on Arch Linux systems, this is relevant. It is also a useful reminder that the software supply chain attack surface extends well beyond enterprise vendors.

Separately, Unit 42 has published analysis of Gremlin Stealer’s updated obfuscation techniques, including instruction virtualisation that transforms malicious code into custom bytecode to evade detection. Gremlin Stealer targets browser credentials, session tokens, payment card data, and Discord tokens. This is relevant to any organisation whose staff use browsers for business systems, which is everyone. The updated obfuscation means that antivirus signatures that previously caught earlier variants may not catch this one.

The Bigger Picture

Today’s threats share a common thread: they target the tools and infrastructure that smaller organisations depend on but rarely examine. M365 Copilot is sold as a productivity improvement. Cisco SD-WAN is managed infrastructure that most SMBs outsource and forget. Community software repositories are trusted by default.

The gap between what vendors ship and what organisations actually verify is where most incidents begin. Patching is not enough if you do not know what you are running and who has access to it.

Before the next briefing: if Threat Analysis is useful to you, follow the show wherever you listen; tomorrow’s briefing lands automatically. And if there is someone in your team, or a peer in another business, who should be getting this, send it their way.


Sources

  • BleepingComputer, "New attack turned Microsoft 365 Copilot into 1-click data theft tool": https://www.bleepingcomputer.com/news/security/new-attack-turned-microsoft-365-copilot-into-1-click-data-theft-tool/
  • Cisco Talos Intelligence, "Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities": https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
  • AlienVault OTX, "Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities" (pulse): https://otx.alienvault.com
  • Unit 42 / Palo Alto Networks, "Gremlin Stealer’s Evolved Tactics: Hiding in Plain Sight With Resource Files": https://unit42.paloaltonetworks.com/gremlin-stealer-evolution/
  • BleepingComputer, "Infinite Campus data breach affects 137,000 school staff accounts": https://www.bleepingcomputer.com/news/security/infinite-campus-data-breach-affects-137-000-school-staff-accounts/
  • The Register, "Arch Linux locks down AUR signups amid wave of malicious commits": https://www.theregister.com/security/2026/06/15/arch_linux_locks_down_aur_signups_amid_wave_of_malicious_commits/

Filed under

  • smb-security
  • uk-business
  • cloud-security
  • credential-theft
  • vendor-risk
  • supply-chain-risk
  • remote-access